authorNicolas PARLANT <nicolas.parlant@parhuet.fr>2023-09-17 08:35:57 +0100
committerMatthew Smith <matthew@gentoo.org>2023-09-17 08:35:57 +0100
commita1c699c2a6c5e30dfd7fa8e645756bb90cf87409 (patch)
tree7da88a557350a18b37661bb24e06060c1b502063 /net-dns
parentdev-vcs/tortoisehg: 6.5.1, add PYTHON_COMPAT=python3_12 (diff)
net-dns/knot-resolver: drop privileges in kresd.initd
Closes: https://github.com/gentoo/gentoo/pull/32871 Signed-off-by: Nicolas PARLANT <nicolas.parlant@parhuet.fr> Signed-off-by: Matthew Smith <matthew@gentoo.org>
Diffstat (limited to 'net-dns')
-rw-r--r--net-dns/knot-resolver/files/kresd.confd-r19
-rw-r--r--net-dns/knot-resolver/files/kresd.initd-r131
-rw-r--r--net-dns/knot-resolver/knot-resolver-5.6.0-r2.ebuild96
3 files changed, 136 insertions, 0 deletions
diff --git a/net-dns/knot-resolver/files/kresd.confd-r1 b/net-dns/knot-resolver/files/kresd.confd-r1
new file mode 100644
index 000000000000..2b67587c646a
--- /dev/null
+++ b/net-dns/knot-resolver/files/kresd.confd-r1
@@ -0,0 +1,9 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+#KRESD_USER=knot-resolver
+#KRESD_GROUP=knot-resolver
+#KRESD_CONFIG="/etc/knot-resolver/kresd.conf"
+#KRESD_RUNDIR="/var/run/kresd"
+#KRESD_PIDFILE="/var/run/kresd.pid"
+KRESD_OPTS=""
\ No newline at end of file
diff --git a/net-dns/knot-resolver/files/kresd.initd-r1 b/net-dns/knot-resolver/files/kresd.initd-r1
new file mode 100644
index 000000000000..9732b48cc2cb
--- /dev/null
+++ b/net-dns/knot-resolver/files/kresd.initd-r1
@@ -0,0 +1,31 @@
+#!/sbin/openrc-run
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+: ${KRESD_GROUP:=knot-resolver}
+: ${KRESD_USER:=knot-resolver}
+: ${KRESD_CONFIG:=/etc/knot-resolver/kresd.conf}
+: ${KRESD_RUNDIR:=/var/run/kresd}
+: ${KRESD_PIDFILE:=/var/run/kresd.pid}
+
+command="/usr/sbin/kresd"
+command_args="${KRESD_OPTS} -n -c ${KRESD_CONFIG} ${KRESD_RUNDIR}"
+command_user="${KRESD_USER}:${KRESD_GROUP}"
+pidfile="${KRESD_PIDFILE}"
+command_background=true
+retry="TERM/60/KILL/5"
+
+capabilities="^cap_net_bind_service,^cap_setpcap"
+
+name="knot-resolver"
+description="scaleable caching DNS resolver"
+
+depend() {
+ need net
+ use logger
+ provide dns
+}
+
+start_pre() {
+ checkpath -d -m 0750 -o "${KRESD_USER}:${KRESD_GROUP}" ${KRESD_RUNDIR}
+}
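Review bot: The `capabilities=` line grants `cap_setpcap` to the unprivileged kresd process as an ambient capability next to `cap_net_bind_service`, and the script does not say why it is needed or when it is given up. If it is there so that kresd can drop its remaining capabilities itself, that presumably depends on the libcap-ng support behind the ebuild's `caps` USE flag, so a build without it may keep `cap_setpcap` for the life of the daemon. A comment such as `# cap_setpcap: lets kresd drop its own capabilities after binding (needs USE=caps) - confirm` would record the intent. Separately, `${KRESD_RUNDIR}` is unquoted in the `checkpath` call in `start_pre`, which runs as root; `checkpath -d -m 0750 -o "${KRESD_USER}:${KRESD_GROUP}" "${KRESD_RUNDIR}"` avoids word splitting on a conf.d-supplied path.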
diff --git a/net-dns/knot-resolver/knot-resolver-5.6.0-r2.ebuild b/net-dns/knot-resolver/knot-resolver-5.6.0-r2.ebuild
new file mode 100644
index 000000000000..1c2b1ab746e9
--- /dev/null
+++ b/net-dns/knot-resolver/knot-resolver-5.6.0-r2.ebuild
@@ -0,0 +1,96 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+LUA_COMPAT=( luajit )
+
+inherit lua-single meson tmpfiles verify-sig
+
+DESCRIPTION="A scaleable caching DNS resolver"
+HOMEPAGE="https://www.knot-resolver.cz https://gitlab.nic.cz/knot/knot-resolver"
+SRC_URI="
+ https://secure.nic.cz/files/${PN}/${P}.tar.xz
+ verify-sig? ( https://secure.nic.cz/files/${PN}/${P}.tar.xz.asc )
+"
+
+LICENSE="Apache-2.0 BSD CC0-1.0 GPL-3+ LGPL-2.1+ MIT"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="caps dnstap kresc nghttp2 systemd test"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="${LUA_REQUIRED_USE}"
+
+RDEPEND="
+ ${LUA_DEPS}
+ acct-group/knot-resolver
+ acct-user/knot-resolver
+ dev-db/lmdb:=
+ dev-libs/libuv:=
+ net-dns/knot:=
+ net-libs/gnutls:=
+ caps? ( sys-libs/libcap-ng )
+ dnstap? (
+ dev-libs/fstrm
+ dev-libs/protobuf-c:=
+ )
+ kresc? ( dev-libs/libedit )
+ nghttp2? ( net-libs/nghttp2:= )
+ systemd? ( sys-apps/systemd:= )
+"
+DEPEND="
+ ${RDEPEND}
+ test? (
+ dev-util/cmocka
+ )
+"
+BDEPEND="
+ virtual/pkgconfig
+ verify-sig? ( sec-keys/openpgp-keys-knot-resolver )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-5.5.3-docdir.patch
+ "${FILESDIR}"/${PN}-5.5.3-nghttp-openssl.patch
+)
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/${PN}.gpg
+
+src_unpack() {
+ if use verify-sig; then
+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.xz{,.asc}
+ fi
+
+ unpack ${P}.tar.xz
+}
+
+src_configure() {
+ local emesonargs=(
+ --localstatedir "${EPREFIX}"/var # double lib
+ # https://bugs.gentoo.org/870019
+ -Dauto_features=disabled
+ -Ddoc=disabled
+ -Ddocdir="${EPREFIX}"/usr/share/doc/${PF}
+ -Dopenssl=disabled
+ $(meson_feature caps capng)
+ $(meson_feature dnstap)
+ $(meson_feature kresc client)
+ $(meson_feature nghttp2)
+ $(meson_feature test unit_tests)
+ $(meson_feature systemd systemd_files)
+ )
+
+ meson_src_configure
+}
+
+src_install() {
+ meson_src_install
+ fowners -R ${PN}: /etc/${PN}
+
+ newinitd "${FILESDIR}"/kresd.initd-r1 kresd
+ newconfd "${FILESDIR}"/kresd.confd-r1 kresd
+}
+
+pkg_postinst() {
+ use systemd && tmpfiles_process knot-resolver.conf
+}
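Review bot: `fowners -R ${PN}: /etc/${PN}` in `src_install` makes the whole configuration directory owned by the account the daemon now runs as, so a compromised resolver process could presumably rewrite `kresd.conf`, which the init script passes via `-c` on the next start. If the daemon only needs to read its configuration, `fowners -R root:${PN} /etc/${PN}` with group-read permissions keeps it readable without being writable by the service user. If write access is needed for a specific file (for example a managed trust anchor, which this hunk does not show), narrowing ownership to that file or moving it to a state directory would be tighter than owning the whole tree.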