sdk_container/src/third_party/coreos-overlay : merge contents of version main

This commit is contained in:
Thilo Fromm 2023-04-13 12:22:51 +02:00
commit 3629545e72
1393 changed files with 128027 additions and 0 deletions


@ -0,0 +1 @@
metadata/md5-cache


@ -0,0 +1,21 @@
# Derived from https://github.com/mrueg/repoman-travis/
sudo: required
language: python
python:
- pypy
# For some reason portage is defaulting to lbzip2/lbunzip2 here and then complaining when they don't
# exist, so use plain old b{,un}zip2.
env:
- PORTAGE_VER="2.3.40" PORTAGE_BZIP2_COMMAND="bzip2" PORTAGE_BUNZIP2_COMMAND="bunzip2"
before_install:
- sudo apt-get -qq update
- pip install lxml pyyaml
before_script: ./.travis/setup_repoman.sh
script:
- cd /usr/coreos-overlay
- /tmp/portage/portage-${PORTAGE_VER}/repoman/bin/repoman --experimental-repository-modules=y -dx full


@ -0,0 +1,8 @@
[DEFAULT]
main-repo = portage-stable
[coreos]
location = /usr/coreos-overlay
[portage-stable]
location = /usr/portage


@ -0,0 +1,23 @@
#!/bin/bash
set -euo pipefail
# Set up directory permissions/portage user and group.
sudo chmod a+rwX /etc/passwd /etc/group /etc /usr
echo "portage:x:250:250:portage:/var/tmp/portage:/bin/false" >> /etc/passwd
echo "portage::250:portage,travis" >> /etc/group
# Shuffle portage repositories around into the right places.
mkdir -p /etc/portage/repos.conf /usr/coreos-overlay
mv * /usr/coreos-overlay/
mv .git /usr/coreos-overlay/
git clone https://github.com/coreos/portage-stable /usr/portage/
cp .travis/coreos.conf /etc/portage/repos.conf/
ln -s /usr/coreos-overlay/profiles/coreos/amd64/sdk /etc/portage/make.profile
mkdir -p /usr/portage/metadata/{dtd,xml-schema}
wget -O /usr/portage/metadata/dtd/metadata.dtd https://www.gentoo.org/dtd/metadata.dtd
wget -O /usr/portage/metadata/xml-schema/metadata.xsd https://www.gentoo.org/xml-schema/metadata.xsd
# Download portage.
mkdir /tmp/portage && cd /tmp/portage
wget -qO - "https://gitweb.gentoo.org/proj/portage.git/snapshot/portage-${PORTAGE_VER}.tar.gz" | tar xz
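Review bot: The portage snapshot on the last line is piped from the network straight into `tar xz` with no checksum or signature check, and `sudo chmod a+rwX /etc/passwd /etc/group /etc /usr` on the fourth line leaves the account database world-writable for the remainder of the job. Both are tolerable only because this runs in a disposable Travis VM, and the script should say so: `# CI-only: runs in a throwaway Travis VM; loosens /etc permissions and fetches the portage snapshot unverified.` If the project can pin a digest for the snapshot, downloading to a file and verifying it with `sha256sum -c` before extraction would close the integrity gap. Also, `mkdir /tmp/portage && cd /tmp/portage` followed by `wget | tar xz` under `set -e` will leave a half-extracted tree on a network failure; a `trap 'rm -rf /tmp/portage' ERR` would keep reruns clean.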


@ -0,0 +1,8 @@
# Maintainers
* Krzesimir Nowak @krnowak
* Thilo Fromm @t-lo
See [Governance](https://github.com/flatcar/Flatcar/blob/main/governance.md) for governance, commit, and vote guidelines as well as maintainer responsibilities. Everybody listed in this file is a committer as per governance definition.
The contents of this file are synchronized from [Flatcar/MAINTAINERS.md](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).


@ -0,0 +1,57 @@
# Overview
This overlay contains Container Linux specific packages and Gentoo packages
that differ from their upstream Gentoo versions.
See the [portage-stable](https://github.com/coreos/portage-stable) repo
for packages which do not have Container Linux specific changes.
Licensing information can be found in the respective files, so consult
them directly. Most ebuilds are licensed under the GPL version 2.
Upstream Gentoo sources: https://gitweb.gentoo.org/repo/gentoo.git
# Important packages
`coreos-base/coreos` is the package responsible for everything that gets
built into a production image and is not OEM specific.
`coreos-base/coreos-dev` is the package responsible for everything that
gets built into a developer image and is not OEM specific.
`coreos-devel/sdk-depends` is the package responsible for everything that
gets built into the Container Linux SDK.
`coreos-devel/board-packages` is everything that could be built into a
development or production image, plus any OEM specific packages.
`coreos-base/oem-*` are the OEM specific packages. They mostly install things
that belong in the OEM partition. Any RDEPENDS from these packages should
be copied to the RDEPENDS in `board-packages` to ensure they are built.
`coreos-base/coreos-oem-*` are metapackages for OEM specific ACIs.
# Updating
To update follow the following steps:
* Remove or rename the whole folder of the package to prepare the import from
upstream Gentoo, not only resetting the ebuild file but also any additional
files like patches or downstream additions under `files`.
* Run `~/trunk/src/scripts/update_ebuilds --portage_stable . CATEGORY/PACKAGE`
in the `coreos-overlay` folder to import a new version from upstream Gentoo.
Drop the ebuild files that you don't plan to use.
* Commit the changes with a message like `CATEGORY/PACKAGE: Sync from Gentoo`,
and mention the the commit ID in the body (`git show update_ebuilds/master`).
* Now find all downstream patches for the package by running
`git log CATEGORY/PACKAGE`. If everybody followed the process of resetting
before importing an upstream update, you only have to look for the commits
after the last update and port them to the new version. Otherwise you have
to compare the files manually to their upstream versions from older
[portage](https://github.com/gentoo/portage/) revisions.
* You can combine all old and new downstream patches into a single new commit
with the message `CATEGORY/PACKAGE: Apply Flatcar patches` to keep the number of
commits to port low, or have separate commits. Make sure that you explain
the changes and carry the explanations from old commits over, either in the
commit message, through comments in the ebuild file, or through a `README.md`
in the folder.


@ -0,0 +1,36 @@
# Copyright (c) 2016 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=6
TMPFILES_OPTIONAL=1
inherit systemd tmpfiles
DESCRIPTION="etcd (System Application Container)"
HOMEPAGE="https://github.com/etcd-io/etcd"
KEYWORDS="amd64 arm64"
LICENSE="Apache-2.0"
IUSE=""
SLOT=0
DEPEND=""
RDEPEND=">=app-admin/sdnotify-proxy-0.1.0"
S=${WORKDIR}
src_install() {
local tag="v${PV}"
if [[ "${ARCH}" != "amd64" ]]; then
tag+="-${ARCH}"
fi
exeinto /usr/lib/flatcar
doexe "${FILESDIR}"/etcd-wrapper
sed "s|@ETCD_IMAGE_TAG@|${tag}|g" \
"${FILESDIR}"/etcd-member.service > ${T}/etcd-member.service
systemd_dounit ${T}/etcd-member.service
dotmpfiles "${FILESDIR}"/etcd-wrapper.conf
}
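Review bot: In src_install the `sed ... > ${T}/etcd-member.service` redirection and the following `systemd_dounit ${T}/etcd-member.service` leave `${T}` unquoted and the sed call has no `|| die`, so a failed substitution would silently install an empty unit. The ebuild convention is `sed "s|@ETCD_IMAGE_TAG@|${tag}|g" "${FILESDIR}"/etcd-member.service > "${T}"/etcd-member.service || die` and `systemd_dounit "${T}"/etcd-member.service`. The flannel-wrapper ebuild's src_install has the same pattern on both of its sed/systemd_dounit pairs.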


@ -0,0 +1,29 @@
[Unit]
Description=etcd (System Application Container)
Documentation=https://github.com/etcd-io/etcd
Wants=network-online.target network.target
After=network-online.target
Conflicts=etcd.service
Conflicts=etcd2.service
[Service]
Type=notify
NotifyAccess=all
Restart=always
RestartSec=10s
TimeoutStartSec=0
LimitNOFILE=40000
Environment="ETCD_IMAGE_URL=quay.io/coreos/etcd"
Environment="ETCD_IMAGE_TAG=@ETCD_IMAGE_TAG@"
Environment="ETCD_NAME=%m"
Environment="ETCD_USER=etcd"
Environment="ETCD_DATA_DIR=/var/lib/etcd"
Environment="ETCD_SSL_DIR=/etc/ssl/certs"
ExecStart=/usr/lib/flatcar/etcd-wrapper $ETCD_OPTS
ExecStop=/usr/bin/docker stop etcd-member
ExecStopPost=/usr/bin/docker rm etcd-member
[Install]
WantedBy=multi-user.target


@ -0,0 +1,36 @@
#!/bin/bash
# The "etcd-wrapper" script can't be deleted because ct overwrites
# the ExecStart directive with etcd-wrapper. Do the new action of
# ExecStart here.
set -e
# Since etcd/v3 we can't use both `--name` and `ETCD_NAME` at the same time.
# We parse the etcd command line options to find a `--name/-name` flag if we found one,
# we unset the `ETCD_NAME` to not conflict with it.
for f in "${@}"; do
if [[ $f =~ ^-?-name=? ]]; then
unset ETCD_NAME
break
fi
done
# Do not pass ETCD_DATA_DIR through to the container. The default path,
# /var/lib/etcd is always used inside the container.
etcd_data_dir="${ETCD_DATA_DIR}"
ETCD_DATA_DIR="/var/lib/etcd"
mkdir -p ${etcd_data_dir}
chown -R etcd:etcd ${etcd_data_dir}
chmod 700 ${etcd_data_dir}
# A better way to run the Flannel/etcd container image is Podman because
# Flannel depends on etcd but wants to be run before Docker so that it
# can set up the Docker networking. Etcd and Flannel are part of the
# Container Linux Config specification and thus can't be dropped easily.
# For now we have to resort to running these services with Docker and try
# to restart Docker for the Flannel options to take effect.
/usr/bin/docker stop etcd-member || true
/usr/bin/docker rm -f etcd-member || true
# set umask so that sdnotify-proxy creates /run/etcd-notify with the same relaxed permissions as NOTIFY_SOCKET (/run/systemd/notify) normally has, to allow ETCD_USER to write to it
umask 000
# mapping only /run/etcd-notify does not work and we use the full /run, also we must set NOTIFY_SOCKET in the container but use the original for /usr/libexec/sdnotify-proxy
/usr/libexec/sdnotify-proxy /run/etcd-notify /usr/bin/docker run --name etcd-member --network=host --ipc=host -u $(id -u ${ETCD_USER}):$(id -g ${ETCD_USER}) -v /run:/run -v /usr/share/ca-certificates:/usr/share/ca-certificates:ro -v ${etcd_data_dir}:/var/lib/etcd:rw -v ${ETCD_SSL_DIR}:/etc/ssl/certs:ro --env-file <(env; echo PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; echo NOTIFY_SOCKET=/run/etcd-notify) --entrypoint /usr/local/bin/etcd ${ETCD_IMAGE:-${ETCD_IMAGE_URL}:${ETCD_IMAGE_TAG}} "$@"
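Review bot: The regex `^-?-name=?` in the for loop is anchored only at the start, so any argument that merely begins with `-name`/`--name` would also unset `ETCD_NAME`; anchoring the end, `if [[ $f =~ ^-?-name(=.*)?$ ]]; then`, matches only the flag itself. The `mkdir -p`, `chown -R` and `chmod 700` lines leave `${etcd_data_dir}` unquoted, and if `ETCD_DATA_DIR` is empty `chmod 700 ""` fails under `set -e` with an unhelpful message; quoting them and adding `: "${ETCD_DATA_DIR:?ETCD_DATA_DIR must be set}"` near the top makes the failure explicit. The `--env-file <(env; ...)` on the last line forwards the wrapper's entire environment into the container, which is worth a comment so operators know that any `Environment=` drop-in on the unit also lands inside etcd.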


@ -0,0 +1 @@
d /var/lib/etcd 0700 etcd etcd - -


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1,5 @@
[Match]
OriginalName=flannel*
[Link]
MACAddressPolicy=none


@ -0,0 +1,5 @@
[Match]
Name=flannel*
[Link]
Unmanaged=yes


@ -0,0 +1,24 @@
[Unit]
Description=flannel docker export service - Network fabric for containers (System Application Container)
Documentation=https://github.com/coreos/flannel
PartOf=flanneld.service
Requires=flanneld.service
After=flanneld.service
[Service]
Type=oneshot
RemainAfterExit=true
Restart=on-failure
RestartSec=5s
Environment="FLANNEL_IMAGE_URL=quay.io/coreos/flannel"
Environment="FLANNEL_IMAGE_TAG=@FLANNEL_IMAGE_TAG@"
Environment="FLANNEL_CMD=/opt/bin/mk-docker-opts.sh"
Environment="FLANNEL_CONTAINER=flannel-docker-opts"
ExecStart=/usr/lib/flatcar/flannel-wrapper -d /run/flannel/flannel_docker_opts.env -i
ExecStop=/usr/bin/docker stop flannel-docker-opts
ExecStopPost=/usr/bin/docker rm flannel-docker-opts
[Install]
WantedBy=multi-user.target


@ -0,0 +1,42 @@
#!/bin/bash
# The "flannel-wrapper" script can't be deleted because ct overwrites
# the ExecStart directive with flannel-wrapper. Do the new action of
# ExecStart here.
set -e
ETCD_SSL_DIR="${ETCD_SSL_DIR:-/etc/ssl/etcd}"
RUN_ARGS=""
if [[ -d "${ETCD_SSL_DIR}" ]]; then
RUN_ARGS="-v ${ETCD_SSL_DIR}:${ETCD_SSL_DIR}:ro"
fi
mkdir --parents /run/flannel
WRAP=""
if [[ -S "${NOTIFY_SOCKET}" ]]; then
WRAP="/usr/libexec/sdnotify-proxy /run/${FLANNEL_CONTAINER}-notify"
fi
# A better way to run the Flannel/etcd container image is Podman because
# Flannel depends on etcd but wants to be run before Docker so that it
# can set up the Docker networking. Etcd and Flannel are part of the
# Container Linux Config specification and thus can't be dropped easily.
# For now we have to resort to running these services with Docker and try
# to restart Docker for the Flannel options to take effect (but that also
# terminates the etcd and flannel containers, causing the services to
# restart).
RESTART_DOCKER=0
if [ "${FLANNEL_CMD}" = "/opt/bin/mk-docker-opts.sh" ] && [ "$1" = "-d" ] && [ ! -f "$2" ]; then
# only restart Docker only on first run, propagating updates on later runs was not done before in the rkt version, so keep the behavior
# (which also helps to break the loop which otherwise exists because "restart docker" mentioned above)
RESTART_DOCKER=1
fi
/usr/bin/docker stop ${FLANNEL_CONTAINER} || true
/usr/bin/docker rm -f ${FLANNEL_CONTAINER} || true
# mapping only /run/${FLANNEL_CONTAINER}-notify does not work and we map the full /run (using /run:/run covers /run/flannel, too), also we must set NOTIFY_SOCKET in the container but use the original for /usr/libexec/sdnotify-proxy
${WRAP} /usr/bin/docker run --name ${FLANNEL_CONTAINER} --privileged --network=host --ipc=host ${RUN_ARGS} -v /run:/run:rw -v /etc/ssl/certs:/etc/ssl/certs:ro -v /usr/share/ca-certificates:/usr/share/ca-certificates:ro --env-file <(env; echo PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; echo NOTIFY_SOCKET=/run/${FLANNEL_CONTAINER}-notify) --entrypoint ${FLANNEL_CMD} ${FLANNEL_IMAGE:-${FLANNEL_IMAGE_URL}:${FLANNEL_IMAGE_TAG}} "$@"
if [ "${RESTART_DOCKER}" = 1 ]; then
systemctl restart docker
echo "Restarted Docker to apply Flannel options"
fi


@ -0,0 +1,29 @@
[Unit]
Description=flannel - Network fabric for containers (System Application Container)
Documentation=https://github.com/coreos/flannel
After=etcd.service etcd2.service etcd-member.service
Requires=flannel-docker-opts.service
[Service]
Type=notify
NotifyAccess=all
Restart=always
RestartSec=10s
TimeoutStartSec=300
LimitNOFILE=40000
LimitNPROC=1048576
Environment="FLANNEL_IMAGE_URL=quay.io/coreos/flannel"
Environment="FLANNEL_IMAGE_TAG=@FLANNEL_IMAGE_TAG@"
Environment="FLANNEL_OPTS=--ip-masq=true"
Environment="FLANNEL_CMD=/opt/bin/flanneld"
Environment="FLANNEL_CONTAINER=flannel"
EnvironmentFile=-/run/flannel/options.env
ExecStartPre=/sbin/modprobe ip_tables
ExecStart=/usr/lib/flatcar/flannel-wrapper $FLANNEL_OPTS
ExecStop=/usr/bin/docker stop flannel
ExecStopPost=/usr/bin/docker rm flannel
[Install]
WantedBy=multi-user.target


@ -0,0 +1,45 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit systemd
DESCRIPTION="flannel (System Application Container)"
HOMEPAGE="https://github.com/coreos/flannel"
KEYWORDS="amd64 arm64"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
RDEPEND="
!app-admin/flannel
>=app-admin/sdnotify-proxy-0.1.0
"
S="$WORKDIR"
src_install() {
local tag="v${PV}"
if [[ "${ARCH}" != "amd64" ]]; then
tag+="-${ARCH}"
fi
exeinto /usr/lib/flatcar
doexe "${FILESDIR}"/flannel-wrapper
sed "s|@FLANNEL_IMAGE_TAG@|${tag}|g" \
"${FILESDIR}"/flanneld.service > ${T}/flanneld.service
systemd_dounit ${T}/flanneld.service
sed "s|@FLANNEL_IMAGE_TAG@|${tag}|g" \
"${FILESDIR}"/flannel-docker-opts.service > ${T}/flannel-docker-opts.service
systemd_dounit ${T}/flannel-docker-opts.service
insinto /usr/lib/systemd/network
doins "${FILESDIR}"/50-flannel.network
doins "${FILESDIR}"/50-flannel.link
}


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
locksmith-9999.ebuild


@ -0,0 +1,37 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/locksmith"
CROS_WORKON_LOCALNAME="locksmith"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/flatcar/locksmith"
inherit cros-workon systemd coreos-go
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="c4cca93a15c7b7fd175e6687a83fc2725029a17a" # flatcar-master
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="locksmith"
HOMEPAGE="https://github.com/flatcar/locksmith"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_compile() {
COREOS_GO_MOD=vendor go_build "${COREOS_GO_PACKAGE}/locksmithctl"
}
src_install() {
dobin ${GOBIN}/locksmithctl
dodir /usr/lib/locksmith
dosym ../../../bin/locksmithctl /usr/lib/locksmith/locksmithd
systemd_dounit "${S}"/systemd/locksmithd.service
systemd_enable_service multi-user.target locksmithd.service
}
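Review bot: In src_install the symlink `dosym ../../../bin/locksmithctl /usr/lib/locksmith/locksmithd` resolves from `/usr/lib/locksmith/` to `/bin/locksmithctl`, while `dobin` installs the binary under `/usr/bin`; this only works where `/bin` is merged into `/usr/bin`, which is presumably the case on Flatcar but should not be relied on silently. `dosym ../../bin/locksmithctl /usr/lib/locksmith/locksmithd` points at the installed location directly. The `dobin ${GOBIN}/locksmithctl` line should also quote `"${GOBIN}"` like the other ebuilds in this commit quote `${S}` and `${FILESDIR}`.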


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1,2 @@
DIST logrotate-3.20.1.tar.xz 166712 BLAKE2B 8481e0d746c6bcbe10f2686a921334c6f957c8d92520927de7bc8fb0b7631a444fedaa80f35bc2de7961b3d5833ce4ab885b1298b235b7f8b33cc3ae05438da6 SHA512 a9ed5796ab254f511d0029a8f29ef7557f62e12e3ea9af24e30b5b9f348b1c1a16df26d44314b78299916fb3b5000b9cd9eed7cee2cee8df11cfd8e40c79b092
DIST logrotate-3.20.1.tar.xz.asc 833 BLAKE2B afc02177335bcd580e0617af8c50846b371c2d00ecd8fe329c2e298dc8c48823137625f455cea3d983a0d9971733297fa2c4d98ba3c6f72d2c07f8f21108cfe4 SHA512 2dd207feec431b223ff12f09f6cce14409d45e5bb3abaf2275dd773c7ee7c59ed7d32395e5869bfed70c970be4158fd299e6e269838378843dcb63ca5ebfa029


@ -0,0 +1,14 @@
diff -Nuar a/config.c b/config.c
--- a/config.c 2018-10-05 17:01:21.000000000 +0200
+++ b/config.c 2018-12-19 16:33:52.280129804 +0100
@@ -417,7 +417,9 @@
int i;
/* Check if fname is '.' or '..'; if so, return false */
- if (fname[0] == '.' && (!fname[1] || (fname[1] == '.' && !fname[2])))
+ /* Don't include 'hidden' files either; this breaks Gentoo
+ portage config file management http://bugs.gentoo.org/87683 */
+ if (fname[0] == '.')
return 0;
/* Check if fname is ending in a taboo-extension; if so, return false */


@ -0,0 +1,147 @@
https://bugs.gentoo.org/847382#c3
https://github.com/logrotate/logrotate/commit/31cf1099ab8514dfcae5a980bc77352edd5292f8
https://github.com/logrotate/logrotate/commit/7b1fa328bf70eb8434166f151bd075cd1440d0dc
From 31cf1099ab8514dfcae5a980bc77352edd5292f8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 27 May 2022 09:56:07 +0200
Subject: [PATCH] lockState: do not print `error:` when exit code is unaffected
Closes: https://github.com/logrotate/logrotate/pull/448
--- a/logrotate.c
+++ b/logrotate.c
@@ -3050,8 +3050,8 @@ static int lockState(const char *stateFilename, int skip_state_lock)
}
if (sb.st_mode & S_IROTH) {
- message(MESS_ERROR, "state file %s is world-readable and thus can"
- " be locked from other unprivileged users."
+ message(MESS_NORMAL, "warning: state file %s is world-readable"
+ " and thus can be locked from other unprivileged users."
" Skipping lock acquisition...\n",
stateFilename);
close(lockFd);
From 7b1fa328bf70eb8434166f151bd075cd1440d0dc Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 27 May 2022 16:02:57 +0200
Subject: [PATCH] log: unify handling of log levels
Use MESS_WARN instead of MESS_NORMAL and make it always use
the `warning:` prefix. MESS_WARN is now mapped to LOG_WARNING
for syslog.
Also drop MESS_VERBOSE, which was not set anywhere.
Closes: https://github.com/logrotate/logrotate/pull/239
Closes: https://github.com/logrotate/logrotate/pull/449
--- a/config.c
+++ b/config.c
@@ -643,7 +643,7 @@ static void set_criterium(enum criterium *pDst, enum criterium src, int *pSet)
{
if (*pSet && (*pDst != src)) {
/* we are overriding a previously set criterium */
- message(MESS_VERBOSE, "warning: '%s' overrides previously specified '%s'\n",
+ message(MESS_DEBUG, "note: '%s' overrides previously specified '%s'\n",
crit_to_string(src), crit_to_string(*pDst));
}
*pDst = src;
@@ -1021,7 +1021,7 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
if (getuid() == ROOT_UID) {
if ((sb_config.st_mode & 07533) != 0400) {
- message(MESS_NORMAL,
+ message(MESS_WARN,
"Potentially dangerous mode on %s: 0%o\n",
configFile, (unsigned) (sb_config.st_mode & 07777));
}
@@ -1386,7 +1386,7 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
RAISE_ERROR();
}
} else if (!strcmp(key, "errors")) {
- message(MESS_NORMAL,
+ message(MESS_WARN,
"%s: %d: the errors directive is deprecated and no longer used.\n",
configFile, lineNum);
} else if (!strcmp(key, "mail")) {
--- a/log.c
+++ b/log.c
@@ -40,9 +40,12 @@ static void log_once(FILE *where, int level, const char *format, va_list args)
{
switch (level) {
case MESS_DEBUG:
- case MESS_NORMAL:
- case MESS_VERBOSE:
break;
+
+ case MESS_WARN:
+ fprintf(where, "warning: ");
+ break;
+
default:
fprintf(where, "error: ");
break;
@@ -78,10 +81,11 @@ void message(int level, const char *format, ...)
priority |= LOG_DEBUG;
break;
case MESS_DEBUG:
- case MESS_VERBOSE:
- case MESS_NORMAL:
priority |= LOG_INFO;
break;
+ case MESS_WARN:
+ priority |= LOG_WARNING;
+ break;
case MESS_ERROR:
priority |= LOG_ERR;
break;
--- a/log.h
+++ b/log.h
@@ -5,8 +5,7 @@
#define MESS_REALDEBUG 1
#define MESS_DEBUG 2
-#define MESS_VERBOSE 3
-#define MESS_NORMAL 4
+#define MESS_WARN 4
#define MESS_ERROR 5
#define MESS_FATAL 6
--- a/logrotate.c
+++ b/logrotate.c
@@ -3050,7 +3050,7 @@ static int lockState(const char *stateFilename, int skip_state_lock)
}
if (sb.st_mode & S_IROTH) {
- message(MESS_NORMAL, "warning: state file %s is world-readable"
+ message(MESS_WARN, "state file %s is world-readable"
" and thus can be locked from other unprivileged users."
" Skipping lock acquisition...\n",
stateFilename);
@@ -3106,7 +3106,7 @@ int main(int argc, const char **argv)
POPT_AUTOHELP { NULL, 0, 0, NULL, 0, NULL, NULL }
};
- logSetLevel(MESS_NORMAL);
+ logSetLevel(MESS_WARN);
setlocale (LC_ALL, "");
optCon = poptGetContext("logrotate", argc, argv, options, 0);
@@ -3117,7 +3117,7 @@ int main(int argc, const char **argv)
switch (arg) {
case 'd':
debug = 1;
- message(MESS_NORMAL, "WARNING: logrotate in debug mode does nothing"
+ message(MESS_WARN, "logrotate in debug mode does nothing"
" except printing debug messages! Consider using verbose"
" mode (-v) instead if this is not what you want.\n\n");
/* fallthrough */
--- a/test/test-0080.sh
+++ b/test/test-0080.sh
@@ -10,4 +10,4 @@ cleanup 80
preptest test.log 80 1 0
$RLR -d test-config.80 2>&1 | \
- grep -q "warning: 'daily' overrides previously specified 'size'"
+ grep -q "note: 'daily' overrides previously specified 'size'"


@ -0,0 +1,47 @@
# Flatcar: This is a modified version of the default config that came
# with Gentoo Linux.
#
# Default logrotate(8) configuration file for Gentoo Linux.
# See "man logrotate" for details.
# rotate log files weekly.
#weekly
#daily
# keep 4 weeks worth of backlogs.
#rotate 4
# Flatcar: keep only the most recent old log.
rotate 1
# create new (empty) log files after rotating old ones.
create
# use date as a suffix of the rotated file.
dateext
# compress rotated log files.
compress
# Flatcar: If a file to rotate is missing, don't log an error.
missingok
notifempty
nomail
noolddir
# packages can drop log rotation information into this directory.
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here.
# must match creation rules in /usr/lib/tmpfiles.d/var.conf
/var/log/wtmp {
create 0664 root utmp
size 1M
}
/var/log/btmp {
create 0600 root utmp
size 1M
}
# system-specific logs may also be configured here.


@ -0,0 +1,5 @@
[Unit]
Description=Rotate and Compress System Logs
[Service]
ExecStart=/usr/bin/logrotate /usr/share/logrotate/logrotate.conf


@ -0,0 +1,2 @@
d /var/lib/misc
d /etc/logrotate.d - - - - -


@ -0,0 +1,109 @@
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/kamildudka.asc
inherit systemd tmpfiles verify-sig
DESCRIPTION="Rotates, compresses, and mails system logs"
HOMEPAGE="https://github.com/logrotate/logrotate"
SRC_URI="https://github.com/${PN}/${PN}/releases/download/${PV}/${P}.tar.xz"
SRC_URI+=" verify-sig? ( https://github.com/${PN}/${PN}/releases/download/${PV}/${P}.tar.xz.asc )"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
IUSE="acl +cron selinux"
DEPEND=">=dev-libs/popt-1.5
selinux? ( sys-libs/libselinux )
acl? ( virtual/acl )"
RDEPEND="${DEPEND}
selinux? ( sec-policy/selinux-logrotate )
cron? ( virtual/cron )"
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-kamildudka )"
STATEFILE="${EPREFIX}/var/lib/misc/logrotate.status"
OLDSTATEFILE="${EPREFIX}/var/lib/logrotate.status"
PATCHES=(
"${FILESDIR}"/${PN}-3.15.0-ignore-hidden.patch
"${FILESDIR}"/${P}-log-changes.patch
)
move_old_state_file() {
elog "logrotate state file is now located at ${STATEFILE}"
elog "See bug #357275"
if [[ -e "${OLDSTATEFILE}" ]] ; then
elog "Moving your current state file to new location: ${STATEFILE}"
mv -n "${OLDSTATEFILE}" "${STATEFILE}" || die
fi
}
install_cron_file() {
exeinto /etc/cron.daily
newexe "${S}"/examples/logrotate.cron "${PN}"
}
src_prepare() {
default
sed -i -e 's#/usr/sbin/logrotate#/usr/bin/logrotate#' examples/logrotate.{cron,service} || die
}
src_configure() {
econf \
$(use_with acl) \
$(use_with selinux) \
--with-state-file-path="${STATEFILE}"
}
src_install() {
dobin logrotate
doman logrotate.8
dodoc ChangeLog.md
# Flatcar: Put our config under /usr. We will point logrotate
# to use this configuration in the systemd unit we install
# below. User can always customize logrotate configuration by
# using drop-ins to point to a different path or by adding
# logrotate config files to /etc/logrotate.d.
insinto /usr/share/logrotate
doins "${FILESDIR}"/logrotate.conf
use cron && install_cron_file
# Flatcar: Install our own systemd service file and enable it
# by default.
#
# TODO: We probably should just patch the example logrotate
# service unit, as it has a bunch of hardening and performance
# tuning stuff done.
systemd_dounit examples/logrotate.timer
systemd_dounit "${FILESDIR}"/logrotate.service
systemd_enable_service multi-user.target logrotate.timer
newtmpfiles "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
keepdir /etc/logrotate.d
}
pkg_postinst() {
elog
elog "The ${PN} binary is now installed under /usr/bin. Please"
elog "update your links"
elog
move_old_state_file
tmpfiles_process ${PN}.conf
if [[ -z ${REPLACING_VERSIONS} ]] ; then
elog "If you wish to have logrotate e-mail you updates, please"
elog "emerge virtual/mailx and configure logrotate in"
elog "/etc/logrotate.conf appropriately"
elog
elog "Additionally, /etc/logrotate.conf may need to be modified"
elog "for your particular needs. See man logrotate for details."
fi
}
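Review bot: The pkg_postinst messages in the `REPLACING_VERSIONS` branch tell users to configure `/etc/logrotate.conf`, but this ebuild installs the Flatcar configuration to `/usr/share/logrotate/logrotate.conf` (the `insinto`/`doins` pair in src_install) and the shipped unit starts logrotate with that path, so the advice points at a file nothing reads. Replace those lines with `elog "Flatcar ships its logrotate configuration at /usr/share/logrotate/logrotate.conf;"` and `elog "add package rules under /etc/logrotate.d or override ExecStart with a systemd drop-in."`. The `elog "update your links"` message about the `/usr/bin` move is inherited from Gentoo and is likewise stale on a fresh Flatcar install, though harmless.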


@ -0,0 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<longdescription lang="en">
Logrotate allows for the automatic rotation compression, removal
and mailing of log files. Logrotate can be set to handle a log
file daily, weekly, monthly or when the log file gets to a certain
size.
</longdescription>
<longdescription lang="es">
Logrotate permite la rotación, compresión, eliminación y
notificación por correo electrónico de forma automática de ficheros
de registro (logs). Logrotate se puede configurar para gestionar
estos ficheros diariamente, semanalmente, mensualmente o cuando
su tamaño alcanza cierto valor.
</longdescription>
<use>
<flag name="acl">Installs acl support</flag>
<flag name="cron">Installs cron file</flag>
<flag name="selinux">Installs Security Enhanced Linux support</flag>
</use>
<upstream>
<remote-id type="github">logrotate/logrotate</remote-id>
<remote-id type="cpe">cpe:/a:logrotate_project:logrotate</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1 @@
mayday-9999.ebuild


@ -0,0 +1,35 @@
# Copyright (c) 2015 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/mayday"
CROS_WORKON_LOCALNAME="mayday"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/flatcar/mayday"
inherit coreos-go cros-workon
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="9de08c8f9f4360fe52cb3a56a7fb8f4bc4e75dcc" # flatcar-master
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="mayday"
HOMEPAGE="https://github.com/flatcar/mayday"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_compile() {
COREOS_GO_MOD=vendor go_build "${COREOS_GO_PACKAGE}"
}
src_install() {
newbin ${GOBIN}/mayday mayday
insinto /usr/share/mayday
doins "${S}/default.json"
}


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
sdnotify-proxy-9999.ebuild


@ -0,0 +1,31 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="kinvolk/sdnotify-proxy"
CROS_WORKON_LOCALNAME="sdnotify-proxy"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/coreos/sdnotify-proxy"
COREOS_GO_GO111MODULE="off"
inherit coreos-go cros-workon
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="0f8ef1aa86c59fc6d54eadaffb248feaccd1018b" # master
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="sdnotify-proxy"
HOMEPAGE="https://github.com/coreos/sdnotify-proxy"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_install() {
# Put sdnotify-proxy into its well-know location.
exeinto /usr/libexec
doexe ${GOBIN}/sdnotify-proxy
}
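Review bot: The comment above `exeinto /usr/libexec` reads `well-know`; it should be `# Put sdnotify-proxy into its well-known location.`, and since both wrapper scripts in this commit hard-code `/usr/libexec/sdnotify-proxy`, the comment could name them so the path is not moved without updating them. The `doexe ${GOBIN}/sdnotify-proxy` line should quote `"${GOBIN}"` for consistency with the quoting used elsewhere in these ebuilds.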


@ -0,0 +1,2 @@
DIST sudo-1.9.12p2.tar.gz 4909431 BLAKE2B 79eac710b757acae7aa98e6e6f495a475e5236be456e4687fb1441345ee296672ff80a5a60902cffcd257aa81a01fbc3857f3c52e51bb46f56c060fd299e0c05 SHA512 5e035246137d5820691f7ddfc13faec3886e3cf1563ed56633667d86ab4f1306f34cc0e27808f56790b6c6a4614826e54c5b7e47b31eb009b96dde3e52170c45
DIST sudo-1.9.12p2.tar.gz.sig 566 BLAKE2B fa679038c33d2bf1476b56944872d3a18b66bf5c5fb2e660d1f8777cdb209928912ddd8d89d878bd2218df3acd1e7fee5aa850e8d01a1cfac6ab310c788149fa SHA512 0b2f10488c44bfcd94eed97002865d89f4a03a92ef3b890fac3121ef0f9e6c55387771ddead1a94dc92d85c35e3d28b4730f35cdc2aafb51128594555ea29876


@ -0,0 +1,8 @@
## Flatcar changes
- Remove Perl Runtime Dependency
- Remove OpenLDAP schema files for sudo
```
insinto /etc/openldap/schema
newins doc/schema.OpenLDAP sudo.schema
```
- Remove sudo.conf file as it is shipped via baselayout


@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<longdescription lang="en">
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all)
commands as root or another user while logging the commands and
arguments.
</longdescription>
<use>
<flag name="gcrypt">Use message digest functions from <pkg>dev-libs/libgcrypt</pkg> instead of sudo's</flag>
<flag name="offensive">Let sudo print insults when the user types the wrong password</flag>
<flag name="sendmail">Allow sudo to send emails with sendmail</flag>
<flag name="sssd">Add System Security Services Daemon support</flag>
<flag name="secure-path">Replace PATH variable with compile time secure paths</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:todd_miller:sudo</remote-id>
<remote-id type="github">sudo-project/sudo</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,291 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit pam libtool tmpfiles toolchain-funcs
MY_P="${P/_/}"
MY_P="${MY_P/beta/b}"
DESCRIPTION="Allows users or groups to run commands as other users"
HOMEPAGE="https://www.sudo.ws/"
if [[ ${PV} == 9999 ]] ; then
inherit mercurial
EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
else
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sudo.ws.asc
inherit verify-sig
uri_prefix=
case ${P} in
*_beta*|*_rc*) uri_prefix=beta/ ;;
esac
SRC_URI="
https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
verify-sig? (
https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
)
"
if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~sparc-solaris"
fi
BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-sudo )"
fi
S="${WORKDIR}/${MY_P}"
# Basic license is ISC-style as-is, some files are released under
# 3-clause BSD license
LICENSE="ISC BSD"
SLOT="0"
IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
DEPEND="
sys-libs/zlib:=
virtual/libcrypt:=
gcrypt? ( dev-libs/libgcrypt:= )
ldap? (
>=net-nds/openldap-2.1.30-r1:=
sasl? (
dev-libs/cyrus-sasl
net-nds/openldap:=[sasl]
)
)
pam? ( sys-libs/pam )
sasl? ( dev-libs/cyrus-sasl )
selinux? ( sys-libs/libselinux )
skey? ( >=sys-auth/skey-1.1.5-r1 )
ssl? ( dev-libs/openssl:0= )
sssd? ( sys-auth/sssd[sudo] )
"
#Flatcar: Remove Perl runtime dependency
# ldap? ( dev-lang/perl )
RDEPEND="
${DEPEND}
>=app-misc/editor-wrapper-3
virtual/editor
pam? ( sys-auth/pambase )
selinux? ( sec-policy/selinux-sudo )
sendmail? ( virtual/mta )
"
BDEPEND+="
sys-devel/bison
virtual/pkgconfig
"
REQUIRED_USE="
?? ( pam skey )
?? ( gcrypt ssl )
"
MAKEOPTS+=" SAMPLES="
src_prepare() {
default
elibtoolize
}
set_secure_path() {
# First extract the default ROOTPATH from build env
SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
case "${SECURE_PATH}" in
*/usr/sbin*)
;;
*)
SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
;;
esac
if [[ -z ${SECURE_PATH} ]] ; then
ewarn " Failed to detect SECURE_PATH, please report this"
fi
# Then remove duplicate path entries
cleanpath() {
local newpath thisp IFS=:
for thisp in $1 ; do
if [[ :${newpath}: != *:${thisp}:* ]] ; then
newpath+=:${thisp}
else
einfo " Duplicate entry ${thisp} removed..."
fi
done
SECURE_PATH=${newpath#:}
}
cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
# Finally, strip gcc paths, bug #136027
rmpath() {
local e newpath thisp IFS=:
for thisp in ${SECURE_PATH} ; do
for e ; do
[[ ${thisp} == ${e} ]] && continue 2 ;
done
newpath+=:${thisp}
done
SECURE_PATH=${newpath#:}
}
rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
}
src_configure() {
local SECURE_PATH
set_secure_path
# bug #767712
tc-export PKG_CONFIG
# - audit: somebody got to explain me how I can test this before I
# enable it.. - Diego
# - plugindir: autoconf code is crappy and does not delay evaluation
# until `make` time, so we have to use a full path here rather than
# basing off other values.
local myeconfargs=(
# We set all of the relevant options by ourselves (patched
# into the toolchain) and setting these in the build system
# actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
# (it'll downgrade to =2). So, this has no functional effect on
# the hardening for users. It's safe.
--disable-hardening
# requires some python eclass
--disable-python
--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
--enable-zlib=system
--with-editor="${EPREFIX}"/usr/libexec/editor
--with-env-editor
--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
--with-rundir="${EPREFIX}"/run/sudo
--with-vardir="${EPREFIX}"/var/db/sudo
--without-linux-audit
--without-opie
$(use_enable gcrypt)
$(use_enable nls)
$(use_enable sasl)
$(use_enable ssl openssl)
$(use_with ldap)
$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
$(use_with offensive insults)
$(use_with offensive all-insults)
$(use_with pam)
$(use_with pam pam-login)
$(use_with secure-path secure-path "${SECURE_PATH}")
$(use_with selinux)
$(use_with sendmail)
$(use_with skey)
$(use_with sssd)
)
econf "${myeconfargs[@]}"
}
src_install() {
default
if use ldap ; then
dodoc README.LDAP.md
cat <<-EOF > "${T}"/ldap.conf.sudo
# See ldap.conf(5) and README.LDAP.md for details
# This file should only be readable by root
# supported directives: host, port, ssl, ldap_version
# uri, binddn, bindpw, sudoers_base, sudoers_debug
# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
EOF
if use sasl ; then
cat <<-EOF >> "${T}"/ldap.conf.sudo
# SASL directives: use_sasl, sasl_mech, sasl_auth_id
# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
EOF
fi
insinto /etc
doins "${T}"/ldap.conf.sudo
fperms 0440 /etc/ldap.conf.sudo
#Flatcar: we don't ship OpenLDAP schemas
fi
if use pam ; then
pamd_mimic system-auth sudo auth account session
pamd_mimic system-auth sudo-i auth account session
fi
keepdir /var/db/sudo/lectured
fperms 0700 /var/db/sudo/lectured
# bug #652958
fperms 0711 /var/db/sudo
# Don't install into /run as that is a tmpfs most of the time
# (bug #504854)
rm -rf "${ED}"/run || die
# bug #697812
find "${ED}" -type f -name "*.la" -delete || die
# Flatcar: Remove sudo.conf as it is shipped via baselayout
rm "${ED}/etc/sudo.conf" || die
}
pkg_postinst() {
tmpfiles_process sudo.conf
# bug #652958
local sudo_db="${EROOT}/var/db/sudo"
if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
chmod 711 "${sudo_db}" || die
fi
if use ldap ; then
ewarn
ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
ewarn
if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
ewarn "configured in ${ROOT}/etc/nsswitch.conf."
ewarn
ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
ewarn " sudoers: ldap files"
ewarn
fi
fi
if use prefix ; then
ewarn
ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
ewarn "with root privileges, as follows:"
ewarn
ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
ewarn
fi
elog "To use the -A (askpass) option, you need to install a compatible"
elog "password program from the following list. Starred packages will"
elog "automatically register for the use with sudo (but will not force"
elog "the -A option):"
elog ""
elog " [*] net-misc/ssh-askpass-fullscreen"
elog " net-misc/x11-ssh-askpass"
elog ""
elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
elog "variable to the program you want to use."
}
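Review bot: In pkg_postinst, `[[ "$(stat -c %a "${sudo_db}")" -ne 711 ]]` treats a failed stat (empty substitution) as the number 0, so should ${EROOT}/var/db/sudo be absent the branch runs chmod on a missing path and the ebuild dies in postinst instead of skipping the fix-up. Guarding on existence keeps the permission repair best-effort: `if [[ -d ${sudo_db} && "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then`. Separately, the Flatcar comment above `rm "${ED}/etc/sudo.conf" || die` would benefit from one more clause saying that the `tmpfiles_process sudo.conf` call in pkg_postinst refers to the tmpfiles.d fragment installed via --enable-tmpfiles.d, not to the removed /etc/sudo.conf, since the two names are easy to conflate.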


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
toolbox-9999.ebuild


@ -0,0 +1,28 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/toolbox"
CROS_WORKON_LOCALNAME="toolbox"
CROS_WORKON_REPO="https://github.com"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="9695c9b42036ac958fae10a6268f95ae5c3fcc2b" # flatcar-master
KEYWORDS="amd64 arm64"
fi
inherit cros-workon
DESCRIPTION="toolbox"
HOMEPAGE="https://github.com/flatcar/toolbox"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_install() {
dobin ${S}/toolbox
}
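Review bot: `dobin ${S}/toolbox` in src_install leaves ${S} unquoted; ebuild convention quotes every path expansion, so `dobin "${S}"/toolbox`. The pinned CROS_WORKON_COMMIT is annotated only with `# flatcar-master`; adding the date or tag the hash corresponds to would make the next bump easier to audit against the upstream branch.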


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
updateservicectl-9999.ebuild


@ -0,0 +1,32 @@
# Copyright (c) 2014 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/updateservicectl"
CROS_WORKON_LOCALNAME="updateservicectl"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/flatcar/updateservicectl"
COREOS_GO_GO111MODULE="on"
inherit cros-workon coreos-go
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="446f13594465503a3fdfc9106fd8a0c3123249c2" # main
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="CoreUpdate Management CLI"
HOMEPAGE="https://github.com/flatcar/updateservicectl"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
RDEPEND="!app-admin/updatectl"
src_prepare() {
coreos-go_src_prepare
GOPATH+=":${S}/Godeps/_workspace"
}
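Review bot: src_prepare appends `${S}/Godeps/_workspace` to GOPATH while COREOS_GO_GO111MODULE is set to `on`; in module mode the Go toolchain resolves dependencies from go.mod rather than from GOPATH, so this line is likely inert, and if the build genuinely relies on the Godeps workspace then module mode is the wrong setting. Either drop the GOPATH line or document why both are present, e.g. `# GOPATH kept for the Godeps workspace — confirm still needed with modules on`.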


@ -0,0 +1,33 @@
#!/bin/bash
set -e
bin=${0##*/}
seal=/run/metadata/torcx
if [ -z "${bin}" ]
then
echo 'Failed to determine the executed program name.' 1>&2
exit 1
fi
if [ -s "${seal}" ]
then
. "${seal}"
else
echo "The program ${bin} is managed by torcx, which did not run." 1>&2
exit 1
fi
if [ -z "${TORCX_BINDIR-}" ]
then
echo "The torcx seal file ${seal} is invalid." 1>&2
exit 1
fi
if [ ! -x "${TORCX_BINDIR}/${bin}" ]
then
echo "The current torcx profile did not install a ${bin} program." 1>&2
exit 1
fi
PATH="${TORCX_BINDIR}${PATH:+:${PATH}}" exec "${TORCX_BINDIR}/${bin}" "$@"
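Review bot: `. "${seal}"` executes /run/metadata/torcx as shell, so whoever can write that file decides which binary this wrapper execs and what PATH it runs with, yet the script only checks that the file is non-empty before sourcing it. A comment above the source line stating the trust boundary would help maintainers, e.g. `# The seal is sourced as shell: it must be produced only by torcx-generator at boot and must never be writable by unprivileged users.` The later `${TORCX_BINDIR-}` default already anticipates `set -u`, so `set -eu` at the top would make that intent uniform.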


@ -0,0 +1,11 @@
{
"kind": "profile-manifest-v0",
"value": {
"images": [
{
"name": "docker",
"reference": "com.coreos.cl"
}
]
}
}


@ -0,0 +1,41 @@
#!/bin/bash
# Wrapper for launching docker daemons with selinux default on
# This wrapper script has been deprecated (euank: 2017-05-09) and is retained
# for backwards compatibility.
set -e
parse_docker_args() {
local flag
while [[ $# -gt 0 ]]; do
flag="$1"
shift
# treat --flag=foo and --flag foo identically
if [[ "${flag}" == *=* ]]; then
set -- "${flag#*=}" "$@"
flag="${flag%=*}"
fi
case "${flag}" in
--selinux-enabled)
ARG_SELINUX="$1"
shift
;;
*)
# ignore everything else
;;
esac
done
}
parse_docker_args "$@"
USE_SELINUX=""
# Do not override selinux if it is already explicitly configured.
if [[ -z "${ARG_SELINUX}" ]]; then
# If unspecified, default off
USE_SELINUX="--selinux-enabled=false"
fi
exec dockerd "$@" ${USE_SELINUX}
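Review bot: parse_docker_args assumes `--selinux-enabled` is always followed by a value, but dockerd also accepts the bare boolean form; with `--selinux-enabled` as the last argument the function runs `shift` on an empty list, which under `set -e` likely aborts the wrapper, and when it is not last the following flag is consumed as its value. In the last-argument case ARG_SELINUX stays empty, so the wrapper appends `--selinux-enabled=false` after the user's arguments and the explicit request to enable SELinux is overridden by the later flag. Treating a missing or `-`-prefixed next word as boolean true fixes both cases; the header marks the wrapper as deprecated, so this may be acceptable if no caller uses the bare form.
```shell
      --selinux-enabled)
        # bare --selinux-enabled is boolean true; only consume a following value
        if [[ $# -gt 0 && "$1" != -* ]]; then
          ARG_SELINUX="$1"
          shift
        else
          ARG_SELINUX="true"
        fi
        ;;
      # … unchanged: default arm …
```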


@ -0,0 +1,7 @@
[Unit]
Description=Verify torcx succeeded
DefaultDependencies=no
AssertPathExists=/run/metadata/torcx
[Install]
WantedBy=basic.target


@ -0,0 +1,11 @@
{
"kind": "profile-manifest-v0",
"value": {
"images": [
{
"name": "docker",
"reference": "com.coreos.cl"
}
]
}
}


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
torcx-9999.ebuild


@ -0,0 +1,58 @@
# Copyright (c) 2017-2018 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="flatcar/torcx"
CROS_WORKON_LOCALNAME="torcx"
CROS_WORKON_REPO="https://github.com"
COREOS_GO_PACKAGE="github.com/flatcar/torcx"
COREOS_GO_GO111MODULE="off"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="3e7173395658a7e43ec0cb0dd2077795931d857f" # flatcar-master
KEYWORDS="amd64 arm64"
fi
inherit coreos-go cros-workon systemd
DESCRIPTION="torcx is a boot-time addon manager for immutable systems"
HOMEPAGE="https://github.com/flatcar/torcx"
LICENSE="Apache-2.0"
SLOT="0"
src_compile() {
CGO_ENABLED=0 go_export
${EGO} build -v \
-p "$(makeopts_jobs)" \
-ldflags "-X ${COREOS_GO_PACKAGE}/pkg/version.VERSION=${PV}" \
-o "bin/${ARCH}/torcx" \
-tags containers_image_openpgp \
"${COREOS_GO_PACKAGE}"
}
src_install() {
local generatordir=/usr/lib/systemd/system-generators
local vendordir=/usr/share/torcx
local libcoreosdir=/usr/lib/flatcar
# Install generator and userland.
exeinto "${generatordir}"
newexe "${S}/bin/${ARCH}/torcx" torcx-generator
dosym ../systemd/system-generators/torcx-generator "${libcoreosdir}/torcx"
systemd_dounit "${FILESDIR}/torcx.target"
insinto "${vendordir}/profiles"
doins "${FILESDIR}/docker-1.12-no.json"
doins "${FILESDIR}/vendor.json"
dodir "${vendordir}/store"
# Preserve program paths for torcx packages.
newbin "${FILESDIR}/compat-wrapper.sh" docker
for link in {docker-,}{containerd{,-shim},runc} ctr docker-{init,proxy} dockerd tini
do ln -fns docker "${ED}/usr/bin/${link}"
done
exeinto /usr/lib/flatcar
newexe "${FILESDIR}/dockerd-wrapper.sh" dockerd
}
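Review bot: the `ln -fns docker "${ED}/usr/bin/${link}"` loop in src_install has no `|| die`, so a failed symlink would be ignored and the image would silently lack that compat entry point; ebuild convention is `ln -fns docker "${ED}/usr/bin/${link}" || die`. The loop variable is also not declared `local`, unlike the three directory variables at the top of the function; `local link` keeps the function self-contained.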


@ -0,0 +1,2 @@
DIST syft-0.51.0-deps.tar.xz 632084588 BLAKE2B f9b3e4e41521c25b6e338f2b8f3bba0be08e7608d95de7dba6f5f104e22b8de8a4b419e574e19634099a3bbc55556f83949c68abd5ae52d14b5e97cb9306bf22 SHA512 819236c275762cc42c60339ee2d6886f0998f34609ab0bbef3150b23fbcf3cecaea63d92f6e2e161bf3ec30edae00ef467755900fd1c98389db2f9cd8113fbf4
DIST syft-0.51.0.tar.gz 3727474 BLAKE2B ae9f54f421faa530aabbbadd985071f603ccaa32c6cd5f0dd400ea9163a218e8ddd5e7035042a7eda6cd06910ce96ae0f42b7422c932992fad812431a42ac059 SHA512 fb844a76d3f3f303e781cea40ac6fb573927f6465a39da10fe9cffeb08ce7b1e8b8ed4acb219206e53159f802eaa12dce73ce5bc3b868f6f4270a30498b6b767


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
</pkgmetadata>


@ -0,0 +1,24 @@
# Copyright 2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module
DESCRIPTION="Generate a Software Bill of Materials from container images and filesystems"
HOMEPAGE="https://www.anchore.com"
SRC_URI="https://github.com/anchore/syft/archive/v${PV}.tar.gz -> ${P}.tar.gz"
SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-deps.tar.xz"
LICENSE="Apache-2.0"
SLOT="0"
# Flatcar: keyword for arm64 and amd64
KEYWORDS="amd64 arm64"
src_compile() {
# Flatcar: add ldflags to set version
ego build -o bin/syft -ldflags "-X github.com/anchore/syft/internal/version.version=${PV}" ./cmd/syft
}
src_install() {
dobin bin/*
}
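Review bot: src_install uses `dobin bin/*` although src_compile builds exactly one binary at `bin/syft`; `dobin bin/syft` states the intent and cannot pick up stray files should bin/ ever gain other content. This is purely a point of style, since the glob is correct today.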


@ -0,0 +1,2 @@
DIST gnupg-2.2.35.tar.bz2 7262687 BLAKE2B 18b5965151ded3b3f28d139824e14d7a6f1673c5192ec5f5a80366a6d5f2e04ed7fa035e2bff105e1752753584f992626ccc9ea8840c2bfa39ffe7ca39b81f7f SHA512 ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
DIST gnupg-2.2.35.tar.bz2.sig 119 BLAKE2B d95323703c12c9474b21fa91ddb70d4d4d464c794223e21f6ae5d4de955f07a5cabde50612e977168ea6071c4b12be3262cbafe9bcaa8e9a0b009318c0ff6718 SHA512 9043894730520e974e7bc17e0f95419c319fbcd514f102faf644e2f5580e238719cecb8b5e778ecf20f9212ee2554206eb0686e8b5fce7f8c556146657660fe2


@ -0,0 +1,33 @@
From e3bdb7d17264b8d5bd9abab97c96d9c4a50e4f61 Mon Sep 17 00:00:00 2001
From: Kristian Fiskerstrand <kf@sumptuouscapital.com>
Date: Mon, 3 Apr 2017 23:44:56 +0300
Subject: [PATCH] gpgscm: Use shorter socket path lengts to improve test
reliability
--
As socket lengths are normally restricted to 108 characters
(UNIX_PATH_MAX variable in /usr/include/linux/un.h), using 42 characters
by default easily results in errors.
---
tests/gpgscm/tests.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/gpgscm/tests.scm b/tests/gpgscm/tests.scm
index 592b36f..f54a387 100644
--- a/tests/gpgscm/tests.scm
+++ b/tests/gpgscm/tests.scm
@@ -273,9 +273,9 @@
(canonical-path (_mkdtemp (if (null? components)
(path-join
(get-temp-path)
- (string-append "gpgscm-" (get-isotime) "-"
+ (string-append "gscm"
(basename-suffix *scriptname* ".scm")
- "-XXXXXX"))
+ "XXXXXX"))
(apply path-join components)))))
;; Make a temporary directory and remove it at interpreter shutdown.
--
2.10.2


@ -0,0 +1,45 @@
https://bugs.gentoo.org/855395
https://marc.info/?l=oss-security&m=165657063921408&w=2
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21
From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 14 Jun 2022 11:33:27 +0200
Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
}
first = 0;
}
- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
+ for (esc=0, s=buffer, n=len; n; s++, n--)
{
if (*s == '%' || *(const byte*)s <= lower_limit
|| *(const byte*)s == 127 )
esc = 1;
if (wrap && ++count > wrap)
- {
- dowrap=1;
- break;
- }
- }
- if (esc)
- {
- s--; n++;
+ dowrap=1;
+ if (esc || dowrap)
+ break;
}
if (s != buffer)
es_fwrite (buffer, s-buffer, 1, statusfp);


@ -0,0 +1,32 @@
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:43 +0200
Subject: gpg: accept subkeys with a good revocation but no self-sig during
import
* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
encounter a valid revocation signature. This allows import of subkey
revocation signatures, even in the absence of a corresponding subkey
binding signature.
--
This fixes the remaining test in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/g10/import.c b/g10/import.c
index f9acf95..9217911 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
/* It's valid, so is it newer? */
if (sig->timestamp >= rsdate)
{
+ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */
if (rsnode)
{
/* Delete the last revocation sig since


@ -0,0 +1,106 @@
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:42 +0200
Subject: gpg: allow import of previously known keys, even without UIDs
* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
has no user id, as long as we already have a local variant of the cert
that matches the primary key.
--
This fixes two of the three broken tests in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 44 +++++++++++---------------------------------
1 file changed, 11 insertions(+), 33 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index 5d3162c..f9acf95 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
size_t an;
char pkstrbuf[PUBKEY_STRING_SIZE];
int merge_keys_done = 0;
- int any_filter = 0;
KEYDB_HANDLE hd = NULL;
if (r_valid)
@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
log_printf ("\n");
}
-
- if (!uidnode )
- {
- if (!silent)
- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
- return 0;
- }
-
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
}
}
- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
- {
- if (!silent)
- {
- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet )
- log_info(_("this may be caused by a missing self-signature\n"));
- }
- stats->no_user_id++;
- return 0;
- }
+ /* Delete invalid parts, and note if we have any valid ones left.
+ * We will later abort import if this key is new but contains
+ * no valid uids. */
+ delete_inv_parts (ctrl, keyblock, keyid, options);
/* Get rid of deleted nodes. */
commit_kbnode (&keyblock);
@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
{
apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
commit_kbnode (&keyblock);
- any_filter = 1;
}
if (import_filter.drop_sig)
{
apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
commit_kbnode (&keyblock);
- any_filter = 1;
- }
-
- /* If we ran any filter we need to check that at least one user id
- * is left in the keyring. Note that we do not use log_error in
- * this case. */
- if (any_filter && !any_uid_left (keyblock))
- {
- if (!opt.quiet )
- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
- stats->no_user_id++;
- return 0;
}
/* The keyblock is valid and ready for real import. */
@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
err = 0;
stats->skipped_new_keys++;
}
+ else if (err && !any_uid_left (keyblock))
+ {
+ if (!silent)
+ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
+ err = 0;
+ stats->no_user_id++;
+ }
else if (err) /* Insert this key. */
{
/* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */


@ -0,0 +1,165 @@
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# Flatcar: use EAPI=7, until EAPI 8 could be fully supported
EAPI=7
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
inherit flag-o-matic systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND=">=dev-libs/libassuan-2.5.0
>=dev-libs/libgcrypt-1.8.0:=
>=dev-libs/libgpg-error-1.29
>=dev-libs/libksba-1.3.5
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:0= )
smartcard? ( usb? ( virtual/libusb:1 ) )
ssl? ( >=net-libs/gnutls-3.0:0= )
tofu? ( >=dev-db/sqlite-3.7 )"
RDEPEND="${DEPEND}
app-crypt/pinentry
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )"
BDEPEND="virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
"${FILESDIR}"/${P}-status-messages-garbled.patch
# Flatcar: the patches below are added only for Flatcar, to address the
# upstream gnupg issue https://dev.gnupg.org/T4393.
"${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch"
"${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch"
)
src_prepare() {
default
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
}
src_configure() {
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpg
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
econf "${myconf[@]}"
}
src_compile() {
default
use doc && emake -C doc html
}
src_test() {
# bug #638574
use tofu && export TESTFLAGS=--parallel
default
}
src_install() {
default
use tools &&
dobin \
tools/{convert-from-106,gpg-check-pattern} \
tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/* doc/*.png
systemd_douserunit doc/examples/systemd-user/*.{service,socket}
}
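Review bot: the two Flatcar-only patches in PATCHES relax key import (accepting a certificate with no user ID when the primary key is already known, and setting the good-self-sig flag on a valid subkey revocation), but the comment only references the upstream issue and not which Flatcar workflow needs that behaviour. Because these change what gpg accepts on import, a sentence such as `# Needed by <component placeholder> which imports <what placeholder>; reassess on each rebase` would let a future rebase judge whether the deviation is still required. The patch bodies themselves carry their upstream authorship in their headers and are not re-reviewed here.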


@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>zlogene@gentoo.org</email>
<name>Mikle Kolyada</name>
</maintainer>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<use>
<flag name="smartcard">
Build scdaemon software. Enables usage of OpenPGP cards. For
other type of smartcards, try <pkg>app-crypt/gnupg-pkcs11-scd</pkg>.
Bring in <pkg>dev-libs/libusb</pkg> as a dependency; enable scdaemon.
</flag>
<flag name="usb">
Build direct CCID access for scdaemon; requires <pkg>dev-libs/libusb</pkg>.
</flag>
<flag name="user-socket">
try a socket directory which is not removed by init manager at session end
</flag>
<flag name="tofu">
Enable support for Trust on First use trust model; requires <pkg>dev-db/sqlite</pkg>.
</flag>
<flag name="tools">
Install extra tools (including gpgsplit and gpg-zip).
</flag>
<flag name="tpm">
Enable TPM support via <pkg>app-crypt/tpm2-tss</pkg> and build tpm2d.
</flag>
<flag name="wks-server">
Install the wks-server
</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:gnupg:gnupg</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,11 @@
[Unit]
Description=TPM remote access daemon
Requires=tcsd.service
[Service]
ExecStart=/bin/tpmd 23179
Restart=always
RestartSec=0
[Install]
WantedBy=multi-user.target
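Review bot: `ExecStart=/bin/tpmd 23179` starts what the Description calls a remote access daemon as root, with an unexplained numeric argument and no sandboxing directives. A comment above ExecStart naming the argument, e.g. `# 23179: presumably the port tpmd listens on — confirm against go-tspi`, plus consideration of systemd hardening such as `ProtectSystem=strict` and `PrivateTmp=yes` where tpmd's access to tcsd still permits, would make the exposure explicit to whoever enables the unit.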


@ -0,0 +1 @@
go-tspi-9999.ebuild


@ -0,0 +1,31 @@
EAPI=7
inherit coreos-go eutils git-r3 systemd
COREOS_GO_PACKAGE="github.com/coreos/go-tspi"
COREOS_GO_GO111MODULE="off"
EGIT_REPO_URI="https://github.com/coreos/go-tspi.git"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
EGIT_COMMIT="27182e3e7b1dfcfb398b5408a619abc4f652a38b"
KEYWORDS="amd64 arm64"
fi
IUSE=""
LICENSE="Apache-2.0"
SLOT="0"
RDEPEND="app-crypt/trousers"
DEPEND="${RDEPEND}"
src_compile() {
go_build "${COREOS_GO_PACKAGE}/tpmd"
go_build "${COREOS_GO_PACKAGE}/tpmown"
}
src_install() {
dobin ${GOBIN}/*
systemd_dounit "${FILESDIR}"/tpmd.service
}
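Review bot: the ebuild has no DESCRIPTION, HOMEPAGE or copyright header, unlike the other ebuilds in this commit, and repoman treats a missing DESCRIPTION as an error; at minimum `DESCRIPTION="<short summary placeholder>"` and `HOMEPAGE="https://github.com/coreos/go-tspi"` (the repository already named in EGIT_REPO_URI) should be added. `dobin ${GOBIN}/*` in src_install also leaves ${GOBIN} unquoted: `dobin "${GOBIN}"/*`.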


@ -0,0 +1 @@
DIST p11-kit-0.23.22.tar.xz 830016 BLAKE2B 4e1edfd9e2441d237c07a16c003aee5ffde38f1cf545c26e435645429f2cfa4fe7ca61cdc3c3940390aa040ba991f2ee3995b14cc31bb886d5eeffa8ed5e1721 SHA512 098819e6ca4ad9cc2a0bc2e478aea67354d051a4f03e6c7d75d13d2469b6dc7654f26b15530052f6ed51acb35531c2539e0f971b31e29e6673e857c903afb080


@ -0,0 +1,4 @@
We forked this package to fix the systemd user unit directory and bash
completion directory detection in the cross-compilation scenario.
These fixes could be upstreamed to gentoo.


@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>zlogene@gentoo.org</email>
<name>Mikle Kolyada</name>
</maintainer>
<use>
<flag name="asn1">Enable ASN.1 certificate support</flag>
<flag name="trust">Build the trust policy module</flag>
</use>
<upstream>
<remote-id type="github">p11-glue/p11-kit</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,69 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
# Flatcar: inherit systemd eclass for the systemd user unit directory
# getter, and bash-completion-r1 for bash completion directory getter.
inherit multilib-minimal systemd bash-completion-r1
DESCRIPTION="Provides a standard configuration setup for installing PKCS#11"
HOMEPAGE="https://p11-glue.github.io/p11-glue/p11-kit.html"
SRC_URI="https://github.com/p11-glue/p11-kit/releases/download/${PV}/${P}.tar.xz"
LICENSE="MIT"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
IUSE="+asn1 debug +libffi systemd +trust"
REQUIRED_USE="trust? ( asn1 )"
RDEPEND="asn1? ( >=dev-libs/libtasn1-3.4:=[${MULTILIB_USEDEP}] )
libffi? ( dev-libs/libffi:=[${MULTILIB_USEDEP}] )
systemd? ( sys-apps/systemd:= )
trust? ( app-misc/ca-certificates )"
DEPEND="${RDEPEND}"
BDEPEND="virtual/pkgconfig"
pkg_setup() {
# disable unsafe tests, bug#502088
export FAKED_MODE=1
}
src_prepare() {
if [[ ${CHOST} == *-solaris2.* && ${CHOST##*-solaris2.} -lt 11 ]] ; then
# Solaris 10 and before doesn't know about XPG7 (XOPEN_SOURCE=700)
# drop to XPG6 to make feature_tests.h happy
sed -i -e '/define _XOPEN_SOURCE/s/700/600/' common/compat.c || die
# paths.h isn't available, oddly enough also not used albeit included
sed -i -e '/#include <paths.h>/d' trust/test-trust.c || die
# we don't have SUN_LEN here
sed -i -e 's/SUN_LEN \(([^)]\+)\)/strlen (\1->sun_path)/' \
p11-kit/server.c || die
fi
default
}
multilib_src_configure() {
# Flatcar: Override the detection of the systemd user unit
# directory and bash completion directory with these
# environment variables.
local -x systemduserunitdir=$(systemd_get_userunitdir)
local -x bashcompdir=$(get_bashcompdir)
ECONF_SOURCE="${S}" econf \
$(use_enable trust trust-module) \
$(use_with trust trust-paths ${EPREFIX}/etc/ssl/certs/ca-certificates.crt) \
$(use_enable debug) \
$(use_with libffi) \
$(use_with asn1 libtasn1) \
$(multilib_native_use_with systemd)
if multilib_is_native_abi; then
# re-use provided documentation
ln -s "${S}"/doc/manual/html doc/manual/html || die
fi
}
multilib_src_install_all() {
einstalldocs
find "${D}" -name '*.la' -delete || die
}
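Review bot: in multilib_src_configure, `local -x systemduserunitdir=$(systemd_get_userunitdir)` and the bashcompdir line below fold the command substitution into the declaration, so a non-zero exit from the getter is masked and an empty value would silently reach configure. Declaring first and assigning second, `local -x systemduserunitdir` then `systemduserunitdir=$(systemd_get_userunitdir) || die`, keeps the Flatcar override failing loudly; the same applies to bashcompdir.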


@ -0,0 +1,2 @@
DIST sbsigntool-0.8-ccan.tar.gz 113537 BLAKE2B 8fbf27463d30c1895930628a145be2d521ae4f6adb7af3299bf2f5f4319fd643df0a07347ef6851bd41d233af4c3fc5f77002771af1c43aa0f20665aef2390b8 SHA512 6857096879f116f1802eb6b44789cbea7bb24440bc0f16503aeadf5f276fa45943f322f844dbb9abee717655205d82b830143be3a7f4424fd4146b9360674a09
DIST sbsigntools-0.9.4.tar.gz 57714 BLAKE2B 94797af6c98a9c13cb71e52ba6f7ff07de70660af2194b14061e0cb618d6effff52ef7a4dd2fd4e44e75f022b979442d4290b1d65d63017b2fbebdca5951c5c9 SHA512 953d3d9a7f92b837da966eabe3572163a29c5292e792d5ef17cf842d7373ffaa901377cb4ec68006a6ef2f9c97d48db8ffdd3a6d2853be67016d3484a118bba9


@ -0,0 +1,15 @@
diff --git a/src/idc.c b/src/idc.c
index 6d87bd4..0a82218 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
idc->data->type = OBJ_nid2obj(peid_nid);
idc->data->value = ASN1_TYPE_new();
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
idc->digest->alg->parameter = ASN1_TYPE_new();
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
--
2.25.1


@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>tamiko@gentoo.org</email>
</maintainer>
<upstream>
<remote-id type="launchpad">ubuntu</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,54 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
MY_PN="${PN::-1}"
inherit autotools toolchain-funcs
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/"
SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${PN}.git/snapshot/${P}.tar.gz
https://dev.gentoo.org/~tamiko/distfiles/${MY_PN}-0.8-ccan.tar.gz"
LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0"
SLOT="0"
KEYWORDS="amd64 arm64 ~x86"
IUSE=""
RDEPEND="
dev-libs/openssl:0=
sys-apps/util-linux"
DEPEND="${RDEPEND}
sys-apps/help2man
sys-boot/gnu-efi
sys-libs/binutils-libs
virtual/pkgconfig"
PATCHES=(
"${FILESDIR}"/openssl-3-compat.patch
)
src_prepare() {
mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed"
rmdir "${WORKDIR}"/lib || die "rmdir failed"
local iarch
case ${ARCH} in
amd64) iarch=x86_64 ;;
arm64) iarch=aarch64 ;;
ia64) iarch=ia64 ;;
x86) iarch=ia32 ;;
*) die "unsupported architecture: ${ARCH}" ;;
esac
sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure.ac || die
sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.am || die
sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
# Flatcar change required to compile with OpenSSLv3
sed -i "s/-Werror//g" src/Makefile.am || die
default
eautoreconf
}
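Review bot: The `sed -i "s/-Werror//g" src/Makefile.am` at line 2070 drops -Werror wholesale instead of downgrading the one diagnostic OpenSSL 3 introduces, so every other warning class that used to fail the build of a Secure Boot signing tool now passes silently. The comment does not say which warning it is; if it is the deprecated-declarations one from OpenSSL 3's low-level API (inferred, not shown here), keep the rest fatal with `sed -i 's/-Werror/& -Wno-error=deprecated-declarations/' src/Makefile.am || die` and name the warning in the comment. Each `|| die` on these sed calls only catches sed failing to execute, not a pattern that no longer matches after a version bump; a check such as `grep -q -- '-Werror' src/Makefile.am && die "-Werror sed did not apply"` (adjusted to whichever form is kept) turns a silent no-op into a build failure.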


@ -0,0 +1,33 @@
#!/bin/bash
set -e
if [ ! -c /dev/tpm0 ]; then
>&2 echo "System has no TPM"
exit 1
fi
echo -n '{'
VALUES=();
while read PCR value type event; do
if [ $PCR = 4 ] && [ $type != 0d ]; then
VALUES+=("{\"value\": \"$value\", \"description\": \"$event\"}");
fi;
done </sys/kernel/security/tpm0/ascii_bios_measurements
IFS=, eval 'values="${VALUES[*]}"'
echo '"4": {"binaryvalues": [{"values": ['${values}']}]},'
while read PCR value; do
if [ $PCR = PCR-00: ] || [ $PCR = PCR-01: ] || [ $PCR = PCR-02: ] || [ $PCR = PCR-03: ] || [ $PCR = PCR-05: ] || [ $PCR = PCR-06: ] || [ $PCR = PCR-07: ]; then
PCR=`echo ${PCR/PCR-0/}`
PCR=`echo ${PCR/:/}`
value=`echo ${value// /}`
echo -n '"'$PCR'": {"rawvalues": [{"value": "'$value'", "description": "Initial boot PCR"}]}'
if [ $PCR != 7 ]; then
echo ","
fi
fi
done </sys/class/tpm/tpm0/device/pcrs
echo '}'
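Review bot: The event description read from `/sys/kernel/security/tpm0/ascii_bios_measurements` is spliced into the JSON at line 2088 without escaping, so a `"` or `\` in a firmware or boot-loader event string yields malformed or attacker-shaped JSON for whatever consumes this policy, and that log is written by components this script does not control. Escape before embedding and read with `-r` so backslashes are preserved: `read -r PCR value type event` and `event=${event//\\/\\\\}; event=${event//\"/\\\"}`. `/sys/class/tpm/tpm0/device/pcrs` is never checked the way `/dev/tpm0` is at line 2080, and under `set -e` a failing redirect at line 2103 exits after the `"4": …` object has already been printed, leaving a truncated document — test both sysfs paths up front before emitting anything. The unquoted `$PCR`, `$value` and backtick `echo` rewrites at lines 2095-2098 can become plain parameter expansions (`${PCR#PCR-0}`, `${PCR%:}`, `${value// /}`) with every expansion quoted, which also removes the `[ = 4 ]` error a blank line currently provokes at line 2087.
```shell
for f in /sys/kernel/security/tpm0/ascii_bios_measurements /sys/class/tpm/tpm0/device/pcrs; do
  [ -r "$f" ] || { >&2 echo "Missing $f"; exit 1; }
done
echo -n '{'
VALUES=()
while read -r PCR value type event; do
  if [ "$PCR" = 4 ] && [ "$type" != 0d ]; then
    # escape backslash and double quote so the event string cannot break the JSON
    event=${event//\\/\\\\}
    event=${event//\"/\\\"}
    VALUES+=("{\"value\": \"$value\", \"description\": \"$event\"}")
  fi
done </sys/kernel/security/tpm0/ascii_bios_measurements
# … unchanged: PCR 0-3,5-7 loop over /sys/class/tpm/tpm0/device/pcrs …
```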


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer>
<email>mjg59@srcf.ucam.org</email>
<description>Tools for generating TPM policy</description>
</maintainer>
</pkgmetadata>


@ -0,0 +1,18 @@
# Copyright 1999-2013 Gentoo Foundation
# Copyright 2016 CoreOS, Inc
# Distributed under the terms of the GNU General Public License v2
EAPI=7
DESCRIPTION="Tools for generating TPM policy"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 x86 arm64"
IUSE=""
S="${WORKDIR}"
src_install() {
dosbin "${FILESDIR}"/tpm_hostpolicy
}


@ -0,0 +1 @@
DIST trousers-0.3.14.tar.gz 1378438 BLAKE2B 3dc2824fa2ca1b1f1181f98d59e85276e7d38af4bfc07ee8246431d9ccb300a8e0820b318643d4cf5d757d2a49492c8686e2fe9de03484263d2189d4bbaa32d0 SHA512 bf87f00329cf1d76a12cf6b6181fa22f90e76af3c5786e6e2db98438d2d3f0c0e05364374664173f45e3a2f6c0e2364948d0b958a7845cb23fcb340150cd9b21


@ -0,0 +1,2 @@
KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss", GROUP="tss", SYMLINK+="tpm"
# vim: ft=udevrules:


@ -0,0 +1,9 @@
# /etc/conf.d/tscd
# Configuration file for the TrouSerS' TCS daemon (tcsd) init script
# Have a look on /etc/tcsd.conf too, there is more to configure there.
# TPM_MODULES: name of the module(s) that should be loaded. You only need to
# set this if your driver is not compiled in kernel and is not already loaded
# on boot. (default: unset)
#TPM_MODULES="tpm_atmel"


@ -0,0 +1,38 @@
#!/sbin/openrc-run
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
depend() {
use logger
need net
}
checkconfig() {
local mod
if [ -n "${TPM_MODULES}" ] ; then
for mod in ${TPM_MODULES} ; do
lsmod | grep -q "^${mod}\b" \
|| modprobe ${mod} &>/dev/null \
|| ewarn "Failed to load module ${mod}"
done
# Should we sleep or something to wait for device creation?
fi
if [ ! -c /dev/tpm ] && [ ! -c /dev/tpm0 ] ; then
eerror "No TPM device found!"
return 1
fi
return 0
}
start() {
ebegin "Starting TrouSerS' TCS daemon (tcsd)"
checkconfig || eend $?
start-stop-daemon --start --user tss --exec /usr/sbin/tcsd
eend $?
}
stop() {
ebegin "Stopping TrouSerS' TCS daemon (tcsd)"
start-stop-daemon --stop --quiet --exec /usr/sbin/tcsd --user tss
eend $?
}
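Review bot: `checkconfig || eend $?` at line 2185 reports the failure but does not leave start(), so start-stop-daemon still launches tcsd even when no TPM device was found; the OpenRC idiom is `checkconfig || return 1`. `modprobe ${mod} &>/dev/null` at line 2172 is a bashism — under `#!/sbin/openrc-run` the script is interpreted by sh, where a POSIX shell parses `&>` as a background `&` followed by a redirect, so the `|| ewarn` no longer guards modprobe; use `>/dev/null 2>&1`. The `\b` in `grep -q "^${mod}\b"` is likewise GNU-specific. Note that the Flatcar ebuild in this same commit comments out `newinitd` for this file, so these lines are unused on Flatcar today, but the fix still matters for anyone reusing the overlay with OpenRC.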


@ -0,0 +1,13 @@
[Unit]
Description=TCG Core Services Daemon
ConditionPathExists=/dev/tpm0
ConditionSecurity=!tpm2
[Service]
User=tss
ExecCondition=/bin/bash -c "/usr/bin/test $(cat /sys/class/tpm/*/tpm_version_major | grep -m 1 1 || echo 0) -eq 1"
ExecStart=/usr/sbin/tcsd -f
[Install]
WantedBy=multi-user.target
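Review bot: The `ExecCondition` at line 2204 passes if the first `tpm_version_major` under `/sys/class/tpm/*` containing a `1` is found, while the unit is bound to `/dev/tpm0` through ConditionPathExists, so on a host with more than one TPM the check can succeed on a different device than the one tcsd opens. Reading the device the unit actually uses is both simpler and exact: `ExecCondition=/bin/sh -c 'test "$(cat /sys/class/tpm/tpm0/tpm_version_major)" = 1'`. The daemon also runs with no sandboxing beyond `User=tss`; it opens a privileged device and, per the tmpfiles fragment in this commit, needs only /var/lib/tpm writable, so the usual systemd hardening fits — confirm tcsd's socket and file use before turning on ProtectSystem=strict.
```ini
[Service]
User=tss
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/tpm
DevicePolicy=closed
DeviceAllow=/dev/tpm0 rw
# … unchanged: ExecCondition / ExecStart …
```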


@ -0,0 +1,3 @@
d /var/lib/tpm 0755 tss tss - -
C /etc/tcsd.conf 0640 root tss - /usr/share/trousers/tcsd.conf
C /var/lib/tpm/system.data 0600 tss tss - /usr/share/trousers/system.data
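Review bot: `d /var/lib/tpm 0755 tss tss` at line 2212 makes the TSS persistent-storage directory world-listable at every boot, whereas the upstream install hook kept in the nouseradd patch in this same commit applies `chmod 0700` to that directory; `d` adjusts the mode of an existing directory, so the tmpfiles line wins. Use `d /var/lib/tpm 0700 tss tss - -` so the two agree. Note also that `C` copies only when the destination does not yet exist, so a host that already has /etc/tcsd.conf or system.data keeps its current file and mode — the 0640/0600 here are not enforced on pre-existing files. system.data is a seeded copy shared by every image built from this overlay; whether that is acceptable depends on what the shipped file contains, which this commit does not show.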


@ -0,0 +1,12 @@
diff -urNp trousers-0.3.13.org/dist/Makefile.am trousers-0.3.13/dist/Makefile.am
--- trousers-0.3.13.org/dist/Makefile.am 2014-04-24 21:05:43.000000000 +0300
+++ trousers-0.3.13/dist/Makefile.am 2015-04-08 10:05:51.018955728 +0300
@@ -11,8 +11,6 @@ endif
install-exec-hook:
/bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
if !NOUSERCHECK
- /usr/sbin/groupadd tss || true
- /usr/sbin/useradd -r tss -g tss || true
/bin/chown tss:tss ${DESTDIR}/@localstatedir@/lib/tpm || true
/bin/chmod 0700 ${DESTDIR}/@localstatedir@/lib/tpm
endif


@ -0,0 +1,58 @@
Index: trousers-0.3.14/src/tcs/ps/tcsps.c
===================================================================
--- trousers-0.3.14.orig/src/tcs/ps/tcsps.c
+++ trousers-0.3.14/src/tcs/ps/tcsps.c
@@ -72,7 +72,7 @@ get_file()
}
/* open and lock the file */
- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
if (system_ps_fd < 0) {
LogError("system PS: open() of %s failed: %s",
tcsd_options.system_ps_file, strerror(errno));
Index: trousers-0.3.14/src/tcsd/svrside.c
===================================================================
--- trousers-0.3.14.orig/src/tcsd/svrside.c
+++ trousers-0.3.14/src/tcsd/svrside.c
@@ -473,6 +473,7 @@ main(int argc, char **argv)
}
return TCSERR(TSS_E_INTERNAL_ERROR);
}
+ setgid(pwd->pw_gid);
setuid(pwd->pw_uid);
#endif
#endif
Index: trousers-0.3.14/src/tcsd/tcsd_conf.c
===================================================================
--- trousers-0.3.14.orig/src/tcsd/tcsd_conf.c
+++ trousers-0.3.14/src/tcsd/tcsd_conf.c
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
#ifndef SOLARIS
struct group *grp;
struct passwd *pw;
- mode_t mode = (S_IRUSR|S_IWUSR);
+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
#endif /* SOLARIS */
TSS_RESULT result;
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
}
/* make sure user/group TSS owns the conf file */
- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
- TSS_USER_NAME, TSS_GROUP_NAME);
+ "root", TSS_GROUP_NAME);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
- /* make sure only the tss user can manipulate the config file */
+ /* make sure only the tss user can read (but not manipulate) the config file */
if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
#endif /* SOLARIS */
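Review bot: The `setgid(pwd->pw_gid)` added at line 2255 drops the primary group but leaves tcsd's supplementary groups intact, and neither it nor the following `setuid()` has its return value checked, so a failed drop continues with whatever privileges the daemon started with; the enclosing `main()` lies outside this hunk. A complete drop orders it as `if (setgroups(0, NULL) != 0 || setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0)` followed by `LogError("failed to drop privileges to %s: %s", TSS_USER_NAME, strerror(errno));` and `return TCSERR(TSS_E_INTERNAL_ERROR);`. setgroups(2) needs `<grp.h>`, which this hunk does not show, and since this file backports the CVE-2020-24330/24331/24332 fix, carry such an addition as a separate patch so the backport stays byte-comparable with its source.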


@ -0,0 +1,25 @@
From 5b1dbb5f8eada9002ec10f4ebc0bc418272e58b2 Mon Sep 17 00:00:00 2001
From: Salah Coronya <salah.coronya@gmail.com>
Date: Sun, 7 Jun 2020 12:34:03 -0500
Subject: [PATCH] src/tddl/Makefile.am: Mark tddl.a nodist
This makes tddl.a nodist like the others, so it is not installed
Signed-off-by: Salah Coronya <salah.coronya@gmail.com>
---
src/tddl/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tddl/Makefile.am b/src/tddl/Makefile.am
index 607eb8e..2cd599b 100644
--- a/src/tddl/Makefile.am
+++ b/src/tddl/Makefile.am
@@ -1,4 +1,4 @@
-lib_LIBRARIES=libtddl.a
+noinst_LIBRARIES=libtddl.a
libtddl_a_SOURCES=tddl.c
libtddl_a_CFLAGS=-DAPPID=\"TCSD\ TDDL\" -I${top_srcdir}/src/include -fPIE -DPIE
--
2.26.2


@ -0,0 +1,15 @@
diff --git a/src/include/tcsd.h b/src/include/tcsd.h
index 5b9462b..05bae97 100644
--- a/src/include/tcsd.h
+++ b/src/include/tcsd.h
@@ -166,8 +166,8 @@ void thread_signal_init();
/* signal handling */
#ifndef __APPLE__
-struct sigaction tcsd_sa_int;
-struct sigaction tcsd_sa_chld;
+extern struct sigaction tcsd_sa_int;
+extern struct sigaction tcsd_sa_chld;
#endif
#endif


@ -0,0 +1,28 @@
From b8b1cda430270f03dc556cf9cf7d2fd478101525 Mon Sep 17 00:00:00 2001
From: Alon Bar-Lev <alon.barlev@gmail.com>
Date: Wed, 7 Dec 2016 09:36:34 +0200
Subject: [PATCH] tspi: support libressl
Bug: https://sourceforge.net/p/trousers/bugs/222/
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
---
src/trspi/crypto/openssl/rsa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/trspi/crypto/openssl/rsa.c b/src/trspi/crypto/openssl/rsa.c
index 2b1205f..3e56015 100644
--- a/src/trspi/crypto/openssl/rsa.c
+++ b/src/trspi/crypto/openssl/rsa.c
@@ -38,7 +38,7 @@
#define DEBUG_print_openssl_errors()
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100001L
+#if OPENSSL_VERSION_NUMBER < 0x10100001L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
static int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
--
2.7.3


@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>salah.coronya@gmail.com</email>
<name>Salah Coronya</name>
</maintainer>
<maintainer type="project">
<email>proxy-maint@gentoo.org</email>
<name>Proxy Maintainers</name>
</maintainer>
<upstream>
<remote-id type="cpe">cpe:/a:debian:trousers</remote-id>
<remote-id type="sourceforge">trousers</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,91 @@
# Flatcar modifications:
# - added "Flatcar:" customizations
# - added condition to files/tcsd.service
# - created files/tmpfiles.d/trousers.conf
# - created files/system.data
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
TMPFILES_OPTIONAL=1
inherit autotools linux-info readme.gentoo-r1 systemd tmpfiles udev
DESCRIPTION="An open-source TCG Software Stack (TSS) v1.1 implementation"
HOMEPAGE="http://trousers.sf.net"
SRC_URI="mirror://sourceforge/trousers/${PN}/${P}.tar.gz"
LICENSE="CPL-1.0 GPL-2"
SLOT="0"
KEYWORDS="amd64 arm arm64 ~m68k ~ppc ppc64 ~s390 x86"
IUSE="doc libressl selinux" # gtk
# gtk support presently does NOT compile.
# gtk? ( >=x11-libs/gtk+-2 )
DEPEND="acct-group/tss
acct-user/tss
>=dev-libs/glib-2
!libressl? ( >=dev-libs/openssl-0.9.7:0= )
libressl? ( dev-libs/libressl:0= )"
RDEPEND="${DEPEND}
selinux? ( sec-policy/selinux-tcsd )"
BDEPEND="virtual/pkgconfig"
PATCHES=(
"${FILESDIR}/${PN}-0.3.13-nouseradd.patch"
"${FILESDIR}/${P}-libressl.patch"
"${FILESDIR}/${P}-fno-common.patch"
"${FILESDIR}/${P}-Makefile.am-Mark-tddl.a-nodist.patch"
"${FILESDIR}/${P}-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch"
)
DOCS="AUTHORS ChangeLog NICETOHAVES README TODO"
DOC_CONTENTS="
If you have problems starting tcsd, please check permissions and
ownership on /dev/tpm* and ~tss/system.data
"
S="${WORKDIR}"
CONFIG_CHECK="~TCG_TPM"
src_prepare() {
default
eautoreconf
}
src_configure() {
# econf --with-gui=$(usex gtk gtk openssl)
econf --with-gui=openssl
}
src_install() {
default
find "${D}" -name '*.la' -delete || die
keepdir /var/lib/tpm
use doc && dodoc doc/*
# Flatcar: Comment out the openrc stuff.
# newinitd "${FILESDIR}"/tcsd.initd tcsd
# newconfd "${FILESDIR}"/tcsd.confd tcsd
fowners root:tss /etc/tcsd.conf
systemd_dounit "${FILESDIR}"/tcsd.service
# Flatcar:
systemd_enable_service multi-user.target tcsd.service
udev_dorules "${FILESDIR}"/61-trousers.rules
fowners tss:tss /var/lib/tpm
readme.gentoo_create_doc
# Flatcar:
insinto /usr/share/trousers/
doins "${FILESDIR}"/system.data
# stash a copy of the config so we can restore it from tmpfiles
doins "${D}"/etc/tcsd.conf
fowners tss:tss /usr/share/trousers/system.data
fowners root:tss /usr/share/trousers/tcsd.conf
dotmpfiles "${FILESDIR}"/tmpfiles.d/trousers.conf
}
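Review bot: The CVE patch listed in PATCHES makes tcsd refuse to start unless `/etc/tcsd.conf` is root:tss and mode 0640 (its conf_file_init hunk), yet src_install only sets the owner with `fowners root:tss /etc/tcsd.conf` at line 2438 and leaves the mode at whatever upstream's install produced; pair it with `fperms 0640 /etc/tcsd.conf`. The reference copy placed under /usr/share/trousers by `doins` lands at 0644 regardless of `fowners`, so add `fperms 0640 /usr/share/trousers/tcsd.conf` and `fperms 0600 /usr/share/trousers/system.data` so the stashed files match the modes the tmpfiles `C` lines restore. `keepdir /var/lib/tpm` at line 2433 plus `fowners tss:tss` likewise sets no mode; whether upstream's `chmod 0700` runs depends on the NOUSERCHECK automake conditional, which nothing in this ebuild configures explicitly, so an explicit `fperms 0700 /var/lib/tpm` removes the doubt.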


@ -0,0 +1 @@
acbuild-9999.ebuild


@ -0,0 +1,49 @@
# Copyright (c) 2015 CoreOS, Inc.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="appc/acbuild"
CROS_WORKON_REPO="https://github.com"
CROS_WORKON_LOCALNAME="appc-acbuild"
COREOS_GO_PACKAGE="github.com/appc/acbuild"
COREOS_GO_GO111MODULE="off"
inherit coreos-go toolchain-funcs cros-workon
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="2d120a832bd4c3601ca307bf7dd1612a12b55d29" # v0.4.0
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="A build tool for ACIs"
HOMEPAGE="https://github.com/appc/acbuild"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
RDEPEND="sys-apps/kmod
app-crypt/gnupg
sys-apps/systemd"
src_compile(){
if [[ "${PV}" == 9999 ]]; then
# set semver
local v
v=$(git describe --long --dirty) || die
v=${v#v}
v=${v/-/+}
GO_LDFLAGS="-X ${COREOS_GO_PACKAGE}/lib.Version=${v}"
else
GO_LDFLAGS="-X ${COREOS_GO_PACKAGE}/lib.Version=${PV}"
fi
go_build "${COREOS_GO_PACKAGE}/acbuild"
}
src_install(){
dobin "${WORKDIR}/gopath/bin/acbuild"
}


@ -0,0 +1 @@
actool-9999.ebuild


@ -0,0 +1,33 @@
# Copyright (c) 2015 CoreOS, Inc.
# Distributed under the terms of the GNU General Public License v2
EAPI=7
CROS_WORKON_PROJECT="appc/spec"
CROS_WORKON_REPO="https://github.com"
CROS_WORKON_LOCALNAME="appc-spec"
COREOS_GO_PACKAGE="github.com/appc/spec"
COREOS_GO_GO111MODULE="off"
inherit coreos-go cros-workon
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm64"
else
CROS_WORKON_COMMIT="cbe99b7160b1397bf89f9c8bb1418f69c9424049" # v0.8.11
KEYWORDS="amd64 arm64"
fi
DESCRIPTION="App Container builder and validator"
HOMEPAGE="https://github.com/appc/spec"
SRC_URI=""
LICENSE="Apache-2.0"
SLOT="0"
IUSE=""
src_compile() {
go_build "${COREOS_GO_PACKAGE}/actool"
}
src_install() {
dobin "${WORKDIR}/gopath/bin/actool"
}


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
</pkgmetadata>


@ -0,0 +1 @@
DIST amazon-ssm-agent-2.3.1319.0.tar.gz 22207875 BLAKE2B 9c94f6837079d8117dffea09b1f793d261ac0cb2321c5e0f5a422ea1c57f5abeb3eb38fae74f91481d70ab3bb55dd2098fca4136c37a692d182b45560ed05900 SHA512 bb1d09704981277701bd0b70fadb8c6c917b72fce3f228511def621ea85ee4f401b20456e82bd7e9eed28350260b63076d49cf5f4004555fa16d645bafbecc41


@ -0,0 +1,60 @@
# Distributed under the terms of the GNU General Public License v2
EAPI=7
COREOS_GO_PACKAGE="${GITHUB_URI}"
COREOS_GO_VERSION="go1.12"
inherit coreos-go-depend golang-vcs-snapshot
EGO_PN="github.com/aws/${PN}"
DESCRIPTION="AWS Systems Manager Agent"
HOMEPAGE="https://github.com/aws/amazon-ssm-agent"
LICENSE="Apache-2.0"
SRC_URI="https://${EGO_PN}/archive/${PV}.tar.gz -> ${P}.tar.gz ${EGO_VENDOR_URI}"
SLOT="0"
KEYWORDS="amd64 arm64"
S="${WORKDIR}/${PN}-${PV}/src/${EGO_PN}"
PATCHES=(
# patch generated by `goimports -w ./agent` command
"${FILESDIR}"/${P}-goimports.patch
)
src_prepare() {
default
ln -s ${PWD}/vendor/src/* ${PWD}/vendor/
}
src_compile() {
go_export
# this is replication of commands from the vendor makefile
# but without network activity during build phase
local GO_LDFLAGS="-s -w -extldflags=-Wl,-z,now,-z,relro,-z,defs"
export GOPATH="${WORKDIR}/${PN}-${PV}"
export GO111MODULE="off"
# set agent release version
BRAZIL_PACKAGE_VERSION=${PV} ${EGO} run ./agent/version/versiongenerator/version-gen.go
# build all the tools
${EGO} build -v -ldflags "${GO_LDFLAGS}" -buildmode=pie \
-o bin/amazon-ssm-agent ./agent || die
${EGO} build -v -ldflags "${GO_LDFLAGS}" -buildmode=pie \
-o bin/ssm-cli ./agent/cli-main || die
${EGO} build -v -ldflags "${GO_LDFLAGS}" -buildmode=pie \
-o bin/ssm-document-worker ./agent/framework/processor/executer/outofproc/worker || die
${EGO} build -v -ldflags "${GO_LDFLAGS}" -buildmode=pie \
-o bin/ssm-session-logger ./agent/session/logging || die
${EGO} build -v -ldflags "${GO_LDFLAGS}" -buildmode=pie \
-o bin/ssm-session-worker ./agent/framework/processor/executer/outofproc/sessionworker || die
}
src_install() {
into "/usr/share/oem"
dobin bin/amazon-ssm-agent bin/ssm-cli bin/ssm-document-worker bin/ssm-session-logger bin/ssm-session-worker
# files used by ignition on a first run
insinto "/usr/share/oem/ssm"
newins seelog_unix.xml seelog.xml.template
doins amazon-ssm-agent.json.template
}
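Review bot: `COREOS_GO_PACKAGE="${GITHUB_URI}"` at line 2558 references a variable that nothing in this ebuild assigns (the import path only appears later as `EGO_PN`), so unless an eclass exports GITHUB_URI the package variable is empty; set it from the same value, `COREOS_GO_PACKAGE="github.com/aws/${PN}"`, before the `inherit`. In src_compile the version generator run at line 2585 has no `|| die`, so a failure there silently ships whatever version string the tree already carried; append `|| die "version-gen failed"`, and give the `ln -s ${PWD}/vendor/src/* ${PWD}/vendor/` line in src_prepare the same `|| die` with `"${PWD}"` quoted (the glob itself stays unquoted). Pinning `COREOS_GO_VERSION="go1.12"` builds the agent with a Go release that by now receives no security fixes; the link flags (`-buildmode=pie`, `-z,now,-z,relro,-z,defs`) are the right hardening, but the toolchain pin deserves a follow-up.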


@ -0,0 +1,23 @@
diff --git a/agent/plugins/inventory/gatherers/application/dataProvider.go b/agent/plugins/inventory/gatherers/application/dataProvider.go
index d252ffb4..d1a010ed 100644
--- a/agent/plugins/inventory/gatherers/application/dataProvider.go
+++ b/agent/plugins/inventory/gatherers/application/dataProvider.go
@@ -7,7 +7,6 @@ import (
"fmt"
"github.com/aws/amazon-ssm-agent/agent/context"
- "github.com/aws/amazon-ssm-agent/agent/plugins/configurepackage/localpackages"
"github.com/aws/amazon-ssm-agent/agent/plugins/inventory/model"
)
diff --git a/agent/plugins/inventory/gatherers/application/dataProvider_unix_test.go b/agent/plugins/inventory/gatherers/application/dataProvider_unix_test.go
index af51fa2d..a2757005 100644
--- a/agent/plugins/inventory/gatherers/application/dataProvider_unix_test.go
+++ b/agent/plugins/inventory/gatherers/application/dataProvider_unix_test.go
@@ -241,4 +241,4 @@ func TestApplicationDataWithPackageRepositoryData(t *testing.T) {
data := CollectApplicationData(mockContext)
assert.Equal(t, len(sampleDataParsed), len(data))
assert.NotEqual(t, len(mockData), len(data))
-}
\ No newline at end of file
+}
