commit: 885bd9eb1a8173fdae19461f80f312d1244acecf |
Author: Steve Arnold <nerdboy <AT> gentoo <DOT> org> |
AuthorDate: Fri Dec 3 19:27:16 2021 +0000 |
Commit: Steve Arnold <nerdboy <AT> gentoo <DOT> org> |
CommitDate: Fri Dec 3 19:28:08 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=885bd9eb |
|
net-misc/ntpsec: seccomp cleanup, (really) fixes seccomp on riscv |
|
* rollup seccomp changes into single patch against 1.2.1 |
* remove old seccomp patches |
|
Package-Manager: Portage-3.0.20, Repoman-3.0.3 |
Signed-off-by: Steve Arnold <nerdboy <AT> gentoo.org> |
|
...sec-1.1.8-fix-missing-scmp_sys-on-aarch64.patch | 16 --- |
.../files/ntpsec-1.2.0-move-newfstatat.patch | 20 ---- |
net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch | 30 ------ |
.../files/ntpsec-1.2.1-seccomp-glibc-2-3-4.patch | 21 ---- |
.../ntpsec/files/ntpsec-1.2.1-seccomp-rollup.patch | 116 +++++++++++++++++++++ |
net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild | 5 +- |
6 files changed, 117 insertions(+), 91 deletions(-) |
|
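diff --git a/net-misc/ntpsec/files/ntpsec-1.1.8-fix-missing-scmp_sys-on-aarch64.patch b/net-misc/ntpsec/files/ntpsec-1.1.8-fix-missing-scmp_sys-on-aarch64.patch
deleted file mode 100644
index ee75d103d2e6..000000000000
--- a/net-misc/ntpsec/files/ntpsec-1.1.8-fix-missing-scmp_sys-on-aarch64.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
-index 4e5ceaa36c1a7b452445023e201ddb6211625c52..78ac7aea263ed3d3394b2d32e79a6836f0387434 100644
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -428,6 +428,11 @@ int scmp_sc[] = {
- /* gentoo 64-bit and 32-bit, Intel and Arm use mmap */
- SCMP_SYS(mmap),
- #endif
-+#if defined(__aarch64__)
-+ SCMP_SYS(faccessat),
-+ SCMP_SYS(newfstatat),
-+ SCMP_SYS(renameat),
-+#endif
- #if defined(__i386__) || defined(__arm__) || defined(__powerpc__)
- SCMP_SYS(_newselect),
- SCMP_SYS(_llseek),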
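diff --git a/net-misc/ntpsec/files/ntpsec-1.2.0-move-newfstatat.patch b/net-misc/ntpsec/files/ntpsec-1.2.0-move-newfstatat.patch
deleted file mode 100644
index 75453c6cb5f6..000000000000
--- a/net-misc/ntpsec/files/ntpsec-1.2.0-move-newfstatat.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
-index e66faaa8c..b2af654e5 100644
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -349,6 +349,7 @@ int scmp_sc[] = {
- SCMP_SYS(lseek),
- SCMP_SYS(membarrier), /* Needed on Alpine 3.11.3 */
- SCMP_SYS(munmap),
-+ SCMP_SYS(newfstatat),
- SCMP_SYS(open),
- #ifdef __NR_openat
- SCMP_SYS(openat), /* SUSE */
-@@ -451,7 +452,6 @@ int scmp_sc[] = {
- #endif
- #if defined(__aarch64__)
- SCMP_SYS(faccessat),
-- SCMP_SYS(newfstatat),
- SCMP_SYS(renameat),
- SCMP_SYS(linkat),
- SCMP_SYS(unlinkat),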
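diff --git a/net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch b/net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch
deleted file mode 100644
index 27dd321e2a29..000000000000
--- a/net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-https://bugs.gentoo.org/705128
-https://bugs.gentoo.org/786228
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -463,6 +463,15 @@ int scmp_sc[] = {
- SCMP_SYS(send),
- SCMP_SYS(stat64),
- #endif
-+#if defined(__arm__)
-+ SCMP_SYS(statx),
-+#endif
-+#if defined(__riscv32__) || defined(__riscv64__)
-+ SCMP_SYS(faccessat),
-+#endif
-+#if defined(__aarch64__) || defined(__riscv64__)
-+ SCMP_SYS(syscall),
-+#endif
- };
- {
- for (unsigned int i = 0; i < COUNTOF(scmp_sc); i++) {
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -355,6 +355,7 @@ int scmp_sc[] = {
- SCMP_SYS(openat), /* SUSE */
- #endif
- SCMP_SYS(poll),
-+ SCMP_SYS(pread64),
- SCMP_SYS(pselect6),
- SCMP_SYS(read),
- SCMP_SYS(recvfrom), /* Comment this out for testing.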
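diff --git a/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-glibc-2-3-4.patch b/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-glibc-2-3-4.patch
deleted file mode 100644
index 5936adaf9a49..000000000000
--- a/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-glibc-2-3-4.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/823692
-https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1247
-https://gitlab.com/NTPsec/ntpsec/-/issues/713
-
-From 170d60b7e269154fb108bb4b010ee5ee0110bf2d Mon Sep 17 00:00:00 2001
-From: Sam James <sam@g.o>
-Date: Sun, 14 Nov 2021 08:44:28 +0000
-Subject: [PATCH] ntpd/ntp_sandbox.c: allow clone3 in seccomp filter for
- glibc-2.34
-
-Signed-off-by: Sam James <sam@g.o>
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -403,6 +403,7 @@ int scmp_sc[] = {
- * rather than generate a trap.
- */
- SCMP_SYS(clone), /* threads */
-+ SCMP_SYS(clone3),
- SCMP_SYS(kill), /* generate signal */
- SCMP_SYS(madvise),
- SCMP_SYS(mprotect),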
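diff --git a/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-rollup.patch b/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-rollup.patch
new file mode 100644
index 000000000000..c9ba3760cce6
--- /dev/null
+++ b/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-rollup.patch
@@ -0,0 +1,116 @@
+From 9a13c2bd472786472360f1a6465d8a808f6b8311 Mon Sep 17 00:00:00 2001
+From: Stephen L Arnold <nerdboy@g.o>
+Date: Thu, 2 Dec 2021 20:16:18 -0800
+Subject: [PATCH] ntpd/ntp_sandbox.c: seccomp rollup patch for arm, arm64,
+ riscv, all
+
+* add renameat2, move newfstatat and faccessat, remove arch dups
+* rollup previous patches, remove cruft
+* includes riscv fixes, previous bugs:
+ https://bugs.gentoo.org/705128
+ https://bugs.gentoo.org/786228
+ https://bugs.gentoo.org/823692
+ https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1247
+ https://gitlab.com/NTPsec/ntpsec/-/issues/713
+
+Signed-off-by: Stephen L Arnold <nerdboy@g.o>
+---
+ ntpd/ntp_sandbox.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index e66faaa8c..04eaa003a 100644
+--- a/ntpd/ntp_sandbox.c
++++ b/ntpd/ntp_sandbox.c
+@@ -306,8 +306,8 @@ int scmp_sc[] = {
+ #endif
+ #endif /* ENABLE_EARLY_DROPROOT */
+
+- SCMP_SYS(accept),
+- SCMP_SYS(access),
++ SCMP_SYS(accept),
++ SCMP_SYS(access),
+ SCMP_SYS(adjtimex),
+ SCMP_SYS(bind),
+ SCMP_SYS(brk),
+@@ -319,6 +319,9 @@ int scmp_sc[] = {
+ SCMP_SYS(connect),
+ SCMP_SYS(exit),
+ SCMP_SYS(exit_group),
++#ifdef __NR_faccessat
++ SCMP_SYS(faccessat), /* riscv and aarch64 */
++#endif
+ SCMP_SYS(fcntl),
+ SCMP_SYS(fstat),
+ SCMP_SYS(fsync),
+@@ -349,11 +352,13 @@ int scmp_sc[] = {
+ SCMP_SYS(lseek),
+ SCMP_SYS(membarrier), /* Needed on Alpine 3.11.3 */
+ SCMP_SYS(munmap),
++ SCMP_SYS(newfstatat), /* riscv and aarch64 */
+ SCMP_SYS(open),
+ #ifdef __NR_openat
+ SCMP_SYS(openat), /* SUSE */
+ #endif
+ SCMP_SYS(poll),
++ SCMP_SYS(pread64),
+ SCMP_SYS(pselect6),
+ SCMP_SYS(read),
+ SCMP_SYS(recvfrom), /* Comment this out for testing.
+@@ -362,6 +367,9 @@ int scmp_sc[] = {
+ */
+ SCMP_SYS(recvmsg),
+ SCMP_SYS(rename),
++#ifdef __NR_renameat2
++ SCMP_SYS(renameat2), /* riscv */
++#endif
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(rt_sigreturn),
+@@ -401,6 +409,7 @@ int scmp_sc[] = {
+ * rather than generate a trap.
+ */
+ SCMP_SYS(clone), /* threads */
++ SCMP_SYS(clone3),
+ SCMP_SYS(kill), /* generate signal */
+ SCMP_SYS(madvise),
+ SCMP_SYS(mprotect),
+@@ -415,9 +424,9 @@ int scmp_sc[] = {
+ SCMP_SYS(nanosleep),
+ #endif
+ #ifdef CLOCK_SHM
+- SCMP_SYS(shmget),
+- SCMP_SYS(shmat),
+- SCMP_SYS(shmdt),
++ SCMP_SYS(shmget),
++ SCMP_SYS(shmat),
++ SCMP_SYS(shmdt),
+ #endif
+
+ SCMP_SYS(fcntl64),
+@@ -450,10 +459,9 @@ int scmp_sc[] = {
+ SCMP_SYS(mmap),
+ #endif
+ #if defined(__aarch64__)
+- SCMP_SYS(faccessat),
+- SCMP_SYS(newfstatat),
+- SCMP_SYS(renameat),
+ SCMP_SYS(linkat),
++ SCMP_SYS(renameat),
++ SCMP_SYS(syscall),
+ SCMP_SYS(unlinkat),
+ #endif
+ #if defined(__i386__) || defined(__arm__) || defined(__powerpc__)
+@@ -463,6 +471,9 @@ int scmp_sc[] = {
+ SCMP_SYS(send),
+ SCMP_SYS(stat64),
+ #endif
++#if defined(__arm__)
++ SCMP_SYS(statx),
++#endif
+ };
+ {
+ for (unsigned int i = 0; i < COUNTOF(scmp_sc); i++) {
+--
+2.32.0
+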
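Review bot: The comments on the new allowlist entries understate where they apply: `SCMP_SYS(newfstatat)` is added with no guard, and `SCMP_SYS(faccessat)` and `SCMP_SYS(renameat2)` only under `#ifdef __NR_…`, so they are permitted on every architecture whose headers define the number, not just the ones named in `/* riscv and aarch64 */` and `/* riscv */`. Each entry widens the sandbox for all builds, so I would word the comments as scope plus reason, e.g. `SCMP_SYS(newfstatat), /* all arches; first needed on riscv and aarch64 */`. `SCMP_SYS(pread64)`, `SCMP_SYS(clone3)` and the aarch64-only `SCMP_SYS(syscall)` get no comment at all; the patch this rolls up gave glibc-2.34 as the reason for `clone3`, and the other two deserve the same one-line justification so a later audit can prune entries that are no longer needed. `scmp_sc[]` starts above the first hunk and the loop that installs the rules continues past the last one.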
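diff --git a/net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild b/net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild
index 7e9d34caf33b..8835c7ccfcfb 100644
--- a/net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild
+++ b/net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild
@@ -58,11 +58,8 @@ DEPEND="${CDEPEND}
 "
 
 PATCHES=(
- "${FILESDIR}/${PN}-1.1.8-fix-missing-scmp_sys-on-aarch64.patch"
 "${FILESDIR}/${PN}-1.1.9-remove-asciidoctor-from-config.patch"
- "${FILESDIR}/${PN}-1.2.0-move-newfstatat.patch"
- "${FILESDIR}/${PN}-1.2.0-seccomp.patch"
- "${FILESDIR}/${PN}-1.2.1-seccomp-glibc-2-3-4.patch"
+ "${FILESDIR}/${PN}-1.2.1-seccomp-rollup.patch"
 )
 
 WAF_BINARY="${S}/waf"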
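Review bot: The patch list changes under the existing `-r1` revision, so a host that already built `ntpsec-1.2.1-r1` keeps the old seccomp filter with nothing in the package version to show it. If that revision has already reached users, a bump to `-r2` would force the rebuild and make the installed allowlist identifiable from the version alone; whether it has is not visible from this page.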