From 3e0a85a6f0b97853c934fe878bec96e302e6e1ab Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 22 Mar 2022 14:26:04 +0100 Subject: [PATCH 01/16] profiles: Drop sys-devel/binutils from accept_keywords The updated package is stable for both amd64 and arm64. --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 1 - 1 file changed, 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index fd1b12628b..6c12e25fee 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -27,7 +27,6 @@ =net-misc/wget-1.21.2 ~amd64 ~arm64 # Upgrade to GCC 10.3.0 to support latest glibc builds -=sys-devel/binutils-2.37_p1 ~amd64 ~arm64 =sys-libs/binutils-libs-2.37_p1 ~amd64 ~arm64 # This needs to be kept in-sync otherwise dev container contains # different binutils than was used by crossdev to build kernel From 4c8cd9ffe63503758552a6b18e471318d22d7a5a Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 22 Mar 2022 14:44:13 +0100 Subject: [PATCH 02/16] profiles: Drop sys-libs/binutils-libs from accept_keywords The updated package is stable for both amd64 and arm64. --- .../profiles/coreos/base/package.accept_keywords | 8 -------- 1 file changed, 8 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 6c12e25fee..44ecd71e89 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
@@ -26,14 +26,6 @@ # keywords for wget 1.21.2. =net-misc/wget-1.21.2 ~amd64 ~arm64 -# Upgrade to GCC 10.3.0 to support latest glibc builds -=sys-libs/binutils-libs-2.37_p1 ~amd64 ~arm64 -# This needs to be kept in-sync otherwise dev container contains -# different binutils than was used by crossdev to build kernel -# which breaks kmod builds -=cross-x86_64-cros-linux-gnu/binutils-2.37_p1 ~amd64 -=cross-aarch64-cros-linux-gnu/binutils-2.37_p1 ~arm64 - =sys-fs/cryptsetup-2.4.1-r1 ~amd64 ~arm64 =sys-libs/libseccomp-2.5.0 ~amd64 ~arm64 From d458f790fdf550e72009e0179a611a7d8bd19bd8 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 4 Apr 2022 22:10:01 +0200 Subject: [PATCH 03/16] coreos/config: Drop unnecessary fix for perl We just updated dev-lang/perl to a version that contains the fix. --- .../coreos-overlay/coreos/config/env/dev-lang/perl | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-lang/perl diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-lang/perl b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-lang/perl deleted file mode 100644 index 38d1bf6f8d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-lang/perl +++ /dev/null @@ -1,5 +0,0 @@ -if [[ ${EBUILD_PHASE} == configure ]]; then - if tc-is-cross-compiler; then - append-cflags "-fwrapv -fno-strict-aliasing" - fi -fi From 864ea5fd61e6108dbf723d9d0dd38602e5704a54 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 5 Apr 2022 19:29:01 +0200 Subject: [PATCH 04/16] coreos/config: Drop libtool fixes These seem to be quite old and most likely not needed any more. Let's see if it's true, otherwise this commit will be reverted. --- .../coreos-overlay/coreos/config/env/sys-devel/libtool | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/libtool 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/libtool b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/libtool deleted file mode 100644 index 47d205fa5f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/libtool +++ /dev/null @@ -1,4 +0,0 @@ -# Remove the *.la masking since libtool's autoconf detection code -# relies on its existence. -INSTALL_MASK=${INSTALL_MASK/\/usr\/lib\*\/\*.la} -PKG_INSTALL_MASK=${PKG_INSTALL_MASK/\/usr\/lib\*\/\*.la} From 60cfb42af6377ecfd50980b1dcfc1d93b74c1fa8 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 29 Jun 2022 20:30:22 +0200 Subject: [PATCH 05/16] coreos/config: Drop flex fixes Let's see if there are still problems with bootstrapping. --- .../third_party/coreos-overlay/coreos/config/env/sys-devel/flex | 1 - 1 file changed, 1 deletion(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/flex diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/flex b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/flex deleted file mode 100644 index bfea8f4030..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/flex +++ /dev/null @@ -1 +0,0 @@ -export EXTRA_ECONF="--disable-bootstrap" From 6fdfa6173866bf05156b2cce7faf3f763cbebe49 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 29 Jun 2022 20:34:02 +0200 Subject: [PATCH 06/16] profiles: gcc sanitize should be working on arm64 too Let's check if this is the case. --- .../coreos-overlay/profiles/coreos/arm64/package.use.mask | 2 -- .../profiles/coreos/targets/sdk/package.use.mask | 4 ---- 2 files changed, 6 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask 
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask deleted file mode 100644 index 91f11200ab..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use.mask +++ /dev/null @@ -1,2 +0,0 @@ -# This fails from -Werror=implicit-fallthrough, and it's disabled in the SDK. -sys-devel/gcc sanitize diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use.mask index 8e6ec6044f..811692a9e5 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use.mask @@ -1,6 +1,2 @@ # Allow smartcard support in the SDK for image signing app-crypt/gnupg -smartcard - -# hardened and sanitize are masked for arm64, cross compilers should agree -cross-aarch64-cros-linux-gnu/gcc hardened sanitize -cross-aarch64-cros-linux-gnu/glibc hardened From 93e861952f73318714ecb0599959a5cbd542a48c Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 29 Jun 2022 20:55:20 +0200 Subject: [PATCH 07/16] coreos-config: Drop fixes for sys-devel/gettext Let's see if they are still necessary. --- .../coreos-overlay/coreos/config/env/sys-devel/gettext | 1 - 1 file changed, 1 deletion(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/gettext diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/gettext b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/gettext deleted file mode 100644 index 7495dea677..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-devel/gettext +++ /dev/null 
@@ -1 +0,0 @@ -EXTRA_ECONF="--with-libncurses-prefix=${ROOT}usr --with-libxml2-prefix=${ROOT}usr" From 5089a6ee6e813109f37c1dca95b1e165ccb4f478 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 29 Jun 2022 21:01:35 +0200 Subject: [PATCH 08/16] profiles: Drop accept_keywords for sys-libs/zlib The updated package is stable for both amd64 and arm64. --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 1 - 1 file changed, 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 44ecd71e89..d7abf3ba94 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -42,7 +42,6 @@ # Required for some CVEs =app-editors/vim-8.2.5066-r1 ~amd64 ~arm64 =app-editors/vim-core-8.2.5066-r1 ~amd64 ~arm64 -=sys-libs/zlib-1.2.12-r2 ~amd64 ~arm64 # Duktape is not yet stable =dev-lang/duktape-2.7.0-r1 ~amd64 ~arm64 From fd214759a96354bc5fe9964ef8ddba53ba766cd2 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 29 Jun 2022 21:04:57 +0200 Subject: [PATCH 09/16] app-torcx/docker: Bump dev-libs/libltdl dependency --- .../coreos-overlay/app-torcx/docker/docker-20.10.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild index bca1033ac0..f74efd1bc8 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-20.10.ebuild 
@@ -16,7 +16,7 @@ RDEPEND=" ~app-emulation/containerd-1.6.8 ~app-emulation/docker-proxy-0.8.0_p20210525 ~app-emulation/docker-runc-1.1.3 - =dev-libs/libltdl-2.4.6 + =dev-libs/libltdl-2.4.7 ~sys-process/tini-0.19.0 " From 5b7f8b1525271a95ba65509263457209cf6f53fc Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 18 Jul 2022 18:51:16 +0200 Subject: [PATCH 10/16] profiles: Add accept keywords for sys-devel/crossdev --- .../profiles/coreos/base/package.accept_keywords | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index d7abf3ba94..094a082988 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -61,3 +61,6 @@ # Required for CVE-2022-27239, CVE-2022-29869 =net-fs/cifs-utils-6.15 ~amd64 ~arm64 + +# Required to fix toolchains build during fsscript in stage 4 of SDK build. +=sys-devel/crossdev-20220709 ~amd64 ~arm64 From 26475e5ebfbbdc383955fae6fbfd03685bb970b5 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Thu, 4 Aug 2022 15:31:17 +0200 Subject: [PATCH 11/16] sys-libs/glibc: Sync with Gentoo It's from Gentoo commit 77cec48da70c6d6424ed6dba4357dd8eacd262c2. --- .../coreos-overlay/sys-libs/glibc/Manifest | 2 +- .../coreos-overlay/sys-libs/glibc/README.md | 9 --- .../sys-libs/glibc/files/nscd-conf.tmpfiles | 2 - ...-2.33-r10.ebuild => glibc-2.33-r14.ebuild} | 74 +++---------------- .../sys-libs/glibc/metadata.xml | 46 ++++++------ 5 files changed, 35 insertions(+), 98 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles rename sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/{glibc-2.33-r10.ebuild => glibc-2.33-r14.ebuild} (95%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest index 2127377bbc..306e9e4f39 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest 
@@ -1,5 +1,5 @@
 DIST gcc-multilib-bootstrap-20201208.tar.xz 5528452 BLAKE2B 16699a6e4df5b2f28a21776ae9e3728b26a9ea251f5580aa5349545ad7c9f6145b9cb6a12ca8f5f96b9cb2a3c70b7e66ca702e4c6f083ac00408e0a20a69e613 SHA512 a243f505e17d0a7e144e8713c077582412f61d6cf7f79baa846de4fb77f5e0f27e11c9a785e14624e04ac52287b32164e7995323aa11caef59113ac438254347
-DIST glibc-2.33-patches-8.tar.xz 91220 BLAKE2B 1c9aeaf2d3a58e83aec8ea6eb19776dd05e16430f25de675b467ab18d4fb438374254d06b2072b4272d089237e5f11da6d94a84c38f588b79e94e26b650f6faf SHA512 58d3f444c50e64bbf867cbcc38f4281156c7da3878674038674e1c6706b90919468af9fbd424c2dd949bc2d7d6cb36ed7be2120bb957636cad6b76e56eb54031
+DIST glibc-2.33-patches-11.tar.xz 143916 BLAKE2B ac13b3ccf9681bb6d3c35ecc33e268ea3f67c1809f916019e692dc83e3ce809402a45548da5ca6c7c30d2a45a2638f9fa4254c0355bd4c53bdb216f17aa4e28b SHA512 0ee1dfcf9574543d49ab4fbfe53571258422b6e82b9d12a33e411cee7e517821a4c45c24962b5120783a4efc898afdfa170d33486cc74d94c526bdd14cc84300
 DIST glibc-2.33.tar.xz 17031280 BLAKE2B 703d12121c1e2c5d9e0c6ba5341f5fb5c4d9111611a83f2360029b5de9c6e5a5611249d1833684a58ed4afdf49cae614365d87ec8721ba0e5d218f593b1f229d SHA512 4cb5777b68b22b746cc51669e0e9282b43c83f6944e42656e6db7195ebb68f2f9260f130fdeb4e3cfc64efae4f58d96c43d388f52be1eb024ca448084684abdb
 DIST glibc-systemd-20210814.tar.gz 1469 BLAKE2B 10fa7bcb46d4fdce9c0ab353cbd30871e9b09a347a13a9c9a3b5777f931aa3c826c158d2e49532c604d4a834f2fab4089b67495fb88d0398945dc50d45ad9ef1 SHA512 5346a9ea459a1e6ccf665389f2a294de1e16f1e3e05cdf07e3dd99ed0e4f6f8b52cc333d4bff3c75ac90ab6ce70cd4ab2b3e126f920ce7979abd6dda56315efc
 DIST locale-gen-2.22.tar.gz 7971 BLAKE2B 2dc66fa69bf51799d0c34459b654fba6998b80a7e322e9b670036c967e269ad921f50195e6e34c4a83c1f0bad191fd5aa3f37defb82271b73acbca07b7e49d08 SHA512 9798b10dbbc792345a7b7a121dec5f4bba9839a8aec010f01a09f3402fd5bf2376f79e03a6a19bc357010db780037a8811c381136ce19be1f1370374906dff38
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md deleted file mode 100644 index 0bcb9dd9ee..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# GLibc - -The system's C library, sometimes referred to as "service pack for the C -language". The build recipe has a single modification over the one Gentoo -upstream uses: in the installation callback `glibc_do_src_install`, we remove -all of glibc's `/etc` files right after the stock glibc build diligently -installed them, since we ship our own `/etc` stuff via the `baseimage` recipe. -The addition sits at the end of the `glibc_do_src_install` function and is duly -labelled `## Flatcar Container Linux: ...`. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles deleted file mode 100644 index 0cf43dcb7a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles +++ /dev/null @@ -1,2 +0,0 @@ -L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf -d /var/db/nscd - - - - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r14.ebuild similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r10.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r14.ebuild index 0a9c733319..98877549d3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r10.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r14.ebuild 
@@ -9,7 +9,7 @@ EAPI=7 # We avoid Python 3.10 here _for now_ (it does work!) to avoid circular dependencies # on upgrades as people migrate to libxcrypt. # https://wiki.gentoo.org/wiki/User:Sam/Portage_help/Circular_dependencies#Python_and_libcrypt -PYTHON_COMPAT=( python3_{7,8,9} ) +PYTHON_COMPAT=( python3_{8,9} ) TMPFILES_OPTIONAL=1 inherit python-any-r1 prefix preserve-libs toolchain-funcs flag-o-matic gnuconfig \ @@ -23,13 +23,13 @@ SLOT="2.2" EMULTILIB_PKG="true" # Gentoo patchset (ignored for live ebuilds) -PATCH_VER=8 +PATCH_VER=11 PATCH_DEV=dilfridge if [[ ${PV} == 9999* ]]; then inherit git-r3 else - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" SRC_URI="mirror://gnu/glibc/${P}.tar.xz" SRC_URI+=" https://dev.gentoo.org/~${PATCH_DEV}/distfiles/${P}-patches-${PATCH_VER}.tar.xz" fi @@ -438,33 +438,6 @@ setup_flags() { filter-flags '-fstack-protector*' } -want_tls() { - # Archs that can use TLS (Thread Local Storage) - case $(tc-arch) in - x86) - # requires i486 or better #106556 - [[ ${CTARGET} == i[4567]86* ]] && return 0 - return 1 - ;; - esac - return 0 -} - -want__thread() { - want_tls || return 1 - - # For some reason --with-tls --with__thread is causing segfaults on sparc32. - [[ ${PROFILE_ARCH} == "sparc" ]] && return 1 - - [[ -n ${WANT__THREAD} ]] && return ${WANT__THREAD} - - # only test gcc -- can't test linking yet - tc-has-tls -c ${CTARGET} - WANT__THREAD=$? - - return ${WANT__THREAD} -} - use_multiarch() { # Allow user to disable runtime arch detection in multilib. use multiarch || return 1 
@@ -783,14 +756,6 @@ sanity_prechecks() { # When we actually have to compile something... if ! just_headers && [[ ${MERGE_TYPE} != "binary" ]] ; then - ebegin "Checking gcc for __thread support" - if ! eend $(want__thread ; echo $?) ; then - echo - eerror "Could not find a gcc that supports the __thread directive!" - eerror "Please update your binutils/gcc and try again." - die "No __thread support in gcc!" - fi - if [[ ${CTARGET} == *-linux* ]] ; then local run_kv build_kv want_kv @@ -838,12 +803,10 @@ upgrade_warning() { # pkg_pretend -# Flatcar: Skip sanity checks at pretend time because we don't ship a compiler -# in the OS image. This test fails when installing the glibc binpkg and no -# compiler is present. pkg_pretend() { - einfo "Flatcar: Skipping sanity_prechecks for binpkg installation. src_unpack will take care of compile-time prechecks." - # sanity_prechecks + # All the checks... + einfo "Checking general environment sanity." + sanity_prechecks upgrade_warning } @@ -1168,6 +1131,7 @@ glibc_headers_configure() { --host=${CTARGET_OPT:-${CTARGET}} --with-headers=$(build_eprefix)$(alt_build_headers) --prefix="$(host_eprefix)/usr" + $(use_enable crypt) ${EXTRA_ECONF} ) @@ -1295,13 +1259,12 @@ glibc_do_src_install() { # '#define VERSION "2.26.90"' -> '2.26.90' local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h) - # Flatcar: override this and strip everything to keep image size at bay # Avoid stripping binaries not targeted by ${CHOST}. Or else # ${CHOST}-strip would break binaries build for ${CTARGET}. - # is_crosscompile && dostrip -x / + is_crosscompile && dostrip -x / # gdb thread introspection relies on local libpthreas symbols. stripping breaks it # See Note [Disable automatic stripping] - # dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so + dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then # Move versioned .a file out of libdir to evade portage QA checks 
@@ -1484,23 +1447,6 @@ glibc_do_src_install() { run_locale_gen --inplace-glibc "${ED}/" sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die fi - - ## Flatcar Container Linux: Add some local changes: - # - Config files are installed by baselayout, not glibc. - # - Install nscd/systemd stuff in /usr. - - # Use tmpfiles to put nscd.conf in /etc and create directories. - insinto /usr/share/baselayout - if ! in_iuse nscd || use nscd ; then - doins "${S}"/nscd/nscd.conf || die - newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die - fi - - # Clean out any default configs. - rm -rf "${ED}"/etc - - # Restore this one for the SDK. - test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc } glibc_headers_install() { @@ -1628,7 +1574,7 @@ pkg_postinst() { if [[ -e ${EROOT}/etc/nsswitch.conf ]] && ! has_version sys-auth/libnss-nis ; then local entry for entry in passwd group shadow; do - if egrep -q "^[ \t]*${entry}:.*nis" "${EROOT}"/etc/nsswitch.conf; then + if grep -E -q "^[ \t]*${entry}:.*nis" "${EROOT}"/etc/nsswitch.conf; then ewarn "" ewarn "Your ${EROOT}/etc/nsswitch.conf uses NIS. Support for that has been" ewarn "removed from glibc and is now provided by the package" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/metadata.xml index 613e58eff7..eb25b52087 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/metadata.xml 
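Review bot: At this commit the ebuild no longer removes `${ED}/etc` and, per the earlier pkg_pretend hunk, runs `sanity_prechecks` at pretend time again; both are Flatcar-specific behaviours that only return in the following "Apply Flatcar modifications" commit, so the tree is not buildable per commit and the message does not say so. If the drop-then-reapply sequence is the intended sync workflow, a sentence in the commit message such as `Flatcar-specific changes are dropped here and re-applied in the next commit` spares a bisector the surprise; otherwise the two commits should be squashed. glibc_do_src_install starts and ends outside this hunk.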
@@ -1,26 +1,28 @@ - - toolchain@gentoo.org - Gentoo Toolchain Project - - - Enable Intel Control-flow Enforcement Technology (needs binutils 2.29 and gcc 8) - Enable the new clone3 syscall within glibc. Can be disabled to allow compatibility with older Electron applications. - build *all* locales in src_install; this is generally meant for stage building only as it ignores /etc/locale.gen file and can be pretty slow - build and install libcrypt and crypt.h - When USE=hardened, allow fortify/stack violations to dump core (SIGABRT) and not kill self (SIGKILL) - build memusage and memusagestat tools - enable optimizations for multiple CPU architectures (detected at runtime) - Provide prebuilt libgcc.a and crt files if missing. Only needed for ABI switch. - Build, and enable support for, the Name Service Cache Daemon - protect stack of glibc internals - Enable static PIE support (runtime files for -static-pie gcc option). - Make internal pt_chown helper setuid -- not needed if using Linux and have /dev/pts mounted with gid=5 - enable systemtap static probe points - - - cpe:/a:gnu:glibc - + + toolchain@gentoo.org + Gentoo Toolchain Project + + + Enable Intel Control-flow Enforcement Technology (needs binutils 2.29 and gcc 8) + Enable the new clone3 syscall within glibc. Can be disabled to allow compatibility with older Electron applications. + build *all* locales in src_install; this is generally meant for stage building only as it ignores /etc/locale.gen file and can be pretty slow + build and install libcrypt and crypt.h + When USE=hardened, allow fortify/stack violations to dump core (SIGABRT) and not kill self (SIGKILL) + Add experimental LoongArch patchset + build memusage and memusagestat tools + enable optimizations for multiple CPU architectures (detected at runtime) + Provide prebuilt libgcc.a and crt files if missing. Only needed for ABI switch. 
+ Build, and enable support for, the Name Service Cache Daemon + protect stack of glibc internals + Realign the stack in the 32-bit build for compatibility with older binaries at some performance cost + Enable static PIE support (runtime files for -static-pie gcc option). + Make internal pt_chown helper setuid -- not needed if using Linux and have /dev/pts mounted with gid=5 + enable systemtap static probe points + + + cpe:/a:gnu:glibc + From 66b8c112f7cb0aa6b8177c9ca39d35c715443e8e Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 15 Dec 2021 20:48:57 +0100 Subject: [PATCH 12/16] sys-libs/glibc: Apply Flatcar modifications - take care of nscd.conf via tmpfiles, add files/nscd-conf.tmpfiles. - don't run sanity checks in pkg_pretend to prevent gcc checks when only the binary package is installed. - comment out 'dostrip -x' to force the OS image binaries to be stripped - remove everything glibc wants to put under /etc since we use baselayout to provide that --- .../coreos-overlay/sys-libs/glibc/README.md | 9 ++++++ .../sys-libs/glibc/files/nscd-conf.tmpfiles | 2 ++ .../sys-libs/glibc/glibc-2.33-r14.ebuild | 30 +++++++++++++++---- 3 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md new file mode 100644 index 0000000000..0bcb9dd9ee --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md 
@@ -0,0 +1,9 @@ +# GLibc + +The system's C library, sometimes referred to as "service pack for the C +language". The build recipe has a single modification over the one Gentoo +upstream uses: in the installation callback `glibc_do_src_install`, we remove +all of glibc's `/etc` files right after the stock glibc build diligently +installed them, since we ship our own `/etc` stuff via the `baseimage` recipe. +The addition sits at the end of the `glibc_do_src_install` function and is duly +labelled `## Flatcar Container Linux: ...`. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles new file mode 100644 index 0000000000..0cf43dcb7a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles @@ -0,0 +1,2 @@ +L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf +d /var/db/nscd - - - - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r14.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r14.ebuild index 98877549d3..421f7ec0c3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r14.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.33-r14.ebuild @@ -803,10 +803,12 @@ upgrade_warning() { # pkg_pretend +# Flatcar: Skip sanity checks at pretend time because we don't ship a compiler +# in the OS image. This test fails when installing the glibc binpkg and no +# compiler is present. pkg_pretend() { - # All the checks... - einfo "Checking general environment sanity." - sanity_prechecks + einfo "Flatcar: Skipping sanity_prechecks for binpkg installation. src_unpack will take care of compile-time prechecks." + # sanity_prechecks upgrade_warning } 
@@ -1259,12 +1261,13 @@ glibc_do_src_install() { # '#define VERSION "2.26.90"' -> '2.26.90' local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h) + # Flatcar: override this and strip everything to keep image size at bay # Avoid stripping binaries not targeted by ${CHOST}. Or else # ${CHOST}-strip would break binaries build for ${CTARGET}. - is_crosscompile && dostrip -x / + # is_crosscompile && dostrip -x / # gdb thread introspection relies on local libpthreas symbols. stripping breaks it # See Note [Disable automatic stripping] - dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so + # dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then # Move versioned .a file out of libdir to evade portage QA checks @@ -1447,6 +1450,23 @@ glibc_do_src_install() { run_locale_gen --inplace-glibc "${ED}/" sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die fi + + ## Flatcar Container Linux: Add some local changes: + # - Config files are installed by baselayout, not glibc. + # - Install nscd/systemd stuff in /usr. + + # Use tmpfiles to put nscd.conf in /etc and create directories. + insinto /usr/share/baselayout + if ! in_iuse nscd || use nscd ; then + doins "${S}"/nscd/nscd.conf || die + newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die + fi + + # Clean out any default configs. + rm -rf "${ED}"/etc + + # Restore this one for the SDK. + test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc } glibc_headers_install() { From 7dbd5615d1e0e485bdd14295355333762990a6b6 Mon Sep 17 00:00:00 2001 
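Review bot: The new `# Flatcar: override this and strip everything to keep image size at bay` comment sits directly above upstream's own rationale (`gdb thread introspection relies on local libpthreas symbols. stripping breaks it`), and commenting out `dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so` accepts that loss without saying so, which invites the next Gentoo sync to "fix" it back. Make the trade-off explicit, e.g. `# Flatcar: strip everything, including libpthread (upstream keeps it unstripped for gdb thread introspection), to keep image size at bay.` The same hunk also disables `is_crosscompile && dostrip -x /`, whose upstream comment warns that ${CHOST}-strip can break binaries built for ${CTARGET}; whether the SDK's cross-glibc builds are exposed to that is not visible here and is worth confirming or noting in the same comment. In the later hunk, `doins ... || die` and `newtmpfiles ... || die` are harmless but redundant under EAPI 7, where both helpers already die on failure. glibc_do_src_install starts and ends outside these hunks.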
From: Krzesimir Nowak Date: Wed, 17 Aug 2022 09:39:03 +0200 Subject: [PATCH 13/16] sys-devel/make: Copy from portage-stable --- .../coreos-overlay/sys-devel/make/Manifest | 2 + ...ake-3.82-darwin-library_search-dylib.patch | 17 ++++++ .../make/files/make-4.2-default-cxx.patch | 11 ++++ .../sys-devel/make/make-4.3.ebuild | 54 +++++++++++++++++++ .../sys-devel/make/metadata.xml | 11 ++++ 5 files changed, 95 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-devel/make/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-3.82-darwin-library_search-dylib.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-4.2-default-cxx.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-devel/make/make-4.3.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-devel/make/metadata.xml diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/Manifest new file mode 100644 index 0000000000..f9cbb5a172 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/Manifest @@ -0,0 +1,2 @@ +DIST make-4.3.tar.gz 2317073 BLAKE2B 5a82ce1f30eb034366ac3b87d2ec6698aae17d7b1a611941cf42136b2453b34236ab55382eab0a593c43cee8b036ba4a054f966c41ba766fdbd2862942be5dff SHA512 9a1185cc468368f4ec06478b1cfa343bf90b5cd7c92c0536567db0315b0ee909af53ecce3d44cfd93dd137dbca1ed13af5713e8663590c4fdd21ea635d78496b +DIST make-4.3.tar.gz.sig 566 BLAKE2B 75bf71602e60f97ec8efa81676329047746d960257ef310b89a059144c00628b6a1ddf7a16a2ac2c3e935b8591475f5043a7c7546668ab39abbc4717c75a6528 SHA512 bf13e2943593b153457c8111179e8ae11cef2d9185a986106a1e70946a260bd930505a5e10002c5a60888e11affc07713c367b8680fd511ad87b2e124d303a99 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-3.82-darwin-library_search-dylib.patch b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-3.82-darwin-library_search-dylib.patch new file mode 100644 index 0000000000..743583b5a0 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-3.82-darwin-library_search-dylib.patch @@ -0,0 +1,17 @@ +Fixed default libpatttern on Darwin, imported from prefix overlay. +Got merged upstream: +https://savannah.gnu.org/bugs/?37197 +--- a/src/default.c ++++ b/src/default.c +@@ -509,7 +509,11 @@ + #ifdef __MSDOS__ + ".LIBPATTERNS", "lib%.a $(DJDIR)/lib/lib%.a", + #else ++#ifdef __APPLE__ ++ ".LIBPATTERNS", "lib%.dylib lib%.a", ++#else + ".LIBPATTERNS", "lib%.so lib%.a", ++#endif + #endif + #endif + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-4.2-default-cxx.patch b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-4.2-default-cxx.patch new file mode 100644 index 0000000000..39e3ee0dd9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-4.2-default-cxx.patch @@ -0,0 +1,11 @@ +--- a/src/default.c ++++ b/src/default.c +@@ -530,7 +530,7 @@ static const char *default_variables[] = + "OBJC", "gcc", + #else + "CC", "cc", +- "CXX", "g++", ++ "CXX", "c++", + "OBJC", "cc", + #endif + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/make-4.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/make-4.3.ebuild new file mode 100644 index 0000000000..50caf0365b --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/make-4.3.ebuild 
@@ -0,0 +1,54 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/make.asc +inherit flag-o-matic verify-sig + +DESCRIPTION="Standard tool to compile source trees" +HOMEPAGE="https://www.gnu.org/software/make/make.html" +if [[ "$(ver_cut 3)" -ge 90 ]] ; then + SRC_URI="https://alpha.gnu.org/gnu//make/${P}.tar.gz" + SRC_URI+=" verify-sig? ( https://alpha.gnu.org/gnu//make/${P}.tar.gz.sig )" +else + SRC_URI="mirror://gnu//make/${P}.tar.gz" + SRC_URI+=" verify-sig? ( mirror://gnu//make/${P}.tar.gz.sig )" + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +fi + +LICENSE="GPL-3+" +SLOT="0" +IUSE="guile nls static" + +DEPEND="guile? ( >=dev-scheme/guile-1.8:= )" +BDEPEND="nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-make )" +RDEPEND="${DEPEND} + nls? ( virtual/libintl )" + +PATCHES=( + "${FILESDIR}"/${PN}-3.82-darwin-library_search-dylib.patch + "${FILESDIR}"/${PN}-4.2-default-cxx.patch +) + +src_configure() { + use static && append-ldflags -static + local myeconfargs=( + --program-prefix=g + $(use_with guile) + $(use_enable nls) + ) + econf "${myeconfargs[@]}" +} + +src_install() { + emake DESTDIR="${D}" install + dodoc AUTHORS NEWS README* + if [[ ${USERLAND} == "GNU" ]] ; then + # we install everywhere as 'gmake' but on GNU systems, + # symlink 'make' to 'gmake' + dosym gmake /usr/bin/make + dosym gmake.1 /usr/share/man/man1/make.1 + fi +} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/metadata.xml new file mode 100644 index 0000000000..1e62dd9102 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/metadata.xml 
@@ -0,0 +1,11 @@ + + + + + base-system@gentoo.org + Gentoo Base System + + + cpe:/a:gnu:make + + From c6683a158e6a566c9eb7d1efca5b4af84552e726 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 17 Aug 2022 09:41:46 +0200 Subject: [PATCH 14/16] sys-devel/make: Apply Flatcar modifications --- .../coreos-overlay/sys-devel/make/README.md | 2 ++ .../files/make-4.3-handle-tmpfile-fail.patch | 23 +++++++++++++++++++ .../sys-devel/make/make-4.3.ebuild | 1 + 3 files changed, 26 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-devel/make/README.md create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-4.3-handle-tmpfile-fail.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/README.md b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/README.md new file mode 100644 index 0000000000..6eed06d4d8 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/README.md @@ -0,0 +1,2 @@ +We forked this package to carry a patch that we will try to upstream +to both GNU Make and to Gentoo. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-4.3-handle-tmpfile-fail.patch b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-4.3-handle-tmpfile-fail.patch new file mode 100644 index 0000000000..340b744673 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/files/make-4.3-handle-tmpfile-fail.patch 
@@ -0,0 +1,23 @@
+diff -u -r make-4.3/src/output.c make-4.3-fix/src/output.c
+--- make-4.3/src/output.c 2020-01-03 07:11:27.000000000 -0000
++++ make-4.3-fix/src/output.c 2022-08-17 07:35:01.473471281 -0000
+@@ -286,15 +286,16 @@
+ FILE *tfile = tmpfile ();
+
+ if (! tfile)
+- pfatal_with_name ("tmpfile");
++ return -1;
+
+ /* Create a duplicate so we can close the stream. */
+ fd = dup (fileno (tfile));
+- if (fd < 0)
+- pfatal_with_name ("dup");
+
+ fclose (tfile);
+
++ if (fd < 0)
++ return -1;
++
+ set_append_mode (fd);
+
+ umask (mask);
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/make-4.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/make-4.3.ebuild
index 50caf0365b..533a77aceb 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-devel/make/make-4.3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-devel/make/make-4.3.ebuild
@@ -30,6 +30,7 @@ RDEPEND="${DEPEND} PATCHES=( "${FILESDIR}"/${PN}-3.82-darwin-library_search-dylib.patch "${FILESDIR}"/${PN}-4.2-default-cxx.patch + "${FILESDIR}"/${PN}-4.3-handle-tmpfile-fail.patch ) src_configure() {
From a9747570bd7260202febe6f5240edf970a3ce616 Mon Sep 17 00:00:00 2001
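Review bot: Both new `return -1` paths in this hunk skip the `umask (mask);` restore that closes it, so when tmpfile() or dup() fails the process keeps whatever restrictive umask the function installed at its top (outside the hunk; in make 4.3 this appears to be `umask (0077)` in output_tmpfd). Restore it before bailing out, e.g. `if (! tfile) { umask (mask); return -1; }` and likewise `if (fd < 0) { umask (mask); return -1; }` after the fclose. Dropping `pfatal_with_name` also discards the errno text, so a non-fatal perror-style message before each return would keep the failure diagnosable, assuming the caller (not in this patch) only reports a generic error for a negative fd. The enclosing function starts outside the hunk.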
From: Krzesimir Nowak Date: Fri, 19 Aug 2022 15:34:31 +0200 Subject: [PATCH 15/16] sys-auth/sssd: Clean slate to reapply our changes --- .../sssd/files/sssd-2.3.1-CVE-2021-3621.patch | 284 ------------------ .../sssd-2.3.1-disable-nsupdate-realm.patch | 10 - .../sys-auth/sssd/files/sssd.service | 9 +- .../sys-auth/sssd/files/tmpfiles.d/sssd.conf | 13 - ...d-2.3.1-r4.ebuild => sssd-2.3.1-r2.ebuild} | 69 ++--- 5 files changed, 34 insertions(+), 351 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf rename sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/{sssd-2.3.1-r4.ebuild => sssd-2.3.1-r2.ebuild} (79%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch deleted file mode 100644 index 477f5b9c22..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch +++ /dev/null 
@@ -1,284 +0,0 @@ -From 9377cc4c25a1d889e241f23ec7efcd40fced3c63 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 18 Jun 2021 13:17:19 +0200 -Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of - user supplied command -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -:relnote: A flaw was found in SSSD, where the sssctl command was -vulnerable to shell command injection via the logs-fetch and -cache-expire subcommands. This flaw allows an attacker to trick -the root user into running a specially crafted sssctl command, -such as via sudo, to gain root access. The highest threat from this -vulnerability is to confidentiality, integrity, as well as system -availability. -This patch fixes a flaw by replacing system() with execvp(). - -:fixes: CVE-2021-3621 - -Reviewed-by: Pavel Březina ---- - src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- - src/tools/sssctl/sssctl.h | 2 +- - src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- - src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- - 4 files changed, 73 insertions(+), 57 deletions(-) - -diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c -index 2997dbf96..8adaf3091 100644 ---- a/src/tools/sssctl/sssctl.c -+++ b/src/tools/sssctl/sssctl.c -@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, - return SSSCTL_PROMPT_ERROR; - } - --errno_t sssctl_run_command(const char *command) -+errno_t sssctl_run_command(const char *const argv[]) - { - int ret; -+ int wstatus; - -- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); -+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); - -- ret = system(command); -+ ret = fork(); - if (ret == -1) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); - ERROR("Error while executing external command\n"); - return EFAULT; -- } else if (WEXITSTATUS(ret) != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", -- command, WEXITSTATUS(ret)); 
-+ } -+ -+ if (ret == 0) { -+ /* cast is safe - see -+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html -+ "The statement about argv[] and envp[] being constants ... " -+ */ -+ execvp(argv[0], discard_const_p(char * const, argv)); - ERROR("Error while executing external command\n"); -- return EIO; -+ _exit(1); -+ } else { -+ if (waitpid(ret, &wstatus, 0) == -1) { -+ ERROR("Error while executing external command '%s'\n", argv[0]); -+ return EFAULT; -+ } else if (WEXITSTATUS(wstatus) != 0) { -+ ERROR("Command '%s' failed with [%d]\n", -+ argv[0], WEXITSTATUS(wstatus)); -+ return EIO; -+ } - } - - return EOK; -@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) - #elif defined(HAVE_SERVICE) - switch (action) { - case SSSCTL_SVC_START: -- return sssctl_run_command(SERVICE_PATH" sssd start"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL}); - case SSSCTL_SVC_STOP: -- return sssctl_run_command(SERVICE_PATH" sssd stop"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); - case SSSCTL_SVC_RESTART: -- return sssctl_run_command(SERVICE_PATH" sssd restart"); -+ return sssctl_run_command( -+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL}); - } - #endif - -diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h -index 0115b2457..599ef6519 100644 ---- a/src/tools/sssctl/sssctl.h -+++ b/src/tools/sssctl/sssctl.h -@@ -47,7 +47,7 @@ enum sssctl_prompt_result - sssctl_prompt(const char *message, - enum sssctl_prompt_result defval); - --errno_t sssctl_run_command(const char *command); -+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */ - bool sssctl_start_sssd(bool force); - bool sssctl_stop_sssd(bool force); - bool sssctl_restart_sssd(bool force); -diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c -index 8d79b977f..bf2291341 100644 ---- a/src/tools/sssctl/sssctl_data.c -+++ 
b/src/tools/sssctl/sssctl_data.c -@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) - } - } - -- ret = sssctl_run_command("sss_override user-export " -- SSS_BACKUP_USER_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", -+ SSS_BACKUP_USER_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to export user overrides\n"); - return ret; - } - -- ret = sssctl_run_command("sss_override group-export " -- SSS_BACKUP_GROUP_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export", -+ SSS_BACKUP_GROUP_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to export group overrides\n"); - return ret; -@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) - } - - if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { -- ret = sssctl_run_command("sss_override user-import " -- SSS_BACKUP_USER_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import", -+ SSS_BACKUP_USER_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to import user overrides\n"); - return ret; -@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) - } - - if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { -- ret = sssctl_run_command("sss_override group-import " -- SSS_BACKUP_GROUP_OVERRIDES); -+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import", -+ SSS_BACKUP_GROUP_OVERRIDES, NULL}); - if (ret != EOK) { - ERROR("Unable to import group overrides\n"); - return ret; -@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline, - void *pvt) - { - errno_t ret; -- char *cmd_args = NULL; -- const char *cachecmd = SSS_CACHE; -- char *cmd = NULL; -- int i; -- -- if (cmdline->argc == 0) { -- ret = sssctl_run_command(cachecmd); -- goto done; -- } - -- cmd_args = talloc_strdup(tool_ctx, ""); -- if (cmd_args == NULL) { -- ret = ENOMEM; -- goto done; -+ const char **args = 
talloc_array_size(tool_ctx, -+ sizeof(char *), -+ cmdline->argc + 2); -+ if (!args) { -+ return ENOMEM; - } -+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); -+ args[0] = SSS_CACHE; -+ args[cmdline->argc + 1] = NULL; - -- for (i = 0; i < cmdline->argc; i++) { -- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); -- if (i != cmdline->argc - 1) { -- cmd_args = talloc_strdup_append(cmd_args, " "); -- } -- } -- -- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); -- if (cmd == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = sssctl_run_command(cmd); -- --done: -- talloc_free(cmd_args); -- talloc_free(cmd); -+ ret = sssctl_run_command(args); - -+ talloc_free(args); - return ret; - } -diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c -index 04a32bad8..ebb2c4571 100644 ---- a/src/tools/sssctl/sssctl_logs.c -+++ b/src/tools/sssctl/sssctl_logs.c -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - - #include "util/util.h" - #include "tools/common/sss_process.h" -@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, - { - struct sssctl_logs_opts opts = {0}; - errno_t ret; -+ glob_t globbuf; - - /* Parse command line. 
*/ - struct poptOption options[] = { -@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, - - sss_signal(SIGHUP); - } else { -+ globbuf.gl_offs = 4; -+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); -+ return ret; -+ } -+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); -+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); -+ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); -+ globbuf.gl_pathv[3] = discard_const_p(char, "0"); -+ - PRINT("Truncating log files...\n"); -- ret = sssctl_run_command("truncate --size 0 " LOG_FILES); -+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); -+ globfree(&globbuf); - if (ret != EOK) { - ERROR("Unable to truncate log files\n"); - return ret; -@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, - void *pvt) - { - const char *file; -- const char *cmd; - errno_t ret; -+ glob_t globbuf; - - /* Parse command line. */ - ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, -@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, - return ret; - } - -- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); -- if (cmd == NULL) { -- ERROR("Out of memory!"); -+ globbuf.gl_offs = 3; -+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); -+ return ret; - } -+ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); -+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); -+ globbuf.gl_pathv[2] = discard_const_p(char, file); - - PRINT("Archiving log files into %s...\n", file); -- ret = sssctl_run_command(cmd); -+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); -+ globfree(&globbuf); - if (ret != EOK) { - ERROR("Unable to archive log files\n"); - return ret; --- -2.25.1 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch deleted file mode 100644 index 7d80dc8415..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- a/src/external/nsupdate.m4 2020-11-05 16:27:14.661566136 +0100 -+++ b/src/external/nsupdate.m4 2020-11-05 16:27:30.060674381 +0100 -@@ -9,7 +9,6 @@ - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([no]) -- AC_MSG_ERROR([nsupdate does not support 'realm']) - fi - - else diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service index a6afb4682c..1821089a60 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service @@ -1,10 +1,15 @@ [Unit] Description=System Security Services Daemon -After=nscd.service +# SSSD will not be started until syslog is +After=syslog.target [Service] -ExecStart=/usr/sbin/sssd -i +ExecStart=/usr/sbin/sssd -D -f +# These two should be used with traditional UNIX forking daemons +# consult systemd.service(5) for more details +Type=forking PIDFile=/run/sssd.pid [Install] WantedBy=multi-user.target + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf deleted file mode 100644 index f8074a4332..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -d /etc/sssd 0700 root root - - -C /etc/sssd/sssd.conf 0600 root root - /usr/share/sssd/sssd-example.conf -d /var/lib/sss - root root - - -d /var/lib/sss/deskprofile 0755 root root - - -d /var/lib/sss/db 0700 root root - - -d /var/lib/sss/gpo_cache 0755 root root - - -d /var/lib/sss/keytabs 0700 root root - - -d /var/lib/sss/mc 0700 root root - - -d /var/lib/sss/pipes - root root - - -d /var/lib/sss/pipes/private 0700 root root - - -d /var/lib/sss/pubconf 0700 root root - - -d /var/lib/sss/pubconf/krb5.include.d 0700 root root - - -d /var/lib/sss/secrets 0755 root root - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild index f1c75c95f1..c5c20e6794 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild 
@@ -1,23 +1,16 @@ -# Flatcar modifications: -# - changed files/sssd.service -# - added files/tmpfiles.d/sssd.conf -# - other ebuild modifications marked below -# # Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{6..10} ) +PYTHON_COMPAT=( python3_7 ) -TMPFILES_OPTIONAL=1 -inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs tmpfiles +inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs DESCRIPTION="System Security Services Daemon provides access to identity and authentication" HOMEPAGE="https://github.com/SSSD/sssd" SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz" -# Flatcar: stabilize arm64 -KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" +KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" LICENSE="GPL-3" SLOT="0" @@ -27,8 +20,6 @@ RESTRICT="!test? ( test )" REQUIRED_USE="pac? ( samba ) python? ( ${PYTHON_REQUIRED_USE} )" -# Flatcar: do not force gssapi for >=net-dns/bind-tools-9.9 -# do not force winbind for net-fs/samba DEPEND=" >=app-crypt/mit-krb5-1.10.3 app-crypt/p11-kit @@ -38,7 +29,7 @@ DEPEND=" >=dev-libs/libpcre-8.30:= >=dev-libs/popt-1.16 >=dev-libs/openssl-1.0.2:0= - >=net-dns/bind-tools-9.9 + >=net-dns/bind-tools-9.9[gssapi] >=net-dns/c-ares-1.7.4 >=net-nds/openldap-2.4.30[sasl] >=sys-apps/dbus-1.6 @@ -62,7 +53,7 @@ DEPEND=" net-fs/samba ) python? ( ${PYTHON_DEPS} ) - samba? ( >=net-fs/samba-4.10.2 ) + samba? ( >=net-fs/samba-4.10.2[winbind] ) selinux? ( >=sys-libs/libselinux-2.1.9 >=sys-libs/libsemanage-2.1 
@@ -78,9 +69,8 @@ RDEPEND="${DEPEND} >=sys-libs/glibc-2.17[nscd] selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) " -# Flatcar: require only autoconf:2.69 -BDEPEND=" - sys-devel/autoconf:2.69 +BDEPEND="${DEPEND} + >=sys-devel/autoconf-2.69-r5 doc? ( app-doc/doxygen ) test? ( dev-libs/check @@ -114,9 +104,6 @@ MULTILIB_WRAPPED_HEADERS=( PATCHES=( "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch - "${FILESDIR}"/${P}-disable-nsupdate-realm.patch - # Flatcar: add a patch for CVE-2021-3621 - "${FILESDIR}"/${P}-CVE-2021-3621.patch ) pkg_setup() { @@ -146,6 +133,7 @@ multilib_src_configure() { myconf+=( --localstatedir="${EPREFIX}"/var + --runstatedir="${EPREFIX}"/run --with-pid-path="${EPREFIX}"/run --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) @@ -161,12 +149,6 @@ multilib_src_configure() { --with-nscd="${EPREFIX}"/usr/sbin/nscd --with-unicode-lib="glib2" --disable-rpath - # Flatcar: make nss lookups succeed when not running - --enable-sss-default-nss-plugin - # Flatcar: prevent cross-compilation error - # when autotools does not want to compile and run the test - $(use_with samba smb-idmap-interface-version=6) - # --sbindir=/usr/sbin --with-crypto="libcrypto" --enable-local-provider @@ -196,11 +178,6 @@ multilib_src_configure() { myconf+=( --with-initscript="systemd" --with-systemdunitdir=$(systemd_get_systemunitdir) - # Flatcar: Set the systemd system - # configuration directory explicitly through - # _systemd_get_dir, as it will do the right - # thing in cross-compilation environment. - --with-systemdconfdir=$(_systemd_get_dir systemdsystemconfdir /etc/systemd/system) ) else myconf+=(--with-initscript="sysv") 
@@ -231,8 +208,7 @@ multilib_src_configure() { multilib_src_compile() { if multilib_is_native_abi; then - # Flatcar: add runstatedir to make commands to avoid configure error - default runstatedir="${EPREFIX}"/run + default use doc && emake docs if use man || use nls; then emake update-po @@ -246,9 +222,7 @@ multilib_src_compile() { multilib_src_install() { if multilib_is_native_abi; then - # Flatcar: add runstatedir, sysconfdir - emake -j1 DESTDIR="${D}" runstatedir="${EPREFIX}"/run \ - sysconfdir="/usr/share" "${_at_args[@]}" install + emake -j1 DESTDIR="${D}" "${_at_args[@]}" install if use python; then python_optimize python_fix_shebang "${ED}" @@ -277,15 +251,26 @@ multilib_src_install_all() { einstalldocs find "${ED}" -type f -name '*.la' -delete || die - # Flatcar: store on /usr - insinto /usr/share/sssd + insinto /etc/sssd + insopts -m600 doins "${S}"/src/examples/sssd-example.conf - # Flatcar: delete, remove /var files taken care of by tmpfiles + insinto /etc/logrotate.d + insopts -m644 + newins "${S}"/src/examples/logrotate sssd + + newconfd "${FILESDIR}"/sssd.conf sssd + + keepdir /var/lib/sss/db + keepdir /var/lib/sss/deskprofile + keepdir /var/lib/sss/gpo_cache + keepdir /var/lib/sss/keytabs + keepdir /var/lib/sss/mc + keepdir /var/lib/sss/pipes/private + keepdir /var/lib/sss/pubconf/krb5.include.d + keepdir /var/lib/sss/secrets + keepdir /var/log/sssd - # Flatcar: add tmpfile directive and remove /etc/rc.d - dotmpfiles "${FILESDIR}/tmpfiles.d/sssd.conf" - rm -rf "${D}/etc/rc.d" # strip empty dirs if ! use doc ; then rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die From 3e25e23ae4639ccb2fdb73c648cea57c639899de Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak
Date: Wed, 15 Dec 2021 20:36:25 +0100
Subject: [PATCH 16/16] sys-auth/sssd: Apply Flatcar modifications

- Make BDEPEND independent from DEPEND (`BDEPEND` holds build-time requirements, so it should not be tied to the whole `DEPEND` list. If it is, installing `sys-auth/sssd` causes the other dependencies to be installed not only in `/build`, but also under the SDK. That is not what we want, so we need to keep `BDEPEND` separate from that list.)
- Move runstatedir option from configure to make (Since upstream sssd 2.3.1 does not support the `--runstatedir` option in its configure script, we need to remove the option to avoid the configure error `unrecognized option --runstatedir`. Instead we pass `runstatedir=` to the emake commands.)
- Disable realm check for nsupdate (At the moment bind-tools does not enable `gssapi`, so its `nsupdate` tool cannot run the `realm` command. As a result, the configure script of `sssd` fails with a `syntax error` when running `echo realm | nsupdate`. To avoid this, we disable the nsupdate check for now. Once `gssapi` can be enabled for the SDK correctly, we can bring back the nsupdate check.)
- Add patch for CVE-2021-3621
- Set the conf dir path explicitly (Without the --with-systemdconfdir flag, the configure script queries pkg-config for the directory itself. In our cross-compilation setup this results in the sysroot being prepended to the path twice. systemd.eclass has a workaround for this issue, but it does not provide an elegant getter for the system configuration directory, so we call `_systemd_get_dir` ourselves.)
- Make it compatible with newer python versions.
- Fix samba version detection by exporting the CPP variable. For some reason it was empty after the toolchain updates.
--- .../sssd/files/sssd-2.3.1-CVE-2021-3621.patch | 284 ++++++++++++++++++ .../sssd-2.3.1-disable-nsupdate-realm.patch | 10 + .../sys-auth/sssd/files/sssd.service | 9 +- .../sys-auth/sssd/files/tmpfiles.d/sssd.conf | 13 + ...d-2.3.1-r2.ebuild => sssd-2.3.1-r4.ebuild} | 72 +++-- 5 files changed, 354 insertions(+), 34 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf rename sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/{sssd-2.3.1-r2.ebuild => sssd-2.3.1-r4.ebuild} (78%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch new file mode 100644 index 0000000000..477f5b9c22 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch 
@@ -0,0 +1,284 @@ +From 9377cc4c25a1d889e241f23ec7efcd40fced3c63 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 18 Jun 2021 13:17:19 +0200 +Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of + user supplied command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +:relnote: A flaw was found in SSSD, where the sssctl command was +vulnerable to shell command injection via the logs-fetch and +cache-expire subcommands. This flaw allows an attacker to trick +the root user into running a specially crafted sssctl command, +such as via sudo, to gain root access. The highest threat from this +vulnerability is to confidentiality, integrity, as well as system +availability. +This patch fixes a flaw by replacing system() with execvp(). + +:fixes: CVE-2021-3621 + +Reviewed-by: Pavel Březina +--- + src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- + src/tools/sssctl/sssctl.h | 2 +- + src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- + src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- + 4 files changed, 73 insertions(+), 57 deletions(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 2997dbf96..8adaf3091 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, + return SSSCTL_PROMPT_ERROR; + } + +-errno_t sssctl_run_command(const char *command) ++errno_t sssctl_run_command(const char *const argv[]) + { + int ret; ++ int wstatus; + +- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); ++ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); + +- ret = system(command); ++ ret = fork(); + if (ret == -1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); + ERROR("Error while executing external command\n"); + return EFAULT; +- } else if (WEXITSTATUS(ret) != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", +- command, WEXITSTATUS(ret)); 
++ } ++ ++ if (ret == 0) { ++ /* cast is safe - see ++ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html ++ "The statement about argv[] and envp[] being constants ... " ++ */ ++ execvp(argv[0], discard_const_p(char * const, argv)); + ERROR("Error while executing external command\n"); +- return EIO; ++ _exit(1); ++ } else { ++ if (waitpid(ret, &wstatus, 0) == -1) { ++ ERROR("Error while executing external command '%s'\n", argv[0]); ++ return EFAULT; ++ } else if (WEXITSTATUS(wstatus) != 0) { ++ ERROR("Command '%s' failed with [%d]\n", ++ argv[0], WEXITSTATUS(wstatus)); ++ return EIO; ++ } + } + + return EOK; +@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) + #elif defined(HAVE_SERVICE) + switch (action) { + case SSSCTL_SVC_START: +- return sssctl_run_command(SERVICE_PATH" sssd start"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "start", NULL}); + case SSSCTL_SVC_STOP: +- return sssctl_run_command(SERVICE_PATH" sssd stop"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); + case SSSCTL_SVC_RESTART: +- return sssctl_run_command(SERVICE_PATH" sssd restart"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL}); + } + #endif + +diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h +index 0115b2457..599ef6519 100644 +--- a/src/tools/sssctl/sssctl.h ++++ b/src/tools/sssctl/sssctl.h +@@ -47,7 +47,7 @@ enum sssctl_prompt_result + sssctl_prompt(const char *message, + enum sssctl_prompt_result defval); + +-errno_t sssctl_run_command(const char *command); ++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */ + bool sssctl_start_sssd(bool force); + bool sssctl_stop_sssd(bool force); + bool sssctl_restart_sssd(bool force); +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c +index 8d79b977f..bf2291341 100644 +--- a/src/tools/sssctl/sssctl_data.c ++++ 
b/src/tools/sssctl/sssctl_data.c +@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) + } + } + +- ret = sssctl_run_command("sss_override user-export " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export user overrides\n"); + return ret; + } + +- ret = sssctl_run_command("sss_override group-export " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-export", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export group overrides\n"); + return ret; +@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override user-import " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-import", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import user overrides\n"); + return ret; +@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override group-import " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-import", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import group overrides\n"); + return ret; +@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline, + void *pvt) + { + errno_t ret; +- char *cmd_args = NULL; +- const char *cachecmd = SSS_CACHE; +- char *cmd = NULL; +- int i; +- +- if (cmdline->argc == 0) { +- ret = sssctl_run_command(cachecmd); +- goto done; +- } + +- cmd_args = talloc_strdup(tool_ctx, ""); +- if (cmd_args == NULL) { +- ret = ENOMEM; +- goto done; ++ const char **args = 
talloc_array_size(tool_ctx, ++ sizeof(char *), ++ cmdline->argc + 2); ++ if (!args) { ++ return ENOMEM; + } ++ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); ++ args[0] = SSS_CACHE; ++ args[cmdline->argc + 1] = NULL; + +- for (i = 0; i < cmdline->argc; i++) { +- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); +- if (i != cmdline->argc - 1) { +- cmd_args = talloc_strdup_append(cmd_args, " "); +- } +- } +- +- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); +- if (cmd == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = sssctl_run_command(cmd); +- +-done: +- talloc_free(cmd_args); +- talloc_free(cmd); ++ ret = sssctl_run_command(args); + ++ talloc_free(args); + return ret; + } +diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c +index 04a32bad8..ebb2c4571 100644 +--- a/src/tools/sssctl/sssctl_logs.c ++++ b/src/tools/sssctl/sssctl_logs.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include "util/util.h" + #include "tools/common/sss_process.h" +@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + { + struct sssctl_logs_opts opts = {0}; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. 
*/ + struct poptOption options[] = { +@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + + sss_signal(SIGHUP); + } else { ++ globbuf.gl_offs = 4; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; ++ } ++ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); ++ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); ++ globbuf.gl_pathv[3] = discard_const_p(char, "0"); ++ + PRINT("Truncating log files...\n"); +- ret = sssctl_run_command("truncate --size 0 " LOG_FILES); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to truncate log files\n"); + return ret; +@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + void *pvt) + { + const char *file; +- const char *cmd; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. */ + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, +@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + return ret; + } + +- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); +- if (cmd == NULL) { +- ERROR("Out of memory!"); ++ globbuf.gl_offs = 3; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; + } ++ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); ++ globbuf.gl_pathv[2] = discard_const_p(char, file); + + PRINT("Archiving log files into %s...\n", file); +- ret = sssctl_run_command(cmd); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to archive log files\n"); + return ret; +-- +2.25.1 + 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch
new file mode 100644
index 0000000000..7d80dc8415
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch
@@ -0,0 +1,10 @@
+--- a/src/external/nsupdate.m4 2020-11-05 16:27:14.661566136 +0100
++++ b/src/external/nsupdate.m4 2020-11-05 16:27:30.060674381 +0100
+@@ -9,7 +9,6 @@
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+- AC_MSG_ERROR([nsupdate does not support 'realm'])
+ fi
+
+ else
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
index 1821089a60..a6afb4682c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service
@@ -1,15 +1,10 @@ [Unit] Description=System Security Services Daemon -# SSSD will not be started until syslog is -After=syslog.target +After=nscd.service [Service] -ExecStart=/usr/sbin/sssd -D -f -# These two should be used with traditional UNIX forking daemons -# consult systemd.service(5) for more details -Type=forking +ExecStart=/usr/sbin/sssd -i PIDFile=/run/sssd.pid [Install] WantedBy=multi-user.target -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
new file mode 100644
index 0000000000..f8074a4332
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
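Review bot: `ExecStart=/usr/sbin/sssd -i` runs sssd in the foreground but the sssd.service hunk sets no `Type=`, so systemd treats the unit as `Type=simple` and marks it active as soon as the process is forked, before the NSS/PAM responders are listening; anything ordered `After=sssd.service` can therefore race its startup. sssd's upstream unit pairs `-i` with `Type=notify` and `NotifyAccess=main`; the ebuild configures `--with-initscript=systemd`, so notify support should be present, but that is worth confirming on this build. `PIDFile=/run/sssd.pid` is only meaningful for `Type=forking` and can be dropped once `Type=notify` is used. Replacing the obsolete `syslog.target` with `After=nscd.service` is fine.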
@@ -0,0 +1,13 @@
+d /etc/sssd 0700 root root - -
+C /etc/sssd/sssd.conf 0600 root root - /usr/share/sssd/sssd-example.conf
+d /var/lib/sss - root root - -
+d /var/lib/sss/deskprofile 0755 root root - -
+d /var/lib/sss/db 0700 root root - -
+d /var/lib/sss/gpo_cache 0755 root root - -
+d /var/lib/sss/keytabs 0700 root root - -
+d /var/lib/sss/mc 0700 root root - -
+d /var/lib/sss/pipes - root root - -
+d /var/lib/sss/pipes/private 0700 root root - -
+d /var/lib/sss/pubconf 0700 root root - -
+d /var/lib/sss/pubconf/krb5.include.d 0700 root root - -
+d /var/lib/sss/secrets 0755 root root - -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild
similarity index 78%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild
index c5c20e6794..03d0a0476a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild
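Review bot: There is no entry for `/var/log/sssd`, although the ebuild's `@@ -251,26 +280,15 @@` hunk drops `keepdir /var/log/sssd` with the remark that the `/var` directories are now left to tmpfiles. Unless the directory comes from somewhere else on the target, sssd's file logging (the path the sssctl patch above globs as `LOG_PATH"/*.log"`) has nowhere to write; add `d /var/log/sssd 0750 root root - -`, with the mode checked against what the old keepdir installed. Two directories, `/var/lib/sss` and `/var/lib/sss/pipes`, also leave the mode as `-` while every sibling is explicit; spelling out the intended mode keeps the permission model of the tree reviewable.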
@@ -1,16 +1,23 @@
+# Flatcar modifications:
+# - changed files/sssd.service
+# - added files/tmpfiles.d/sssd.conf
+# - other ebuild modifications marked below
+#
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
-PYTHON_COMPAT=( python3_7 )
+PYTHON_COMPAT=( python3_{6..10} )
-inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs
+TMPFILES_OPTIONAL=1
+inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs tmpfiles
 DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
 HOMEPAGE="https://github.com/SSSD/sssd"
 SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz"
-KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
+# Flatcar: stabilize arm64
+KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
 LICENSE="GPL-3"
 SLOT="0"
@@ -20,6 +27,8 @@ RESTRICT="!test? ( test )"
 REQUIRED_USE="pac? ( samba ) python? ( ${PYTHON_REQUIRED_USE} )"
+# Flatcar: do not force gssapi for >=net-dns/bind-tools-9.9
+# do not force winbind for net-fs/samba
 DEPEND="
 >=app-crypt/mit-krb5-1.10.3
 app-crypt/p11-kit
@@ -29,7 +38,7 @@ DEPEND="
 >=dev-libs/libpcre-8.30:=
 >=dev-libs/popt-1.16
 >=dev-libs/openssl-1.0.2:0=
- >=net-dns/bind-tools-9.9[gssapi]
+ >=net-dns/bind-tools-9.9
 >=net-dns/c-ares-1.7.4
 >=net-nds/openldap-2.4.30[sasl]
 >=sys-apps/dbus-1.6
@@ -53,7 +62,7 @@ DEPEND="
 net-fs/samba
 )
 python? ( ${PYTHON_DEPS} )
- samba? ( >=net-fs/samba-4.10.2[winbind] )
+ samba? ( >=net-fs/samba-4.10.2 )
 selinux? (
 >=sys-libs/libselinux-2.1.9
 >=sys-libs/libsemanage-2.1
@@ -69,8 +78,9 @@ RDEPEND="${DEPEND}
 >=sys-libs/glibc-2.17[nscd]
 selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )
 "
-BDEPEND="${DEPEND}
- >=sys-devel/autoconf-2.69-r5
+# Flatcar: require only autoconf:2.69
+BDEPEND="
+ sys-devel/autoconf:2.69
 doc? ( app-doc/doxygen )
 test? (
 dev-libs/check
@@ -104,6 +114,9 @@ MULTILIB_WRAPPED_HEADERS=(
 PATCHES=(
 "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch
+ "${FILESDIR}"/${P}-disable-nsupdate-realm.patch
+ # Flatcar: add a patch for CVE-2021-3621
+ "${FILESDIR}"/${P}-CVE-2021-3621.patch
 )
 pkg_setup() {
@@ -133,7 +146,6 @@ multilib_src_configure() {
 myconf+=(
 --localstatedir="${EPREFIX}"/var
- --runstatedir="${EPREFIX}"/run
 --with-pid-path="${EPREFIX}"/run
 --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
 --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
@@ -149,6 +161,12 @@ multilib_src_configure() {
 --with-nscd="${EPREFIX}"/usr/sbin/nscd
 --with-unicode-lib="glib2"
 --disable-rpath
+ # Flatcar: make nss lookups succeed when not running
+ --enable-sss-default-nss-plugin
+ # Flatcar: prevent cross-compilation error
+ # when autotools does not want to compile and run the test
+ $(use_with samba smb-idmap-interface-version=6)
+ #
 --sbindir=/usr/sbin
 --with-crypto="libcrypto"
 --enable-local-provider
@@ -178,6 +196,11 @@ multilib_src_configure() {
 myconf+=(
 --with-initscript="systemd"
 --with-systemdunitdir=$(systemd_get_systemunitdir)
+ # Flatcar: Set the systemd system
+ # configuration directory explicitly through
+ # _systemd_get_dir, as it will do the right
+ # thing in cross-compilation environment.
+ --with-systemdconfdir=$(_systemd_get_dir systemdsystemconfdir /etc/systemd/system)
 )
 else
 myconf+=(--with-initscript="sysv")
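Review bot: `$(use_with samba smb-idmap-interface-version=6)` in the `@@ -149,6 +161,12 @@` hunk folds the value into the option name, so with the samba flag disabled it expands to `--without-smb-idmap-interface-version=6`, which configure's option parser rejects as an invalid package name rather than treating as a disabled option; the three-argument form `$(use_with samba smb-idmap-interface-version 6)` yields `--with-smb-idmap-interface-version=6` or `--without-smb-idmap-interface-version`. The literal `6` also pins the idmap interface version to whatever the samba in DEPEND currently exports, so a samba bump silently invalidates it; a comment such as `# keep in sync with the idmap interface version of the net-fs/samba in DEPEND` next to it would flag the coupling. The enclosing `myconf+=(` array and multilib_src_configure start and end outside this hunk.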
@@ -203,12 +226,16 @@ multilib_src_configure() {
 )
 fi
+ # Flatcar: Apparently CPP is undefined, which breaks samba
+ # version detection.
+ tc-export CPP
 econf "${myconf[@]}"
 }
 multilib_src_compile() {
 if multilib_is_native_abi; then
- default
+ # Flatcar: add runstatedir to make commands to avoid configure error
+ default runstatedir="${EPREFIX}"/run
 use doc && emake docs
 if use man || use nls; then
 emake update-po
@@ -222,7 +249,9 @@ multilib_src_compile() {
 multilib_src_install() {
 if multilib_is_native_abi; then
- emake -j1 DESTDIR="${D}" "${_at_args[@]}" install
+ # Flatcar: add runstatedir, sysconfdir
+ emake -j1 DESTDIR="${D}" runstatedir="${EPREFIX}"/run \
+ sysconfdir="/usr/share" "${_at_args[@]}" install
 if use python; then
 python_optimize
 python_fix_shebang "${ED}"
@@ -251,26 +280,15 @@ multilib_src_install_all() {
 einstalldocs
 find "${ED}" -type f -name '*.la' -delete || die
- insinto /etc/sssd
- insopts -m600
+ # Flatcar: store on /usr
+ insinto /usr/share/sssd
 doins "${S}"/src/examples/sssd-example.conf
- insinto /etc/logrotate.d
- insopts -m644
- newins "${S}"/src/examples/logrotate sssd
-
- newconfd "${FILESDIR}"/sssd.conf sssd
-
- keepdir /var/lib/sss/db
- keepdir /var/lib/sss/deskprofile
- keepdir /var/lib/sss/gpo_cache
- keepdir /var/lib/sss/keytabs
- keepdir /var/lib/sss/mc
- keepdir /var/lib/sss/pipes/private
- keepdir /var/lib/sss/pubconf/krb5.include.d
- keepdir /var/lib/sss/secrets
- keepdir /var/log/sssd
+ # Flatcar: delete, remove /var files taken care of by tmpfiles
+ # Flatcar: add tmpfile directive and remove /etc/rc.d
+ dotmpfiles "${FILESDIR}/tmpfiles.d/sssd.conf"
+ rm -rf "${D}/etc/rc.d"
 # strip empty dirs
 if ! use doc ; then
 rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die
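Review bot: `rm -rf "${D}/etc/rc.d"` in the `@@ -251,26 +280,15 @@` hunk addresses the image through `${D}` while the neighbouring `find "${ED}"` and `rm -r "${ED}"` lines use `${ED}`; under EAPI 7 the prefix-aware spelling is `rm -rf "${ED}"/etc/rc.d`. The two stacked `# Flatcar:` comments read like an edit log rather than a description of the code (`delete, remove /var files ...`); a single line such as `# Flatcar: /var directories now come from tmpfiles.d/sssd.conf; drop the keepdirs and the /etc/rc.d files` says what the block does. multilib_src_install_all continues beyond the hunk.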