From 36f9f88e7216789a31548076ae77a83ce59f4a8c Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 18:57:20 +0100
Subject: [PATCH 01/37] app-admin/etcd-wrapper: Port to tmpfiles eclass

---
 ...tcd-wrapper-3.5.0.ebuild => etcd-wrapper-3.5.0-r1.ebuild} | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/{etcd-wrapper-3.5.0.ebuild => etcd-wrapper-3.5.0-r1.ebuild} (88%)

diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/etcd-wrapper-3.5.0.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/etcd-wrapper-3.5.0-r1.ebuild
similarity index 88%
rename from sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/etcd-wrapper-3.5.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/etcd-wrapper-3.5.0-r1.ebuild
index de8545b4fc..62e4fd6ecb 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/etcd-wrapper-3.5.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/etcd-wrapper-3.5.0-r1.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=6
 
-inherit systemd
+TMPFILES_OPTIONAL=1
+inherit systemd tmpfiles
 
 DESCRIPTION="etcd (System Application Container)"
 HOMEPAGE="https://github.com/etcd-io/etcd"
@@ -31,5 +32,5 @@ src_install() {
 	sed "s|@ETCD_IMAGE_TAG@|${tag}|g" \
 		"${FILESDIR}"/etcd-member.service > ${T}/etcd-member.service
 	systemd_dounit ${T}/etcd-member.service
-	systemd_dotmpfilesd "${FILESDIR}"/etcd-wrapper.conf
+	dotmpfiles "${FILESDIR}"/etcd-wrapper.conf
 }

From b0603768b409bc46c87c4ccdad6ad11f8cd2f15f Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 18:59:24 +0100
Subject: [PATCH 02/37] app-crypt/trousers: Clean slate to reapply our changes

---
 .../app-crypt/trousers/files/system.data      |  1 -
 .../app-crypt/trousers/files/tcsd.service     |  3 -
 .../trousers/files/tmpfiles.d/trousers.conf   |  3 -
 ...-24330_CVE-2020-24331_CVE-2020-24332.patch | 58 -------------------
 .../trousers/trousers-0.3.14-r2.ebuild        | 25 +-------
 5 files changed, 2 insertions(+), 88 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/system.data
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tmpfiles.d/trousers.conf
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/trousers-0.3.14-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/system.data b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/system.data
deleted file mode 100644
index b498fd495d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/system.data
+++ /dev/null
@@ -1 +0,0 @@
-/
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tcsd.service b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tcsd.service
index c4dc803dfc..4a46e6143b 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tcsd.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tcsd.service
@@ -1,11 +1,8 @@
 [Unit]
 Description=TCG Core Services Daemon
-ConditionPathExists=/dev/tpm0
-ConditionSecurity=!tpm2
 
 [Service]
 User=tss
-ExecCondition=/bin/bash -c "/usr/bin/test $(cat /sys/class/tpm/*/tpm_version_major | grep -m 1 1 || echo 0) -eq 1"
 ExecStart=/usr/sbin/tcsd -f
 
 [Install]
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tmpfiles.d/trousers.conf b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tmpfiles.d/trousers.conf
deleted file mode 100644
index ad2171ad3d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tmpfiles.d/trousers.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-d /var/lib/tpm 0755 tss tss - -
-C /etc/tcsd.conf 0640 root tss - /usr/share/trousers/tcsd.conf
-C /var/lib/tpm/system.data 0600 tss tss - /usr/share/trousers/system.data
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/trousers-0.3.14-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/trousers-0.3.14-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch
deleted file mode 100644
index 10031e0882..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/trousers-0.3.14-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-Index: trousers-0.3.14/src/tcs/ps/tcsps.c
-===================================================================
---- trousers-0.3.14.orig/src/tcs/ps/tcsps.c
-+++ trousers-0.3.14/src/tcs/ps/tcsps.c
-@@ -72,7 +72,7 @@ get_file()
- 	}
- 
- 	/* open and lock the file */
--	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
-+	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
- 	if (system_ps_fd < 0) {
- 		LogError("system PS: open() of %s failed: %s",
- 				tcsd_options.system_ps_file, strerror(errno));
-Index: trousers-0.3.14/src/tcsd/svrside.c
-===================================================================
---- trousers-0.3.14.orig/src/tcsd/svrside.c
-+++ trousers-0.3.14/src/tcsd/svrside.c
-@@ -473,6 +473,7 @@ main(int argc, char **argv)
- 		}
- 		return TCSERR(TSS_E_INTERNAL_ERROR);
- 	}
-+	setgid(pwd->pw_gid);
- 	setuid(pwd->pw_uid);
- #endif
- #endif
-Index: trousers-0.3.14/src/tcsd/tcsd_conf.c
-===================================================================
---- trousers-0.3.14.orig/src/tcsd/tcsd_conf.c
-+++ trousers-0.3.14/src/tcsd/tcsd_conf.c
-@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
- #ifndef SOLARIS
- 	struct group *grp;
- 	struct passwd *pw;
--	mode_t mode = (S_IRUSR|S_IWUSR);
-+	mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
- #endif /* SOLARIS */
- 	TSS_RESULT result;
- 
-@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
- 	}
- 
- 	/* make sure user/group TSS owns the conf file */
--	if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
-+	if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
- 		LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
--				TSS_USER_NAME, TSS_GROUP_NAME);
-+				"root", TSS_GROUP_NAME);
- 		return TCSERR(TSS_E_INTERNAL_ERROR);
- 	}
- 
--	/* make sure only the tss user can manipulate the config file */
-+	/* make sure only the tss user can read (but not manipulate) the config file */
- 	if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
--		LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
-+		LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
- 		return TCSERR(TSS_E_INTERNAL_ERROR);
- 	}
- #endif /* SOLARIS */
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/trousers-0.3.14-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/trousers-0.3.14-r2.ebuild
index fce278c35c..a36ff68307 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/trousers-0.3.14-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/trousers-0.3.14-r2.ebuild
@@ -1,8 +1,3 @@
-# Flatcar modifications:
-# - added "Flatcar:" customizations
-# - added condition to files/tcsd.service
-# - created files/tmpfiles.d/trousers.conf
-# - created files/system.data
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
@@ -36,7 +31,6 @@ PATCHES=(
 	"${FILESDIR}/${P}-libressl.patch"
 	"${FILESDIR}/${P}-fno-common.patch"
 	"${FILESDIR}/${P}-Makefile.am-Mark-tddl.a-nodist.patch"
-	"${FILESDIR}/${P}-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch"
 )
 
 DOCS="AUTHORS ChangeLog NICETOHAVES README TODO"
@@ -65,25 +59,10 @@ src_install() {
 
 	keepdir /var/lib/tpm
 	use doc && dodoc doc/*
-	# Flatcar:
-	# (removed newinitd and newconfd)
-	fowners root:tss /etc/tcsd.conf
-
+	newinitd "${FILESDIR}"/tcsd.initd tcsd
+	newconfd "${FILESDIR}"/tcsd.confd tcsd
 	systemd_dounit "${FILESDIR}"/tcsd.service
-
-	# Flatcar:
-	systemd_enable_service multi-user.target tcsd.service
-
 	udev_dorules "${FILESDIR}"/61-trousers.rules
 	fowners tss:tss /var/lib/tpm
 	readme.gentoo_create_doc
-
-	# Flatcar:
-	insinto /usr/share/trousers/
-	doins "${FILESDIR}"/system.data
-	# stash a copy of the config so we can restore it from tmpfiles
-	doins "${D}"/etc/tcsd.conf
-	fowners tss:tss /usr/share/trousers/system.data
-	fowners root:tss /usr/share/trousers/tcsd.conf
-	systemd_dotmpfilesd "${FILESDIR}"/tmpfiles.d/trousers.conf
 }

From d126cac46841aff1996c079e8bb6b15ff83cfba0 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 18:34:24 +0100
Subject: [PATCH 03/37] app-crypt/trousers: Apply Flatcar modifications

---
 .../app-crypt/trousers/files/system.data      |  1 +
 .../app-crypt/trousers/files/tcsd.service     |  3 +
 .../trousers/files/tmpfiles.d/trousers.conf   |  3 +
 ...-24330_CVE-2020-24331_CVE-2020-24332.patch | 58 +++++++++++++++++++
 .../trousers/trousers-0.3.14-r2.ebuild        | 29 +++++++++-
 5 files changed, 91 insertions(+), 3 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/system.data
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tmpfiles.d/trousers.conf
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/trousers-0.3.14-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/system.data b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/system.data
new file mode 100644
index 0000000000..b498fd495d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/system.data
@@ -0,0 +1 @@
+/
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tcsd.service b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tcsd.service
index 4a46e6143b..c4dc803dfc 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tcsd.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tcsd.service
@@ -1,8 +1,11 @@
 [Unit]
 Description=TCG Core Services Daemon
+ConditionPathExists=/dev/tpm0
+ConditionSecurity=!tpm2
 
 [Service]
 User=tss
+ExecCondition=/bin/bash -c "/usr/bin/test $(cat /sys/class/tpm/*/tpm_version_major | grep -m 1 1 || echo 0) -eq 1"
 ExecStart=/usr/sbin/tcsd -f
 
 [Install]
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tmpfiles.d/trousers.conf b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tmpfiles.d/trousers.conf
new file mode 100644
index 0000000000..ad2171ad3d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/tmpfiles.d/trousers.conf
@@ -0,0 +1,3 @@
+d /var/lib/tpm 0755 tss tss - -
+C /etc/tcsd.conf 0640 root tss - /usr/share/trousers/tcsd.conf
+C /var/lib/tpm/system.data 0600 tss tss - /usr/share/trousers/system.data
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/trousers-0.3.14-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/trousers-0.3.14-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch
new file mode 100644
index 0000000000..10031e0882
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/files/trousers-0.3.14-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch
@@ -0,0 +1,58 @@
+Index: trousers-0.3.14/src/tcs/ps/tcsps.c
+===================================================================
+--- trousers-0.3.14.orig/src/tcs/ps/tcsps.c
++++ trousers-0.3.14/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ 	}
+ 
+ 	/* open and lock the file */
+-	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ 	if (system_ps_fd < 0) {
+ 		LogError("system PS: open() of %s failed: %s",
+ 				tcsd_options.system_ps_file, strerror(errno));
+Index: trousers-0.3.14/src/tcsd/svrside.c
+===================================================================
+--- trousers-0.3.14.orig/src/tcsd/svrside.c
++++ trousers-0.3.14/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ 		}
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
++	setgid(pwd->pw_gid);
+ 	setuid(pwd->pw_uid);
+ #endif
+ #endif
+Index: trousers-0.3.14/src/tcsd/tcsd_conf.c
+===================================================================
+--- trousers-0.3.14.orig/src/tcsd/tcsd_conf.c
++++ trousers-0.3.14/src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+ 	struct group *grp;
+ 	struct passwd *pw;
+-	mode_t mode = (S_IRUSR|S_IWUSR);
++	mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+ 	TSS_RESULT result;
+ 
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+ 	}
+ 
+ 	/* make sure user/group TSS owns the conf file */
+-	if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
++	if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+ 		LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+-				TSS_USER_NAME, TSS_GROUP_NAME);
++				"root", TSS_GROUP_NAME);
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
+ 
+-	/* make sure only the tss user can manipulate the config file */
++	/* make sure only the tss user can read (but not manipulate) the config file */
+ 	if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+-		LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
++		LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
+ #endif /* SOLARIS */
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/trousers-0.3.14-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/trousers-0.3.14-r2.ebuild
index a36ff68307..b00c14f14c 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/trousers-0.3.14-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/trousers/trousers-0.3.14-r2.ebuild
@@ -1,9 +1,15 @@
+# Flatcar modifications:
+# - added "Flatcar:" customizations
+# - added condition to files/tcsd.service
+# - created files/tmpfiles.d/trousers.conf
+# - created files/system.data
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-inherit autotools linux-info readme.gentoo-r1 systemd udev
+TMPFILES_OPTIONAL=1
+inherit autotools linux-info readme.gentoo-r1 systemd tmpfiles udev
 
 DESCRIPTION="An open-source TCG Software Stack (TSS) v1.1 implementation"
 HOMEPAGE="http://trousers.sf.net"
@@ -31,6 +37,7 @@ PATCHES=(
 	"${FILESDIR}/${P}-libressl.patch"
 	"${FILESDIR}/${P}-fno-common.patch"
 	"${FILESDIR}/${P}-Makefile.am-Mark-tddl.a-nodist.patch"
+	"${FILESDIR}/${P}-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch"
 )
 
 DOCS="AUTHORS ChangeLog NICETOHAVES README TODO"
@@ -59,10 +66,26 @@ src_install() {
 
 	keepdir /var/lib/tpm
 	use doc && dodoc doc/*
-	newinitd "${FILESDIR}"/tcsd.initd tcsd
-	newconfd "${FILESDIR}"/tcsd.confd tcsd
+	# Flatcar: Comment out the openrc stuff.
+	# newinitd "${FILESDIR}"/tcsd.initd tcsd
+	# newconfd "${FILESDIR}"/tcsd.confd tcsd
+	fowners root:tss /etc/tcsd.conf
+
 	systemd_dounit "${FILESDIR}"/tcsd.service
+
+	# Flatcar:
+	systemd_enable_service multi-user.target tcsd.service
+
 	udev_dorules "${FILESDIR}"/61-trousers.rules
 	fowners tss:tss /var/lib/tpm
 	readme.gentoo_create_doc
+
+	# Flatcar:
+	insinto /usr/share/trousers/
+	doins "${FILESDIR}"/system.data
+	# stash a copy of the config so we can restore it from tmpfiles
+	doins "${D}"/etc/tcsd.conf
+	fowners tss:tss /usr/share/trousers/system.data
+	fowners root:tss /usr/share/trousers/tcsd.conf
+	dotmpfiles "${FILESDIR}"/tmpfiles.d/trousers.conf
 }

From 1e5df051b4d5307cdbd1925da306549f0b6d69d0 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 19:02:46 +0100
Subject: [PATCH 04/37] app-misc/ca-certificates: Port to tmpfiles eclass

---
 .../app-misc/ca-certificates/ca-certificates-3.73-r1.ebuild  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.73-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.73-r1.ebuild
index 49fcc9981e..ccf8d89c08 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.73-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.73-r1.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=7
 PYTHON_COMPAT=( python3_{6..10} )
-inherit python-any-r1 systemd
+TMPFILES_OPTIONAL=1
+inherit python-any-r1 systemd tmpfiles
 
 RTM_NAME="NSS_${PV//./_}_RTM"
 MY_PN="nss"
@@ -88,7 +89,7 @@ src_install() {
 	systemd_dounit "${FILESDIR}/update-ca-certificates.service"
 	systemd_enable_service sysinit.target clean-ca-certificates.service
 	systemd_enable_service sysinit.target update-ca-certificates.service
-	systemd_dotmpfilesd ${PN}.conf
+	dotmpfiles ${PN}.conf
 
 	# Setup initial links in /etc
 	dodir /etc/ssl/certs

From 13bb7c3bf32e1258f5dfac53c97ede822f7b2457 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 19:05:01 +0100
Subject: [PATCH 05/37] coreos-base/update_engine: Port to tmpfiles eclass

---
 ...ngine-0.4.10-r4.ebuild => update_engine-0.4.10-r5.ebuild} | 0
 .../coreos-base/update_engine/update_engine-9999.ebuild      | 5 +++--
 2 files changed, 3 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/{update_engine-0.4.10-r4.ebuild => update_engine-0.4.10-r5.ebuild} (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r5.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-0.4.10-r5.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild
index 7bdbe7d146..e14292cd13 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/update_engine/update_engine-9999.ebuild
@@ -12,7 +12,8 @@ else
 	KEYWORDS="amd64 arm64"
 fi
 
-inherit autotools flag-o-matic toolchain-funcs cros-workon systemd
+TMPFILES_OPTIONAL=1
+inherit autotools flag-o-matic toolchain-funcs cros-workon systemd tmpfiles
 
 DESCRIPTION="CoreOS OS Update Engine"
 HOMEPAGE="https://github.com/coreos/update_engine"
@@ -105,5 +106,5 @@ src_install() {
 	doins com.coreos.update1.conf
 
 	# Install rule to remove old UpdateEngine.conf from /etc
-	systemd_dotmpfilesd "${FILESDIR}"/update-engine.conf
+	dotmpfiles "${FILESDIR}"/update-engine.conf
 }

From 036628635052d09ff983af0f24526e8da800beb6 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 19:06:24 +0100
Subject: [PATCH 06/37] dev-libs/cyrus-sasl: Clean slate to reapply our changes

---
 .../cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild    |  2 -
 ...yrus-sasl-2.1.27-fix-cross-compiling.patch | 40 -------------------
 2 files changed, 42 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-fix-cross-compiling.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
index bcbff9d8ba..d7fb6c3409 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
@@ -57,8 +57,6 @@ PATCHES=(
 	"${FILESDIR}/${PN}-2.1.27-doc_build_fix.patch"
 	"${FILESDIR}/${PN}-2.1.27-memmem.patch"
 	"${FILESDIR}/${PN}-2.1.27-CVE-2019-19906.patch"
-	# Flatcar:
-	"${FILESDIR}/${PN}-2.1.27-fix-cross-compiling.patch"
 )
 
 pkg_setup() {
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-fix-cross-compiling.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-fix-cross-compiling.patch
deleted file mode 100644
index 86fbcad2e4..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-fix-cross-compiling.patch
+++ /dev/null
@@ -1,40 +0,0 @@
---- cyrus-sasl-2.1.27/m4/sasl2.m4
-+++ cyrus-sasl-2.1.27/m4/sasl2.m4
-@@ -311,36 +311,7 @@ if test "$gssapi" != no; then
-                     [AC_DEFINE(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF,,
-                                [Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF])])
-   fi
--  cmu_save_LIBS="$LIBS"
--  LIBS="$LIBS $GSSAPIBASE_LIBS"
--
--  AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries])
--  AC_TRY_RUN([
--#ifdef HAVE_GSSAPI_H
--#include <gssapi.h>
--#else
--#include <gssapi/gssapi.h>
--#endif
--
--int main(void)
--{
--    gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
--    gss_OID_set mech_set;
--    OM_uint32 min_stat;
--    int have_spnego = 0;
--                                                                               
--    if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) {
--	gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego);
--	gss_release_oid_set(&min_stat, &mech_set);
--    }
--
--    return (!have_spnego);  // 0 = success, 1 = failure
--}
--],	
--	[ AC_DEFINE(HAVE_GSS_SPNEGO,,[Define if your GSSAPI implementation supports SPNEGO])
--	AC_MSG_RESULT(yes) ],
--	AC_MSG_RESULT(no))
--  LIBS="$cmu_save_LIBS"
-+  AC_DEFINE(HAVE_GSS_SPNEGO,,[1])
- 
- else
-   AC_MSG_RESULT([disabled])

From e8c04ce6c41527b09c4b6b915e645511ac5863d8 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:20:09 +0100
Subject: [PATCH 07/37] dev-libs/cyrus-sasl: Apply Flatcar modifications

---
 .../cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild    |  7 +++-
 ...yrus-sasl-2.1.27-fix-cross-compiling.patch | 40 +++++++++++++++++++
 2 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-fix-cross-compiling.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
index d7fb6c3409..2501feed45 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.27-r3.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=7
 
-inherit eutils flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd
+TMPFILES_OPTIONAL=1
+inherit eutils flag-o-matic multilib multilib-minimal autotools pam java-pkg-opt-2 db-use systemd tmpfiles
 
 SASLAUTHD_CONF_VER="2.1.26"
 
@@ -57,6 +58,8 @@ PATCHES=(
 	"${FILESDIR}/${PN}-2.1.27-doc_build_fix.patch"
 	"${FILESDIR}/${PN}-2.1.27-memmem.patch"
 	"${FILESDIR}/${PN}-2.1.27-CVE-2019-19906.patch"
+	# Flatcar:
+	"${FILESDIR}/${PN}-2.1.27-fix-cross-compiling.patch"
 )
 
 pkg_setup() {
@@ -224,7 +227,7 @@ multilib_src_install_all() {
 	newinitd "${FILESDIR}/saslauthd2.rc7" saslauthd
 	newconfd "${FILESDIR}/saslauthd-${SASLAUTHD_CONF_VER}.conf" saslauthd
 	systemd_dounit "${FILESDIR}/saslauthd.service"
-	systemd_dotmpfilesd "${FILESDIR}/${PN}.conf"
+	dotmpfiles "${FILESDIR}/${PN}.conf"
 
 	# The get_modname bit is important: do not remove the .la files on
 	# platforms where the lib isn't called .so for cyrus searches the .la to
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-fix-cross-compiling.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-fix-cross-compiling.patch
new file mode 100644
index 0000000000..86fbcad2e4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.27-fix-cross-compiling.patch
@@ -0,0 +1,40 @@
+--- cyrus-sasl-2.1.27/m4/sasl2.m4
++++ cyrus-sasl-2.1.27/m4/sasl2.m4
+@@ -311,36 +311,7 @@ if test "$gssapi" != no; then
+                     [AC_DEFINE(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF,,
+                                [Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF])])
+   fi
+-  cmu_save_LIBS="$LIBS"
+-  LIBS="$LIBS $GSSAPIBASE_LIBS"
+-
+-  AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries])
+-  AC_TRY_RUN([
+-#ifdef HAVE_GSSAPI_H
+-#include <gssapi.h>
+-#else
+-#include <gssapi/gssapi.h>
+-#endif
+-
+-int main(void)
+-{
+-    gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
+-    gss_OID_set mech_set;
+-    OM_uint32 min_stat;
+-    int have_spnego = 0;
+-                                                                               
+-    if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) {
+-	gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego);
+-	gss_release_oid_set(&min_stat, &mech_set);
+-    }
+-
+-    return (!have_spnego);  // 0 = success, 1 = failure
+-}
+-],	
+-	[ AC_DEFINE(HAVE_GSS_SPNEGO,,[Define if your GSSAPI implementation supports SPNEGO])
+-	AC_MSG_RESULT(yes) ],
+-	AC_MSG_RESULT(no))
+-  LIBS="$cmu_save_LIBS"
++  AC_DEFINE(HAVE_GSS_SPNEGO,,[1])
+ 
+ else
+   AC_MSG_RESULT([disabled])

From f6983eb7b24a882ee85dcaf4e9291b284b4484c9 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:24:13 +0100
Subject: [PATCH 08/37] dev-libs/openssl: Clean slate to reapply our changes

---
 .../dev-libs/openssl/files/openssl.conf       |  3 ---
 .../dev-libs/openssl/openssl-3.0.0.ebuild     | 24 +++++++++----------
 2 files changed, 12 insertions(+), 15 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
deleted file mode 100644
index d8788d2929..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-d      /etc/ssl                -       -       -       -       -
-d      /etc/ssl/private        0700    -       -       -       -
-L      /etc/ssl/openssl.cnf    -       -       -       -       ../../usr/share/ssl/openssl.cnf
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.0.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.0.ebuild
index 41e616da20..dad6d1b877 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.0.ebuild
@@ -3,7 +3,7 @@
 
 EAPI="7"
 
-inherit flag-o-matic linux-info toolchain-funcs multilib-minimal systemd
+inherit flag-o-matic linux-info toolchain-funcs multilib-minimal
 
 MY_P=${P/_/-}
 
@@ -248,6 +248,9 @@ multilib_src_install_all() {
 
 	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
 
+	# create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
 	# Namespace openssl programs to prevent conflicts with other man pages
 	cd "${ED}"/usr/share/man || die
 	local m d s
@@ -279,15 +282,12 @@ multilib_src_install_all() {
 	dodir /etc/sandbox.d #254521
 	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
 
-	# flatcar changes: do not keep the sample CA files in `/etc`
-	rm -rf "${ED}"${SSL_CNF_DIR}
-
-	# flatcar changes: save the default `openssl.cnf` in `/usr`
-	dodir /usr/share/ssl
-	insinto /usr/share/ssl
-	doins "${S}"/apps/openssl.cnf
-	systemd_dotmpfilesd "${FILESDIR}"/openssl.conf
-
-	# flatcar changes: package `tmpfiles.d` setup for SDK bootstrapping.
-	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
 }

From cc795e270aa21a52b56c21412373ac18f989f526 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:25:11 +0100
Subject: [PATCH 09/37] dev-libs/openssl: Apply Flatcar modifications

- drop `pkg_postint`
- create `/etc/ssl` with tmpfiles
---
 .../dev-libs/openssl/files/openssl.conf       |  3 +++
 .../dev-libs/openssl/openssl-3.0.0.ebuild     | 23 ++++++++++---------
 2 files changed, 15 insertions(+), 11 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
new file mode 100644
index 0000000000..d8788d2929
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
@@ -0,0 +1,3 @@
+d      /etc/ssl                -       -       -       -       -
+d      /etc/ssl/private        0700    -       -       -       -
+L      /etc/ssl/openssl.cnf    -       -       -       -       ../../usr/share/ssl/openssl.cnf
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.0.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.0.ebuild
index dad6d1b877..21f479c80d 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.0.ebuild
@@ -3,7 +3,8 @@
 
 EAPI="7"
 
-inherit flag-o-matic linux-info toolchain-funcs multilib-minimal
+TMPFILES_OPTIONAL=1
+inherit flag-o-matic linux-info toolchain-funcs multilib-minimal systemd tmpfiles
 
 MY_P=${P/_/-}
 
@@ -248,9 +249,6 @@ multilib_src_install_all() {
 
 	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
 
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
 	# Namespace openssl programs to prevent conflicts with other man pages
 	cd "${ED}"/usr/share/man || die
 	local m d s
@@ -282,12 +280,15 @@ multilib_src_install_all() {
 	dodir /etc/sandbox.d #254521
 	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
 
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
+	# flatcar changes: do not keep the sample CA files in `/etc`
+	rm -rf "${ED}"${SSL_CNF_DIR}
 
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
+	# flatcar changes: save the default `openssl.cnf` in `/usr`
+	dodir /usr/share/ssl
+	insinto /usr/share/ssl
+	doins "${S}"/apps/openssl.cnf
+	dotmpfiles "${FILESDIR}"/openssl.conf
+
+	# flatcar changes: package `tmpfiles.d` setup for SDK bootstrapping.
+	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf
 }

From 63490fac0cc500eb9884dcc7dd699eaee252c3f3 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:31:40 +0100
Subject: [PATCH 10/37] net-fs/nfs-utils: Clean slate to reapply our changes

---
 .../net-fs/nfs-utils/files/exports            |   1 +
 .../net-fs/nfs-utils/files/nfs.confd          |  38 ++++
 .../net-fs/nfs-utils/files/nfs.initd          | 162 ++++++++++++++++++
 .../net-fs/nfs-utils/files/nfsclient.confd    |  18 ++
 .../net-fs/nfs-utils/files/nfsclient.initd    |  33 ++++
 .../net-fs/nfs-utils/files/nfsmount.confd     |   7 +
 .../nfs-utils/files/nfsmount.initd-1.3.1      |  26 +++
 .../net-fs/nfs-utils/files/rpc.gssd.initd     |  23 +++
 .../net-fs/nfs-utils/files/rpc.idmapd.initd   |  25 +++
 .../net-fs/nfs-utils/files/rpc.pipefs.initd   |  32 ++++
 .../net-fs/nfs-utils/files/rpc.statd.initd    |  32 ++++
 .../net-fs/nfs-utils/files/rpc.svcgssd.initd  |  23 +++
 .../nfs-utils/nfs-utils-2.3.1-r3.ebuild       |  63 ++++++-
 13 files changed, 476 insertions(+), 7 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/exports
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.confd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.initd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.confd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.initd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.confd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.initd-1.3.1
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.gssd.initd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.idmapd.initd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.pipefs.initd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.statd.initd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.svcgssd.initd

diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/exports b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/exports
new file mode 100644
index 0000000000..5102ef27c1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/exports
@@ -0,0 +1 @@
+# /etc/exports: NFS file systems being exported.  See exports(5).
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.confd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.confd
new file mode 100644
index 0000000000..9dc14058c1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.confd
@@ -0,0 +1,38 @@
+# /etc/conf.d/nfs
+
+# If you wish to set the port numbers for lockd,
+# please see /etc/sysctl.conf
+
+# Optional services to include in default `/etc/init.d/nfs start`
+# For NFSv4 users, you'll want to add "rpc.idmapd" here.
+NFS_NEEDED_SERVICES=""
+
+# Options to pass to rpc.nfsd
+OPTS_RPC_NFSD="8"
+
+# Options to pass to rpc.mountd
+# ex. OPTS_RPC_MOUNTD="-p 32767"
+OPTS_RPC_MOUNTD=""
+
+# Options to pass to rpc.statd
+# ex. OPTS_RPC_STATD="-p 32765 -o 32766"
+OPTS_RPC_STATD=""
+
+# Options to pass to rpc.idmapd
+OPTS_RPC_IDMAPD=""
+
+# Options to pass to rpc.gssd
+OPTS_RPC_GSSD=""
+
+# Options to pass to rpc.svcgssd
+OPTS_RPC_SVCGSSD=""
+
+# Options to pass to rpc.rquotad (requires sys-fs/quota)
+OPTS_RPC_RQUOTAD=""
+
+# Timeout (in seconds) for exportfs
+EXPORTFS_TIMEOUT=30
+
+# Options to set in the nfsd filesystem (/proc/fs/nfsd/).
+# Format is <option>=<value>.  Multiple options are allowed.
+#OPTS_NFSD="nfsv4leasetime=30 max_block_size=4096"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.initd
new file mode 100644
index 0000000000..4b572fc2e5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.initd
@@ -0,0 +1,162 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands="reload"
+
+# This variable is used for controlling whether or not to run exportfs -ua;
+# see stop() for more information
+restarting=no
+
+# The binary locations
+exportfs=/usr/sbin/exportfs
+  mountd=/usr/sbin/rpc.mountd
+    nfsd=/usr/sbin/rpc.nfsd
+smnotify=/usr/sbin/sm-notify
+
+depend() {
+	local myneed=""
+	# XXX: no way to detect NFSv4 is desired and so need rpc.idmapd
+	myneed="${myneed} $(
+		awk '!/^[[:space:]]*#/ {
+			# clear the path to avoid spurious matches
+			$1 = "";
+			if ($0 ~ /[(][^)]*sec=(krb|spkm)[^)]*[)]/) {
+				print "rpc.svcgssd"
+				exit 0
+			}
+		}' /etc/exports /etc/exports.d/*.exports 2>/dev/null
+	)"
+	config /etc/exports /etc/exports.d/*.exports
+	need portmap rpc.statd ${myneed} ${NFS_NEEDED_SERVICES}
+	use ypbind net dns rpc.rquotad rpc.idmapd rpc.svcgssd
+	after quota
+}
+
+mkdir_nfsdirs() {
+	local d
+	for d in v4recovery v4root ; do
+		d="/var/lib/nfs/${d}"
+		[ ! -d "${d}" ] && mkdir -p "${d}"
+	done
+}
+
+waitfor_exportfs() {
+	local pid=$1
+	( sleep ${EXPORTFS_TIMEOUT:-30}; kill -9 ${pid} 2>/dev/null ) &
+	wait $1
+}
+
+mount_nfsd() {
+	if [ -e /proc/modules ] ; then
+		# Make sure nfs support is loaded in the kernel #64709
+		if ! grep -qs nfsd /proc/filesystems ; then
+			modprobe -q nfsd
+		fi
+		# Restart idmapd if needed #220747
+		if grep -qs nfsd /proc/modules ; then
+			killall -q -HUP rpc.idmapd
+		fi
+	fi
+
+	# This is the new "kernel 2.6 way" to handle the exports file
+	if grep -qs nfsd /proc/filesystems ; then
+		if ! mountinfo -q /proc/fs/nfsd ; then
+			ebegin "Mounting nfsd filesystem in /proc"
+			mount -t nfsd -o nodev,noexec,nosuid nfsd /proc/fs/nfsd
+			eend $?
+		fi
+
+		local o
+		for o in ${OPTS_NFSD} ; do
+			echo "${o#*=}" > "/proc/fs/nfsd/${o%%=*}"
+		done
+	fi
+}
+
+start_it() {
+	ebegin "Starting NFS $1"
+	shift
+	"$@"
+	eend $?
+	ret=$((ret + $?))
+}
+start() {
+	mount_nfsd
+	mkdir_nfsdirs
+
+	# Exportfs likes to hang if networking isn't working.
+	# If that's the case, then try to kill it so the
+	# bootup process can continue.
+	if grep -qs '^[[:space:]]*/' /etc/exports /etc/exports.d/*.exports ; then
+		ebegin "Exporting NFS directories"
+		${exportfs} -r &
+		waitfor_exportfs $!
+		eend $?
+	fi
+
+	local ret=0
+	start_it mountd ${mountd} ${OPTS_RPC_MOUNTD}
+	start_it daemon ${nfsd} ${OPTS_RPC_NFSD}
+	[ -x "${smnotify}" ] && start_it smnotify ${smnotify} ${OPTS_SMNOTIFY}
+	return ${ret}
+}
+
+stop() {
+	local ret=0
+
+	ebegin "Stopping NFS mountd"
+	start-stop-daemon --stop --exec ${mountd}
+	eend $?
+	ret=$((ret + $?))
+
+	# nfsd sets its process name to [nfsd] so don't look for $nfsd
+	ebegin "Stopping NFS daemon"
+	start-stop-daemon --stop --name nfsd --user root --signal 2
+	eend $?
+	ret=$((ret + $?))
+	# in case things don't work out ... #228127
+	rpc.nfsd 0
+
+	# When restarting the NFS server, running "exportfs -ua" probably
+	# isn't what the user wants.  Running it causes all entries listed
+	# in xtab to be removed from the kernel export tables, and the
+	# xtab file is cleared. This effectively shuts down all NFS
+	# activity, leaving all clients holding stale NFS filehandles,
+	# *even* when the NFS server has restarted.
+	#
+	# That's what you would want if you were shutting down the NFS
+	# server for good, or for a long period of time, but not when the
+	# NFS server will be running again in short order.  In this case,
+	# then "exportfs -r" will reread the xtab, and all the current
+	# clients will be able to resume NFS activity, *without* needing
+	# to umount/(re)mount the filesystem.
+	if [ "${restarting}" = no -o "${RC_CMD}" = "restart" ] ; then
+		ebegin "Unexporting NFS directories"
+		# Exportfs likes to hang if networking isn't working.
+		# If that's the case, then try to kill it so the
+		# shutdown process can continue.
+		${exportfs} -ua &
+		waitfor_exportfs $!
+		eend $?
+	fi
+
+	return ${ret}
+}
+
+reload() {
+	# Exportfs likes to hang if networking isn't working.
+	# If that's the case, then try to kill it so the
+	# bootup process can continue.
+	ebegin "Reloading /etc/exports"
+	${exportfs} -r 1>&2 &
+	waitfor_exportfs $!
+	eend $?
+}
+
+restart() {
+	# See long comment in stop() regarding "restarting" and exportfs -ua
+	restarting=yes
+	svc_stop
+	svc_start
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.confd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.confd
new file mode 100644
index 0000000000..8a995571e1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.confd
@@ -0,0 +1,18 @@
+# You need to decide which nfs protocol version you want to use.
+# If you are unsure, leave these alone.
+#
+# If you are using only nfsv4, uncomment this line:
+#
+#rc_need="!rpc.statd"
+#
+# If you are using only nfsv3, uncomment this line:
+#
+#rc_need="!rpc.idmapd"
+# 
+# You will need to set the dependencies in the nfsclient script to match
+# the network configuration tools you are using. This should be done in
+# this file by following the examples below, and not by changing the
+# service script itself.  See /etc/conf.d/netmount for more examples.
+#
+# This is a safe default.
+rc_after="net"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.initd
new file mode 100644
index 0000000000..6724e913d1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.initd
@@ -0,0 +1,33 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
+
+depend() {
+	local opts myneed=""
+	if [ -e /etc/fstab ] ; then
+		for opts in $(fstabinfo -o -t nfs,nfs4) ; do
+			case $opts in
+				*sec=krb*|*sec=spkm*) myneed="$myneed rpc.gssd" ;;
+			esac
+		done
+	fi
+	config /etc/fstab
+	need portmap rpc.statd rpc.idmapd ${myneed}
+	use ypbind dns
+}
+
+start() {
+	if [ -x /usr/sbin/sm-notify ] ; then
+		ebegin "Starting NFS sm-notify"
+		/usr/sbin/sm-notify ${OPTS_SMNOTIFY}
+		eend $?
+	fi
+
+	# Make sure nfs support is loaded in the kernel #64709
+	if [ -e /proc/modules ] && ! grep -qs 'nfs$' /proc/filesystems ; then
+		modprobe -q nfs
+	fi
+	return 0
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.confd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.confd
new file mode 100644
index 0000000000..418353668f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.confd
@@ -0,0 +1,7 @@
+# You will need to set the dependencies in the nfsmount script to match
+# the network configuration tools you are using. This should be done in
+# this file by following the examples below, and not by changing the
+# service script itself.  See /etc/conf.d/netmount for more examples.
+#
+# This is a safe default.
+rc_after="net"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.initd-1.3.1 b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.initd-1.3.1
new file mode 100644
index 0000000000..68007ca119
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.initd-1.3.1
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# This is mostly as a fix for bug #537996, to avoid breaking existing users
+# with nfsmount in their runlevels.
+# If neither nfsclient nor netmount are in your runlevels, and you manually
+# start netmount before nfsclient, then this will break. A real solution is
+# forthcoming, but requires feature development, see bug #406021 for soft
+# dependencies
+depend() {
+	need nfsclient netmount
+}
+
+msg() {
+	ewarn "nfsmount is deprecated, please migrate as described in the news item: 2015-02-02-nfs-service-changes"
+	ewarn "This migration script will be removed after 01 Aug 2015."
+}
+
+start() {
+	msg
+}
+
+stop() {
+	msg
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.gssd.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.gssd.initd
new file mode 100644
index 0000000000..445d44c444
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.gssd.initd
@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
+
+depend() {
+	use ypbind net
+	need portmap rpc.pipefs
+	after quota
+}
+
+start() {
+	ebegin "Starting gssd"
+	start-stop-daemon --start --exec /usr/sbin/rpc.gssd -- ${OPTS_RPC_GSSD}
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping gssd"
+	start-stop-daemon --stop --exec /usr/sbin/rpc.gssd
+	eend $?
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.idmapd.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.idmapd.initd
new file mode 100644
index 0000000000..61cfd4de2e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.idmapd.initd
@@ -0,0 +1,25 @@
+#!/sbin/openrc-run
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
+
+rpc_bin=/usr/sbin/rpc.idmapd
+
+depend() {
+	use ypbind net
+	need portmap rpc.pipefs
+	after quota
+}
+
+start() {
+	ebegin "Starting idmapd"
+	${rpc_bin} ${OPTS_RPC_IDMAPD}
+	eend $? "make sure DNOTIFY support is enabled ..."
+}
+
+stop() {
+	ebegin "Stopping idmapd"
+	start-stop-daemon --stop --exec ${rpc_bin}
+	eend $?
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.pipefs.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.pipefs.initd
new file mode 100644
index 0000000000..f971a49b39
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.pipefs.initd
@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+MNT="/var/lib/nfs/rpc_pipefs"
+
+mount_pipefs() {
+	local fstype=rpc_pipefs
+
+	# if things are already mounted, nothing to do
+	mountinfo -q ${MNT} && return 0
+
+	# if rpc_pipefs is not available, try to load sunrpc for it #219566
+	grep -qs ${fstype} /proc/filesystems || modprobe -q sunrpc
+	# if still not available, the `mount` will issue an error for the user
+
+	# now just do it for kicks
+	mkdir -p ${MNT}
+	mount -t ${fstype} ${fstype} ${MNT}
+}
+
+start() {
+	ebegin "Setting up RPC pipefs"
+	mount_pipefs
+	eend $? "make sure you have NFS/SUNRPC enabled in your kernel"
+}
+
+stop() {
+	ebegin "Unmounting RPC pipefs"
+	umount ${MNT}
+	eend $?
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.statd.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.statd.initd
new file mode 100644
index 0000000000..ea78b9aef6
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.statd.initd
@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
+
+rpc_bin=/sbin/rpc.statd
+rpc_pid=/var/run/rpc.statd.pid
+
+depend() {
+	use ypbind net
+	need portmap
+	after quota
+}
+
+start() {
+	# Don't start rpc.statd if already started by someone else ...
+	# Don't try and kill it if it's already dead ...
+	if killall -q -0 ${rpc_bin} ; then
+		return 0
+	fi
+
+	ebegin "Starting NFS statd"
+	start-stop-daemon --start --exec ${rpc_bin} -- --no-notify ${OPTS_RPC_STATD}
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping NFS statd"
+	start-stop-daemon --stop --exec ${rpc_bin} --pidfile /var/run/rpc.statd.pid
+	eend $?
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.svcgssd.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.svcgssd.initd
new file mode 100644
index 0000000000..c714e36076
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.svcgssd.initd
@@ -0,0 +1,23 @@
+#!/sbin/openrc-run
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
+
+depend() {
+	use ypbind net
+	need portmap rpc.pipefs
+	after quota
+}
+
+start() {
+	ebegin "Starting svcgssd"
+	start-stop-daemon --start --exec /usr/sbin/rpc.svcgssd -- ${OPTS_RPC_SVCGSSD}
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping svcgssd"
+	start-stop-daemon --stop --exec /usr/sbin/rpc.svcgssd
+	eend $?
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/nfs-utils-2.3.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/nfs-utils-2.3.1-r3.ebuild
index 2164415198..5cd180a79b 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/nfs-utils-2.3.1-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/nfs-utils-2.3.1-r3.ebuild
@@ -120,6 +120,10 @@ src_install() {
 	keepdir /var/lib/nfs/{,sm,sm.bak}
 	mv "${ED%/}"/var/lib/nfs "${ED%/}"/usr/$(get_libdir)/ || die
 
+	# Install some client-side binaries in /sbin
+	dodir /sbin
+	mv "${ED%/}"/usr/sbin/rpc.statd "${ED%/}"/sbin/ || die
+
 	if use nfsv4 && use nfsidmap ; then
 		# Install a config file for idmappers in newer kernels. #415625
 		insinto /etc/request-key.d
@@ -127,13 +131,58 @@ src_install() {
 		doins id_resolver.conf
 	fi
 
-	systemd_dotmpfilesd "${FILESDIR}"/nfs-utils.conf
+	insinto /etc
+	doins "${FILESDIR}"/exports
+	keepdir /etc/exports.d
 
-	# Provide an empty xtab for compatibility with the old tmpfiles config.
-	touch "${ED%/}"/usr/$(get_libdir)/nfs/xtab
+	local f list=() opt_need=""
+	if use nfsv4 ; then
+		opt_need="rpc.idmapd"
+		list+=( rpc.idmapd rpc.pipefs )
+		use kerberos && list+=( rpc.gssd rpc.svcgssd )
+	fi
+	for f in nfs nfsclient rpc.statd "${list[@]}" ; do
+		newinitd "${FILESDIR}"/${f}.initd ${f}
+	done
+	newinitd "${FILESDIR}"/nfsmount.initd-1.3.1 nfsmount # Nuke after 2015/08/01
+	for f in nfs nfsclient ; do
+		newconfd "${FILESDIR}"/${f}.confd ${f}
+	done
+	sed -i \
+		-e "/^NFS_NEEDED_SERVICES=/s:=.*:=\"${opt_need}\":" \
+		"${ED%/}"/etc/conf.d/nfs || die #234132
+
+	local systemd_systemunitdir="$(systemd_get_systemunitdir)"
+	sed -i \
+		-e 's:/usr/sbin/rpc.statd:/sbin/rpc.statd:' \
+		"${ED%/}${systemd_systemunitdir}"/* || die
+
+	keepdir /var/lib/nfs #368505
+	keepdir /var/lib/nfs/v4recovery #603628
 
-	# Maintain compatibility with the old gentoo systemd unit names, since nfs-utils has units upstream now.
-	dosym nfs-server.service "$(systemd_get_systemunitdir)"/nfsd.service
-	dosym nfs-idmapd.service "$(systemd_get_systemunitdir)"/rpc-idmapd.service
-	dosym nfs-mountd.service "$(systemd_get_systemunitdir)"/rpc-mountd.service
+}
+
+pkg_postinst() {
+	# Install default xtab and friends if there's none existing.  In
+	# src_install we put them in /usr/lib/nfs for safe-keeping, but
+	# the daemons actually use the files in /var/lib/nfs.  #30486
+	local f
+	for f in "${EROOT%/}"/usr/$(get_libdir)/nfs/*; do
+		[[ -e ${EROOT%/}/var/lib/nfs/${f##*/} ]] && continue
+		einfo "Copying default ${f##*/} from ${EPREFIX}/usr/$(get_libdir)/nfs to ${EPREFIX}/var/lib/nfs"
+		cp -pPR "${f}" "${EROOT%/}"/var/lib/nfs/
+	done
+
+	if systemd_is_booted; then
+		if [[ ${REPLACING_VERSIONS} < 1.3.0 ]]; then
+			ewarn "We have switched to upstream systemd unit files. Since"
+			ewarn "they got renamed, you should probably enable the new ones."
+			ewarn "You can run 'equery files nfs-utils | grep systemd'"
+			ewarn "to know what services you need to enable now."
+		fi
+	else
+		ewarn "If you use OpenRC, the nfsmount service has been replaced with nfsclient."
+		ewarn "If you were using nfsmount, please add nfsclient and netmount to the"
+		ewarn "same runlevel as nfsmount."
+	fi
 }

From e2c80f8deafccbef6dd76b1d42ed4bb9ce7a272f Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:35:10 +0100
Subject: [PATCH 11/37] net-fs/nfs-utils: Apply Flatcar modifications

  - Add the tmpfiles configuration for populating /var
  - Add service compatibility symlinks (maybe time to drop them)
  - Drop moving a binary from /usr/sbin to /sbin
  - Drop populating /etc and /var
  - Drop pkg_postinst
---
 .../net-fs/nfs-utils/files/exports            |   1 -
 .../net-fs/nfs-utils/files/nfs.confd          |  38 ----
 .../net-fs/nfs-utils/files/nfs.initd          | 162 ------------------
 .../net-fs/nfs-utils/files/nfsclient.confd    |  18 --
 .../net-fs/nfs-utils/files/nfsclient.initd    |  33 ----
 .../net-fs/nfs-utils/files/nfsmount.confd     |   7 -
 .../nfs-utils/files/nfsmount.initd-1.3.1      |  26 ---
 .../net-fs/nfs-utils/files/rpc.gssd.initd     |  23 ---
 .../net-fs/nfs-utils/files/rpc.idmapd.initd   |  25 ---
 .../net-fs/nfs-utils/files/rpc.pipefs.initd   |  32 ----
 .../net-fs/nfs-utils/files/rpc.statd.initd    |  32 ----
 .../net-fs/nfs-utils/files/rpc.svcgssd.initd  |  23 ---
 .../nfs-utils/nfs-utils-2.3.1-r3.ebuild       |  66 +------
 13 files changed, 9 insertions(+), 477 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/exports
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.confd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.initd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.confd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.initd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.confd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.initd-1.3.1
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.gssd.initd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.idmapd.initd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.pipefs.initd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.statd.initd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.svcgssd.initd

diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/exports b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/exports
deleted file mode 100644
index 5102ef27c1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/exports
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/exports: NFS file systems being exported.  See exports(5).
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.confd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.confd
deleted file mode 100644
index 9dc14058c1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.confd
+++ /dev/null
@@ -1,38 +0,0 @@
-# /etc/conf.d/nfs
-
-# If you wish to set the port numbers for lockd,
-# please see /etc/sysctl.conf
-
-# Optional services to include in default `/etc/init.d/nfs start`
-# For NFSv4 users, you'll want to add "rpc.idmapd" here.
-NFS_NEEDED_SERVICES=""
-
-# Options to pass to rpc.nfsd
-OPTS_RPC_NFSD="8"
-
-# Options to pass to rpc.mountd
-# ex. OPTS_RPC_MOUNTD="-p 32767"
-OPTS_RPC_MOUNTD=""
-
-# Options to pass to rpc.statd
-# ex. OPTS_RPC_STATD="-p 32765 -o 32766"
-OPTS_RPC_STATD=""
-
-# Options to pass to rpc.idmapd
-OPTS_RPC_IDMAPD=""
-
-# Options to pass to rpc.gssd
-OPTS_RPC_GSSD=""
-
-# Options to pass to rpc.svcgssd
-OPTS_RPC_SVCGSSD=""
-
-# Options to pass to rpc.rquotad (requires sys-fs/quota)
-OPTS_RPC_RQUOTAD=""
-
-# Timeout (in seconds) for exportfs
-EXPORTFS_TIMEOUT=30
-
-# Options to set in the nfsd filesystem (/proc/fs/nfsd/).
-# Format is <option>=<value>.  Multiple options are allowed.
-#OPTS_NFSD="nfsv4leasetime=30 max_block_size=4096"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.initd
deleted file mode 100644
index 4b572fc2e5..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfs.initd
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_started_commands="reload"
-
-# This variable is used for controlling whether or not to run exportfs -ua;
-# see stop() for more information
-restarting=no
-
-# The binary locations
-exportfs=/usr/sbin/exportfs
-  mountd=/usr/sbin/rpc.mountd
-    nfsd=/usr/sbin/rpc.nfsd
-smnotify=/usr/sbin/sm-notify
-
-depend() {
-	local myneed=""
-	# XXX: no way to detect NFSv4 is desired and so need rpc.idmapd
-	myneed="${myneed} $(
-		awk '!/^[[:space:]]*#/ {
-			# clear the path to avoid spurious matches
-			$1 = "";
-			if ($0 ~ /[(][^)]*sec=(krb|spkm)[^)]*[)]/) {
-				print "rpc.svcgssd"
-				exit 0
-			}
-		}' /etc/exports /etc/exports.d/*.exports 2>/dev/null
-	)"
-	config /etc/exports /etc/exports.d/*.exports
-	need portmap rpc.statd ${myneed} ${NFS_NEEDED_SERVICES}
-	use ypbind net dns rpc.rquotad rpc.idmapd rpc.svcgssd
-	after quota
-}
-
-mkdir_nfsdirs() {
-	local d
-	for d in v4recovery v4root ; do
-		d="/var/lib/nfs/${d}"
-		[ ! -d "${d}" ] && mkdir -p "${d}"
-	done
-}
-
-waitfor_exportfs() {
-	local pid=$1
-	( sleep ${EXPORTFS_TIMEOUT:-30}; kill -9 ${pid} 2>/dev/null ) &
-	wait $1
-}
-
-mount_nfsd() {
-	if [ -e /proc/modules ] ; then
-		# Make sure nfs support is loaded in the kernel #64709
-		if ! grep -qs nfsd /proc/filesystems ; then
-			modprobe -q nfsd
-		fi
-		# Restart idmapd if needed #220747
-		if grep -qs nfsd /proc/modules ; then
-			killall -q -HUP rpc.idmapd
-		fi
-	fi
-
-	# This is the new "kernel 2.6 way" to handle the exports file
-	if grep -qs nfsd /proc/filesystems ; then
-		if ! mountinfo -q /proc/fs/nfsd ; then
-			ebegin "Mounting nfsd filesystem in /proc"
-			mount -t nfsd -o nodev,noexec,nosuid nfsd /proc/fs/nfsd
-			eend $?
-		fi
-
-		local o
-		for o in ${OPTS_NFSD} ; do
-			echo "${o#*=}" > "/proc/fs/nfsd/${o%%=*}"
-		done
-	fi
-}
-
-start_it() {
-	ebegin "Starting NFS $1"
-	shift
-	"$@"
-	eend $?
-	ret=$((ret + $?))
-}
-start() {
-	mount_nfsd
-	mkdir_nfsdirs
-
-	# Exportfs likes to hang if networking isn't working.
-	# If that's the case, then try to kill it so the
-	# bootup process can continue.
-	if grep -qs '^[[:space:]]*/' /etc/exports /etc/exports.d/*.exports ; then
-		ebegin "Exporting NFS directories"
-		${exportfs} -r &
-		waitfor_exportfs $!
-		eend $?
-	fi
-
-	local ret=0
-	start_it mountd ${mountd} ${OPTS_RPC_MOUNTD}
-	start_it daemon ${nfsd} ${OPTS_RPC_NFSD}
-	[ -x "${smnotify}" ] && start_it smnotify ${smnotify} ${OPTS_SMNOTIFY}
-	return ${ret}
-}
-
-stop() {
-	local ret=0
-
-	ebegin "Stopping NFS mountd"
-	start-stop-daemon --stop --exec ${mountd}
-	eend $?
-	ret=$((ret + $?))
-
-	# nfsd sets its process name to [nfsd] so don't look for $nfsd
-	ebegin "Stopping NFS daemon"
-	start-stop-daemon --stop --name nfsd --user root --signal 2
-	eend $?
-	ret=$((ret + $?))
-	# in case things don't work out ... #228127
-	rpc.nfsd 0
-
-	# When restarting the NFS server, running "exportfs -ua" probably
-	# isn't what the user wants.  Running it causes all entries listed
-	# in xtab to be removed from the kernel export tables, and the
-	# xtab file is cleared. This effectively shuts down all NFS
-	# activity, leaving all clients holding stale NFS filehandles,
-	# *even* when the NFS server has restarted.
-	#
-	# That's what you would want if you were shutting down the NFS
-	# server for good, or for a long period of time, but not when the
-	# NFS server will be running again in short order.  In this case,
-	# then "exportfs -r" will reread the xtab, and all the current
-	# clients will be able to resume NFS activity, *without* needing
-	# to umount/(re)mount the filesystem.
-	if [ "${restarting}" = no -o "${RC_CMD}" = "restart" ] ; then
-		ebegin "Unexporting NFS directories"
-		# Exportfs likes to hang if networking isn't working.
-		# If that's the case, then try to kill it so the
-		# shutdown process can continue.
-		${exportfs} -ua &
-		waitfor_exportfs $!
-		eend $?
-	fi
-
-	return ${ret}
-}
-
-reload() {
-	# Exportfs likes to hang if networking isn't working.
-	# If that's the case, then try to kill it so the
-	# bootup process can continue.
-	ebegin "Reloading /etc/exports"
-	${exportfs} -r 1>&2 &
-	waitfor_exportfs $!
-	eend $?
-}
-
-restart() {
-	# See long comment in stop() regarding "restarting" and exportfs -ua
-	restarting=yes
-	svc_stop
-	svc_start
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.confd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.confd
deleted file mode 100644
index 8a995571e1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.confd
+++ /dev/null
@@ -1,18 +0,0 @@
-# You need to decide which nfs protocol version you want to use.
-# If you are unsure, leave these alone.
-#
-# If you are using only nfsv4, uncomment this line:
-#
-#rc_need="!rpc.statd"
-#
-# If you are using only nfsv3, uncomment this line:
-#
-#rc_need="!rpc.idmapd"
-# 
-# You will need to set the dependencies in the nfsclient script to match
-# the network configuration tools you are using. This should be done in
-# this file by following the examples below, and not by changing the
-# service script itself.  See /etc/conf.d/netmount for more examples.
-#
-# This is a safe default.
-rc_after="net"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.initd
deleted file mode 100644
index 6724e913d1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsclient.initd
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
-
-depend() {
-	local opts myneed=""
-	if [ -e /etc/fstab ] ; then
-		for opts in $(fstabinfo -o -t nfs,nfs4) ; do
-			case $opts in
-				*sec=krb*|*sec=spkm*) myneed="$myneed rpc.gssd" ;;
-			esac
-		done
-	fi
-	config /etc/fstab
-	need portmap rpc.statd rpc.idmapd ${myneed}
-	use ypbind dns
-}
-
-start() {
-	if [ -x /usr/sbin/sm-notify ] ; then
-		ebegin "Starting NFS sm-notify"
-		/usr/sbin/sm-notify ${OPTS_SMNOTIFY}
-		eend $?
-	fi
-
-	# Make sure nfs support is loaded in the kernel #64709
-	if [ -e /proc/modules ] && ! grep -qs 'nfs$' /proc/filesystems ; then
-		modprobe -q nfs
-	fi
-	return 0
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.confd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.confd
deleted file mode 100644
index 418353668f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.confd
+++ /dev/null
@@ -1,7 +0,0 @@
-# You will need to set the dependencies in the nfsmount script to match
-# the network configuration tools you are using. This should be done in
-# this file by following the examples below, and not by changing the
-# service script itself.  See /etc/conf.d/netmount for more examples.
-#
-# This is a safe default.
-rc_after="net"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.initd-1.3.1 b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.initd-1.3.1
deleted file mode 100644
index 68007ca119..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/nfsmount.initd-1.3.1
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# This is mostly as a fix for bug #537996, to avoid breaking existing users
-# with nfsmount in their runlevels.
-# If neither nfsclient nor netmount are in your runlevels, and you manually
-# start netmount before nfsclient, then this will break. A real solution is
-# forthcoming, but requires feature development, see bug #406021 for soft
-# dependencies
-depend() {
-	need nfsclient netmount
-}
-
-msg() {
-	ewarn "nfsmount is deprecated, please migrate as described in the news item: 2015-02-02-nfs-service-changes"
-	ewarn "This migration script will be removed after 01 Aug 2015."
-}
-
-start() {
-	msg
-}
-
-stop() {
-	msg
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.gssd.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.gssd.initd
deleted file mode 100644
index 445d44c444..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.gssd.initd
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
-
-depend() {
-	use ypbind net
-	need portmap rpc.pipefs
-	after quota
-}
-
-start() {
-	ebegin "Starting gssd"
-	start-stop-daemon --start --exec /usr/sbin/rpc.gssd -- ${OPTS_RPC_GSSD}
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping gssd"
-	start-stop-daemon --stop --exec /usr/sbin/rpc.gssd
-	eend $?
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.idmapd.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.idmapd.initd
deleted file mode 100644
index 61cfd4de2e..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.idmapd.initd
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
-
-rpc_bin=/usr/sbin/rpc.idmapd
-
-depend() {
-	use ypbind net
-	need portmap rpc.pipefs
-	after quota
-}
-
-start() {
-	ebegin "Starting idmapd"
-	${rpc_bin} ${OPTS_RPC_IDMAPD}
-	eend $? "make sure DNOTIFY support is enabled ..."
-}
-
-stop() {
-	ebegin "Stopping idmapd"
-	start-stop-daemon --stop --exec ${rpc_bin}
-	eend $?
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.pipefs.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.pipefs.initd
deleted file mode 100644
index f971a49b39..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.pipefs.initd
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-MNT="/var/lib/nfs/rpc_pipefs"
-
-mount_pipefs() {
-	local fstype=rpc_pipefs
-
-	# if things are already mounted, nothing to do
-	mountinfo -q ${MNT} && return 0
-
-	# if rpc_pipefs is not available, try to load sunrpc for it #219566
-	grep -qs ${fstype} /proc/filesystems || modprobe -q sunrpc
-	# if still not available, the `mount` will issue an error for the user
-
-	# now just do it for kicks
-	mkdir -p ${MNT}
-	mount -t ${fstype} ${fstype} ${MNT}
-}
-
-start() {
-	ebegin "Setting up RPC pipefs"
-	mount_pipefs
-	eend $? "make sure you have NFS/SUNRPC enabled in your kernel"
-}
-
-stop() {
-	ebegin "Unmounting RPC pipefs"
-	umount ${MNT}
-	eend $?
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.statd.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.statd.initd
deleted file mode 100644
index ea78b9aef6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.statd.initd
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
-
-rpc_bin=/sbin/rpc.statd
-rpc_pid=/var/run/rpc.statd.pid
-
-depend() {
-	use ypbind net
-	need portmap
-	after quota
-}
-
-start() {
-	# Don't start rpc.statd if already started by someone else ...
-	# Don't try and kill it if it's already dead ...
-	if killall -q -0 ${rpc_bin} ; then
-		return 0
-	fi
-
-	ebegin "Starting NFS statd"
-	start-stop-daemon --start --exec ${rpc_bin} -- --no-notify ${OPTS_RPC_STATD}
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping NFS statd"
-	start-stop-daemon --stop --exec ${rpc_bin} --pidfile /var/run/rpc.statd.pid
-	eend $?
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.svcgssd.initd b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.svcgssd.initd
deleted file mode 100644
index c714e36076..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/files/rpc.svcgssd.initd
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
-
-depend() {
-	use ypbind net
-	need portmap rpc.pipefs
-	after quota
-}
-
-start() {
-	ebegin "Starting svcgssd"
-	start-stop-daemon --start --exec /usr/sbin/rpc.svcgssd -- ${OPTS_RPC_SVCGSSD}
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping svcgssd"
-	start-stop-daemon --stop --exec /usr/sbin/rpc.svcgssd
-	eend $?
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/nfs-utils-2.3.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/nfs-utils-2.3.1-r3.ebuild
index 5cd180a79b..f4ecb22679 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/nfs-utils-2.3.1-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/nfs-utils/nfs-utils-2.3.1-r3.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=6
 
-inherit autotools flag-o-matic multilib systemd
+TMPFILES_OPTIONAL=1
+inherit autotools flag-o-matic multilib systemd tmpfiles
 
 DESCRIPTION="NFS client and server daemons"
 HOMEPAGE="http://linux-nfs.org/"
@@ -120,10 +121,6 @@ src_install() {
 	keepdir /var/lib/nfs/{,sm,sm.bak}
 	mv "${ED%/}"/var/lib/nfs "${ED%/}"/usr/$(get_libdir)/ || die
 
-	# Install some client-side binaries in /sbin
-	dodir /sbin
-	mv "${ED%/}"/usr/sbin/rpc.statd "${ED%/}"/sbin/ || die
-
 	if use nfsv4 && use nfsidmap ; then
 		# Install a config file for idmappers in newer kernels. #415625
 		insinto /etc/request-key.d
@@ -131,58 +128,13 @@ src_install() {
 		doins id_resolver.conf
 	fi
 
-	insinto /etc
-	doins "${FILESDIR}"/exports
-	keepdir /etc/exports.d
+	dotmpfiles "${FILESDIR}"/nfs-utils.conf
 
-	local f list=() opt_need=""
-	if use nfsv4 ; then
-		opt_need="rpc.idmapd"
-		list+=( rpc.idmapd rpc.pipefs )
-		use kerberos && list+=( rpc.gssd rpc.svcgssd )
-	fi
-	for f in nfs nfsclient rpc.statd "${list[@]}" ; do
-		newinitd "${FILESDIR}"/${f}.initd ${f}
-	done
-	newinitd "${FILESDIR}"/nfsmount.initd-1.3.1 nfsmount # Nuke after 2015/08/01
-	for f in nfs nfsclient ; do
-		newconfd "${FILESDIR}"/${f}.confd ${f}
-	done
-	sed -i \
-		-e "/^NFS_NEEDED_SERVICES=/s:=.*:=\"${opt_need}\":" \
-		"${ED%/}"/etc/conf.d/nfs || die #234132
-
-	local systemd_systemunitdir="$(systemd_get_systemunitdir)"
-	sed -i \
-		-e 's:/usr/sbin/rpc.statd:/sbin/rpc.statd:' \
-		"${ED%/}${systemd_systemunitdir}"/* || die
-
-	keepdir /var/lib/nfs #368505
-	keepdir /var/lib/nfs/v4recovery #603628
+	# Provide an empty xtab for compatibility with the old tmpfiles config.
+	touch "${ED%/}"/usr/$(get_libdir)/nfs/xtab
 
-}
-
-pkg_postinst() {
-	# Install default xtab and friends if there's none existing.  In
-	# src_install we put them in /usr/lib/nfs for safe-keeping, but
-	# the daemons actually use the files in /var/lib/nfs.  #30486
-	local f
-	for f in "${EROOT%/}"/usr/$(get_libdir)/nfs/*; do
-		[[ -e ${EROOT%/}/var/lib/nfs/${f##*/} ]] && continue
-		einfo "Copying default ${f##*/} from ${EPREFIX}/usr/$(get_libdir)/nfs to ${EPREFIX}/var/lib/nfs"
-		cp -pPR "${f}" "${EROOT%/}"/var/lib/nfs/
-	done
-
-	if systemd_is_booted; then
-		if [[ ${REPLACING_VERSIONS} < 1.3.0 ]]; then
-			ewarn "We have switched to upstream systemd unit files. Since"
-			ewarn "they got renamed, you should probably enable the new ones."
-			ewarn "You can run 'equery files nfs-utils | grep systemd'"
-			ewarn "to know what services you need to enable now."
-		fi
-	else
-		ewarn "If you use OpenRC, the nfsmount service has been replaced with nfsclient."
-		ewarn "If you were using nfsmount, please add nfsclient and netmount to the"
-		ewarn "same runlevel as nfsmount."
-	fi
+	# Maintain compatibility with the old gentoo systemd unit names, since nfs-utils has units upstream now.
+	dosym nfs-server.service "$(systemd_get_systemunitdir)"/nfsd.service
+	dosym nfs-idmapd.service "$(systemd_get_systemunitdir)"/rpc-idmapd.service
+	dosym nfs-mountd.service "$(systemd_get_systemunitdir)"/rpc-mountd.service
 }

From c5eb243890f97345d9c278e9394f7a92efd641c5 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:39:50 +0100
Subject: [PATCH 12/37] net-fs/samba: Clean slate to reapply our changes

---
 .../coreos-overlay/net-fs/samba/metadata.xml  |  4 -
 ....12.9-r3.ebuild => samba-4.12.9-r1.ebuild} | 77 +++++++------------
 2 files changed, 28 insertions(+), 53 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/net-fs/samba/{samba-4.12.9-r3.ebuild => samba-4.12.9-r1.ebuild} (86%)

diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
index e871aa5724..d1bb8bfdd5 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
@@ -16,16 +16,12 @@
 		<flag name="client">Enables the client part</flag>
 		<flag name="cluster">Enable support for clustering</flag>
 		<flag name="dmapi">Enable support for DMAPI. This currently works only in combination with XFS.</flag>
-		<flag name="glusterfs">Enable support for Glusterfs filesystem via <pkg>sys-cluster/glusterfs</pkg></flag>
 		<flag name="gpg">Use <pkg>app-crypt/gpgme</pkg> for AD DC</flag>
 		<flag name="json">Enable json audit support through <pkg>dev-libs/jansson</pkg></flag>
 		<flag name="iprint">Enabling iPrint technology by Novell</flag>
-		<flag name="ntvfs">Enable support for NTVFS fileserver</flag>
 		<flag name="profiling-data">Enables support for collecting profiling data</flag>
 		<flag name="quota">Enables support for user quotas</flag>
-		<flag name="regedit">Enable support for regedit command-line tool</flag>
 		<flag name="snapper">Enable vfs_snapper module (requires <pkg>sys-apps/dbus</pkg>)</flag>
-		<flag name="spotlight">Enable support for spotlight backend</flag>
 		<flag name="system-heimdal">Use <pkg>app-crypt/heimdal</pkg> instead of
 			bundled heimdal.</flag>
 		<flag name="system-mitkrb5">Use <pkg>app-crypt/mit-krb5</pkg> instead of
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r1.ebuild
similarity index 86%
rename from sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r1.ebuild
index 5b9a5ff7d8..d719891701 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r1.ebuild
@@ -1,9 +1,9 @@
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=6
 
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_{6,7,8} )
 PYTHON_REQ_USE='threads(+),xml(+)'
 inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam
 
@@ -23,11 +23,9 @@ LICENSE="GPL-3"
 
 SLOT="0"
 
-IUSE="acl addc addns ads ceph client cluster cups debug dmapi fam glusterfs
-gpg iprint json ldap ntvfs pam profiling-data python quota +regedit selinux
-snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test winbind
-zeroconf"
-IUSE+=" +minimal"  # Flatcar: Only install libraries, not executables.
+IUSE="acl addc addns ads ceph client cluster cups debug dmapi fam gpg iprint
+json ldap pam profiling-data python quota selinux snapper syslog
+system-heimdal +system-mitkrb5 systemd test winbind zeroconf"
 
 MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/samba-4.0/policy.h
@@ -42,24 +40,35 @@ MULTILIB_WRAPPED_HEADERS=(
 
 CDEPEND="
 	>=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}]
-	spotlight? ( dev-libs/icu:=[${MULTILIB_USEDEP}] )
+	dev-lang/perl:=
+	dev-libs/icu:=[${MULTILIB_USEDEP}]
 	dev-libs/libbsd[${MULTILIB_USEDEP}]
-	!minimal? ( dev-libs/libtasn1[${MULTILIB_USEDEP}] )
+	dev-libs/libtasn1[${MULTILIB_USEDEP}]
 	dev-libs/popt[${MULTILIB_USEDEP}]
+	dev-perl/Parse-Yapp
 	>=net-libs/gnutls-3.4.7[${MULTILIB_USEDEP}]
+	net-libs/libnsl:=[${MULTILIB_USEDEP}]
 	sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}]
+	>=sys-libs/ldb-2.1.4[ldap(+)?,python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
+	<sys-libs/ldb-2.2.0[ldap(+)?,python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
 	sys-libs/libcap[${MULTILIB_USEDEP}]
 	sys-libs/liburing:=[${MULTILIB_USEDEP}]
 	sys-libs/ncurses:0=
 	sys-libs/readline:0=
+	>=sys-libs/talloc-2.3.1[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
+	>=sys-libs/tdb-1.4.3[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
+	>=sys-libs/tevent-0.10.2[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
 	sys-libs/zlib[${MULTILIB_USEDEP}]
 	virtual/libiconv
 	pam? ( sys-libs/pam )
 	acl? ( virtual/acl )
-	addns? (
-		net-dns/bind-tools[gssapi]
-		dev-python/dnspython
-	)
+	$(python_gen_cond_dep "
+		dev-python/subunit[\${PYTHON_MULTI_USEDEP},${MULTILIB_USEDEP}]
+		addns? (
+			net-dns/bind-tools[gssapi]
+			dev-python/dnspython:=[\${PYTHON_MULTI_USEDEP}]
+		)
+	")
 	ceph? ( sys-cluster/ceph )
 	cluster? (
 		net-libs/rpcsvc-proto
@@ -80,7 +89,8 @@ CDEPEND="
 "
 DEPEND="${CDEPEND}
 	${PYTHON_DEPS}
-	dev-lang/perl:=
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
 	>=dev-util/cmocka-1.1.3[${MULTILIB_USEDEP}]
 	net-libs/libtirpc[${MULTILIB_USEDEP}]
 	virtual/pkgconfig
@@ -88,10 +98,6 @@ DEPEND="${CDEPEND}
 		net-libs/rpcsvc-proto
 		<sys-libs/glibc-2.26[rpc(+)]
 	)
-	spotlight? (
-		app-misc/tracker
-		dev-libs/glib
-	)
 	test? (
 		!system-mitkrb5? (
 			>=sys-libs/nss_wrapper-1.1.3
@@ -106,19 +112,12 @@ RDEPEND="${CDEPEND}
 	selinux? ( sec-policy/selinux-samba )
 "
 
-BDEPEND="
-	app-text/docbook-xsl-stylesheets
-	dev-libs/libxslt
-"
-
 REQUIRED_USE="
 	addc? ( python json winbind )
 	addns? ( python )
 	ads? ( acl ldap winbind )
 	cluster? ( ads )
 	gpg? ( addc )
-	ntvfs? ( addc )
-	spotlight? ( json )
 	test? ( python )
 	?? ( system-heimdal system-mitkrb5 )
 	${PYTHON_REQUIRED_USE}
@@ -169,6 +168,9 @@ src_prepare() {
 		sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die
 	fi
 
+	## ugly hackaround for bug #592502
+	#cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die
+
 	sed -e 's:<gpgme\.h>:<gpgme/gpgme.h>:' \
 		-i source4/dsdb/samdb/ldb_modules/password_hash.c \
 		|| die
@@ -185,10 +187,6 @@ multilib_src_configure() {
 		bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE"
 	fi
 
-	# Flatcar: we need only the mandatory bundled library, ldb by default.
-	# Without that, configure will fail because of a missing bundled library.
-	bundled_libs="ldb"
-
 	local myconf=(
 		--enable-fhs
 		--sysconfdir="${EPREFIX}/etc"
@@ -202,7 +200,6 @@ multilib_src_configure() {
 		--nopyc
 		--nopyo
 		--without-winexe
-		--disable-python
 		$(multilib_native_use_with acl acl-support)
 		$(multilib_native_usex addc '' '--without-ad-dc')
 		$(multilib_native_use_with addns dnsupdate)
@@ -212,17 +209,13 @@ multilib_src_configure() {
 		$(multilib_native_use_enable cups)
 		$(multilib_native_use_with dmapi)
 		$(multilib_native_use_with fam)
-		$(multilib_native_use_enable glusterfs)
 		$(multilib_native_use_with gpg gpgme)
 		$(multilib_native_use_with json)
 		$(multilib_native_use_enable iprint)
-		$(multilib_native_use_with ntvfs ntvfs-fileserver)
 		$(multilib_native_use_with pam)
 		$(multilib_native_usex pam "--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '')
 		$(multilib_native_use_with quota quotas)
-		$(multilib_native_use_with regedit regedit)
 		$(multilib_native_use_enable snapper)
-		$(multilib_native_use_enable spotlight)
 		$(multilib_native_use_with syslog)
 		$(multilib_native_use_with systemd)
 		--systemd-install-services
@@ -284,7 +277,7 @@ multilib_src_install() {
 		newinitd "${CONFDIR}/samba4.initd-r1" samba
 		newconfd "${CONFDIR}/samba4.confd" samba
 
-		[[ ! use_minimal ]] && systemd_dotmpfilesd "${FILESDIR}"/samba.conf
+		systemd_dotmpfilesd "${FILESDIR}"/samba.conf
 		use addc || rm "${D}/$(systemd_get_systemunitdir)/samba.service" || die
 
 		# Preserve functionality for old gentoo-specific unit names
@@ -305,20 +298,6 @@ multilib_src_install() {
 	keepdir /var/lib/samba/{bind-dns,private}
 	keepdir /var/lock/samba
 	keepdir /var/log/samba
-
-
-	rm -f "${ED%/}"/etc/samba/*
-	rm -f "${ED%/}"/usr/lib*/samba/ldb/*
-	if use minimal ; then
-		mv "${ED%/}"/usr/bin/net "${T}"/
-		rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/*
-		mv "${T}"/net "${ED%/}"/usr/bin/net
-		rm -rf ${ED%/}/lib*/security
-		rm -rf ${ED%/}/usr/lib/systemd
-		rm -rf ${ED%/}/usr/lib*/perl*
-		rm -rf ${ED%/}/usr/lib*/python*
-		rm -rf ${ED%/}/var
-	fi
 }
 
 multilib_src_test() {

From 6c8076e2722d6a401e51e7cd9e05f1d57f8191f3 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:43:24 +0100
Subject: [PATCH 13/37] net-fs/samba: Apply Flatcar modifications

  - Add a minimal USE flag for only installing libraries
  - Change the Perl and Python run-time deps to build-time only
  - Drop a bunch of dependencies with broken cross-compilation
  - Enable using bundled libraries in their place
  - Disable building libraries requiring Python
  - Use EAPI7
  - Move libsxlt and stylesheets to BDEPEND
  - Introduce some USE flags, so we don't install some tools we don't
    need
  - Limit the size of bundled libraries
  - Make it compatible with newer python versions
  - Bump to r2 because of updating EAPI to 7
---
 .../coreos-overlay/net-fs/samba/metadata.xml  |  4 +
 ....12.9-r1.ebuild => samba-4.12.9-r2.ebuild} | 80 ++++++++++++-------
 2 files changed, 55 insertions(+), 29 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/net-fs/samba/{samba-4.12.9-r1.ebuild => samba-4.12.9-r2.ebuild} (85%)

diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
index d1bb8bfdd5..e871aa5724 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
@@ -16,12 +16,16 @@
 		<flag name="client">Enables the client part</flag>
 		<flag name="cluster">Enable support for clustering</flag>
 		<flag name="dmapi">Enable support for DMAPI. This currently works only in combination with XFS.</flag>
+		<flag name="glusterfs">Enable support for Glusterfs filesystem via <pkg>sys-cluster/glusterfs</pkg></flag>
 		<flag name="gpg">Use <pkg>app-crypt/gpgme</pkg> for AD DC</flag>
 		<flag name="json">Enable json audit support through <pkg>dev-libs/jansson</pkg></flag>
 		<flag name="iprint">Enabling iPrint technology by Novell</flag>
+		<flag name="ntvfs">Enable support for NTVFS fileserver</flag>
 		<flag name="profiling-data">Enables support for collecting profiling data</flag>
 		<flag name="quota">Enables support for user quotas</flag>
+		<flag name="regedit">Enable support for regedit command-line tool</flag>
 		<flag name="snapper">Enable vfs_snapper module (requires <pkg>sys-apps/dbus</pkg>)</flag>
+		<flag name="spotlight">Enable support for spotlight backend</flag>
 		<flag name="system-heimdal">Use <pkg>app-crypt/heimdal</pkg> instead of
 			bundled heimdal.</flag>
 		<flag name="system-mitkrb5">Use <pkg>app-crypt/mit-krb5</pkg> instead of
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r2.ebuild
similarity index 85%
rename from sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r2.ebuild
index d719891701..7b1b079397 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.12.9-r2.ebuild
@@ -1,11 +1,12 @@
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI=7
 
-PYTHON_COMPAT=( python3_{6,7,8} )
+PYTHON_COMPAT=( python3_{6..10} )
 PYTHON_REQ_USE='threads(+),xml(+)'
-inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam
+TMPFILES_OPTIONAL=1
+inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam tmpfiles
 
 MY_PV="${PV/_rc/rc}"
 MY_P="${PN}-${MY_PV}"
@@ -23,9 +24,11 @@ LICENSE="GPL-3"
 
 SLOT="0"
 
-IUSE="acl addc addns ads ceph client cluster cups debug dmapi fam gpg iprint
-json ldap pam profiling-data python quota selinux snapper syslog
-system-heimdal +system-mitkrb5 systemd test winbind zeroconf"
+IUSE="acl addc addns ads ceph client cluster cups debug dmapi fam glusterfs
+gpg iprint json ldap ntvfs pam profiling-data python quota +regedit selinux
+snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test winbind
+zeroconf"
+IUSE+=" +minimal"  # Flatcar: Only install libraries, not executables.
 
 MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/samba-4.0/policy.h
@@ -40,35 +43,24 @@ MULTILIB_WRAPPED_HEADERS=(
 
 CDEPEND="
 	>=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}]
-	dev-lang/perl:=
-	dev-libs/icu:=[${MULTILIB_USEDEP}]
+	spotlight? ( dev-libs/icu:=[${MULTILIB_USEDEP}] )
 	dev-libs/libbsd[${MULTILIB_USEDEP}]
-	dev-libs/libtasn1[${MULTILIB_USEDEP}]
+	!minimal? ( dev-libs/libtasn1[${MULTILIB_USEDEP}] )
 	dev-libs/popt[${MULTILIB_USEDEP}]
-	dev-perl/Parse-Yapp
 	>=net-libs/gnutls-3.4.7[${MULTILIB_USEDEP}]
-	net-libs/libnsl:=[${MULTILIB_USEDEP}]
 	sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}]
-	>=sys-libs/ldb-2.1.4[ldap(+)?,python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
-	<sys-libs/ldb-2.2.0[ldap(+)?,python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
 	sys-libs/libcap[${MULTILIB_USEDEP}]
 	sys-libs/liburing:=[${MULTILIB_USEDEP}]
 	sys-libs/ncurses:0=
 	sys-libs/readline:0=
-	>=sys-libs/talloc-2.3.1[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
-	>=sys-libs/tdb-1.4.3[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
-	>=sys-libs/tevent-0.10.2[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
 	sys-libs/zlib[${MULTILIB_USEDEP}]
 	virtual/libiconv
 	pam? ( sys-libs/pam )
 	acl? ( virtual/acl )
-	$(python_gen_cond_dep "
-		dev-python/subunit[\${PYTHON_MULTI_USEDEP},${MULTILIB_USEDEP}]
-		addns? (
-			net-dns/bind-tools[gssapi]
-			dev-python/dnspython:=[\${PYTHON_MULTI_USEDEP}]
-		)
-	")
+	addns? (
+		net-dns/bind-tools[gssapi]
+		dev-python/dnspython
+	)
 	ceph? ( sys-cluster/ceph )
 	cluster? (
 		net-libs/rpcsvc-proto
@@ -89,8 +81,7 @@ CDEPEND="
 "
 DEPEND="${CDEPEND}
 	${PYTHON_DEPS}
-	app-text/docbook-xsl-stylesheets
-	dev-libs/libxslt
+	dev-lang/perl:=
 	>=dev-util/cmocka-1.1.3[${MULTILIB_USEDEP}]
 	net-libs/libtirpc[${MULTILIB_USEDEP}]
 	virtual/pkgconfig
@@ -98,6 +89,10 @@ DEPEND="${CDEPEND}
 		net-libs/rpcsvc-proto
 		<sys-libs/glibc-2.26[rpc(+)]
 	)
+	spotlight? (
+		app-misc/tracker
+		dev-libs/glib
+	)
 	test? (
 		!system-mitkrb5? (
 			>=sys-libs/nss_wrapper-1.1.3
@@ -112,12 +107,19 @@ RDEPEND="${CDEPEND}
 	selinux? ( sec-policy/selinux-samba )
 "
 
+BDEPEND="
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+"
+
 REQUIRED_USE="
 	addc? ( python json winbind )
 	addns? ( python )
 	ads? ( acl ldap winbind )
 	cluster? ( ads )
 	gpg? ( addc )
+	ntvfs? ( addc )
+	spotlight? ( json )
 	test? ( python )
 	?? ( system-heimdal system-mitkrb5 )
 	${PYTHON_REQUIRED_USE}
@@ -168,9 +170,6 @@ src_prepare() {
 		sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die
 	fi
 
-	## ugly hackaround for bug #592502
-	#cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die
-
 	sed -e 's:<gpgme\.h>:<gpgme/gpgme.h>:' \
 		-i source4/dsdb/samdb/ldb_modules/password_hash.c \
 		|| die
@@ -187,6 +186,10 @@ multilib_src_configure() {
 		bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE"
 	fi
 
+	# Flatcar: we need only the mandatory bundled library, ldb by default.
+	# Without that, configure will fail because of a missing bundled library.
+	bundled_libs="ldb"
+
 	local myconf=(
 		--enable-fhs
 		--sysconfdir="${EPREFIX}/etc"
@@ -200,6 +203,7 @@ multilib_src_configure() {
 		--nopyc
 		--nopyo
 		--without-winexe
+		--disable-python
 		$(multilib_native_use_with acl acl-support)
 		$(multilib_native_usex addc '' '--without-ad-dc')
 		$(multilib_native_use_with addns dnsupdate)
@@ -209,13 +213,17 @@ multilib_src_configure() {
 		$(multilib_native_use_enable cups)
 		$(multilib_native_use_with dmapi)
 		$(multilib_native_use_with fam)
+		$(multilib_native_use_enable glusterfs)
 		$(multilib_native_use_with gpg gpgme)
 		$(multilib_native_use_with json)
 		$(multilib_native_use_enable iprint)
+		$(multilib_native_use_with ntvfs ntvfs-fileserver)
 		$(multilib_native_use_with pam)
 		$(multilib_native_usex pam "--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '')
 		$(multilib_native_use_with quota quotas)
+		$(multilib_native_use_with regedit regedit)
 		$(multilib_native_use_enable snapper)
+		$(multilib_native_use_enable spotlight)
 		$(multilib_native_use_with syslog)
 		$(multilib_native_use_with systemd)
 		--systemd-install-services
@@ -277,7 +285,7 @@ multilib_src_install() {
 		newinitd "${CONFDIR}/samba4.initd-r1" samba
 		newconfd "${CONFDIR}/samba4.confd" samba
 
-		systemd_dotmpfilesd "${FILESDIR}"/samba.conf
+		[[ ! use_minimal ]] && dotmpfiles "${FILESDIR}"/samba.conf
 		use addc || rm "${D}/$(systemd_get_systemunitdir)/samba.service" || die
 
 		# Preserve functionality for old gentoo-specific unit names
@@ -298,6 +306,20 @@ multilib_src_install() {
 	keepdir /var/lib/samba/{bind-dns,private}
 	keepdir /var/lock/samba
 	keepdir /var/log/samba
+
+
+	rm -f "${ED%/}"/etc/samba/*
+	rm -f "${ED%/}"/usr/lib*/samba/ldb/*
+	if use minimal ; then
+		mv "${ED%/}"/usr/bin/net "${T}"/
+		rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/*
+		mv "${T}"/net "${ED%/}"/usr/bin/net
+		rm -rf ${ED%/}/lib*/security
+		rm -rf ${ED%/}/usr/lib/systemd
+		rm -rf ${ED%/}/usr/lib*/perl*
+		rm -rf ${ED%/}/usr/lib*/python*
+		rm -rf ${ED%/}/var
+	fi
 }
 
 multilib_src_test() {

From e5a4653591a06ae0aebc029cbf3165dd94f3eb5b Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:51:09 +0100
Subject: [PATCH 14/37] net-misc/ntp: Clean slate to reapply our changes

---
 .../net-misc/ntp/files/ntp-client.confd       | 21 +++++++++
 .../net-misc/ntp/files/ntp-client.rc          | 31 ++++++++++++
 .../net-misc/ntp/files/ntp.conf               | 47 ++++++++++++++++---
 .../net-misc/ntp/files/ntpd.confd             |  6 +++
 .../net-misc/ntp/files/ntpd.rc-r1             | 22 +++++++++
 .../net-misc/ntp/files/ntpd.service-r2        | 11 +++++
 .../net-misc/ntp/files/ntpdate.service-r2     | 14 ++++++
 .../net-misc/ntp/files/ntpdate.service.conf   |  2 +
 .../net-misc/ntp/files/sntp.confd             |  4 ++
 .../coreos-overlay/net-misc/ntp/files/sntp.rc | 26 ++++++++++
 .../net-misc/ntp/files/sntp.service-r3        | 14 ++++++
 .../net-misc/ntp/files/sntp.service.conf      |  2 +
 .../net-misc/ntp/ntp-4.2.8_p15.ebuild         | 36 ++++++++++----
 13 files changed, 222 insertions(+), 14 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.confd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.rc
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.confd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.rc-r1
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.service-r2
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service-r2
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service.conf
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.confd
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.rc
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service-r3
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.confd
new file mode 100644
index 0000000000..786004da83
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.confd
@@ -0,0 +1,21 @@
+# /etc/conf.d/ntp-client
+
+# Command to run to set the clock initially
+# Most people should just leave this line alone ...
+# however, if you know what you're doing, and you
+# want to use ntpd to set the clock, change this to 'ntpd'
+NTPCLIENT_CMD="ntpdate"
+
+# Options to pass to the above command
+# This default setting should work fine but you should
+# change the default 'pool.ntp.org' to something closer
+# to your machine.  See http://www.pool.ntp.org/ or
+# try running `netselect -s 3 pool.ntp.org`.
+NTPCLIENT_OPTS="-s -b -u \
+	0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org \
+	2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
+
+# If you use hostnames above, then you should depend on dns
+# being up & running before we try to run.  Otherwise, you
+# can disable this.
+rc_use="dns"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.rc b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.rc
new file mode 100644
index 0000000000..5b5d594473
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.rc
@@ -0,0 +1,31 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	before cron portmap
+	after net
+	use dns logger
+}
+
+checkconfig() {
+	if ! type "${NTPCLIENT_CMD}" >/dev/null 2>&1 ; then
+		eerror "Please edit /etc/conf.d/ntp-client"
+		eerror "Unable to locate the client command ${NTPCLIENT_CMD}!"
+		return 1
+	fi
+	if [ -z "${NTPCLIENT_OPTS}" ] ; then
+		eerror "Please edit /etc/conf.d/ntp-client"
+		eerror "I need to know what server/options to use!"
+		return 1
+	fi
+	return 0
+}
+
+start() {
+	checkconfig || return $?
+
+	ebegin "Setting clock via the NTP client '${NTPCLIENT_CMD}'"
+	"${NTPCLIENT_CMD}" ${NTPCLIENT_OPTS}
+	eend $? "Failed to set clock"
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp.conf b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp.conf
index c0cd2271f9..97bed8dd13 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp.conf
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp.conf
@@ -1,8 +1,34 @@
-# Common pool
-server 0.flatcar.pool.ntp.org
-server 1.flatcar.pool.ntp.org
-server 2.flatcar.pool.ntp.org
-server 3.flatcar.pool.ntp.org
+# NOTES:
+# DHCP clients can append or replace NTP configuration files.
+# You should consult your DHCP client documentation about its
+# default behaviour and how to change it.
+
+# Name of the servers ntpd should sync with
+# Please respect the access policy as stated by the responsible person.
+#server		ntp.example.tld		iburst
+
+# Common pool for random people
+#server pool.ntp.org
+
+# Pools for Gentoo users
+server 0.gentoo.pool.ntp.org
+server 1.gentoo.pool.ntp.org
+server 2.gentoo.pool.ntp.org
+server 3.gentoo.pool.ntp.org
+
+##
+# A list of available servers can be found here:
+# http://www.pool.ntp.org/
+# http://www.pool.ntp.org/#use
+# A good way to get servers for your machine is:
+# netselect -s 3 pool.ntp.org
+##
+
+# you should not need to modify the following paths
+driftfile	/var/lib/ntp/ntp.drift
+
+#server ntplocal.example.com prefer 
+#server timeserver.example.org 
 
 # Warning: Using default NTP settings will leave your NTP
 # server accessible to all hosts on the Internet.
@@ -11,9 +37,18 @@ server 3.flatcar.pool.ntp.org
 # from accessing the NTP server, uncomment:
 #restrict default ignore
 
+
 # Default configuration:
 # - Allow only time queries, at a limited rate, sending KoD when in excess.
 # - Allow all local queries (IPv4, IPv6)
-restrict default nomodify nopeer noquery notrap limited kod
+restrict default nomodify nopeer noquery limited kod
 restrict 127.0.0.1
 restrict [::1]
+
+
+# To allow machines within your network to synchronize
+# their clocks with your server, but ensure they are
+# not allowed to configure the server or used as peers
+# to synchronize against, uncomment this line.
+#
+#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.confd
new file mode 100644
index 0000000000..2b74282c57
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.confd
@@ -0,0 +1,6 @@
+# /etc/conf.d/ntpd
+
+# Options to pass to the ntpd process
+# Most people should leave this line alone ...
+# however, if you know what you're doing, feel free to tweak
+NTPD_OPTS="-g -u ntp:ntp"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.rc-r1 b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.rc-r1
new file mode 100644
index 0000000000..7573411c99
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.rc-r1
@@ -0,0 +1,22 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+description="ntpd - the network time protocol daemon"
+pidfile="/var/run/ntpd.pid"
+command="/usr/sbin/ntpd"
+command_args="-p ${pidfile} ${NTPD_OPTS}"
+start_stop_daemon_args="--pidfile ${pidfile}"
+
+depend() {
+	use net dns logger
+	after ntp-client
+}
+
+start_pre() {
+	if [ ! -f /etc/ntp.conf ] ; then
+		eerror "Please create /etc/ntp.conf"
+		return 1
+	fi
+	return 0
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.service-r2 b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.service-r2
new file mode 100644
index 0000000000..5f11b27e92
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.service-r2
@@ -0,0 +1,11 @@
+[Unit]
+Description=Network Time Service
+After=ntpdate.service sntp.service
+Conflicts=systemd-timesyncd.service
+
+[Service]
+ExecStart=/usr/sbin/ntpd -g -n
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service-r2 b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service-r2
new file mode 100644
index 0000000000..7ad294eccd
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service-r2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Set time via NTP using ntpdate
+After=network-online.target nss-lookup.target
+Before=time-sync.target
+Wants=network-online.target time-sync.target
+Conflicts=systemd-timesyncd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ntpdate -b -u $SERVER
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service.conf b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service.conf
new file mode 100644
index 0000000000..75e4f41b41
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment="SERVER=0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.confd
new file mode 100644
index 0000000000..d11983a3fb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.confd
@@ -0,0 +1,4 @@
+# /etc/conf.d/sntp
+
+# Options to pass to sntp
+SNTP_OPTS="-s 0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.rc b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.rc
new file mode 100644
index 0000000000..4ed56ae2bf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.rc
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="/usr/bin/sntp"
+
+depend() {
+	before cron portmap
+	after net
+	use dns logger
+}
+
+start_pre() {
+	if [ -z "${SNTP_OPTS}" ] ; then
+		eerror "Please edit /etc/conf.d/sntp"
+		eerror "I need to know what server/options to use!"
+		return 1
+	fi
+	return 0
+}
+
+start() {
+	ebegin "Setting clock via SNTP"
+	${command} ${SNTP_OPTS}
+	eend $? "Failed to set clock"
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service-r3 b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service-r3
new file mode 100644
index 0000000000..2ab722f2c6
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service-r3
@@ -0,0 +1,14 @@
+[Unit]
+Description=Set time via SNTP
+After=network.target network-online.target nss-lookup.target
+Before=time-sync.target
+Wants=network-online.target time-sync.target
+Conflicts=systemd-timesyncd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/sntp -s $SERVER
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service.conf b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service.conf
new file mode 100644
index 0000000000..75e4f41b41
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment="SERVER=0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/ntp-4.2.8_p15.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/ntp-4.2.8_p15.ebuild
index ea2e33085d..57803acb84 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/ntp-4.2.8_p15.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/ntp-4.2.8_p15.ebuild
@@ -14,7 +14,7 @@ SRC_URI="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-${PV:0:3}/${MY_P}.tar
 LICENSE="HPND BSD ISC"
 SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux ~m68k-mint"
-IUSE="caps debug ipv6 libressl openntpd parse-clocks perl readline samba selinux snmp ssl threads vim-syntax zeroconf"
+IUSE="caps debug ipv6 libressl openntpd parse-clocks readline samba selinux snmp ssl +threads vim-syntax zeroconf"
 
 COMMON_DEPEND="readline? ( >=sys-libs/readline-4.1:0= )
 	>=dev-libs/libevent-2.0.9:=[threads?]
@@ -52,7 +52,6 @@ PATCHES=(
 
 src_prepare() {
 	default
-    use perl || sed -i -e '/^SUBDIRS *=/,/[^\\]$/{/scripts/d;}' Makefile.am || die
 	append-cppflags -D_GNU_SOURCE #264109
 	# Make sure every build uses the same install layout. #539092
 	find sntp/loc/ -type f '!' -name legacy -delete || die
@@ -96,10 +95,19 @@ src_install() {
 	dodoc INSTALL WHERE-TO-START
 	doman "${WORKDIR}"/man/*.[58]
 
-	insinto /usr/share/ntp
+	insinto /etc
 	doins "${FILESDIR}"/ntp.conf
-	use ipv6 || sed -i '/^restrict .*::1/d' "${ED%/}"/usr/share/ntp/ntp.conf #524726
-	systemd_newtmpfilesd "${FILESDIR}"/ntp.tmpfiles ntp.conf
+	use ipv6 || sed -i '/^restrict .*::1/d' "${ED}"/etc/ntp.conf #524726
+	newinitd "${FILESDIR}"/ntpd.rc-r1 ntpd
+	newconfd "${FILESDIR}"/ntpd.confd ntpd
+	newinitd "${FILESDIR}"/ntp-client.rc ntp-client
+	newconfd "${FILESDIR}"/ntp-client.confd ntp-client
+	newinitd "${FILESDIR}"/sntp.rc sntp
+	newconfd "${FILESDIR}"/sntp.confd sntp
+	if ! use caps ; then
+		sed -i "s|-u ntp:ntp||" "${ED}"/etc/conf.d/ntpd || die
+	fi
+	sed -i "s:/usr/bin:/usr/sbin:" "${ED}"/etc/init.d/ntpd || die
 
 	keepdir /var/lib/ntp
 	use prefix || fowners ntp:ntp /var/lib/ntp
@@ -108,9 +116,10 @@ src_install() {
 		cd "${ED}" || die
 		rm usr/sbin/ntpd || die
 		rm -r var/lib || die
+		rm etc/{conf,init}.d/ntpd || die
 		rm usr/share/man/*/ntpd.8 || die
 	else
-		systemd_dounit "${FILESDIR}"/ntpd.service
+		systemd_newunit "${FILESDIR}"/ntpd.service-r2 ntpd.service
 		if use caps ; then
 			sed -i '/ExecStart/ s|$| -u ntp:ntp|' \
 				"${D}$(systemd_get_systemunitdir)"/ntpd.service \
@@ -119,6 +128,17 @@ src_install() {
 		systemd_enable_ntpunit 60-ntpd ntpd.service
 	fi
 
-	systemd_dounit "${FILESDIR}"/ntpdate.service
-	systemd_dounit "${FILESDIR}"/sntp.service
+	systemd_newunit "${FILESDIR}"/ntpdate.service-r2 ntpdate.service
+	systemd_install_serviced "${FILESDIR}"/ntpdate.service.conf
+	systemd_newunit "${FILESDIR}"/sntp.service-r3 sntp.service
+	systemd_install_serviced "${FILESDIR}"/sntp.service.conf
+}
+
+pkg_postinst() {
+	if grep -qs '^[^#].*notrust' "${EROOT}"/etc/ntp.conf ; then
+		eerror "The notrust option was found in your /etc/ntp.conf!"
+		ewarn "If your ntpd starts sending out weird responses,"
+		ewarn "then make sure you have keys properly setup and see"
+		ewarn "https://bugs.gentoo.org/41827"
+	fi
 }

From 076251ff56a2cd53ec3b87ee54fd3f23e47d772e Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:51:49 +0100
Subject: [PATCH 15/37] net-misc/ntp: Apply Flatcar modifications

  - Check out our previous ntp.conf and service units
  - Disable USE=threads
  - Add USE=perl, disabled to skip the scripts subdir
  - Do the /etc -> /usr/share + tmpfiles dance for ntp.conf
  - Drop unused init scripts and pkg_postinst
---
 .../net-misc/ntp/files/ntp-client.confd       | 21 ---------
 .../net-misc/ntp/files/ntp-client.rc          | 31 ------------
 .../net-misc/ntp/files/ntp.conf               | 47 +++----------------
 .../net-misc/ntp/files/ntpd.confd             |  6 ---
 .../net-misc/ntp/files/ntpd.rc-r1             | 22 ---------
 .../net-misc/ntp/files/ntpd.service-r2        | 11 -----
 .../net-misc/ntp/files/ntpdate.service-r2     | 14 ------
 .../net-misc/ntp/files/ntpdate.service.conf   |  2 -
 .../net-misc/ntp/files/sntp.confd             |  4 --
 .../coreos-overlay/net-misc/ntp/files/sntp.rc | 26 ----------
 .../net-misc/ntp/files/sntp.service-r3        | 14 ------
 .../net-misc/ntp/files/sntp.service.conf      |  2 -
 .../net-misc/ntp/ntp-4.2.8_p15.ebuild         | 39 ++++-----------
 13 files changed, 16 insertions(+), 223 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.confd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.rc
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.confd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.rc-r1
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.service-r2
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service-r2
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service.conf
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.confd
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.rc
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service-r3
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.confd
deleted file mode 100644
index 786004da83..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.confd
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/conf.d/ntp-client
-
-# Command to run to set the clock initially
-# Most people should just leave this line alone ...
-# however, if you know what you're doing, and you
-# want to use ntpd to set the clock, change this to 'ntpd'
-NTPCLIENT_CMD="ntpdate"
-
-# Options to pass to the above command
-# This default setting should work fine but you should
-# change the default 'pool.ntp.org' to something closer
-# to your machine.  See http://www.pool.ntp.org/ or
-# try running `netselect -s 3 pool.ntp.org`.
-NTPCLIENT_OPTS="-s -b -u \
-	0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org \
-	2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
-
-# If you use hostnames above, then you should depend on dns
-# being up & running before we try to run.  Otherwise, you
-# can disable this.
-rc_use="dns"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.rc b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.rc
deleted file mode 100644
index 5b5d594473..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp-client.rc
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-depend() {
-	before cron portmap
-	after net
-	use dns logger
-}
-
-checkconfig() {
-	if ! type "${NTPCLIENT_CMD}" >/dev/null 2>&1 ; then
-		eerror "Please edit /etc/conf.d/ntp-client"
-		eerror "Unable to locate the client command ${NTPCLIENT_CMD}!"
-		return 1
-	fi
-	if [ -z "${NTPCLIENT_OPTS}" ] ; then
-		eerror "Please edit /etc/conf.d/ntp-client"
-		eerror "I need to know what server/options to use!"
-		return 1
-	fi
-	return 0
-}
-
-start() {
-	checkconfig || return $?
-
-	ebegin "Setting clock via the NTP client '${NTPCLIENT_CMD}'"
-	"${NTPCLIENT_CMD}" ${NTPCLIENT_OPTS}
-	eend $? "Failed to set clock"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp.conf b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp.conf
index 97bed8dd13..c0cd2271f9 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp.conf
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntp.conf
@@ -1,34 +1,8 @@
-# NOTES:
-# DHCP clients can append or replace NTP configuration files.
-# You should consult your DHCP client documentation about its
-# default behaviour and how to change it.
-
-# Name of the servers ntpd should sync with
-# Please respect the access policy as stated by the responsible person.
-#server		ntp.example.tld		iburst
-
-# Common pool for random people
-#server pool.ntp.org
-
-# Pools for Gentoo users
-server 0.gentoo.pool.ntp.org
-server 1.gentoo.pool.ntp.org
-server 2.gentoo.pool.ntp.org
-server 3.gentoo.pool.ntp.org
-
-##
-# A list of available servers can be found here:
-# http://www.pool.ntp.org/
-# http://www.pool.ntp.org/#use
-# A good way to get servers for your machine is:
-# netselect -s 3 pool.ntp.org
-##
-
-# you should not need to modify the following paths
-driftfile	/var/lib/ntp/ntp.drift
-
-#server ntplocal.example.com prefer 
-#server timeserver.example.org 
+# Common pool
+server 0.flatcar.pool.ntp.org
+server 1.flatcar.pool.ntp.org
+server 2.flatcar.pool.ntp.org
+server 3.flatcar.pool.ntp.org
 
 # Warning: Using default NTP settings will leave your NTP
 # server accessible to all hosts on the Internet.
@@ -37,18 +11,9 @@ driftfile	/var/lib/ntp/ntp.drift
 # from accessing the NTP server, uncomment:
 #restrict default ignore
 
-
 # Default configuration:
 # - Allow only time queries, at a limited rate, sending KoD when in excess.
 # - Allow all local queries (IPv4, IPv6)
-restrict default nomodify nopeer noquery limited kod
+restrict default nomodify nopeer noquery notrap limited kod
 restrict 127.0.0.1
 restrict [::1]
-
-
-# To allow machines within your network to synchronize
-# their clocks with your server, but ensure they are
-# not allowed to configure the server or used as peers
-# to synchronize against, uncomment this line.
-#
-#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.confd
deleted file mode 100644
index 2b74282c57..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.confd
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/conf.d/ntpd
-
-# Options to pass to the ntpd process
-# Most people should leave this line alone ...
-# however, if you know what you're doing, feel free to tweak
-NTPD_OPTS="-g -u ntp:ntp"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.rc-r1 b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.rc-r1
deleted file mode 100644
index 7573411c99..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.rc-r1
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-description="ntpd - the network time protocol daemon"
-pidfile="/var/run/ntpd.pid"
-command="/usr/sbin/ntpd"
-command_args="-p ${pidfile} ${NTPD_OPTS}"
-start_stop_daemon_args="--pidfile ${pidfile}"
-
-depend() {
-	use net dns logger
-	after ntp-client
-}
-
-start_pre() {
-	if [ ! -f /etc/ntp.conf ] ; then
-		eerror "Please create /etc/ntp.conf"
-		return 1
-	fi
-	return 0
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.service-r2 b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.service-r2
deleted file mode 100644
index 5f11b27e92..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpd.service-r2
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Network Time Service
-After=ntpdate.service sntp.service
-Conflicts=systemd-timesyncd.service
-
-[Service]
-ExecStart=/usr/sbin/ntpd -g -n
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service-r2 b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service-r2
deleted file mode 100644
index 7ad294eccd..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service-r2
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Set time via NTP using ntpdate
-After=network-online.target nss-lookup.target
-Before=time-sync.target
-Wants=network-online.target time-sync.target
-Conflicts=systemd-timesyncd.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/sbin/ntpdate -b -u $SERVER
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service.conf b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service.conf
deleted file mode 100644
index 75e4f41b41..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/ntpdate.service.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Environment="SERVER=0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.confd
deleted file mode 100644
index d11983a3fb..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.confd
+++ /dev/null
@@ -1,4 +0,0 @@
-# /etc/conf.d/sntp
-
-# Options to pass to sntp
-SNTP_OPTS="-s 0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.rc b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.rc
deleted file mode 100644
index 4ed56ae2bf..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.rc
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-command="/usr/bin/sntp"
-
-depend() {
-	before cron portmap
-	after net
-	use dns logger
-}
-
-start_pre() {
-	if [ -z "${SNTP_OPTS}" ] ; then
-		eerror "Please edit /etc/conf.d/sntp"
-		eerror "I need to know what server/options to use!"
-		return 1
-	fi
-	return 0
-}
-
-start() {
-	ebegin "Setting clock via SNTP"
-	${command} ${SNTP_OPTS}
-	eend $? "Failed to set clock"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service-r3 b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service-r3
deleted file mode 100644
index 2ab722f2c6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service-r3
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Set time via SNTP
-After=network.target network-online.target nss-lookup.target
-Before=time-sync.target
-Wants=network-online.target time-sync.target
-Conflicts=systemd-timesyncd.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/sntp -s $SERVER
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service.conf b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service.conf
deleted file mode 100644
index 75e4f41b41..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/files/sntp.service.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Environment="SERVER=0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/ntp-4.2.8_p15.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/ntp-4.2.8_p15.ebuild
index 57803acb84..591c3f1cdf 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/ntp-4.2.8_p15.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/ntp/ntp-4.2.8_p15.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=7
 
-inherit autotools toolchain-funcs flag-o-matic systemd
+TMPFILES_OPTIONAL=1
+inherit autotools toolchain-funcs flag-o-matic systemd tmpfiles
 
 MY_P=${P/_p/p}
 DESCRIPTION="Network Time Protocol suite/programs"
@@ -14,7 +15,7 @@ SRC_URI="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-${PV:0:3}/${MY_P}.tar
 LICENSE="HPND BSD ISC"
 SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux ~m68k-mint"
-IUSE="caps debug ipv6 libressl openntpd parse-clocks readline samba selinux snmp ssl +threads vim-syntax zeroconf"
+IUSE="caps debug ipv6 libressl openntpd parse-clocks perl readline samba selinux snmp ssl threads vim-syntax zeroconf"
 
 COMMON_DEPEND="readline? ( >=sys-libs/readline-4.1:0= )
 	>=dev-libs/libevent-2.0.9:=[threads?]
@@ -52,6 +53,7 @@ PATCHES=(
 
 src_prepare() {
 	default
+    use perl || sed -i -e '/^SUBDIRS *=/,/[^\\]$/{/scripts/d;}' Makefile.am || die
 	append-cppflags -D_GNU_SOURCE #264109
 	# Make sure every build uses the same install layout. #539092
 	find sntp/loc/ -type f '!' -name legacy -delete || die
@@ -95,19 +97,10 @@ src_install() {
 	dodoc INSTALL WHERE-TO-START
 	doman "${WORKDIR}"/man/*.[58]
 
-	insinto /etc
+	insinto /usr/share/ntp
 	doins "${FILESDIR}"/ntp.conf
-	use ipv6 || sed -i '/^restrict .*::1/d' "${ED}"/etc/ntp.conf #524726
-	newinitd "${FILESDIR}"/ntpd.rc-r1 ntpd
-	newconfd "${FILESDIR}"/ntpd.confd ntpd
-	newinitd "${FILESDIR}"/ntp-client.rc ntp-client
-	newconfd "${FILESDIR}"/ntp-client.confd ntp-client
-	newinitd "${FILESDIR}"/sntp.rc sntp
-	newconfd "${FILESDIR}"/sntp.confd sntp
-	if ! use caps ; then
-		sed -i "s|-u ntp:ntp||" "${ED}"/etc/conf.d/ntpd || die
-	fi
-	sed -i "s:/usr/bin:/usr/sbin:" "${ED}"/etc/init.d/ntpd || die
+	use ipv6 || sed -i '/^restrict .*::1/d' "${ED%/}"/usr/share/ntp/ntp.conf #524726
+	newtmpfiles "${FILESDIR}"/ntp.tmpfiles ntp.conf
 
 	keepdir /var/lib/ntp
 	use prefix || fowners ntp:ntp /var/lib/ntp
@@ -116,10 +109,9 @@ src_install() {
 		cd "${ED}" || die
 		rm usr/sbin/ntpd || die
 		rm -r var/lib || die
-		rm etc/{conf,init}.d/ntpd || die
 		rm usr/share/man/*/ntpd.8 || die
 	else
-		systemd_newunit "${FILESDIR}"/ntpd.service-r2 ntpd.service
+		systemd_dounit "${FILESDIR}"/ntpd.service
 		if use caps ; then
 			sed -i '/ExecStart/ s|$| -u ntp:ntp|' \
 				"${D}$(systemd_get_systemunitdir)"/ntpd.service \
@@ -128,17 +120,6 @@ src_install() {
 		systemd_enable_ntpunit 60-ntpd ntpd.service
 	fi
 
-	systemd_newunit "${FILESDIR}"/ntpdate.service-r2 ntpdate.service
-	systemd_install_serviced "${FILESDIR}"/ntpdate.service.conf
-	systemd_newunit "${FILESDIR}"/sntp.service-r3 sntp.service
-	systemd_install_serviced "${FILESDIR}"/sntp.service.conf
-}
-
-pkg_postinst() {
-	if grep -qs '^[^#].*notrust' "${EROOT}"/etc/ntp.conf ; then
-		eerror "The notrust option was found in your /etc/ntp.conf!"
-		ewarn "If your ntpd starts sending out weird responses,"
-		ewarn "then make sure you have keys properly setup and see"
-		ewarn "https://bugs.gentoo.org/41827"
-	fi
+	systemd_dounit "${FILESDIR}"/ntpdate.service
+	systemd_dounit "${FILESDIR}"/sntp.service
 }

From 3fe352040ad56c7df2781f72691bf522d7a843c9 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 19:58:16 +0100
Subject: [PATCH 16/37] sec-policy/selinux-base: Clean slate to reapply our
 changes

---
 ...s-kernel-all-more-actions-for-kernel.patch | 24 ---------
 ...-policy-ms-MCS-restricts-relabelfrom.patch | 27 ----------
 .../sec-policy/selinux-base/files/booleans    |  1 +
 .../sec-policy/selinux-base/files/config      |  2 +-
 .../selinux-base/files/lxc_contexts           | 10 ----
 .../files/tmpfiles.d/selinux-base.conf        |  4 --
 .../selinux-base-2.20200818-r2.ebuild         | 50 +++----------------
 7 files changed, 8 insertions(+), 110 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
deleted file mode 100644
index cf6406da73..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
-From: Mathieu Tortuyaux <mathieu@kinvolk.io>
-Date: Fri, 4 Jun 2021 13:17:44 +0200
-Subject: [PATCH] policy/modules/kernel: all more actions for kernel
-
-Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
----
- policy/modules/kernel/kernel.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
---- refpolicy/policy/modules/kernel/kernel.te
-+++ refpolicy/policy/modules/kernel/kernel.te
-@@ -351,6 +351,10 @@ files_list_home(kernel_t)
- files_read_usr_files(kernel_t)
- 
- mcs_process_set_categories(kernel_t)
-+mcs_killall(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_ptrace_all(kernel_t)
- 
- mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
deleted file mode 100644
index 5cce12771a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- refpolicy/policy/mcs
-+++ refpolicy/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+
-+default_range dir_file_class_set target low-high;
- #
- # Define sensitivities
- #
-@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
--	(( h1 dom h2 ) and ( l2 eq h2 ));
-+	((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
- 
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
--	( h1 dom h2 );
-+	(( h1 dom h2 ) or (t1 == mcswriteall));
- 
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
--	(( h1 dom h2 ) and ( l2 eq h2 ));
-+	((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
- 
- mlsconstrain process { transition dyntransition }
- 	(( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
new file mode 100644
index 0000000000..c12771d473
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
@@ -0,0 +1 @@
+allow_execmem = true
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
index 7b66367667..55933ea0e5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
@@ -12,4 +12,4 @@ SELINUX=permissive
 #	mls      - Full SELinux protection with Multi-Level Security
 #	mcs      - Full SELinux protection with Multi-Category Security 
 #	           (mls, but only one sensitivity level)
-SELINUXTYPE=mcs
+SELINUXTYPE=strict
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
deleted file mode 100644
index b9ce512118..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file is used to configure the per-instance contexts of rkt and other
-# applications that use libvirt for lxc container support.
-#
-# See:
-#    https://coreos.com/rkt/docs/latest/selinux.html
-#    https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
-
-process = "system_u:system_r:svirt_lxc_net_t:s0"
-content = "system_u:object_r:virt_var_lib_t:s0"
-file = "system_u:object_r:svirt_lxc_file_t:s0"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
deleted file mode 100644
index a123a51d15..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#Type	Path			Mode	UID 	GID 	Age	Argument
-d	/etc/selinux/		-	-	-	-	-
-L	/etc/selinux/config	-	-	-	-	../../usr/lib/selinux/config
-L	/etc/selinux/mcs	-	-	-	-	../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
index 17d06e1149..9eaddb863d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
@@ -3,9 +3,6 @@
 
 EAPI="7"
 
-# flatcar changes
-inherit systemd
-
 if [[ ${PV} == 9999* ]]; then
 	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -26,23 +23,11 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
 LICENSE="GPL-2"
 SLOT="0"
 
-# flatcar changes
-RDEPEND=">=sys-apps/policycoreutils-2.8
-	>=sys-apps/checkpolicy-2.8
-"
+RDEPEND=">=sys-apps/policycoreutils-2.8"
 DEPEND="${RDEPEND}"
-# flatcar: BDEPEND on python3[xml] - normally pulled in through policycoreutils
-# but we made that dep conditional on USE=python
-BDEPEND="sys-devel/m4
-    >=dev-lang/python-3[xml]
-"
-
-
-# flatcar changes
-PATCHES=(
-	"${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
-	"${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
-)
+BDEPEND="
+	>=sys-apps/checkpolicy-2.8
+	sys-devel/m4"
 
 S=${WORKDIR}/
 
@@ -52,8 +37,6 @@ src_prepare() {
 		eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
 	fi
 
-	# flatcar changes
-	eapply -p0 "${PATCHES[@]}"
 	eapply_user
 
 	cd "${S}/refpolicy" || die
@@ -95,10 +78,6 @@ src_configure() {
 
 		sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
 
-		# flatcar changes: it's required to run polkit without segfault
-		# we need to pass this argument now before the compilation of the policy
-		sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die
-
 		sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
 			"${S}/${i}/build.conf" || die "build.conf setup failed."
 
@@ -128,9 +107,7 @@ src_compile() {
 
 	for i in ${POLICY_TYPES}; do
 		cd "${S}/${i}" || die
-		# flatcar changes
-		emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \
-			LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i}
+		emake base
 		if use doc; then
 			emake html
 		fi
@@ -163,29 +140,14 @@ src_install() {
 
 	done
 
-	# flatcar changes
-	systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf"
-	systemd-tmpfiles --root="${D}" --create selinux-base.conf
-
 	docinto /
 	dodoc doc/Makefile.example doc/example.{te,fc,if}
 
 	doman man/man8/*.8;
 
-	# flatcar changes
-	insinto /usr/lib/selinux
+	insinto /etc/selinux
 	doins "${FILESDIR}/config"
 
-	insinto /etc/selinux/mcs/contexts
-	doins "${FILESDIR}/lxc_contexts"
-
-	# flatcar changes
-	mkdir -p "${D}/usr/lib/selinux"
-	for i in ${POLICY_TYPES}; do
-		mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
-		dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
-	done
-
 	insinto /usr/share/portage/config/sets
 	doins "${FILESDIR}/selinux.conf"
 }

From 3227e5614cc1cb25c618cd5bb36fe7ac883e4f75 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:00:22 +0100
Subject: [PATCH 17/37] sec-policy/selinux-base: Apply Flatcar modifications

  - run sshd (and child) as unconfined_t
  - add init.patch to allow execute_no_trans,map and exec from init to
    unconfined
  - add AVC patch for local login and journald
  - add python[lxml] to BDEPEND (not pulled through policycoreutils
    any more due to our changes there)
---
 ...s-kernel-all-more-actions-for-kernel.patch | 24 +++++++++
 ...-policy-ms-MCS-restricts-relabelfrom.patch | 27 ++++++++++
 .../sec-policy/selinux-base/files/booleans    |  1 -
 .../sec-policy/selinux-base/files/config      |  2 +-
 .../selinux-base/files/lxc_contexts           | 10 ++++
 .../files/tmpfiles.d/selinux-base.conf        |  4 ++
 .../selinux-base-2.20200818-r2.ebuild         | 51 ++++++++++++++++---
 7 files changed, 111 insertions(+), 8 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
new file mode 100644
index 0000000000..cf6406da73
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
@@ -0,0 +1,24 @@
+From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
+From: Mathieu Tortuyaux <mathieu@kinvolk.io>
+Date: Fri, 4 Jun 2021 13:17:44 +0200
+Subject: [PATCH] policy/modules/kernel: all more actions for kernel
+
+Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
+---
+ policy/modules/kernel/kernel.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+--- refpolicy/policy/modules/kernel/kernel.te
++++ refpolicy/policy/modules/kernel/kernel.te
+@@ -351,6 +351,10 @@ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
+ 
+ mcs_process_set_categories(kernel_t)
++mcs_killall(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_ptrace_all(kernel_t)
+ 
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
new file mode 100644
index 0000000000..5cce12771a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
@@ -0,0 +1,27 @@
+--- refpolicy/policy/mcs
++++ refpolicy/policy/mcs
+@@ -1,4 +1,6 @@
+ ifdef(`enable_mcs',`
++
++default_range dir_file_class_set target low-high;
+ #
+ # Define sensitivities
+ #
+@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
+-	(( h1 dom h2 ) and ( l2 eq h2 ));
++	((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
+ 
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+-	( h1 dom h2 );
++	(( h1 dom h2 ) or (t1 == mcswriteall));
+ 
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+-	(( h1 dom h2 ) and ( l2 eq h2 ));
++	((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
+ 
+ mlsconstrain process { transition dyntransition }
+ 	(( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
deleted file mode 100644
index c12771d473..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans
+++ /dev/null
@@ -1 +0,0 @@
-allow_execmem = true
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
index 55933ea0e5..7b66367667 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
@@ -12,4 +12,4 @@ SELINUX=permissive
 #	mls      - Full SELinux protection with Multi-Level Security
 #	mcs      - Full SELinux protection with Multi-Category Security 
 #	           (mls, but only one sensitivity level)
-SELINUXTYPE=strict
+SELINUXTYPE=mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
new file mode 100644
index 0000000000..b9ce512118
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
@@ -0,0 +1,10 @@
+# This file is used to configure the per-instance contexts of rkt and other
+# applications that use libvirt for lxc container support.
+#
+# See:
+#    https://coreos.com/rkt/docs/latest/selinux.html
+#    https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
+
+process = "system_u:system_r:svirt_lxc_net_t:s0"
+content = "system_u:object_r:virt_var_lib_t:s0"
+file = "system_u:object_r:svirt_lxc_file_t:s0"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
new file mode 100644
index 0000000000..a123a51d15
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
@@ -0,0 +1,4 @@
+#Type	Path			Mode	UID 	GID 	Age	Argument
+d	/etc/selinux/		-	-	-	-	-
+L	/etc/selinux/config	-	-	-	-	../../usr/lib/selinux/config
+L	/etc/selinux/mcs	-	-	-	-	../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
index 9eaddb863d..63859fde4d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
@@ -3,6 +3,10 @@
 
 EAPI="7"
 
+# flatcar changes
+TMPFILES_OPTIONAL=1
+inherit systemd tmpfiles
+
 if [[ ${PV} == 9999* ]]; then
 	EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 	EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -23,11 +27,23 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
 LICENSE="GPL-2"
 SLOT="0"
 
-RDEPEND=">=sys-apps/policycoreutils-2.8"
-DEPEND="${RDEPEND}"
-BDEPEND="
+# flatcar changes
+RDEPEND=">=sys-apps/policycoreutils-2.8
 	>=sys-apps/checkpolicy-2.8
-	sys-devel/m4"
+"
+DEPEND="${RDEPEND}"
+# flatcar: BDEPEND on python3[xml] - normally pulled in through policycoreutils
+# but we made that dep conditional on USE=python
+BDEPEND="sys-devel/m4
+    >=dev-lang/python-3[xml]
+"
+
+
+# flatcar changes
+PATCHES=(
+	"${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
+	"${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
+)
 
 S=${WORKDIR}/
 
@@ -37,6 +53,8 @@ src_prepare() {
 		eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
 	fi
 
+	# flatcar changes
+	eapply -p0 "${PATCHES[@]}"
 	eapply_user
 
 	cd "${S}/refpolicy" || die
@@ -78,6 +96,10 @@ src_configure() {
 
 		sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
 
+		# flatcar changes: it's required to run polkit without segfault
+		# we need to pass this argument now before the compilation of the policy
+		sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die
+
 		sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
 			"${S}/${i}/build.conf" || die "build.conf setup failed."
 
@@ -107,7 +129,9 @@ src_compile() {
 
 	for i in ${POLICY_TYPES}; do
 		cd "${S}/${i}" || die
-		emake base
+		# flatcar changes
+		emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \
+			LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i}
 		if use doc; then
 			emake html
 		fi
@@ -140,14 +164,29 @@ src_install() {
 
 	done
 
+	# flatcar changes
+	dotmpfiles "${FILESDIR}/tmpfiles.d/selinux-base.conf"
+	systemd-tmpfiles --root="${D}" --create selinux-base.conf
+
 	docinto /
 	dodoc doc/Makefile.example doc/example.{te,fc,if}
 
 	doman man/man8/*.8;
 
-	insinto /etc/selinux
+	# flatcar changes
+	insinto /usr/lib/selinux
 	doins "${FILESDIR}/config"
 
+	insinto /etc/selinux/mcs/contexts
+	doins "${FILESDIR}/lxc_contexts"
+
+	# flatcar changes
+	mkdir -p "${D}/usr/lib/selinux"
+	for i in ${POLICY_TYPES}; do
+		mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
+		dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
+	done
+
 	insinto /usr/share/portage/config/sets
 	doins "${FILESDIR}/selinux.conf"
 }

From 03c56caf2ea246ef3c02d8f73e71712b8a0acf1b Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 19:25:11 +0100
Subject: [PATCH 18/37] sys-apps/baselayout: Port to tmpfiles eclass

---
 ...baselayout-3.6.8-r3.ebuild => baselayout-3.6.8-r4.ebuild} | 0
 .../sys-apps/baselayout/baselayout-9999.ebuild               | 5 +++--
 2 files changed, 3 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/{baselayout-3.6.8-r3.ebuild => baselayout-3.6.8-r4.ebuild} (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r4.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r4.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
index 8d0ae46551..b432b9f7b0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
@@ -13,7 +13,8 @@ else
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 
-inherit cros-workon multilib systemd
+TMPFILES_OPTIONAL=1
+inherit cros-workon multilib systemd tmpfiles
 
 DESCRIPTION="Filesystem baselayout for CoreOS"
 HOMEPAGE="http://www.coreos.com/"
@@ -131,7 +132,7 @@ src_install() {
 	fi
 
 	if use symlink-usr; then
-		systemd_dotmpfilesd "${T}/baselayout-usr.conf"
+		dotmpfiles "${T}/baselayout-usr.conf"
 		systemd-tmpfiles --root="${D}" --create
 	fi
 

From f6a355da10f3ecdfc29a98003c0e19055e1f9f4c Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:20:25 +0100
Subject: [PATCH 19/37] sys-apps/keyutils: Clean slate to reapply our changes

---
 .../sys-apps/keyutils/keyutils-1.6.1.ebuild               | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/keyutils/keyutils-1.6.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/keyutils/keyutils-1.6.1.ebuild
index 219ba006a0..96aead1e27 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/keyutils/keyutils-1.6.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/keyutils/keyutils-1.6.1.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=7
 
-inherit toolchain-funcs linux-info multilib-minimal usr-ldscript systemd
+inherit toolchain-funcs linux-info multilib-minimal usr-ldscript
 
 DESCRIPTION="Linux Key Management Utilities"
 HOMEPAGE="https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git"
@@ -26,8 +26,6 @@ PATCHES=(
 	"${FILESDIR}"/${PN}-1.5.9-header-extern-c.patch
 )
 
-MAKEOPTS+=" ETCDIR=/usr/share/keyutils"
-
 pkg_setup() {
 	# To prevent a failure in test phase and false positive bug reports
 	# we are enforcing the following options because testsuite expects
@@ -112,15 +110,11 @@ multilib_src_test() {
 }
 
 multilib_src_install() {
-	systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/keyutils.conf"
 	# Possibly undo the setting for USE=static (see src_compile).
 	export NO_ARLIB=$(usex static-libs 0 1)
 
 	default
 	use static || gen_usr_ldscript -a keyutils
-	dosym ../usr/share/keyutils/request-key.conf /etc/request-key.conf
-	dodir /etc/request-key.d
-	dodir /etc/keyutils
 }
 
 multilib_src_install_all() {

From c5e8ec0fc90b84d3edcfce6a9d470c5cafd86e8f Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:21:52 +0100
Subject: [PATCH 20/37] sys-apps/keyutils: Apply Flatcar modifications

---
 .../sys-apps/keyutils/keyutils-1.6.1.ebuild              | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/keyutils/keyutils-1.6.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/keyutils/keyutils-1.6.1.ebuild
index 96aead1e27..7fd949a2f9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/keyutils/keyutils-1.6.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/keyutils/keyutils-1.6.1.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=7
 
-inherit toolchain-funcs linux-info multilib-minimal usr-ldscript
+TMPFILES_OPTIONAL=1
+inherit toolchain-funcs linux-info multilib-minimal usr-ldscript systemd tmpfiles
 
 DESCRIPTION="Linux Key Management Utilities"
 HOMEPAGE="https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git"
@@ -26,6 +27,8 @@ PATCHES=(
 	"${FILESDIR}"/${PN}-1.5.9-header-extern-c.patch
 )
 
+MAKEOPTS+=" ETCDIR=/usr/share/keyutils"
+
 pkg_setup() {
 	# To prevent a failure in test phase and false positive bug reports
 	# we are enforcing the following options because testsuite expects
@@ -110,11 +113,15 @@ multilib_src_test() {
 }
 
 multilib_src_install() {
+	dotmpfiles "${FILESDIR}/tmpfiles.d/keyutils.conf"
 	# Possibly undo the setting for USE=static (see src_compile).
 	export NO_ARLIB=$(usex static-libs 0 1)
 
 	default
 	use static || gen_usr_ldscript -a keyutils
+	dosym ../usr/share/keyutils/request-key.conf /etc/request-key.conf
+	dodir /etc/request-key.d
+	dodir /etc/keyutils
 }
 
 multilib_src_install_all() {

From 221b8f345534510dfa959c74c64bd32a86f2d135 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:23:12 +0100
Subject: [PATCH 21/37] sys-apps/shadow: Clean slate to reapply our changes

---
 .../sys-apps/shadow/shadow-4.8-r5.ebuild      | 71 ++++++++++---------
 1 file changed, 39 insertions(+), 32 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild
index f5d73554c9..b04fd057bc 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=7
 
-inherit autotools libtool pam systemd
+inherit autotools libtool pam
 
 DESCRIPTION="Utilities to deal with user accounts"
 HOMEPAGE="https://github.com/shadow-maint/shadow"
@@ -93,14 +93,14 @@ set_login_opt() {
 		comment="#"
 		sed -i \
 			-e "/^${opt}\>/s:^:#:" \
-			"${ED}"/usr/share/shadow/login.defs || die
+			"${ED}"/etc/login.defs || die
 	else
 		sed -i -r \
 			-e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
-			"${ED}"/usr/share/shadow/login.defs
+			"${ED}"/etc/login.defs
 	fi
-	local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs)
-	einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}"
+	local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
+	einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
 }
 
 src_install() {
@@ -113,41 +113,29 @@ src_install() {
 	#   remove it.
 	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
 
-	# Remove files from /etc, they will be symlinks to /usr instead.
-	rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd}
-
-	# CoreOS: break shadow.conf into two files so that we only have to apply
-	# etc-shadow.conf in the initrd.
-	systemd_dotmpfilesd "${FILESDIR}"/tmpfiles.d/etc-shadow.conf
-	systemd_dotmpfilesd "${FILESDIR}"/tmpfiles.d/var-shadow.conf
-	# Package the symlinks for the SDK and containers.
-	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/*
-
-	insinto /usr/share/shadow
+	insinto /etc
 	if ! use pam ; then
 		insopts -m0600
 		doins etc/login.access etc/limits
 	fi
-	# Using a securetty with devfs device names added
-	# (compat names kept for non-devfs compatibility)
-	insopts -m0600 ; doins "${FILESDIR}"/securetty
-	# Output arch-specific cruft
-	local devs
-	case $(tc-arch) in
-		ppc*)  devs="hvc0 hvsi0 ttyPSC0";;
-		hppa)  devs="ttyB0";;
-		arm)   devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";;
-		sh)    devs="ttySC0 ttySC1";;
-		amd64|x86)      devs="hvc0";;
-	esac
-	if [[ -n ${devs} ]]; then
-		printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty
-	fi
 
 	# needed for 'useradd -D'
+	insinto /etc/default
 	insopts -m0600
 	doins "${FILESDIR}"/default/useradd
 
+	if use split-usr ; then
+		# move passwd to / to help recover broke systems #64441
+		# We cannot simply remove this or else net-misc/scponly
+		# and other tools will break because of hardcoded passwd
+		# location
+		dodir /bin
+		mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
+		dosym ../../bin/passwd /usr/bin/passwd
+	fi
+
+	cd "${S}" || die
+	insinto /etc
 	insopts -m0644
 	newins etc/login.defs login.defs
 
@@ -201,7 +189,7 @@ src_install() {
 			-e 'b exit' \
 			-e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
 			-e ': exit' \
-			"${ED}"/usr/share/shadow/login.defs || die
+			"${ED}"/etc/login.defs || die
 
 		# remove manpages that pam will install for us
 		# and/or don't apply when using pam
@@ -232,3 +220,22 @@ pkg_preinst() {
 	rm -f "${EROOT}"/etc/pam.d/system-auth.new \
 		"${EROOT}/etc/login.defs.new"
 }
+
+pkg_postinst() {
+	# Enable shadow groups.
+	if [ ! -f "${EROOT}"/etc/gshadow ] ; then
+		if grpck -r -R "${EROOT}" 2>/dev/null ; then
+			grpconv -R "${EROOT}"
+		else
+			ewarn "Running 'grpck' returned errors.  Please run it by hand, and then"
+			ewarn "run 'grpconv' afterwards!"
+		fi
+	fi
+
+	[[ ! -f "${EROOT}"/etc/subgid ]] &&
+		touch "${EROOT}"/etc/subgid
+	[[ ! -f "${EROOT}"/etc/subuid ]] &&
+		touch "${EROOT}"/etc/subuid
+
+	einfo "The 'adduser' symlink to 'useradd' has been dropped."
+}

From 0a907f6ffb2a1174d00112084e2770cce147b0d8 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:23:44 +0100
Subject: [PATCH 22/37] sys-apps/shadow: Apply Flatcar modifications

  - Carry over our custom tmpfiles and securetty files
  - Remove /etc files and install them to /usr, use tmpfiles
  - Switch /etc/login.defs edits to /usr/share/shadow/login.defs
  - Drop moving passwd out of /usr since we don't have split-usr
  - Drop pkg_postinst
---
 .../sys-apps/shadow/shadow-4.8-r5.ebuild      | 72 +++++++++----------
 1 file changed, 33 insertions(+), 39 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild
index b04fd057bc..8419e240b0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=7
 
-inherit autotools libtool pam
+TMPFILES_OPTIONAL=1
+inherit autotools libtool pam systemd tmpfiles
 
 DESCRIPTION="Utilities to deal with user accounts"
 HOMEPAGE="https://github.com/shadow-maint/shadow"
@@ -93,14 +94,14 @@ set_login_opt() {
 		comment="#"
 		sed -i \
 			-e "/^${opt}\>/s:^:#:" \
-			"${ED}"/etc/login.defs || die
+			"${ED}"/usr/share/shadow/login.defs || die
 	else
 		sed -i -r \
 			-e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
-			"${ED}"/etc/login.defs
+			"${ED}"/usr/share/shadow/login.defs
 	fi
-	local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
-	einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
+	local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs)
+	einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}"
 }
 
 src_install() {
@@ -113,29 +114,41 @@ src_install() {
 	#   remove it.
 	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
 
-	insinto /etc
+	# Remove files from /etc, they will be symlinks to /usr instead.
+	rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd}
+
+	# CoreOS: break shadow.conf into two files so that we only have to apply
+	# etc-shadow.conf in the initrd.
+	dotmpfiles "${FILESDIR}"/tmpfiles.d/etc-shadow.conf
+	dotmpfiles "${FILESDIR}"/tmpfiles.d/var-shadow.conf
+	# Package the symlinks for the SDK and containers.
+	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/*
+
+	insinto /usr/share/shadow
 	if ! use pam ; then
 		insopts -m0600
 		doins etc/login.access etc/limits
 	fi
+	# Using a securetty with devfs device names added
+	# (compat names kept for non-devfs compatibility)
+	insopts -m0600 ; doins "${FILESDIR}"/securetty
+	# Output arch-specific cruft
+	local devs
+	case $(tc-arch) in
+		ppc*)  devs="hvc0 hvsi0 ttyPSC0";;
+		hppa)  devs="ttyB0";;
+		arm)   devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";;
+		sh)    devs="ttySC0 ttySC1";;
+		amd64|x86)      devs="hvc0";;
+	esac
+	if [[ -n ${devs} ]]; then
+		printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty
+	fi
 
 	# needed for 'useradd -D'
-	insinto /etc/default
 	insopts -m0600
 	doins "${FILESDIR}"/default/useradd
 
-	if use split-usr ; then
-		# move passwd to / to help recover broke systems #64441
-		# We cannot simply remove this or else net-misc/scponly
-		# and other tools will break because of hardcoded passwd
-		# location
-		dodir /bin
-		mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
-		dosym ../../bin/passwd /usr/bin/passwd
-	fi
-
-	cd "${S}" || die
-	insinto /etc
 	insopts -m0644
 	newins etc/login.defs login.defs
 
@@ -189,7 +202,7 @@ src_install() {
 			-e 'b exit' \
 			-e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
 			-e ': exit' \
-			"${ED}"/etc/login.defs || die
+			"${ED}"/usr/share/shadow/login.defs || die
 
 		# remove manpages that pam will install for us
 		# and/or don't apply when using pam
@@ -220,22 +233,3 @@ pkg_preinst() {
 	rm -f "${EROOT}"/etc/pam.d/system-auth.new \
 		"${EROOT}/etc/login.defs.new"
 }
-
-pkg_postinst() {
-	# Enable shadow groups.
-	if [ ! -f "${EROOT}"/etc/gshadow ] ; then
-		if grpck -r -R "${EROOT}" 2>/dev/null ; then
-			grpconv -R "${EROOT}"
-		else
-			ewarn "Running 'grpck' returned errors.  Please run it by hand, and then"
-			ewarn "run 'grpconv' afterwards!"
-		fi
-	fi
-
-	[[ ! -f "${EROOT}"/etc/subgid ]] &&
-		touch "${EROOT}"/etc/subgid
-	[[ ! -f "${EROOT}"/etc/subuid ]] &&
-		touch "${EROOT}"/etc/subuid
-
-	einfo "The 'adduser' symlink to 'useradd' has been dropped."
-}

From 0949fb6ee33d26fb705fb1bdc5a3a5303cc7a5f3 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 20:11:34 +0100
Subject: [PATCH 23/37] sys-apps/systemd: Port to tmpfiles eclass

---
 .../coreos-overlay/sys-apps/systemd/systemd-9999.ebuild  | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
index 7a4d195ca7..d89acb289e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild
@@ -21,7 +21,8 @@ else
 fi
 
 # Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript
-inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev user
+TMPFILES_OPTIONAL=1
+inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev user tmpfiles
 
 DESCRIPTION="System and service manager for Linux"
 HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
@@ -409,7 +410,7 @@ multilib_src_install_all() {
 	# directories.
 	#
 	# Flatcar: TODO: Consider using that instead of
-	# systemd_dotmpfilesd "${FILESDIR}"/systemd-flatcar.conf below.
+	# dotmpfiles "${FILESDIR}"/systemd-flatcar.conf below.
 
 	if use hwdb; then
 		rm -r "${ED}${rootprefix}"/lib/udev/hwdb.d || die
@@ -436,11 +437,11 @@ multilib_src_install_all() {
 	#
 	# Flatcar: TODO: Upstream probably fixed it in different way -
 	# it's using some keepdir commands.
-	systemd_dotmpfilesd "${FILESDIR}"/systemd-flatcar.conf
+	dotmpfiles "${FILESDIR}"/systemd-flatcar.conf
 	# Flatcar: Add tmpfiles rule for resolv.conf. This path has
 	# changed after v213 so it must be handled here instead of
 	# baselayout now.
-	systemd_dotmpfilesd "${FILESDIR}"/systemd-resolv.conf
+	dotmpfiles "${FILESDIR}"/systemd-resolv.conf
 
 	# Flatcar: Don't default to graphical.target.
 	local unitdir=$(builddir_systemd_get_systemunitdir)

From f09c1fe20e47f1758844a0c406ab3077d817c745 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:28:37 +0100
Subject: [PATCH 24/37] sys-auth/polkit: Clean slate to reapply our changes

---
 ...WIP_Add_duktape_as_javascript_engine.patch | 1596 -----------------
 .../sys-auth/polkit/files/polkit.conf         |    3 -
 .../sys-auth/polkit/polkit-0.119-r2.ebuild    |   21 +-
 3 files changed, 6 insertions(+), 1614 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch
deleted file mode 100644
index 2dba8094ab..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch
+++ /dev/null
@@ -1,1596 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index 4ac2219770513e41b10605a48bc445144bfc8c06..d51cfbd922e289d30e0fdc0c3df745d0c9bd947f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -80,11 +80,22 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
- AC_SUBST(GLIB_CFLAGS)
- AC_SUBST(GLIB_LIBS)
- 
--PKG_CHECK_MODULES(LIBJS, [mozjs-78])
--
--AC_SUBST(LIBJS_CFLAGS)
--AC_SUBST(LIBJS_CXXFLAGS)
--AC_SUBST(LIBJS_LIBS)
-+dnl ---------------------------------------------------------------------------
-+dnl - Check javascript backend
-+dnl ---------------------------------------------------------------------------
-+AC_ARG_WITH(duktape, AS_HELP_STRING([--with-duktape],[Use Duktape as javascript backend]),with_duktape=yes,with_duktape=no)
-+AS_IF([test x${with_duktape} == xyes], [
-+  PKG_CHECK_MODULES(LIBJS, [duktape >= 2.0.0 ])
-+  AC_SUBST(LIBJS_CFLAGS)
-+  AC_SUBST(LIBJS_LIBS)
-+], [
-+  PKG_CHECK_MODULES(LIBJS, [mozjs-78])
-+
-+  AC_SUBST(LIBJS_CFLAGS)
-+  AC_SUBST(LIBJS_CXXFLAGS)
-+  AC_SUBST(LIBJS_LIBS)
-+])
-+AM_CONDITIONAL(USE_DUKTAPE, [test x$with_duktape == xyes], [Using duktape as javascript engine library])
- 
- EXPAT_LIB=""
- AC_ARG_WITH(expat, [  --with-expat=<dir>      Use expat from here],
-@@ -581,6 +592,13 @@ echo "
-         PAM support:                ${have_pam}
-         systemdsystemunitdir:       ${systemdsystemunitdir}
-         polkitd user:               ${POLKITD_USER}"
-+if test "x${with_duktape}" = xyes; then
-+echo "
-+        Javascript engine:          Duktape"
-+else
-+echo "
-+        Javascript engine:          Mozjs"
-+fi
- 
- if test "$have_pam" = yes ; then
- echo "
-diff --git a/meson.build b/meson.build
-index 6997e7f7c6812cc58ac8b74246e557e9c0b03085..75513c2caf3a6fae7744675f9b4bcecd94d59d42 100644
---- a/meson.build
-+++ b/meson.build
-@@ -126,7 +126,13 @@ expat_dep = dependency('expat')
- assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
- assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
- 
--mozjs_dep = dependency('mozjs-78')
-+js_engine = get_option('js_engine')
-+if js_engine == 'duktape'
-+  js_dep = dependency('duktape')
-+  libm_dep = cc.find_library('m')
-+elif js_engine == 'mozjs'
-+  js_dep = dependency('mozjs-78')
-+endif
- 
- dbus_dep = dependency('dbus-1')
- dbus_sysconfdir = dbus_dep.get_pkgconfig_variable('sysconfdir', define_variable: ['sysconfdir', pk_prefix / pk_sysconfdir])
-@@ -350,6 +356,9 @@ if enable_logind
-   output += '        systemdsystemunitdir:     ' + systemd_systemdsystemunitdir + '\n'
- endif
- output += '        polkitd user:             ' + polkitd_user + ' \n'
-+output += '        Javascript engine:        ' + js_engine + '\n'
-+if enable_logind
-+endif
- output += '        PAM support:              ' + enable_pam.to_string() + '\n\n'
- if enable_pam
-   output += '        PAM file auth:            ' + pam_conf['PAM_FILE_INCLUDE_AUTH'] + '\n'
-diff --git a/meson_options.txt b/meson_options.txt
-index 25e3e7793ae1671fc65e172386b9392abf4e9352..76aa311c99620129b3594b0d95d675df91dc483b 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -16,3 +16,4 @@ option('introspection', type: 'boolean', value: true, description: 'Enable intro
- 
- option('gtk_doc', type: 'boolean', value: false, description: 'use gtk-doc to build documentation')
- option('man', type: 'boolean', value: false, description: 'build manual pages')
-+option('js_engine', type: 'combo', choices: ['mozjs', 'duktape'], value: 'duktape', description: 'javascript engine')
-diff --git a/src/polkitbackend/Makefile.am b/src/polkitbackend/Makefile.am
-index 7e3c0809984987d8e77ff6c7717248f132e990f3..abcbc6ff7457965bbedce95a702921bbcd626428 100644
---- a/src/polkitbackend/Makefile.am
-+++ b/src/polkitbackend/Makefile.am
-@@ -33,7 +33,7 @@ libpolkit_backend_1_la_SOURCES =                                   			\
- 	polkitbackendprivate.h								\
- 	polkitbackendauthority.h		polkitbackendauthority.c		\
- 	polkitbackendinteractiveauthority.h	polkitbackendinteractiveauthority.c	\
--	polkitbackendjsauthority.h		polkitbackendjsauthority.cpp		\
-+	polkitbackendjsauthority.h				\
- 	polkitbackendactionpool.h		polkitbackendactionpool.c		\
- 	polkitbackendactionlookup.h		polkitbackendactionlookup.c		\
-         $(NULL)
-@@ -51,19 +51,27 @@ libpolkit_backend_1_la_CFLAGS =                                        	\
-         -D_POLKIT_BACKEND_COMPILATION                                  	\
-         $(GLIB_CFLAGS)							\
- 	$(LIBSYSTEMD_CFLAGS)						\
--	$(LIBJS_CFLAGS)							\
-+	$(LIBJS_CFLAGS)						\
-         $(NULL)
- 
- libpolkit_backend_1_la_CXXFLAGS = $(libpolkit_backend_1_la_CFLAGS)
- 
- libpolkit_backend_1_la_LIBADD =                               		\
-         $(GLIB_LIBS)							\
-+        $(DUKTAPE_LIBS)							\
- 	$(LIBSYSTEMD_LIBS)						\
- 	$(top_builddir)/src/polkit/libpolkit-gobject-1.la		\
- 	$(EXPAT_LIBS)							\
--	$(LIBJS_LIBS)							\
-+	$(LIBJS_LIBS)                                                   \
-         $(NULL)
- 
-+if USE_DUKTAPE
-+libpolkit_backend_1_la_SOURCES += polkitbackendduktapeauthority.c
-+libpolkit_backend_1_la_LIBADD += -lm
-+else
-+libpolkit_backend_1_la_SOURCES += polkitbackendjsauthority.cpp
-+endif
-+
- rulesdir = $(sysconfdir)/polkit-1/rules.d
- rules_DATA = 50-default.rules
- 
-diff --git a/src/polkitbackend/meson.build b/src/polkitbackend/meson.build
-index 93c3c34574efbedb62cb8f3cc63f6acdfef5563f..d7d3b025679dee94f658e3562172f72de0bf9ddf 100644
---- a/src/polkitbackend/meson.build
-+++ b/src/polkitbackend/meson.build
-@@ -5,7 +5,6 @@ sources = files(
-   'polkitbackendactionpool.c',
-   'polkitbackendauthority.c',
-   'polkitbackendinteractiveauthority.c',
--  'polkitbackendjsauthority.cpp',
- )
- 
- output = 'initjs.h'
-@@ -21,7 +20,7 @@ sources += custom_target(
- deps = [
-   expat_dep,
-   libpolkit_gobject_dep,
--  mozjs_dep,
-+  js_dep,
- ]
- 
- c_flags = [
-@@ -31,6 +30,13 @@ c_flags = [
-   '-DPACKAGE_SYSCONF_DIR="@0@"'.format(pk_prefix / pk_sysconfdir),
- ]
- 
-+if js_engine == 'duktape'
-+  sources += files('polkitbackendduktapeauthority.c')
-+  deps += libm_dep
-+elif js_engine == 'mozjs'
-+  sources += files('polkitbackendjsauthority.cpp')
-+endif
-+
- if enable_logind
-   sources += files('polkitbackendsessionmonitor-systemd.c')
- 
-diff --git a/src/polkitbackend/polkitbackendduktapeauthority.c b/src/polkitbackend/polkitbackendduktapeauthority.c
-new file mode 100644
-index 0000000000000000000000000000000000000000..4b4f8fda7102223de1300e9ba9f2fa943708b653
---- /dev/null
-+++ b/src/polkitbackend/polkitbackendduktapeauthority.c
-@@ -0,0 +1,1428 @@
-+/*
-+ * Copyright (C) 2008-2012 Red Hat, Inc.
-+ * Copyright (C) 2015 Tangent Space <jstpierre@mecheye.net>
-+ * Copyright (C) 2019 Wu Xiaotian <yetist@gmail.com>
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General
-+ * Public License along with this library; if not, write to the
-+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
-+ * Boston, MA 02111-1307, USA.
-+ *
-+ * Author: David Zeuthen <davidz@redhat.com>
-+ */
-+
-+#include "config.h"
-+#include <sys/wait.h>
-+#include <errno.h>
-+#include <pwd.h>
-+#include <grp.h>
-+#ifdef HAVE_NETGROUP_H
-+#include <netgroup.h>
-+#else
-+#include <netdb.h>
-+#endif
-+#include <string.h>
-+#include <glib/gstdio.h>
-+#include <locale.h>
-+#include <glib/gi18n-lib.h>
-+
-+#include <polkit/polkit.h>
-+#include "polkitbackendjsauthority.h"
-+
-+#include <polkit/polkitprivate.h>
-+
-+#ifdef HAVE_LIBSYSTEMD
-+#include <systemd/sd-login.h>
-+#endif /* HAVE_LIBSYSTEMD */
-+
-+#include "initjs.h" /* init.js */
-+#include "duktape.h"
-+
-+/**
-+ * SECTION:polkitbackendjsauthority
-+ * @title: PolkitBackendJsAuthority
-+ * @short_description: JS Authority
-+ * @stability: Unstable
-+ *
-+ * An implementation of #PolkitBackendAuthority that reads and
-+ * evalates Javascript files and supports interaction with
-+ * authentication agents (virtue of being based on
-+ * #PolkitBackendInteractiveAuthority).
-+ */
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+struct _PolkitBackendJsAuthorityPrivate
-+{
-+  gchar **rules_dirs;
-+  GFileMonitor **dir_monitors; /* NULL-terminated array of GFileMonitor instances */
-+  duk_context *cx;
-+};
-+
-+
-+static void utils_spawn (const gchar *const  *argv,
-+                         guint                timeout_seconds,
-+                         GCancellable        *cancellable,
-+                         GAsyncReadyCallback  callback,
-+                         gpointer             user_data);
-+
-+gboolean utils_spawn_finish (GAsyncResult   *res,
-+                             gint           *out_exit_status,
-+                             gchar         **out_standard_output,
-+                             gchar         **out_standard_error,
-+                             GError        **error);
-+
-+static void on_dir_monitor_changed (GFileMonitor     *monitor,
-+                                    GFile            *file,
-+                                    GFile            *other_file,
-+                                    GFileMonitorEvent event_type,
-+                                    gpointer          user_data);
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+enum
-+{
-+  PROP_0,
-+  PROP_RULES_DIRS,
-+};
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static GList *polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveAuthority *authority,
-+                                                                     PolkitSubject                     *caller,
-+                                                                     PolkitSubject                     *subject,
-+                                                                     PolkitIdentity                    *user_for_subject,
-+                                                                     gboolean                           subject_is_local,
-+                                                                     gboolean                           subject_is_active,
-+                                                                     const gchar                       *action_id,
-+                                                                     PolkitDetails                     *details);
-+
-+static PolkitImplicitAuthorization polkit_backend_js_authority_check_authorization_sync (
-+                                                          PolkitBackendInteractiveAuthority *authority,
-+                                                          PolkitSubject                     *caller,
-+                                                          PolkitSubject                     *subject,
-+                                                          PolkitIdentity                    *user_for_subject,
-+                                                          gboolean                           subject_is_local,
-+                                                          gboolean                           subject_is_active,
-+                                                          const gchar                       *action_id,
-+                                                          PolkitDetails                     *details,
-+                                                          PolkitImplicitAuthorization        implicit);
-+
-+G_DEFINE_TYPE (PolkitBackendJsAuthority, polkit_backend_js_authority, POLKIT_BACKEND_TYPE_INTERACTIVE_AUTHORITY);
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static duk_ret_t js_polkit_log (duk_context *cx);
-+static duk_ret_t js_polkit_spawn (duk_context *cx);
-+static duk_ret_t js_polkit_user_is_in_netgroup (duk_context *cx);
-+
-+static const duk_function_list_entry js_polkit_functions[] =
-+{
-+  { "log", js_polkit_log, 1 },
-+  { "spawn", js_polkit_spawn, 1 },
-+  { "_userIsInNetGroup", js_polkit_user_is_in_netgroup, 2 },
-+  { NULL, NULL, 0 },
-+};
-+
-+static void
-+polkit_backend_js_authority_init (PolkitBackendJsAuthority *authority)
-+{
-+  authority->priv = G_TYPE_INSTANCE_GET_PRIVATE (authority,
-+                                                 POLKIT_BACKEND_TYPE_JS_AUTHORITY,
-+                                                 PolkitBackendJsAuthorityPrivate);
-+}
-+
-+static gint
-+rules_file_name_cmp (const gchar *a,
-+                     const gchar *b)
-+{
-+  gint ret;
-+  const gchar *a_base;
-+  const gchar *b_base;
-+
-+  a_base = strrchr (a, '/');
-+  b_base = strrchr (b, '/');
-+
-+  g_assert (a_base != NULL);
-+  g_assert (b_base != NULL);
-+  a_base += 1;
-+  b_base += 1;
-+
-+  ret = g_strcmp0 (a_base, b_base);
-+  if (ret == 0)
-+    {
-+      /* /etc wins over /usr */
-+      ret = g_strcmp0 (a, b);
-+      g_assert (ret != 0);
-+    }
-+
-+  return ret;
-+}
-+
-+static void
-+load_scripts (PolkitBackendJsAuthority  *authority)
-+{
-+  duk_context *cx = authority->priv->cx;
-+  GList *files = NULL;
-+  GList *l;
-+  guint num_scripts = 0;
-+  GError *error = NULL;
-+  guint n;
-+
-+  files = NULL;
-+
-+  for (n = 0; authority->priv->rules_dirs != NULL && authority->priv->rules_dirs[n] != NULL; n++)
-+    {
-+      const gchar *dir_name = authority->priv->rules_dirs[n];
-+      GDir *dir = NULL;
-+
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Loading rules from directory %s",
-+                                    dir_name);
-+
-+      dir = g_dir_open (dir_name,
-+                        0,
-+                        &error);
-+      if (dir == NULL)
-+        {
-+          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                        "Error opening rules directory: %s (%s, %d)",
-+                                        error->message, g_quark_to_string (error->domain), error->code);
-+          g_clear_error (&error);
-+        }
-+      else
-+        {
-+          const gchar *name;
-+          while ((name = g_dir_read_name (dir)) != NULL)
-+            {
-+              if (g_str_has_suffix (name, ".rules"))
-+                files = g_list_prepend (files, g_strdup_printf ("%s/%s", dir_name, name));
-+            }
-+          g_dir_close (dir);
-+        }
-+    }
-+
-+  files = g_list_sort (files, (GCompareFunc) rules_file_name_cmp);
-+
-+  for (l = files; l != NULL; l = l->next)
-+    {
-+      const gchar *filename = (gchar *)l->data;
-+#if (DUK_VERSION >= 20000)
-+      GFile *file = g_file_new_for_path (filename);
-+      char *contents;
-+      gsize len;
-+      if (!g_file_load_contents (file, NULL, &contents, &len, NULL, NULL))
-+        {
-+          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                        "Error compiling script %s",
-+                                        filename);
-+          g_object_unref (file);
-+          continue;
-+        }
-+
-+      g_object_unref (file);
-+      if (duk_peval_lstring_noresult(cx, contents,len) != 0)
-+#else
-+      if (duk_peval_file_noresult (cx, filename) != 0)
-+#endif
-+        {
-+          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                        "Error compiling script %s: %s",
-+                                        filename, duk_safe_to_string (authority->priv->cx, -1));
-+#if (DUK_VERSION >= 20000)
-+          g_free (contents);
-+#endif
-+          continue;
-+        }
-+#if (DUK_VERSION >= 20000)
-+      g_free (contents);
-+#endif
-+      num_scripts++;
-+    }
-+
-+  polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                "Finished loading, compiling and executing %d rules",
-+                                num_scripts);
-+  g_list_free_full (files, g_free);
-+}
-+
-+static void
-+reload_scripts (PolkitBackendJsAuthority *authority)
-+{
-+  duk_context *cx = authority->priv->cx;
-+
-+  duk_set_top (cx, 0);
-+  if (!duk_get_global_string (cx, "polkit")) {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Error deleting old rules, not loading new ones");
-+      return;
-+  }
-+  duk_push_string (cx, "_deleteRules");
-+
-+  duk_call_prop (cx, 0, 0);
-+
-+  polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                "Collecting garbage unconditionally...");
-+
-+  load_scripts (authority);
-+
-+  /* Let applications know we have new rules... */
-+  g_signal_emit_by_name (authority, "changed");
-+}
-+
-+static void
-+on_dir_monitor_changed (GFileMonitor     *monitor,
-+                        GFile            *file,
-+                        GFile            *other_file,
-+                        GFileMonitorEvent event_type,
-+                        gpointer          user_data)
-+{
-+  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (user_data);
-+
-+  /* TODO: maybe rate-limit so storms of events are collapsed into one with a 500ms resolution?
-+   *       Because when editing a file with emacs we get 4-8 events..
-+   */
-+
-+  if (file != NULL)
-+    {
-+      gchar *name;
-+
-+      name = g_file_get_basename (file);
-+
-+      /* g_print ("event_type=%d file=%p name=%s\n", event_type, file, name); */
-+      if (!g_str_has_prefix (name, ".") &&
-+          !g_str_has_prefix (name, "#") &&
-+          g_str_has_suffix (name, ".rules") &&
-+          (event_type == G_FILE_MONITOR_EVENT_CREATED ||
-+           event_type == G_FILE_MONITOR_EVENT_DELETED ||
-+           event_type == G_FILE_MONITOR_EVENT_CHANGES_DONE_HINT))
-+        {
-+          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                        "Reloading rules");
-+          reload_scripts (authority);
-+        }
-+      g_free (name);
-+    }
-+}
-+
-+
-+static void
-+setup_file_monitors (PolkitBackendJsAuthority *authority)
-+{
-+  guint n;
-+  GPtrArray *p;
-+
-+  p = g_ptr_array_new ();
-+  for (n = 0; authority->priv->rules_dirs != NULL && authority->priv->rules_dirs[n] != NULL; n++)
-+    {
-+      GFile *file;
-+      GError *error;
-+      GFileMonitor *monitor;
-+
-+      file = g_file_new_for_path (authority->priv->rules_dirs[n]);
-+      error = NULL;
-+      monitor = g_file_monitor_directory (file,
-+                                          G_FILE_MONITOR_NONE,
-+                                          NULL,
-+                                          &error);
-+      g_object_unref (file);
-+      if (monitor == NULL)
-+        {
-+          g_warning ("Error monitoring directory %s: %s",
-+                     authority->priv->rules_dirs[n],
-+                     error->message);
-+          g_clear_error (&error);
-+        }
-+      else
-+        {
-+          g_signal_connect (monitor,
-+                            "changed",
-+                            G_CALLBACK (on_dir_monitor_changed),
-+                            authority);
-+          g_ptr_array_add (p, monitor);
-+        }
-+    }
-+  g_ptr_array_add (p, NULL);
-+  authority->priv->dir_monitors = (GFileMonitor**) g_ptr_array_free (p, FALSE);
-+}
-+
-+static void
-+polkit_backend_js_authority_constructed (GObject *object)
-+{
-+  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (object);
-+  duk_context *cx;
-+
-+  cx = duk_create_heap (NULL, NULL, NULL, authority, NULL);
-+  if (cx == NULL)
-+    goto fail;
-+
-+  authority->priv->cx = cx;
-+
-+  duk_push_global_object (cx);
-+  duk_push_object (cx);
-+  duk_put_function_list (cx, -1, js_polkit_functions);
-+  duk_put_prop_string (cx, -2, "polkit");
-+
-+  duk_eval_string (cx, init_js);
-+
-+  if (authority->priv->rules_dirs == NULL)
-+    {
-+      authority->priv->rules_dirs = g_new0 (gchar *, 3);
-+      authority->priv->rules_dirs[0] = g_strdup (PACKAGE_SYSCONF_DIR "/polkit-1/rules.d");
-+      authority->priv->rules_dirs[1] = g_strdup (PACKAGE_DATA_DIR "/polkit-1/rules.d");
-+    }
-+
-+  setup_file_monitors (authority);
-+  load_scripts (authority);
-+
-+  G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->constructed (object);
-+  return;
-+
-+ fail:
-+  g_critical ("Error initializing JavaScript environment");
-+  g_assert_not_reached ();
-+}
-+
-+static void
-+polkit_backend_js_authority_finalize (GObject *object)
-+{
-+  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (object);
-+  guint n;
-+
-+  for (n = 0; authority->priv->dir_monitors != NULL && authority->priv->dir_monitors[n] != NULL; n++)
-+    {
-+      GFileMonitor *monitor = authority->priv->dir_monitors[n];
-+      g_signal_handlers_disconnect_by_func (monitor,
-+                                            G_CALLBACK (on_dir_monitor_changed),
-+                                            authority);
-+      g_object_unref (monitor);
-+    }
-+  g_free (authority->priv->dir_monitors);
-+  g_strfreev (authority->priv->rules_dirs);
-+
-+  duk_destroy_heap (authority->priv->cx);
-+
-+  G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
-+}
-+
-+static void
-+polkit_backend_js_authority_set_property (GObject      *object,
-+                                          guint         property_id,
-+                                          const GValue *value,
-+                                          GParamSpec   *pspec)
-+{
-+  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (object);
-+
-+  switch (property_id)
-+    {
-+      case PROP_RULES_DIRS:
-+        g_assert (authority->priv->rules_dirs == NULL);
-+        authority->priv->rules_dirs = (gchar **) g_value_dup_boxed (value);
-+        break;
-+
-+      default:
-+        G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
-+        break;
-+    }
-+}
-+
-+static const gchar *
-+polkit_backend_js_authority_get_name (PolkitBackendAuthority *authority)
-+{
-+  return "js";
-+}
-+
-+static const gchar *
-+polkit_backend_js_authority_get_version (PolkitBackendAuthority *authority)
-+{
-+  return PACKAGE_VERSION;
-+}
-+
-+static PolkitAuthorityFeatures
-+polkit_backend_js_authority_get_features (PolkitBackendAuthority *authority)
-+{
-+  return POLKIT_AUTHORITY_FEATURES_TEMPORARY_AUTHORIZATION;
-+}
-+
-+static void
-+polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
-+{
-+  GObjectClass *gobject_class;
-+  PolkitBackendAuthorityClass *authority_class;
-+  PolkitBackendInteractiveAuthorityClass *interactive_authority_class;
-+
-+
-+  gobject_class = G_OBJECT_CLASS (klass);
-+  gobject_class->finalize                               = polkit_backend_js_authority_finalize;
-+  gobject_class->set_property                           = polkit_backend_js_authority_set_property;
-+  gobject_class->constructed                            = polkit_backend_js_authority_constructed;
-+
-+  authority_class = POLKIT_BACKEND_AUTHORITY_CLASS (klass);
-+  authority_class->get_name                             = polkit_backend_js_authority_get_name;
-+  authority_class->get_version                          = polkit_backend_js_authority_get_version;
-+  authority_class->get_features                         = polkit_backend_js_authority_get_features;
-+
-+  interactive_authority_class = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_CLASS (klass);
-+  interactive_authority_class->get_admin_identities     = polkit_backend_js_authority_get_admin_auth_identities;
-+  interactive_authority_class->check_authorization_sync = polkit_backend_js_authority_check_authorization_sync;
-+
-+  g_object_class_install_property (gobject_class,
-+                                   PROP_RULES_DIRS,
-+                                   g_param_spec_boxed ("rules-dirs",
-+                                                       NULL,
-+                                                       NULL,
-+                                                       G_TYPE_STRV,
-+                                                       G_PARAM_CONSTRUCT_ONLY | G_PARAM_WRITABLE));
-+
-+
-+  g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static void
-+set_property_str (duk_context *cx,
-+                  const gchar *name,
-+                  const gchar *value)
-+{
-+  duk_push_string (cx, value);
-+  duk_put_prop_string (cx, -2, name);
-+}
-+
-+static void
-+set_property_strv (duk_context *cx,
-+                   const gchar *name,
-+                   GPtrArray   *value)
-+{
-+  guint n;
-+  duk_push_array (cx);
-+  for (n = 0; n < value->len; n++)
-+    {
-+      duk_push_string (cx, g_ptr_array_index (value, n));
-+      duk_put_prop_index (cx, -2, n);
-+    }
-+  duk_put_prop_string (cx, -2, name);
-+}
-+
-+static void
-+set_property_int32 (duk_context *cx,
-+                    const gchar *name,
-+                    gint32       value)
-+{
-+  duk_push_int (cx, value);
-+  duk_put_prop_string (cx, -2, name);
-+}
-+
-+static void
-+set_property_bool (duk_context *cx,
-+                   const char  *name,
-+                   gboolean     value)
-+{
-+  duk_push_boolean (cx, value);
-+  duk_put_prop_string (cx, -2, name);
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static gboolean
-+push_subject (duk_context               *cx,
-+              PolkitSubject             *subject,
-+              PolkitIdentity            *user_for_subject,
-+              gboolean                   subject_is_local,
-+              gboolean                   subject_is_active,
-+              GError                   **error)
-+{
-+  gboolean ret = FALSE;
-+  pid_t pid;
-+  uid_t uid;
-+  gchar *user_name = NULL;
-+  GPtrArray *groups = NULL;
-+  struct passwd *passwd;
-+  char *seat_str = NULL;
-+  char *session_str = NULL;
-+
-+  if (!duk_get_global_string (cx, "Subject")) {
-+    return FALSE;
-+  }
-+
-+  duk_new (cx, 0);
-+
-+  if (POLKIT_IS_UNIX_PROCESS (subject))
-+    {
-+      pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject));
-+    }
-+  else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
-+    {
-+      PolkitSubject *process;
-+      process = polkit_system_bus_name_get_process_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
-+      if (process == NULL)
-+        goto out;
-+      pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (process));
-+      g_object_unref (process);
-+    }
-+  else
-+    {
-+      g_assert_not_reached ();
-+    }
-+
-+#ifdef HAVE_LIBSYSTEMD
-+  if (sd_pid_get_session (pid, &session_str) == 0)
-+    {
-+      if (sd_session_get_seat (session_str, &seat_str) == 0)
-+        {
-+          /* do nothing */
-+        }
-+    }
-+#endif /* HAVE_LIBSYSTEMD */
-+
-+  g_assert (POLKIT_IS_UNIX_USER (user_for_subject));
-+  uid = polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_for_subject));
-+
-+  groups = g_ptr_array_new_with_free_func (g_free);
-+
-+  passwd = getpwuid (uid);
-+  if (passwd == NULL)
-+    {
-+      user_name = g_strdup_printf ("%d", (gint) uid);
-+      g_warning ("Error looking up info for uid %d: %m", (gint) uid);
-+    }
-+  else
-+    {
-+      gid_t gids[512];
-+      int num_gids = 512;
-+
-+      user_name = g_strdup (passwd->pw_name);
-+
-+      if (getgrouplist (passwd->pw_name,
-+                        passwd->pw_gid,
-+                        gids,
-+                        &num_gids) < 0)
-+        {
-+          g_warning ("Error looking up groups for uid %d: %m", (gint) uid);
-+        }
-+      else
-+        {
-+          gint n;
-+          for (n = 0; n < num_gids; n++)
-+            {
-+              struct group *group;
-+              group = getgrgid (gids[n]);
-+              if (group == NULL)
-+                {
-+                  g_ptr_array_add (groups, g_strdup_printf ("%d", (gint) gids[n]));
-+                }
-+              else
-+                {
-+                  g_ptr_array_add (groups, g_strdup (group->gr_name));
-+                }
-+            }
-+        }
-+    }
-+
-+  set_property_int32 (cx, "pid", pid);
-+  set_property_str (cx, "user", user_name);
-+  set_property_strv (cx, "groups", groups);
-+  set_property_str (cx, "seat", seat_str);
-+  set_property_str (cx, "session", session_str);
-+  set_property_bool (cx, "local", subject_is_local);
-+  set_property_bool (cx, "active", subject_is_active);
-+
-+  ret = TRUE;
-+
-+ out:
-+  free (session_str);
-+  free (seat_str);
-+  g_free (user_name);
-+  if (groups != NULL)
-+    g_ptr_array_unref (groups);
-+
-+  return ret;
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static gboolean
-+push_action_and_details (duk_context               *cx,
-+                         const gchar               *action_id,
-+                         PolkitDetails             *details,
-+                         GError                   **error)
-+{
-+  gchar **keys;
-+  guint n;
-+
-+  if (!duk_get_global_string (cx, "Action")) {
-+    return FALSE;
-+  }
-+
-+  duk_new (cx, 0);
-+
-+  set_property_str (cx, "id", action_id);
-+
-+  keys = polkit_details_get_keys (details);
-+  for (n = 0; keys != NULL && keys[n] != NULL; n++)
-+    {
-+      gchar *key;
-+      const gchar *value;
-+      key = g_strdup_printf ("_detail_%s", keys[n]);
-+      value = polkit_details_lookup (details, keys[n]);
-+      set_property_str (cx, key, value);
-+      g_free (key);
-+    }
-+  g_strfreev (keys);
-+
-+  return TRUE;
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static GList *
-+polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveAuthority *_authority,
-+                                                       PolkitSubject                     *caller,
-+                                                       PolkitSubject                     *subject,
-+                                                       PolkitIdentity                    *user_for_subject,
-+                                                       gboolean                           subject_is_local,
-+                                                       gboolean                           subject_is_active,
-+                                                       const gchar                       *action_id,
-+                                                       PolkitDetails                     *details)
-+{
-+  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
-+  GList *ret = NULL;
-+  guint n;
-+  GError *error = NULL;
-+  const char *ret_str = NULL;
-+  gchar **ret_strs = NULL;
-+  duk_context *cx = authority->priv->cx;
-+
-+  duk_set_top (cx, 0);
-+  if (!duk_get_global_string (cx, "polkit")) {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Error deleting old rules, not loading new ones");
-+      goto out;
-+  }
-+
-+  duk_push_string (cx, "_runAdminRules");
-+
-+  if (!push_action_and_details (cx, action_id, details, &error))
-+    {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Error converting action and details to JS object: %s",
-+                                    error->message);
-+      g_clear_error (&error);
-+      goto out;
-+    }
-+
-+  if (!push_subject (cx, subject, user_for_subject, subject_is_local, subject_is_active, &error))
-+    {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Error converting subject to JS object: %s",
-+                                    error->message);
-+      g_clear_error (&error);
-+      goto out;
-+    }
-+
-+  if (duk_pcall_prop (cx, 0, 2) != DUK_ERR_NONE)
-+    {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Error evaluating admin rules: ",
-+                                    duk_safe_to_string (cx, -1));
-+      goto out;
-+    }
-+
-+  ret_str = duk_require_string (cx, -1);
-+
-+  ret_strs = g_strsplit (ret_str, ",", -1);
-+  for (n = 0; ret_strs != NULL && ret_strs[n] != NULL; n++)
-+    {
-+      const gchar *identity_str = ret_strs[n];
-+      PolkitIdentity *identity;
-+
-+      error = NULL;
-+      identity = polkit_identity_from_string (identity_str, &error);
-+      if (identity == NULL)
-+        {
-+          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                        "Identity `%s' is not valid, ignoring: %s",
-+                                        identity_str, error->message);
-+          g_clear_error (&error);
-+        }
-+      else
-+        {
-+          ret = g_list_prepend (ret, identity);
-+        }
-+    }
-+  ret = g_list_reverse (ret);
-+
-+ out:
-+  g_strfreev (ret_strs);
-+  /* fallback to root password auth */
-+  if (ret == NULL)
-+    ret = g_list_prepend (ret, polkit_unix_user_new (0));
-+
-+  return ret;
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static PolkitImplicitAuthorization
-+polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAuthority *_authority,
-+                                                      PolkitSubject                     *caller,
-+                                                      PolkitSubject                     *subject,
-+                                                      PolkitIdentity                    *user_for_subject,
-+                                                      gboolean                           subject_is_local,
-+                                                      gboolean                           subject_is_active,
-+                                                      const gchar                       *action_id,
-+                                                      PolkitDetails                     *details,
-+                                                      PolkitImplicitAuthorization        implicit)
-+{
-+  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
-+  PolkitImplicitAuthorization ret = implicit;
-+  GError *error = NULL;
-+  gchar *ret_str = NULL;
-+  gboolean good = FALSE;
-+  duk_context *cx = authority->priv->cx;
-+
-+  duk_set_top (cx, 0);
-+  if (!duk_get_global_string (cx, "polkit")) {
-+      goto out;
-+  }
-+
-+  duk_push_string (cx, "_runRules");
-+
-+  if (!push_action_and_details (cx, action_id, details, &error))
-+    {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Error converting action and details to JS object: %s",
-+                                    error->message);
-+      g_clear_error (&error);
-+      goto out;
-+    }
-+
-+  if (!push_subject (cx, subject, user_for_subject, subject_is_local, subject_is_active, &error))
-+    {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Error converting subject to JS object: %s",
-+                                    error->message);
-+      g_clear_error (&error);
-+      goto out;
-+    }
-+
-+  if (duk_pcall_prop (cx, 0, 2) != DUK_ERR_NONE)
-+  {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Error evaluating authorization rules: ",
-+                                    duk_safe_to_string (cx, -1));
-+      goto out;
-+  }
-+
-+  if (duk_is_null(cx, -1)) {
-+    good = TRUE;
-+    goto out;
-+  }
-+  ret_str = g_strdup (duk_require_string (cx, -1));
-+  if (!polkit_implicit_authorization_from_string (ret_str, &ret))
-+    {
-+      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
-+                                    "Returned result `%s' is not valid",
-+                                    ret_str);
-+      goto out;
-+    }
-+
-+  good = TRUE;
-+
-+ out:
-+  if (!good)
-+    ret = POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED;
-+  if (ret_str != NULL)
-+      g_free (ret_str);
-+
-+  return ret;
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static duk_ret_t
-+js_polkit_log (duk_context *cx)
-+{
-+  const char *str = duk_require_string (cx, 0);
-+  fprintf (stderr, "%s\n", str);
-+  return 0;
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+static const gchar *
-+get_signal_name (gint signal_number)
-+{
-+  switch (signal_number)
-+    {
-+#define _HANDLE_SIG(sig) case sig: return #sig;
-+    _HANDLE_SIG (SIGHUP);
-+    _HANDLE_SIG (SIGINT);
-+    _HANDLE_SIG (SIGQUIT);
-+    _HANDLE_SIG (SIGILL);
-+    _HANDLE_SIG (SIGABRT);
-+    _HANDLE_SIG (SIGFPE);
-+    _HANDLE_SIG (SIGKILL);
-+    _HANDLE_SIG (SIGSEGV);
-+    _HANDLE_SIG (SIGPIPE);
-+    _HANDLE_SIG (SIGALRM);
-+    _HANDLE_SIG (SIGTERM);
-+    _HANDLE_SIG (SIGUSR1);
-+    _HANDLE_SIG (SIGUSR2);
-+    _HANDLE_SIG (SIGCHLD);
-+    _HANDLE_SIG (SIGCONT);
-+    _HANDLE_SIG (SIGSTOP);
-+    _HANDLE_SIG (SIGTSTP);
-+    _HANDLE_SIG (SIGTTIN);
-+    _HANDLE_SIG (SIGTTOU);
-+    _HANDLE_SIG (SIGBUS);
-+#ifdef SIGPOLL
-+    _HANDLE_SIG (SIGPOLL);
-+#endif
-+    _HANDLE_SIG (SIGPROF);
-+    _HANDLE_SIG (SIGSYS);
-+    _HANDLE_SIG (SIGTRAP);
-+    _HANDLE_SIG (SIGURG);
-+    _HANDLE_SIG (SIGVTALRM);
-+    _HANDLE_SIG (SIGXCPU);
-+    _HANDLE_SIG (SIGXFSZ);
-+#undef _HANDLE_SIG
-+    default:
-+      break;
-+    }
-+  return "UNKNOWN_SIGNAL";
-+}
-+
-+typedef struct
-+{
-+  GMainLoop *loop;
-+  GAsyncResult *res;
-+} SpawnData;
-+
-+static void
-+spawn_cb (GObject       *source_object,
-+          GAsyncResult  *res,
-+          gpointer       user_data)
-+{
-+  SpawnData *data = (SpawnData *)user_data;
-+  data->res = (GAsyncResult*)g_object_ref (res);
-+  g_main_loop_quit (data->loop);
-+}
-+
-+static duk_ret_t
-+js_polkit_spawn (duk_context *cx)
-+{
-+#if (DUK_VERSION >= 20000)
-+  duk_ret_t ret = DUK_RET_ERROR;
-+#else
-+  duk_ret_t ret = DUK_RET_INTERNAL_ERROR;
-+#endif
-+  gchar *standard_output = NULL;
-+  gchar *standard_error = NULL;
-+  gint exit_status;
-+  GError *error = NULL;
-+  guint32 array_len;
-+  gchar **argv = NULL;
-+  GMainContext *context = NULL;
-+  GMainLoop *loop = NULL;
-+  SpawnData data = {0};
-+  char *err_str = NULL;
-+  guint n;
-+
-+  if (!duk_is_array (cx, 0))
-+    goto out;
-+
-+  array_len = duk_get_length (cx, 0);
-+
-+  argv = g_new0 (gchar*, array_len + 1);
-+  for (n = 0; n < array_len; n++)
-+    {
-+      duk_get_prop_index (cx, 0, n);
-+      argv[n] = g_strdup (duk_to_string (cx, -1));
-+      duk_pop (cx);
-+    }
-+
-+  context = g_main_context_new ();
-+  loop = g_main_loop_new (context, FALSE);
-+
-+  g_main_context_push_thread_default (context);
-+
-+  data.loop = loop;
-+  utils_spawn ((const gchar *const *) argv,
-+               10, /* timeout_seconds */
-+               NULL, /* cancellable */
-+               spawn_cb,
-+               &data);
-+
-+  g_main_loop_run (loop);
-+
-+  g_main_context_pop_thread_default (context);
-+
-+  if (!utils_spawn_finish (data.res,
-+                           &exit_status,
-+                           &standard_output,
-+                           &standard_error,
-+                           &error))
-+    {
-+      err_str = g_strdup_printf ("Error spawning helper: %s (%s, %d)",
-+                                 error->message, g_quark_to_string (error->domain), error->code);
-+      g_clear_error (&error);
-+      goto out;
-+    }
-+
-+  if (!(WIFEXITED (exit_status) && WEXITSTATUS (exit_status) == 0))
-+    {
-+      GString *gstr;
-+      gstr = g_string_new (NULL);
-+      if (WIFEXITED (exit_status))
-+        {
-+          g_string_append_printf (gstr,
-+                                  "Helper exited with non-zero exit status %d",
-+                                  WEXITSTATUS (exit_status));
-+        }
-+      else if (WIFSIGNALED (exit_status))
-+        {
-+          g_string_append_printf (gstr,
-+                                  "Helper was signaled with signal %s (%d)",
-+                                  get_signal_name (WTERMSIG (exit_status)),
-+                                  WTERMSIG (exit_status));
-+        }
-+      g_string_append_printf (gstr, ", stdout=`%s', stderr=`%s'",
-+                              standard_output, standard_error);
-+      err_str = g_string_free (gstr, FALSE);
-+      goto out;
-+    }
-+
-+  duk_push_string (cx, standard_output);
-+  ret = 1;
-+
-+ out:
-+  g_strfreev (argv);
-+  g_free (standard_output);
-+  g_free (standard_error);
-+  g_clear_object (&data.res);
-+  if (loop != NULL)
-+    g_main_loop_unref (loop);
-+  if (context != NULL)
-+    g_main_context_unref (context);
-+
-+  if (err_str)
-+    duk_error (cx, DUK_ERR_ERROR, err_str);
-+
-+  return ret;
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+
-+static duk_ret_t
-+js_polkit_user_is_in_netgroup (duk_context *cx)
-+{
-+  const char *user;
-+  const char *netgroup;
-+  gboolean is_in_netgroup = FALSE;
-+
-+  user = duk_require_string (cx, 0);
-+  netgroup = duk_require_string (cx, 1);
-+
-+  if (innetgr (netgroup,
-+               NULL,  /* host */
-+               user,
-+               NULL)) /* domain */
-+    {
-+      is_in_netgroup = TRUE;
-+    }
-+
-+  duk_push_boolean (cx, is_in_netgroup);
-+  return 1;
-+}
-+
-+/* ---------------------------------------------------------------------------------------------------- */
-+
-+typedef struct
-+{
-+  GSimpleAsyncResult *simple; /* borrowed reference */
-+  GMainContext *main_context; /* may be NULL */
-+
-+  GCancellable *cancellable;  /* may be NULL */
-+  gulong cancellable_handler_id;
-+
-+  GPid child_pid;
-+  gint child_stdout_fd;
-+  gint child_stderr_fd;
-+
-+  GIOChannel *child_stdout_channel;
-+  GIOChannel *child_stderr_channel;
-+
-+  GSource *child_watch_source;
-+  GSource *child_stdout_source;
-+  GSource *child_stderr_source;
-+
-+  guint timeout_seconds;
-+  gboolean timed_out;
-+  GSource *timeout_source;
-+
-+  GString *child_stdout;
-+  GString *child_stderr;
-+
-+  gint exit_status;
-+} UtilsSpawnData;
-+
-+static void
-+utils_child_watch_from_release_cb (GPid     pid,
-+                                   gint     status,
-+                                   gpointer user_data)
-+{
-+}
-+
-+static void
-+utils_spawn_data_free (UtilsSpawnData *data)
-+{
-+  if (data->timeout_source != NULL)
-+    {
-+      g_source_destroy (data->timeout_source);
-+      data->timeout_source = NULL;
-+    }
-+
-+  /* Nuke the child, if necessary */
-+  if (data->child_watch_source != NULL)
-+    {
-+      g_source_destroy (data->child_watch_source);
-+      data->child_watch_source = NULL;
-+    }
-+
-+  if (data->child_pid != 0)
-+    {
-+      GSource *source;
-+      kill (data->child_pid, SIGTERM);
-+      /* OK, we need to reap for the child ourselves - we don't want
-+       * to use waitpid() because that might block the calling
-+       * thread (the child might handle SIGTERM and use several
-+       * seconds for cleanup/rollback).
-+       *
-+       * So we use GChildWatch instead.
-+       *
-+       * Avoid taking a references to ourselves. but note that we need
-+       * to pass the GSource so we can nuke it once handled.
-+       */
-+      source = g_child_watch_source_new (data->child_pid);
-+      g_source_set_callback (source,
-+                             (GSourceFunc) utils_child_watch_from_release_cb,
-+                             source,
-+                             (GDestroyNotify) g_source_destroy);
-+      g_source_attach (source, data->main_context);
-+      g_source_unref (source);
-+      data->child_pid = 0;
-+    }
-+
-+  if (data->child_stdout != NULL)
-+    {
-+      g_string_free (data->child_stdout, TRUE);
-+      data->child_stdout = NULL;
-+    }
-+
-+  if (data->child_stderr != NULL)
-+    {
-+      g_string_free (data->child_stderr, TRUE);
-+      data->child_stderr = NULL;
-+    }
-+
-+  if (data->child_stdout_channel != NULL)
-+    {
-+      g_io_channel_unref (data->child_stdout_channel);
-+      data->child_stdout_channel = NULL;
-+    }
-+  if (data->child_stderr_channel != NULL)
-+    {
-+      g_io_channel_unref (data->child_stderr_channel);
-+      data->child_stderr_channel = NULL;
-+    }
-+
-+  if (data->child_stdout_source != NULL)
-+    {
-+      g_source_destroy (data->child_stdout_source);
-+      data->child_stdout_source = NULL;
-+    }
-+  if (data->child_stderr_source != NULL)
-+    {
-+      g_source_destroy (data->child_stderr_source);
-+      data->child_stderr_source = NULL;
-+    }
-+
-+  if (data->child_stdout_fd != -1)
-+    {
-+      g_warn_if_fail (close (data->child_stdout_fd) == 0);
-+      data->child_stdout_fd = -1;
-+    }
-+  if (data->child_stderr_fd != -1)
-+    {
-+      g_warn_if_fail (close (data->child_stderr_fd) == 0);
-+      data->child_stderr_fd = -1;
-+    }
-+
-+  if (data->cancellable_handler_id > 0)
-+    {
-+      g_cancellable_disconnect (data->cancellable, data->cancellable_handler_id);
-+      data->cancellable_handler_id = 0;
-+    }
-+
-+  if (data->main_context != NULL)
-+    g_main_context_unref (data->main_context);
-+
-+  if (data->cancellable != NULL)
-+    g_object_unref (data->cancellable);
-+
-+  g_slice_free (UtilsSpawnData, data);
-+}
-+
-+/* called in the thread where @cancellable was cancelled */
-+static void
-+utils_on_cancelled (GCancellable *cancellable,
-+                    gpointer      user_data)
-+{
-+  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
-+  GError *error;
-+
-+  error = NULL;
-+  g_warn_if_fail (g_cancellable_set_error_if_cancelled (cancellable, &error));
-+  g_simple_async_result_take_error (data->simple, error);
-+  g_simple_async_result_complete_in_idle (data->simple);
-+  g_object_unref (data->simple);
-+}
-+
-+static gboolean
-+utils_read_child_stderr (GIOChannel *channel,
-+                         GIOCondition condition,
-+                         gpointer user_data)
-+{
-+  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
-+  gchar buf[1024];
-+  gsize bytes_read;
-+
-+  g_io_channel_read_chars (channel, buf, sizeof buf, &bytes_read, NULL);
-+  g_string_append_len (data->child_stderr, buf, bytes_read);
-+  return TRUE;
-+}
-+
-+static gboolean
-+utils_read_child_stdout (GIOChannel *channel,
-+                         GIOCondition condition,
-+                         gpointer user_data)
-+{
-+  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
-+  gchar buf[1024];
-+  gsize bytes_read;
-+
-+  g_io_channel_read_chars (channel, buf, sizeof buf, &bytes_read, NULL);
-+  g_string_append_len (data->child_stdout, buf, bytes_read);
-+  return TRUE;
-+}
-+
-+static void
-+utils_child_watch_cb (GPid     pid,
-+                      gint     status,
-+                      gpointer user_data)
-+{
-+  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
-+  gchar *buf;
-+  gsize buf_size;
-+
-+  if (g_io_channel_read_to_end (data->child_stdout_channel, &buf, &buf_size, NULL) == G_IO_STATUS_NORMAL)
-+    {
-+      g_string_append_len (data->child_stdout, buf, buf_size);
-+      g_free (buf);
-+    }
-+  if (g_io_channel_read_to_end (data->child_stderr_channel, &buf, &buf_size, NULL) == G_IO_STATUS_NORMAL)
-+    {
-+      g_string_append_len (data->child_stderr, buf, buf_size);
-+      g_free (buf);
-+    }
-+
-+  data->exit_status = status;
-+
-+  /* ok, child watch is history, make sure we don't free it in spawn_data_free() */
-+  data->child_pid = 0;
-+  data->child_watch_source = NULL;
-+
-+  /* we're done */
-+  g_simple_async_result_complete_in_idle (data->simple);
-+  g_object_unref (data->simple);
-+}
-+
-+static gboolean
-+utils_timeout_cb (gpointer user_data)
-+{
-+  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
-+
-+  data->timed_out = TRUE;
-+
-+  /* ok, timeout is history, make sure we don't free it in spawn_data_free() */
-+  data->timeout_source = NULL;
-+
-+  /* we're done */
-+  g_simple_async_result_complete_in_idle (data->simple);
-+  g_object_unref (data->simple);
-+
-+  return FALSE; /* remove source */
-+}
-+
-+static void
-+utils_spawn (const gchar *const  *argv,
-+             guint                timeout_seconds,
-+             GCancellable        *cancellable,
-+             GAsyncReadyCallback  callback,
-+             gpointer             user_data)
-+{
-+  UtilsSpawnData *data;
-+  GError *error;
-+
-+  data = g_slice_new0 (UtilsSpawnData);
-+  data->timeout_seconds = timeout_seconds;
-+  data->simple = g_simple_async_result_new (NULL,
-+                                            callback,
-+                                            user_data,
-+                                            (gpointer*)utils_spawn);
-+  data->main_context = g_main_context_get_thread_default ();
-+  if (data->main_context != NULL)
-+    g_main_context_ref (data->main_context);
-+
-+  data->cancellable = cancellable != NULL ? (GCancellable*)g_object_ref (cancellable) : NULL;
-+
-+  data->child_stdout = g_string_new (NULL);
-+  data->child_stderr = g_string_new (NULL);
-+  data->child_stdout_fd = -1;
-+  data->child_stderr_fd = -1;
-+
-+  /* the life-cycle of UtilsSpawnData is tied to its GSimpleAsyncResult */
-+  g_simple_async_result_set_op_res_gpointer (data->simple, data, (GDestroyNotify) utils_spawn_data_free);
-+
-+  error = NULL;
-+  if (data->cancellable != NULL)
-+    {
-+      /* could already be cancelled */
-+      error = NULL;
-+      if (g_cancellable_set_error_if_cancelled (data->cancellable, &error))
-+        {
-+          g_simple_async_result_take_error (data->simple, error);
-+          g_simple_async_result_complete_in_idle (data->simple);
-+          g_object_unref (data->simple);
-+          goto out;
-+        }
-+
-+      data->cancellable_handler_id = g_cancellable_connect (data->cancellable,
-+                                                            G_CALLBACK (utils_on_cancelled),
-+                                                            data,
-+                                                            NULL);
-+    }
-+
-+  error = NULL;
-+  if (!g_spawn_async_with_pipes (NULL, /* working directory */
-+                                 (gchar **) argv,
-+                                 NULL, /* envp */
-+                                 G_SPAWN_SEARCH_PATH | G_SPAWN_DO_NOT_REAP_CHILD,
-+                                 NULL, /* child_setup */
-+                                 NULL, /* child_setup's user_data */
-+                                 &(data->child_pid),
-+                                 NULL, /* gint *stdin_fd */
-+                                 &(data->child_stdout_fd),
-+                                 &(data->child_stderr_fd),
-+                                 &error))
-+    {
-+      g_prefix_error (&error, "Error spawning: ");
-+      g_simple_async_result_take_error (data->simple, error);
-+      g_simple_async_result_complete_in_idle (data->simple);
-+      g_object_unref (data->simple);
-+      goto out;
-+    }
-+
-+  if (timeout_seconds > 0)
-+    {
-+      data->timeout_source = g_timeout_source_new_seconds (timeout_seconds);
-+      g_source_set_priority (data->timeout_source, G_PRIORITY_DEFAULT);
-+      g_source_set_callback (data->timeout_source, utils_timeout_cb, data, NULL);
-+      g_source_attach (data->timeout_source, data->main_context);
-+      g_source_unref (data->timeout_source);
-+    }
-+
-+  data->child_watch_source = g_child_watch_source_new (data->child_pid);
-+  g_source_set_callback (data->child_watch_source, (GSourceFunc) utils_child_watch_cb, data, NULL);
-+  g_source_attach (data->child_watch_source, data->main_context);
-+  g_source_unref (data->child_watch_source);
-+
-+  data->child_stdout_channel = g_io_channel_unix_new (data->child_stdout_fd);
-+  g_io_channel_set_flags (data->child_stdout_channel, G_IO_FLAG_NONBLOCK, NULL);
-+  data->child_stdout_source = g_io_create_watch (data->child_stdout_channel, G_IO_IN);
-+  g_source_set_callback (data->child_stdout_source, (GSourceFunc) utils_read_child_stdout, data, NULL);
-+  g_source_attach (data->child_stdout_source, data->main_context);
-+  g_source_unref (data->child_stdout_source);
-+
-+  data->child_stderr_channel = g_io_channel_unix_new (data->child_stderr_fd);
-+  g_io_channel_set_flags (data->child_stderr_channel, G_IO_FLAG_NONBLOCK, NULL);
-+  data->child_stderr_source = g_io_create_watch (data->child_stderr_channel, G_IO_IN);
-+  g_source_set_callback (data->child_stderr_source, (GSourceFunc) utils_read_child_stderr, data, NULL);
-+  g_source_attach (data->child_stderr_source, data->main_context);
-+  g_source_unref (data->child_stderr_source);
-+
-+ out:
-+  ;
-+}
-+
-+gboolean
-+utils_spawn_finish (GAsyncResult   *res,
-+                    gint           *out_exit_status,
-+                    gchar         **out_standard_output,
-+                    gchar         **out_standard_error,
-+                    GError        **error)
-+{
-+  GSimpleAsyncResult *simple = G_SIMPLE_ASYNC_RESULT (res);
-+  UtilsSpawnData *data;
-+  gboolean ret = FALSE;
-+
-+  g_return_val_if_fail (G_IS_ASYNC_RESULT (res), FALSE);
-+  g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
-+
-+  g_warn_if_fail (g_simple_async_result_get_source_tag (simple) == utils_spawn);
-+
-+  if (g_simple_async_result_propagate_error (simple, error))
-+    goto out;
-+
-+  data = (UtilsSpawnData*)g_simple_async_result_get_op_res_gpointer (simple);
-+
-+  if (data->timed_out)
-+    {
-+      g_set_error (error,
-+                   G_IO_ERROR,
-+                   G_IO_ERROR_TIMED_OUT,
-+                   "Timed out after %d seconds",
-+                   data->timeout_seconds);
-+      goto out;
-+    }
-+
-+  if (out_exit_status != NULL)
-+    *out_exit_status = data->exit_status;
-+
-+  if (out_standard_output != NULL)
-+    *out_standard_output = g_strdup (data->child_stdout->str);
-+
-+  if (out_standard_error != NULL)
-+    *out_standard_error = g_strdup (data->child_stderr->str);
-+
-+  ret = TRUE;
-+
-+ out:
-+  return ret;
-+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf
deleted file mode 100644
index 9734ff4ba6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-d   /etc/polkit-1           -       -       -       -   -
-d   /etc/polkit-1/rules.d   0700    polkitd root    -   -
-d   /var/lib/polkit-1       0700    polkitd polkitd -   -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild
index 5acbca3381..1fd9a3e3fe 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild
@@ -32,7 +32,7 @@ BDEPEND="
 	introspection? ( dev-libs/gobject-introspection )
 "
 DEPEND="
-	dev-lang/duktape
+	dev-lang/spidermonkey:78[-debug]
 	dev-libs/glib:2
 	dev-libs/expat
 	elogind? ( sys-auth/elogind )
@@ -59,9 +59,6 @@ DOCS=( docs/TODO HACKING NEWS README )
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-0.115-elogind.patch # bug 660880
-
-	# from https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
-	"${FILESDIR}"/35_WIP_Add_duktape_as_javascript_engine.patch
 )
 
 QA_MULTILIB_PATHS="
@@ -95,7 +92,6 @@ src_configure() {
 		--enable-man-pages
 		--disable-gtk-doc
 		--disable-examples
-		--with-duktape
 		$(use_enable elogind libelogind)
 		$(use_enable introspection)
 		$(use_enable nls)
@@ -119,16 +115,6 @@ src_compile() {
 src_install() {
 	default
 
-	dodir /usr/share/polkit-1/rules.d
-	dodir /usr/lib/pam.d
-
-	mv "${D}"/{etc,usr/share}/polkit-1/rules.d/50-default.rules || die
-	mv "${D}"/{etc,usr/lib}/pam.d/polkit-1 || die
-	rmdir "${D}"/etc/polkit-1/rules.d "${D}"/etc/polkit-1 || die
-	rmdir "${D}"/etc/pam.d || die
-
-	systemd_dotmpfilesd "${FILESDIR}/polkit.conf"
-
 	if use examples; then
 		docinto examples
 		dodoc src/examples/{*.c,*.policy*}
@@ -139,3 +125,8 @@ src_install() {
 
 	find "${ED}" -name '*.la' -delete || die
 }
+
+pkg_postinst() {
+	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}

From 32b5a0dee7b85bf3393c76acc34bf261b55308bc Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:29:22 +0100
Subject: [PATCH 25/37] sys-auth/polkit: Apply Flatcar modifications

  - apply duktape patchset from
    https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
    (this should be re-fetched from the above MR when forward-porting
    to updated polkit versions.)
  - fix config install paths, use systemd-tmpfiles (All configs should
    be installed to /usr and tmpfiles should be used to create and fix
    directory permissions instead of the ebuild's postinst.)
---
 ...WIP_Add_duktape_as_javascript_engine.patch | 1596 +++++++++++++++++
 .../sys-auth/polkit/files/polkit.conf         |    3 +
 .../sys-auth/polkit/polkit-0.119-r2.ebuild    |   24 +-
 3 files changed, 1616 insertions(+), 7 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch
new file mode 100644
index 0000000000..2dba8094ab
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch
@@ -0,0 +1,1596 @@
+diff --git a/configure.ac b/configure.ac
+index 4ac2219770513e41b10605a48bc445144bfc8c06..d51cfbd922e289d30e0fdc0c3df745d0c9bd947f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -80,11 +80,22 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+ 
+-PKG_CHECK_MODULES(LIBJS, [mozjs-78])
+-
+-AC_SUBST(LIBJS_CFLAGS)
+-AC_SUBST(LIBJS_CXXFLAGS)
+-AC_SUBST(LIBJS_LIBS)
++dnl ---------------------------------------------------------------------------
++dnl - Check javascript backend
++dnl ---------------------------------------------------------------------------
++AC_ARG_WITH(duktape, AS_HELP_STRING([--with-duktape],[Use Duktape as javascript backend]),with_duktape=yes,with_duktape=no)
++AS_IF([test x${with_duktape} == xyes], [
++  PKG_CHECK_MODULES(LIBJS, [duktape >= 2.0.0 ])
++  AC_SUBST(LIBJS_CFLAGS)
++  AC_SUBST(LIBJS_LIBS)
++], [
++  PKG_CHECK_MODULES(LIBJS, [mozjs-78])
++
++  AC_SUBST(LIBJS_CFLAGS)
++  AC_SUBST(LIBJS_CXXFLAGS)
++  AC_SUBST(LIBJS_LIBS)
++])
++AM_CONDITIONAL(USE_DUKTAPE, [test x$with_duktape == xyes], [Using duktape as javascript engine library])
+ 
+ EXPAT_LIB=""
+ AC_ARG_WITH(expat, [  --with-expat=<dir>      Use expat from here],
+@@ -581,6 +592,13 @@ echo "
+         PAM support:                ${have_pam}
+         systemdsystemunitdir:       ${systemdsystemunitdir}
+         polkitd user:               ${POLKITD_USER}"
++if test "x${with_duktape}" = xyes; then
++echo "
++        Javascript engine:          Duktape"
++else
++echo "
++        Javascript engine:          Mozjs"
++fi
+ 
+ if test "$have_pam" = yes ; then
+ echo "
+diff --git a/meson.build b/meson.build
+index 6997e7f7c6812cc58ac8b74246e557e9c0b03085..75513c2caf3a6fae7744675f9b4bcecd94d59d42 100644
+--- a/meson.build
++++ b/meson.build
+@@ -126,7 +126,13 @@ expat_dep = dependency('expat')
+ assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
+ assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
+ 
+-mozjs_dep = dependency('mozjs-78')
++js_engine = get_option('js_engine')
++if js_engine == 'duktape'
++  js_dep = dependency('duktape')
++  libm_dep = cc.find_library('m')
++elif js_engine == 'mozjs'
++  js_dep = dependency('mozjs-78')
++endif
+ 
+ dbus_dep = dependency('dbus-1')
+ dbus_sysconfdir = dbus_dep.get_pkgconfig_variable('sysconfdir', define_variable: ['sysconfdir', pk_prefix / pk_sysconfdir])
+@@ -350,6 +356,9 @@ if enable_logind
+   output += '        systemdsystemunitdir:     ' + systemd_systemdsystemunitdir + '\n'
+ endif
+ output += '        polkitd user:             ' + polkitd_user + ' \n'
++output += '        Javascript engine:        ' + js_engine + '\n'
++if enable_logind
++endif
+ output += '        PAM support:              ' + enable_pam.to_string() + '\n\n'
+ if enable_pam
+   output += '        PAM file auth:            ' + pam_conf['PAM_FILE_INCLUDE_AUTH'] + '\n'
+diff --git a/meson_options.txt b/meson_options.txt
+index 25e3e7793ae1671fc65e172386b9392abf4e9352..76aa311c99620129b3594b0d95d675df91dc483b 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -16,3 +16,4 @@ option('introspection', type: 'boolean', value: true, description: 'Enable intro
+ 
+ option('gtk_doc', type: 'boolean', value: false, description: 'use gtk-doc to build documentation')
+ option('man', type: 'boolean', value: false, description: 'build manual pages')
++option('js_engine', type: 'combo', choices: ['mozjs', 'duktape'], value: 'duktape', description: 'javascript engine')
+diff --git a/src/polkitbackend/Makefile.am b/src/polkitbackend/Makefile.am
+index 7e3c0809984987d8e77ff6c7717248f132e990f3..abcbc6ff7457965bbedce95a702921bbcd626428 100644
+--- a/src/polkitbackend/Makefile.am
++++ b/src/polkitbackend/Makefile.am
+@@ -33,7 +33,7 @@ libpolkit_backend_1_la_SOURCES =                                   			\
+ 	polkitbackendprivate.h								\
+ 	polkitbackendauthority.h		polkitbackendauthority.c		\
+ 	polkitbackendinteractiveauthority.h	polkitbackendinteractiveauthority.c	\
+-	polkitbackendjsauthority.h		polkitbackendjsauthority.cpp		\
++	polkitbackendjsauthority.h				\
+ 	polkitbackendactionpool.h		polkitbackendactionpool.c		\
+ 	polkitbackendactionlookup.h		polkitbackendactionlookup.c		\
+         $(NULL)
+@@ -51,19 +51,27 @@ libpolkit_backend_1_la_CFLAGS =                                        	\
+         -D_POLKIT_BACKEND_COMPILATION                                  	\
+         $(GLIB_CFLAGS)							\
+ 	$(LIBSYSTEMD_CFLAGS)						\
+-	$(LIBJS_CFLAGS)							\
++	$(LIBJS_CFLAGS)						\
+         $(NULL)
+ 
+ libpolkit_backend_1_la_CXXFLAGS = $(libpolkit_backend_1_la_CFLAGS)
+ 
+ libpolkit_backend_1_la_LIBADD =                               		\
+         $(GLIB_LIBS)							\
++        $(DUKTAPE_LIBS)							\
+ 	$(LIBSYSTEMD_LIBS)						\
+ 	$(top_builddir)/src/polkit/libpolkit-gobject-1.la		\
+ 	$(EXPAT_LIBS)							\
+-	$(LIBJS_LIBS)							\
++	$(LIBJS_LIBS)                                                   \
+         $(NULL)
+ 
++if USE_DUKTAPE
++libpolkit_backend_1_la_SOURCES += polkitbackendduktapeauthority.c
++libpolkit_backend_1_la_LIBADD += -lm
++else
++libpolkit_backend_1_la_SOURCES += polkitbackendjsauthority.cpp
++endif
++
+ rulesdir = $(sysconfdir)/polkit-1/rules.d
+ rules_DATA = 50-default.rules
+ 
+diff --git a/src/polkitbackend/meson.build b/src/polkitbackend/meson.build
+index 93c3c34574efbedb62cb8f3cc63f6acdfef5563f..d7d3b025679dee94f658e3562172f72de0bf9ddf 100644
+--- a/src/polkitbackend/meson.build
++++ b/src/polkitbackend/meson.build
+@@ -5,7 +5,6 @@ sources = files(
+   'polkitbackendactionpool.c',
+   'polkitbackendauthority.c',
+   'polkitbackendinteractiveauthority.c',
+-  'polkitbackendjsauthority.cpp',
+ )
+ 
+ output = 'initjs.h'
+@@ -21,7 +20,7 @@ sources += custom_target(
+ deps = [
+   expat_dep,
+   libpolkit_gobject_dep,
+-  mozjs_dep,
++  js_dep,
+ ]
+ 
+ c_flags = [
+@@ -31,6 +30,13 @@ c_flags = [
+   '-DPACKAGE_SYSCONF_DIR="@0@"'.format(pk_prefix / pk_sysconfdir),
+ ]
+ 
++if js_engine == 'duktape'
++  sources += files('polkitbackendduktapeauthority.c')
++  deps += libm_dep
++elif js_engine == 'mozjs'
++  sources += files('polkitbackendjsauthority.cpp')
++endif
++
+ if enable_logind
+   sources += files('polkitbackendsessionmonitor-systemd.c')
+ 
+diff --git a/src/polkitbackend/polkitbackendduktapeauthority.c b/src/polkitbackend/polkitbackendduktapeauthority.c
+new file mode 100644
+index 0000000000000000000000000000000000000000..4b4f8fda7102223de1300e9ba9f2fa943708b653
+--- /dev/null
++++ b/src/polkitbackend/polkitbackendduktapeauthority.c
+@@ -0,0 +1,1428 @@
++/*
++ * Copyright (C) 2008-2012 Red Hat, Inc.
++ * Copyright (C) 2015 Tangent Space <jstpierre@mecheye.net>
++ * Copyright (C) 2019 Wu Xiaotian <yetist@gmail.com>
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General
++ * Public License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
++ * Boston, MA 02111-1307, USA.
++ *
++ * Author: David Zeuthen <davidz@redhat.com>
++ */
++
++#include "config.h"
++#include <sys/wait.h>
++#include <errno.h>
++#include <pwd.h>
++#include <grp.h>
++#ifdef HAVE_NETGROUP_H
++#include <netgroup.h>
++#else
++#include <netdb.h>
++#endif
++#include <string.h>
++#include <glib/gstdio.h>
++#include <locale.h>
++#include <glib/gi18n-lib.h>
++
++#include <polkit/polkit.h>
++#include "polkitbackendjsauthority.h"
++
++#include <polkit/polkitprivate.h>
++
++#ifdef HAVE_LIBSYSTEMD
++#include <systemd/sd-login.h>
++#endif /* HAVE_LIBSYSTEMD */
++
++#include "initjs.h" /* init.js */
++#include "duktape.h"
++
++/**
++ * SECTION:polkitbackendjsauthority
++ * @title: PolkitBackendJsAuthority
++ * @short_description: JS Authority
++ * @stability: Unstable
++ *
++ * An implementation of #PolkitBackendAuthority that reads and
++ * evalates Javascript files and supports interaction with
++ * authentication agents (virtue of being based on
++ * #PolkitBackendInteractiveAuthority).
++ */
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++struct _PolkitBackendJsAuthorityPrivate
++{
++  gchar **rules_dirs;
++  GFileMonitor **dir_monitors; /* NULL-terminated array of GFileMonitor instances */
++  duk_context *cx;
++};
++
++
++static void utils_spawn (const gchar *const  *argv,
++                         guint                timeout_seconds,
++                         GCancellable        *cancellable,
++                         GAsyncReadyCallback  callback,
++                         gpointer             user_data);
++
++gboolean utils_spawn_finish (GAsyncResult   *res,
++                             gint           *out_exit_status,
++                             gchar         **out_standard_output,
++                             gchar         **out_standard_error,
++                             GError        **error);
++
++static void on_dir_monitor_changed (GFileMonitor     *monitor,
++                                    GFile            *file,
++                                    GFile            *other_file,
++                                    GFileMonitorEvent event_type,
++                                    gpointer          user_data);
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++enum
++{
++  PROP_0,
++  PROP_RULES_DIRS,
++};
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static GList *polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveAuthority *authority,
++                                                                     PolkitSubject                     *caller,
++                                                                     PolkitSubject                     *subject,
++                                                                     PolkitIdentity                    *user_for_subject,
++                                                                     gboolean                           subject_is_local,
++                                                                     gboolean                           subject_is_active,
++                                                                     const gchar                       *action_id,
++                                                                     PolkitDetails                     *details);
++
++static PolkitImplicitAuthorization polkit_backend_js_authority_check_authorization_sync (
++                                                          PolkitBackendInteractiveAuthority *authority,
++                                                          PolkitSubject                     *caller,
++                                                          PolkitSubject                     *subject,
++                                                          PolkitIdentity                    *user_for_subject,
++                                                          gboolean                           subject_is_local,
++                                                          gboolean                           subject_is_active,
++                                                          const gchar                       *action_id,
++                                                          PolkitDetails                     *details,
++                                                          PolkitImplicitAuthorization        implicit);
++
++G_DEFINE_TYPE (PolkitBackendJsAuthority, polkit_backend_js_authority, POLKIT_BACKEND_TYPE_INTERACTIVE_AUTHORITY);
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static duk_ret_t js_polkit_log (duk_context *cx);
++static duk_ret_t js_polkit_spawn (duk_context *cx);
++static duk_ret_t js_polkit_user_is_in_netgroup (duk_context *cx);
++
++static const duk_function_list_entry js_polkit_functions[] =
++{
++  { "log", js_polkit_log, 1 },
++  { "spawn", js_polkit_spawn, 1 },
++  { "_userIsInNetGroup", js_polkit_user_is_in_netgroup, 2 },
++  { NULL, NULL, 0 },
++};
++
++static void
++polkit_backend_js_authority_init (PolkitBackendJsAuthority *authority)
++{
++  authority->priv = G_TYPE_INSTANCE_GET_PRIVATE (authority,
++                                                 POLKIT_BACKEND_TYPE_JS_AUTHORITY,
++                                                 PolkitBackendJsAuthorityPrivate);
++}
++
++static gint
++rules_file_name_cmp (const gchar *a,
++                     const gchar *b)
++{
++  gint ret;
++  const gchar *a_base;
++  const gchar *b_base;
++
++  a_base = strrchr (a, '/');
++  b_base = strrchr (b, '/');
++
++  g_assert (a_base != NULL);
++  g_assert (b_base != NULL);
++  a_base += 1;
++  b_base += 1;
++
++  ret = g_strcmp0 (a_base, b_base);
++  if (ret == 0)
++    {
++      /* /etc wins over /usr */
++      ret = g_strcmp0 (a, b);
++      g_assert (ret != 0);
++    }
++
++  return ret;
++}
++
++static void
++load_scripts (PolkitBackendJsAuthority  *authority)
++{
++  duk_context *cx = authority->priv->cx;
++  GList *files = NULL;
++  GList *l;
++  guint num_scripts = 0;
++  GError *error = NULL;
++  guint n;
++
++  files = NULL;
++
++  for (n = 0; authority->priv->rules_dirs != NULL && authority->priv->rules_dirs[n] != NULL; n++)
++    {
++      const gchar *dir_name = authority->priv->rules_dirs[n];
++      GDir *dir = NULL;
++
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Loading rules from directory %s",
++                                    dir_name);
++
++      dir = g_dir_open (dir_name,
++                        0,
++                        &error);
++      if (dir == NULL)
++        {
++          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                        "Error opening rules directory: %s (%s, %d)",
++                                        error->message, g_quark_to_string (error->domain), error->code);
++          g_clear_error (&error);
++        }
++      else
++        {
++          const gchar *name;
++          while ((name = g_dir_read_name (dir)) != NULL)
++            {
++              if (g_str_has_suffix (name, ".rules"))
++                files = g_list_prepend (files, g_strdup_printf ("%s/%s", dir_name, name));
++            }
++          g_dir_close (dir);
++        }
++    }
++
++  files = g_list_sort (files, (GCompareFunc) rules_file_name_cmp);
++
++  for (l = files; l != NULL; l = l->next)
++    {
++      const gchar *filename = (gchar *)l->data;
++#if (DUK_VERSION >= 20000)
++      GFile *file = g_file_new_for_path (filename);
++      char *contents;
++      gsize len;
++      if (!g_file_load_contents (file, NULL, &contents, &len, NULL, NULL))
++        {
++          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                        "Error compiling script %s",
++                                        filename);
++          g_object_unref (file);
++          continue;
++        }
++
++      g_object_unref (file);
++      if (duk_peval_lstring_noresult(cx, contents,len) != 0)
++#else
++      if (duk_peval_file_noresult (cx, filename) != 0)
++#endif
++        {
++          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                        "Error compiling script %s: %s",
++                                        filename, duk_safe_to_string (authority->priv->cx, -1));
++#if (DUK_VERSION >= 20000)
++          g_free (contents);
++#endif
++          continue;
++        }
++#if (DUK_VERSION >= 20000)
++      g_free (contents);
++#endif
++      num_scripts++;
++    }
++
++  polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                "Finished loading, compiling and executing %d rules",
++                                num_scripts);
++  g_list_free_full (files, g_free);
++}
++
++static void
++reload_scripts (PolkitBackendJsAuthority *authority)
++{
++  duk_context *cx = authority->priv->cx;
++
++  duk_set_top (cx, 0);
++  if (!duk_get_global_string (cx, "polkit")) {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Error deleting old rules, not loading new ones");
++      return;
++  }
++  duk_push_string (cx, "_deleteRules");
++
++  duk_call_prop (cx, 0, 0);
++
++  polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                "Collecting garbage unconditionally...");
++
++  load_scripts (authority);
++
++  /* Let applications know we have new rules... */
++  g_signal_emit_by_name (authority, "changed");
++}
++
++static void
++on_dir_monitor_changed (GFileMonitor     *monitor,
++                        GFile            *file,
++                        GFile            *other_file,
++                        GFileMonitorEvent event_type,
++                        gpointer          user_data)
++{
++  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (user_data);
++
++  /* TODO: maybe rate-limit so storms of events are collapsed into one with a 500ms resolution?
++   *       Because when editing a file with emacs we get 4-8 events..
++   */
++
++  if (file != NULL)
++    {
++      gchar *name;
++
++      name = g_file_get_basename (file);
++
++      /* g_print ("event_type=%d file=%p name=%s\n", event_type, file, name); */
++      if (!g_str_has_prefix (name, ".") &&
++          !g_str_has_prefix (name, "#") &&
++          g_str_has_suffix (name, ".rules") &&
++          (event_type == G_FILE_MONITOR_EVENT_CREATED ||
++           event_type == G_FILE_MONITOR_EVENT_DELETED ||
++           event_type == G_FILE_MONITOR_EVENT_CHANGES_DONE_HINT))
++        {
++          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                        "Reloading rules");
++          reload_scripts (authority);
++        }
++      g_free (name);
++    }
++}
++
++
++static void
++setup_file_monitors (PolkitBackendJsAuthority *authority)
++{
++  guint n;
++  GPtrArray *p;
++
++  p = g_ptr_array_new ();
++  for (n = 0; authority->priv->rules_dirs != NULL && authority->priv->rules_dirs[n] != NULL; n++)
++    {
++      GFile *file;
++      GError *error;
++      GFileMonitor *monitor;
++
++      file = g_file_new_for_path (authority->priv->rules_dirs[n]);
++      error = NULL;
++      monitor = g_file_monitor_directory (file,
++                                          G_FILE_MONITOR_NONE,
++                                          NULL,
++                                          &error);
++      g_object_unref (file);
++      if (monitor == NULL)
++        {
++          g_warning ("Error monitoring directory %s: %s",
++                     authority->priv->rules_dirs[n],
++                     error->message);
++          g_clear_error (&error);
++        }
++      else
++        {
++          g_signal_connect (monitor,
++                            "changed",
++                            G_CALLBACK (on_dir_monitor_changed),
++                            authority);
++          g_ptr_array_add (p, monitor);
++        }
++    }
++  g_ptr_array_add (p, NULL);
++  authority->priv->dir_monitors = (GFileMonitor**) g_ptr_array_free (p, FALSE);
++}
++
++static void
++polkit_backend_js_authority_constructed (GObject *object)
++{
++  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (object);
++  duk_context *cx;
++
++  cx = duk_create_heap (NULL, NULL, NULL, authority, NULL);
++  if (cx == NULL)
++    goto fail;
++
++  authority->priv->cx = cx;
++
++  duk_push_global_object (cx);
++  duk_push_object (cx);
++  duk_put_function_list (cx, -1, js_polkit_functions);
++  duk_put_prop_string (cx, -2, "polkit");
++
++  duk_eval_string (cx, init_js);
++
++  if (authority->priv->rules_dirs == NULL)
++    {
++      authority->priv->rules_dirs = g_new0 (gchar *, 3);
++      authority->priv->rules_dirs[0] = g_strdup (PACKAGE_SYSCONF_DIR "/polkit-1/rules.d");
++      authority->priv->rules_dirs[1] = g_strdup (PACKAGE_DATA_DIR "/polkit-1/rules.d");
++    }
++
++  setup_file_monitors (authority);
++  load_scripts (authority);
++
++  G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->constructed (object);
++  return;
++
++ fail:
++  g_critical ("Error initializing JavaScript environment");
++  g_assert_not_reached ();
++}
++
++static void
++polkit_backend_js_authority_finalize (GObject *object)
++{
++  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (object);
++  guint n;
++
++  for (n = 0; authority->priv->dir_monitors != NULL && authority->priv->dir_monitors[n] != NULL; n++)
++    {
++      GFileMonitor *monitor = authority->priv->dir_monitors[n];
++      g_signal_handlers_disconnect_by_func (monitor,
++                                            G_CALLBACK (on_dir_monitor_changed),
++                                            authority);
++      g_object_unref (monitor);
++    }
++  g_free (authority->priv->dir_monitors);
++  g_strfreev (authority->priv->rules_dirs);
++
++  duk_destroy_heap (authority->priv->cx);
++
++  G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
++}
++
++static void
++polkit_backend_js_authority_set_property (GObject      *object,
++                                          guint         property_id,
++                                          const GValue *value,
++                                          GParamSpec   *pspec)
++{
++  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (object);
++
++  switch (property_id)
++    {
++      case PROP_RULES_DIRS:
++        g_assert (authority->priv->rules_dirs == NULL);
++        authority->priv->rules_dirs = (gchar **) g_value_dup_boxed (value);
++        break;
++
++      default:
++        G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
++        break;
++    }
++}
++
++static const gchar *
++polkit_backend_js_authority_get_name (PolkitBackendAuthority *authority)
++{
++  return "js";
++}
++
++static const gchar *
++polkit_backend_js_authority_get_version (PolkitBackendAuthority *authority)
++{
++  return PACKAGE_VERSION;
++}
++
++static PolkitAuthorityFeatures
++polkit_backend_js_authority_get_features (PolkitBackendAuthority *authority)
++{
++  return POLKIT_AUTHORITY_FEATURES_TEMPORARY_AUTHORIZATION;
++}
++
++static void
++polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
++{
++  GObjectClass *gobject_class;
++  PolkitBackendAuthorityClass *authority_class;
++  PolkitBackendInteractiveAuthorityClass *interactive_authority_class;
++
++
++  gobject_class = G_OBJECT_CLASS (klass);
++  gobject_class->finalize                               = polkit_backend_js_authority_finalize;
++  gobject_class->set_property                           = polkit_backend_js_authority_set_property;
++  gobject_class->constructed                            = polkit_backend_js_authority_constructed;
++
++  authority_class = POLKIT_BACKEND_AUTHORITY_CLASS (klass);
++  authority_class->get_name                             = polkit_backend_js_authority_get_name;
++  authority_class->get_version                          = polkit_backend_js_authority_get_version;
++  authority_class->get_features                         = polkit_backend_js_authority_get_features;
++
++  interactive_authority_class = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_CLASS (klass);
++  interactive_authority_class->get_admin_identities     = polkit_backend_js_authority_get_admin_auth_identities;
++  interactive_authority_class->check_authorization_sync = polkit_backend_js_authority_check_authorization_sync;
++
++  g_object_class_install_property (gobject_class,
++                                   PROP_RULES_DIRS,
++                                   g_param_spec_boxed ("rules-dirs",
++                                                       NULL,
++                                                       NULL,
++                                                       G_TYPE_STRV,
++                                                       G_PARAM_CONSTRUCT_ONLY | G_PARAM_WRITABLE));
++
++
++  g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static void
++set_property_str (duk_context *cx,
++                  const gchar *name,
++                  const gchar *value)
++{
++  duk_push_string (cx, value);
++  duk_put_prop_string (cx, -2, name);
++}
++
++static void
++set_property_strv (duk_context *cx,
++                   const gchar *name,
++                   GPtrArray   *value)
++{
++  guint n;
++  duk_push_array (cx);
++  for (n = 0; n < value->len; n++)
++    {
++      duk_push_string (cx, g_ptr_array_index (value, n));
++      duk_put_prop_index (cx, -2, n);
++    }
++  duk_put_prop_string (cx, -2, name);
++}
++
++static void
++set_property_int32 (duk_context *cx,
++                    const gchar *name,
++                    gint32       value)
++{
++  duk_push_int (cx, value);
++  duk_put_prop_string (cx, -2, name);
++}
++
++static void
++set_property_bool (duk_context *cx,
++                   const char  *name,
++                   gboolean     value)
++{
++  duk_push_boolean (cx, value);
++  duk_put_prop_string (cx, -2, name);
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static gboolean
++push_subject (duk_context               *cx,
++              PolkitSubject             *subject,
++              PolkitIdentity            *user_for_subject,
++              gboolean                   subject_is_local,
++              gboolean                   subject_is_active,
++              GError                   **error)
++{
++  gboolean ret = FALSE;
++  pid_t pid;
++  uid_t uid;
++  gchar *user_name = NULL;
++  GPtrArray *groups = NULL;
++  struct passwd *passwd;
++  char *seat_str = NULL;
++  char *session_str = NULL;
++
++  if (!duk_get_global_string (cx, "Subject")) {
++    return FALSE;
++  }
++
++  duk_new (cx, 0);
++
++  if (POLKIT_IS_UNIX_PROCESS (subject))
++    {
++      pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject));
++    }
++  else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
++    {
++      PolkitSubject *process;
++      process = polkit_system_bus_name_get_process_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
++      if (process == NULL)
++        goto out;
++      pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (process));
++      g_object_unref (process);
++    }
++  else
++    {
++      g_assert_not_reached ();
++    }
++
++#ifdef HAVE_LIBSYSTEMD
++  if (sd_pid_get_session (pid, &session_str) == 0)
++    {
++      if (sd_session_get_seat (session_str, &seat_str) == 0)
++        {
++          /* do nothing */
++        }
++    }
++#endif /* HAVE_LIBSYSTEMD */
++
++  g_assert (POLKIT_IS_UNIX_USER (user_for_subject));
++  uid = polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_for_subject));
++
++  groups = g_ptr_array_new_with_free_func (g_free);
++
++  passwd = getpwuid (uid);
++  if (passwd == NULL)
++    {
++      user_name = g_strdup_printf ("%d", (gint) uid);
++      g_warning ("Error looking up info for uid %d: %m", (gint) uid);
++    }
++  else
++    {
++      gid_t gids[512];
++      int num_gids = 512;
++
++      user_name = g_strdup (passwd->pw_name);
++
++      if (getgrouplist (passwd->pw_name,
++                        passwd->pw_gid,
++                        gids,
++                        &num_gids) < 0)
++        {
++          g_warning ("Error looking up groups for uid %d: %m", (gint) uid);
++        }
++      else
++        {
++          gint n;
++          for (n = 0; n < num_gids; n++)
++            {
++              struct group *group;
++              group = getgrgid (gids[n]);
++              if (group == NULL)
++                {
++                  g_ptr_array_add (groups, g_strdup_printf ("%d", (gint) gids[n]));
++                }
++              else
++                {
++                  g_ptr_array_add (groups, g_strdup (group->gr_name));
++                }
++            }
++        }
++    }
++
++  set_property_int32 (cx, "pid", pid);
++  set_property_str (cx, "user", user_name);
++  set_property_strv (cx, "groups", groups);
++  set_property_str (cx, "seat", seat_str);
++  set_property_str (cx, "session", session_str);
++  set_property_bool (cx, "local", subject_is_local);
++  set_property_bool (cx, "active", subject_is_active);
++
++  ret = TRUE;
++
++ out:
++  free (session_str);
++  free (seat_str);
++  g_free (user_name);
++  if (groups != NULL)
++    g_ptr_array_unref (groups);
++
++  return ret;
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static gboolean
++push_action_and_details (duk_context               *cx,
++                         const gchar               *action_id,
++                         PolkitDetails             *details,
++                         GError                   **error)
++{
++  gchar **keys;
++  guint n;
++
++  if (!duk_get_global_string (cx, "Action")) {
++    return FALSE;
++  }
++
++  duk_new (cx, 0);
++
++  set_property_str (cx, "id", action_id);
++
++  keys = polkit_details_get_keys (details);
++  for (n = 0; keys != NULL && keys[n] != NULL; n++)
++    {
++      gchar *key;
++      const gchar *value;
++      key = g_strdup_printf ("_detail_%s", keys[n]);
++      value = polkit_details_lookup (details, keys[n]);
++      set_property_str (cx, key, value);
++      g_free (key);
++    }
++  g_strfreev (keys);
++
++  return TRUE;
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static GList *
++polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveAuthority *_authority,
++                                                       PolkitSubject                     *caller,
++                                                       PolkitSubject                     *subject,
++                                                       PolkitIdentity                    *user_for_subject,
++                                                       gboolean                           subject_is_local,
++                                                       gboolean                           subject_is_active,
++                                                       const gchar                       *action_id,
++                                                       PolkitDetails                     *details)
++{
++  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
++  GList *ret = NULL;
++  guint n;
++  GError *error = NULL;
++  const char *ret_str = NULL;
++  gchar **ret_strs = NULL;
++  duk_context *cx = authority->priv->cx;
++
++  duk_set_top (cx, 0);
++  if (!duk_get_global_string (cx, "polkit")) {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Error deleting old rules, not loading new ones");
++      goto out;
++  }
++
++  duk_push_string (cx, "_runAdminRules");
++
++  if (!push_action_and_details (cx, action_id, details, &error))
++    {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Error converting action and details to JS object: %s",
++                                    error->message);
++      g_clear_error (&error);
++      goto out;
++    }
++
++  if (!push_subject (cx, subject, user_for_subject, subject_is_local, subject_is_active, &error))
++    {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Error converting subject to JS object: %s",
++                                    error->message);
++      g_clear_error (&error);
++      goto out;
++    }
++
++  if (duk_pcall_prop (cx, 0, 2) != DUK_ERR_NONE)
++    {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Error evaluating admin rules: ",
++                                    duk_safe_to_string (cx, -1));
++      goto out;
++    }
++
++  ret_str = duk_require_string (cx, -1);
++
++  ret_strs = g_strsplit (ret_str, ",", -1);
++  for (n = 0; ret_strs != NULL && ret_strs[n] != NULL; n++)
++    {
++      const gchar *identity_str = ret_strs[n];
++      PolkitIdentity *identity;
++
++      error = NULL;
++      identity = polkit_identity_from_string (identity_str, &error);
++      if (identity == NULL)
++        {
++          polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                        "Identity `%s' is not valid, ignoring: %s",
++                                        identity_str, error->message);
++          g_clear_error (&error);
++        }
++      else
++        {
++          ret = g_list_prepend (ret, identity);
++        }
++    }
++  ret = g_list_reverse (ret);
++
++ out:
++  g_strfreev (ret_strs);
++  /* fallback to root password auth */
++  if (ret == NULL)
++    ret = g_list_prepend (ret, polkit_unix_user_new (0));
++
++  return ret;
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static PolkitImplicitAuthorization
++polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAuthority *_authority,
++                                                      PolkitSubject                     *caller,
++                                                      PolkitSubject                     *subject,
++                                                      PolkitIdentity                    *user_for_subject,
++                                                      gboolean                           subject_is_local,
++                                                      gboolean                           subject_is_active,
++                                                      const gchar                       *action_id,
++                                                      PolkitDetails                     *details,
++                                                      PolkitImplicitAuthorization        implicit)
++{
++  PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
++  PolkitImplicitAuthorization ret = implicit;
++  GError *error = NULL;
++  gchar *ret_str = NULL;
++  gboolean good = FALSE;
++  duk_context *cx = authority->priv->cx;
++
++  duk_set_top (cx, 0);
++  if (!duk_get_global_string (cx, "polkit")) {
++      goto out;
++  }
++
++  duk_push_string (cx, "_runRules");
++
++  if (!push_action_and_details (cx, action_id, details, &error))
++    {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Error converting action and details to JS object: %s",
++                                    error->message);
++      g_clear_error (&error);
++      goto out;
++    }
++
++  if (!push_subject (cx, subject, user_for_subject, subject_is_local, subject_is_active, &error))
++    {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Error converting subject to JS object: %s",
++                                    error->message);
++      g_clear_error (&error);
++      goto out;
++    }
++
++  if (duk_pcall_prop (cx, 0, 2) != DUK_ERR_NONE)
++  {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Error evaluating authorization rules: ",
++                                    duk_safe_to_string (cx, -1));
++      goto out;
++  }
++
++  if (duk_is_null(cx, -1)) {
++    good = TRUE;
++    goto out;
++  }
++  ret_str = g_strdup (duk_require_string (cx, -1));
++  if (!polkit_implicit_authorization_from_string (ret_str, &ret))
++    {
++      polkit_backend_authority_log (POLKIT_BACKEND_AUTHORITY (authority),
++                                    "Returned result `%s' is not valid",
++                                    ret_str);
++      goto out;
++    }
++
++  good = TRUE;
++
++ out:
++  if (!good)
++    ret = POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED;
++  if (ret_str != NULL)
++      g_free (ret_str);
++
++  return ret;
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static duk_ret_t
++js_polkit_log (duk_context *cx)
++{
++  const char *str = duk_require_string (cx, 0);
++  fprintf (stderr, "%s\n", str);
++  return 0;
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++static const gchar *
++get_signal_name (gint signal_number)
++{
++  switch (signal_number)
++    {
++#define _HANDLE_SIG(sig) case sig: return #sig;
++    _HANDLE_SIG (SIGHUP);
++    _HANDLE_SIG (SIGINT);
++    _HANDLE_SIG (SIGQUIT);
++    _HANDLE_SIG (SIGILL);
++    _HANDLE_SIG (SIGABRT);
++    _HANDLE_SIG (SIGFPE);
++    _HANDLE_SIG (SIGKILL);
++    _HANDLE_SIG (SIGSEGV);
++    _HANDLE_SIG (SIGPIPE);
++    _HANDLE_SIG (SIGALRM);
++    _HANDLE_SIG (SIGTERM);
++    _HANDLE_SIG (SIGUSR1);
++    _HANDLE_SIG (SIGUSR2);
++    _HANDLE_SIG (SIGCHLD);
++    _HANDLE_SIG (SIGCONT);
++    _HANDLE_SIG (SIGSTOP);
++    _HANDLE_SIG (SIGTSTP);
++    _HANDLE_SIG (SIGTTIN);
++    _HANDLE_SIG (SIGTTOU);
++    _HANDLE_SIG (SIGBUS);
++#ifdef SIGPOLL
++    _HANDLE_SIG (SIGPOLL);
++#endif
++    _HANDLE_SIG (SIGPROF);
++    _HANDLE_SIG (SIGSYS);
++    _HANDLE_SIG (SIGTRAP);
++    _HANDLE_SIG (SIGURG);
++    _HANDLE_SIG (SIGVTALRM);
++    _HANDLE_SIG (SIGXCPU);
++    _HANDLE_SIG (SIGXFSZ);
++#undef _HANDLE_SIG
++    default:
++      break;
++    }
++  return "UNKNOWN_SIGNAL";
++}
++
++typedef struct
++{
++  GMainLoop *loop;
++  GAsyncResult *res;
++} SpawnData;
++
++static void
++spawn_cb (GObject       *source_object,
++          GAsyncResult  *res,
++          gpointer       user_data)
++{
++  SpawnData *data = (SpawnData *)user_data;
++  data->res = (GAsyncResult*)g_object_ref (res);
++  g_main_loop_quit (data->loop);
++}
++
++static duk_ret_t
++js_polkit_spawn (duk_context *cx)
++{
++#if (DUK_VERSION >= 20000)
++  duk_ret_t ret = DUK_RET_ERROR;
++#else
++  duk_ret_t ret = DUK_RET_INTERNAL_ERROR;
++#endif
++  gchar *standard_output = NULL;
++  gchar *standard_error = NULL;
++  gint exit_status;
++  GError *error = NULL;
++  guint32 array_len;
++  gchar **argv = NULL;
++  GMainContext *context = NULL;
++  GMainLoop *loop = NULL;
++  SpawnData data = {0};
++  char *err_str = NULL;
++  guint n;
++
++  if (!duk_is_array (cx, 0))
++    goto out;
++
++  array_len = duk_get_length (cx, 0);
++
++  argv = g_new0 (gchar*, array_len + 1);
++  for (n = 0; n < array_len; n++)
++    {
++      duk_get_prop_index (cx, 0, n);
++      argv[n] = g_strdup (duk_to_string (cx, -1));
++      duk_pop (cx);
++    }
++
++  context = g_main_context_new ();
++  loop = g_main_loop_new (context, FALSE);
++
++  g_main_context_push_thread_default (context);
++
++  data.loop = loop;
++  utils_spawn ((const gchar *const *) argv,
++               10, /* timeout_seconds */
++               NULL, /* cancellable */
++               spawn_cb,
++               &data);
++
++  g_main_loop_run (loop);
++
++  g_main_context_pop_thread_default (context);
++
++  if (!utils_spawn_finish (data.res,
++                           &exit_status,
++                           &standard_output,
++                           &standard_error,
++                           &error))
++    {
++      err_str = g_strdup_printf ("Error spawning helper: %s (%s, %d)",
++                                 error->message, g_quark_to_string (error->domain), error->code);
++      g_clear_error (&error);
++      goto out;
++    }
++
++  if (!(WIFEXITED (exit_status) && WEXITSTATUS (exit_status) == 0))
++    {
++      GString *gstr;
++      gstr = g_string_new (NULL);
++      if (WIFEXITED (exit_status))
++        {
++          g_string_append_printf (gstr,
++                                  "Helper exited with non-zero exit status %d",
++                                  WEXITSTATUS (exit_status));
++        }
++      else if (WIFSIGNALED (exit_status))
++        {
++          g_string_append_printf (gstr,
++                                  "Helper was signaled with signal %s (%d)",
++                                  get_signal_name (WTERMSIG (exit_status)),
++                                  WTERMSIG (exit_status));
++        }
++      g_string_append_printf (gstr, ", stdout=`%s', stderr=`%s'",
++                              standard_output, standard_error);
++      err_str = g_string_free (gstr, FALSE);
++      goto out;
++    }
++
++  duk_push_string (cx, standard_output);
++  ret = 1;
++
++ out:
++  g_strfreev (argv);
++  g_free (standard_output);
++  g_free (standard_error);
++  g_clear_object (&data.res);
++  if (loop != NULL)
++    g_main_loop_unref (loop);
++  if (context != NULL)
++    g_main_context_unref (context);
++
++  if (err_str)
++    duk_error (cx, DUK_ERR_ERROR, err_str);
++
++  return ret;
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++
++static duk_ret_t
++js_polkit_user_is_in_netgroup (duk_context *cx)
++{
++  const char *user;
++  const char *netgroup;
++  gboolean is_in_netgroup = FALSE;
++
++  user = duk_require_string (cx, 0);
++  netgroup = duk_require_string (cx, 1);
++
++  if (innetgr (netgroup,
++               NULL,  /* host */
++               user,
++               NULL)) /* domain */
++    {
++      is_in_netgroup = TRUE;
++    }
++
++  duk_push_boolean (cx, is_in_netgroup);
++  return 1;
++}
++
++/* ---------------------------------------------------------------------------------------------------- */
++
++typedef struct
++{
++  GSimpleAsyncResult *simple; /* borrowed reference */
++  GMainContext *main_context; /* may be NULL */
++
++  GCancellable *cancellable;  /* may be NULL */
++  gulong cancellable_handler_id;
++
++  GPid child_pid;
++  gint child_stdout_fd;
++  gint child_stderr_fd;
++
++  GIOChannel *child_stdout_channel;
++  GIOChannel *child_stderr_channel;
++
++  GSource *child_watch_source;
++  GSource *child_stdout_source;
++  GSource *child_stderr_source;
++
++  guint timeout_seconds;
++  gboolean timed_out;
++  GSource *timeout_source;
++
++  GString *child_stdout;
++  GString *child_stderr;
++
++  gint exit_status;
++} UtilsSpawnData;
++
++static void
++utils_child_watch_from_release_cb (GPid     pid,
++                                   gint     status,
++                                   gpointer user_data)
++{
++}
++
++static void
++utils_spawn_data_free (UtilsSpawnData *data)
++{
++  if (data->timeout_source != NULL)
++    {
++      g_source_destroy (data->timeout_source);
++      data->timeout_source = NULL;
++    }
++
++  /* Nuke the child, if necessary */
++  if (data->child_watch_source != NULL)
++    {
++      g_source_destroy (data->child_watch_source);
++      data->child_watch_source = NULL;
++    }
++
++  if (data->child_pid != 0)
++    {
++      GSource *source;
++      kill (data->child_pid, SIGTERM);
++      /* OK, we need to reap for the child ourselves - we don't want
++       * to use waitpid() because that might block the calling
++       * thread (the child might handle SIGTERM and use several
++       * seconds for cleanup/rollback).
++       *
++       * So we use GChildWatch instead.
++       *
++       * Avoid taking a references to ourselves. but note that we need
++       * to pass the GSource so we can nuke it once handled.
++       */
++      source = g_child_watch_source_new (data->child_pid);
++      g_source_set_callback (source,
++                             (GSourceFunc) utils_child_watch_from_release_cb,
++                             source,
++                             (GDestroyNotify) g_source_destroy);
++      g_source_attach (source, data->main_context);
++      g_source_unref (source);
++      data->child_pid = 0;
++    }
++
++  if (data->child_stdout != NULL)
++    {
++      g_string_free (data->child_stdout, TRUE);
++      data->child_stdout = NULL;
++    }
++
++  if (data->child_stderr != NULL)
++    {
++      g_string_free (data->child_stderr, TRUE);
++      data->child_stderr = NULL;
++    }
++
++  if (data->child_stdout_channel != NULL)
++    {
++      g_io_channel_unref (data->child_stdout_channel);
++      data->child_stdout_channel = NULL;
++    }
++  if (data->child_stderr_channel != NULL)
++    {
++      g_io_channel_unref (data->child_stderr_channel);
++      data->child_stderr_channel = NULL;
++    }
++
++  if (data->child_stdout_source != NULL)
++    {
++      g_source_destroy (data->child_stdout_source);
++      data->child_stdout_source = NULL;
++    }
++  if (data->child_stderr_source != NULL)
++    {
++      g_source_destroy (data->child_stderr_source);
++      data->child_stderr_source = NULL;
++    }
++
++  if (data->child_stdout_fd != -1)
++    {
++      g_warn_if_fail (close (data->child_stdout_fd) == 0);
++      data->child_stdout_fd = -1;
++    }
++  if (data->child_stderr_fd != -1)
++    {
++      g_warn_if_fail (close (data->child_stderr_fd) == 0);
++      data->child_stderr_fd = -1;
++    }
++
++  if (data->cancellable_handler_id > 0)
++    {
++      g_cancellable_disconnect (data->cancellable, data->cancellable_handler_id);
++      data->cancellable_handler_id = 0;
++    }
++
++  if (data->main_context != NULL)
++    g_main_context_unref (data->main_context);
++
++  if (data->cancellable != NULL)
++    g_object_unref (data->cancellable);
++
++  g_slice_free (UtilsSpawnData, data);
++}
++
++/* called in the thread where @cancellable was cancelled */
++static void
++utils_on_cancelled (GCancellable *cancellable,
++                    gpointer      user_data)
++{
++  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
++  GError *error;
++
++  error = NULL;
++  g_warn_if_fail (g_cancellable_set_error_if_cancelled (cancellable, &error));
++  g_simple_async_result_take_error (data->simple, error);
++  g_simple_async_result_complete_in_idle (data->simple);
++  g_object_unref (data->simple);
++}
++
++static gboolean
++utils_read_child_stderr (GIOChannel *channel,
++                         GIOCondition condition,
++                         gpointer user_data)
++{
++  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
++  gchar buf[1024];
++  gsize bytes_read;
++
++  g_io_channel_read_chars (channel, buf, sizeof buf, &bytes_read, NULL);
++  g_string_append_len (data->child_stderr, buf, bytes_read);
++  return TRUE;
++}
++
++static gboolean
++utils_read_child_stdout (GIOChannel *channel,
++                         GIOCondition condition,
++                         gpointer user_data)
++{
++  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
++  gchar buf[1024];
++  gsize bytes_read;
++
++  g_io_channel_read_chars (channel, buf, sizeof buf, &bytes_read, NULL);
++  g_string_append_len (data->child_stdout, buf, bytes_read);
++  return TRUE;
++}
++
++static void
++utils_child_watch_cb (GPid     pid,
++                      gint     status,
++                      gpointer user_data)
++{
++  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
++  gchar *buf;
++  gsize buf_size;
++
++  if (g_io_channel_read_to_end (data->child_stdout_channel, &buf, &buf_size, NULL) == G_IO_STATUS_NORMAL)
++    {
++      g_string_append_len (data->child_stdout, buf, buf_size);
++      g_free (buf);
++    }
++  if (g_io_channel_read_to_end (data->child_stderr_channel, &buf, &buf_size, NULL) == G_IO_STATUS_NORMAL)
++    {
++      g_string_append_len (data->child_stderr, buf, buf_size);
++      g_free (buf);
++    }
++
++  data->exit_status = status;
++
++  /* ok, child watch is history, make sure we don't free it in spawn_data_free() */
++  data->child_pid = 0;
++  data->child_watch_source = NULL;
++
++  /* we're done */
++  g_simple_async_result_complete_in_idle (data->simple);
++  g_object_unref (data->simple);
++}
++
++static gboolean
++utils_timeout_cb (gpointer user_data)
++{
++  UtilsSpawnData *data = (UtilsSpawnData *)user_data;
++
++  data->timed_out = TRUE;
++
++  /* ok, timeout is history, make sure we don't free it in spawn_data_free() */
++  data->timeout_source = NULL;
++
++  /* we're done */
++  g_simple_async_result_complete_in_idle (data->simple);
++  g_object_unref (data->simple);
++
++  return FALSE; /* remove source */
++}
++
++static void
++utils_spawn (const gchar *const  *argv,
++             guint                timeout_seconds,
++             GCancellable        *cancellable,
++             GAsyncReadyCallback  callback,
++             gpointer             user_data)
++{
++  UtilsSpawnData *data;
++  GError *error;
++
++  data = g_slice_new0 (UtilsSpawnData);
++  data->timeout_seconds = timeout_seconds;
++  data->simple = g_simple_async_result_new (NULL,
++                                            callback,
++                                            user_data,
++                                            (gpointer*)utils_spawn);
++  data->main_context = g_main_context_get_thread_default ();
++  if (data->main_context != NULL)
++    g_main_context_ref (data->main_context);
++
++  data->cancellable = cancellable != NULL ? (GCancellable*)g_object_ref (cancellable) : NULL;
++
++  data->child_stdout = g_string_new (NULL);
++  data->child_stderr = g_string_new (NULL);
++  data->child_stdout_fd = -1;
++  data->child_stderr_fd = -1;
++
++  /* the life-cycle of UtilsSpawnData is tied to its GSimpleAsyncResult */
++  g_simple_async_result_set_op_res_gpointer (data->simple, data, (GDestroyNotify) utils_spawn_data_free);
++
++  error = NULL;
++  if (data->cancellable != NULL)
++    {
++      /* could already be cancelled */
++      error = NULL;
++      if (g_cancellable_set_error_if_cancelled (data->cancellable, &error))
++        {
++          g_simple_async_result_take_error (data->simple, error);
++          g_simple_async_result_complete_in_idle (data->simple);
++          g_object_unref (data->simple);
++          goto out;
++        }
++
++      data->cancellable_handler_id = g_cancellable_connect (data->cancellable,
++                                                            G_CALLBACK (utils_on_cancelled),
++                                                            data,
++                                                            NULL);
++    }
++
++  error = NULL;
++  if (!g_spawn_async_with_pipes (NULL, /* working directory */
++                                 (gchar **) argv,
++                                 NULL, /* envp */
++                                 G_SPAWN_SEARCH_PATH | G_SPAWN_DO_NOT_REAP_CHILD,
++                                 NULL, /* child_setup */
++                                 NULL, /* child_setup's user_data */
++                                 &(data->child_pid),
++                                 NULL, /* gint *stdin_fd */
++                                 &(data->child_stdout_fd),
++                                 &(data->child_stderr_fd),
++                                 &error))
++    {
++      g_prefix_error (&error, "Error spawning: ");
++      g_simple_async_result_take_error (data->simple, error);
++      g_simple_async_result_complete_in_idle (data->simple);
++      g_object_unref (data->simple);
++      goto out;
++    }
++
++  if (timeout_seconds > 0)
++    {
++      data->timeout_source = g_timeout_source_new_seconds (timeout_seconds);
++      g_source_set_priority (data->timeout_source, G_PRIORITY_DEFAULT);
++      g_source_set_callback (data->timeout_source, utils_timeout_cb, data, NULL);
++      g_source_attach (data->timeout_source, data->main_context);
++      g_source_unref (data->timeout_source);
++    }
++
++  data->child_watch_source = g_child_watch_source_new (data->child_pid);
++  g_source_set_callback (data->child_watch_source, (GSourceFunc) utils_child_watch_cb, data, NULL);
++  g_source_attach (data->child_watch_source, data->main_context);
++  g_source_unref (data->child_watch_source);
++
++  data->child_stdout_channel = g_io_channel_unix_new (data->child_stdout_fd);
++  g_io_channel_set_flags (data->child_stdout_channel, G_IO_FLAG_NONBLOCK, NULL);
++  data->child_stdout_source = g_io_create_watch (data->child_stdout_channel, G_IO_IN);
++  g_source_set_callback (data->child_stdout_source, (GSourceFunc) utils_read_child_stdout, data, NULL);
++  g_source_attach (data->child_stdout_source, data->main_context);
++  g_source_unref (data->child_stdout_source);
++
++  data->child_stderr_channel = g_io_channel_unix_new (data->child_stderr_fd);
++  g_io_channel_set_flags (data->child_stderr_channel, G_IO_FLAG_NONBLOCK, NULL);
++  data->child_stderr_source = g_io_create_watch (data->child_stderr_channel, G_IO_IN);
++  g_source_set_callback (data->child_stderr_source, (GSourceFunc) utils_read_child_stderr, data, NULL);
++  g_source_attach (data->child_stderr_source, data->main_context);
++  g_source_unref (data->child_stderr_source);
++
++ out:
++  ;
++}
++
++gboolean
++utils_spawn_finish (GAsyncResult   *res,
++                    gint           *out_exit_status,
++                    gchar         **out_standard_output,
++                    gchar         **out_standard_error,
++                    GError        **error)
++{
++  GSimpleAsyncResult *simple = G_SIMPLE_ASYNC_RESULT (res);
++  UtilsSpawnData *data;
++  gboolean ret = FALSE;
++
++  g_return_val_if_fail (G_IS_ASYNC_RESULT (res), FALSE);
++  g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
++
++  g_warn_if_fail (g_simple_async_result_get_source_tag (simple) == utils_spawn);
++
++  if (g_simple_async_result_propagate_error (simple, error))
++    goto out;
++
++  data = (UtilsSpawnData*)g_simple_async_result_get_op_res_gpointer (simple);
++
++  if (data->timed_out)
++    {
++      g_set_error (error,
++                   G_IO_ERROR,
++                   G_IO_ERROR_TIMED_OUT,
++                   "Timed out after %d seconds",
++                   data->timeout_seconds);
++      goto out;
++    }
++
++  if (out_exit_status != NULL)
++    *out_exit_status = data->exit_status;
++
++  if (out_standard_output != NULL)
++    *out_standard_output = g_strdup (data->child_stdout->str);
++
++  if (out_standard_error != NULL)
++    *out_standard_error = g_strdup (data->child_stderr->str);
++
++  ret = TRUE;
++
++ out:
++  return ret;
++}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf
new file mode 100644
index 0000000000..9734ff4ba6
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf
@@ -0,0 +1,3 @@
+d   /etc/polkit-1           -       -       -       -   -
+d   /etc/polkit-1/rules.d   0700    polkitd root    -   -
+d   /var/lib/polkit-1       0700    polkitd polkitd -   -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild
index 1fd9a3e3fe..287131c247 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=7
 
-inherit autotools pam pax-utils systemd xdg-utils
+TMPFILES_OPTIONAL=1
+inherit autotools pam pax-utils systemd xdg-utils tmpfiles
 
 DESCRIPTION="Policy framework for controlling privileges for system-wide services"
 HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
@@ -32,7 +33,7 @@ BDEPEND="
 	introspection? ( dev-libs/gobject-introspection )
 "
 DEPEND="
-	dev-lang/spidermonkey:78[-debug]
+	dev-lang/duktape
 	dev-libs/glib:2
 	dev-libs/expat
 	elogind? ( sys-auth/elogind )
@@ -59,6 +60,9 @@ DOCS=( docs/TODO HACKING NEWS README )
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-0.115-elogind.patch # bug 660880
+
+	# from https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
+	"${FILESDIR}"/35_WIP_Add_duktape_as_javascript_engine.patch
 )
 
 QA_MULTILIB_PATHS="
@@ -92,6 +96,7 @@ src_configure() {
 		--enable-man-pages
 		--disable-gtk-doc
 		--disable-examples
+		--with-duktape
 		$(use_enable elogind libelogind)
 		$(use_enable introspection)
 		$(use_enable nls)
@@ -115,6 +120,16 @@ src_compile() {
 src_install() {
 	default
 
+	dodir /usr/share/polkit-1/rules.d
+	dodir /usr/lib/pam.d
+
+	mv "${D}"/{etc,usr/share}/polkit-1/rules.d/50-default.rules || die
+	mv "${D}"/{etc,usr/lib}/pam.d/polkit-1 || die
+	rmdir "${D}"/etc/polkit-1/rules.d "${D}"/etc/polkit-1 || die
+	rmdir "${D}"/etc/pam.d || die
+
+	dotmpfiles "${FILESDIR}/polkit.conf"
+
 	if use examples; then
 		docinto examples
 		dodoc src/examples/{*.c,*.policy*}
@@ -125,8 +140,3 @@ src_install() {
 
 	find "${ED}" -name '*.la' -delete || die
 }
-
-pkg_postinst() {
-	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
-	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
-}

From 4901c02cd67bd56626b9c2094d8d63026c3eddd2 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 20:14:20 +0100
Subject: [PATCH 26/37] sys-auth/realmd: Port to tmpfiles eclass

---
 .../realmd/{realmd-0.17.0.ebuild => realmd-0.17.0-r1.ebuild} | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-auth/realmd/{realmd-0.17.0.ebuild => realmd-0.17.0-r1.ebuild} (91%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/realmd/realmd-0.17.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/realmd/realmd-0.17.0-r1.ebuild
similarity index 91%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/realmd/realmd-0.17.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/realmd/realmd-0.17.0-r1.ebuild
index deffd89ac5..1a05d9e614 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/realmd/realmd-0.17.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/realmd/realmd-0.17.0-r1.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=7
 
-inherit autotools systemd
+TMPFILES_OPTIONAL=1
+inherit autotools systemd tmpfiles
 
 DESCRIPTION="DBus service for configuring kerberos and other online identities"
 HOMEPAGE="http://cgit.freedesktop.org/realmd/realmd/"
@@ -47,6 +48,6 @@ src_configure() {
 }
 
 src_install() {
-	systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/${PN}.conf"
+	dotmpfiles "${FILESDIR}/tmpfiles.d/${PN}.conf"
 	default
 }

From 8701aa0a72720ee7688ed6f12c5fdc786084c0a1 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:35:21 +0100
Subject: [PATCH 27/37] sys-auth/sssd: Clean slate to reapply our changes

---
 .../sssd/files/sssd-2.3.1-CVE-2021-3621.patch | 284 ------------------
 .../sssd-2.3.1-disable-nsupdate-realm.patch   |  10 -
 .../sys-auth/sssd/files/sssd.service          |   9 +-
 .../sys-auth/sssd/files/tmpfiles.d/sssd.conf  |  13 -
 ...d-2.3.1-r4.ebuild => sssd-2.3.1-r2.ebuild} |  66 ++--
 5 files changed, 33 insertions(+), 349 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
 rename sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/{sssd-2.3.1-r4.ebuild => sssd-2.3.1-r2.ebuild} (80%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch
deleted file mode 100644
index 477f5b9c22..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch
+++ /dev/null
@@ -1,284 +0,0 @@
-From 9377cc4c25a1d889e241f23ec7efcd40fced3c63 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 18 Jun 2021 13:17:19 +0200
-Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
- user supplied command
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-:relnote: A flaw was found in SSSD, where the sssctl command was
-vulnerable to shell command injection via the logs-fetch and
-cache-expire subcommands. This flaw allows an attacker to trick
-the root user into running a specially crafted sssctl command,
-such as via sudo, to gain root access. The highest threat from this
-vulnerability is to confidentiality, integrity, as well as system
-availability.
-This patch fixes a flaw by replacing system() with execvp().
-
-:fixes: CVE-2021-3621
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
- src/tools/sssctl/sssctl.h      |  2 +-
- src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
- src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
- 4 files changed, 73 insertions(+), 57 deletions(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 2997dbf96..8adaf3091 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
-     return SSSCTL_PROMPT_ERROR;
- }
- 
--errno_t sssctl_run_command(const char *command)
-+errno_t sssctl_run_command(const char *const argv[])
- {
-     int ret;
-+    int wstatus;
- 
--    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
-+    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
- 
--    ret = system(command);
-+    ret = fork();
-     if (ret == -1) {
--        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
-         ERROR("Error while executing external command\n");
-         return EFAULT;
--    } else if (WEXITSTATUS(ret) != 0) {
--        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
--              command, WEXITSTATUS(ret));
-+    }
-+
-+    if (ret == 0) {
-+        /* cast is safe - see
-+        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
-+        "The statement about argv[] and envp[] being constants ... "
-+        */
-+        execvp(argv[0], discard_const_p(char * const, argv));
-         ERROR("Error while executing external command\n");
--        return EIO;
-+        _exit(1);
-+    } else {
-+        if (waitpid(ret, &wstatus, 0) == -1) {
-+            ERROR("Error while executing external command '%s'\n", argv[0]);
-+            return EFAULT;
-+        } else if (WEXITSTATUS(wstatus) != 0) {
-+            ERROR("Command '%s' failed with [%d]\n",
-+                  argv[0], WEXITSTATUS(wstatus));
-+            return EIO;
-+        }
-     }
- 
-     return EOK;
-@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
- #elif defined(HAVE_SERVICE)
-     switch (action) {
-     case SSSCTL_SVC_START:
--        return sssctl_run_command(SERVICE_PATH" sssd start");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
-     case SSSCTL_SVC_STOP:
--        return sssctl_run_command(SERVICE_PATH" sssd stop");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
-     case SSSCTL_SVC_RESTART:
--        return sssctl_run_command(SERVICE_PATH" sssd restart");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
-     }
- #endif
- 
-diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
-index 0115b2457..599ef6519 100644
---- a/src/tools/sssctl/sssctl.h
-+++ b/src/tools/sssctl/sssctl.h
-@@ -47,7 +47,7 @@ enum sssctl_prompt_result
- sssctl_prompt(const char *message,
-               enum sssctl_prompt_result defval);
- 
--errno_t sssctl_run_command(const char *command);
-+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
- bool sssctl_start_sssd(bool force);
- bool sssctl_stop_sssd(bool force);
- bool sssctl_restart_sssd(bool force);
-diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
-index 8d79b977f..bf2291341 100644
---- a/src/tools/sssctl/sssctl_data.c
-+++ b/src/tools/sssctl/sssctl_data.c
-@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
-         }
-     }
- 
--    ret = sssctl_run_command("sss_override user-export "
--                             SSS_BACKUP_USER_OVERRIDES);
-+    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
-+                                              SSS_BACKUP_USER_OVERRIDES, NULL});
-     if (ret != EOK) {
-         ERROR("Unable to export user overrides\n");
-         return ret;
-     }
- 
--    ret = sssctl_run_command("sss_override group-export "
--                             SSS_BACKUP_GROUP_OVERRIDES);
-+    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
-+                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
-     if (ret != EOK) {
-         ERROR("Unable to export group overrides\n");
-         return ret;
-@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
-     }
- 
-     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
--        ret = sssctl_run_command("sss_override user-import "
--                                 SSS_BACKUP_USER_OVERRIDES);
-+        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
-+                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
-         if (ret != EOK) {
-             ERROR("Unable to import user overrides\n");
-             return ret;
-@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
-     }
- 
-     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
--        ret = sssctl_run_command("sss_override group-import "
--                                 SSS_BACKUP_GROUP_OVERRIDES);
-+        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
-+                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
-         if (ret != EOK) {
-             ERROR("Unable to import group overrides\n");
-             return ret;
-@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
-                             void *pvt)
- {
-     errno_t ret;
--    char *cmd_args = NULL;
--    const char *cachecmd = SSS_CACHE;
--    char *cmd = NULL;
--    int i;
--
--    if (cmdline->argc == 0) {
--        ret = sssctl_run_command(cachecmd);
--        goto done;
--    }
- 
--    cmd_args = talloc_strdup(tool_ctx, "");
--    if (cmd_args == NULL) {
--        ret = ENOMEM;
--        goto done;
-+    const char **args = talloc_array_size(tool_ctx,
-+                                          sizeof(char *),
-+                                          cmdline->argc + 2);
-+    if (!args) {
-+        return ENOMEM;
-     }
-+    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
-+    args[0] = SSS_CACHE;
-+    args[cmdline->argc + 1] = NULL;
- 
--    for (i = 0; i < cmdline->argc; i++) {
--        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
--        if (i != cmdline->argc - 1) {
--            cmd_args = talloc_strdup_append(cmd_args, " ");
--        }
--    }
--
--    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
--    if (cmd == NULL) {
--        ret = ENOMEM;
--        goto done;
--    }
--
--    ret = sssctl_run_command(cmd);
--
--done:
--    talloc_free(cmd_args);
--    talloc_free(cmd);
-+    ret = sssctl_run_command(args);
- 
-+    talloc_free(args);
-     return ret;
- }
-diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
-index 04a32bad8..ebb2c4571 100644
---- a/src/tools/sssctl/sssctl_logs.c
-+++ b/src/tools/sssctl/sssctl_logs.c
-@@ -31,6 +31,7 @@
- #include <ldb.h>
- #include <popt.h>
- #include <stdio.h>
-+#include <glob.h>
- 
- #include "util/util.h"
- #include "tools/common/sss_process.h"
-@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- {
-     struct sssctl_logs_opts opts = {0};
-     errno_t ret;
-+    glob_t globbuf;
- 
-     /* Parse command line. */
-     struct poptOption options[] = {
-@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- 
-         sss_signal(SIGHUP);
-     } else {
-+        globbuf.gl_offs = 4;
-+        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+        if (ret != 0) {
-+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+            return ret;
-+        }
-+        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
-+        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
-+        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
-+        globbuf.gl_pathv[3] = discard_const_p(char, "0");
-+
-         PRINT("Truncating log files...\n");
--        ret = sssctl_run_command("truncate --size 0 " LOG_FILES);
-+        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+        globfree(&globbuf);
-         if (ret != EOK) {
-             ERROR("Unable to truncate log files\n");
-             return ret;
-@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
-                           void *pvt)
- {
-     const char *file;
--    const char *cmd;
-     errno_t ret;
-+    glob_t globbuf;
- 
-     /* Parse command line. */
-     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
-@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
-         return ret;
-     }
- 
--    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
--    if (cmd == NULL) {
--        ERROR("Out of memory!");
-+    globbuf.gl_offs = 3;
-+    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+    if (ret != 0) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+        return ret;
-     }
-+    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
-+    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
-+    globbuf.gl_pathv[2] = discard_const_p(char, file);
- 
-     PRINT("Archiving log files into %s...\n", file);
--    ret = sssctl_run_command(cmd);
-+    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+    globfree(&globbuf);
-     if (ret != EOK) {
-         ERROR("Unable to archive log files\n");
-         return ret;
--- 
-2.25.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch
deleted file mode 100644
index 7d80dc8415..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/src/external/nsupdate.m4	2020-11-05 16:27:14.661566136 +0100
-+++ b/src/external/nsupdate.m4	2020-11-05 16:27:30.060674381 +0100
-@@ -9,7 +9,6 @@
-     AC_MSG_RESULT([yes])
-   else
-     AC_MSG_RESULT([no])
--    AC_MSG_ERROR([nsupdate does not support 'realm'])
-   fi
- 
- else
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
index a6afb4682c..1821089a60 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
@@ -1,10 +1,15 @@
 [Unit]
 Description=System Security Services Daemon
-After=nscd.service
+# SSSD will not be started until syslog is
+After=syslog.target
 
 [Service]
-ExecStart=/usr/sbin/sssd -i
+ExecStart=/usr/sbin/sssd -D -f
+# These two should be used with traditional UNIX forking daemons
+# consult systemd.service(5) for more details
+Type=forking
 PIDFile=/run/sssd.pid
 
 [Install]
 WantedBy=multi-user.target
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
deleted file mode 100644
index f8074a4332..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-d /etc/sssd			0700	root	root	-	-
-C /etc/sssd/sssd.conf		0600	root	root	-	/usr/share/sssd/sssd-example.conf
-d /var/lib/sss			-	root	root	-	-
-d /var/lib/sss/deskprofile	0755	root	root	-	-
-d /var/lib/sss/db		0700	root	root	-	-
-d /var/lib/sss/gpo_cache	0755	root	root	-	-
-d /var/lib/sss/keytabs		0700	root	root	-	-
-d /var/lib/sss/mc		0700	root	root	-	-
-d /var/lib/sss/pipes		-	root	root	-	-
-d /var/lib/sss/pipes/private	0700	root	root	-	-
-d /var/lib/sss/pubconf		0700	root	root	-	-
-d /var/lib/sss/pubconf/krb5.include.d	0700	root	root	-	-
-d /var/lib/sss/secrets		0755	root	root	-	-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild
similarity index 80%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild
index a6ffb73404..c5c20e6794 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild
@@ -1,22 +1,16 @@
-# Flatcar modifications:
-# - changed files/sssd.service
-# - added files/tmpfiles.d/sssd.conf
-# - other ebuild modifications marked below
-#
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_7 )
 
 inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs
 
 DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
 HOMEPAGE="https://github.com/SSSD/sssd"
 SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz"
-# Flatcar: stabilize arm64
-KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
+KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
 
 LICENSE="GPL-3"
 SLOT="0"
@@ -26,8 +20,6 @@ RESTRICT="!test? ( test )"
 REQUIRED_USE="pac? ( samba )
 	python? ( ${PYTHON_REQUIRED_USE} )"
 
-# Flatcar: do not force gssapi for >=net-dns/bind-tools-9.9
-# do not force winbind for net-fs/samba
 DEPEND="
 	>=app-crypt/mit-krb5-1.10.3
 	app-crypt/p11-kit
@@ -37,7 +29,7 @@ DEPEND="
 	>=dev-libs/libpcre-8.30:=
 	>=dev-libs/popt-1.16
 	>=dev-libs/openssl-1.0.2:0=
-	>=net-dns/bind-tools-9.9
+	>=net-dns/bind-tools-9.9[gssapi]
 	>=net-dns/c-ares-1.7.4
 	>=net-nds/openldap-2.4.30[sasl]
 	>=sys-apps/dbus-1.6
@@ -61,7 +53,7 @@ DEPEND="
 		net-fs/samba
 	)
 	python? ( ${PYTHON_DEPS} )
-	samba? ( >=net-fs/samba-4.10.2 )
+	samba? ( >=net-fs/samba-4.10.2[winbind] )
 	selinux? (
 		>=sys-libs/libselinux-2.1.9
 		>=sys-libs/libsemanage-2.1
@@ -77,9 +69,8 @@ RDEPEND="${DEPEND}
 	>=sys-libs/glibc-2.17[nscd]
 	selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )
 	"
-# Flatcar: require only autoconf:2.69
-BDEPEND="
-	sys-devel/autoconf:2.69
+BDEPEND="${DEPEND}
+	>=sys-devel/autoconf-2.69-r5
 	doc? ( app-doc/doxygen )
 	test? (
 		dev-libs/check
@@ -113,9 +104,6 @@ MULTILIB_WRAPPED_HEADERS=(
 
 PATCHES=(
 	"${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch
-	"${FILESDIR}"/${P}-disable-nsupdate-realm.patch
-	# Flatcar: add a patch for CVE-2021-3621
-	"${FILESDIR}"/${P}-CVE-2021-3621.patch
 )
 
 pkg_setup() {
@@ -145,6 +133,7 @@ multilib_src_configure() {
 
 	myconf+=(
 		--localstatedir="${EPREFIX}"/var
+		--runstatedir="${EPREFIX}"/run
 		--with-pid-path="${EPREFIX}"/run
 		--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
 		--enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
@@ -160,12 +149,6 @@ multilib_src_configure() {
 		--with-nscd="${EPREFIX}"/usr/sbin/nscd
 		--with-unicode-lib="glib2"
 		--disable-rpath
-		# Flatcar: make nss lookups succeed when not running
-		--enable-sss-default-nss-plugin
-		# Flatcar: prevent cross-compilation error
-		# when autotools does not want to compile and run the test
-		$(use_with samba smb-idmap-interface-version=6)
-		#
 		--sbindir=/usr/sbin
 		--with-crypto="libcrypto"
 		--enable-local-provider
@@ -195,11 +178,6 @@ multilib_src_configure() {
 		myconf+=(
 			--with-initscript="systemd"
 			--with-systemdunitdir=$(systemd_get_systemunitdir)
-			# Flatcar: Set the systemd system
-			# configuration directory explicitly through
-			# _systemd_get_dir, as it will do the right
-			# thing in cross-compilation environment.
-			--with-systemdconfdir=$(_systemd_get_dir systemdsystemconfdir /etc/systemd/system)
 		)
 	else
 		myconf+=(--with-initscript="sysv")
@@ -230,8 +208,7 @@ multilib_src_configure() {
 
 multilib_src_compile() {
 	if multilib_is_native_abi; then
-		# Flatcar: add runstatedir to make commands to avoid configure error
-		default runstatedir="${EPREFIX}"/run
+		default
 		use doc && emake docs
 		if use man || use nls; then
 			emake update-po
@@ -245,9 +222,7 @@ multilib_src_compile() {
 
 multilib_src_install() {
 	if multilib_is_native_abi; then
-		# Flatcar: add runstatedir, sysconfdir
-		emake -j1 DESTDIR="${D}" runstatedir="${EPREFIX}"/run \
-			sysconfdir="/usr/share" "${_at_args[@]}" install
+		emake -j1 DESTDIR="${D}" "${_at_args[@]}" install
 		if use python; then
 			python_optimize
 			python_fix_shebang "${ED}"
@@ -276,15 +251,26 @@ multilib_src_install_all() {
 	einstalldocs
 	find "${ED}" -type f -name '*.la' -delete || die
 
-	# Flatcar: store on /usr
-	insinto /usr/share/sssd
+	insinto /etc/sssd
+	insopts -m600
 	doins "${S}"/src/examples/sssd-example.conf
 
-	# Flatcar: delete, remove /var files taken care of by tmpfiles
+	insinto /etc/logrotate.d
+	insopts -m644
+	newins "${S}"/src/examples/logrotate sssd
+
+	newconfd "${FILESDIR}"/sssd.conf sssd
+
+	keepdir /var/lib/sss/db
+	keepdir /var/lib/sss/deskprofile
+	keepdir /var/lib/sss/gpo_cache
+	keepdir /var/lib/sss/keytabs
+	keepdir /var/lib/sss/mc
+	keepdir /var/lib/sss/pipes/private
+	keepdir /var/lib/sss/pubconf/krb5.include.d
+	keepdir /var/lib/sss/secrets
+	keepdir /var/log/sssd
 
-	# Flatcar: add tmpfile directive and remove /etc/rc.d
-	systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/sssd.conf"
-	rm -rf "${D}/etc/rc.d"
 	# strip empty dirs
 	if ! use doc ; then
 		rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die

From d21dfd4f93c12c84ac6f3460e9d95f818e987191 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:36:25 +0100
Subject: [PATCH 28/37] sys-auth/sssd: Apply Flatcar modifications

  - Make BDEPEND independent from DEPEND (The `BDEPEND` is a
    build-time requirement, so it should not be included in the whole
    `DEPEND` list. If it does, an installation of `sys-auth/sssd`
    causes other dependencies to be installed not only in the
    `/build`, but also under the SDK. That's not what we want, so we
    need to exclude `BDEPEND` from the list.)

  - Move runstatedir option from configure to make (Now that the
    upstream sssd 2.3.1 does not support `--runstatedir` option from
    its configure script, we need to remove the option, to unblock the
    configure issue like `unrecognized option --runstatedir`.  Instead
    we need to pass `runstatedir=` to emake commands.)

  - Disable realm check for nsupdate (At the moment bind-tools does
    not enable `gssapi`, so its `nsupdate` tool is also not able to
    run `realm` command. As a result, configure script of `sssd` fails
    when running `echo realm | nsupdate`, like `syntax error`.

    To avoid such issues, we need to disable the nsupdate check for
    now.  After we could enable `gssapi` for the SDK correctly, we can
    bring back the nsupdate check in the future.)

  - Add patch for CVE-2021-3621

  - Set the conf dir path explicitly (Without passing the
    --with-systemdconfdir flag, the configure script will query
    pkg-config for the directory itself. In the cross-compilation
    setup that we have, this will result in a path sysroot prepended
    to the path twice. systemd.eclass has a workaround for this issue,
    but it does not provide an elegant getter of the system
    configuration directory, thus we call `_systemd_get_dir`
    ourselves.)

  - Make it compatible with newer python versions.
---
 .../sssd/files/sssd-2.3.1-CVE-2021-3621.patch | 284 ++++++++++++++++++
 .../sssd-2.3.1-disable-nsupdate-realm.patch   |  10 +
 .../sys-auth/sssd/files/sssd.service          |   9 +-
 .../sys-auth/sssd/files/tmpfiles.d/sssd.conf  |  13 +
 ...d-2.3.1-r2.ebuild => sssd-2.3.1-r4.ebuild} |  69 +++--
 5 files changed, 351 insertions(+), 34 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
 rename sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/{sssd-2.3.1-r2.ebuild => sssd-2.3.1-r4.ebuild} (79%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch
new file mode 100644
index 0000000000..477f5b9c22
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch
@@ -0,0 +1,284 @@
+From 9377cc4c25a1d889e241f23ec7efcd40fced3c63 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 18 Jun 2021 13:17:19 +0200
+Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
+ user supplied command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+:relnote: A flaw was found in SSSD, where the sssctl command was
+vulnerable to shell command injection via the logs-fetch and
+cache-expire subcommands. This flaw allows an attacker to trick
+the root user into running a specially crafted sssctl command,
+such as via sudo, to gain root access. The highest threat from this
+vulnerability is to confidentiality, integrity, as well as system
+availability.
+This patch fixes a flaw by replacing system() with execvp().
+
+:fixes: CVE-2021-3621
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
+ src/tools/sssctl/sssctl.h      |  2 +-
+ src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
+ src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
+ 4 files changed, 73 insertions(+), 57 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 2997dbf96..8adaf3091 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
+     return SSSCTL_PROMPT_ERROR;
+ }
+ 
+-errno_t sssctl_run_command(const char *command)
++errno_t sssctl_run_command(const char *const argv[])
+ {
+     int ret;
++    int wstatus;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
++    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
+ 
+-    ret = system(command);
++    ret = fork();
+     if (ret == -1) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
+         ERROR("Error while executing external command\n");
+         return EFAULT;
+-    } else if (WEXITSTATUS(ret) != 0) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
+-              command, WEXITSTATUS(ret));
++    }
++
++    if (ret == 0) {
++        /* cast is safe - see
++        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
++        "The statement about argv[] and envp[] being constants ... "
++        */
++        execvp(argv[0], discard_const_p(char * const, argv));
+         ERROR("Error while executing external command\n");
+-        return EIO;
++        _exit(1);
++    } else {
++        if (waitpid(ret, &wstatus, 0) == -1) {
++            ERROR("Error while executing external command '%s'\n", argv[0]);
++            return EFAULT;
++        } else if (WEXITSTATUS(wstatus) != 0) {
++            ERROR("Command '%s' failed with [%d]\n",
++                  argv[0], WEXITSTATUS(wstatus));
++            return EIO;
++        }
+     }
+ 
+     return EOK;
+@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
+ #elif defined(HAVE_SERVICE)
+     switch (action) {
+     case SSSCTL_SVC_START:
+-        return sssctl_run_command(SERVICE_PATH" sssd start");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
+     case SSSCTL_SVC_STOP:
+-        return sssctl_run_command(SERVICE_PATH" sssd stop");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
+     case SSSCTL_SVC_RESTART:
+-        return sssctl_run_command(SERVICE_PATH" sssd restart");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
+     }
+ #endif
+ 
+diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
+index 0115b2457..599ef6519 100644
+--- a/src/tools/sssctl/sssctl.h
++++ b/src/tools/sssctl/sssctl.h
+@@ -47,7 +47,7 @@ enum sssctl_prompt_result
+ sssctl_prompt(const char *message,
+               enum sssctl_prompt_result defval);
+ 
+-errno_t sssctl_run_command(const char *command);
++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
+ bool sssctl_start_sssd(bool force);
+ bool sssctl_stop_sssd(bool force);
+ bool sssctl_restart_sssd(bool force);
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 8d79b977f..bf2291341 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
+         }
+     }
+ 
+-    ret = sssctl_run_command("sss_override user-export "
+-                             SSS_BACKUP_USER_OVERRIDES);
++    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
++                                              SSS_BACKUP_USER_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export user overrides\n");
+         return ret;
+     }
+ 
+-    ret = sssctl_run_command("sss_override group-export "
+-                             SSS_BACKUP_GROUP_OVERRIDES);
++    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
++                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export group overrides\n");
+         return ret;
+@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override user-import "
+-                                 SSS_BACKUP_USER_OVERRIDES);
++        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
++                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import user overrides\n");
+             return ret;
+@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override group-import "
+-                                 SSS_BACKUP_GROUP_OVERRIDES);
++        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
++                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import group overrides\n");
+             return ret;
+@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+                             void *pvt)
+ {
+     errno_t ret;
+-    char *cmd_args = NULL;
+-    const char *cachecmd = SSS_CACHE;
+-    char *cmd = NULL;
+-    int i;
+-
+-    if (cmdline->argc == 0) {
+-        ret = sssctl_run_command(cachecmd);
+-        goto done;
+-    }
+ 
+-    cmd_args = talloc_strdup(tool_ctx, "");
+-    if (cmd_args == NULL) {
+-        ret = ENOMEM;
+-        goto done;
++    const char **args = talloc_array_size(tool_ctx,
++                                          sizeof(char *),
++                                          cmdline->argc + 2);
++    if (!args) {
++        return ENOMEM;
+     }
++    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
++    args[0] = SSS_CACHE;
++    args[cmdline->argc + 1] = NULL;
+ 
+-    for (i = 0; i < cmdline->argc; i++) {
+-        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
+-        if (i != cmdline->argc - 1) {
+-            cmd_args = talloc_strdup_append(cmd_args, " ");
+-        }
+-    }
+-
+-    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
+-    if (cmd == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    ret = sssctl_run_command(cmd);
+-
+-done:
+-    talloc_free(cmd_args);
+-    talloc_free(cmd);
++    ret = sssctl_run_command(args);
+ 
++    talloc_free(args);
+     return ret;
+ }
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index 04a32bad8..ebb2c4571 100644
+--- a/src/tools/sssctl/sssctl_logs.c
++++ b/src/tools/sssctl/sssctl_logs.c
+@@ -31,6 +31,7 @@
+ #include <ldb.h>
+ #include <popt.h>
+ #include <stdio.h>
++#include <glob.h>
+ 
+ #include "util/util.h"
+ #include "tools/common/sss_process.h"
+@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ {
+     struct sssctl_logs_opts opts = {0};
+     errno_t ret;
++    glob_t globbuf;
+ 
+     /* Parse command line. */
+     struct poptOption options[] = {
+@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ 
+         sss_signal(SIGHUP);
+     } else {
++        globbuf.gl_offs = 4;
++        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++        if (ret != 0) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++            return ret;
++        }
++        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
++        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
++        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
++        globbuf.gl_pathv[3] = discard_const_p(char, "0");
++
+         PRINT("Truncating log files...\n");
+-        ret = sssctl_run_command("truncate --size 0 " LOG_FILES);
++        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++        globfree(&globbuf);
+         if (ret != EOK) {
+             ERROR("Unable to truncate log files\n");
+             return ret;
+@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+                           void *pvt)
+ {
+     const char *file;
+-    const char *cmd;
+     errno_t ret;
++    glob_t globbuf;
+ 
+     /* Parse command line. */
+     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
+@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+         return ret;
+     }
+ 
+-    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
+-    if (cmd == NULL) {
+-        ERROR("Out of memory!");
++    globbuf.gl_offs = 3;
++    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++    if (ret != 0) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++        return ret;
+     }
++    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
++    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
++    globbuf.gl_pathv[2] = discard_const_p(char, file);
+ 
+     PRINT("Archiving log files into %s...\n", file);
+-    ret = sssctl_run_command(cmd);
++    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++    globfree(&globbuf);
+     if (ret != EOK) {
+         ERROR("Unable to archive log files\n");
+         return ret;
+-- 
+2.25.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch
new file mode 100644
index 0000000000..7d80dc8415
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch
@@ -0,0 +1,10 @@
+--- a/src/external/nsupdate.m4	2020-11-05 16:27:14.661566136 +0100
++++ b/src/external/nsupdate.m4	2020-11-05 16:27:30.060674381 +0100
+@@ -9,7 +9,6 @@
+     AC_MSG_RESULT([yes])
+   else
+     AC_MSG_RESULT([no])
+-    AC_MSG_ERROR([nsupdate does not support 'realm'])
+   fi
+ 
+ else
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
index 1821089a60..a6afb4682c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
@@ -1,15 +1,10 @@
 [Unit]
 Description=System Security Services Daemon
-# SSSD will not be started until syslog is
-After=syslog.target
+After=nscd.service
 
 [Service]
-ExecStart=/usr/sbin/sssd -D -f
-# These two should be used with traditional UNIX forking daemons
-# consult systemd.service(5) for more details
-Type=forking
+ExecStart=/usr/sbin/sssd -i
 PIDFile=/run/sssd.pid
 
 [Install]
 WantedBy=multi-user.target
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
new file mode 100644
index 0000000000..f8074a4332
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
@@ -0,0 +1,13 @@
+d /etc/sssd			0700	root	root	-	-
+C /etc/sssd/sssd.conf		0600	root	root	-	/usr/share/sssd/sssd-example.conf
+d /var/lib/sss			-	root	root	-	-
+d /var/lib/sss/deskprofile	0755	root	root	-	-
+d /var/lib/sss/db		0700	root	root	-	-
+d /var/lib/sss/gpo_cache	0755	root	root	-	-
+d /var/lib/sss/keytabs		0700	root	root	-	-
+d /var/lib/sss/mc		0700	root	root	-	-
+d /var/lib/sss/pipes		-	root	root	-	-
+d /var/lib/sss/pipes/private	0700	root	root	-	-
+d /var/lib/sss/pubconf		0700	root	root	-	-
+d /var/lib/sss/pubconf/krb5.include.d	0700	root	root	-	-
+d /var/lib/sss/secrets		0755	root	root	-	-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild
similarity index 79%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild
index c5c20e6794..f1c75c95f1 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild
@@ -1,16 +1,23 @@
+# Flatcar modifications:
+# - changed files/sssd.service
+# - added files/tmpfiles.d/sssd.conf
+# - other ebuild modifications marked below
+#
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_7 )
+PYTHON_COMPAT=( python3_{6..10} )
 
-inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs
+TMPFILES_OPTIONAL=1
+inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs tmpfiles
 
 DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
 HOMEPAGE="https://github.com/SSSD/sssd"
 SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz"
-KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
+# Flatcar: stabilize arm64
+KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
 
 LICENSE="GPL-3"
 SLOT="0"
@@ -20,6 +27,8 @@ RESTRICT="!test? ( test )"
 REQUIRED_USE="pac? ( samba )
 	python? ( ${PYTHON_REQUIRED_USE} )"
 
+# Flatcar: do not force gssapi for >=net-dns/bind-tools-9.9
+# do not force winbind for net-fs/samba
 DEPEND="
 	>=app-crypt/mit-krb5-1.10.3
 	app-crypt/p11-kit
@@ -29,7 +38,7 @@ DEPEND="
 	>=dev-libs/libpcre-8.30:=
 	>=dev-libs/popt-1.16
 	>=dev-libs/openssl-1.0.2:0=
-	>=net-dns/bind-tools-9.9[gssapi]
+	>=net-dns/bind-tools-9.9
 	>=net-dns/c-ares-1.7.4
 	>=net-nds/openldap-2.4.30[sasl]
 	>=sys-apps/dbus-1.6
@@ -53,7 +62,7 @@ DEPEND="
 		net-fs/samba
 	)
 	python? ( ${PYTHON_DEPS} )
-	samba? ( >=net-fs/samba-4.10.2[winbind] )
+	samba? ( >=net-fs/samba-4.10.2 )
 	selinux? (
 		>=sys-libs/libselinux-2.1.9
 		>=sys-libs/libsemanage-2.1
@@ -69,8 +78,9 @@ RDEPEND="${DEPEND}
 	>=sys-libs/glibc-2.17[nscd]
 	selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )
 	"
-BDEPEND="${DEPEND}
-	>=sys-devel/autoconf-2.69-r5
+# Flatcar: require only autoconf:2.69
+BDEPEND="
+	sys-devel/autoconf:2.69
 	doc? ( app-doc/doxygen )
 	test? (
 		dev-libs/check
@@ -104,6 +114,9 @@ MULTILIB_WRAPPED_HEADERS=(
 
 PATCHES=(
 	"${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch
+	"${FILESDIR}"/${P}-disable-nsupdate-realm.patch
+	# Flatcar: add a patch for CVE-2021-3621
+	"${FILESDIR}"/${P}-CVE-2021-3621.patch
 )
 
 pkg_setup() {
@@ -133,7 +146,6 @@ multilib_src_configure() {
 
 	myconf+=(
 		--localstatedir="${EPREFIX}"/var
-		--runstatedir="${EPREFIX}"/run
 		--with-pid-path="${EPREFIX}"/run
 		--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
 		--enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
@@ -149,6 +161,12 @@ multilib_src_configure() {
 		--with-nscd="${EPREFIX}"/usr/sbin/nscd
 		--with-unicode-lib="glib2"
 		--disable-rpath
+		# Flatcar: make nss lookups succeed when not running
+		--enable-sss-default-nss-plugin
+		# Flatcar: prevent cross-compilation error
+		# when autotools does not want to compile and run the test
+		$(use_with samba smb-idmap-interface-version=6)
+		#
 		--sbindir=/usr/sbin
 		--with-crypto="libcrypto"
 		--enable-local-provider
@@ -178,6 +196,11 @@ multilib_src_configure() {
 		myconf+=(
 			--with-initscript="systemd"
 			--with-systemdunitdir=$(systemd_get_systemunitdir)
+			# Flatcar: Set the systemd system
+			# configuration directory explicitly through
+			# _systemd_get_dir, as it will do the right
+			# thing in cross-compilation environment.
+			--with-systemdconfdir=$(_systemd_get_dir systemdsystemconfdir /etc/systemd/system)
 		)
 	else
 		myconf+=(--with-initscript="sysv")
@@ -208,7 +231,8 @@ multilib_src_configure() {
 
 multilib_src_compile() {
 	if multilib_is_native_abi; then
-		default
+		# Flatcar: add runstatedir to make commands to avoid configure error
+		default runstatedir="${EPREFIX}"/run
 		use doc && emake docs
 		if use man || use nls; then
 			emake update-po
@@ -222,7 +246,9 @@ multilib_src_compile() {
 
 multilib_src_install() {
 	if multilib_is_native_abi; then
-		emake -j1 DESTDIR="${D}" "${_at_args[@]}" install
+		# Flatcar: add runstatedir, sysconfdir
+		emake -j1 DESTDIR="${D}" runstatedir="${EPREFIX}"/run \
+			sysconfdir="/usr/share" "${_at_args[@]}" install
 		if use python; then
 			python_optimize
 			python_fix_shebang "${ED}"
@@ -251,26 +277,15 @@ multilib_src_install_all() {
 	einstalldocs
 	find "${ED}" -type f -name '*.la' -delete || die
 
-	insinto /etc/sssd
-	insopts -m600
+	# Flatcar: store on /usr
+	insinto /usr/share/sssd
 	doins "${S}"/src/examples/sssd-example.conf
 
-	insinto /etc/logrotate.d
-	insopts -m644
-	newins "${S}"/src/examples/logrotate sssd
-
-	newconfd "${FILESDIR}"/sssd.conf sssd
-
-	keepdir /var/lib/sss/db
-	keepdir /var/lib/sss/deskprofile
-	keepdir /var/lib/sss/gpo_cache
-	keepdir /var/lib/sss/keytabs
-	keepdir /var/lib/sss/mc
-	keepdir /var/lib/sss/pipes/private
-	keepdir /var/lib/sss/pubconf/krb5.include.d
-	keepdir /var/lib/sss/secrets
-	keepdir /var/log/sssd
+	# Flatcar: delete, remove /var files taken care of by tmpfiles
 
+	# Flatcar: add tmpfile directive and remove /etc/rc.d
+	dotmpfiles "${FILESDIR}/tmpfiles.d/sssd.conf"
+	rm -rf "${D}/etc/rc.d"
 	# strip empty dirs
 	if ! use doc ; then
 		rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die

From 926b66861ca72f0a4b08424d24b52ac0f72a60be Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:43:13 +0100
Subject: [PATCH 29/37] sys-block/open-iscsi: Clean slate to reapply our
 changes

---
 .../open-iscsi/open-iscsi-2.1.4-r1.ebuild     | 65 ++++++++++++++-----
 1 file changed, 47 insertions(+), 18 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-block/open-iscsi/open-iscsi-2.1.4-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-block/open-iscsi/open-iscsi-2.1.4-r1.ebuild
index 81b755c11e..48c3a385ff 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-block/open-iscsi/open-iscsi-2.1.4-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-block/open-iscsi/open-iscsi-2.1.4-r1.ebuild
@@ -11,7 +11,7 @@ SRC_URI="https://github.com/${PN}/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
 
 LICENSE="GPL-2"
 SLOT="0/0.2"
-KEYWORDS="~alpha amd64 arm arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
 IUSE="debug infiniband libressl +tcp rdma systemd"
 
 DEPEND="
@@ -37,9 +37,8 @@ PATCHES=(
 pkg_setup() {
 	linux-info_pkg_setup
 
-	# Flatcar: use ewarn instead of die
 	if kernel_is -lt 2 6 16; then
-		ewarn "Sorry, your kernel must be 2.6.16-rc5 or newer!"
+		die "Sorry, your kernel must be 2.6.16-rc5 or newer!"
 	fi
 
 	# Needs to be done, as iscsid currently only starts, when having the iSCSI
@@ -47,19 +46,34 @@ pkg_setup() {
 	# more information:
 	# https://groups.google.com/group/open-iscsi/browse_thread/thread/cc10498655b40507/fd6a4ba0c8e91966
 	# If there's a new release, check whether this is still valid!
-	CONFIG_MODULES="SCSI_ISCSI_ATTRS ISCSI_TCP"
+	TCP_MODULES="SCSI_ISCSI_ATTRS ISCSI_TCP"
+	RDMA_MODULES="INFINIBAND_ISER"
+	INFINIBAND_MODULES="INFINIBAND_IPOIB INIBAND_USER_MAD INFINIBAND_USER_ACCESS"
+	CONFIG_CHECK_MODULES="tcp? ( ${TCP_MODULES} ) rdma? ( ${RDMA_MODULES} ) infiniband? ( ${INFINIBAND_MODULES} )"
 	if linux_config_exists; then
-		for module in ${CONFIG_CHECK_MODULES}; do
-			linux_chkconfig_module ${module} || ewarn "${module} needs to be built as module (builtin doesn't work)"
+		if use tcp; then
+			for module in ${TCP_MODULES}; do
+				linux_chkconfig_module ${module} || ewarn "${module} needs to be built as module (builtin doesn't work)"
 		done
+		fi
+		if use infiniband; then
+			for module in ${INFINIBAND_MODULES}; do
+				linux_chkconfig_module ${module} || ewarn "${module} needs to be built as module (builtin doesn't work)"
+		done
+		fi
+		if use rdma; then
+			for module in ${RDMA_MODULES}; do
+				linux_chkconfig_module ${module} || ewarn "${module} needs to be built as module (builtin doesn't work)"$
+			done
+		fi
 	fi
 }
 
 src_prepare() {
 	sed -e 's:^\(iscsid.startup\)\s*=.*:\1 = /usr/sbin/iscsid:' \
 		-i etc/iscsid.conf || die
-	sed -e 's:^node.startup = manual:node.startup = automatic:' \
-	     -i etc/iscsid.conf || die
+	sed -e '/[^usr]\/sbin/s@\(/sbin/\)@/usr\1@' \
+		-i etc/systemd/iscsi* || die
 	default
 
 	pushd iscsiuio >/dev/null || die
@@ -73,9 +87,9 @@ src_configure() {
 }
 
 src_compile() {
-	use debug && append-flags -DDEBUG_TCP -DDEBUG_SCSI
-
-	CFLAGS="" \
+	# Stuffing CPPFLAGS into CFLAGS isn't entirely correct, but the build
+	# is messed up already here, so it's not making it that much worse.
+	KSRC="${KV_DIR}" CFLAGS="" \
 	emake \
 		OPTFLAGS="${CFLAGS} ${CPPFLAGS} $(usex systemd '' -DNO_SYSTEMD)" \
 		AR="$(tc-getAR)" CC="$(tc-getCC)" \
@@ -84,28 +98,43 @@ src_compile() {
 }
 
 src_install() {
-	emake DESTDIR="${D}" sbindir="/usr/sbin" install
+	emake DESTDIR="${ED}" sbindir="/usr/sbin" install
 	# Upstream make is not deterministic, per bug #601514
-	rm -f "${D}"/etc/initiatorname.iscsi
+	rm -f "${ED}"/etc/initiatorname.iscsi
 
 	dodoc README THANKS
 
 	docinto test/
 	dodoc $(find test -maxdepth 1 -type f ! -name ".*")
 
+	insinto /etc/iscsi
+	newins "${FILESDIR}"/initiatorname.iscsi initiatorname.iscsi.example
+
+	newconfd "${FILESDIR}"/iscsid-conf.d iscsid
+	newinitd "${FILESDIR}"/iscsid-init.d iscsid
+
 	local unit
 	local units=(
-		iscsi.service
+		iscsi{,-init}.service
 		iscsid.{service,socket}
 		iscsiuio.{service,socket}
 	)
 	for unit in ${units[@]} ; do
 		systemd_dounit etc/systemd/${unit}
 	done
-	systemd_dounit "${FILESDIR}"/iscsi-init.service
-	systemd_dotmpfilesd "${FILESDIR}"/open-iscsi.conf
 
+	keepdir /var/db/iscsi
+	fperms 700 /var/db/iscsi
 	fperms 600 /etc/iscsi/iscsid.conf
-	rm "${D}"/etc/iscsi/initiatorname.iscsi
-	mv "${D}"/etc/iscsi "${D}"/usr/share/iscsi
+}
+
+pkg_postinst() {
+	in='/etc/iscsi/initiatorname.iscsi'
+	if [[ ! -f "${EROOT}${in}" ]] && [[ -f "${EROOT}${in}.example" ]] ; then
+		{
+		  cat "${EROOT}${in}.example"
+		  echo "# InitiatorName generated by ${CATEGORY}/${PF} at $(date -uR)"
+		  echo "InitiatorName=$(${ROOT}/usr/sbin/iscsi-iname)"
+		} >> "${EROOT}${in}.tmp" && mv -f "${EROOT}${in}.tmp" "${EROOT}${in}"
+	fi
 }

From c82e4e92f98eca733df88c2e391161da07719841 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:43:51 +0100
Subject: [PATCH 30/37] sys-block/open-iscsi: Apply Flatcar modifications

---
 .../open-iscsi/open-iscsi-2.1.4-r1.ebuild     | 68 ++++++-------------
 1 file changed, 20 insertions(+), 48 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-block/open-iscsi/open-iscsi-2.1.4-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-block/open-iscsi/open-iscsi-2.1.4-r1.ebuild
index 48c3a385ff..3ce0e49421 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-block/open-iscsi/open-iscsi-2.1.4-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-block/open-iscsi/open-iscsi-2.1.4-r1.ebuild
@@ -3,7 +3,8 @@
 
 EAPI=7
 
-inherit autotools linux-info flag-o-matic toolchain-funcs udev systemd
+TMPFILES_OPTIONAL=1
+inherit autotools linux-info flag-o-matic toolchain-funcs udev systemd tmpfiles
 
 DESCRIPTION="A performant, transport independent, multi-platform implementation of RFC3720"
 HOMEPAGE="http://www.open-iscsi.com/"
@@ -11,7 +12,7 @@ SRC_URI="https://github.com/${PN}/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
 
 LICENSE="GPL-2"
 SLOT="0/0.2"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
+KEYWORDS="~alpha amd64 arm arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
 IUSE="debug infiniband libressl +tcp rdma systemd"
 
 DEPEND="
@@ -37,8 +38,9 @@ PATCHES=(
 pkg_setup() {
 	linux-info_pkg_setup
 
+	# Flatcar: use ewarn instead of die
 	if kernel_is -lt 2 6 16; then
-		die "Sorry, your kernel must be 2.6.16-rc5 or newer!"
+		ewarn "Sorry, your kernel must be 2.6.16-rc5 or newer!"
 	fi
 
 	# Needs to be done, as iscsid currently only starts, when having the iSCSI
@@ -46,34 +48,19 @@ pkg_setup() {
 	# more information:
 	# https://groups.google.com/group/open-iscsi/browse_thread/thread/cc10498655b40507/fd6a4ba0c8e91966
 	# If there's a new release, check whether this is still valid!
-	TCP_MODULES="SCSI_ISCSI_ATTRS ISCSI_TCP"
-	RDMA_MODULES="INFINIBAND_ISER"
-	INFINIBAND_MODULES="INFINIBAND_IPOIB INIBAND_USER_MAD INFINIBAND_USER_ACCESS"
-	CONFIG_CHECK_MODULES="tcp? ( ${TCP_MODULES} ) rdma? ( ${RDMA_MODULES} ) infiniband? ( ${INFINIBAND_MODULES} )"
+	CONFIG_MODULES="SCSI_ISCSI_ATTRS ISCSI_TCP"
 	if linux_config_exists; then
-		if use tcp; then
-			for module in ${TCP_MODULES}; do
-				linux_chkconfig_module ${module} || ewarn "${module} needs to be built as module (builtin doesn't work)"
+		for module in ${CONFIG_CHECK_MODULES}; do
+			linux_chkconfig_module ${module} || ewarn "${module} needs to be built as module (builtin doesn't work)"
 		done
-		fi
-		if use infiniband; then
-			for module in ${INFINIBAND_MODULES}; do
-				linux_chkconfig_module ${module} || ewarn "${module} needs to be built as module (builtin doesn't work)"
-		done
-		fi
-		if use rdma; then
-			for module in ${RDMA_MODULES}; do
-				linux_chkconfig_module ${module} || ewarn "${module} needs to be built as module (builtin doesn't work)"$
-			done
-		fi
 	fi
 }
 
 src_prepare() {
 	sed -e 's:^\(iscsid.startup\)\s*=.*:\1 = /usr/sbin/iscsid:' \
 		-i etc/iscsid.conf || die
-	sed -e '/[^usr]\/sbin/s@\(/sbin/\)@/usr\1@' \
-		-i etc/systemd/iscsi* || die
+	sed -e 's:^node.startup = manual:node.startup = automatic:' \
+	     -i etc/iscsid.conf || die
 	default
 
 	pushd iscsiuio >/dev/null || die
@@ -87,9 +74,9 @@ src_configure() {
 }
 
 src_compile() {
-	# Stuffing CPPFLAGS into CFLAGS isn't entirely correct, but the build
-	# is messed up already here, so it's not making it that much worse.
-	KSRC="${KV_DIR}" CFLAGS="" \
+	use debug && append-flags -DDEBUG_TCP -DDEBUG_SCSI
+
+	CFLAGS="" \
 	emake \
 		OPTFLAGS="${CFLAGS} ${CPPFLAGS} $(usex systemd '' -DNO_SYSTEMD)" \
 		AR="$(tc-getAR)" CC="$(tc-getCC)" \
@@ -98,43 +85,28 @@ src_compile() {
 }
 
 src_install() {
-	emake DESTDIR="${ED}" sbindir="/usr/sbin" install
+	emake DESTDIR="${D}" sbindir="/usr/sbin" install
 	# Upstream make is not deterministic, per bug #601514
-	rm -f "${ED}"/etc/initiatorname.iscsi
+	rm -f "${D}"/etc/initiatorname.iscsi
 
 	dodoc README THANKS
 
 	docinto test/
 	dodoc $(find test -maxdepth 1 -type f ! -name ".*")
 
-	insinto /etc/iscsi
-	newins "${FILESDIR}"/initiatorname.iscsi initiatorname.iscsi.example
-
-	newconfd "${FILESDIR}"/iscsid-conf.d iscsid
-	newinitd "${FILESDIR}"/iscsid-init.d iscsid
-
 	local unit
 	local units=(
-		iscsi{,-init}.service
+		iscsi.service
 		iscsid.{service,socket}
 		iscsiuio.{service,socket}
 	)
 	for unit in ${units[@]} ; do
 		systemd_dounit etc/systemd/${unit}
 	done
+	systemd_dounit "${FILESDIR}"/iscsi-init.service
+	dotmpfiles "${FILESDIR}"/open-iscsi.conf
 
-	keepdir /var/db/iscsi
-	fperms 700 /var/db/iscsi
 	fperms 600 /etc/iscsi/iscsid.conf
-}
-
-pkg_postinst() {
-	in='/etc/iscsi/initiatorname.iscsi'
-	if [[ ! -f "${EROOT}${in}" ]] && [[ -f "${EROOT}${in}.example" ]] ; then
-		{
-		  cat "${EROOT}${in}.example"
-		  echo "# InitiatorName generated by ${CATEGORY}/${PF} at $(date -uR)"
-		  echo "InitiatorName=$(${ROOT}/usr/sbin/iscsi-iname)"
-		} >> "${EROOT}${in}.tmp" && mv -f "${EROOT}${in}.tmp" "${EROOT}${in}"
-	fi
+	rm "${D}"/etc/iscsi/initiatorname.iscsi
+	mv "${D}"/etc/iscsi "${D}"/usr/share/iscsi
 }

From ac02d91d1f25d3cafc8fea9210418474d4040119 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Fri, 3 Dec 2021 20:18:44 +0100
Subject: [PATCH 31/37] sys-libs/glibc: Port to tmpfiles eclass

---
 .../coreos-overlay/sys-libs/glibc/glibc-2.33-r8.ebuild      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r8.ebuild
index fdba9d2a4c..534ca99cef 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r8.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r8.ebuild
@@ -7,7 +7,7 @@ PYTHON_COMPAT=( python3_{6..10} )
 TMPFILES_OPTIONAL=1
 
 inherit python-any-r1 prefix preserve-libs toolchain-funcs flag-o-matic gnuconfig \
-	multilib systemd multiprocessing
+	multilib systemd multiprocessing tmpfiles
 
 DESCRIPTION="GNU libc C library"
 HOMEPAGE="https://www.gnu.org/software/libc/"
@@ -1392,7 +1392,7 @@ glibc_do_src_install() {
 		sed -i "${nscd_args[@]}" "${ED}"/etc/init.d/nscd
 
 		use systemd && systemd_dounit nscd/nscd.service
-		systemd_newtmpfilesd nscd/nscd.tmpfiles nscd.conf
+		newtmpfiles nscd/nscd.tmpfiles nscd.conf
 	fi
 
 	echo 'LDPATH="include ld.so.conf.d/*.conf"' > "${T}"/00glibc
@@ -1421,7 +1421,7 @@ glibc_do_src_install() {
 	insinto /usr/share/baselayout
 	if ! in_iuse nscd || use nscd ; then
 		doins "${S}"/nscd/nscd.conf || die
-		systemd_newtmpfilesd "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die
+		newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die
 	fi
 
 	# Clean out any default configs.

From c434f9b25f28e55772555d86fb68035abc7d6f97 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:48:06 +0100
Subject: [PATCH 32/37] sys-libs/glibc: Clean slate to reapply our changes

---
 .../sys-libs/glibc/files/nscd-conf.tmpfiles   |  2 --
 ...bc-2.33-r8.ebuild => glibc-2.33-r7.ebuild} | 34 ++++---------------
 2 files changed, 7 insertions(+), 29 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
 rename sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/{glibc-2.33-r8.ebuild => glibc-2.33-r7.ebuild} (97%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
deleted file mode 100644
index 0cf43dcb7a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
+++ /dev/null
@@ -1,2 +0,0 @@
-L /etc/nscd.conf	-	-	-	-	../usr/share/baselayout/nscd.conf
-d /var/db/nscd		-	-	-	-	-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r7.ebuild
similarity index 97%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r8.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r7.ebuild
index 534ca99cef..2f9ce004d3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r8.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r7.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_{7,8,9,10} )
 TMPFILES_OPTIONAL=1
 
 inherit python-any-r1 prefix preserve-libs toolchain-funcs flag-o-matic gnuconfig \
@@ -23,7 +23,7 @@ PATCH_DEV=dilfridge
 if [[ ${PV} == 9999* ]]; then
 	inherit git-r3
 else
-	KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 	SRC_URI="mirror://gnu/glibc/${P}.tar.xz"
 	SRC_URI+=" https://dev.gentoo.org/~${PATCH_DEV}/distfiles/${P}-patches-${PATCH_VER}.tar.xz"
 fi
@@ -719,12 +719,10 @@ sanity_prechecks() {
 
 # pkg_pretend
 
-# Flatcar: Skip sanity checks at pretend time because we don't ship a compiler
-#  in the OS image. This test fails when installing the glibc binpkg and no
-#  compiler is present.
 pkg_pretend() {
-	einfo "Flatcar: Skipping sanity_prechecks for binpkg installation. src_unpack will take care of compile-time prechecks."
-	# sanity_prechecks
+	# All the checks...
+	einfo "Checking general environment sanity."
+	sanity_prechecks
 }
 
 pkg_setup() {
@@ -1223,13 +1221,12 @@ glibc_do_src_install() {
 	# '#define VERSION "2.26.90"' -> '2.26.90'
 	local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h)
 
-	# Flatcar: override this and strip everything to keep image size at bay
 	# Avoid stripping binaries not targeted by ${CHOST}. Or else
 	# ${CHOST}-strip would break binaries build for ${CTARGET}.
-	# is_crosscompile && dostrip -x /
+	is_crosscompile && dostrip -x /
 	# gdb thread introspection relies on local libpthreas symbols. stripping breaks it
 	# See Note [Disable automatic stripping]
-	# dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
+	dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
 
 	if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then
 		# Move versioned .a file out of libdir to evade portage QA checks
@@ -1412,23 +1409,6 @@ glibc_do_src_install() {
 		run_locale_gen --inplace-glibc "${ED}/"
 		sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die
 	fi
-
-	## Flatcar Container Linux: Add some local changes:
-	# - Config files are installed by baselayout, not glibc.
-	# - Install nscd/systemd stuff in /usr.
-
-	# Use tmpfiles to put nscd.conf in /etc and create directories.
-	insinto /usr/share/baselayout
-	if ! in_iuse nscd || use nscd ; then
-		doins "${S}"/nscd/nscd.conf || die
-		newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die
-	fi
-
-	# Clean out any default configs.
-	rm -rf "${ED}"/etc
-
-	# Restore this one for the SDK.
-	test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc
 }
 
 glibc_headers_install() {

From f20b390fca65e8edf4b1eea2f7f6ff9076c303c9 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:48:57 +0100
Subject: [PATCH 33/37] sys-libs/glibc: Apply Flatcar modifications

  - unmask amd64 and arm64
  - take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles.
  - don't run sanity checks in pkg_pretend to prevent gcc checks when
    only the binary package is installed.
  - comment out 'dostrip -x' to force the OS image binaries to be stripped
  - remove everything glibc wants to put under /etc since we use
    baselayout to provide that
---
 .../sys-libs/glibc/files/nscd-conf.tmpfiles   |  2 ++
 .../sys-libs/glibc/glibc-2.33-r7.ebuild       | 34 +++++++++++++++----
 2 files changed, 29 insertions(+), 7 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
new file mode 100644
index 0000000000..0cf43dcb7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
@@ -0,0 +1,2 @@
+L /etc/nscd.conf	-	-	-	-	../usr/share/baselayout/nscd.conf
+d /var/db/nscd		-	-	-	-	-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r7.ebuild
index 2f9ce004d3..534ca99cef 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r7.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{7,8,9,10} )
+PYTHON_COMPAT=( python3_{6..10} )
 TMPFILES_OPTIONAL=1
 
 inherit python-any-r1 prefix preserve-libs toolchain-funcs flag-o-matic gnuconfig \
@@ -23,7 +23,7 @@ PATCH_DEV=dilfridge
 if [[ ${PV} == 9999* ]]; then
 	inherit git-r3
 else
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+	KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 	SRC_URI="mirror://gnu/glibc/${P}.tar.xz"
 	SRC_URI+=" https://dev.gentoo.org/~${PATCH_DEV}/distfiles/${P}-patches-${PATCH_VER}.tar.xz"
 fi
@@ -719,10 +719,12 @@ sanity_prechecks() {
 
 # pkg_pretend
 
+# Flatcar: Skip sanity checks at pretend time because we don't ship a compiler
+#  in the OS image. This test fails when installing the glibc binpkg and no
+#  compiler is present.
 pkg_pretend() {
-	# All the checks...
-	einfo "Checking general environment sanity."
-	sanity_prechecks
+	einfo "Flatcar: Skipping sanity_prechecks for binpkg installation. src_unpack will take care of compile-time prechecks."
+	# sanity_prechecks
 }
 
 pkg_setup() {
@@ -1221,12 +1223,13 @@ glibc_do_src_install() {
 	# '#define VERSION "2.26.90"' -> '2.26.90'
 	local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h)
 
+	# Flatcar: override this and strip everything to keep image size at bay
 	# Avoid stripping binaries not targeted by ${CHOST}. Or else
 	# ${CHOST}-strip would break binaries build for ${CTARGET}.
-	is_crosscompile && dostrip -x /
+	# is_crosscompile && dostrip -x /
 	# gdb thread introspection relies on local libpthreas symbols. stripping breaks it
 	# See Note [Disable automatic stripping]
-	dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
+	# dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
 
 	if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then
 		# Move versioned .a file out of libdir to evade portage QA checks
@@ -1409,6 +1412,23 @@ glibc_do_src_install() {
 		run_locale_gen --inplace-glibc "${ED}/"
 		sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die
 	fi
+
+	## Flatcar Container Linux: Add some local changes:
+	# - Config files are installed by baselayout, not glibc.
+	# - Install nscd/systemd stuff in /usr.
+
+	# Use tmpfiles to put nscd.conf in /etc and create directories.
+	insinto /usr/share/baselayout
+	if ! in_iuse nscd || use nscd ; then
+		doins "${S}"/nscd/nscd.conf || die
+		newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die
+	fi
+
+	# Clean out any default configs.
+	rm -rf "${ED}"/etc
+
+	# Restore this one for the SDK.
+	test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc
 }
 
 glibc_headers_install() {

From c73223ae755b845e52b8bb13a120f51ff0b893c7 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:56:01 +0100
Subject: [PATCH 34/37] sys-libs/libsemanage: Clean slate to reapply our
 changes

---
 .../coreos/arm64/package.accept_keywords      |  2 +-
 .../files/tmpfiles.d/libsemanage.conf         |  2 --
 ....1-r2.ebuild => libsemanage-3.1-r1.ebuild} | 34 +++++--------------
 ...e-3.2-r1.ebuild => libsemanage-3.2.ebuild} |  2 +-
 .../libsemanage/libsemanage-9999.ebuild       |  2 +-
 5 files changed, 12 insertions(+), 30 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/{libsemanage-3.1-r2.ebuild => libsemanage-3.1-r1.ebuild} (84%)
 rename sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/{libsemanage-3.2-r1.ebuild => libsemanage-3.2.ebuild} (99%)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
index 8e30ebe915..cd44f84481 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
@@ -92,7 +92,7 @@ sys-apps/debianutils *
 =sys-fs/quota-4.04-r1 ~arm64
 =sys-libs/efivar-31 ~arm64
 =sys-libs/libselinux-3.1-r2 ~arm64
-=sys-libs/libsemanage-3.1-r2 ~arm64
+=sys-libs/libsemanage-3.1-r1 ~arm64
 =sys-libs/libsepol-3.1 ~arm64
 =sys-power/iasl-20161222 ~arm64
 =sys-process/tini-0.18.0 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
index 168b972069..32f68ae9dd 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
@@ -1,3 +1 @@
-#Type	Path				Mode	UID 	GID 	Age	Argument
-d	/etc/selinux/		-	-	-	-	-
 L	/etc/selinux/semanage.conf	-	-	-	-	../../usr/lib/selinux/semanage.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r1.ebuild
similarity index 84%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r1.ebuild
index 432c33ddab..45551c0f2f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r1.ebuild
@@ -2,10 +2,9 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_6 )
 
-# flatcar changes
-inherit python-r1 toolchain-funcs multilib-minimal systemd
+inherit python-r1 toolchain-funcs multilib-minimal
 
 MY_P="${P//_/-}"
 MY_RELEASEDATE="20200710"
@@ -28,21 +27,17 @@ fi
 
 LICENSE="GPL-2"
 SLOT="0"
-IUSE="python"
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
 
 RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}]
 	>=sys-libs/libselinux-${SELNX_VER}[${MULTILIB_USEDEP}]
 	>=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
-	python? ( ${PYTHON_DEPS} )"
+	${PYTHON_DEPS}"
 DEPEND="${RDEPEND}"
-BDEPEND="
-	python? (
-		>=dev-lang/swig-2.0.4-r1
-		virtual/pkgconfig
-	)
+BDEPEND=">=dev-lang/swig-2.0.4-r1
 	sys-devel/bison
-	sys-devel/flex"
+	sys-devel/flex
+	virtual/pkgconfig"
 
 # tests are not meant to be run outside of the
 # full SELinux userland repo
@@ -85,8 +80,7 @@ multilib_src_compile() {
 		LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
 		all
 
-	# flatcar changes
-	if multilib_is_native_abi && use python; then
+	if multilib_is_native_abi; then
 		building_py() {
 			emake \
 				AR="$(tc-getAR)" \
@@ -100,29 +94,19 @@ multilib_src_compile() {
 }
 
 multilib_src_install() {
-	# flatcar changes
 	emake \
-		DEFAULT_SEMANAGE_CONF_LOCATION="/usr/lib/selinux/semanage.conf" \
 		LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
-		SHLIBDIR="/usr/$(get_libdir)" \
 		DESTDIR="${ED}" install
 
-	# flatcar changes
-	if multilib_is_native_abi && use python; then
+	if multilib_is_native_abi; then
 		installation_py() {
-			# flatcar changes
 			emake DESTDIR="${ED}" \
 				LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
-				SHLIBDIR="${EPREFIX}/usr/$(get_libdir)" \
-				LIBSEPOLA="${EPREFIX%/}/usr/$(get_libdir)/libsepol.a" \
 				install-pywrap
 			python_optimize # bug 531638
 		}
 		python_foreach_impl installation_py
 	fi
-
-	# flatcar changes
-	systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/libsemanage.conf"
 }
 
 multiib_src_install_all() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
index 3860e725b3..fdc4c482d1 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_6 )
 
 inherit python-r1 toolchain-funcs multilib-minimal
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild
index 3860e725b3..fdc4c482d1 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_6 )
 
 inherit python-r1 toolchain-funcs multilib-minimal
 

From f00411020d65d76d2df4e120146ad6dc54f35600 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:57:55 +0100
Subject: [PATCH 35/37] sys-libs/libsemanage: Apply Flatcar modifications

---
 .../files/tmpfiles.d/libsemanage.conf         |  2 ++
 .../libsemanage/libsemanage-3.1-r1.ebuild     | 35 ++++++++++++++-----
 .../libsemanage/libsemanage-3.2.ebuild        |  2 +-
 .../libsemanage/libsemanage-9999.ebuild       |  2 +-
 4 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
index 32f68ae9dd..168b972069 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
@@ -1 +1,3 @@
+#Type	Path				Mode	UID 	GID 	Age	Argument
+d	/etc/selinux/		-	-	-	-	-
 L	/etc/selinux/semanage.conf	-	-	-	-	../../usr/lib/selinux/semanage.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r1.ebuild
index 45551c0f2f..c75996eed8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r1.ebuild
@@ -2,9 +2,11 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_6 )
+PYTHON_COMPAT=( python3_{6..10} )
 
-inherit python-r1 toolchain-funcs multilib-minimal
+# flatcar changes
+TMPFILES_OPTIONAL=1
+inherit python-r1 toolchain-funcs multilib-minimal tmpfiles
 
 MY_P="${P//_/-}"
 MY_RELEASEDATE="20200710"
@@ -27,17 +29,21 @@ fi
 
 LICENSE="GPL-2"
 SLOT="0"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+IUSE="python"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 
 RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}]
 	>=sys-libs/libselinux-${SELNX_VER}[${MULTILIB_USEDEP}]
 	>=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
-	${PYTHON_DEPS}"
+	python? ( ${PYTHON_DEPS} )"
 DEPEND="${RDEPEND}"
-BDEPEND=">=dev-lang/swig-2.0.4-r1
+BDEPEND="
+	python? (
+		>=dev-lang/swig-2.0.4-r1
+		virtual/pkgconfig
+	)
 	sys-devel/bison
-	sys-devel/flex
-	virtual/pkgconfig"
+	sys-devel/flex"
 
 # tests are not meant to be run outside of the
 # full SELinux userland repo
@@ -80,7 +86,8 @@ multilib_src_compile() {
 		LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
 		all
 
-	if multilib_is_native_abi; then
+	# flatcar changes
+	if multilib_is_native_abi && use python; then
 		building_py() {
 			emake \
 				AR="$(tc-getAR)" \
@@ -94,19 +101,29 @@ multilib_src_compile() {
 }
 
 multilib_src_install() {
+	# flatcar changes
 	emake \
+		DEFAULT_SEMANAGE_CONF_LOCATION="/usr/lib/selinux/semanage.conf" \
 		LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+		SHLIBDIR="/usr/$(get_libdir)" \
 		DESTDIR="${ED}" install
 
-	if multilib_is_native_abi; then
+	# flatcar changes
+	if multilib_is_native_abi && use python; then
 		installation_py() {
+			# flatcar changes
 			emake DESTDIR="${ED}" \
 				LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+				SHLIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+				LIBSEPOLA="${EPREFIX%/}/usr/$(get_libdir)/libsepol.a" \
 				install-pywrap
 			python_optimize # bug 531638
 		}
 		python_foreach_impl installation_py
 	fi
+
+	# flatcar changes
+	dotmpfiles "${FILESDIR}/tmpfiles.d/libsemanage.conf"
 }
 
 multiib_src_install_all() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
index fdc4c482d1..3860e725b3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_6 )
+PYTHON_COMPAT=( python3_{6..10} )
 
 inherit python-r1 toolchain-funcs multilib-minimal
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild
index fdc4c482d1..3860e725b3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_6 )
+PYTHON_COMPAT=( python3_{6..10} )
 
 inherit python-r1 toolchain-funcs multilib-minimal
 

From 25b036f4546333dd683d5389cdd0f66074d2e294 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 20:59:46 +0100
Subject: [PATCH 36/37] sys-process/audit: Clean slate to reapply our changes

---
 .../sys-process/audit/README.md               | 24 -----
 .../sys-process/audit/audit-3.0.6.ebuild      | 69 ++++----------
 .../audit/files/audit-rules.service           | 16 ----
 .../audit/files/audit-rules.tmpfiles          |  5 --
 .../sys-process/audit/files/audit.rules-2.1.3 | 25 ++++++
 .../audit/files/audit.rules.stop.post         | 12 +++
 .../audit/files/audit.rules.stop.pre          | 15 ++++
 .../audit/files/auditd-conf.d-2.1.3           | 22 +++++
 .../audit/files/auditd-init.d-2.4.3           | 90 +++++++++++++++++++
 .../audit/files/rules.d/00-clear.rules        |  3 -
 .../audit/files/rules.d/80-selinux.rules      |  4 -
 .../audit/files/rules.d/99-default.rules      |  5 --
 12 files changed, 181 insertions(+), 109 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
deleted file mode 100644
index 20ef8bab00..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
+++ /dev/null
@@ -1,24 +0,0 @@
-This is a fork of gentoo's `sys-process/audit` package. The main
-reasons for having our fork seem to be:
-
-1. We have our own audit rules (see files in `files/rules.d`
-   directory).
-
-  - These seem to be mostly similar to what gentoo provides, but split
-    into several files and they have an additional rule for SELinux
-    events.
-
-  - We also install it in a different place and place symlinks with
-    systemd's tmpfiles functionality.
-
-2. We install a systemd service that loads our rules at startup.
-
-3. We build and install only a subset of binaries in the project.
-   Namely, we skip all the daemon stuff that puts the logs in
-   `/var/log/audit` and some tools that process those logs. Since
-   audit logs are also written to journal, writing them to disk seems
-   redundant, thus auditd and the tools seem to be unnecessary. This
-   also reduces the final image size a bit.
-
-4. Since we do not install the daemon, we don't do the permissions
-   lockdown on some auditd files.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
index 8319056101..515bd1b841 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
@@ -3,8 +3,7 @@
 
 EAPI=7
 
-# Flatcar: Support python 3.6.
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_{8..10} )
 
 inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
 
@@ -14,8 +13,7 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
 
 LICENSE="GPL-2+ LGPL-2.1+"
 SLOT="0"
-# Flatcar: Build amd64 and arm64 by default.
-KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="gssapi ldap python static-libs test"
 
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
@@ -41,20 +39,6 @@ src_prepare() {
 	# Disable installing sample rules so they can be installed as docs.
 	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null
 
-	# Flatcar: Do not build daemon stuff.
-	sed -e '/^SUBDIRS =/s/audisp//' \
-		-i Makefile.am || die
-	# Flatcar: Some legacy stuff is being installed when systemd
-	# is enabled. Drop all the lines that try doing it.
-	sed -e '/${DESTDIR}${initdir}/d' \
-		-e '/${DESTDIR}${legacydir}/d' \
-		-i init.d/Makefile.am || die
-	# Flatcar: Do not build daemon stuff.
-	sed -e '/^sbin_PROGRAMS =/s/auditd//' \
-		-e '/^sbin_PROGRAMS =/s/aureport//' \
-		-e '/^sbin_PROGRAMS =/s/ausearch//' \
-		-i src/Makefile.am || die
-
 	default
 	eautoreconf
 }
@@ -132,46 +116,30 @@ multilib_src_install_all() {
 	dodoc AUTHORS ChangeLog README* THANKS
 	docinto contrib
 	dodoc contrib/avc_snap
-	# Flatcar: Do not install any plugin stuff, these are parts of
-	# auditd that we don't build and install anyway.
-	# docinto contrib/plugin
-	# dodoc contrib/plugin/*
+	docinto contrib/plugin
+	dodoc contrib/plugin/*
 	docinto rules
 	dodoc rules/*rules
 
-	# Flatcar: Do not install stuff auditd stuff.
-	# newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
-	# newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+	newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+	newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
 
-	# Flatcar: We are not installing audisp too.
-	# [ -f "${ED}"/sbin/audisp-remote ] && \
-	# dodir /usr/sbin && \
-	# mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+	[ -f "${ED}"/sbin/audisp-remote ] && \
+	dodir /usr/sbin && \
+	mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
 
-	# Flatcar: Do not install gentoo rules.
 	# Gentoo rules
-	# insinto /etc/audit
-	# newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
-	# Flatcar: We are installing our own rules.
-	insinto /usr/share/audit/rules.d
-	doins "${FILESDIR}"/rules.d/*.rules
-	# Flatcar: Do not install deamon stuff.
-	# doins "${FILESDIR}"/audit.rules.stop*
+	insinto /etc/audit
+	newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+	doins "${FILESDIR}"/audit.rules.stop*
 
 	# audit logs go here
-	# Flatcar: This is where auditd puts its logs. We don't have
-	# the daemon, so get rid of the unnecessary directory.
-	# keepdir /var/log/audit
+	keepdir /var/log/audit
 
 	find "${ED}" -type f -name '*.la' -delete || die
 
 	# Security
 	lockdown_perms "${ED}"
-
-	# Flatcar: Our systemd stuff.
-	systemd_newtmpfilesd "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
-	systemd_dounit "${FILESDIR}"/audit-rules.service
-	systemd_enable_service multi-user.target audit-rules.service
 }
 
 pkg_postinst() {
@@ -181,11 +149,8 @@ pkg_postinst() {
 lockdown_perms() {
 	# Upstream wants these to have restrictive perms.
 	# Should not || die as not all paths may exist.
-	# Flatcar: No lockdown of permissions - it's probably only
-	# related to auditd.
-	# local basedir="${1}"
-	# chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
-	# chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
-	# chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
-	:
+	local basedir="${1}"
+	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+	chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
deleted file mode 100644
index 8c54802fb5..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Load Security Auditing Rules
-DefaultDependencies=no
-After=local-fs.target systemd-tmpfiles-setup.service
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
-ConditionSecurity=audit
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/sbin/augenrules --load
-ExecStop=-/sbin/auditctl -D
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
deleted file mode 100644
index 2c15b63d23..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
+++ /dev/null
@@ -1,5 +0,0 @@
-d   /etc/audit                          -   -   -   -   -
-d   /etc/audit/rules.d                  -   -   -   -   -
-L   /etc/audit/rules.d/00-clear.rules   -   -   -   -   /usr/share/audit/rules.d/00-clear.rules
-L   /etc/audit/rules.d/80-selinux.rules -   -   -   -   /usr/share/audit/rules.d/80-selinux.rules
-L   /etc/audit/rules.d/99-default.rules -   -   -   -   /usr/share/audit/rules.d/99-default.rules
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
new file mode 100644
index 0000000000..25dbedfd1d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
@@ -0,0 +1,25 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
+
+# Feel free to add below this line. See auditctl man page
+
+# The following rule would cause all of the syscalls listed to be ignored in logging.
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+
+# The following rule would cause the capture of all systems not caught above.
+# -a exit,always -S all
+
+# Increase the buffers to survive stress events
+-b 8192
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
new file mode 100644
index 0000000000..29ae197f18
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
@@ -0,0 +1,12 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately after the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# Not used for the default Gentoo configuration as of v1.2.3
+# Paranoid security types might wish to reconfigure kauditd here.
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
new file mode 100644
index 0000000000..1f34173369
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
@@ -0,0 +1,15 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately before the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# auditd is stopping, don't capture events anymore
+-D
+
+# Disable kernel generating audit events
+-e 0
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3
new file mode 100644
index 0000000000..c66be166ce
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3
@@ -0,0 +1,22 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Configuration options for auditd
+# -f for foreground mode
+# There are some other options as well, but you'll have to look in the source
+# code to find them as they aren't ready for use yet.
+EXTRAOPTIONS=''
+
+# Audit rules file to run after starting auditd
+RULEFILE_STARTUP=/etc/audit/audit.rules
+
+# Audit rules file to run before and after stopping auditd
+RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
+RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
+
+# If you want to enforce a certain locale for auditd, 
+# uncomment one of the next lines:
+#AUDITD_LANG=none
+AUDITD_LANG=C
+#AUDITD_LANG=en_US
+#AUDITD_LANG=en_US.UTF-8
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3
new file mode 100644
index 0000000000..c952554df2
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3
@@ -0,0 +1,90 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands='reload reload_auditd reload_rules'
+description='Linux Auditing System'
+description_reload='Reload daemon configuration and rules'
+description_reload_rules='Reload daemon rules'
+description_reload_auditd='Reload daemon configuration'
+
+name='auditd'
+pidfile='/var/run/auditd.pid'
+command='/sbin/auditd'
+
+start_auditd() {
+	# Env handling taken from the upstream init script
+	if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
+		unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+	else
+		LANG="$AUDITD_LANG"
+		LC_TIME="$AUDITD_LANG"
+		LC_ALL="$AUDITD_LANG"
+		LC_MESSAGES="$AUDITD_LANG"
+		LC_NUMERIC="$AUDITD_LANG"
+		LC_MONETARY="$AUDITD_LANG"
+		LC_COLLATE="$AUDITD_LANG"
+		export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+	fi
+	unset HOME MAIL USER USERNAME
+
+	ebegin "Starting ${name}"
+	start-stop-daemon \
+		--start --quiet --pidfile ${pidfile} \
+		--exec ${command} -- ${EXTRAOPTIONS}
+	local ret=$?
+	eend $ret
+	return $ret
+}
+
+stop_auditd() {
+	ebegin "Stopping ${name}"
+	start-stop-daemon --stop --quiet --pidfile ${pidfile}
+	local ret=$?
+	eend $ret
+	return $ret
+}
+
+loadfile() {
+	local rules="$1"
+	if [ -n "${rules}" -a -f "${rules}" ]; then
+		einfo "Loading audit rules from ${rules}"
+		/sbin/auditctl -R "${rules}" >/dev/null
+		return $?
+	else
+		return 0
+	fi
+}
+
+start() {
+	start_auditd
+	local ret=$?
+	if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
+		loadfile "${RULEFILE_STARTUP}"
+	fi
+	return $ret
+}
+
+reload_rules() {
+	loadfile "${RULEFILE_STARTUP}"
+}
+
+reload_auditd() {
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP \
+	    --exec "${command}" --pidfile "${pidfile}"
+	eend $?
+}
+
+reload() {
+	reload_auditd
+	reload_rules
+}
+
+stop() {
+	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
+	stop_auditd
+	local ret=$?
+	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
+	return $ret
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
deleted file mode 100644
index f43e62771c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
deleted file mode 100644
index 627b17db3f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
+++ /dev/null
@@ -1,4 +0,0 @@
-# Enable all SELinux related events
-# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
-
--a exclude,never -F msgtype>=1400 -F msgtype<=1499
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
deleted file mode 100644
index cc373d8406..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
+++ /dev/null
@@ -1,5 +0,0 @@
-# Always report changes to the audit subsystem itself.
--a exclude,never -F msgtype=CONFIG_CHANGE
-
-# Ignore everything else.
--a exclude,always -F msgtype>0

From 52c0685d0fde3d1dc85a5c22b2c0c6c3014f021d Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Wed, 15 Dec 2021 21:00:38 +0100
Subject: [PATCH 37/37] sys-process/audit: Apply Flatcar modifications

---
 .../sys-process/audit/README.md               | 24 +++++
 .../sys-process/audit/audit-3.0.6.ebuild      | 72 +++++++++++----
 .../audit/files/audit-rules.service           | 16 ++++
 .../audit/files/audit-rules.tmpfiles          |  5 ++
 .../sys-process/audit/files/audit.rules-2.1.3 | 25 ------
 .../audit/files/audit.rules.stop.post         | 12 ---
 .../audit/files/audit.rules.stop.pre          | 15 ----
 .../audit/files/auditd-conf.d-2.1.3           | 22 -----
 .../audit/files/auditd-init.d-2.4.3           | 90 -------------------
 .../audit/files/rules.d/00-clear.rules        |  3 +
 .../audit/files/rules.d/80-selinux.rules      |  4 +
 .../audit/files/rules.d/99-default.rules      |  5 ++
 12 files changed, 111 insertions(+), 182 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
new file mode 100644
index 0000000000..20ef8bab00
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
@@ -0,0 +1,24 @@
+This is a fork of gentoo's `sys-process/audit` package. The main
+reasons for having our fork seem to be:
+
+1. We have our own audit rules (see files in `files/rules.d`
+   directory).
+
+  - These seem to be mostly similar to what gentoo provides, but split
+    into several files and they have an additional rule for SELinux
+    events.
+
+  - We also install it in a different place and place symlinks with
+    systemd's tmpfiles functionality.
+
+2. We install a systemd service that loads our rules at startup.
+
+3. We build and install only a subset of binaries in the project.
+   Namely, we skip all the daemon stuff that puts the logs in
+   `/var/log/audit` and some tools that process those logs. Since
+   audit logs are also written to journal, writing them to disk seems
+   redundant, thus auditd and the tools seem to be unnecessary. This
+   also reduces the final image size a bit.
+
+4. Since we do not install the daemon, we don't do the permissions
+   lockdown on some auditd files.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
index 515bd1b841..9b96ede524 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
@@ -3,9 +3,11 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
+# Flatcar: Support python 3.6.
+PYTHON_COMPAT=( python3_{6..10} )
 
-inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
+TMPFILES_OPTIONAL=1
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles
 
 DESCRIPTION="Userspace utilities for storing and processing auditing records"
 HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
@@ -13,7 +15,8 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
 
 LICENSE="GPL-2+ LGPL-2.1+"
 SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+# Flatcar: Build amd64 and arm64 by default.
+KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="gssapi ldap python static-libs test"
 
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
@@ -39,6 +42,20 @@ src_prepare() {
 	# Disable installing sample rules so they can be installed as docs.
 	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null
 
+	# Flatcar: Do not build daemon stuff.
+	sed -e '/^SUBDIRS =/s/audisp//' \
+		-i Makefile.am || die
+	# Flatcar: Some legacy stuff is being installed when systemd
+	# is enabled. Drop all the lines that try doing it.
+	sed -e '/${DESTDIR}${initdir}/d' \
+		-e '/${DESTDIR}${legacydir}/d' \
+		-i init.d/Makefile.am || die
+	# Flatcar: Do not build daemon stuff.
+	sed -e '/^sbin_PROGRAMS =/s/auditd//' \
+		-e '/^sbin_PROGRAMS =/s/aureport//' \
+		-e '/^sbin_PROGRAMS =/s/ausearch//' \
+		-i src/Makefile.am || die
+
 	default
 	eautoreconf
 }
@@ -116,30 +133,46 @@ multilib_src_install_all() {
 	dodoc AUTHORS ChangeLog README* THANKS
 	docinto contrib
 	dodoc contrib/avc_snap
-	docinto contrib/plugin
-	dodoc contrib/plugin/*
+	# Flatcar: Do not install any plugin stuff, these are parts of
+	# auditd that we don't build and install anyway.
+	# docinto contrib/plugin
+	# dodoc contrib/plugin/*
 	docinto rules
 	dodoc rules/*rules
 
-	newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
-	newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+	# Flatcar: Do not install stuff auditd stuff.
+	# newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+	# newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
 
-	[ -f "${ED}"/sbin/audisp-remote ] && \
-	dodir /usr/sbin && \
-	mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+	# Flatcar: We are not installing audisp too.
+	# [ -f "${ED}"/sbin/audisp-remote ] && \
+	# dodir /usr/sbin && \
+	# mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
 
+	# Flatcar: Do not install gentoo rules.
 	# Gentoo rules
-	insinto /etc/audit
-	newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
-	doins "${FILESDIR}"/audit.rules.stop*
+	# insinto /etc/audit
+	# newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+	# Flatcar: We are installing our own rules.
+	insinto /usr/share/audit/rules.d
+	doins "${FILESDIR}"/rules.d/*.rules
+	# Flatcar: Do not install deamon stuff.
+	# doins "${FILESDIR}"/audit.rules.stop*
 
 	# audit logs go here
-	keepdir /var/log/audit
+	# Flatcar: This is where auditd puts its logs. We don't have
+	# the daemon, so get rid of the unnecessary directory.
+	# keepdir /var/log/audit
 
 	find "${ED}" -type f -name '*.la' -delete || die
 
 	# Security
 	lockdown_perms "${ED}"
+
+	# Flatcar: Our systemd stuff.
+	newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
+	systemd_dounit "${FILESDIR}"/audit-rules.service
+	systemd_enable_service multi-user.target audit-rules.service
 }
 
 pkg_postinst() {
@@ -149,8 +182,11 @@ pkg_postinst() {
 lockdown_perms() {
 	# Upstream wants these to have restrictive perms.
 	# Should not || die as not all paths may exist.
-	local basedir="${1}"
-	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
-	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
-	chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+	# Flatcar: No lockdown of permissions - it's probably only
+	# related to auditd.
+	# local basedir="${1}"
+	# chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+	# chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+	# chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+	:
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
new file mode 100644
index 0000000000..8c54802fb5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Load Security Auditing Rules
+DefaultDependencies=no
+After=local-fs.target systemd-tmpfiles-setup.service
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=audit
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/augenrules --load
+ExecStop=-/sbin/auditctl -D
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
new file mode 100644
index 0000000000..2c15b63d23
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
@@ -0,0 +1,5 @@
+d   /etc/audit                          -   -   -   -   -
+d   /etc/audit/rules.d                  -   -   -   -   -
+L   /etc/audit/rules.d/00-clear.rules   -   -   -   -   /usr/share/audit/rules.d/00-clear.rules
+L   /etc/audit/rules.d/80-selinux.rules -   -   -   -   /usr/share/audit/rules.d/80-selinux.rules
+L   /etc/audit/rules.d/99-default.rules -   -   -   -   /usr/share/audit/rules.d/99-default.rules
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
deleted file mode 100644
index 25dbedfd1d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded
-# whenever the audit daemon is started via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D
-
-# Feel free to add below this line. See auditctl man page
-
-# The following rule would cause all of the syscalls listed to be ignored in logging.
--a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
--a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-
-# The following rule would cause the capture of all systems not caught above.
-# -a exit,always -S all
-
-# Increase the buffers to survive stress events
--b 8192
-
-# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
deleted file mode 100644
index 29ae197f18..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright 1999-2005 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded immediately after the
-# audit deamon is stopped via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# Not used for the default Gentoo configuration as of v1.2.3
-# Paranoid security types might wish to reconfigure kauditd here.
-
-# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
deleted file mode 100644
index 1f34173369..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded immediately before the
-# audit deamon is stopped via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# auditd is stopping, don't capture events anymore
--D
-
-# Disable kernel generating audit events
--e 0
-
-# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3
deleted file mode 100644
index c66be166ce..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Configuration options for auditd
-# -f for foreground mode
-# There are some other options as well, but you'll have to look in the source
-# code to find them as they aren't ready for use yet.
-EXTRAOPTIONS=''
-
-# Audit rules file to run after starting auditd
-RULEFILE_STARTUP=/etc/audit/audit.rules
-
-# Audit rules file to run before and after stopping auditd
-RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
-RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
-
-# If you want to enforce a certain locale for auditd, 
-# uncomment one of the next lines:
-#AUDITD_LANG=none
-AUDITD_LANG=C
-#AUDITD_LANG=en_US
-#AUDITD_LANG=en_US.UTF-8
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3
deleted file mode 100644
index c952554df2..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_started_commands='reload reload_auditd reload_rules'
-description='Linux Auditing System'
-description_reload='Reload daemon configuration and rules'
-description_reload_rules='Reload daemon rules'
-description_reload_auditd='Reload daemon configuration'
-
-name='auditd'
-pidfile='/var/run/auditd.pid'
-command='/sbin/auditd'
-
-start_auditd() {
-	# Env handling taken from the upstream init script
-	if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
-		unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
-	else
-		LANG="$AUDITD_LANG"
-		LC_TIME="$AUDITD_LANG"
-		LC_ALL="$AUDITD_LANG"
-		LC_MESSAGES="$AUDITD_LANG"
-		LC_NUMERIC="$AUDITD_LANG"
-		LC_MONETARY="$AUDITD_LANG"
-		LC_COLLATE="$AUDITD_LANG"
-		export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
-	fi
-	unset HOME MAIL USER USERNAME
-
-	ebegin "Starting ${name}"
-	start-stop-daemon \
-		--start --quiet --pidfile ${pidfile} \
-		--exec ${command} -- ${EXTRAOPTIONS}
-	local ret=$?
-	eend $ret
-	return $ret
-}
-
-stop_auditd() {
-	ebegin "Stopping ${name}"
-	start-stop-daemon --stop --quiet --pidfile ${pidfile}
-	local ret=$?
-	eend $ret
-	return $ret
-}
-
-loadfile() {
-	local rules="$1"
-	if [ -n "${rules}" -a -f "${rules}" ]; then
-		einfo "Loading audit rules from ${rules}"
-		/sbin/auditctl -R "${rules}" >/dev/null
-		return $?
-	else
-		return 0
-	fi
-}
-
-start() {
-	start_auditd
-	local ret=$?
-	if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
-		loadfile "${RULEFILE_STARTUP}"
-	fi
-	return $ret
-}
-
-reload_rules() {
-	loadfile "${RULEFILE_STARTUP}"
-}
-
-reload_auditd() {
-	ebegin "Reloading ${SVCNAME}"
-	start-stop-daemon --signal HUP \
-	    --exec "${command}" --pidfile "${pidfile}"
-	eend $?
-}
-
-reload() {
-	reload_auditd
-	reload_rules
-}
-
-stop() {
-	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
-	stop_auditd
-	local ret=$?
-	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
-	return $ret
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
new file mode 100644
index 0000000000..f43e62771c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
@@ -0,0 +1,3 @@
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
new file mode 100644
index 0000000000..627b17db3f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
@@ -0,0 +1,4 @@
+# Enable all SELinux related events
+# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
+
+-a exclude,never -F msgtype>=1400 -F msgtype<=1499
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
new file mode 100644
index 0000000000..cc373d8406
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
@@ -0,0 +1,5 @@
+# Always report changes to the audit subsystem itself.
+-a exclude,never -F msgtype=CONFIG_CHANGE
+
+# Ignore everything else.
+-a exclude,always -F msgtype>0