Merge pull request #2814 from flatcar/krnowak/move-stuff-over

Move some packages from overlay to portage-stable
Krzesimir Nowak 2025-04-24 15:31:36 +02:00 committed by GitHub
commit 538fd076e9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
332 changed files with 12676 additions and 3511 deletions


@ -66,6 +66,7 @@ acct-user/systemd-timesync
acct-user/tss
app-admin/eselect
app-admin/logrotate
app-admin/perl-cleaner
app-admin/sudo
@ -117,6 +118,7 @@ app-containers/docker-cli
app-containers/netavark
app-containers/podman
app-containers/runc
app-containers/syft
app-crypt/adcli
app-crypt/argon2
@ -129,8 +131,10 @@ app-crypt/mit-krb5
app-crypt/p11-kit
app-crypt/pinentry
app-crypt/rhash
app-crypt/sbsigntools
app-crypt/tpm2-tools
app-crypt/tpm2-tss
app-crypt/trousers
app-doc/eclass-manpages
@ -222,6 +226,7 @@ dev-lang/yasm
dev-libs/cJSON
dev-libs/cyrus-sasl
dev-libs/dbus-glib
dev-libs/ding-libs
dev-libs/elfutils
dev-libs/expat
@ -352,6 +357,7 @@ dev-python/urllib3
dev-python/wheel
dev-util/bpftool
dev-util/bsdiff
dev-util/catalyst
dev-util/gdbus-codegen
dev-util/glib-utils
@ -498,9 +504,14 @@ net-dns/dnsmasq
net-dns/libidn2
net-firewall/conntrack-tools
net-firewall/ebtables
net-firewall/ipset
net-firewall/iptables
net-firewall/nftables
net-fs/cifs-utils
net-fs/nfs-utils
net-fs/samba
net-libs/gnutls
net-libs/libmicrohttpd
@ -515,6 +526,7 @@ net-libs/libnsl
net-libs/libpcap
net-libs/libpsl
net-libs/libslirp
net-libs/libtirpc
net-libs/nghttp2
net-libs/rpcsvc-proto
@ -558,6 +570,7 @@ sys-apps/bubblewrap
sys-apps/checkpolicy
sys-apps/config-site
sys-apps/coreutils
sys-apps/dbus
sys-apps/debianutils
sys-apps/diffutils
sys-apps/dtc
@ -576,6 +589,7 @@ sys-apps/iproute2
sys-apps/iucode_tool
sys-apps/kbd
sys-apps/kexec-tools
sys-apps/keyutils
sys-apps/kmod
sys-apps/less
sys-apps/locale-gen
@ -594,6 +608,7 @@ sys-apps/pv
sys-apps/sandbox
sys-apps/sed
sys-apps/semodule-utils
sys-apps/shadow
sys-apps/smartmontools
sys-apps/texinfo
sys-apps/usbutils
@ -601,6 +616,7 @@ sys-apps/util-linux
sys-apps/which
sys-apps/zram-generator
sys-auth/polkit
sys-auth/sssd
sys-block/open-iscsi
@ -640,6 +656,8 @@ sys-fs/fuse
sys-fs/fuse-common
sys-fs/fuse-overlayfs
sys-fs/lsscsi
sys-fs/lvm2
sys-fs/mdadm
sys-fs/mtools
sys-fs/multipath-tools
sys-fs/quota
@ -672,6 +690,7 @@ sys-libs/readline
sys-libs/talloc
sys-libs/tdb
sys-libs/tevent
sys-libs/timezone-data
sys-libs/zlib
sys-power/acpid


@ -277,7 +277,7 @@ write_packages() {
# Generate an SPDX SBOM using syft
write_sbom() {
info "Writing ${2##*/}"
sudo syft packages "${1}" -o spdx-json="$2"
sudo syft scan "${1}" -o spdx-json="$2"
}
# Get metadata $key for package $pkg installed under $prefix
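Review bot: `syft scan "${1}"` passes the source without a scheme, so syft has to guess whether the argument is a directory, an archive or an image reference, and it does that guessing under sudo. If `$1` is always a root filesystem directory (the callers are outside this hunk), pinning it as `sudo syft scan "dir:${1}" -o spdx-json="$2"` makes a missing or mistyped path fail instead of being tried as another source type. A short comment that `scan` replaces the older `packages` subcommand, presumably because of the syft version now taken from portage-stable, would also help the next reader.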


@ -0,0 +1,12 @@
- base, dev: logrotate ([3.22.0](https://github.com/logrotate/logrotate/releases/tag/3.22.0) (includes [3.21.0](https://github.com/logrotate/logrotate/releases/tag/3.21.0)))
- base, dev: trousers ([0.3.15](https://sourceforge.net/p/trousers/trousers/ci/TROUSERS_0_3_15/tree/ChangeLog))
- base, dev: iptables ([1.8.11](https://netfilter.org/projects/iptables/files/changes-iptables-1.8.11.txt) (includes [1.8.10](https://netfilter.org/projects/iptables/files/changes-iptables-1.8.10.txt), [1.8.9](https://netfilter.org/projects/iptables/files/changes-iptables-1.8.9.txt)))
- base, dev: nftables ([1.1.1](https://netfilter.org/projects/nftables/files/changes-nftables-1.1.1.txt) (includes [1.1.0](https://netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt), [1.0.9](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.9.txt), [1.0.8](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.8.txt), [1.0.7](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.7.txt), [1.0.6](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.6.txt), [1.0.5](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.5.txt), [1.0.4](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.4.txt), [1.0.3](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.3.txt), [1.0.2](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.2.txt), [1.0.1](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.1.txt), [1.0.0](https://netfilter.org/projects/nftables/files/changes-nftables-1.0.0.txt)))
- base, dev: nfs-utils ([2.7.1](https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=log;h=refs/tags/nfs-utils-2-7-1) (includes [2.6.4](https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=log;h=refs/tags/nfs-utils-2-6-4), [2.6.3](https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=log;h=refs/tags/nfs-utils-2-6-3), [2.6.2](https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=log;h=refs/tags/nfs-utils-2-6-2), [2.6.1](https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=log;h=refs/tags/nfs-utils-2-6-1)))
- base, dev: libtirpc ([1.3.6](https://git.linux-nfs.org/?p=steved/libtirpc.git;a=log;h=refs/tags/libtirpc-1-3-6) (includes [1.3.5](https://git.linux-nfs.org/?p=steved/libtirpc.git;a=log;h=refs/tags/libtirpc-1-3-5)))
- base, dev: dbus ([1.16.2](https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.16.2/NEWS) (includes [1.16.0](https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.16.0/NEWS), [1.14.8](https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.14.8/NEWS), [1.14.6](https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.14.6/NEWS)))
- base, dev: shadow ([4.14.8](https://github.com/shadow-maint/shadow/releases/tag/4.14.8) (includes [4.14.7](https://github.com/shadow-maint/shadow/releases/tag/4.14.7), [4.14.6](https://github.com/shadow-maint/shadow/releases/tag/4.14.6), [4.14.5](https://github.com/shadow-maint/shadow/releases/tag/4.14.5), [4.14.4](https://github.com/shadow-maint/shadow/releases/tag/4.14.4), [4.14.3](https://github.com/shadow-maint/shadow/releases/tag/4.14.3), [4.14.2](https://github.com/shadow-maint/shadow/releases/tag/4.14.2), [4.14.1](https://github.com/shadow-maint/shadow/releases/tag/4.14.1), [4.14.0](https://github.com/shadow-maint/shadow/releases/tag/4.14.0)))
- base, dev: polkit ([125](https://github.com/polkit-org/polkit/blob/125/NEWS.md) (includes [124](https://github.com/polkit-org/polkit/blob/124/NEWS.md), [123](https://github.com/polkit-org/polkit/blob/123/NEWS.md), [122](https://github.com/polkit-org/polkit/blob/122/NEWS.md)))
- base, dev: lvm2 ([2.03.22] (includes [2.03.21](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_21), [2.03.20](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_20), [2.03.19](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_19), [2.03.18](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_18), [2.03.17](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_17), [2.03.16](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_16), [2.03.15](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_15), [2.03.14](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_14), [2.03.13](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_13), [2.03.12](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_12), [2.03.11](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_11), [2.03.10](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_10), [2.03.09](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_09), [2.03.08](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_08), [2.03.07](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_07), [2.03.06](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_06), [2.03.05](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_05), [2.03.04](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_04), [2.03.03](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_03), [2.03.02](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_02), [2.03.01](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_01), [2.03.00](https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_00)))
- base, dev: mdadm ([4.4](https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/tree/CHANGELOG.md?h=mdadm-4.4) (includes [4.3](https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/tree/CHANGELOG.md?h=mdadm-4.4#n36)))
- base, dev: timezone-data ([2025a](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/MWII7R3HMCEDNUCIYQKSSTYYR7UWK4OQ/) (includes [2024b](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/IZ7AO6WRE3W3TWBL5IR6PMQUL433BQIE/), [2024a](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/UXFL4DEZCXJVZW6E24Y2HLSXVB2ILFVE/), [2023d](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/WSF4TA5RFP7ECRKUKQFRHYN724HDMRTO/), [2023c](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/NPQOFZRXK5QKUW7F4CC24W52OTZ7YOOT/), [2023b](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/YXCVU55LIUZTZREUUH4VPMC75GYKKPE7/), [2023a](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/HLUTNGHZ5QPNOPZTZFS6F2QVMGQWEDMC/), [2022g](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/XIK47NMDAHCVOWE4MZIB7F44HFU3J2OB/), [2022f](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/65JMZVURDDM3XOABROYJX5ZN4N6TATZ5/), [2022e](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/CTWT3RFQXZHROH4VJKXAVQ77FYMF7BHY/), [2022d](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TCLVCAIDB64WNEVHJV2ITDHFRUHVB7BN/), [2022c](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/GFXHZWBRVLDVX5QQUI4UCY5B4O2FRV5Z/), [2022b](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/IB5UMSJYN42GOMKHHWU5UCHD3WYRCVQ4/), [2022a](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/CU52CSKQNZRRZPRBDY4GKCCFWKZD4HAJ/), [2021e](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/ANTPUKJNFDF6ZA3NSIJEOZGDHUNJ4HL2/), [2021d](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/YPPIPGO3PLSMDNSVX6VOMASHRDL4GQWB/), [2021c](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/MFS2QPRANAWSPV2DKU46NQKDDPLMXH2H/), 
[2021b](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/422GNGI6F26NIV2JNHI726UO2TDTO2MD/)))


@ -1,2 +0,0 @@
DIST logrotate-3.20.1.tar.xz 166712 BLAKE2B 8481e0d746c6bcbe10f2686a921334c6f957c8d92520927de7bc8fb0b7631a444fedaa80f35bc2de7961b3d5833ce4ab885b1298b235b7f8b33cc3ae05438da6 SHA512 a9ed5796ab254f511d0029a8f29ef7557f62e12e3ea9af24e30b5b9f348b1c1a16df26d44314b78299916fb3b5000b9cd9eed7cee2cee8df11cfd8e40c79b092
DIST logrotate-3.20.1.tar.xz.asc 833 BLAKE2B afc02177335bcd580e0617af8c50846b371c2d00ecd8fe329c2e298dc8c48823137625f455cea3d983a0d9971733297fa2c4d98ba3c6f72d2c07f8f21108cfe4 SHA512 2dd207feec431b223ff12f09f6cce14409d45e5bb3abaf2275dd773c7ee7c59ed7d32395e5869bfed70c970be4158fd299e6e269838378843dcb63ca5ebfa029


@ -1,147 +0,0 @@
https://bugs.gentoo.org/847382#c3
https://github.com/logrotate/logrotate/commit/31cf1099ab8514dfcae5a980bc77352edd5292f8
https://github.com/logrotate/logrotate/commit/7b1fa328bf70eb8434166f151bd075cd1440d0dc
From 31cf1099ab8514dfcae5a980bc77352edd5292f8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 27 May 2022 09:56:07 +0200
Subject: [PATCH] lockState: do not print `error:` when exit code is unaffected
Closes: https://github.com/logrotate/logrotate/pull/448
--- a/logrotate.c
+++ b/logrotate.c
@@ -3050,8 +3050,8 @@ static int lockState(const char *stateFilename, int skip_state_lock)
}
if (sb.st_mode & S_IROTH) {
- message(MESS_ERROR, "state file %s is world-readable and thus can"
- " be locked from other unprivileged users."
+ message(MESS_NORMAL, "warning: state file %s is world-readable"
+ " and thus can be locked from other unprivileged users."
" Skipping lock acquisition...\n",
stateFilename);
close(lockFd);
From 7b1fa328bf70eb8434166f151bd075cd1440d0dc Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 27 May 2022 16:02:57 +0200
Subject: [PATCH] log: unify handling of log levels
Use MESS_WARN instead of MESS_NORMAL and make it always use
the `warning:` prefix. MESS_WARN is now mapped to LOG_WARNING
for syslog.
Also drop MESS_VERBOSE, which was not set anywhere.
Closes: https://github.com/logrotate/logrotate/pull/239
Closes: https://github.com/logrotate/logrotate/pull/449
--- a/config.c
+++ b/config.c
@@ -643,7 +643,7 @@ static void set_criterium(enum criterium *pDst, enum criterium src, int *pSet)
{
if (*pSet && (*pDst != src)) {
/* we are overriding a previously set criterium */
- message(MESS_VERBOSE, "warning: '%s' overrides previously specified '%s'\n",
+ message(MESS_DEBUG, "note: '%s' overrides previously specified '%s'\n",
crit_to_string(src), crit_to_string(*pDst));
}
*pDst = src;
@@ -1021,7 +1021,7 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
if (getuid() == ROOT_UID) {
if ((sb_config.st_mode & 07533) != 0400) {
- message(MESS_NORMAL,
+ message(MESS_WARN,
"Potentially dangerous mode on %s: 0%o\n",
configFile, (unsigned) (sb_config.st_mode & 07777));
}
@@ -1386,7 +1386,7 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
RAISE_ERROR();
}
} else if (!strcmp(key, "errors")) {
- message(MESS_NORMAL,
+ message(MESS_WARN,
"%s: %d: the errors directive is deprecated and no longer used.\n",
configFile, lineNum);
} else if (!strcmp(key, "mail")) {
--- a/log.c
+++ b/log.c
@@ -40,9 +40,12 @@ static void log_once(FILE *where, int level, const char *format, va_list args)
{
switch (level) {
case MESS_DEBUG:
- case MESS_NORMAL:
- case MESS_VERBOSE:
break;
+
+ case MESS_WARN:
+ fprintf(where, "warning: ");
+ break;
+
default:
fprintf(where, "error: ");
break;
@@ -78,10 +81,11 @@ void message(int level, const char *format, ...)
priority |= LOG_DEBUG;
break;
case MESS_DEBUG:
- case MESS_VERBOSE:
- case MESS_NORMAL:
priority |= LOG_INFO;
break;
+ case MESS_WARN:
+ priority |= LOG_WARNING;
+ break;
case MESS_ERROR:
priority |= LOG_ERR;
break;
--- a/log.h
+++ b/log.h
@@ -5,8 +5,7 @@
#define MESS_REALDEBUG 1
#define MESS_DEBUG 2
-#define MESS_VERBOSE 3
-#define MESS_NORMAL 4
+#define MESS_WARN 4
#define MESS_ERROR 5
#define MESS_FATAL 6
--- a/logrotate.c
+++ b/logrotate.c
@@ -3050,7 +3050,7 @@ static int lockState(const char *stateFilename, int skip_state_lock)
}
if (sb.st_mode & S_IROTH) {
- message(MESS_NORMAL, "warning: state file %s is world-readable"
+ message(MESS_WARN, "state file %s is world-readable"
" and thus can be locked from other unprivileged users."
" Skipping lock acquisition...\n",
stateFilename);
@@ -3106,7 +3106,7 @@ int main(int argc, const char **argv)
POPT_AUTOHELP { NULL, 0, 0, NULL, 0, NULL, NULL }
};
- logSetLevel(MESS_NORMAL);
+ logSetLevel(MESS_WARN);
setlocale (LC_ALL, "");
optCon = poptGetContext("logrotate", argc, argv, options, 0);
@@ -3117,7 +3117,7 @@ int main(int argc, const char **argv)
switch (arg) {
case 'd':
debug = 1;
- message(MESS_NORMAL, "WARNING: logrotate in debug mode does nothing"
+ message(MESS_WARN, "logrotate in debug mode does nothing"
" except printing debug messages! Consider using verbose"
" mode (-v) instead if this is not what you want.\n\n");
/* fallthrough */
--- a/test/test-0080.sh
+++ b/test/test-0080.sh
@@ -10,4 +10,4 @@ cleanup 80
preptest test.log 80 1 0
$RLR -d test-config.80 2>&1 | \
- grep -q "warning: 'daily' overrides previously specified 'size'"
+ grep -q "note: 'daily' overrides previously specified 'size'"


@ -1,5 +0,0 @@
[Unit]
Description=Rotate and Compress System Logs
[Service]
ExecStart=/usr/bin/logrotate /usr/share/logrotate/logrotate.conf


@ -1,2 +0,0 @@
d /var/lib/misc
d /etc/logrotate.d - - - - -


@ -1,2 +0,0 @@
DIST syft-0.51.0-deps.tar.xz 632084588 BLAKE2B f9b3e4e41521c25b6e338f2b8f3bba0be08e7608d95de7dba6f5f104e22b8de8a4b419e574e19634099a3bbc55556f83949c68abd5ae52d14b5e97cb9306bf22 SHA512 819236c275762cc42c60339ee2d6886f0998f34609ab0bbef3150b23fbcf3cecaea63d92f6e2e161bf3ec30edae00ef467755900fd1c98389db2f9cd8113fbf4
DIST syft-0.51.0.tar.gz 3727474 BLAKE2B ae9f54f421faa530aabbbadd985071f603ccaa32c6cd5f0dd400ea9163a218e8ddd5e7035042a7eda6cd06910ce96ae0f42b7422c932992fad812431a42ac059 SHA512 fb844a76d3f3f303e781cea40ac6fb573927f6465a39da10fe9cffeb08ce7b1e8b8ed4acb219206e53159f802eaa12dce73ce5bc3b868f6f4270a30498b6b767


@ -1,8 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
</pkgmetadata>


@ -1,24 +0,0 @@
# Copyright 2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module
DESCRIPTION="Generate a Software Bill of Materials from container images and filesystems"
HOMEPAGE="https://www.anchore.com"
SRC_URI="https://github.com/anchore/syft/archive/v${PV}.tar.gz -> ${P}.tar.gz"
SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-deps.tar.xz"
LICENSE="Apache-2.0"
SLOT="0"
# Flatcar: keyword for arm64 and amd64
KEYWORDS="amd64 arm64"
src_compile() {
# Flatcar: add ldflags to set version
ego build -o bin/syft -ldflags "-X github.com/anchore/syft/internal/version.version=${PV}" ./cmd/syft
}
src_install() {
dobin bin/*
}


@ -1,15 +0,0 @@
diff --git a/src/idc.c b/src/idc.c
index 6d87bd4..0a82218 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
idc->data->type = OBJ_nid2obj(peid_nid);
idc->data->value = ASN1_TYPE_new();
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
idc->digest->alg->parameter = ASN1_TYPE_new();
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
--
2.25.1


@ -1 +0,0 @@
DIST trousers-0.3.14.tar.gz 1378438 BLAKE2B 3dc2824fa2ca1b1f1181f98d59e85276e7d38af4bfc07ee8246431d9ccb300a8e0820b318643d4cf5d757d2a49492c8686e2fe9de03484263d2189d4bbaa32d0 SHA512 bf87f00329cf1d76a12cf6b6181fa22f90e76af3c5786e6e2db98438d2d3f0c0e05364374664173f45e3a2f6c0e2364948d0b958a7845cb23fcb340150cd9b21


@ -1,9 +0,0 @@
# /etc/conf.d/tscd
# Configuration file for the TrouSerS' TCS daemon (tcsd) init script
# Have a look on /etc/tcsd.conf too, there is more to configure there.
# TPM_MODULES: name of the module(s) that should be loaded. You only need to
# set this if your driver is not compiled in kernel and is not already loaded
# on boot. (default: unset)
#TPM_MODULES="tpm_atmel"


@ -1,38 +0,0 @@
#!/sbin/openrc-run
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
depend() {
use logger
need net
}
checkconfig() {
local mod
if [ -n "${TPM_MODULES}" ] ; then
for mod in ${TPM_MODULES} ; do
lsmod | grep -q "^${mod}\b" \
|| modprobe ${mod} &>/dev/null \
|| ewarn "Failed to load module ${mod}"
done
# Should we sleep or something to wait for device creation?
fi
if [ ! -c /dev/tpm ] && [ ! -c /dev/tpm0 ] ; then
eerror "No TPM device found!"
return 1
fi
return 0
}
start() {
ebegin "Starting TrouSerS' TCS daemon (tcsd)"
checkconfig || eend $?
start-stop-daemon --start --user tss --exec /usr/sbin/tcsd
eend $?
}
stop() {
ebegin "Stopping TrouSerS' TCS daemon (tcsd)"
start-stop-daemon --stop --quiet --exec /usr/sbin/tcsd --user tss
eend $?
}


@ -1,13 +0,0 @@
[Unit]
Description=TCG Core Services Daemon
ConditionPathExists=/dev/tpm0
ConditionSecurity=!tpm2
[Service]
User=tss
ExecCondition=/bin/bash -c "/usr/bin/test $(cat /sys/class/tpm/*/tpm_version_major | grep -m 1 1 || echo 0) -eq 1"
ExecStart=/usr/sbin/tcsd -f
[Install]
WantedBy=multi-user.target


@ -1,3 +0,0 @@
d /var/lib/tpm 0755 tss tss - -
C /etc/tcsd.conf 0640 root tss - /usr/share/trousers/tcsd.conf
C /var/lib/tpm/system.data 0600 tss tss - /usr/share/trousers/system.data


@ -1,58 +0,0 @@
Index: trousers-0.3.14/src/tcs/ps/tcsps.c
===================================================================
--- trousers-0.3.14.orig/src/tcs/ps/tcsps.c
+++ trousers-0.3.14/src/tcs/ps/tcsps.c
@@ -72,7 +72,7 @@ get_file()
}
/* open and lock the file */
- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
if (system_ps_fd < 0) {
LogError("system PS: open() of %s failed: %s",
tcsd_options.system_ps_file, strerror(errno));
Index: trousers-0.3.14/src/tcsd/svrside.c
===================================================================
--- trousers-0.3.14.orig/src/tcsd/svrside.c
+++ trousers-0.3.14/src/tcsd/svrside.c
@@ -473,6 +473,7 @@ main(int argc, char **argv)
}
return TCSERR(TSS_E_INTERNAL_ERROR);
}
+ setgid(pwd->pw_gid);
setuid(pwd->pw_uid);
#endif
#endif
Index: trousers-0.3.14/src/tcsd/tcsd_conf.c
===================================================================
--- trousers-0.3.14.orig/src/tcsd/tcsd_conf.c
+++ trousers-0.3.14/src/tcsd/tcsd_conf.c
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
#ifndef SOLARIS
struct group *grp;
struct passwd *pw;
- mode_t mode = (S_IRUSR|S_IWUSR);
+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
#endif /* SOLARIS */
TSS_RESULT result;
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
}
/* make sure user/group TSS owns the conf file */
- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
- TSS_USER_NAME, TSS_GROUP_NAME);
+ "root", TSS_GROUP_NAME);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
- /* make sure only the tss user can manipulate the config file */
+ /* make sure only the tss user can read (but not manipulate) the config file */
if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
#endif /* SOLARIS */


@ -1,15 +0,0 @@
diff --git a/src/include/tcsd.h b/src/include/tcsd.h
index 5b9462b..05bae97 100644
--- a/src/include/tcsd.h
+++ b/src/include/tcsd.h
@@ -166,8 +166,8 @@ void thread_signal_init();
/* signal handling */
#ifndef __APPLE__
-struct sigaction tcsd_sa_int;
-struct sigaction tcsd_sa_chld;
+extern struct sigaction tcsd_sa_int;
+extern struct sigaction tcsd_sa_chld;
#endif
#endif


@ -1,28 +0,0 @@
From b8b1cda430270f03dc556cf9cf7d2fd478101525 Mon Sep 17 00:00:00 2001
From: Alon Bar-Lev <alon.barlev@gmail.com>
Date: Wed, 7 Dec 2016 09:36:34 +0200
Subject: [PATCH] tspi: support libressl
Bug: https://sourceforge.net/p/trousers/bugs/222/
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
---
src/trspi/crypto/openssl/rsa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/trspi/crypto/openssl/rsa.c b/src/trspi/crypto/openssl/rsa.c
index 2b1205f..3e56015 100644
--- a/src/trspi/crypto/openssl/rsa.c
+++ b/src/trspi/crypto/openssl/rsa.c
@@ -38,7 +38,7 @@
#define DEBUG_print_openssl_errors()
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100001L
+#if OPENSSL_VERSION_NUMBER < 0x10100001L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
static int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
--
2.7.3


@ -1,91 +0,0 @@
# Flatcar modifications:
# - added "Flatcar:" customizations
# - added condition to files/tcsd.service
# - created files/tmpfiles.d/trousers.conf
# - created files/system.data
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
TMPFILES_OPTIONAL=1
inherit autotools linux-info readme.gentoo-r1 systemd tmpfiles udev
DESCRIPTION="An open-source TCG Software Stack (TSS) v1.1 implementation"
HOMEPAGE="http://trousers.sf.net"
SRC_URI="mirror://sourceforge/trousers/${PN}/${P}.tar.gz"
LICENSE="CPL-1.0 GPL-2"
SLOT="0"
KEYWORDS="amd64 arm arm64 ~m68k ~ppc ppc64 ~s390 x86"
IUSE="doc libressl selinux" # gtk
# gtk support presently does NOT compile.
# gtk? ( >=x11-libs/gtk+-2 )
DEPEND="acct-group/tss
acct-user/tss
>=dev-libs/glib-2
!libressl? ( >=dev-libs/openssl-0.9.7:0= )
libressl? ( dev-libs/libressl:0= )"
RDEPEND="${DEPEND}
selinux? ( sec-policy/selinux-tcsd )"
BDEPEND="virtual/pkgconfig"
PATCHES=(
"${FILESDIR}/${PN}-0.3.13-nouseradd.patch"
"${FILESDIR}/${P}-libressl.patch"
"${FILESDIR}/${P}-fno-common.patch"
"${FILESDIR}/${P}-Makefile.am-Mark-tddl.a-nodist.patch"
"${FILESDIR}/${P}-CVE-2020-24330_CVE-2020-24331_CVE-2020-24332.patch"
)
DOCS="AUTHORS ChangeLog NICETOHAVES README TODO"
DOC_CONTENTS="
If you have problems starting tcsd, please check permissions and
ownership on /dev/tpm* and ~tss/system.data
"
S="${WORKDIR}"
CONFIG_CHECK="~TCG_TPM"
src_prepare() {
default
eautoreconf
}
src_configure() {
# econf --with-gui=$(usex gtk gtk openssl)
econf --with-gui=openssl
}
src_install() {
default
find "${D}" -name '*.la' -delete || die
keepdir /var/lib/tpm
use doc && dodoc doc/*
# Flatcar: Comment out the openrc stuff.
# newinitd "${FILESDIR}"/tcsd.initd tcsd
# newconfd "${FILESDIR}"/tcsd.confd tcsd
fowners root:tss /etc/tcsd.conf
systemd_dounit "${FILESDIR}"/tcsd.service
# Flatcar:
systemd_enable_service multi-user.target tcsd.service
udev_dorules "${FILESDIR}"/61-trousers.rules
fowners tss:tss /var/lib/tpm
readme.gentoo_create_doc
# Flatcar:
insinto /usr/share/trousers/
doins "${FILESDIR}"/system.data
# stash a copy of the config so we can restore it from tmpfiles
doins "${D}"/etc/tcsd.conf
fowners tss:tss /usr/share/trousers/system.data
fowners root:tss /usr/share/trousers/tcsd.conf
dotmpfiles "${FILESDIR}"/tmpfiles.d/trousers.conf
}


@ -8,7 +8,7 @@ EGIT_REPO_URI="https://github.com/flatcar/init.git"
if [[ "${PV}" == 9999 ]]; then
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
else
EGIT_COMMIT="c818ad2c1923ff6fad2c01895f635e172990a48c" # flatcar-master
EGIT_COMMIT="ac4adc6903e060d49afd7a527ed1b555e94847f8" # flatcar-master
KEYWORDS="amd64 arm arm64 x86"
fi


@ -0,0 +1,45 @@
cros_post_src_install_logrotate_flatcar_modifications() {
insinto /etc
newins - logrotate.conf <<'EOF'
# keep only the most recent old log.
rotate 1
# create new (empty) log files after rotating old ones.
create
# use date as a suffix of the rotated file.
dateext
# compress rotated log files.
compress
# if a file to rotate is missing, don't log an error.
missingok
notifempty
nomail
noolddir
# packages can drop log rotation information into this directory.
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here.
# must match creation rules in /usr/lib/tmpfiles.d/var.conf
/var/log/wtmp {
create 0664 root utmp
size 1M
}
/var/log/btmp {
create 0600 root utmp
size 1M
}
# system-specific logs may also be configured here.
EOF
# install this for backward compatibility
dosym -r /usr/share/flatcar/etc/logrotate.conf /usr/share/logrotate/logrotate.conf
insinto /usr/share/flatcar/etc
newins - logrotate.conf
# needs systemd eclass to be inherited by the ebuild
systemd_enable_service multi-user.target logrotate.timer
}
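Review bot: The second `newins - logrotate.conf` (the one after `insinto /usr/share/flatcar/etc`) has no here-document or redirection, so it installs whatever the phase's inherited stdin yields, presumably an empty placeholder for the compatibility symlink. Making that explicit with `newins - logrotate.conf </dev/null` and a comment such as `# empty placeholder so the compatibility symlink has a target (intent to be confirmed by the author)` removes the dependence on inherited stdin. The trousers hook added later in this commit has the same bare `newins - tcsd.conf`.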


@ -0,0 +1,5 @@
# there are only examples installed
syft_install_mask=" /usr/share/syft/examples "
INSTALL_MASK+="${syft_install_mask}"
PKG_INSTALL_MASK+="${syft_install_mask}"
unset syft_install_mask


@ -0,0 +1,42 @@
cros_post_src_install_trousers_flatcar_modifications() {
# override the systemd unit file and enable it
systemd_newunit - tcsd.service <<'EOF'
[Unit]
Description=TCG Core Services Daemon
ConditionPathExists=/dev/tpm0
ConditionSecurity=!tpm2
[Service]
User=tss
ExecCondition=/bin/bash -c "/usr/bin/test $(cat /sys/class/tpm/*/tpm_version_major | grep -m 1 1 || echo 0) -eq 1"
ExecStart=/usr/sbin/tcsd -f
[Install]
WantedBy=multi-user.target
EOF
systemd_enable_service multi-user.target tcsd.service
# handle system.data file - put into /usr and install a tmpfiles
# conf copying it into /var/lib/tpm
(
insinto /usr/share/trousers/
insopts -o tss -g tss
newins - system.data <<<"/"
)
(
insopts -m 0644
insinto /usr/lib/tmpfiles.d
newins - trousers.conf <<'EOF'
C /var/lib/tpm/system.data 0600 tss tss - /usr/share/trousers/system.data
EOF
)
# symlink for backward compatibility, can't use "dosym -r",
# because ebuild has EAPI 7, while "dosym -r" is supported only
# since EAPI 8.
#
# dosym -r /usr/share/flatcar/etc/tcsd.conf /usr/share/trousers/tcsd.conf
ln -sTr "${ED}/usr/share/flatcar/etc/tcsd.conf" "${ED}/usr/share/trousers/tcsd.conf" || die
insinto /usr/share/flatcar/etc
newins - tcsd.conf
}
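Review bot: The new `trousers.conf` tmpfiles snippet carries only the `system.data` copy line, while the file removed in this commit also had `d /var/lib/tpm 0755 tss tss - -` and `C /etc/tcsd.conf 0640 root tss - /usr/share/trousers/tcsd.conf`. The 0.3.14 patch deleted here shows tcsd refusing a config that is not owned by root, group tss and mode 0640; assuming the newer release keeps that check, whatever now provisions `/etc/tcsd.conf` and `/var/lib/tpm` has to reproduce that ownership and mode, and nothing in this hook does. Please confirm that the upstream ebuild or the `/usr/share/flatcar/etc` mechanism covers both, or add the two lines back to the here-document. Separately, `newins - system.data <<<"/"` deserves a comment saying why the seed file's content is a single `/`.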


@ -1,5 +1,7 @@
# A hack to avoid rehashing certs in a nonexistent directory.
flatcar_hacked_openssl=$(command -v openssl)
if [[ -z ${flatcar_hacked_openssl:-} ]]; then
flatcar_hacked_openssl=$(command -v openssl)
fi
openssl() {
if [[ ${#} -gt 0 && ${1} = 'rehash' ]]; then
return;
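Review bot: The new guard around `flatcar_hacked_openssl=$(command -v openssl)` has no comment saying why it is needed, and `command -v` is a fragile way to find the binary here: once the `openssl()` wrapper is defined it returns the function name, so a second sourcing without the guard would make the wrapper call itself. Consider `flatcar_hacked_openssl=$(type -P openssl)`, which searches PATH only, plus a comment such as `# resolve the real binary once; this file may be sourced again after the wrapper exists`. The guard also trusts any `flatcar_hacked_openssl` value already present in the environment, which is worth stating in that comment. The same pattern is added for `fowners`, `eselect`, `rm` and `systemd-tmpfiles` in later sections, and the body of `openssl()` continues outside this hunk.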


@ -0,0 +1,16 @@
# Hacks to build bsdiff that now requires linking both bsdiff.o and
# sais.o to produce an executable. The original required only bsdiff.o
# - sais.o is a result of compiling a third-party code we added in our
# user patches. We replace bsdiff.c with a simple source file, so
# src_compile succeeds. In post hook we build actual bsdiff.
cros_pre_src_compile_bsdiff_flatcar_modifications() {
mv bsdiff.c "${T}/bsdiff.c"
echo "int main(void) { return 0; }" >bsdiff.c
}
cros_post_src_compile_bsdiff_flatcar_modifications() {
rm bsdiff bsdiff.c || die
mv "${T}/bsdiff.c" bsdiff.c || die
edo $(tc-getCC) ${CPPFLAGS} ${CFLAGS} ${LDFLAGS} -o bsdiff bsdiff.c sais.c -lbz2
}
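Review bot: In `cros_pre_src_compile_bsdiff_flatcar_modifications` neither `mv bsdiff.c "${T}/bsdiff.c"` nor `echo "int main(void) { return 0; }" >bsdiff.c` is followed by `|| die`, unlike the commands in the post hook; if the move fails, the stub overwrites the real source and the build only stops later at the restore step. Add `|| die` to both lines. The post hook also relies on `edo` and `tc-getCC`, so a comment like `# needs edo and toolchain-funcs eclasses to be inherited by the ebuild` would match the note the logrotate hook carries for the systemd eclass.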


@ -22,12 +22,14 @@ unset ndb_install_mask
# only files that this happens for are files that we have put into
# {PKG_,}INSTALL_MASK. This will help us avoid installing
# acct-user/named and acct-user/group.
fowners_script=$(command -v fowners)
if [[ -z ${flatcar_hacked_fowners:-} ]]; then
flatcar_hacked_fowners=$(command -v fowners)
fi
fowners() {
if [[ ${#} -gt 0 && ( ${1} = named:* || ${1} = *:named ) ]]; then
return 0
fi
"${fowners_script}" "${@}"
"${flatcar_hacked_fowners}" "${@}"
}
# The pkg_postinst phase function wants to generate an rndc.key file


@ -0,0 +1,13 @@
# A hack to set ebtables to xtables-nft-multi instead of
# ebtables-legacy.
if [[ -z ${flatcar_hacked_eselect:-} ]]; then
flatcar_hacked_eselect=$(command -v eselect)
fi
eselect() {
if [[ ${#} -gt 2 && ${1} = 'ebtables' && ${2} = 'set' && ${3} = 'ebtables-legacy' ]]; then
elog "Ackchyually, we are setting it to xtables-nft-multi"
"${flatcar_hacked_eselect}" ebtables set xtables-nft-multi
else
"${flatcar_hacked_eselect}" "${@}"
fi
}
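Review bot: The `eselect` wrapper rewrites the call only when the arguments are exactly `ebtables set ebtables-legacy`; any other form the upstream ebuild might adopt later falls through to the real `eselect` unchanged, and the legacy backend would then be selected without any build failure. A check after the eselect step that the active target is `xtables-nft-multi`, failing the build otherwise, would make that drift visible; where the check belongs depends on the phase that calls eselect, which is not shown here. The `elog` text would also read better as a plain statement, e.g. `elog "Overriding ebtables-legacy with xtables-nft-multi"`. The iptables wrapper in the next section matches `xtables-legacy-multi` the same way.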


@ -0,0 +1,56 @@
# A hack to avoid removing ebtables binaries
if [[ -z ${flatcar_hacked_rm:-} ]]; then
flatcar_hacked_rm=$(command -v rm)
fi
rm() {
local -a new_f=()
local f
for f; do
if [[ ${f} != */sbin/ebtables* ]]; then
new_f+=( "${f}" )
fi
done
"${flatcar_hacked_rm}" "${new_f[@]}"
}
# A hack to set iptables to xtables-nft-multi instead of
# xtables-legacy-multi, and to avoid tinkering with arptables.
if [[ -z ${flatcar_hacked_eselect:-} ]]; then
flatcar_hacked_eselect=$(command -v eselect)
fi
eselect() {
if [[ ${#} -gt 2 && ${1} = 'iptables' && ${2} = 'set' && ${3} = 'xtables-legacy-multi' ]]; then
elog "Ackchyually, we are setting it to xtables-nft-multi"
"${flatcar_hacked_eselect}" iptables set xtables-nft-multi
elif [[ ${#} -gt 1 && ${1} = 'arptables' && ${2} = 'show' ]]; then
# Nothing to do, we will just return success, so ebuild will
# not be doing anything with arptables
:
else
"${flatcar_hacked_eselect}" "${@}"
fi
}
cros_post_src_install_iptables_flatcar_modifications() {
# Drop the rest of the arptables binaries.
rm "${ED}"/sbin/arptables-{translate,nft{,-{save,restore}}} || die
# Gentoo upstream dropped the iptables & ip6tables services but we
# continue to ship them.
systemd_newunit - ip6tables.service <<EOF
[Unit]
Description=Store and restore ip6tables firewall rules
[Install]
Also=ip6tables-store.service
Also=ip6tables-restore.service
EOF
systemd_newunit - iptables.service <<EOF
[Unit]
Description=Store and restore iptables firewall rules
[Install]
Also=iptables-store.service
Also=iptables-restore.service
EOF
}
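Review bot: The `rm` wrapper runs the real `rm` even when every operand was filtered out, so a call whose only operands match `*/sbin/ebtables*` ends up as `rm` with no operands and fails, which would trip a following `|| die`. Guarding the call, `if [[ ${#new_f[@]} -gt 0 ]]; then "${flatcar_hacked_rm}" "${new_f[@]}"; fi`, avoids that. A comment noting that the wrapper also applies to the hook's own `rm "${ED}"/sbin/arptables-…` call, and that it skips any path containing `/sbin/ebtables`, would help the next reader. The two `systemd_newunit` here-documents use an unquoted `<<EOF` while the other hooks in this commit use `<<'EOF'`; quoting them keeps a later `$` in the unit text from being expanded by the shell.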


@ -0,0 +1,5 @@
nftables_install_mask=" /usr/libexec/nftables /var/lib/nftables /usr/lib/systemd/system/nftables-restore.service "
INSTALL_MASK+=${nftables_install_mask}
PKG_INSTALL_MASK+=${nftables_install_mask}
unset nftables_install_mask
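Review bot: The nftables mask has no comment saying why `/usr/libexec/nftables`, `/var/lib/nftables` and `nftables-restore.service` are dropped, while the ntp, openssh and audit masks in this commit each explain themselves. Masking the restore unit presumably means this package no longer ships a way to load saved firewall rules at boot, so a reader needs to know what is expected to do that instead. A short comment above the assignment would cover it, along the lines of `# Do not install Gentoo's rule save/restore helper, state dir and unit; <what replaces them>`. The `nfs_utils_install_mask` for `/etc/exports` could get the same.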


@ -0,0 +1,32 @@
nfs_utils_install_mask=" /etc/exports /etc/exports.d "
INSTALL_MASK+=${nfs_utils_install_mask}
PKG_INSTALL_MASK+=${nfs_utils_install_mask}
unset nfs_utils_install_mask
cros_post_src_install_nfs_utils_flatcar_modifications() {
(
insopts -m 0644
insinto /usr/lib/tmpfiles.d
newins - nfs-utils.conf <<'EOF'
d /var/lib/nfs/rpc_pipefs
d /var/lib/nfs/v4recovery
d /var/lib/nfs/v4root
C /var/lib/nfs/etab - - - - /usr/lib64/nfs/etab
C /var/lib/nfs/rmtab - - - - /usr/lib64/nfs/rmtab
C /var/lib/nfs/sm - - - - /usr/lib64/nfs/sm
C /var/lib/nfs/sm.bak - - - - /usr/lib64/nfs/sm.bak
C /var/lib/nfs/state - - - - /usr/lib64/nfs/state
C /var/lib/nfs/xtab - - - - /usr/lib64/nfs/xtab
EOF
)
# Provide an empty xtab for compatibility with the old tmpfiles config.
touch "${ED}"/usr/$(get_libdir)/nfs/xtab
# Maintain compatibility with the old gentoo systemd unit names,
# since nfs-utils has units upstream now.
dosym nfs-server.service "$(systemd_get_systemunitdir)"/nfsd.service
dosym nfs-idmapd.service "$(systemd_get_systemunitdir)"/rpc-idmapd.service
dosym nfs-mountd.service "$(systemd_get_systemunitdir)"/rpc-mountd.service
}
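Review bot: `touch "${ED}"/usr/$(get_libdir)/nfs/xtab` has no `|| die`, so if the directory is missing the hook carries on and the `C /var/lib/nfs/xtab` tmpfiles line is left without a source to copy. `touch "${ED}/usr/$(get_libdir)/nfs/xtab" || die` makes that failure visible. The same applies to the two `mv` calls around `${T}/net` in the samba hook, where a failed first `mv` is followed by `rm -f "${ED}/usr/bin/"*`, and to the `mv` in `cros_post_src_install_set_up_var_lib_selinux`. Separately, the tmpfiles here-document hard-codes `/usr/lib64/nfs` while the `touch` uses `$(get_libdir)`; the two should agree.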


@ -0,0 +1,34 @@
# A hack to ignore processing of samba.conf tmpfiles config file.
if [[ -z ${flatcar_hacked_systemd_tmpfiles:-} ]]; then
flatcar_hacked_systemd_tmpfiles=$(command -v systemd-tmpfiles)
fi
systemd-tmpfiles() {
local -a args=()
local f has_config_file=''
for f; do
if [[ ${f} != samba.conf ]]; then
args+=( "${f}" )
if [[ ${f} = *.conf ]]; then
has_config_file=x
fi
fi
done
if [[ -n ${has_config_file} ]]; then
"${flatcar_hacked_systemd_tmpfiles}" "${args[@]}"
fi
}
cros_post_src_install_samba_flatcar_modifications() {
# clean up unnecessary files
rm -f "${ED}/usr/lib/tmpfiles.d/samba.conf"
rm -f "${ED}/etc/samba/"*
rm -f "${ED}/usr/$(get_libdir)/samba/ldb/"*
mv "${ED}/usr/bin/net" "${T}/net"
rm -f "${ED}/usr/bin/"* "${ED}/usr/sbin/"*
mv "${T}/net" "${ED}/usr/bin/net"
rm -rf "${ED}/$(get_libdir)/security"
rm -rf "${ED}/usr/lib/systemd"
rm -rf "${ED}/usr/$(get_libdir)/perl"*
rm -rf "${ED}/usr/$(get_libdir)/python"*
rm -rf "${ED}/var"
}
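Review bot: The `systemd-tmpfiles` wrapper skips the real binary whenever no `*.conf` argument remains, including calls that never named `samba.conf` in the first place (for example an invocation with options only). Tracking whether `samba.conf` was actually dropped leaves other calls untouched: set a flag such as `dropped=x` in an `else` branch of the filter and test `if [[ -z ${dropped} || -n ${has_config_file} ]]; then` before the call. The dbus hook carries a copy of this wrapper for `dbus.conf` and behaves the same way. Whether the ebuild ever makes such a call is not visible from this hunk.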


@ -1,9 +1,15 @@
ntp_install_mask=''
# Do not install ntpdate or sntp systemd files in /etc.
INSTALL_MASK+=" /etc/systemd"
ntp_install_mask+=" /etc/systemd"
# Do not install the default ntp.conf, we provide our own in
# coreos-base/misc-files.
INSTALL_MASK+=" /etc/ntp.conf"
ntp_install_mask+=" /etc/ntp.conf"
# Do not install perl scripts to /usr/bin.
INSTALL_MASK+=" /usr/bin/calc_tickadj /usr/bin/ntp-wait /usr/bin/ntptrace /usr/bin/update-leap"
ntp_install_mask+=" /usr/bin/calc_tickadj /usr/bin/ntp-wait /usr/bin/ntptrace /usr/bin/update-leap"
# Do not install perl package to /usr/share/ntp.
INSTALL_MASK+=" /usr/share/ntp"
ntp_install_mask+=" /usr/share/ntp"
ntp_install_mask+=' '
INSTALL_MASK+=${ntp_install_mask}
PKG_INSTALL_MASK+=${ntp_install_mask}
unset ntp_install_mask


@ -3,8 +3,8 @@
# Do not install the config snippet that defines a subsystem. We have
# our own definition in coreos-init.
if [[ $(cros_target) != "cros_host" ]] ; then
openssh_mask="/usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf"
PKG_INSTALL_MASK+=" ${openssh_mask}"
INSTALL_MASK+=" ${openssh_mask}"
openssh_mask=" /usr/lib*/misc/ssh-keysign /etc/ssh/sshd_config.d/*gentoo-subsystem.conf "
PKG_INSTALL_MASK+="${openssh_mask}"
INSTALL_MASK+="${openssh_mask}"
unset openssh_mask
fi


@ -0,0 +1,41 @@
# A hack to ignore processing of dbus.conf tmpfiles config file.
if [[ -z ${flatcar_hacked_systemd_tmpfiles:-} ]]; then
flatcar_hacked_systemd_tmpfiles=$(command -v systemd-tmpfiles)
fi
systemd-tmpfiles() {
local -a args=()
local f has_config_file=''
for f; do
if [[ ${f} != dbus.conf ]]; then
args+=( "${f}" )
if [[ ${f} = *.conf ]]; then
has_config_file=x
fi
fi
done
if [[ -n ${has_config_file} ]]; then
"${flatcar_hacked_systemd_tmpfiles}" "${args[@]}"
fi
}
# Hacks to avoid generating /etc/machine-id - we do it elsewhere, on
# our own.
if [[ -z ${flatcar_hacked_dbus_uuidgen:-} ]]; then
flatcar_hacked_dbus_uuidgen=$(command -v dbus-uuidgen)
fi
dbus-uuidgen() {
if [[ ${1:-} = "--ensure=${EROOT}/etc/machine-id" ]]; then
return 0
fi
"${flatcar_hacked_dbus_uuidgen}" "${@}"
}
if [[ -z ${flatcar_hacked_ln:-} ]]; then
flatcar_hacked_ln=$(command -v ln)
fi
ln() {
if [[ ${1:-} = '-sf' && ${2:-} = "${EPREFIX}"/etc/machine-id && ${3:-} = "${EROOT}"/var/lib/dbus/machine-id ]]; then
return 0
fi
"${flatcar_hacked_ln}" "${@}"
}
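Review bot: The `dbus-uuidgen()` and `ln()` wrappers each match one exact argument list, so a change in how the ebuild spells these calls (say `-snf` instead of `-sf`) makes them fall through without any sign, and a machine-id could then be generated under `${EROOT}`. A machine-id baked into an image is shared by every instance booted from it. Logging on the intercepted branch, as the `eselect` wrappers in this commit do with `elog`, makes a missed match noticeable in the build log: `elog "Skipping dbus-uuidgen --ensure for ${EROOT}/etc/machine-id"`, and similarly in `ln()`. A comment in each wrapper quoting the ebuild line it mirrors would also help whoever updates the package next.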


@ -0,0 +1,10 @@
cros_post_src_install_keyutils_flatcar_modifications() {
# install a symlink for backward compatibility, can't use "dosym
# -r", because ebuild has EAPI 7, while "dosym -r" is supported
# only since EAPI 8.
#
# dosym -r /usr/share/flatcar/etc/request-key.conf /usr/share/keyutils/request-key.conf
ln -sTr "${ED}/usr/share/flatcar/etc/request-key.conf" "${ED}/usr/share/keyutils/request-key.conf" || die
insinto /usr/share/flatcar/etc
newins - request-key.conf
}
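Review bot: `newins - request-key.conf` reads the file body from standard input, but the call has no here-document or redirection, so the content is whatever the phase's stdin yields (presumably nothing). If an empty file is intended, saying so removes that dependency: `newins - request-key.conf </dev/null`, plus a comment that the file is a placeholder. The shadow hook has the same pattern in `newins - "${f}"` and `newins - useradd`. The symlink is also created before its target is installed, which works with `ln -sr` but reads more naturally the other way round.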


@ -1 +1,4 @@
INSTALL_MASK+=" /etc/lsb-release"
lsb_release_install_mask=" /etc/lsb-release "
INSTALL_MASK+="${lsb_release_install_mask}"
PKG_INSTALL_MASK+="${lsb_release_install_mask}"
unset lsb_release_install_mask


@ -0,0 +1,16 @@
# sys-apps/policycoreutils creates /var/lib/selinux directory in
# src_install and then needs it to be available when running
# pkg_postinst, because it does a policy module rebuild there. We
# initially have put /var/lib/selinux into INSTALL_MASK and told
# coreos-base/misc-files to install the directory at
# /usr/lib/selinux/policy together with a symlink at /var/lib/selinux
# pointing to the directory. But this is done too late - at
# sys-apps/policycoreutils' pkg_postinst time, /var/lib/selinux does
# not exist, because coreos-base/misc-files was not yet emerged. So we
# need to fall back to this hack, where we set up /var/lib/selinux and
# /usr/lib/selinux/policy the way we want.
cros_post_src_install_set_up_var_lib_selinux() {
dodir /usr/lib/selinux
mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy"
dosym -r /usr/lib/selinux/policy /var/lib/selinux
}


@ -0,0 +1,75 @@
cros_post_src_install_shadow_flatcar_modifications() {
(
insopts -m 0644
insinto /usr/lib/tmpfiles.d
newins - var-shadow.conf <<'EOF'
f /var/log/faillog - - - - -
EOF
)
local f
# install these for backward compatibility
for f in 'securetty' 'login.defs'; do
dosym -r "/usr/share/flatcar/etc/${f}" "/usr/share/shadow/${f}"
insinto /usr/share/flatcar/etc
newins - "${f}"
done
dosym -r /usr/share/flatcar/etc/default/useradd /usr/share/shadow/useradd
insinto /usr/share/flatcar/etc/default
newins - useradd
# Install our own securetty file with additional arch-specific cruft
local devs=''
case $(tc-arch) in
ppc*)
devs="hvc0 hvsi0 ttyPSC0";;
hppa)
devs="ttyB0";;
arm)
devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";;
sh)
devs="ttySC0 ttySC1";;
amd64|x86)
devs="hvc0";;
esac
insopts -m0600
insinto /etc/
newins - securetty <<EOF
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
vc/0
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
vc/12
tty0
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12
tts/0
ttyS0
${devs}
EOF
}
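Review bot: In the `/etc/securetty` here-document `${devs}` expands on a single line, but the file lists one terminal per line, so for the multi-name cases (`ppc*`, `arm`, `sh`) the space-separated names become one entry that matches no device. This fails closed (root login on those terminals is refused), and the `amd64|x86` case holds a single name, so the effect only shows on the other architectures. Emitting one name per line fixes it: replace the `${devs}` line with `$(printf '%s\n' ${devs})`.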


@ -50,5 +50,7 @@ cros_post_src_install_sbat() {
# Flatcar does not use grub-install or grub-mkconfig. All the files under /etc
# relate to grub-mkconfig.
INSTALL_MASK+=" ${EPREFIX}/etc/ *grub-install* *mkconfig*"
PKG_INSTALL_MASK+=" ${EPREFIX}/etc/ *grub-install* *mkconfig*"
grub_install_mask=" ${EPREFIX}/etc/ *grub-install* *mkconfig* "
INSTALL_MASK+="${grub_install_mask}"
PKG_INSTALL_MASK+="${grub_install_mask}"
unset grub_install_mask


@ -0,0 +1,37 @@
cros_post_src_install_mdadm_flatcar_modifications() {
# Use systemd timers instead of cron.
rm "${ED}/etc/cron.weekly/mdadm" || die
rmdir "${ED}/etc/cron.weekly" || die
systemd_newunit - mdadm.service <<'EOF'
[Unit]
Description=Initiates a check run of an MD array's redundancy information.
[Service]
Type=oneshot
ExecStart=/usr/sbin/checkarray --cron --all --idle --quiet
EOF
systemd_newunit - mdadm.timer <<'EOF'
[Unit]
Description=Weekly check for MD array's redundancy information.
[Install]
WantedBy=timers.target
[Timer]
OnCalendar=weekly
Persistent=true
EOF
systemd_enable_service timers.target mdadm.timer
# Add --syslog parameter to mdadm in monitoring mode.
systemd_install_dropin mdmonitor.service - <<'EOF'
# We want to log the monitoring events to journal, so we need to pass
# --syslog. The original ExecStart line we want to override is:
#
# ExecStart=/usr/sbin/mdadm --monitor --scan
[Service]
ExecStart=
ExecStart=/usr/sbin/mdadm --monitor --scan --syslog
EOF
}


@ -1,7 +1,9 @@
# A terrible hack to actually strip our binaries. We want to make
# "dostrip -x /" a no-op, otherwise pass everything to the original
# dostrip.
eval "$(echo 'flatcar_hacked_dostrip()'; declare -pf dostrip | tail -n + 2)"
if ! declare -pf flatcar_hacked_dostrip >/dev/null 2>&1; then
eval "$(echo 'flatcar_hacked_dostrip()'; declare -pf dostrip | tail -n +2)"
fi
dostrip() {
if [[ ${#} = 2 && ${1} = '-x' && ${2} = '/' ]]; then
return


@ -0,0 +1,4 @@
cros_post_src_install_timezone_data_flatcar_modifications() {
# install the symlink by hand to not break existing timezones
dosym . /usr/share/zoneinfo/posix
}


@ -1,11 +1,7 @@
# Do not install Gentoo-provided audit rules, we will install our own
# in coreos-base/misc-files. Also skip installing legacy initscripts
# stuff in /usr/libexec.
INSTALL_MASK+="
/etc/audit/audit.rules*
/usr/libexec
"
PKG_INSTALL_MASK+="
/etc/audit/audit.rules*
/usr/libexec
"
audit_install_mask=" /etc/audit/audit.rules* /usr/libexec "
INSTALL_MASK+="${audit_install_mask}"
PKG_INSTALL_MASK+="${audit_install_mask}"
unset audit_install_mask


@ -0,0 +1,24 @@
About `0001-convert-to-sais-lite-suffix-sort.patch` - see the message
at the top of the patch.
About `0002-CVE-2020-14315.patch`:
Originally the security issue was published as
[FreeBSD-SA-16:29](https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc),
which pointed to a FreeBSD
[patch](https://security.freebsd.org/patches/SA-16:29/bspatch.patch).
However, the patch was a set of huge changes including other unrelated
changes. That's why it was not simple at all to apply the patch to
bsdiff. Both Gentoo and Flatcar have not included the fix.
Fortunately X41 D-SEC
[examined](https://www.x41-dsec.de/security/news/working/research/2020/07/15/bspatch/)
the issue again, and nailed down to a simple patch that can be easily
applied to other trees. We simply take the patch with minimal changes.
See also
[CVE-2020-14315](https://nvd.nist.gov/vuln/detail/CVE-2020-14315).
Neither of the patches are unlikely to be applied to upstream, so we
will carry those indefinitely.


@ -1 +0,0 @@
DIST iptables-1.8.8.tar.bz2 746985 BLAKE2B 0da021cc7313b86af331768904956dab3eee3de245a7b03965129f3d7f13097fc03fbb1390167dcd971eff216eabad9e59b261a9c0f54bfc48a77453aa40d164 SHA512 f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59


@ -1,24 +0,0 @@
From ee4fc7c558d9eb9c37035250046d4eac9af3fa28 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Thu, 27 Dec 2018 23:47:33 +0100
Subject: [PATCH] Fix link errors for USE="conntrack static-libs" (bug #586106)
---
iptables/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 581dc32..2c3db86 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -26,6 +26,7 @@ xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
endif
xtables_legacy_multi_SOURCES += xshared.c
xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
+xtables_legacy_multi_LDADD += ${libnetfilter_conntrack_LIBS}
# iptables using nf_tables api
if ENABLE_NFTABLES
--
2.19.1


@ -1,21 +0,0 @@
https://git.netfilter.org/iptables/commit/?id=b72eb12ea5a61df0655ad99d5048994e916be83a
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 May 2022 16:51:58 +0200
Subject: xshared: Fix build for -Werror=format-security
Gcc complains about the omitted format string.
Signed-off-by: Phil Sutter <phil@nwl.cc>
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
return;
if (args->family != NFPROTO_ARP)
- xtables_error(PARAMETER_PROBLEM, msg);
+ xtables_error(PARAMETER_PROBLEM, "%s", msg);
fprintf(stderr, "%s", msg);
}
cgit v1.2.3


@ -1,59 +0,0 @@
https://git.netfilter.org/iptables/commit/?id=0e7cf0ad306cdf95dc3c28d15a254532206a888e
https://bugs.gentoo.org/846377
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 18 May 2022 16:04:09 +0200
Subject: Revert "fix build for missing ETH_ALEN definition"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit c5d9a723b5159a28f547b577711787295a14fd84 as it broke
compiling against musl libc. Might be a bug in the latter, but for the
time being try to please both by avoiding the include and instead
defining ETH_ALEN if unset.
While being at it, move netinet/ether.h include up.
Fixes: 1bdb5535f561a ("libxtables: Extend MAC address printing/parsing support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Maciej Żenczykowski <maze@google.com>
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -28,6 +28,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <netinet/ether.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/statfs.h>
@@ -45,7 +46,6 @@
#include <xtables.h>
#include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
-#include <linux/if_ether.h> /* ETH_ALEN */
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <libiptc/libxtc.h>
@@ -72,6 +72,10 @@
#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
#endif
+#ifndef ETH_ALEN
+#define ETH_ALEN 6
+#endif
+
/* we need this for ip6?tables-restore. ip6?tables-restore.c sets line to the
* current line of the input file, in order to give a more precise error
* message. ip6?tables itself doesn't need this, so it is initialized to the
@@ -2245,8 +2249,6 @@ void xtables_print_num(uint64_t number, unsigned int format)
printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
}
-#include <netinet/ether.h>
-
static const unsigned char mac_type_unicast[ETH_ALEN] = {};
static const unsigned char msk_type_unicast[ETH_ALEN] = {1};
static const unsigned char mac_type_multicast[ETH_ALEN] = {1};
cgit v1.2.3


@ -1,26 +0,0 @@
https://git.netfilter.org/iptables/commit/?id=0ebf52fc951b2a4d98a166afb34af4f364bbeece
From: Ben Brown <ben@demerara.io>
Date: Wed, 25 May 2022 16:26:13 +0100
Subject: build: Fix error during out of tree build
Fixes the following error:
../../libxtables/xtables.c:52:10: fatal error: libiptc/linux_list.h: No such file or directory
52 | #include <libiptc/linux_list.h>
Fixes: f58b0d7406451 ("libxtables: Implement notargets hash table")
Signed-off-by: Ben Brown <ben@demerara.io>
Signed-off-by: Phil Sutter <phil@nwl.cc>
--- a/libxtables/Makefile.am
+++ b/libxtables/Makefile.am
@@ -1,7 +1,7 @@
# -*- Makefile -*-
AM_CFLAGS = ${regular_CFLAGS}
-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS}
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS}
lib_LTLIBRARIES = libxtables.la
libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c
cgit v1.2.3


@ -1,135 +0,0 @@
https://git.netfilter.org/iptables/commit/?id=f319389525b066b7dc6d389c88f16a0df3b8f189
From: Nick Hainke <vincent@systemli.org>
Date: Mon, 16 May 2022 18:16:41 +0200
Subject: treewide: use uint* instead of u_int*
Gcc complains about missing types. Some commits introduced u_int* instead
of uint*. Use uint treewide.
Fixes errors in the form of:
In file included from xtables-legacy-multi.c:5:
xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
| ^~~~~~~~~
| uint16_t
make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
Avoid libipq API breakage by adjusting libipq.h include accordingly. For
arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
Signed-off-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -778,7 +778,7 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric,
static void
conntrack_dump_ports(const char *prefix, const char *opt,
- u_int16_t port_low, u_int16_t port_high)
+ uint16_t port_low, uint16_t port_high)
{
if (port_high == 0 || port_low == port_high)
printf(" %s%s %u", prefix, opt, port_low);
--- a/include/libipq/libipq.h
+++ b/include/libipq/libipq.h
@@ -24,7 +24,7 @@
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
-#include <sys/types.h>
+#include <stdint.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <asm/types.h>
@@ -48,19 +48,19 @@ typedef unsigned long ipq_id_t;
struct ipq_handle
{
int fd;
- u_int8_t blocking;
+ uint8_t blocking;
struct sockaddr_nl local;
struct sockaddr_nl peer;
};
-struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol);
+struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol);
int ipq_destroy_handle(struct ipq_handle *h);
ssize_t ipq_read(const struct ipq_handle *h,
unsigned char *buf, size_t len, int timeout);
-int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len);
+int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len);
ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
--- a/include/libiptc/libxtc.h
+++ b/include/libiptc/libxtc.h
@@ -10,7 +10,7 @@ extern "C" {
#endif
#ifndef XT_MIN_ALIGN
-/* xt_entry has pointers and u_int64_t's in it, so if you align to
+/* xt_entry has pointers and uint64_t's in it, so if you align to
it, you'll also align to any crazy matches and targets someone
might write */
#define XT_MIN_ALIGN (__alignof__(struct xt_entry))
--- a/include/linux/netfilter_arp/arpt_mangle.h
+++ b/include/linux/netfilter_arp/arpt_mangle.h
@@ -13,7 +13,7 @@ struct arpt_mangle
union {
struct in_addr tgt_ip;
} u_t;
- u_int8_t flags;
+ __u8 flags;
int target;
};
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1025,7 +1025,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] =
};
void
-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
bool invert)
{
if (*options & option)
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -80,7 +80,7 @@ struct xtables_target;
#define IPT_INV_ARPHRD 0x0800
void
-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
bool invert);
/**
--- a/libipq/ipq_create_handle.3
+++ b/libipq/ipq_create_handle.3
@@ -24,7 +24,7 @@ ipq_create_handle, ipq_destroy_handle \(em create and destroy libipq handles.
.br
.B #include <libipq.h>
.sp
-.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
+.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");"
.br
.BI "int ipq_destroy_handle(struct ipq_handle *" h );
.SH DESCRIPTION
--- a/libipq/ipq_set_mode.3
+++ b/libipq/ipq_set_mode.3
@@ -24,7 +24,7 @@ ipq_set_mode \(em set the ip_queue queuing mode
.br
.B #include <libipq.h>
.sp
-.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
+.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range );
.SH DESCRIPTION
The
.B ipq_set_mode
cgit v1.2.3


@ -1,6 +0,0 @@
[Unit]
Description=Store and restore ip6tables firewall rules
[Install]
Also=ip6tables-store.service
Also=ip6tables-restore.service


@ -1,6 +0,0 @@
[Unit]
Description=Store and restore iptables firewall rules
[Install]
Also=iptables-store.service
Also=iptables-restore.service


@ -1 +0,0 @@
DIST nftables-0.9.9.tar.bz2 922624 BLAKE2B 8de2709576a26ca84a8d694f7cb06cad2bb2fb4671ba21ffc32c0d5997e8124ae7cd794dafddf4db48d8a49c280b48b07d2a31b6c18f6647fdb67cfe7f065b61 SHA512 dfdd3ffc0ffc1742ca0494a3f8fac1c7b2fe942849e60d33fc3cb8a51e27bd39e1ccfeda2195191377a32bb5363ea244f4c3e71b4a6d930f33bf87e17a534fab


@ -1,13 +0,0 @@
This fixes build with sys-devel/slibtool
--- nftables-0.9.8/src/Makefile.am
+++ nftables-0.9.8/src/Makefile.am
@@ -90,7 +90,7 @@
libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la
libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \
- --version-script=$(srcdir)/libnftables.map
+ -Wl,--version-script=$(srcdir)/libnftables.map
if BUILD_MINIGMP
noinst_LTLIBRARIES += libminigmp.la


@ -1,121 +0,0 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
PYTHON_COMPAT=( python3_{6..11} )
inherit autotools linux-info python-r1 systemd
DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
HOMEPAGE="https://netfilter.org/projects/nftables/"
if [[ ${PV} =~ ^[9]{4,}$ ]]; then
inherit git-r3
EGIT_REPO_URI="https://git.netfilter.org/${PN}"
BDEPEND="
sys-devel/bison
sys-devel/flex
"
else
SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2"
KEYWORDS="amd64 arm arm64 ~ia64 ppc ~ppc64 ~riscv sparc x86"
fi
LICENSE="GPL-2"
SLOT="0/1"
IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs xtables"
RDEPEND="
>=net-libs/libmnl-1.0.4:0=
>=net-libs/libnftnl-1.2.0:0=
gmp? ( dev-libs/gmp:0= )
json? ( dev-libs/jansson:= )
python? ( ${PYTHON_DEPS} )
readline? ( sys-libs/readline:0= )
xtables? ( >=net-firewall/iptables-1.6.1 )
"
DEPEND="${RDEPEND}"
BDEPEND+="
doc? (
app-text/asciidoc
>=app-text/docbook2X-0.8.8-r4
)
virtual/pkgconfig
"
REQUIRED_USE="
python? ( ${PYTHON_REQUIRED_USE} )
libedit? ( !readline )
"
PATCHES=(
"${FILESDIR}/${PN}-0.9.8-slibtool.patch"
)
python_make() {
emake \
-C py \
abs_builddir="${S}" \
DESTDIR="${D}" \
PYTHON_BIN="${PYTHON}" \
"${@}"
}
pkg_setup() {
if kernel_is ge 3 13; then
if use modern-kernel && kernel_is lt 3 18; then
eerror "The modern-kernel USE flag requires kernel version 3.18 or newer to work properly."
fi
CONFIG_CHECK="~NF_TABLES"
linux-info_pkg_setup
else
eerror "This package requires kernel version 3.13 or newer to work properly."
fi
}
src_prepare() {
default
# fix installation path for doc stuff
sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
-i files/nftables/Makefile.am || die
sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
-i files/osf/Makefile.am || die
eautoreconf
}
src_configure() {
local myeconfargs=(
# We handle python separately
--disable-python
--sbindir="${EPREFIX}"/sbin
--sysconfdir="${EPREFIX}"/usr/share
$(use_enable debug)
$(use_enable doc man-doc)
$(use_with !gmp mini_gmp)
$(use_with json)
$(use_with libedit cli editline)
$(use_with readline cli readline)
$(use_enable static-libs static)
$(use_with xtables)
)
econf "${myeconfargs[@]}"
}
src_compile() {
default
if use python; then
python_foreach_impl python_make
fi
}
src_install() {
default
find "${ED}" -type f -name "*.la" -delete || die
}


@ -1 +0,0 @@
DIST nfs-utils-2.5.4.tar.bz2 943373 BLAKE2B 72ed871613701f5b035941a7aed957771fe3b6a19fefee203130442c292bbbefde35721f2287fef19046d2d837faeda43b06a93a5acdb8ac6240eef90e6dd12c SHA512 b1395c5b06a06246666c48174594b1e08b71cf40b8f94b533497bd92625401a669e2c40e48dbd665891ad2247bc94d7d604d0c5d0f0b66bfe957b03d42e5d305


@ -1,32 +0,0 @@
https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=feb3dfc7127cf1337530ccb06ed90e818b026a07#patch1
https://bugzilla.redhat.com/show_bug.cgi?id=1979816
https://bugs.gentoo.org/808183
Slightly rebased by sam@ to account for version.h moving around.
From feb3dfc7127cf1337530ccb06ed90e818b026a07 Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Wed, 22 Sep 2021 11:31:56 -0400
Subject: [PATCH] mountd: only do NFSv4 logging on supported kernels.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1979816
Signed-off-by: Steve Dickson <steved@redhat.com>
--- a/support/export/v4clients.c
+++ b/support/export/v4clients.c
@@ -10,6 +10,7 @@
#include <sys/inotify.h>
#include <errno.h>
#include "export.h"
+#include "../../utils/mount/version.h"
/* search.h declares 'struct entry' and nfs_prot.h
* does too. Easiest fix is to trick search.h into
@@ -23,6 +24,8 @@ static int clients_fd = -1;
void v4clients_init(void)
{
+ if (linux_version_code() < MAKE_VERSION(5, 3, 0))
+ return;
if (clients_fd >= 0)
return;
clients_fd = inotify_init1(IN_NONBLOCK);


@ -1,9 +0,0 @@
d /var/lib/nfs/rpc_pipefs
d /var/lib/nfs/v4recovery
d /var/lib/nfs/v4root
C /var/lib/nfs/etab - - - - /usr/lib64/nfs/etab
C /var/lib/nfs/rmtab - - - - /usr/lib64/nfs/rmtab
C /var/lib/nfs/sm - - - - /usr/lib64/nfs/sm
C /var/lib/nfs/sm.bak - - - - /usr/lib64/nfs/sm.bak
C /var/lib/nfs/state - - - - /usr/lib64/nfs/state
C /var/lib/nfs/xtab - - - - /usr/lib64/nfs/xtab


@ -1,21 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<use>
<flag name="junction">Enable NFS junction support in nfsref</flag>
<flag name="ldap">Add ldap support</flag>
<flag name="libmount">Link mount.nfs with libmount</flag>
<flag name="nfsdcld">Enable nfsdcld NFSv4 clientid tracking daemon</flag>
<flag name="nfsidmap">Enable support for newer nfsidmap helper</flag>
<flag name="nfsv4">Enable support for NFSv4</flag>
<flag name="nfsv41">Enable support for NFSv4.1</flag>
<flag name="uuid">Support UUID lookups in rpc.mountd</flag>
</use>
<upstream>
<remote-id type="sourceforge">nfs</remote-id>
</upstream>
</pkgmetadata>


@ -1,170 +0,0 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
TMPFILES_OPTIONAL=1
inherit autotools linux-info systemd tmpfiles
DESCRIPTION="NFS client and server daemons"
HOMEPAGE="http://linux-nfs.org/"
if [[ "${PV}" = *_rc* ]] ; then
MY_PV="$(ver_rs 1- -)"
SRC_URI="http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=snapshot;h=refs/tags/${PN}-${MY_PV};sf=tgz -> ${P}.tar.gz"
S="${WORKDIR}/${PN}-${PN}-${MY_PV}"
else
SRC_URI="mirror://sourceforge/nfs/${P}.tar.bz2"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86"
fi
LICENSE="GPL-2"
SLOT="0"
IUSE="caps ipv6 junction kerberos ldap +libmount nfsdcld +nfsidmap +nfsv4 nfsv41 sasl selinux tcpd +uuid"
REQUIRED_USE="kerberos? ( nfsv4 )"
RESTRICT="test" #315573
# kth-krb doesn't provide the right include
# files, and nfs-utils doesn't build against heimdal either,
# so don't depend on virtual/krb.
# (04 Feb 2005 agriffis)
COMMON_DEPEND="
dev-db/sqlite:3
dev-libs/libxml2
net-libs/libtirpc:=
>=net-nds/rpcbind-0.2.4
sys-fs/e2fsprogs
caps? ( sys-libs/libcap )
ldap? (
net-nds/openldap
sasl? (
app-crypt/mit-krb5
dev-libs/cyrus-sasl:2
)
)
libmount? ( sys-apps/util-linux )
nfsv4? (
dev-libs/libevent:=
>=sys-apps/keyutils-1.5.9:=
kerberos? (
>=net-libs/libtirpc-0.2.4-r1[kerberos]
app-crypt/mit-krb5
)
)
nfsv41? (
sys-fs/lvm2
)
tcpd? ( sys-apps/tcp-wrappers )
uuid? ( sys-apps/util-linux )"
DEPEND="${COMMON_DEPEND}
elibc_musl? ( sys-libs/queue-standalone )
"
RDEPEND="${COMMON_DEPEND}
!net-libs/libnfsidmap
!net-nds/portmap
!<sys-apps/openrc-0.13.9
selinux? (
sec-policy/selinux-rpc
sec-policy/selinux-rpcbind
)
"
BDEPEND="
net-libs/rpcsvc-proto
virtual/pkgconfig
"
PATCHES=(
"${FILESDIR}"/${PN}-2.5.2-no-werror.patch
# Upstream, see bug #808183
"${FILESDIR}"/${P}-kernel-5.3-nfsv4.patch
)
pkg_setup() {
linux-info_pkg_setup
if use nfsv4 && ! use nfsdcld && linux_config_exists && ! linux_chkconfig_present CRYPTO_MD5 ; then
ewarn "Your NFS server will be unable to track clients across server restarts!"
ewarn "Please enable the \"${HILITE}nfsdcld${NORMAL}\" USE flag to install the nfsdcltrack usermode"
ewarn "helper upcall program, or enable ${HILITE}CONFIG_CRYPTO_MD5${NORMAL} in your kernel to"
ewarn "support the legacy, in-kernel client tracker."
fi
}
src_prepare() {
default
sed \
-e "/^sbindir/s:= := \"${EPREFIX}\":g" \
-i utils/*/Makefile.am || die
eautoreconf
}
src_configure() {
export libsqlite3_cv_is_recent=yes # Our DEPEND forces this.
export ac_cv_header_keyutils_h=$(usex nfsidmap)
# SASL is consumed in a purely automagic way
export ac_cv_header_sasl_h=no
export ac_cv_header_sasl_sasl_h=$(usex sasl)
local myeconfargs=(
--disable-static
--with-statedir="${EPREFIX}"/var/lib/nfs
--enable-tirpc
--with-tirpcinclude="${ESYSROOT}"/usr/include/tirpc/
--with-pluginpath="${EPREFIX}"/usr/$(get_libdir)/libnfsidmap
--with-rpcgen
--with-systemd="$(systemd_get_systemunitdir)"
--without-gssglue
$(use_enable caps)
$(use_enable ipv6)
$(use_enable junction)
$(use_enable kerberos gss)
$(use_enable kerberos svcgss)
$(use_enable ldap)
$(use_enable libmount libmount-mount)
$(use_enable nfsdcld nfsdcltrack)
$(use_enable nfsv4)
$(use_enable nfsv41)
$(use_enable uuid)
$(use_with tcpd tcp-wrappers)
)
econf "${myeconfargs[@]}"
}
src_compile() {
# remove compiled files bundled in the tarball
emake clean
default
}
src_install() {
default
rm linux-nfs/Makefile* || die
dodoc -r linux-nfs README
# Don't overwrite existing xtab/etab, install the original
# versions somewhere safe... more info in pkg_postinst
keepdir /var/lib/nfs/{,sm,sm.bak}
mv "${ED}"/var/lib/nfs "${ED}"/usr/$(get_libdir)/ || die
if use nfsv4 && use nfsidmap ; then
insinto /etc
doins support/nfsidmap/idmapd.conf
# Install a config file for idmappers in newer kernels. #415625
insinto /etc/request-key.d
echo 'create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d' > id_resolver.conf
doins id_resolver.conf
fi
dotmpfiles "${FILESDIR}"/nfs-utils.conf
# Provide an empty xtab for compatibility with the old tmpfiles config.
touch "${ED}"/usr/$(get_libdir)/nfs/xtab
# Maintain compatibility with the old gentoo systemd unit names, since nfs-utils has units upstream now.
dosym nfs-server.service "$(systemd_get_systemunitdir)"/nfsd.service
dosym nfs-idmapd.service "$(systemd_get_systemunitdir)"/rpc-idmapd.service
dosym nfs-mountd.service "$(systemd_get_systemunitdir)"/rpc-mountd.service
}


@ -1 +0,0 @@
DIST samba-4.19.7.tar.gz 41851647 BLAKE2B 9bd58363d4cd30f900b286be7c7e172ed0308c4527308d15309a5f3881ba9b1d4c3dd2a37f19d63fdf80a36bd89c9b6001ab2a5aefb724f10721e3a0dc09fa94 SHA512 a837a6255be6268a48c9f41ccad5db040c69b596936a37b011a4c8e3ec68f27ebd1947b86d26b544a7b546ed426dadc450353dff9553698ca4e6e0a3af162ad3


@ -1,2 +0,0 @@
DIST libtirpc-1.3.4.tar.bz2 563292 BLAKE2B 33371e83e9f54e9d6d434b75d3a95bedefce63050846483471e302b1fbb3b63a18db90b652050c43e1c6e42b03e34bafb2fb6ae89787f05af0cf747319825424 SHA512 004e61b5853717324790c46cda5ff227d525909f189194ae72a1ec8f476ca35d7f4c1f03c0fbc690c1696d60a212675b09246dbe627fdbf1a9a47f5664e82b00
DIST libtirpc-glibc-nfs.tar.xz 8948 BLAKE2B 7316623d9f2b6928e296137fe2bf6794b208d549c2ffba9e4a35b47f7b04bf023798a09f38c02d039debf6adc466d7689cf3c8274d71a22eaff08729642c0a28 SHA512 90255bf0a27af16164e0710dd940778609925d473f4343093ff19d98cc4f23023788bf4edf0178eae1961afc0ba8b69b273de95b7d7e2afdb706701d8ba6f7ba


@ -1,7 +0,0 @@
This is a fork of gentoo package. We have it on overlay because:
- We change the NETCONFIG macro value from `"/etc/netconfig"` to
`"/usr/share/tirpc/netconfig"`.
- We update the installation of the netconfig accordingly to the
previous point.


@ -13,6 +13,9 @@
# Needed to address CVE-2025-24965.
=app-containers/crun-1.20 ~amd64 ~arm64
# No stable keywords.
=app-containers/syft-1.18.1 ~amd64 ~arm64
# Seems to be the only available ebuild in portage-stable right now.
=app-crypt/adcli-0.9.2 ~arm64
@ -52,6 +55,9 @@
# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
=dev-libs/luksmeta-9-r1 **
# No arm64 keyword in package.
=dev-util/bsdiff-4.3-r4 **
# Catalyst 4 is not stable yet, but earlier versions are masked now.
=dev-util/catalyst-4.0.0 ~amd64 ~arm64
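Review bot: On the `=dev-util/bsdiff-4.3-r4 **` line in the second hunk, `**` makes portage ignore KEYWORDS altogether, which is wider than the reason given in the comment (`# No arm64 keyword in package.`). If the ebuild is keyworded for another architecture, `=dev-util/bsdiff-4.3-r4 *` (or `~*` if it is only in testing there) would make it visible on arm64 while still requiring that some architecture has keyworded it. The version pin already limits the effect to this one ebuild, so this is a tightening rather than a defect.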


@ -126,7 +126,7 @@ sys-apps/shadow su
sys-apps/util-linux -su
# Enable kerberos support for NFS
net-fs/nfs-utils kerberos nfsv41 nfsv4 junction ldap libmount nfsdcld uuid
net-fs/nfs-utils junction kerberos ldap libmount nfsv3 nfsv4 uuid
net-libs/libtirpc kerberos
# Disable enabled-by-default support for 16-bit and 32-bit characters,
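Review bot: The comment above the `net-fs/nfs-utils` line still reads `# Enable kerberos support for NFS`, but the flag set now does more than that. Going by print order and the direction of this commit, the line containing `nfsv3` is the new one, so NFSv3 support is switched on while `nfsv41` and `nfsdcld` are dropped. NFSv3 typically relies on additional RPC helper services that a v4-only setup does not need, so it should be recorded as a deliberate choice. I would extend the comment, for example `# Enable kerberos support for NFS; nfsv3 is enabled on purpose, nfsv41/nfsdcld were flags of the old overlay ebuild`, adjusted to the actual reason.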


@ -87,26 +87,6 @@ cros_pre_pkg_postinst_no_modifications_of_users() {
export ACCT_USER_NO_MODIFY=x
}
# sys-apps/policycoreutils creates /var/lib/selinux directory in
# src_install and then needs it to be available when running
# pkg_postinst, because it does a policy module rebuild there. We
# initially have put /var/lib/selinux into INSTALL_MASK and told
# coreos-base/misc-files to install the directory at
# /usr/lib/selinux/policy together with a symlink at /var/lib/selinux
# pointing to the directory. But this is done too late - at
# sys-apps/policycoreutils' pkg_postinst time, /var/lib/selinux does
# not exist, because coreos-base/misc-files was not yet emerged. So we
# need to fall back to this hack, where we set up /var/lib/selinux and
# /usr/lib/selinux/policy the way we want.
cros_post_src_install_set_up_var_lib_selinux() {
if [[ ${CATEGORY} != 'sys-apps' ]] || [[ ${PN} != 'policycoreutils' ]]; then
return 0;
fi
dodir /usr/lib/selinux
mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy"
dosym ../../usr/lib/selinux/policy /var/lib/selinux
}
# Source hooks for SLSA build provenance report generation
source "${BASH_SOURCE[0]}.slsa-provenance"


@ -32,8 +32,6 @@ INSTALL_MASK="${INSTALL_MASK}
/etc/dmtab
/etc/e2fsck.conf
/etc/libnl
/etc/logrotate.conf
/etc/logrotate.d
/etc/lvm/*
/etc/mdadm.conf
/etc/rsyncd.conf


@ -24,3 +24,9 @@ sys-process/psmisc-23.7
# Pulled in by app-admin/sudo
dev-lang/perl-5.40.0
# Pulled in by net-fs/samba
dev-lang/perl-5.40.0-r1
dev-libs/icu-76.1-r1
dev-perl/Parse-Yapp-1.210.0-r1
dev-perl/JSON-4.100.0


@ -21,7 +21,7 @@ net-misc/dhcp -server
net-misc/ntp caps
sys-apps/smartmontools -daemon -update-drivedb -systemd
sys-block/parted device-mapper
sys-fs/lvm2 -readline
sys-fs/lvm2 -readline thin lvm
sys-libs/ncurses minimal
sys-libs/pam audit


@ -1 +0,0 @@
DIST dbus-1.14.4.tar.xz 1368196 BLAKE2B 7da5cd8f09eaef7a64f35f8ccbeb81c5687b3fad02d6ac05dd4c232e0f731dbcf4c76c36b615e6216815c8f8631bf9cb32543665440153a1199b1b35922cdda4 SHA512 7c8ce95b8a4c63cf51cc9f10bebbc19e66d6a96c4806befad48c3fe73b4468bb2b50f9570b73fe05ff12223e5e6815032139d316995eb670c28b23c028f293d6


@ -1,15 +0,0 @@
Modifications done in this fork:
- Disable user sessions. We don't need them in Flatcar. At some point
Gentoo dropped the dedicated USE flag for it and enables user
sessions with systemd USE flag.
- Drop the dependency on sec-policy/selinux-dbus which is brought by
the selinux USE flag. We enable the flag because we still want DBus
to be selinux-aware, but for some reason we didn't want to pull in
the `sec-policy/selinux-dbus` package. We may want to revisit this
with our SELinux work.
- Drop /etc/machine-id generation. We do it elsewhere (bootengine?).
- Mark it as stable for amd64 and arm64.


@ -1,297 +0,0 @@
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
PYTHON_COMPAT=( python3_{8..11} )
TMPFILES_OPTIONAL=1
# At least at the moment, while a CMake port exists, it's not recommended
# for distributions.
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/CONTRIBUTING.md#L189
inherit autotools flag-o-matic linux-info python-any-r1 readme.gentoo-r1 systemd tmpfiles virtualx multilib-minimal
DESCRIPTION="A message bus system, a simple way for applications to talk to each other"
HOMEPAGE="https://www.freedesktop.org/wiki/Software/dbus/"
SRC_URI="https://dbus.freedesktop.org/releases/dbus/${P}.tar.xz"
LICENSE="|| ( AFL-2.1 GPL-2 )"
SLOT="0"
# Flatcar: Mark it as stable for amd64 and arm64.
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
IUSE="debug doc elogind selinux static-libs systemd test X"
RESTRICT="!test? ( test )"
REQUIRED_USE="?? ( elogind systemd )"
BDEPEND="
acct-user/messagebus
app-text/xmlto
app-text/docbook-xml-dtd:4.4
dev-build/autoconf-archive
virtual/pkgconfig
doc? ( app-doc/doxygen )
"
COMMON_DEPEND="
>=dev-libs/expat-2.1.0
elogind? ( sys-auth/elogind )
selinux? (
sys-process/audit
sys-libs/libselinux
)
systemd? ( sys-apps/systemd:0= )
X? (
x11-libs/libX11
x11-libs/libXt
)
"
DEPEND="${COMMON_DEPEND}
dev-libs/expat
test? (
${PYTHON_DEPS}
>=dev-libs/glib-2.40:2
)
"
# Flatcar: Drop the following dependency to avoid pulling in
# unnecessary ebuilds into rootfs:
#
# selinux? ( sec-policy/selinux-dbus )
#
# We may want to revisit that, actually.
RDEPEND="${COMMON_DEPEND}
acct-user/messagebus
systemd? ( virtual/tmpfiles )
"
DOC_CONTENTS="
Some applications require a session bus in addition to the system
bus. Please see \`man dbus-launch\` for more information.
"
# out of sources build dir for make check
TBD="${WORKDIR}/${P}-tests-build"
PATCHES=(
"${FILESDIR}/dbus-enable-elogind.patch"
"${FILESDIR}/dbus-daemon-optional.patch" # bug #653136
)
pkg_setup() {
use test && python-any-r1_pkg_setup
if use kernel_linux; then
CONFIG_CHECK="~EPOLL"
linux-info_pkg_setup
fi
}
src_prepare() {
default
if [[ ${CHOST} == *-solaris* ]]; then
# fix standards conflict, due to gcc being c99 by default nowadays
sed -i \
-e 's/_XOPEN_SOURCE=500/_XOPEN_SOURCE=600/' \
configure.ac || die
fi
# required for bug #263909, cross-compile so don't remove eautoreconf
eautoreconf
}
src_configure() {
local rundir=$(usex kernel_linux /run /var/run)
sed -e "s;@rundir@;${EPREFIX}${rundir};g" "${FILESDIR}"/dbus.initd.in \
> "${T}"/dbus.initd || die
multilib-minimal_src_configure
}
multilib_src_configure() {
local docconf myconf testconf
# so we can get backtraces from apps
case ${CHOST} in
*-mingw*)
# error: unrecognized command line option '-rdynamic', bug #488036
;;
*)
append-flags -rdynamic
;;
esac
# libaudit is *only* used in DBus wrt SELinux support, so disable it, if
# not on an SELinux profile.
myconf=(
--localstatedir="${EPREFIX}/var"
--runstatedir="${EPREFIX}${rundir}"
$(use_enable static-libs static)
$(use_enable debug verbose-mode)
--disable-asserts
--disable-checks
$(use_enable selinux)
$(use_enable selinux libaudit)
--disable-apparmor
$(use_enable kernel_linux inotify)
--disable-kqueue
$(use_enable elogind)
$(use_enable systemd)
$(use_enable systemd user-session)
--disable-embedded-tests
--disable-modular-tests
$(use_enable debug stats)
--with-session-socket-dir="${EPREFIX}"/tmp
--with-system-pid-file="${EPREFIX}${rundir}"/dbus.pid
--with-system-socket="${EPREFIX}${rundir}"/dbus/system_bus_socket
--with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
--with-systemduserunitdir="$(systemd_get_userunitdir)"
--with-dbus-user=messagebus
$(use_with X x)
)
if [[ ${CHOST} == *-darwin* ]]; then
myconf+=(
--enable-launchd
--with-launchd-agent-dir="${EPREFIX}"/Library/LaunchAgents
)
fi
if multilib_is_native_abi; then
docconf=(
--enable-xml-docs
$(use_enable doc doxygen-docs)
)
else
docconf=(
--disable-xml-docs
--disable-doxygen-docs
)
myconf+=(
--disable-daemon
--disable-selinux
--disable-libaudit
--disable-elogind
--disable-systemd
--without-x
)
fi
einfo "Running configure in ${BUILD_DIR}"
ECONF_SOURCE="${S}" econf "${myconf[@]}" "${docconf[@]}"
if multilib_is_native_abi && use test; then
mkdir "${TBD}" || die
cd "${TBD}" || die
testconf=(
$(use_enable test asserts)
$(use_enable test checks)
$(use_enable test embedded-tests)
$(use_enable test stats)
$(has_version dev-libs/dbus-glib && echo --enable-modular-tests)
)
einfo "Running configure in ${TBD}"
ECONF_SOURCE="${S}" econf "${myconf[@]}" "${testconf[@]}"
fi
}
multilib_src_compile() {
if multilib_is_native_abi; then
# After the compile, it uses a selinuxfs interface to
# check if the SELinux policy has the right support
use selinux && addwrite /selinux/access
einfo "Running make in ${BUILD_DIR}"
emake
if use test; then
einfo "Running make in ${TBD}"
emake -C "${TBD}"
fi
else
emake -C dbus libdbus-1.la
fi
}
src_test() {
# DBUS_TEST_MALLOC_FAILURES=0 to avoid huge test logs
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/CONTRIBUTING.md#L231
DBUS_TEST_MALLOC_FAILURES=0 DBUS_VERBOSE=1 virtx emake -j1 -C "${TBD}" check
}
multilib_src_install() {
if multilib_is_native_abi; then
emake DESTDIR="${D}" install
else
emake DESTDIR="${D}" install-pkgconfigDATA
emake DESTDIR="${D}" -C dbus \
install-libLTLIBRARIES install-dbusincludeHEADERS \
install-nodist_dbusarchincludeHEADERS
fi
}
multilib_src_install_all() {
newinitd "${T}"/dbus.initd dbus
if use X; then
# dbus X session script (bug #77504)
# turns out to only work for GDM (and startx). has been merged into
# other desktop (kdm and such scripts)
exeinto /etc/X11/xinit/xinitrc.d
newexe "${FILESDIR}"/80-dbus-r1 80-dbus
fi
# Needs to exist for dbus sessions to launch
keepdir /usr/share/dbus-1/services
keepdir /etc/dbus-1/{session,system}.d
# machine-id symlink from pkg_postinst()
keepdir /var/lib/dbus
# Let the init script create the /var/run/dbus directory
rm -rf "${ED}"/var/run
# bug #761763
rm -rf "${ED}"/usr/lib/sysusers.d
dodoc AUTHORS NEWS README doc/TODO
readme.gentoo_create_doc
find "${ED}" -name '*.la' -delete || die
}
pkg_postinst() {
readme.gentoo_print_elog
# Flatcar: Drop machine-id generation.
# if use systemd; then
# tmpfiles_process dbus.conf
# fi
#
# # Ensure unique id is generated and put it in /etc bug wrt #370451 but symlink
# # for DBUS_MACHINE_UUID_FILE (see tools/dbus-launch.c) and reverse
# # dependencies with hardcoded paths (although the known ones got fixed already)
# # TODO: should be safe to remove at least the ln because of the above tmpfiles_process?
# dbus-uuidgen --ensure="${EROOT}"/etc/machine-id
# ln -sf "${EPREFIX}"/etc/machine-id "${EROOT}"/var/lib/dbus/machine-id
if [[ ${CHOST} == *-darwin* ]]; then
local plist="org.freedesktop.dbus-session.plist"
elog
elog
elog "For MacOS/Darwin we now ship launchd support for dbus."
elog "This enables autolaunch of dbus at session login and makes"
elog "dbus usable under MacOS/Darwin."
elog
elog "The launchd plist file ${plist} has been"
elog "installed in ${EPREFIX}/Library/LaunchAgents."
elog "For it to be used, you will have to do all of the following:"
elog " + cd ~/Library/LaunchAgents"
elog " + ln -s ${EPREFIX}/Library/LaunchAgents/${plist}"
elog " + logout and log back in"
elog
elog "If your application needs a proper DBUS_SESSION_BUS_ADDRESS"
elog "specified and refused to start otherwise, then export the"
elog "the following to your environment:"
elog " DBUS_SESSION_BUS_ADDRESS=\"launchd:env=DBUS_LAUNCHD_SESSION_BUS_SOCKET\""
fi
}


@ -1,75 +0,0 @@
From 3c08d28fbae8b0ef3839ef26f8d2a713a9a684f9 Mon Sep 17 00:00:00 2001
From: Andreas Sturmlechner <asturm@gentoo.org>
Date: Thu, 21 Feb 2019 23:53:19 +0100
Subject: [PATCH] Make dbus daemon build optional
---
bus/Makefile.am | 2 ++
configure.ac | 17 ++++++++++++++++-
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/bus/Makefile.am b/bus/Makefile.am
index 9ae3071..26a770c 100644
--- a/bus/Makefile.am
+++ b/bus/Makefile.am
@@ -70,6 +70,7 @@ agentdir=$(LAUNCHD_AGENT_DIR)
agent_DATA=org.freedesktop.dbus-session.plist
endif
+if DBUS_DAEMON
if DBUS_BUS_ENABLE_KQUEUE
DIR_WATCH_SOURCE=dir-watch-kqueue.c
else
@@ -241,6 +242,7 @@ test_bus_LDADD = \
$(top_builddir)/dbus/libdbus-internal.la \
$(DBUS_BUS_LIBS) \
$(NULL)
+endif DBUS_DAEMON
install-data-hook:
$(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/session.d
diff --git a/configure.ac b/configure.ac
index be6b065..854e846 100644
--- a/configure.ac
+++ b/configure.ac
@@ -202,6 +202,7 @@ AC_ARG_ENABLE([apparmor],
[enable_apparmor=$enableval],
[enable_apparmor=auto])
AC_ARG_ENABLE(libaudit,AS_HELP_STRING([--enable-libaudit],[build audit daemon support for SELinux]),enable_libaudit=$enableval,enable_libaudit=auto)
+AC_ARG_ENABLE(daemon, AS_HELP_STRING([--enable-daemon],[build with the dbus daemon]),enable_daemon=$enableval,enable_daemon=yes)
AC_ARG_ENABLE(inotify, AS_HELP_STRING([--enable-inotify],[build with inotify support (linux only)]),enable_inotify=$enableval,enable_inotify=auto)
AC_ARG_ENABLE(kqueue, AS_HELP_STRING([--enable-kqueue],[build with kqueue support]),enable_kqueue=$enableval,enable_kqueue=auto)
AC_ARG_ENABLE(console-owner-file, AS_HELP_STRING([--enable-console-owner-file],[enable console owner file]),enable_console_owner_file=$enableval,enable_console_owner_file=auto)
@@ -830,7 +831,20 @@ AC_CHECK_FUNCS(getpeerucred getpeereid)
AC_CHECK_FUNCS(pipe2 accept4)
-PKG_CHECK_MODULES([EXPAT], [expat])
+# dbusdaemon checks
+if test x$enable_daemon = xno ; then
+ have_daemon=no
+else
+ have_daemon=yes
+fi
+
+dnl check if daemon shall be built
+if test x$have_daemon = xyes; then
+ AC_DEFINE(DBUS_DAEMON,1,[Use daemon])
+ PKG_CHECK_MODULES([EXPAT], [expat])
+fi
+
+AM_CONDITIONAL(DBUS_DAEMON, test x$have_daemon = xyes)
save_cflags="$CFLAGS"
save_libs="$LIBS"
@@ -1824,6 +1838,7 @@ echo "
Building bus stats API: ${enable_stats}
Building SELinux support: ${have_selinux}
Building AppArmor support: ${have_apparmor}
+ Building daemon: ${have_daemon}
Building inotify support: ${have_inotify}
Building kqueue support: ${have_kqueue}
Building systemd support: ${have_systemd}
--
2.20.1


@ -1,73 +0,0 @@
--- a/dbus/dbus-userdb-util.c 2015-09-30 16:48:40.000000000 +0200
+++ b/dbus/dbus-userdb-util.c 2016-11-03 11:09:42.550520587 +0100
@@ -32,6 +32,9 @@
#if HAVE_SYSTEMD
#include <systemd/sd-login.h>
#endif
+#if HAVE_ELOGIND
+#include <elogind/sd-login.h>
+#endif
/**
* @addtogroup DBusInternalsUtils
@@ -54,7 +57,7 @@
const DBusUserInfo *info;
dbus_bool_t result = FALSE;
-#ifdef HAVE_SYSTEMD
+#if defined(HAVE_SYSTEMD) || defined(HAVE_ELOGIND)
/* check if we have logind */
if (access ("/run/systemd/seats/", F_OK) >= 0)
{
--- a/configure.ac 2016-11-03 11:13:58.286528265 +0100
+++ b/configure.ac 2016-11-03 11:22:11.210543063 +0100
@@ -185,6 +185,7 @@
AC_ARG_ENABLE(kqueue, AS_HELP_STRING([--enable-kqueue],[build with kqueue support]),enable_kqueue=$enableval,enable_kqueue=auto)
AC_ARG_ENABLE(console-owner-file, AS_HELP_STRING([--enable-console-owner-file],[enable console owner file]),enable_console_owner_file=$enableval,enable_console_owner_file=auto)
AC_ARG_ENABLE(launchd, AS_HELP_STRING([--enable-launchd],[build with launchd auto-launch support]),enable_launchd=$enableval,enable_launchd=auto)
+AC_ARG_ENABLE(elogind, AS_HELP_STRING([--enable-elogind],[build with elogind user seat support]),enable_elogind=$enableval,enable_elogind=auto)
AC_ARG_ENABLE(systemd, AS_HELP_STRING([--enable-systemd],[build with systemd at_console support]),enable_systemd=$enableval,enable_systemd=auto)
AC_ARG_WITH(init-scripts, AS_HELP_STRING([--with-init-scripts=[redhat]],[Style of init scripts to install]))
@@ -1184,6 +1185,24 @@
AM_CONDITIONAL(HAVE_CONSOLE_OWNER_FILE, test x$have_console_owner_file = xyes)
+dnl elogind detection
+if test x$enable_elogind = xno ; then
+ have_elogind=no;
+else
+ PKG_CHECK_MODULES([ELOGIND],
+ [libelogind >= 209],
+ [have_elogind=yes],
+ [have_elogind=no])
+fi
+
+if test x$have_elogind = xyes; then
+ AC_DEFINE(HAVE_ELOGIND,1,[Have elogind])
+fi
+
+if test x$enable_elogind = xyes -a x$have_elogind != xyes ; then
+ AC_MSG_ERROR([Explicitly requested elogind support, but libelogind not found])
+fi
+
dnl systemd detection
if test x$enable_systemd = xno ; then
have_systemd=no;
@@ -1290,7 +1309,7 @@
fi
#### Set up final flags
-LIBDBUS_LIBS="$THREAD_LIBS $NETWORK_libs $SYSTEMD_LIBS"
+LIBDBUS_LIBS="$THREAD_LIBS $NETWORK_libs $SYSTEMD_LIBS $ELOGIND_LIBS"
AC_SUBST([LIBDBUS_LIBS])
### X11 detection
@@ -1949,6 +1968,7 @@
Building AppArmor support: ${have_apparmor}
Building inotify support: ${have_inotify}
Building kqueue support: ${have_kqueue}
+ Building elogind support: ${have_elogind}
Building systemd support: ${have_systemd}
Building X11 code: ${have_x11}
Building Doxygen docs: ${enable_doxygen_docs}


@ -1,3 +0,0 @@
We keep this package in overlay, because we install the keyutils
config file in /usr instead of /etc, and then establish some symlinks
during installation and with systemd's tmpfiles.d utility.


@ -1,3 +0,0 @@
L /etc/request-key.conf - - - - ../usr/share/keyutils/request-key.conf
d /etc/request-key.d - - - - -
d /etc/keyutils - - - - -


@ -1,2 +0,0 @@
DIST shadow-4.13.tar.xz 1762908 BLAKE2B 315ab8a7e598aeefb50c11293e20cfa0982c3c3ae21c35ae243d09a4facf97a13c1d672990876e74ef94f5284402acf14997663743e2aaefa6cfc4369b7d24dc SHA512 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e
DIST shadow-4.13.tar.xz.asc 488 BLAKE2B de1f8285c5713a772343a2a7c638d1d13429dd4fa867d4f91d4922aa0d083b4a3110d38e8a8ab82137fdf4fecb12ba3677f3fb235401fc6438ae663fbd9bfbd2 SHA512 f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648


@ -1,33 +0,0 @@
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
vc/0
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
vc/12
tty0
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12
tts/0
ttyS0


@ -1,100 +0,0 @@
From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
Date: Thu, 23 Mar 2023 23:39:38 +0000
Subject: [PATCH] Added control character check
Added control character check, returning -1 (to "err") if control characters are present.
---
lib/fields.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/fields.c b/lib/fields.c
index 640be931f..fb51b5829 100644
--- a/lib/fields.c
+++ b/lib/fields.c
@@ -21,9 +21,9 @@
*
* The supplied field is scanned for non-printable and other illegal
* characters.
- * + -1 is returned if an illegal character is present.
- * + 1 is returned if no illegal characters are present, but the field
- * contains a non-printable character.
+ * + -1 is returned if an illegal or control character is present.
+ * + 1 is returned if no illegal or control characters are present,
+ * but the field contains a non-printable character.
* + 0 is returned otherwise.
*/
int valid_field (const char *field, const char *illegal)
@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
}
if (0 == err) {
- /* Search if there are some non-printable characters */
+ /* Search if there are non-printable or control characters */
for (cp = field; '\0' != *cp; cp++) {
if (!isprint (*cp)) {
err = 1;
+ }
+ if (!iscntrl (*cp)) {
+ err = -1;
break;
}
}
From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 31 Mar 2023 14:46:50 +0200
Subject: [PATCH] Overhaul valid_field()
e5905c4b ("Added control character check") introduced checking for
control characters but had the logic inverted, so it rejects all
characters that are not control ones.
Cast the character to `unsigned char` before passing to the character
checking functions to avoid UB.
Use strpbrk(3) for the illegal character test and return early.
---
lib/fields.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/lib/fields.c b/lib/fields.c
index fb51b5829..539292485 100644
--- a/lib/fields.c
+++ b/lib/fields.c
@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
/* For each character of field, search if it appears in the list
* of illegal characters. */
+ if (illegal && NULL != strpbrk (field, illegal)) {
+ return -1;
+ }
+
+ /* Search if there are non-printable or control characters */
for (cp = field; '\0' != *cp; cp++) {
- if (strchr (illegal, *cp) != NULL) {
+ unsigned char c = *cp;
+ if (!isprint (c)) {
+ err = 1;
+ }
+ if (iscntrl (c)) {
err = -1;
break;
}
}
- if (0 == err) {
- /* Search if there are non-printable or control characters */
- for (cp = field; '\0' != *cp; cp++) {
- if (!isprint (*cp)) {
- err = 1;
- }
- if (!iscntrl (*cp)) {
- err = -1;
- break;
- }
- }
- }
-
return err;
}


@ -1,38 +0,0 @@
https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef
https://github.com/shadow-maint/shadow/pull/595
From a281f241b592aec636d1b93a99e764499d68c7ef Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 21 Nov 2022 11:52:45 +0100
Subject: [PATCH] Fix HAVE_SHADOWGRP configure check
The missing #include <gshadow.h> causes the configure check to fail
spuriously, resulting in HAVE_SHADOWGRP not being defined even
on systems that actually have sgetsgent (such as current glibc).
--- a/configure.ac
+++ b/configure.ac
@@ -116,6 +116,10 @@ if test "$ac_cv_header_shadow_h" = "yes"; then
ac_cv_libc_shadowgrp,
AC_RUN_IFELSE([AC_LANG_SOURCE([
#include <shadow.h>
+ #ifdef HAVE_GSHADOW_H
+ #include <gshadow.h>
+ #endif
+ int
main()
{
struct sgrp *sg = sgetsgent("test:x::");
--- a/configure
+++ b/configure
@@ -15684,6 +15684,10 @@ else $as_nop
/* end confdefs.h. */
#include <shadow.h>
+ #ifdef HAVE_GSHADOW_H
+ #include <gshadow.h>
+ #endif
+ int
main()
{
struct sgrp *sg = sgetsgent("test:x::");


@ -1,135 +0,0 @@
https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
From: Alejandro Colomar <alx@kernel.org>
Date: Sat, 10 Jun 2023 16:20:05 +0200
Subject: [PATCH] gpasswd(1): Fix password leak
How to trigger this password leak?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When gpasswd(1) asks for the new password, it asks twice (as is usual
for confirming the new password). Each of those 2 password prompts
uses agetpass() to get the password. If the second agetpass() fails,
the first password, which has been copied into the 'static' buffer
'pass' via STRFCPY(), wasn't being zeroed.
agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
can fail for any of the following reasons:
- malloc(3) or readpassphrase(3) failure.
These are going to be difficult to trigger. Maybe getting the system
to the limits of memory utilization at that exact point, so that the
next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
About readpassphrase(3), ENFILE and EINTR seem the only plausible
ones, and EINTR probably requires privilege or being the same user;
but I wouldn't discard ENFILE so easily, if a process starts opening
files.
- The password is longer than PASS_MAX.
The is plausible with physical access. However, at that point, a
keylogger will be a much simpler attack.
And, the attacker must be able to know when the second password is being
introduced, which is not going to be easy.
How to read the password after the leak?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Provoking the leak yourself at the right point by entering a very long
password is easy, and inspecting the process stack at that point should
be doable. Try to find some consistent patterns.
Then, search for those patterns in free memory, right after the victim
leaks their password.
Once you get the leak, a program should read all the free memory
searching for patterns that gpasswd(1) leaves nearby the leaked
password.
On 6/10/23 03:14, Seth Arnold wrote:
> An attacker process wouldn't be able to use malloc(3) for this task.
> There's a handful of tools available for userspace to allocate memory:
>
> - brk / sbrk
> - mmap MAP_ANONYMOUS
> - mmap /dev/zero
> - mmap some other file
> - shm_open
> - shmget
>
> Most of these return only pages of zeros to a process. Using mmap of an
> existing file, you can get some of the contents of the file demand-loaded
> into the memory space on the first use.
>
> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
>
> malloc(3) doesn't zero memory, to our collective frustration, but all the
> garbage in the allocations is from previous allocations in the current
> process. It isn't leftover from other processes.
>
> The avenues available for reading the memory:
> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
> - ptrace (requires ptrace privileges, mediated by YAMA)
> - causing memory to be swapped to disk, and then inspecting the swap
>
> These all require a certain amount of privileges.
How to fix it?
~~~~~~~~~~~~~
memzero(), which internally calls explicit_bzero(3), or whatever
alternative the system provides with a slightly different name, will
make sure that the buffer is zeroed in memory, and optimizations are not
allowed to impede this zeroing.
This is not really 100% effective, since compilers may place copies of
the string somewhere hidden in the stack. Those copies won't get zeroed
by explicit_bzero(3). However, that's arguably a compiler bug, since
compilers should make everything possible to avoid optimizing strings
that are later passed to explicit_bzero(3). But we all know that
sometimes it's impossible to have perfect knowledge in the compiler, so
this is plausible. Nevertheless, there's nothing we can do against such
issues, except minimizing the time such passwords are stored in plain
text.
Security concerns
~~~~~~~~~~~~~~~~
We believe this isn't easy to exploit. Nevertheless, and since the fix
is trivial, this fix should probably be applied soon, and backported to
all supported distributions, to prevent someone else having more
imagination than us to find a way.
Affected versions
~~~~~~~~~~~~~~~~
All. Bug introduced in shadow 19990709. That's the second commit in
the git history.
Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Reported-by: Alejandro Colomar <alx@kernel.org>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Seth Arnold <seth.arnold@canonical.com>
Cc: Christian Brauner <christian@brauner.io>
Cc: Balint Reczey <rbalint@debian.org>
Cc: Sam James <sam@gentoo.org>
Cc: David Runge <dvzrv@archlinux.org>
Cc: Andreas Jaeger <aj@suse.de>
Cc: <~hallyn/shadow@lists.sr.ht>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
--- a/src/gpasswd.c
+++ b/src/gpasswd.c
@@ -898,6 +898,7 @@ static void change_passwd (struct group *gr)
erase_pass (cp);
cp = agetpass (_("Re-enter new password: "));
if (NULL == cp) {
+ memzero (pass, sizeof pass);
exit (1);
}


@ -1,33 +0,0 @@
https://bugs.gentoo.org/903083
https://github.com/shadow-maint/shadow/pull/691
https://github.com/shadow-maint/shadow/commit/bd2d0079c90241f24671a7946a3ad175dc1a3aeb
From fcb04de38a0ddc263288a1c450b35bfb1503d523 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sat, 25 Mar 2023 21:16:55 -0400
Subject: [PATCH] usermod: respect --prefix for --gid option
The --gid option accepts a group name or id. When a name is provided, it
is resolved to an id by looking up the name in the group database
(/etc/group).
The --prefix option overides the location of the passwd and group
databases. I suspect the --gid option was overlooked when wiring up the
--prefix option.
useradd --gid already respects --prefix; this change makes usermod
behave the same way.
Fixes: b6b2c756c91806b1c3e150ea0ee4721c6cdaf9d0
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -1072,7 +1072,7 @@ static void process_flags (int argc, char **argv)
fflg = true;
break;
case 'g':
- grp = getgr_nam_gid (optarg);
+ grp = prefix_getgr_nam_gid (optarg);
if (NULL == grp) {
fprintf (stderr,
_("%s: group '%s' does not exist\n"),

View File

@ -1,5 +0,0 @@
L /etc/login.defs - - - - ../usr/share/shadow/login.defs
L /etc/securetty - - - - ../usr/share/shadow/securetty
d /etc/default - - - - -
L /etc/default/useradd - - - - ../../usr/share/shadow/useradd

View File

@ -1 +0,0 @@
f /var/log/faillog - - - - -


@ -1 +0,0 @@
DIST polkit-121.tar.gz 743287 BLAKE2B 6ebda8fc866ef960281ef912a3d3c45572da3ba90a84026e386b78ced8eaadc6cfc0e88d6e5a75133bf99e28041f8b29b236bb0e9666dd1ffc43af2227a5cb2d SHA512 f565027b80f32833c558900b612e089ab25027da5bf9a90c421a292467d4db9a291f6dc9850c4bca8f9ee890d476fd064a643a5f7e28497661ba1e31d4227624


@ -1,231 +0,0 @@
Pulled in from https://github.com/gentoo/musl/blob/master/sys-auth/polkit/files/polkit-0.118-make-netgroup-support-optional.patch.
https://bugs.gentoo.org/833753
https://bugs.gentoo.org/561672
https://bugs.freedesktop.org/show_bug.cgi?id=50145
https://gitlab.freedesktop.org/polkit/polkit/-/issues/14
Patch has been rebased a bit since but keeping original headers.
From c7ad7cb3ca8fca32b9b64b0fc33867b98935b76b Mon Sep 17 00:00:00 2001
From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
Date: Wed, 11 Jul 2018 04:54:26 -0500
Subject: [PATCH] make netgroup support optional
On at least Linux/musl and Linux/uclibc, netgroup support is not
available. PolKit fails to compile on these systems for that reason.
This change makes netgroup support conditional on the presence of the
setnetgrent(3) function which is required for the support to work. If
that function is not available on the system, an error will be returned
to the administrator if unix-netgroup: is specified in configuration.
Fixes bug 50145.
Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>
--- a/meson.build
+++ b/meson.build
@@ -89,6 +89,7 @@ config_h.set('_GNU_SOURCE', true)
check_functions = [
'clearenv',
'fdatasync',
+ 'setnetgrent',
]
foreach func: check_functions
--- a/src/polkit/polkitidentity.c
+++ b/src/polkit/polkitidentity.c
@@ -182,7 +182,15 @@ polkit_identity_from_string (const gchar *str,
}
else if (g_str_has_prefix (str, "unix-netgroup:"))
{
+#ifndef HAVE_SETNETGRENT
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Netgroups are not available on this machine ('%s')",
+ str);
+#else
identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1);
+#endif
}
if (identity == NULL && (error != NULL && *error == NULL))
@@ -344,6 +352,14 @@ polkit_identity_new_for_gvariant (GVariant *variant,
GVariant *v;
const char *name;
+#ifndef HAVE_SETNETGRENT
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Netgroups are not available on this machine");
+ goto out;
+#else
+
v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
if (v == NULL)
{
@@ -353,6 +369,7 @@ polkit_identity_new_for_gvariant (GVariant *variant,
name = g_variant_get_string (v, NULL);
ret = polkit_unix_netgroup_new (name);
g_variant_unref (v);
+#endif
}
else
{
--- a/src/polkit/polkitunixnetgroup.c
+++ b/src/polkit/polkitunixnetgroup.c
@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group,
PolkitIdentity *
polkit_unix_netgroup_new (const gchar *name)
{
+#ifndef HAVE_SETNETGRENT
+ g_assert_not_reached();
+#endif
g_return_val_if_fail (name != NULL, NULL);
return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
"name", name,
--- a/src/polkitbackend/polkitbackendduktapeauthority.c
+++ b/src/polkitbackend/polkitbackendduktapeauthority.c
@@ -1035,7 +1035,7 @@ js_polkit_user_is_in_netgroup (duk_context *cx)
user = duk_require_string (cx, 0);
netgroup = duk_require_string (cx, 1);
-
+#ifdef HAVE_SETNETGRENT
if (innetgr (netgroup,
NULL, /* host */
user,
@@ -1043,7 +1043,7 @@ js_polkit_user_is_in_netgroup (duk_context *cx)
{
is_in_netgroup = TRUE;
}
-
+#endif
duk_push_boolean (cx, is_in_netgroup);
return 1;
}
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
@@ -2248,25 +2248,26 @@ get_users_in_net_group (PolkitIdentity *group,
GList *ret;
ret = NULL;
+#ifdef HAVE_SETNETGRENT
name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group));
-#ifdef HAVE_SETNETGRENT_RETURN
+# ifdef HAVE_SETNETGRENT_RETURN
if (setnetgrent (name) == 0)
{
g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno));
goto out;
}
-#else
+# else
setnetgrent (name);
-#endif
+# endif /* HAVE_SETNETGRENT_RETURN */
for (;;)
{
-#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
+# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
const char *hostname, *username, *domainname;
-#else
+# else
char *hostname, *username, *domainname;
-#endif
+# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */
PolkitIdentity *user;
GError *error = NULL;
@@ -2297,6 +2298,7 @@ get_users_in_net_group (PolkitIdentity *group,
out:
endnetgrent ();
+#endif /* HAVE_SETNETGRENT */
return ret;
}
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -1271,6 +1271,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
+#ifdef HAVE_SETNETGRENT
JS::RootedString usrstr (authority->priv->cx);
usrstr = args[0].toString();
user = JS_EncodeStringToUTF8 (cx, usrstr);
@@ -1285,6 +1286,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
{
is_in_netgroup = true;
}
+#endif
ret = true;
--- a/test/polkit/polkitidentitytest.c
+++ b/test/polkit/polkitidentitytest.c
@@ -145,11 +145,15 @@ struct ComparisonTestData comparison_test_data [] = {
{"unix-group:root", "unix-group:jane", FALSE},
{"unix-group:jane", "unix-group:jane", TRUE},
+#ifdef HAVE_SETNETGRENT
{"unix-netgroup:foo", "unix-netgroup:foo", TRUE},
{"unix-netgroup:foo", "unix-netgroup:bar", FALSE},
+#endif
{"unix-user:root", "unix-group:root", FALSE},
+#ifdef HAVE_SETNETGRENT
{"unix-user:jane", "unix-netgroup:foo", FALSE},
+#endif
{NULL},
};
@@ -181,11 +185,13 @@ main (int argc, char *argv[])
g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string);
g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string);
+#ifdef HAVE_SETNETGRENT
g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string);
+ g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
+#endif
g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant);
g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant);
- g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
add_comparison_tests ();
--- a/test/polkit/polkitunixnetgrouptest.c
+++ b/test/polkit/polkitunixnetgrouptest.c
@@ -69,7 +69,9 @@ int
main (int argc, char *argv[])
{
g_test_init (&argc, &argv, NULL);
+#ifdef HAVE_SETNETGRENT
g_test_add_func ("/PolkitUnixNetgroup/new", test_new);
g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name);
+#endif
return g_test_run ();
}
--- a/test/polkitbackend/test-polkitbackendjsauthority.c
+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
@@ -137,12 +137,14 @@ test_get_admin_identities (void)
"unix-group:users"
}
},
+#ifdef HAVE_SETNETGRENT
{
"net.company.action3",
{
"unix-netgroup:foo"
}
},
+#endif
};
guint n;


@ -1,3 +0,0 @@
d /etc/polkit-1 - - - - -
d /etc/polkit-1/rules.d 0700 polkitd root - -
d /var/lib/polkit-1 0700 polkitd polkitd - -


@ -1 +0,0 @@
DIST LVM2.2.02.188.tgz 2421550 BLAKE2B bed90c8454cd4b20fdeec6dcbf5a9f97c9310671aea3b2252f8069cfa439fcb050f5ad95f928a7125a1734a4dc5ac985da99a4a570538e377a7205191a505476 SHA512 8c9db17c49dc8ebcab6c7f246ab85870a80658be811cf7f4d8f36abbebafa355b030bfc1e3bcbad73ccccb7fcd06d4a95ac547ca15d18d33715126da92703dca


@ -1,20 +0,0 @@
We keep this package in overlay, because we carry one extra patch for
the unit generator. It was posted upstream and remains
unacknowledged. We could try sending the patch to gentoo, so we can
bring this package back to portage-stable.
The lvm2-activation(-early).service was triggered multiple times which
if done too quickly leads to a failure like this:
systemd[1]: Finished Activation of LVM2 logical volumes.
systemd[1]: lvm2-activation-early.service: Start request repeated too quickly.
systemd[1]: lvm2-activation-early.service: Failed with result 'start-limit-hit'.
Set RemainAfterExit=yes as done for the other oneshot services to
prevent the unit from running multiple times in a row and hitting the
restart limit.
We also patch the configure script to use the correct path for systemd
util directory.


@ -1,12 +0,0 @@
diff -ur LVM2.2.02.145/scripts/lvm2_activation_generator_systemd_red_hat.c LVM2.2.02.145-patch/scripts/lvm2_activation_generator_systemd_red_hat.c
--- LVM2.2.02.145/scripts/lvm2_activation_generator_systemd_red_hat.c 2016-03-04 19:03:29.000000000 +0100
+++ LVM2.2.02.145-patch/scripts/lvm2_activation_generator_systemd_red_hat.c 2020-07-28 18:15:35.766505354 +0200
@@ -153,7 +153,7 @@
fputs("ExecStart=" LVM_PATH " vgchange -aay --ignoreskippedcluster", f);
if (sysinit_needed)
fputs (" --sysinit", f);
- fputs("\nType=oneshot\n", f);
+ fputs("\nType=oneshot\nRemainAfterExit=yes\n", f);
if (fclose(f) < 0) {
kmsg(LOG_ERR, "LVM: Failed to write unit file %s: %m.\n", unit_name);


@ -1,12 +0,0 @@
--- a/lib/device/dev-io.c
+++ b/lib/device/dev-io.c
@@ -505,7 +505,9 @@
dev->flags |= DEV_NOT_O_NOATIME;
if ((dev->fd = open(name, flags, 0777)) >= 0) {
log_debug_devs("%s: Not using O_NOATIME", name);
+#ifdef O_DIRECT_SUPPORT
goto opened;
+#endif
}
}
#endif


@ -1,13 +0,0 @@
diff --git a/make.tmpl.in b/make.tmpl.in
index a40eaaa15..7eea943aa 100644
--- a/make.tmpl.in
+++ b/make.tmpl.in
@@ -53,7 +53,7 @@ PYCOMPILE = $(top_srcdir)/autoconf/py-compile
LIBS = @LIBS@
# Extra libraries always linked with static binaries
-STATIC_LIBS = $(SELINUX_STATIC_LIBS) $(UDEV_STATIC_LIBS) $(BLKID_STATIC_LIBS)
+STATIC_LIBS = $(SELINUX_STATIC_LIBS) $(UDEV_STATIC_LIBS) $(BLKID_STATIC_LIBS) $(M_LIBS)
DEFS += @DEFS@
# FIXME set this only where it's needed, not globally?
CFLAGS ?= @COPTIMISE_FLAG@ @CFLAGS@


@ -1,29 +0,0 @@
--- LVM2.2.02.176/libdm/libdevmapper.pc.in
+++ LVM2.2.02.176/libdm/libdevmapper.pc.in
@@ -9,4 +9,4 @@
Cflags: -I${includedir}
Libs: -L${libdir} -ldevmapper
Requires.private: @SELINUX_PC@ @UDEV_PC@
-Libs.private: -lm @RT_LIBS@
+Libs.private: -lm @RT_LIBS@ @PTHREAD_LIBS@
--- LVM2.2.02.176/tools/Makefile.in
+++ LVM2.2.02.176/tools/Makefile.in
@@ -93,6 +93,7 @@
INSTALL_LVM_TARGETS += install_tools_static
INSTALL_DMSETUP_TARGETS += install_dmsetup_static
INSTALL_CMDLIB_TARGETS += install_cmdlib_static
+ STATIC_LIBS += @PTHREAD_LIBS@
endif
LVMLIBS = $(LVMINTERNAL_LIBS) -ldevmapper
@@ -118,6 +119,10 @@
include $(top_builddir)/make.tmpl
+ifeq ("@STATIC_LINK@", "yes")
+ STATIC_LIBS += @PTHREAD_LIBS@
+endif
+
device-mapper: $(TARGETS_DM)
CFLAGS_dmsetup.o += $(UDEV_CFLAGS) $(EXTRA_EXEC_CFLAGS)


@ -1,15 +0,0 @@
http://bugs.gentoo.org/330255
liblvm2app.so: undefined reference to `floor'
--- LVM2.2.02.178/liblvm/Makefile.in
+++ LVM2.2.02.178/liblvm/Makefile.in
@@ -43,7 +43,7 @@
include $(top_builddir)/make.tmpl
LDFLAGS += -L$(top_builddir)/lib -L$(top_builddir)/daemons/dmeventd
-LIBS += $(LVMINTERNAL_LIBS) -ldevmapper -laio
+LIBS += $(LVMINTERNAL_LIBS) -ldevmapper -laio -lm
.PHONY: install_dynamic install_static install_include install_pkgconfig


@ -1,59 +0,0 @@
--- LVM2.2.02.178/configure.ac
+++ LVM2.2.02.178/configure.ac
@@ -33,6 +33,7 @@
CLDFLAGS="$CLDFLAGS -Wl,--version-script,.export.sym"
# equivalent to -rdynamic
ELDFLAGS="-Wl,--export-dynamic"
+ STATIC_LDFLAGS="-Wl,--no-export-dynamic"
# FIXME Generate list and use --dynamic-list=.dlopen.sym
CLDWHOLEARCHIVE="-Wl,-whole-archive"
CLDNOWHOLEARCHIVE="-Wl,-no-whole-archive"
@@ -2042,6 +2043,7 @@
AC_SUBST(SYSTEMD_LIBS)
AC_SUBST(SNAPSHOTS)
AC_SUBST(STATICDIR)
+AC_SUBST(STATIC_LDFLAGS)
AC_SUBST(STATIC_LINK)
AC_SUBST(TESTSUITE_DATA)
AC_SUBST(THIN)
--- LVM2.2.02.178/daemons/dmeventd/Makefile.in
+++ LVM2.2.02.178/daemons/dmeventd/Makefile.in
@@ -64,7 +64,7 @@
-o $@ $(DL_LIBS) $(DMEVENT_LIBS) $(LIBS)
dmeventd.static: $(LIB_STATIC) dmeventd.o $(interfacebuilddir)/libdevmapper.a
- $(CC) $(CFLAGS) $(LDFLAGS) -static -L. -L$(interfacebuilddir) dmeventd.o \
+ $(CC) $(CFLAGS) $(LDFLAGS) $(STATIC_LDFLAGS) -static -L. -L$(interfacebuilddir) dmeventd.o \
-o $@ $(DL_LIBS) $(DMEVENT_LIBS) $(LIBS) $(STATIC_LIBS)
ifeq ("@PKGCONFIG@", "yes")
--- LVM2.2.02.178/make.tmpl.in
+++ LVM2.2.02.178/make.tmpl.in
@@ -64,6 +64,7 @@
# FIXME set this only where it's needed, not globally?
CFLAGS ?= @COPTIMISE_FLAG@ @CFLAGS@
LDFLAGS ?= @LDFLAGS@
+STATIC_LDFLAGS += @STATIC_LDFLAGS@
CLDFLAGS += @CLDFLAGS@
ELDFLAGS += @ELDFLAGS@
LDDEPS += @LDDEPS@
--- LVM2.2.02.178/tools/Makefile.in
+++ LVM2.2.02.178/tools/Makefile.in
@@ -129,7 +129,7 @@
dmsetup.static: dmsetup.o $(interfacebuilddir)/libdevmapper.a
@echo " [CC] $@"
- $(Q) $(CC) $(CFLAGS) $(LDFLAGS) -static -L$(interfacebuilddir) \
+ $(Q) $(CC) $(CFLAGS) $(LDFLAGS) $(STATIC_LDFLAGS) -static -L$(interfacebuilddir) \
-o $@ dmsetup.o -ldevmapper $(M_LIBS) $(PTHREAD_LIBS) $(STATIC_LIBS) $(LIBS)
all: device-mapper
@@ -159,7 +159,7 @@
lvm.static: $(OBJECTS) lvm-static.o $(top_builddir)/lib/liblvm-internal.a $(interfacebuilddir)/libdevmapper.a
@echo " [CC] $@"
- $(Q) $(CC) $(CFLAGS) $(LDFLAGS) -static -L$(interfacebuilddir) -o $@ \
+ $(Q) $(CC) $(CFLAGS) $(LDFLAGS) $(STATIC_LDFLAGS) -static -L$(interfacebuilddir) -o $@ \
$(OBJECTS) lvm-static.o $(LVMLIBS) $(STATIC_LIBS) $(LIBS)
liblvm2cmd.a: $(top_builddir)/lib/liblvm-internal.a $(OBJECTS) lvmcmdlib.o lvm2cmd.o
