From e43d18f0da6801be25bff2d84a0834a1ed0d7070 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 19 Jun 2020 11:30:55 +0200 Subject: [PATCH 1/2] sys-libs/glibc: update to 2.30-r8 Update glibc to 2.30-r8 to sync with upstream Gentoo, to address security issues reported as [GLSA 202006-04](https://security.gentoo.org/glsa/202006-04). --- .../coreos-overlay/sys-libs/glibc/Manifest | 4 +- .../glibc-2.25-gshadow-handle-erange.patch | 114 ------ .../sys-libs/glibc/files/host.conf-1 | 24 ++ .../sys-libs/glibc/files/nscd-1 | 85 ++++ .../sys-libs/glibc/files/nscd-conf.tmpfiles | 2 - .../sys-libs/glibc/files/nscd.service | 15 + .../sys-libs/glibc/files/nscd.tmpfilesd | 4 + ...bc-2.29-r2.ebuild => glibc-2.30-r8.ebuild} | 381 +++++++++--------- .../sys-libs/glibc/metadata.xml | 2 + 9 files changed, 327 insertions(+), 304 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.25/glibc-2.25-gshadow-handle-erange.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/host.conf-1 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-1 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.service create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.tmpfilesd rename sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/{glibc-2.29-r2.ebuild => glibc-2.30-r8.ebuild} (83%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest index f75ed2896f..f1a1af01c9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest 
@@ -1,3 +1,3 @@ DIST gcc-multilib-bootstrap-20180511.tar.xz 2392908 BLAKE2B f3cf614399368acd8908f60d894c6344a2fa09383b30c1633a0682bc668367c8a2f8c6fec2d41b6e2178d709a2bd8db57e8b2ab56ba263c7d56f819c15acd061 SHA512 98c766e913693ab42ff790557acde2a36a8001e2648046a685b21964200df8d4d52d8452d499c0068c6648284d086ce062c2d36e2c6c2fd8aacd232d193f2853 -DIST glibc-2.29-patches-3.tar.xz 35812 BLAKE2B 90b8bc57b7a63f03617795c368b92e525eccfec462d638dbc25c581e5b7a2a72ffd5191842f5ac443a868cbc950838d7e5120e866d343a14b80c55dcbfa48f30 SHA512 4c9b78d9d1a8aa629418f2d758ef800857780b8a1fd8d3582b88348a513ca26ca7f6ac9110a8c6bae16949b360ba36840d184f42293cd4324760273592d1b438 -DIST glibc-2.29.tar.xz 16515488 BLAKE2B b754e6825176538a2b8ca03fce014f0d87d333dc4d038bf0cda5ee8a2f484cd3ce93ad78ec126737e093ab64b55ceedf04cd08aecb4f8041daaa329e99717afa SHA512 146bc0769fe853d9edbf93cea7f74c5b3d84d69cb7614c62588e7acdecd1ec789a9d8949f3e8b99f8f36f2ccac740a003bed94f32b07817baf780b06cfeb6ed0 +DIST glibc-2.30-patches-10.tar.xz 72808 BLAKE2B a7a95c99482524b2896d15539766f1e6b1fe34a22f32119248c6dd44f42632076e86fdcbbdc2d604ec73ceccdd8a7f5936a62a6f4c3d039fae8f6901dfc6be77 SHA512 af5e213ff08bf38f6f529816c36b4e38df27207c2df254609ebe45b2f039ab553bbe563aa6f64b6667d328fd2c120dc21b6e2676540bdd94e58079237089eac3 +DIST glibc-2.30.tar.xz 16576920 BLAKE2B bd5aae4c9854f40785b91f83c3b632de6d48d811027ddfe61651cb1bc617db8017d7914c23a770cdd3feed06fcc316da841eea916cdba54179e7eace4ea45484 SHA512 37483990cd653685873e96c45dd1651b32b441b6d7919a68ebe3bae31a0c3f7ce183fc9b110f0b268b353f80312f18370559a1e7aecea0e5aa755c8f2aef1d6b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.25/glibc-2.25-gshadow-handle-erange.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.25/glibc-2.25-gshadow-handle-erange.patch deleted file mode 100644 index d223e9f088..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.25/glibc-2.25-gshadow-handle-erange.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 74250a7cdf106d4ca7d9506e6d5dc7c448dc3434 Mon Sep 17 00:00:00 2001 -From: David Michael -Date: Thu, 15 Dec 2016 15:22:57 -0800 -Subject: [PATCH] gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c - - [BZ #20338] - * gshadow/fgetsgent_r.c: Include . - (flockfile): New macro. - (funlockfile): Likewise. - (__fgetsgent_r): Sync with __fgetgrent_r. - * nss/nss_files/files-sgrp.c: Fix "fgetsgent_r.c" typo. ---- - gshadow/fgetsgent_r.c | 35 ++++++++++++++++++++++++----------- - nss/nss_files/files-sgrp.c | 2 +- - 2 files changed, 25 insertions(+), 12 deletions(-) - -diff --git a/gshadow/fgetsgent_r.c b/gshadow/fgetsgent_r.c -index b70f6fa..02cd33a 100644 ---- a/gshadow/fgetsgent_r.c -+++ b/gshadow/fgetsgent_r.c -@@ -20,39 +20,44 @@ - #include - #include - -+#include -+#define flockfile(s) _IO_flockfile (s) -+#define funlockfile(s) _IO_funlockfile (s) -+ - /* Define a line parsing function using the common code - used in the nss_files module. */ - - #define STRUCTURE sgrp - #define ENTNAME sgent --#define EXTERN_PARSER 1 -+#define EXTERN_PARSER 1 - struct sgent_data {}; - - #include - - --/* Read one shadow entry from the given stream. */ -+/* Read one entry from the given stream. 
*/ - int - __fgetsgent_r (FILE *stream, struct sgrp *resbuf, char *buffer, size_t buflen, - struct sgrp **result) - { - char *p; -+ int parse_result; - -- _IO_flockfile (stream); -+ flockfile (stream); - do - { - buffer[buflen - 1] = '\xff'; - p = fgets_unlocked (buffer, buflen, stream); -- if (p == NULL && feof_unlocked (stream)) -+ if (__builtin_expect (p == NULL, 0) && feof_unlocked (stream)) - { -- _IO_funlockfile (stream); -+ funlockfile (stream); - *result = NULL; - __set_errno (ENOENT); - return errno; - } -- if (p == NULL || buffer[buflen - 1] != '\xff') -+ if (__builtin_expect (p == NULL, 0) || buffer[buflen - 1] != '\xff') - { -- _IO_funlockfile (stream); -+ funlockfile (stream); - *result = NULL; - __set_errno (ERANGE); - return errno; -@@ -61,13 +66,21 @@ __fgetsgent_r (FILE *stream, struct sgrp *resbuf, char *buffer, size_t buflen, - /* Skip leading blanks. */ - while (isspace (*p)) - ++p; -- } while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ -+ } while (*p == '\0' || *p == '#' /* Ignore empty and comment lines. */ - /* Parse the line. If it is invalid, loop to - get the next line of the file to parse. */ -- ! parse_line (buffer, (void *) resbuf, (void *) buffer, buflen, -- &errno)); -+ || ! (parse_result = parse_line (p, resbuf, -+ (void *) buffer, buflen, -+ &errno))); -+ -+ funlockfile (stream); - -- _IO_funlockfile (stream); -+ if (__builtin_expect (parse_result, 0) == -1) -+ { -+ /* The parser ran out of space. */ -+ *result = NULL; -+ return errno; -+ } - - *result = resbuf; - return 0; -diff --git a/nss/nss_files/files-sgrp.c b/nss/nss_files/files-sgrp.c -index 15dc659..05c3805 100644 ---- a/nss/nss_files/files-sgrp.c -+++ b/nss/nss_files/files-sgrp.c -@@ -23,7 +23,7 @@ - #define DATABASE "gshadow" - struct sgent_data {}; - --/* Our parser function is already defined in sgetspent_r.c, so use that -+/* Our parser function is already defined in sgetsgent_r.c, so use that - to parse lines from the database file. 
*/ - #define EXTERN_PARSER - #include "files-parse.c" --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/host.conf-1 b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/host.conf-1 new file mode 100644 index 0000000000..4c58e52d6b --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/host.conf-1 @@ -0,0 +1,24 @@ +# /etc/host.conf: +# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/host.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $ + +# The file /etc/host.conf contains configuration information specific to +# the resolver library. It should contain one configuration keyword per +# line, followed by appropriate configuration information. The keywords +# recognized are order, trim, mdns, multi, nospoof, spoof, and reorder. + + + +# This keyword specifies how host lookups are to be performed. It +# should be followed by one or more lookup methods, separated by +# commas. Valid methods are bind, hosts, and nis. +# +order hosts, bind + + +# Valid values are on and off. If set to on, the resolv+ library +# will return all valid addresses for a host that appears in the +# /etc/hosts file, instead of only the first. This is off by +# default, as it may cause a substantial performance loss at sites +# with large hosts files. +# +multi off diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-1 b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-1 new file mode 100644 index 0000000000..f69c8e2eac --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-1 
@@ -0,0 +1,85 @@
+#!/sbin/openrc-run
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="The 'Name Service Cache Daemon' is a daemon that provides a cache"
+description="${description} for the most common name service requests"
+
+extra_started_commands="flush_all flush_hosts flush_group flush_passwd flush_netgroup flush_services"
+
+description_flush_all="Will invalidate hosts, group, passwd, netgroup and services cache"
+description_flush_hosts="Will invalidate hosts cache"
+description_flush_group="Will invalidate group cache"
+description_flush_passwd="Will invalidate passwd cache"
+description_flush_netgroup="Will invalidate netgroup cache"
+description_flush_services="Will invalidate services cache"
+
+pidfile="/run/nscd/nscd.pid"
+command="/usr/sbin/nscd"
+
+depend() {
+ use dns ldap net slapd logger
+}
+
+checkconfig() {
+ if [ ! -d /run/nscd ] ; then
+ checkpath -d -m 755 /run/nscd
+ fi
+
+ if [ -z "${NSCD_PERMS_OK}" ] && [ "$(stat -c %a /run/nscd)" != "755" ] ; then
+ ewarn "nscd run dir is not world readable, you should reset the perms:"
+ ewarn "chmod 755 /run/nscd"
+ ewarn "chmod a+rw /run/nscd/socket"
+ ewarn "To disable this warning, set 'NSCD_PERMS_OK' in /etc/conf.d/nscd"
+ fi
+
+ if grep -qs '^[[:space:]]*persistent\>' /etc/nscd.conf ; then
+ checkpath -d -m 700 /var/db/nscd
+ fi
+}
+
+_flush() {
+ local table=$1
+
+ ebegin "Flushing ${table} table"
+ ${command} --invalidate ${table}
+ eend $?
+}
+
+flush_all() {
+ local has_errors=0
+
+ ebegin "Flushing all caches"
+
+ local table=
+ for table in passwd group hosts netgroup services; do
+ ${command} --invalidate ${table}
+ [ $? -ne 0 ] && has_errors=1
+ done
+
+ eend ${has_errors}
+}
+
+flush_hosts() {
+ _flush hosts
+}
+
+flush_group() {
+ _flush group
+}
+
+flush_passwd() {
+ _flush passwd
+}
+
+flush_netgroup() {
+ _flush netgroup
+}
+
+flush_services() {
+ _flush services
+}
+
+start_pre() {
+ checkconfig
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
deleted file mode 100644
index 0cf43dcb7a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
+++ /dev/null
@@ -1,2 +0,0 @@
-L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf
-d /var/db/nscd - - - - -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.service b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.service
new file mode 100644
index 0000000000..25a3b1d9be
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Name Service Cache Daemon
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/nscd -F
+ExecStop=/usr/sbin/nscd --shutdown
+ExecReload=/usr/sbin/nscd -i passwd
+ExecReload=/usr/sbin/nscd -i group
+ExecReload=/usr/sbin/nscd -i hosts
+ExecReload=/usr/sbin/nscd -i services
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.tmpfilesd b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.tmpfilesd
new file mode 100644
index 0000000000..52edbba673
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.tmpfilesd
@@ -0,0 +1,4 @@
+# Configuration to create /run/nscd directory
+# Used as part of systemd's tmpfiles
+
+d /run/nscd 0755 root root
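Review bot: The new `nscd.service` unit starts `/usr/sbin/nscd -F` with no `User=` and no sandboxing directives in `[Service]`, so unless nscd.conf makes the daemon drop privileges itself it runs as full root while caching hosts, passwd and group lookups. Consider adding hardening the daemon can tolerate, for example `NoNewPrivileges=yes`, `ProtectHome=yes` and `PrivateTmp=yes`, and check the result against the state paths it needs (`/run/nscd` and, going by the OpenRC script in this commit, `/var/db/nscd`). `ExecReload` invalidates passwd, group, hosts and services but not netgroup, which the OpenRC script added alongside does flush; if that is deliberate a one-line comment in the unit would help.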
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.29-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.30-r8.ebuild similarity index 83% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.29-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.30-r8.ebuild index b92b9a2e2a..91e14345d4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.29-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.30-r8.ebuild @@ -1,17 +1,16 @@ -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=6 +EAPI=7 -PYTHON_COMPAT=( python3_{5,6,7} ) +PYTHON_COMPAT=( python3_{6,7} ) -inherit python-any-r1 prefix eutils eapi7-ver toolchain-funcs flag-o-matic gnuconfig \ +inherit python-any-r1 prefix eutils toolchain-funcs flag-o-matic gnuconfig \ multilib systemd multiprocessing DESCRIPTION="GNU libc C library" HOMEPAGE="https://www.gnu.org/software/libc/" LICENSE="LGPL-2.1+ BSD HPND ISC inner-net rc PCRE" -RESTRICT="strip" # Strip ourself #46186 SLOT="2.2" EMULTILIB_PKG="true" @@ -20,7 +19,7 @@ if [[ ${PV} == 9999* ]]; then EGIT_REPO_URI="https://sourceware.org/git/glibc.git" inherit git-r3 else - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc x86" + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86" SRC_URI="mirror://gnu/glibc/${P}.tar.xz" fi 
@@ -29,12 +28,13 @@ RELEASE_VER=${PV} GCC_BOOTSTRAP_VER=20180511 # Gentoo patchset -PATCH_VER=3 +PATCH_VER=10 +PATCH_DEV=dilfridge -SRC_URI+=" https://dev.gentoo.org/~dilfridge/distfiles/${P}-patches-${PATCH_VER}.tar.xz" +SRC_URI+=" https://dev.gentoo.org/~${PATCH_DEV}/distfiles/${P}-patches-${PATCH_VER}.tar.xz" SRC_URI+=" multilib? ( https://dev.gentoo.org/~dilfridge/distfiles/gcc-multilib-bootstrap-${GCC_BOOTSTRAP_VER}.tar.xz )" -IUSE="audit caps cet compile-locales doc gd headers-only +multiarch multilib nscd profile selinux +ssp suid systemtap test vanilla" +IUSE="audit caps cet compile-locales +crypt custom-cflags doc gd headers-only +multiarch multilib nscd profile selinux +ssp +static-libs suid systemtap test vanilla" # Minimum kernel version that glibc requires MIN_KERN_VER="3.2.0" 
@@ -61,10 +61,38 @@ if [[ ${CTARGET} == ${CHOST} ]] ; then fi fi +# Note [Disable automatic stripping] +# Disabling automatic stripping for a few reasons: +# - portage's attempt to strip breaks non-native binaries at least on +# arm: bug #697428 +# - portage's attempt to strip libpthread.so.0 breaks gdb thread +# enumeration: bug #697910. This is quite subtle: +# * gdb uses glibc's libthread_db-1.0.so to enumerate threads. +# * libthread_db-1.0.so needs access to libpthread.so.0 local symbols +# via 'ps_pglobal_lookup' symbol defined in gdb. +# * 'ps_pglobal_lookup' uses '.symtab' section table to resolve all +# known symbols in 'libpthread.so.0'. Specifically 'nptl_version' +# (unexported) is used to sanity check compatibility before enabling +# debugging. +# Also see https://sourceware.org/gdb/wiki/FAQ#GDB_does_not_see_any_threads_besides_the_one_in_which_crash_occurred.3B_or_SIGTRAP_kills_my_program_when_I_set_a_breakpoint +# * normal 'strip' command trims '.symtab' +# Thus our main goal here is to prevent 'libpthread.so.0' from +# losing it's '.symtab' entries. +# As Gentoo's strip does not allow us to pass less aggressive stripping +# options and does not check the machine target we strip selectively. + # We need a new-enough binutils/gcc to match upstream baseline. # Also we need to make sure our binutils/gcc supports TLS, # and that gcc already contains the hardened patches. +BDEPEND=" + ${PYTHON_DEPS} + >=app-misc/pax-utils-0.1.10 + sys-devel/bison + !=${CATEGORY}/binutils-2.24 >=${CATEGORY}/gcc-6 )" [[ ${CATEGORY} == *-linux* ]] && DEPEND+=" ${CATEGORY}/linux-headers" else - DEPEND+=" + BDEPEND+=" >=sys-devel/binutils-2.24 >=sys-devel/gcc-6 - virtual/os-headers " + DEPEND+=" virtual/os-headers " RDEPEND+=" + >=net-dns/libidn2-2.3.0 vanilla? ( !sys-libs/timezone-data ) " PDEPEND+=" !vanilla? 
( sys-libs/timezone-data )" fi +# Ignore tests whitelisted below +GENTOO_GLIBC_XFAIL_TESTS="${GENTOO_GLIBC_XFAIL_TESTS:-yes}" + +# The following tests fail due to the Gentoo build system and are thus +# executed but ignored: +XFAIL_TEST_LIST=( + # 1) Sandbox + tst-ldconfig-bad-aux-cache + tst-pldd + tst-mallocfork2 + tst-nss-db-endgrent + tst-nss-db-endpwent + tst-nss-files-hosts-long + tst-nss-test3 + # 2) Namespaces and cgroup + tst-locale-locpath + # 9) Failures of unknown origin + tst-latepthread + + # buggy test, fixed in glibc-2.31 in 70ba28f7ab29 + tst-pkey + + # buggy test, assumes /dev/ and /dev/null on a single filesystem + # 'mount --bind /dev/null /chroot/dev/null' breaks it. + # https://sourceware.org/PR25909 + tst-support_descriptors + + # Flaky test, known to fail occasionally: + # https://sourceware.org/PR19329 + # https://bugs.gentoo.org/719674#c12 + tst-stack4 +) + # # Small helper functions # @@ -124,6 +178,18 @@ alt_prefix() { is_crosscompile && echo /usr/${CTARGET} } +# This prefix is applicable to CHOST when building against this +# glibc. It is baked into the library at configure time. +host_eprefix() { + is_crosscompile || echo "${EPREFIX}" +} + +# This prefix is applicable to CBUILD when building against this +# glibc. It determines the destination path at install time. +build_eprefix() { + is_crosscompile && echo "${EPREFIX}" +} + # We need to be able to set alternative headers for compiling for non-native # platform. Will also become useful for testing kernel-headers without screwing # up the whole system. @@ -133,7 +199,7 @@ alt_headers() { alt_build_headers() { if [[ -z ${ALT_BUILD_HEADERS} ]] ; then - ALT_BUILD_HEADERS="${EPREFIX}$(alt_headers)" + ALT_BUILD_HEADERS="$(host_eprefix)$(alt_headers)" if tc-is-cross-compiler ; then ALT_BUILD_HEADERS=${SYSROOT}$(alt_headers) if [[ ! -e ${ALT_BUILD_HEADERS}/linux/version.h ]] ; then 
@@ -166,7 +232,7 @@ do_compile_test() { rm -f glibc-test* printf '%b' "$*" > glibc-test.c - nonfatal emake -s glibc-test + nonfatal emake glibc-test ret=$? popd >/dev/null @@ -214,7 +280,7 @@ setup_target_flags() { # We could change main to _start and pass -nostdlib here so that we # only test the gcc code compilation. Or we could do a compile and # then look for the symbol via scanelf. - if ! do_compile_test "" 'void f(int i, void *p) {if (__sync_fetch_and_add(&i, 1)) f(i, p);}\nint main(){return 0;}\n' 2>/dev/null ; then + if ! do_compile_test "" 'void f(int i, void *p) {if (__sync_fetch_and_add(&i, 1)) f(i, p);}\nint main(){return 0;}\n'; then local t=${CTARGET_OPT:-${CTARGET}} t=${t%%-*} filter-flags '-march=*' @@ -224,10 +290,9 @@ setup_target_flags() { ;; amd64) # -march needed for #185404 #199334 - # Note: This test only matters when the x86 ABI is enabled, so we could - # optimize a bit and elide it. # TODO: See cross-compile issues listed above for x86. - if ! do_compile_test "${CFLAGS_x86}" 'void f(int i, void *p) {if (__sync_fetch_and_add(&i, 1)) f(i, p);}\nint main(){return 0;}\n' 2>/dev/null ; then + [[ ${ABI} == x86 ]] && + if ! do_compile_test "${CFLAGS_x86}" 'void f(int i, void *p) {if (__sync_fetch_and_add(&i, 1)) f(i, p);}\nint main(){return 0;}\n'; then local t=${CTARGET_OPT:-${CTARGET}} t=${t%%-*} # Normally the target is x86_64-xxx, so turn that into the -march that 
@@ -237,9 +302,15 @@ setup_target_flags() { # ugly, ugly, ugly. ugly. CFLAGS_x86=$(CFLAGS=${CFLAGS_x86} filter-flags '-march=*'; echo "${CFLAGS}") export CFLAGS_x86="${CFLAGS_x86} -march=${t}" - einfo "Auto adding -march=${t} to CFLAGS_x86 #185404" + einfo "Auto adding -march=${t} to CFLAGS_x86 #185404 (ABI=${ABI})" fi ;; + ia64) + # Workaround GPREL22 overflow by slightly pessimizing global + # references to go via 64-bit relocations instead of 22-bit ones. + # This allows building glibc on ia64 without an overflow: #723268 + append-flags -fcommon + ;; mips) # The mips abi cannot support the GNU style hashes. #233233 filter-ldflags -Wl,--hash-style=gnu -Wl,--hash-style=both 
@@ -249,77 +320,27 @@ setup_target_flags() { filter-flags "-fcall-used-g7" append-flags "-fcall-used-g6" - # If the CHOST is the basic one (e.g. not sparcv9-xxx already), - # try to pick a better one so glibc can use cpu-specific .S files. - # We key off the CFLAGS to get a good value. Also need to handle - # version skew. - # We can't force users to set their CHOST to their exact machine - # as many of these are not recognized by config.sub/gcc and such :(. - # Note: If the mcpu values don't scale, we might try probing CPP defines. - # Note: Should we factor in -Wa,-AvXXX flags too ? Or -mvis/etc... ? - local cpu case ${CTARGET} in sparc64-*) + cpu="sparc64" case $(get-flag mcpu) in - niagara[234]) - if ver_test -ge 2.8 ; then - cpu="sparc64v2" - elif ver_test -ge 2.4 ; then - cpu="sparc64v" - elif ver_test -ge 2.2.3 ; then - cpu="sparc64b" - fi - ;; - niagara) - if ver_test -ge 2.4 ; then - cpu="sparc64v" - elif ver_test -ge 2.2.3 ; then - cpu="sparc64b" - fi - ;; - ultrasparc3) - cpu="sparc64b" - ;; - *) + v9) # We need to force at least v9a because the base build doesn't # work with just v9. # https://sourceware.org/bugzilla/show_bug.cgi?id=19477 - [[ -z ${cpu} ]] && append-flags "-Wa,-xarch=v9a" + append-flags "-Wa,-xarch=v9a" ;; esac ;; sparc-*) case $(get-flag mcpu) in - niagara[234]) - if ver_test -ge 2.8 ; then - cpu="sparcv9v2" - elif ver_test -ge 2.4 ; then - cpu="sparcv9v" - elif ver_test -ge 2.2.3 ; then - cpu="sparcv9b" - else - cpu="sparcv9" - fi - ;; - niagara) - if ver_test -ge 2.4 ; then - cpu="sparcv9v" - elif ver_test -ge 2.2.3 ; then - cpu="sparcv9b" - else - cpu="sparcv9" - fi - ;; - ultrasparc3) - cpu="sparcv9b" - ;; - v9|ultrasparc) - cpu="sparcv9" - ;; v8|supersparc|hypersparc|leon|leon3) cpu="sparcv8" ;; + *) + cpu="sparcv9" + ;; esac ;; esac 
@@ -343,11 +364,18 @@ setup_flags() { ASFLAGS_BASE=${ASFLAGS_BASE-${ASFLAGS}} ASFLAGS=${ASFLAGS_BASE} - # Over-zealous CFLAGS can often cause problems. What may work for one - # person may not work for another. To avoid a large influx of bugs - # relating to failed builds, we strip most CFLAGS out to ensure as few - # problems as possible. - strip-flags + # Allow users to explicitly avoid flag sanitization via + # USE=custom-cflags. + if ! use custom-cflags; then + # Over-zealous CFLAGS can often cause problems. What may work for one + # person may not work for another. To avoid a large influx of bugs + # relating to failed builds, we strip most CFLAGS out to ensure as few + # problems as possible. + strip-flags + # Lock glibc at -O2; we want to be conservative here. + filter-flags '-O?' + append-flags -O2 + fi strip-unsupported-flags filter-flags -m32 -m64 '-mabi=*' @@ -369,10 +397,9 @@ setup_flags() { CBUILD_OPT=${CTARGET_OPT} fi - # Lock glibc at -O2; we want to be conservative here. - # -fno-strict-aliasing is to work around #155906. - filter-flags '-O?' - append-flags -O2 -fno-strict-aliasing + # glibc's headers disallow -O0 and fail at build time: + # include/libc-symbols.h:75:3: #error "glibc cannot be compiled without optimization" + replace-flags -O0 -O1 filter-flags '-fstack-protector*' } @@ -464,7 +491,7 @@ setup_env() { # configure script checks CFLAGS for some targets (like mips). Keep # around the original clean value to avoid appending multiple ABIs on # top of each other. - : ${__GLIBC_CC:=$(tc-getCC ${CTARGET_OPT:-${CTARGET}})} + : ${__GLIBC_CC:=$(tc-getCC ${CTARGET})} export __GLIBC_CC CC="${__GLIBC_CC} ${!VAR}" einfo " $(printf '%15s' 'Manual CC:') ${CC}" } 
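Review bot: With `USE=custom-cflags` the new branch in setup_flags skips both `strip-flags` and the `-O2` lock, so user-exported CFLAGS reach the libc build with only `strip-unsupported-flags` and the later `filter-flags` calls applied, and nothing in the build log records that the sanitisation was bypassed. An `else` arm such as `ewarn "USE=custom-cflags set: CFLAGS are passed through unsanitized"` would make that visible when a miscompiled libc is being diagnosed. The next hunk also drops `-fno-strict-aliasing` (the #155906 workaround) without saying why it is no longer needed; a short comment there or a line in the commit message would help. setup_flags starts and ends outside these hunks.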
@@ -495,27 +522,6 @@ glibc_banner() { echo "${b}" } -check_devpts() { - # Make sure devpts is mounted correctly for use w/out setuid pt_chown. - - # If merely building the binary package, then there's nothing to verify. - [[ ${MERGE_TYPE} == "buildonly" ]] && return - - # Only sanity check when installing the native glibc. - [[ ${ROOT} != "/" ]] && return - - # If they're opting in to the old suid code, then no need to check. - use suid && return - - if awk '$3 == "devpts" && $4 ~ /[, ]gid=5[, ]/ { exit 1 }' /proc/mounts ; then - eerror "In order to use glibc with USE=-suid, you must make sure that" - eerror "you have devpts mounted at /dev/pts with the gid=5 option." - eerror "Openrc should do this for you, so you should check /etc/fstab" - eerror "and make sure you do not have any invalid settings there." - die "mount & fix your /dev/pts settings" - fi -} - # The following Kernel version handling functions are mostly copied from portage # source. It's better not to use linux-info.eclass here since a) it adds too # much magic, see bug 326693 for some of the arguments, and b) some of the @@ -577,7 +583,7 @@ eend_KV() { get_kheader_version() { printf '#include \nLINUX_VERSION_CODE\n' | \ - $(tc-getCPP ${CTARGET}) -I "${EPREFIX}/$(alt_build_headers)" - | \ + $(tc-getCPP ${CTARGET}) -I "$(build_eprefix)$(alt_build_headers)" - | \ tail -n 1 } @@ -587,7 +593,7 @@ get_kheader_version() { sanity_prechecks() { # Prevent native builds from downgrading if [[ ${MERGE_TYPE} != "buildonly" ]] && \ - [[ ${ROOT} == "/" ]] && \ + [[ -z ${ROOT} ]] && \ [[ ${CBUILD} == ${CHOST} ]] && \ [[ ${CHOST} == ${CTARGET} ]] ; then 
@@ -598,7 +604,7 @@ sanity_prechecks() { if has_version ">${CATEGORY}/${P}-r10000" ; then eerror "Sanity check to keep you from breaking your system:" eerror " Downgrading glibc is not supported and a sure way to destruction." - die "Aborting to save your system." + [[ ${I_ALLOW_TO_BREAK_MY_SYSTEM} = yes ]] || die "Aborting to save your system." fi if ! do_run_test '#include \n#include \nint main(){return syscall(1000)!=-1;}\n' ; then @@ -707,6 +713,14 @@ sanity_prechecks() { # the phases # +# pkg_pretend + +pkg_pretend() { + # All the checks... + einfo "Checking general environment sanity." + sanity_prechecks +} + pkg_setup() { # see bug 682570 [[ -z ${BOOTSTRAP_RAP} ]] && python-any-r1_pkg_setup @@ -732,10 +746,6 @@ src_unpack() { unpack glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.xz } -PATCHES=( - "${FILESDIR}"/2.25/glibc-2.25-gshadow-handle-erange.patch -) - src_prepare() { if ! use vanilla ; then elog "Applying Gentoo Glibc Patchset ${RELEASE_VER}-${PATCH_VER}" @@ -823,7 +833,11 @@ glibc_do_configure() { myconf+=( --enable-stack-protector=no ) ;; *) - myconf+=( --enable-stack-protector=$(usex ssp all no) ) + # Use '=strong' instead of '=all' to protect only functions + # worth protecting from stack smashes. + # '=all' is also known to have a problem in IFUNC resolution + # tests: https://sourceware.org/PR25680, bug #712356. + myconf+=( --enable-stack-protector=$(usex ssp strong no) ) ;; esac myconf+=( --enable-stackguard-randomization ) 
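Review bot: The downgrade guard in sanity_prechecks can now be bypassed by exporting `I_ALLOW_TO_BREAK_MY_SYSTEM=yes`, but neither the `eerror` text nor a comment mentions the variable, and a bypass leaves no trace in the build log. Because this check is what stops a native system from ending up with a libc older than the binaries linked against it, I would document the override next to the check and log its use, e.g. `if [[ ${I_ALLOW_TO_BREAK_MY_SYSTEM} == yes ]]; then ewarn "glibc downgrade check overridden by I_ALLOW_TO_BREAK_MY_SYSTEM"; else die "Aborting to save your system."; fi`. The test also uses `=` where the surrounding conditions use `==`. sanity_prechecks continues outside the hunk.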
@@ -883,16 +897,17 @@ glibc_do_configure() { --host=${CTARGET_OPT:-${CTARGET}} $(use_enable profile) $(use_with gd) - --with-headers=$(alt_build_headers) - --prefix="${EPREFIX}/usr" - --sysconfdir="${EPREFIX}/etc" - --localstatedir="${EPREFIX}/var" + --with-headers=$(build_eprefix)$(alt_build_headers) + --prefix="$(host_eprefix)/usr" + --sysconfdir="$(host_eprefix)/etc" + --localstatedir="$(host_eprefix)/var" --libdir='$(prefix)'/$(get_libdir) --mandir='$(prefix)'/share/man --infodir='$(prefix)'/share/info --libexecdir='$(libdir)'/misc/glibc --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion="$(glibc_banner)" + $(use_enable crypt) $(use_multiarch || echo --disable-multi-arch) $(use_enable systemtap) $(use_enable nscd) @@ -908,8 +923,8 @@ glibc_do_configure() { # There is no configure option for this and we need to export it # since the glibc build will re-run configure on itself - export libc_cv_rootsbindir="${EPREFIX}/sbin" - export libc_cv_slibdir="${EPREFIX}/$(get_libdir)" + export libc_cv_rootsbindir="$(host_eprefix)/sbin" + export libc_cv_slibdir="$(host_eprefix)/$(get_libdir)" # We take care of patching our binutils to use both hash styles, # and many people like to force gnu hash style only, so disable @@ -1037,8 +1052,8 @@ glibc_headers_configure() { --enable-bind-now --build=${CBUILD_OPT:-${CBUILD}} --host=${CTARGET_OPT:-${CTARGET}} - --with-headers=$(alt_build_headers) - --prefix="${EPREFIX}/usr" + --with-headers=$(build_eprefix)$(alt_build_headers) + --prefix="$(host_eprefix)/usr" ${EXTRA_ECONF} ) @@ -1075,7 +1090,7 @@ src_configure() { } do_src_compile() { - emake -C "$(builddir nptl)" || die "make nptl for ${ABI} failed" + emake -C "$(builddir nptl)" } src_compile() { 
@@ -1088,7 +1103,15 @@ src_compile() { glibc_src_test() { cd "$(builddir nptl)" - emake check + + local myxfailparams="" + if [[ "${GENTOO_GLIBC_XFAIL_TESTS}" == "yes" ]] ; then + for myt in ${XFAIL_TEST_LIST[@]} ; do + myxfailparams+="test-xfail-${myt}=yes " + done + fi + + emake ${myxfailparams} check } do_src_test() { @@ -1114,21 +1137,33 @@ src_test() { run_locale_gen() { # if the host locales.gen contains no entries, we'll install everything local root="$1" + local inplace="" + + if [[ "${root}" == "--inplace-glibc" ]] ; then + inplace="--inplace-glibc" + root="$2" + fi + local locale_list="${root}/etc/locale.gen" + + pushd "${ED}"/$(get_libdir) >/dev/null + if [[ -z $(locale-gen --list --config "${locale_list}") ]] ; then - ewarn "Generating all locales; edit /etc/locale.gen to save time/space" + [[ -z ${inplace} ]] && ewarn "Generating all locales; edit /etc/locale.gen to save time/space" locale_list="${root}/usr/share/i18n/SUPPORTED" fi - locale-gen --jobs $(makeopts_jobs) --config "${locale_list}" \ + locale-gen ${inplace} --jobs $(makeopts_jobs) --config "${locale_list}" \ --destdir "${root}" + + popd >/dev/null } glibc_do_src_install() { local builddir=$(builddir nptl) cd "${builddir}" - emake install_root="${D}$(alt_prefix)" install || die + emake install_root="${D}/$(build_eprefix)$(alt_prefix)" install # This version (2.26) provides some compatibility libraries for the NIS/NIS+ support # which come without headers etc. Only needed for binary packages since the 
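Review bot: In glibc_src_test the loop variable `myt` is not declared `local` and `${XFAIL_TEST_LIST[@]}` is expanded unquoted, with the parameters then glued into one string that is word-split again at `emake ${myxfailparams} check`. An array avoids both the leaked variable and the double splitting: `local myt myxfailparams=()`, `myxfailparams+=( "test-xfail-${myt}=yes" )` and `emake "${myxfailparams[@]}" check`. Since `GENTOO_GLIBC_XFAIL_TESTS` defaults to `yes`, failures in the listed tests (including the NSS and `tst-pkey` ones) are ignored on every default build, so an `einfo` naming the tests being xfailed would keep that visible in the log.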
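Review bot: `pushd "${ED}"/$(get_libdir) >/dev/null` in run_locale_gen has no `|| die`, so if that directory is missing the function keeps running `locale-gen` from the caller's working directory and the closing `popd` then pops an unrelated stack entry. run_locale_gen is also called from pkg_postinst (last ebuild hunk), where it is worth confirming that the image directory is still present. Suggested change: `pushd "${ED}"/$(get_libdir) >/dev/null || die` and `popd >/dev/null || die`.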
@@ -1141,13 +1176,20 @@ glibc_do_src_install() { # '#define VERSION "2.26.90"' -> '2.26.90' local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h) - if [[ -e ${ED}$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then + # Avoid stripping binaries not targeted by ${CHOST}. Or else + # ${CHOST}-strip would break binaries build for ${CTARGET}. + is_crosscompile && dostrip -x / + # gdb thread introspection relies on local libpthreas symbols. stripping breaks it + # See Note [Disable automatic stripping] + dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so + + if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then # Move versioned .a file out of libdir to evade portage QA checks # instead of using gen_usr_ldscript(). We fix ldscript as: # "GROUP ( /usr/lib64/libm-.a ..." -> "GROUP ( /usr/lib64/glibc-/libm-.a ..." - sed -i "s@\(libm-${upstream_pv}.a\)@${P}/\1@" "${ED}"$(alt_usrlibdir)/libm.a || die + sed -i "s@\(libm-${upstream_pv}.a\)@${P}/\1@" "${ED}"/$(alt_usrlibdir)/libm.a || die dodir $(alt_usrlibdir)/${P} - mv "${ED}"$(alt_usrlibdir)/libm-${upstream_pv}.a "${ED}"$(alt_usrlibdir)/${P}/libm-${upstream_pv}.a || die + mv "${ED}"/$(alt_usrlibdir)/libm-${upstream_pv}.a "${ED}"/$(alt_usrlibdir)/${P}/libm-${upstream_pv}.a || die fi # We'll take care of the cache ourselves 
@@ -1305,31 +1347,15 @@ glibc_do_src_install() { # Generate all locales if this is a native build as locale generation if use compile-locales && ! is_crosscompile ; then - run_locale_gen "${ED}" + run_locale_gen --inplace-glibc "${ED}/" + sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die fi - - ## COREOS: Add some local changes: - # - Config files are installed by baselayout, not glibc. - # - Install nscd/systemd stuff in /usr. - - # Use tmpfiles to put nscd.conf in /etc and create directories. - insinto /usr/share/baselayout - if ! in_iuse nscd || use nscd ; then - doins "${S}"/nscd/nscd.conf || die - systemd_newtmpfilesd "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die - fi - - # Clean out any default configs. - rm -rf "${ED}"/etc - - # Restore this one for the SDK. - test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc } glibc_headers_install() { local builddir=$(builddir "headers") cd "${builddir}" - emake install_root="${D}$(alt_prefix)" install-headers + emake install_root="${D}/$(build_eprefix)$(alt_prefix)" install-headers insinto $(alt_headers)/gnu doins "${S}"/include/gnu/stubs.h 
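Review bot: This hunk removes the whole `## COREOS: Add some local changes` block from glibc_do_src_install, including `rm -rf "${ED}"/etc` and the `nscd-conf.tmpfiles` install, so with this patch applied on its own glibc would install its default files under `/etc` instead of leaving configuration to baselayout as the removed comment described. The subject says `[PATCH 1/2]`, so the second patch may well restore the block, but the commit message here only mentions syncing with upstream Gentoo; please state that the local changes are re-applied separately, or keep them in this commit so that each commit in the series builds a consistent image. glibc_do_src_install starts outside the hunk.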
@@ -1340,23 +1366,6 @@ glibc_headers_install() { dosym usr/include $(alt_prefix)/sys-include } -src_strip() { - # gdb is lame and requires some debugging information to remain in - # libpthread, so we need to strip it by hand. libthread_db makes no - # sense stripped as it is only used when debugging. - local pthread=$(has splitdebug ${FEATURES} && echo "libthread_db" || echo "lib{pthread,thread_db}") - env \ - -uRESTRICT \ - CHOST=${CTARGET} \ - STRIP_MASK="/*/{,tls/}${pthread}*" \ - prepallstrip - # if user has stripping enabled and does not have split debug turned on, - # then leave the debugging sections in libpthread. - if ! has nostrip ${FEATURES} && ! has splitdebug ${FEATURES} ; then - ${STRIP:-${CTARGET}-strip} --strip-debug "${ED}"$(alt_prefix)/*/libpthread-*.so - fi -} - src_install() { if just_headers ; then export ABI=default @@ -1365,7 +1374,11 @@ src_install() { fi foreach_abi glibc_do_src_install - src_strip + + if ! use static-libs ; then + elog "Not installing static glibc libraries" + find "${ED}" -name "*.a" -and -not -name "*_nonshared.a" -delete + fi } # Simple test to make sure our new glibc isn't completely broken. @@ -1418,7 +1431,7 @@ pkg_preinst() { einfo "Defaulting /etc/host.conf:multi to on" fi - [[ ${ROOT} != "/" ]] && return 0 + [[ -n ${ROOT} ]] && return 0 [[ -d ${ED}/$(get_libdir) ]] || return 0 [[ -z ${BOOTSTRAP_RAP} ]] && glibc_sanity_check } 
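Review bot: `[[ -n ${ROOT} ]] && return 0` in pkg_preinst only behaves like the old `!= "/"` test when ROOT is exported without a trailing slash, which is EAPI 7 behaviour. The EAPI line is outside this hunk, so that is worth confirming: under an older EAPI, ROOT is `/` for the live system and glibc_sanity_check would never run. The same assumption is made by `[[ -z ${ROOT} ]]` in the pkg_postinst hunk that follows. A short comment above the test, for example `# EAPI 7: ROOT is empty when installing to /`, would record the dependency. pkg_preinst starts outside the hunk.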
@@ -1429,15 +1442,11 @@ pkg_postinst() { if ! tc-is-cross-compiler && [[ -x ${EROOT}/usr/sbin/iconvconfig ]] ; then # Generate fastloading iconv module configuration file. - "${EROOT}"/usr/sbin/iconvconfig --prefix="${ROOT}" + "${EROOT}"/usr/sbin/iconvconfig --prefix="${ROOT}/" fi - if ! is_crosscompile && [[ ${ROOT} == "/" ]] ; then - # Reload init ... if in a chroot or a diff init package, ignore - # errors from this step #253697 - /sbin/telinit U 2>/dev/null - - use compile-locales || run_locale_gen "${EROOT}" + if ! is_crosscompile && [[ -z ${ROOT} ]] ; then + use compile-locales || run_locale_gen "${EROOT}/" fi # Check for sanity of /etc/nsswitch.conf, take 2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/metadata.xml index 58d861be03..6630fde73e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/metadata.xml @@ -8,12 +8,14 @@ Enable Intel Control-flow Enforcement Technology (needs binutils 2.29 and gcc 8) build *all* locales in src_install; this is generally meant for stage building only as it ignores /etc/locale.gen file and can be pretty slow + build and install libcrypt and crypt.h When USE=hardened, allow fortify/stack violations to dump core (SIGABRT) and not kill self (SIGKILL) build memusage and memusagestat tools enable optimizations for multiple CPU architectures (detected at runtime) Build, and enable support for, the Name Service Cache Daemon Enable obsolete RPC/NIS layers protect stack of glibc internals + Enable static PIE support (runtime files for -static-pie gcc option). Make internal pt_chown helper setuid -- not needed if using Linux and have /dev/pts mounted with gid=5 enable systemtap static probe points From 930c8a40fad268c6404fd67b76950407b7d911cc Mon Sep 17 00:00:00 2001 
From: Dongsu Park Date: Fri, 19 Jun 2020 15:48:47 +0200 Subject: [PATCH 2/2] sys-libs/glibc: Apply Flatcar changes Drop pkg_pretend since it breaks build_image if cross-compilers are not installed yet (e.g. in Jenkins jobs). Drop the libidn2 runtime dependency since it breaks bootstrapping, and it's dlopen()ed so the resolver can work without it. Drop the host /dev/pts checks since the SDK doesn't control it. Apply our gshadow segfault patch, and adapt into glibc 2.30. Install nscd.conf in /usr and set up tmpfiles to link it in /etc. Wipe out /etc files (except for an environment file that is still needed in the SDK). Originally comes from eb07324f4de3 ("sys-libs/glibc: Apply CoreOS changes"). --- .../glibc-2.25-gshadow-handle-erange.patch | 112 ++++++++++++++++++ .../sys-libs/glibc/files/nscd-conf.tmpfiles | 2 + .../sys-libs/glibc/glibc-2.30-r8.ebuild | 30 +++-- 3 files changed, 135 insertions(+), 9 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.25/glibc-2.25-gshadow-handle-erange.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.25/glibc-2.25-gshadow-handle-erange.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.25/glibc-2.25-gshadow-handle-erange.patch new file mode 100644 index 0000000000..53df574233 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.25/glibc-2.25-gshadow-handle-erange.patch 
@@ -0,0 +1,112 @@ +From 74250a7cdf106d4ca7d9506e6d5dc7c448dc3434 Mon Sep 17 00:00:00 2001 +From: Dongsu Park +Date: Fri Jun 19 15:48:47 2020 +0200 +Subject: [PATCH] gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c + + [BZ #20338] + * gshadow/fgetsgent_r.c: Include . + (flockfile): New macro. + (funlockfile): Likewise. + (__fgetsgent_r): Sync with __fgetgrent_r. + * nss/nss_files/files-sgrp.c: Fix "fgetsgent_r.c" typo. + + Originally written by David Michael. +--- + gshadow/fgetsgent_r.c | 35 ++++++++++++++++++++++++----------- + nss/nss_files/files-sgrp.c | 2 +- + 2 files changed, 25 insertions(+), 12 deletions(-) + +diff --git a/gshadow/fgetsgent_r.c b/gshadow/fgetsgent_r.c +index b70f6fa..02cd33a 100644 +--- a/gshadow/fgetsgent_r.c ++++ b/gshadow/fgetsgent_r.c +@@ -20,39 +20,44 @@ + #include + #include + ++#include ++#define flockfile(s) _IO_flockfile (s) ++#define funlockfile(s) _IO_funlockfile (s) ++ + /* Define a line parsing function using the common code + used in the nss_files module. */ + + #define STRUCTURE sgrp + #define ENTNAME sgent +-#define EXTERN_PARSER 1 ++#define EXTERN_PARSER 1 + struct sgent_data {}; + + #include + + +-/* Read one shadow entry from the given stream. */ ++/* Read one entry from the given stream. 
*/ + int + __fgetsgent_r (FILE *stream, struct sgrp *resbuf, char *buffer, size_t buflen, + struct sgrp **result) + { + char *p; ++ int parse_result; + +- _IO_flockfile (stream); ++ flockfile (stream); + do + { + buffer[buflen - 1] = '\xff'; + p = fgets_unlocked (buffer, buflen, stream); +- if (p == NULL && feof_unlocked (stream)) ++ if (__builtin_expect (p == NULL, 0) && feof_unlocked (stream)) + { +- _IO_funlockfile (stream); ++ funlockfile (stream); + *result = NULL; + __set_errno (ENOENT); + return errno; + } +- if (p == NULL || buffer[buflen - 1] != '\xff') ++ if (__builtin_expect (p == NULL, 0) || buffer[buflen - 1] != '\xff') + { +- _IO_funlockfile (stream); ++ funlockfile (stream); + *result = NULL; + __set_errno (ERANGE); + return errno; +@@ -61,10 +66,18 @@ __fgetsgent_r (FILE *stream, struct sgrp *resbuf, char *buffer, size_t buflen, + } while (*p == '\0' || *p == '#' /* Ignore empty and comment lines. */ + /* Parse the line. If it is invalid, loop to + get the next line of the file to parse. */ +- || ! parse_line (buffer, (void *) resbuf, (void *) buffer, buflen, +- &errno)); ++ || ! (parse_result = parse_line (p, resbuf, ++ (void *) buffer, buflen, ++ &errno))); ++ ++ funlockfile (stream); + +- _IO_funlockfile (stream); ++ if (__builtin_expect (parse_result, 0) == -1) ++ { ++ /* The parser ran out of space. */ ++ *result = NULL; ++ return errno; ++ } + + *result = resbuf; + return 0; +diff --git a/nss/nss_files/files-sgrp.c b/nss/nss_files/files-sgrp.c +index 15dc659..05c3805 100644 +--- a/nss/nss_files/files-sgrp.c ++++ b/nss/nss_files/files-sgrp.c +@@ -23,7 +23,7 @@ + #define DATABASE "gshadow" + struct sgent_data {}; + +-/* Our parser function is already defined in sgetspent_r.c, so use that ++/* Our parser function is already defined in sgetsgent_r.c, so use that + to parse lines from the database file. */ + #define EXTERN_PARSER + #include "files-parse.c" +-- +2.7.4 + 
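Review bot: Both ERANGE returns in __fgetsgent_r leave the stream positioned after the bytes already consumed: the `buffer[buflen - 1] != '\xff'` branch returns after fgets_unlocked has taken part of a line, and the new `parse_result == -1` branch returns after the whole line was read. A caller that retries with a larger buffer, as is usual for the _r interfaces, would then parse the tail of a long gshadow line as its own entry or skip the entry altogether. Recording the offset before the read and seeking back on ERANGE avoids this; the excerpt below covers the truncation branch, and the parser branch needs the same rewind placed before `funlockfile (stream)`. Separately, `__builtin_expect (parse_result, 0) == -1` hints that parse_result is 0 although the loop only exits when it is non-zero; `__builtin_expect (parse_result == -1, 0)` says what is meant. Part of the loop body lies between the two inner hunks and is not shown, so confirm nothing there already restores the position.

```c
  int parse_result;
  off_t line_start;
  /* … unchanged: flockfile (stream), start of the do loop, sentinel byte … */
      /* Remember where this line begins so an ERANGE return can undo the read.  */
      line_start = ftello (stream);
      p = fgets_unlocked (buffer, buflen, stream);
  /* … unchanged: ENOENT return at end of file … */
      if (__builtin_expect (p == NULL, 0) || buffer[buflen - 1] != '\xff')
        {
          /* Rewind so a retry with a larger buffer reads the whole line.  */
          if (line_start != -1)
            fseeko (stream, line_start, SEEK_SET);
  /* … unchanged: unlock, clear *result, set and return ERANGE … */
        }
```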
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles new file mode 100644 index 0000000000..0cf43dcb7a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles @@ -0,0 +1,2 @@ +L /etc/nscd.conf - - - - ../usr/share/baselayout/nscd.conf +d /var/db/nscd - - - - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.30-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.30-r8.ebuild index 91e14345d4..e99b7fcf34 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.30-r8.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.30-r8.ebuild @@ -123,7 +123,6 @@ else " DEPEND+=" virtual/os-headers " RDEPEND+=" - >=net-dns/libidn2-2.3.0 vanilla? ( !sys-libs/timezone-data ) " PDEPEND+=" !vanilla? ( sys-libs/timezone-data )" @@ -713,14 +712,6 @@ sanity_prechecks() { # the phases # -# pkg_pretend - -pkg_pretend() { - # All the checks... - einfo "Checking general environment sanity." - sanity_prechecks -} - pkg_setup() { # see bug 682570 [[ -z ${BOOTSTRAP_RAP} ]] && python-any-r1_pkg_setup @@ -746,6 +737,10 @@ src_unpack() { unpack glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.xz } +PATCHES=( + "${FILESDIR}"/2.25/glibc-2.25-gshadow-handle-erange.patch +) + src_prepare() { if ! use vanilla ; then elog "Applying Gentoo Glibc Patchset ${RELEASE_VER}-${PATCH_VER}" 
@@ -1350,6 +1345,23 @@ glibc_do_src_install() { run_locale_gen --inplace-glibc "${ED}/" sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die fi + + ## Flatcar: Add some local changes: + # - Config files are installed by baselayout, not glibc. + # - Install nscd/systemd stuff in /usr. + + # Use tmpfiles to put nscd.conf in /etc and create directories. + insinto /usr/share/baselayout + if ! in_iuse nscd || use nscd ; then + doins "${S}"/nscd/nscd.conf || die + systemd_newtmpfilesd "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die + fi + + # Clean out any default configs. + rm -rf "${ED}"/etc + + # Restore this one for the SDK. + test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc } glibc_headers_install() {