author | Mike Gilbert <floppym@gentoo.org> | 2020-12-23 14:13:51 -0500 |
---|---|---|
committer | Mike Gilbert <floppym@gentoo.org> | 2020-12-23 14:13:51 -0500 |
commit | de6efe6b3e28eea299401244e7b506a6f9c22d51 (patch) | |
tree | 16d6701e15a7713429940bebbd996b87c0a1f352 /sys-apps | |
parent | app-admin/mcelog: stabilize new revision w/ upstream systemd unit (diff) | |
sys-apps/man-db: allow clock_gettime64 syscall
Closes: https://bugs.gentoo.org/744712
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Diffstat (limited to 'sys-apps')
-rw-r--r-- | sys-apps/man-db/files/man-db-2.9.3-clock_gettime64.patch | 44 | ||||
-rw-r--r-- | sys-apps/man-db/man-db-2.9.3-r1.ebuild | 162 | ||||
-rw-r--r-- | sys-apps/man-db/man-db-9999.ebuild | 4 |
3 files changed, 209 insertions, 1 deletions
diff --git a/sys-apps/man-db/files/man-db-2.9.3-clock_gettime64.patch b/sys-apps/man-db/files/man-db-2.9.3-clock_gettime64.patch
new file mode 100644
index 000000000000..0da1b2c5b2b7
--- /dev/null
+++ b/sys-apps/man-db/files/man-db-2.9.3-clock_gettime64.patch
@@ -0,0 +1,44 @@
+From 7315a9475d8fa37af49e9e7ed11e1534f23ef70b Mon Sep 17 00:00:00 2001
+From: "S. Gilles" <sgilles@umd.edu>
+Date: Wed, 12 Aug 2020 16:40:07 -0400
+Subject: Allow clock_gettime64; return ENOSYS so libcs can engage fallbacks
+
+libcs such as musl expect ENOSYS to be returned (not EPERM) in their
+fallback code, so change the seccomp filter to be more agreeable to
+them.
+
+At the same time, clock_gettime is permitted in the filter, so permit
+clock_gettime64 as well -- it will be needed by 2038 in any case.
+
+* lib/sandbox.c (make_seccomp_filter): Set default action to
+SCMP_ACT_ERRNO (ENOSYS). Allow clock_gettime64.
+* NEWS: Document this.
+---
+ NEWS | 9 +++++++++
+ lib/sandbox.c | 3 ++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/lib/sandbox.c b/lib/sandbox.c
+index 21ec28aa..d934a0f9 100644
+--- a/lib/sandbox.c
++++ b/lib/sandbox.c
+@@ -232,7 +232,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
+ ;
+
+ debug ("initialising seccomp filter (permissive: %d)\n", permissive);
+- ctx = seccomp_init (SCMP_ACT_ERRNO (EPERM));
++ ctx = seccomp_init (SCMP_ACT_ERRNO (ENOSYS));
+ if (!ctx)
+ error (FATAL, errno, "can't initialise seccomp filter");
+
+@@ -271,6 +271,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
+ /* systemd: SystemCallFilter=@default */
+ SC_ALLOW ("clock_getres");
+ SC_ALLOW ("clock_gettime");
++ SC_ALLOW ("clock_gettime64");
+ SC_ALLOW ("clock_nanosleep");
+ SC_ALLOW ("execve");
+ SC_ALLOW ("exit");
+-- 
+cgit v1.2.1
+
diff --git a/sys-apps/man-db/man-db-2.9.3-r1.ebuild b/sys-apps/man-db/man-db-2.9.3-r1.ebuild
new file mode 100644
index 000000000000..35e2bb5d6ce5
--- /dev/null
+++ b/sys-apps/man-db/man-db-2.9.3-r1.ebuild
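Review bot: Switching the default action to `SCMP_ACT_ERRNO (ENOSYS)` makes a syscall the filter rejects indistinguishable, from errno alone, from one the kernel does not implement, so a denial in the non-permissive mode no longer looks like policy; the `seccomp_init` line deserves a comment recording the trade-off, e.g. `/* ENOSYS rather than EPERM: musl/glibc treat it as "syscall unavailable" and fall back (clock_gettime64 -> clock_gettime); denials therefore look like a missing syscall, not a policy hit. */`. The allowlist gains `clock_gettime64` but not the time64 counterparts of the neighbouring calls (`clock_getres_time64`, `clock_nanosleep_time64`); a 32-bit libc with 64-bit time_t will presumably try those first as well, and although the new ENOSYS default lets it fall back, allowing them is the consistent choice for the same reason given for clock_gettime64 — verify against the libcs targeted. How `SC_ALLOW` behaves when libseccomp cannot resolve the name on the build host (clock_gettime64 is a 32-bit-only syscall number) is defined outside this hunk and should be checked so the filter is not silently weakened or rejected on 64-bit builds. make_seccomp_filter continues beyond both inner hunks.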
@@ -0,0 +1,162 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd
+
+DESCRIPTION="a man replacement that utilizes berkdb instead of flat files"
+HOMEPAGE="http://www.nongnu.org/man-db/"
+if [[ "${PV}" = 9999* ]] ; then
+ inherit autotools git-r3
+ EGIT_REPO_URI="https://git.savannah.gnu.org/git/man-db.git"
+else
+ SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="berkdb +gdbm +manpager nls +seccomp selinux static-libs zlib"
+
+CDEPEND="
+ !sys-apps/man
+ >=dev-libs/libpipeline-1.5.0
+ sys-apps/groff
+ gdbm? ( sys-libs/gdbm:= )
+ !gdbm? ( berkdb? ( sys-libs/db:= ) )
+ !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) )
+ seccomp? ( sys-libs/libseccomp )
+ zlib? ( sys-libs/zlib )
+"
+DEPEND="${CDEPEND}"
+BDEPEND="
+ app-arch/xz-utils
+ virtual/pkgconfig
+ nls? (
+ >=app-text/po4a-0.45
+ sys-devel/gettext
+ )
+"
+RDEPEND="
+ ${CDEPEND}
+ acct-group/man
+ acct-user/man
+ selinux? ( sec-policy/selinux-mandb )
+"
+PDEPEND="manpager? ( app-text/manpager )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.9.3-sandbox-env-tests.patch
+ "${FILESDIR}"/man-db-2.9.3-clock_gettime64.patch
+)
+
+pkg_setup() {
+ if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150
+ ewarn "Defaulting to USE=gdbm due to ambiguous berkdb/gdbm USE flag settings"
+ fi
+}
+
+src_unpack() {
+ if [[ "${PV}" == *9999 ]] ; then
+ git-r3_src_unpack
+
+ # We need to mess with gnulib :-/
+ EGIT_REPO_URI="https://git.savannah.gnu.org/r/gnulib.git" \
+ EGIT_CHECKOUT_DIR="${WORKDIR}/gnulib" \
+ git-r3_src_unpack
+ else
+ default
+ fi
+}
+
+src_prepare() {
+ default
+ if [[ "${PV}" == *9999 ]] ; then
+ local bootstrap_opts=(
+ --gnulib-srcdir=../gnulib
+ --no-bootstrap-sync
+ --copy
+ --no-git
+ )
+ AUTORECONF="/bin/true" \
+ LIBTOOLIZE="/bin/true" \
+ sh ./bootstrap "${bootstrap_opts[@]}" || die
+
+ eautoreconf
+ fi
+}
+
+src_configure() {
+ export ac_cv_lib_z_gzopen=$(usex zlib)
+ local myeconfargs=(
+ --with-systemdtmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d
+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+ --disable-setuid #662438
+ --enable-cache-owner=man
+ --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x"
+ $(use_enable nls)
+ $(use_enable static-libs static)
+ $(use_with seccomp libseccomp)
+ --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
+ )
+ econf "${myeconfargs[@]}"
+
+ # Disable color output from groff so that the manpager can add it. #184604
+ sed -i \
+ -e '/^#DEFINE.*\<[nt]roff\>/{s:^#::;s:$: -c:}' \
+ src/man_db.conf || die
+
+ cat > 15man-db <<-EOF || die
+ SANDBOX_PREDICT="/var/cache/man"
+ EOF
+}
+
+src_install() {
+ default
+ dodoc docs/{HACKING,TODO}
+ find "${ED}" -type f -name "*.la" -delete || die
+
+ exeinto /etc/cron.daily
+ newexe "${FILESDIR}"/man-db.cron-r1 man-db #289884
+
+ insinto /etc/sandbox.d
+ doins 15man-db
+}
+
+pkg_preinst() {
+ local cachedir="${EROOT}/var/cache/man"
+ # If the system was already exploited, and the attacker is hiding in the
+ # cachedir of the old man-db, let's wipe them out.
+ # see bug #602588 comment 18
+ local _replacing_version=
+ local _setgid_vuln=0
+ for _replacing_version in ${REPLACING_VERSIONS}; do
+ if ver_test '2.7.6.1-r2' -le "${_replacing_version}"; then
+ debug-print "Skipping security bug #602588 ... existing installation (${_replacing_version}) should not be affected!"
+ else
+ _setgid_vuln=1
+ debug-print "Applying cleanup for security bug #602588"
+ fi
+ done
+ [[ ${_setgid_vuln} -eq 1 ]] && rm -rf "${cachedir}"
+
+ # Fall back to recreating the cachedir
+ if [[ ! -d ${cachedir} ]] ; then
+ mkdir -p "${cachedir}" || die
+ chown man:man "${cachedir}" || die
+ fi
+
+ # Update the whatis cache
+ if [[ -f ${cachedir}/whatis ]] ; then
+ einfo "Cleaning ${cachedir} from sys-apps/man"
+ find "${cachedir}" -type f '!' '(' -name index.bt -o -name index.db ')' -delete
+ fi
+}
+
+pkg_postinst() {
+ if [[ $(ver_cut 2 ${REPLACING_VERSIONS}) -lt 7 ]] ; then
+ einfo "Rebuilding man-db from scratch with new database format!"
+ su man -s /bin/sh -c 'mandb --quiet --create' 2>/dev/null
+ fi
+}
diff --git a/sys-apps/man-db/man-db-9999.ebuild b/sys-apps/man-db/man-db-9999.ebuild
index 25d02ea5f572..cf3711365b0a 100644
--- a/sys-apps/man-db/man-db-9999.ebuild
+++ b/sys-apps/man-db/man-db-9999.ebuild
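Review bot: In pkg_postinst, `su man -s /bin/sh -c 'mandb --quiet --create' 2>/dev/null` throws away both stderr and the exit status, so a failed rebuild (missing `man` account, `su` refusing a shell, mandb erroring on the new database format) passes silently and leaves a stale or absent index; it should at least be surfaced, e.g. `su man -s /bin/sh -c 'mandb --quiet --create' || ewarn "mandb --create failed; run it manually as the man user"`. The guard `[[ $(ver_cut 2 ${REPLACING_VERSIONS}) -lt 7 ]]` passes the whole space-separated `REPLACING_VERSIONS` to `ver_cut`, which presumably examines only the first entry, whereas pkg_preinst directly above loops over every replaced version for the #602588 cleanup — the same loop should decide the rebuild so a multi-version replacement is not mis-judged. Separately, the `find "${cachedir}" ... -delete` in pkg_preinst is the one command in the file without `|| die`, so a cache-cleaning failure is also swallowed. All functions in this new file are fully contained in the hunk.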
@@ -46,7 +46,9 @@ RDEPEND="
 "
 PDEPEND="manpager? ( app-text/manpager )"
 
-PATCHES=( "${FILESDIR}"/${PN}-2.9.3-sandbox-env-tests.patch )
+PATCHES=(
+ "${FILESDIR}"/man-db-2.9.3-sandbox-env-tests.patch
+)
 
 pkg_setup() {
 if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150