Merge pull request #1685 from flatcar/krnowak/selinux-followup

Prepare SELinux packages in overlay for upstreaming

.github/workflows/portage-stable-packages-list

@@ -186,6 +186,7 @@ dev-lang/perl
 dev-lang/python
 dev-lang/python-exec
 dev-lang/python-exec-conf
+dev-lang/swig
 dev-lang/yasm
 
 dev-libs/cJSON
@@ -565,6 +566,7 @@ sys-libs/zlib
 
 sys-power/acpid
 
+sys-process/audit
 sys-process/lsof
 sys-process/procps
 sys-process/psmisc

changelog/updates/2024-03-01-selinux-followup.md

@@ -0,0 +1,3 @@
+- policycoreutils ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
+- libsemanage ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
+- audit ([3.1.1](https://github.com/linux-audit/audit-userspace/releases/tag/v3.1.1))

sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild

@@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
-IUSE="openssh ntp"
+IUSE="audit ntp openssh policycoreutils"
 
 # No source directory.
 S="${WORKDIR}"
@@ -23,15 +23,17 @@ S="${WORKDIR}"
 # net-misc/openssh must be installed on host for enabling its unit to
 # work during installation.
 DEPEND="
-	openssh? ( >=net-misc/openssh-9.4_p1 )
+        openssh? ( >=net-misc/openssh-9.4_p1 )
 "
 
 # Versions listed below are version of packages that shedded the
 # modifications in their ebuilds.
 RDEPEND="
-	${DEPEND}
-	>=app-shells/bash-5.2_p15-r2
-	ntp? ( >=net-misc/ntp-4.2.8_p17 )
+        ${DEPEND}
+        >=app-shells/bash-5.2_p15-r2
+        ntp? ( >=net-misc/ntp-4.2.8_p17 )
+        policycoreutils? ( >=sys-apps/policycoreutils-3.6 )
+        audit? ( >=sys-process/audit-3.1.1 )
 "
 
 declare -A CORE_BASH_SYMLINKS
@@ -98,10 +100,12 @@ src_install() {
         ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
         ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
     )
-    if use openssh; then
+    if use audit; then
         compat_symlinks+=(
-            ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
-            ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+            ['/usr/share/audit/rules.d/00-clear.rules']='/usr/share/flatcar/etc/audit/rules.d/00-clear.rules'
+            ['/usr/share/audit/rules.d/80-selinux.rules']='/usr/share/flatcar/etc/audit/rules.d/80-selinux.rules'
+            ['/usr/share/audit/rules.d/99-default.rules']='/usr/share/flatcar/etc/audit/rules.d/99-default.rules'
+            ['/usr/share/auditd/auditd.conf']='/usr/share/flatcar/etc/audit/auditd.conf'
         )
     fi
     if use ntp; then
@@ -109,6 +113,12 @@ src_install() {
             ['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf'
         )
     fi
+    if use openssh; then
+        compat_symlinks+=(
+            ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
+            ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+        )
+    fi
 
     local link target
     for link in "${!compat_symlinks[@]}"; do
@@ -121,10 +131,10 @@ src_install() {
     done
 
     insinto '/etc/selinux/'
-    newins "${FILESDIR}/selinux-config" config
+    doins "${FILESDIR}/selinux/config"
 
     insinto '/etc/bash/bashrc.d'
-    doins "${FILESDIR}/99-flatcar-bcc"
+    doins "${FILESDIR}/bash/99-flatcar-bcc"
 
     insinto '/usr/share/flatcar'
     # The "oems" folder should contain a file "$OEMID" for each expected OEM sysext and
@@ -148,27 +158,52 @@ src_install() {
         fowners --no-dereference 500:500 "${link}"
     done
 
+    if use audit; then
+        # Install our rules.
+        insinto /etc/audit/rules.d
+        for name in 00-clear.rules 80-selinux.rules 99-default.rules; do
+            doins "${FILESDIR}/audit/${name}"
+            # Upstream wants these to have restrictive perms.
+            fperms 0640 "/etc/audit/rules.d/${name}"
+        done
+        # Install a service that loads the rules (it's possibly
+        # something that a deamon does, but in our case the daemon is
+        # disabled by default).
+        systemd_dounit "${FILESDIR}/audit/audit-rules.service"
+        systemd_enable_service multi-user.target audit-rules.service
+    fi
+
+    if use ntp; then
+        insinto /etc
+        doins "${FILESDIR}/ntp/ntp.conf"
+        misc_files_install_dropin ntpd.service "${FILESDIR}/ntp/ntpd-always-restart.conf"
+        misc_files_install_dropin ntpdate.service "${FILESDIR}/ntp/ntp-environment.conf"
+        misc_files_install_dropin sntp.service "${FILESDIR}/ntp/ntp-environment.conf"
+    fi
+
     if use openssh; then
         # Install our configuration snippets.
         insinto /etc/ssh/ssh_config.d
-        doins "${FILESDIR}/50-flatcar-ssh.conf"
+        doins "${FILESDIR}/openssh/50-flatcar-ssh.conf"
         insinto /etc/ssh/sshd_config.d
-        doins "${FILESDIR}/50-flatcar-sshd.conf"
+        doins "${FILESDIR}/openssh/50-flatcar-sshd.conf"
 
         # Install our socket drop-in file that disables the rate
         # limiting on the sshd socket.
-        misc_files_install_dropin sshd.socket "${FILESDIR}/no-trigger-limit-burst.conf"
+        misc_files_install_dropin sshd.socket "${FILESDIR}/openssh/no-trigger-limit-burst.conf"
 
         # Enable some sockets that aren't enabled by their own ebuilds.
         systemd_enable_service sockets.target sshd.socket
     fi
 
-    if use ntp; then
-        insinto /etc
-        doins "${FILESDIR}/ntp.conf"
-        misc_files_install_dropin ntpd.service "${FILESDIR}/ntpd-always-restart.conf"
-        misc_files_install_dropin ntpdate.service "${FILESDIR}/ntp-environment.conf"
-        misc_files_install_dropin sntp.service "${FILESDIR}/ntp-environment.conf"
+    if use policycoreutils; then
+        # Exceptionally, the location for policy definitions is set up
+        # in profiles/coreos/base/profile.bashrc. See the comment for
+        # cros_post_src_install_set_up_var_lib_selinux for reasoning.
+        #
+        # Recreate the symlink in /var in case of wiping the root
+        # filesystem.
+        dotmpfiles "${FILESDIR}/selinux/10-var-lib-selinux.conf"
     fi
 
     # Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/...

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit

@@ -0,0 +1,11 @@
+# Do not install Gentoo-provided audit rules, we will install our own
+# in coreos-base/misc-files.
+INSTALL_MASK+="
+/etc/audit/audit.rules*
+"
+
+# Do not install legacy initscripts stuff
+INSTALL_MASK+="
+/usr/libexec/audit-functions
+/usr/libexec/initscripts
+"

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/README.md

@@ -0,0 +1,4 @@
+We have a patch that modifies the semanage.conf file that is
+previously modified by the Gentoo ebuild. The patch enables the
+SELinux module compression to save some disk space (the modules went
+from 33MB to 3MB).

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/compress-modules.patch

@@ -0,0 +1,12 @@
+diff -r -u libsemanage-3.6-patched/src/semanage.conf libsemanage-3.6-flatcar/src/semanage.conf
+--- libsemanage-3.6-patched/src/semanage.conf	2024-02-21 14:33:06.055611733 +0100
++++ libsemanage-3.6-flatcar/src/semanage.conf	2024-02-21 14:42:13.566991009 +0100
+@@ -58,7 +58,7 @@
+ # 1-9 when compressing.  The higher the number,
+ # the more memory is traded off for disk space.
+ # Set to 0 to disable bzip2 compression.
+-bzip-blocksize=0
++bzip-blocksize=1
+ 
+ # Reduce memory usage for bzip2 compression and
+ # decompression of modules in the module store.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -150,3 +150,9 @@ sys-apps/findutils selinux
 app-containers/containerd btrfs device-mapper
 app-containers/docker btrfs device-mapper overlay seccomp
 app-containers/docker-cli hardened
+
+# Drop python dependencies from some SELinux packages.
+#
+# The vanilla USE flag must be enabled if python is disabled.
+sys-apps/policycoreutils vanilla -python
+sys-libs/libsemanage -python

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc

@@ -104,6 +104,26 @@ cros_pre_pkg_postinst_no_modifications_of_users() {
     export ACCT_USER_NO_MODIFY=x
 }
 
+# sys-apps/policycoreutils creates /var/lib/selinux directory in
+# src_install and then needs it to be available when running
+# pkg_postinst, because it does a policy module rebuild there. We
+# initially have put /var/lib/selinux into INSTALL_MASK and told
+# coreos-base/misc-files to install the directory at
+# /usr/lib/selinux/policy together with a symlink at /var/lib/selinux
+# pointing to the directory. But this is done too late - at
+# sys-apps/policycoreutils' pkg_postinst time, /var/lib/selinux does
+# not exist, because coreos-base/misc-files was not yet emerged. So we
+# need to fall back to this hack, where we set up /var/lib/selinux and
+# /usr/lib/selinux/policy the way we want.
+cros_post_src_install_set_up_var_lib_selinux() {
+    if [[ ${CATEGORY} != 'sys-apps' ]] || [[ ${PN} != 'policycoreutils' ]]; then
+        return 0;
+    fi
+    dodir /usr/lib/selinux
+    mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy"
+    dosym ../../usr/lib/selinux/policy /var/lib/selinux
+}
+
 # Source hooks for SLSA build provenance report generation
 source "${BASH_SOURCE[0]}.slsa-provenance"
 

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use

@@ -8,7 +8,9 @@ app-editors/vim		minimal -crypt
 app-editors/vim-core	minimal
 
 # Install our modifications and compatibility symlinks for ssh and ntp
-coreos-base/misc-files openssh ntp
+#
+# Install a SELinux policy directory symlink
+coreos-base/misc-files audit ntp openssh policycoreutils
 
 dev-lang/python		gdbm
 dev-libs/dbus-glib	tools

sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest

@@ -1,2 +1,2 @@
-DIST policycoreutils-3.5.tar.gz 775639 BLAKE2B 777b8564484e89385db7a184c4cad9a99aabf1fd1ac41abd5826c7e6ad29118ae9d6f0d0fd968b6ced87f2f04bc6d7cd207b67428151522915367f656fb8d3f8 SHA512 7978ef6b7a278c6384c9b397734d03c4932c8aefecceaa1e6a1345be27b253dbe276fdcd219ce83ad732c6ed55d53bbc3254e39bccadd67d2cd1152a14749444
+DIST policycoreutils-3.6.tar.gz 755682 BLAKE2B a8b180c8006989192d152651dcfa51856956780bfe1139cc1dc0162eb66ba1eef4f7d64f68a48479572b02e2e97a68c7082722a745d22a9453e8378373319e3c SHA512 e1f32e6e0310b879a5aadab157b103314a61bf3b8fd59c1212d701fbf39900e3b9a0b727338988103d784a7e505355a871ba519dd91520b135a3b9dae40bf1b0
 DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5 SHA512 0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f

sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild

@@ -1,150 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{9..11} )
-PYTHON_REQ_USE="xml(+)"
-
-TMPFILES_OPTIONAL=1
-inherit multilib python-r1 toolchain-funcs bash-completion-r1 tmpfiles
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-EXTRAS_VER="1.37"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
-	inherit git-r3
-	EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
-	SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
-	S1="${WORKDIR}/${P}/${PN}"
-	S2="${WORKDIR}/policycoreutils-extra"
-	S="${S1}"
-else
-	SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
-		https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
-	KEYWORDS="amd64 arm arm64 ~mips x86"
-	S1="${WORKDIR}/${MY_P}"
-	S2="${WORKDIR}/policycoreutils-extra"
-	S="${S1}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="audit pam split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-DEPEND=">=sys-libs/libselinux-${PV}:=
-	>=sys-libs/libsemanage-${PV}:=
-	>=sys-libs/libsepol-${PV}:=
-	sys-libs/libcap-ng:=
-	audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
-	pam? ( sys-libs/pam:= )"
-
-# Avoid dependency loop in the cross-compile case, bug #755173
-# (Still exists in native)
-BDEPEND="sys-devel/gettext"
-
-# pax-utils for scanelf used by rlpkg
-RDEPEND="${DEPEND}
-	app-misc/pax-utils"
-
-PDEPEND="sys-apps/semodule-utils"
-
-src_unpack() {
-	# Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
-	default
-	if [[ ${PV} == 9999 ]] ; then
-		git-r3_src_unpack
-	fi
-}
-
-src_prepare() {
-	S="${S1}"
-	cd "${S}" || die "Failed to switch to ${S}"
-	if [[ ${PV} != 9999 ]] ; then
-		# If needed for live ebuilds please use /etc/portage/patches
-		eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
-	fi
-
-	# rlpkg is more useful than fixfiles
-	sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
-		|| die "fixfiles sed 1 failed"
-	sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
-		|| die "fixfiles sed 2 failed"
-
-	eapply_user
-
-	sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
-}
-
-src_compile() {
-	building() {
-		emake -C "${BUILD_DIR}" \
-			AUDIT_LOG_PRIVS="y" \
-			AUDITH="$(usex audit y n)" \
-			PAMH="$(usex pam y n)" \
-			SESANDBOX="n" \
-			CC="$(tc-getCC)" \
-			LIBDIR="\$(PREFIX)/$(get_libdir)"
-	}
-	BUILD_DIR="${S1}"
-	building
-}
-
-src_install() {
-	# Python scripts are present in many places. There are no extension modules.
-	installation-policycoreutils() {
-		einfo "Installing policycoreutils"
-		emake -C "${BUILD_DIR}" DESTDIR="${D}" \
-			AUDIT_LOG_PRIVS="y" \
-			AUDITH="$(usex audit y n)" \
-			PAMH="$(usex pam y n)" \
-			SESANDBOX="n" \
-			CC="$(tc-getCC)" \
-			LIBDIR="\$(PREFIX)/$(get_libdir)" \
-			install
-	}
-
-	installation-extras() {
-		einfo "Installing policycoreutils-extra"
-		emake -C "${BUILD_DIR}" \
-			DESTDIR="${D}" \
-			install
-	}
-
-	BUILD_DIR="${S1}"
-	installation-policycoreutils
-
-
-	# remove redhat-style init script
-	rm -fR "${D}/etc/rc.d" || die
-
-	# compatibility symlinks
-	if use split-usr; then
-		dosym ../../sbin/setfiles /usr/sbin/setfiles
-	else
-		# remove sestatus symlink
-		rm -f "${D}"/usr/sbin/sestatus || die
-	fi
-
-	bashcomp_alias setsebool getsebool
-
-	dodir /usr/lib/selinux/policy
-	dosym ../../usr/lib/selinux/policy /var/lib/selinux
-	keepdir /usr/lib/selinux/policy
-
-	# Recreate the symlink in /var in case of wiping the root filesystem.
-	dotmpfiles "${FILESDIR}/tmpfiles.d/10-var-lib-selinux.conf"
-}
-
-pkg_postinst() {
-	for POLICY_TYPE in ${POLICY_TYPES} ; do
-		# There have been some changes to the policy store, rebuilding now.
-		# https://marc.info/?l=selinux&m=143757277819717&w=2
-		einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
-		semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
-	done
-}

sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild

@@ -0,0 +1,210 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+PYTHON_COMPAT=( python3_{10..11} )
+PYTHON_REQ_USE="xml(+)"
+
+inherit python-r1 toolchain-funcs bash-completion-r1
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+EXTRAS_VER="1.37"
+
+DESCRIPTION="SELinux core utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
+	SRC_URI="!vanilla? ( https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2 )"
+	S1="${WORKDIR}/${P}/${PN}"
+	S2="${WORKDIR}/policycoreutils-extra"
+	S="${S1}"
+else
+	SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
+		!vanilla? ( https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2 )"
+	KEYWORDS="amd64 arm arm64 ~mips x86"
+	S1="${WORKDIR}/${MY_P}"
+	S2="${WORKDIR}/policycoreutils-extra"
+	S="${S1}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="audit pam split-usr vanilla +python"
+REQUIRED_USE="
+	!vanilla? ( python ${PYTHON_REQUIRED_USE} )
+"
+
+DEPEND="
+	python? (
+		>=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
+		>=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
+		audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
+		${PYTHON_DEPS}
+	)
+	!python? (
+		>=sys-libs/libselinux-${PV}:=
+		>=sys-libs/libsemanage-${PV}:=
+		audit? ( >=sys-process/audit-1.5.1 )
+	)
+	>=sys-libs/libsepol-${PV}:=
+	sys-libs/libcap-ng:=
+	pam? ( sys-libs/pam:= )
+	!vanilla? (
+		>=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
+	)
+"
+
+# Avoid dependency loop in the cross-compile case, bug #755173
+# (Still exists in native)
+BDEPEND="sys-devel/gettext"
+
+# pax-utils for scanelf used by rlpkg
+RDEPEND="${DEPEND}
+	app-misc/pax-utils"
+
+PDEPEND="sys-apps/semodule-utils
+	python? ( sys-apps/selinux-python )"
+
+src_unpack() {
+	# Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
+	default
+	if [[ ${PV} == 9999 ]] ; then
+		git-r3_src_unpack
+	fi
+}
+
+src_prepare() {
+	S="${S1}"
+	cd "${S}" || die "Failed to switch to ${S}"
+	if [[ ${PV} != 9999 ]] ; then
+		# If needed for live ebuilds please use /etc/portage/patches
+		eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
+	fi
+
+	if ! use vanilla; then
+		# rlpkg is more useful than fixfiles
+		sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
+			|| die "fixfiles sed 1 failed"
+		sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
+			|| die "fixfiles sed 2 failed"
+	fi
+
+	eapply_user
+
+	sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
+
+	if ! use vanilla; then
+		python_copy_sources
+		# Our extra code is outside the regular directory, so set it to the extra
+		# directory. We really should optimize this as it is ugly, but the extra
+		# code is needed for Gentoo at the same time that policycoreutils is present
+		# (so we cannot use an additional package for now).
+		S="${S2}"
+		python_copy_sources
+	fi
+}
+
+src_compile() {
+	building() {
+		local build_dir=${1}
+		emake -C "${build_dir}" \
+			AUDIT_LOG_PRIVS="y" \
+			AUDITH="$(usex audit y n)" \
+			PAMH="$(usex pam y n)" \
+			SESANDBOX="n" \
+			CC="$(tc-getCC)" \
+			LIBDIR="\$(PREFIX)/$(get_libdir)"
+	}
+	if ! use vanilla; then
+		building_with_python() {
+			building "${BUILD_DIR}"
+		}
+		S="${S1}" # Regular policycoreutils
+		python_foreach_impl building_with_python
+		S="${S2}" # Extra set
+		python_foreach_impl building_with_python
+		unset -f building_with_python
+	else
+		S="${S1}" # Regular policycoreutils
+		building "${S}"
+	fi
+	unset -f building
+}
+
+src_install() {
+	installation-policycoreutils-base() {
+		local build_dir=${1}
+		einfo "Installing policycoreutils"
+		emake -C "${build_dir}" DESTDIR="${D}" \
+			AUDIT_LOG_PRIVS="y" \
+			AUDITH="$(usex audit y n)" \
+			PAMH="$(usex pam y n)" \
+			SESANDBOX="n" \
+			CC="$(tc-getCC)" \
+			LIBDIR="\$(PREFIX)/$(get_libdir)" \
+			install
+	}
+
+	if ! use vanilla; then
+		# Python scripts are present in many places. There are no extension modules.
+		installation-policycoreutils() {
+			installation-policycoreutils-base "${BUILD_DIR}"
+			python_optimize
+		}
+
+		installation-extras() {
+			einfo "Installing policycoreutils-extra"
+			emake -C "${BUILD_DIR}" \
+				DESTDIR="${D}" \
+				install
+			python_optimize
+		}
+
+		S="${S1}" # policycoreutils
+		python_foreach_impl installation-policycoreutils
+		S="${S2}" # extras
+		python_foreach_impl installation-extras
+		S="${S1}" # back for later
+		unset -f installation-extras installation-policycoreutils
+	else
+		S="${S1}" # policycoreutils
+		installation-policycoreutils-base "${S}"
+	fi
+	unset -f installation-policycoreutils-base
+
+	# remove redhat-style init script
+	rm -fR "${D}/etc/rc.d" || die
+
+	# compatibility symlinks
+	if use split-usr; then
+		dosym ../../sbin/setfiles /usr/sbin/setfiles
+	else
+		# remove sestatus symlink
+		rm -f "${D}"/usr/sbin/sestatus || die
+	fi
+
+	bashcomp_alias setsebool getsebool
+
+	# location for policy definitions
+	dodir /var/lib/selinux
+	keepdir /var/lib/selinux
+
+	if ! use vanilla; then
+		# Set version-specific scripts
+		for pyscript in rlpkg; do
+			python_replicate_script "${ED}/usr/sbin/${pyscript}"
+		done
+	fi
+}
+
+pkg_postinst() {
+	for POLICY_TYPE in ${POLICY_TYPES} ; do
+		# There have been some changes to the policy store, rebuilding now.
+		# https://marc.info/?l=selinux&m=143757277819717&w=2
+		einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+		semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+	done
+}

sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest

@@ -1 +1 @@
-DIST libsemanage-3.5.tar.gz 185060 BLAKE2B 3e08b15cb6b335a2747bd5f0bd84f74abdd22a7e8ec91ebb443ca6fe3886d5e8cd2827fefdaa0e9caf2af3280cffbf593ee828fee54dd423a21b257493cc754c SHA512 959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751
+DIST libsemanage-3.6.tar.gz 182583 BLAKE2B 3ed9ef06601093983fa41ad6ab9f7eeae241dce98937db04efca6f421afcfd3f59cf5e51d24c596ae03997a398949ed84fbdf629518e3c382a5453129b0a87ab SHA512 8998b6a1b254a9673b99ae4d70a1edc769bb728a44f573cdf62e0a9c9392b77644ee2d70e1936a2f8a9a7f8b063ce98a981f4b8b7060f5b82791889330d69364

sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/libsemanage-extra-config.patch

@@ -0,0 +1,30 @@
+diff -r -u libsemanage-3.6/src/semanage.conf libsemanage-3.6-patched/src/semanage.conf
+--- libsemanage-3.6/src/semanage.conf	2023-12-13 15:46:22.000000000 +0100
++++ libsemanage-3.6-patched/src/semanage.conf	2024-02-21 14:33:06.055611733 +0100
+@@ -40,3 +40,26 @@
+ # By default, semanage will generate policies for the SELinux target.
+ # To build policies for Xen, uncomment the following line.
+ #target-platform = xen
++
++# Set this to true to save the linked policy.
++# This is normally only useful for analysis
++# or debugging of policy.
++save-linked=false
++
++# Set this to 0 to disable assertion checking.
++# This should speed up building the kernel policy
++# from policy modules, but may leave you open to
++# dangerous rules which assertion checking
++# would catch.
++expand-check=1
++
++# Modules in the module store can be compressed
++# with bzip2.  Set this to the bzip2 blocksize
++# 1-9 when compressing.  The higher the number,
++# the more memory is traded off for disk space.
++# Set to 0 to disable bzip2 compression.
++bzip-blocksize=0
++
++# Reduce memory usage for bzip2 compression and
++# decompression of modules in the module store.
++bzip-small=true

sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild

@@ -1,8 +1,8 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 
 inherit python-r1 toolchain-funcs multilib-minimal
 
@@ -24,47 +24,36 @@ fi
 
 LICENSE="GPL-2"
 SLOT="0/2"
+IUSE="+python"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 
-RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}]
+RDEPEND="
+	app-arch/bzip2[${MULTILIB_USEDEP}]
 	>=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
 	>=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}]
-	>=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]"
-
+	>=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
+	python? ( ${PYTHON_DEPS} )
+"
 DEPEND="${RDEPEND}"
-BDEPEND="sys-devel/bison
-	sys-devel/flex"
+BDEPEND="
+	app-alternatives/yacc
+	app-alternatives/lex
+	python? (
+		>=dev-lang/swig-2.0.4-r1
+		virtual/pkgconfig
+	)
+"
 
 # tests are not meant to be run outside of the
 # full SELinux userland repo
 RESTRICT="test"
 
+PATCHES=(
+    "${FILESDIR}/libsemanage-extra-config.patch"
+)
+
 src_prepare() {
-	eapply_user
-
-	echo >> "${S}/src/semanage.conf"
-	echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf"
-	echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf"
-	echo "# or debugging of policy." >> "${S}/src/semanage.conf"
-	echo "save-linked=false" >> "${S}/src/semanage.conf"
-	echo >> "${S}/src/semanage.conf"
-	echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf"
-	echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf"
-	echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf"
-	echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf"
-	echo "# would catch." >> "${S}/src/semanage.conf"
-	echo "expand-check=1" >> "${S}/src/semanage.conf"
-	echo >> "${S}/src/semanage.conf"
-	echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf"
-	echo "# with bzip2.  Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf"
-	echo "# 1-9 when compressing.  The higher the number," >> "${S}/src/semanage.conf"
-	echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf"
-	echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf"
-	echo "bzip-blocksize=1" >> "${S}/src/semanage.conf"
-	echo >> "${S}/src/semanage.conf"
-	echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf"
-	echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf"
-	echo "bzip-small=true" >> "${S}/src/semanage.conf"
-
+	default
 	multilib_copy_sources
 }
 
@@ -76,14 +65,43 @@ multilib_src_compile() {
 		CC="$(tc-getCC)" \
 		LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
 		all
+
+	if use python && multilib_is_native_abi; then
+		building_py() {
+			emake \
+				AR="$(tc-getAR)" \
+				CC="$(tc-getCC)" \
+				PKG_CONFIG="$(tc-getPKG_CONFIG)" \
+				LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+				"$@"
+		}
+		python_foreach_impl building_py swigify
+		python_foreach_impl building_py pywrap
+	fi
 }
 
 multilib_src_install() {
 	emake \
 		LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
-		SHLIBDIR="/usr/$(get_libdir)" \
-		DESTDIR="${ED}" \
-		install
+		DESTDIR="${ED}" install
+
+	if use python && multilib_is_native_abi; then
+		installation_py() {
+			emake DESTDIR="${ED}" \
+				LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+				PKG_CONFIG="$(tc-getPKG_CONFIG)" \
+				install-pywrap
+			python_optimize # bug 531638
+		}
+		python_foreach_impl installation_py
+	fi
+}
+
+multiib_src_install_all() {
+	if use python; then
+		python_setup
+		python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store
+	fi
 }
 
 pkg_postinst() {

sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml

@@ -7,5 +7,6 @@
 	</maintainer>
 	<upstream>
 		<remote-id type="github">SELinuxProject/selinux</remote-id>
+		<remote-id type="cpe">cpe:/a:selinuxproject:libsemanage</remote-id>
 	</upstream>
 </pkgmetadata>

sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest

@@ -1 +0,0 @@
-DIST audit-3.0.6.tar.gz 1190011 BLAKE2B 93a7efad1cbea6771a73222b05aacbabc4ac61d1efb9fc2532607a94804bcac6512d0be2f4d89aa62d94fb85ba5818ffae4bf0a72676e8d549ddbec766e83e9c SHA512 74734e1b1fddea086db9c5dc8c4b7817917fdf17bc7ca4e5b440aae975484d020a17c3f485f6a37b6b150a307d809e50d559d31a8cbd6f1e554933719551bcd1

sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md

@@ -1,24 +0,0 @@
-This is a fork of gentoo's `sys-process/audit` package. The main
-reasons for having our fork seem to be:
-
-1. We have our own audit rules (see files in `files/rules.d`
-   directory).
-
-  - These seem to be mostly similar to what gentoo provides, but split
-    into several files and they have an additional rule for SELinux
-    events.
-
-  - We also install it in a different place and place symlinks with
-    systemd's tmpfiles functionality.
-
-2. We install a systemd service that loads our rules at startup.
-
-3. We build and install only a subset of binaries in the project.
-   Namely, we skip all the daemon stuff that puts the logs in
-   `/var/log/audit` and some tools that process those logs. Since
-   audit logs are also written to journal, writing them to disk seems
-   redundant, thus auditd and the tools seem to be unnecessary. This
-   also reduces the final image size a bit.
-
-4. Since we do not install the daemon, we don't do the permissions
-   lockdown on some auditd files.

sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles

@@ -1,6 +0,0 @@
-d   /etc/audit                          750   -   -   -   -
-C   /etc/audit/auditd.conf              640  -   -   -   /usr/share/auditd/auditd.conf
-d   /etc/audit/rules.d                  750   -   -   -   -
-L   /etc/audit/rules.d/00-clear.rules   640   -   -   -   /usr/share/audit/rules.d/00-clear.rules
-L   /etc/audit/rules.d/80-selinux.rules 640   -   -   -   /usr/share/audit/rules.d/80-selinux.rules
-L   /etc/audit/rules.d/99-default.rules 640   -   -   -   /usr/share/audit/rules.d/99-default.rules

sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest

@@ -1,3 +1,2 @@
-DIST swig-3.0.12.tar.gz 8149820 BLAKE2B 05ce913dedbbde26592619e0edc65050cb31a517f309c1188252cb8c276147cb28ebf4d8534c31b75c4ed8be5d42223b432a7318bf8eb5b2d4d528e5ff9a781b SHA512 5eaa2e06d8e4197fd02194051db1e518325dbb074a4c55a91099ad9c55193874f577764afc9029409a41bd520a95154095f26e33ef5add5c102bb2c1d98d33eb
-DIST swig-4.0.0.tar.gz 8052518 BLAKE2B a34eb17d795ba5b34ea7362f8f07d6a6e82fd4394a0159fcf608ffb27580f37fc722c4907f1fd6fa3322663662f8e11fecbcb2bc7b90405834ef35d6218d65c7 SHA512 c897b87fb8b21caf8d1bee2c39cb9675a3b0ee047110e808c310a2787f8b89585738726e9f517c64e9d2f1b8311136365c569528f399b444b1081f69689b7165
-DIST swig-4.0.2.tar.gz 8097014 BLAKE2B 4c36b7e9b9bf1663779aa31b0eda8a1fe443695d945bcc1642c3404b22e45440def85e58dd65dc18a2ca8c00ffdcfe0f1d75373b7becc0b0e5402fda90b8c29a SHA512 05e7da70ce6d9a733b96c0bcfa3c1b82765bd859f48c74759bbf4bb1467acb1809caa310cba5e2b3280cd704fca249eaa0624821dffae1d2a75097c7f55d14ed
+DIST swig-4.1.1.tar.gz 8600805 BLAKE2B 898d3405f20c3e49626fb808b568e77c69b81ec2401c0a0c406f9e7a3d7d218353dc8b8ae88a3d485ddfc3be659971b961ee2c89d5b0c75aed0688e0952fd208 SHA512 1cea1918455a75ebc9b2653dd1715bd5dcd974554955f324295c6a6f14c0a715651b221b85fad4a8af5197e0c75bfe7b590bc6ba7178c26245fbbd9a7e110100
+DIST swig-4.2.0.tar.gz 8339586 BLAKE2B 4f1c3c7d4b1e218b67a2d796d2171df73971036a433e5fb80233b3050f022d578efdff28fc44d98a6d176ec6270b4942f5f56e9a74bbd8b30d6836c76c620a04 SHA512 b7f508b25bc6e882ed6123f6c7ad12b02a7b74de09ac6e5789968e9c2f51407d1e3dafd5ea495087b4fb0f447ecce17e6070471479c67c4265166d8342a10862

sdk_container/src/third_party/portage-stable/dev-lang/swig/files/swig-4.1.1-ccache-configure-clang16.patch

@@ -0,0 +1,32 @@
+https://github.com/swig/swig/pull/2483
+
+From 784dfc917e99429bdbb70fb9dd80c16dfeb73659 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 12 Jan 2023 17:49:40 +0100
+Subject: [PATCH] CCache: Do not rely on C89-only features in configure.ac
+
+Add missing #include directives to obtain additional function
+prototypes.  This avoids altering the result of this test with C99
+compilers which do not support implicit function declarations.
+--- a/CCache/configure.ac
++++ b/CCache/configure.ac
+@@ -63,6 +63,9 @@ AC_CACHE_CHECK([for C99 vsnprintf],ccache_cv_HAVE_C99_VSNPRINTF,[
+ AC_RUN_IFELSE([AC_LANG_SOURCE([[
+ #include <sys/types.h>
+ #include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
+ void foo(const char *format, ...) { 
+        va_list ap;
+        int len;
+@@ -77,7 +80,7 @@ void foo(const char *format, ...) {
+ 
+        exit(0);
+ }
+-main() { foo("hello"); }
++int main(void) { foo("hello"); }
+ ]])],[ccache_cv_HAVE_C99_VSNPRINTF=yes],[ccache_cv_HAVE_C99_VSNPRINTF=no],[ccache_cv_HAVE_C99_VSNPRINTF=cross])])
+ if test x"$ccache_cv_HAVE_C99_VSNPRINTF" = x"yes"; then
+     AC_DEFINE(HAVE_C99_VSNPRINTF, 1, [ ])
+

sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-3.0.12.ebuild

@@ -1,35 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-DESCRIPTION="Simplified Wrapper and Interface Generator"
-HOMEPAGE="http://www.swig.org/"
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-3+ BSD BSD-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="ccache doc pcre"
-RESTRICT="test"
-
-DEPEND="pcre? ( dev-libs/libpcre )
-	ccache? ( sys-libs/zlib )"
-RDEPEND="${DEPEND}"
-
-DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO )
-
-src_configure() {
-	econf \
-		$(use_enable ccache) \
-		$(use_with pcre)
-}
-
-src_install() {
-	default
-
-	if use doc; then
-		docinto html
-		dodoc -r Doc/{Devel,Manual}
-	fi
-}

sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.0.ebuild

@@ -1,51 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit toolchain-funcs
-
-DESCRIPTION="Simplified Wrapper and Interface Generator"
-HOMEPAGE="http://www.swig.org/"
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-3+ BSD BSD-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="ccache doc pcre"
-RESTRICT="test"
-
-RDEPEND="
-	pcre? ( dev-libs/libpcre )
-	ccache? ( sys-libs/zlib )
-"
-DEPEND="
-	${RDEPEND}
-"
-BDEPEND="virtual/pkgconfig"
-
-DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO )
-
-src_prepare() {
-	default
-	# https://github.com/swig/swig/pull/1796
-	sed -i \
-		-e '/if pkg-config javascriptcoregtk-1.0/s:pkg-config:$PKGCONFIG:' \
-		configure || die
-}
-
-src_configure() {
-	econf \
-		PKGCONFIG="$(tc-getPKG_CONFIG)" \
-		$(use_enable ccache) \
-		$(use_with pcre)
-}
-
-src_install() {
-	default
-
-	if use doc; then
-		docinto html
-		dodoc -r Doc/{Devel,Manual}
-	fi
-}

sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.1.1-r1.ebuild

@@ -0,0 +1,61 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools toolchain-funcs
+
+DESCRIPTION="Simplified Wrapper and Interface Generator"
+HOMEPAGE="http://www.swig.org/ https://github.com/swig/swig"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-3+ BSD BSD-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="ccache doc pcre test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	pcre? ( dev-libs/libpcre2 )
+	ccache? ( sys-libs/zlib )
+"
+DEPEND="
+	${RDEPEND}
+	test? ( dev-libs/boost )
+"
+BDEPEND="virtual/pkgconfig"
+
+DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO )
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-4.1.1-ccache-configure-clang16.patch
+)
+
+src_prepare() {
+	default
+
+	# Only needed for Clang 16 patch
+	ln -s "${S}"/Tools CCache/ || die
+	AT_M4DIR="Tools/config" eautoreconf
+}
+
+src_configure() {
+	econf \
+		PKGCONFIG="$(tc-getPKG_CONFIG)" \
+		$(use_enable ccache) \
+		$(use_with pcre)
+}
+
+src_test() {
+	# The tests won't get run w/o an explicit call, broken Makefiles?
+	emake check
+}
+
+src_install() {
+	default
+
+	if use doc; then
+		docinto html
+		dodoc -r Doc/{Devel,Manual}
+	fi
+}

sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.2.0.ebuild

@@ -1,7 +1,7 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 inherit toolchain-funcs
 
@@ -11,15 +11,18 @@ SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
 
 LICENSE="GPL-3+ BSD BSD-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="ccache doc pcre"
-RESTRICT="test"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="ccache doc pcre test"
+RESTRICT="!test? ( test )"
 
 RDEPEND="
-	pcre? ( dev-libs/libpcre )
+	pcre? ( dev-libs/libpcre2 )
 	ccache? ( sys-libs/zlib )
 "
-DEPEND="${RDEPEND}"
+DEPEND="
+	${RDEPEND}
+	test? ( dev-libs/boost )
+"
 BDEPEND="virtual/pkgconfig"
 
 DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO )
@@ -31,6 +34,11 @@ src_configure() {
 		$(use_with pcre)
 }
 
+src_test() {
+	# The tests won't get run w/o an explicit call, broken Makefiles?
+	emake check
+}
+
 src_install() {
 	default
 

sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest

@@ -0,0 +1,2 @@
+DIST audit-3.1.1.tar.gz 1218111 BLAKE2B a804684e438efc5f35b387708b3dc91bf857eeb56624261e0f75543556c436bfe638b792f63289f049c11541b10b2dc0e9f17b22f44b913da0168b1cf20684fc SHA512 4917970cc4c7f786c464a6d101bf66d55d55ac4716cf415ff97177f08176a6301e946716d28cf5b16054538469b3140b97db99d55a28686a9a807eea60c070f3
+DIST audit-3.1.2.tar.gz 1219860 BLAKE2B dfdec470bf12cce6c570b3d260e65e2b49e8ac0761e6a6fbf7b4f4a57f92e88367cd74bfcb88e6d718619b88fea27ce963a977c9f4346c95d18a5310e217accb SHA512 a97003a294ed3671df01e2952688e7d5eef59a35f6891feb53e67c4c7eab9ae8c2d18de41a5b5b20e0ad7156fac93aec05f32f6bc5eea706b42b6f27f676446a

sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild

@@ -1,13 +1,15 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
-# Flatcar: Support python 3.6.
-PYTHON_COMPAT=( python3_{6..11} )
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide)
+# on bumps (or if hitting a bug) to see what they've done there.
 
-TMPFILES_OPTIONAL=1
-inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
 
 DESCRIPTION="Userspace utilities for storing and processing auditing records"
 HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
@@ -15,24 +17,34 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
 
 LICENSE="GPL-2+ LGPL-2.1+"
 SLOT="0"
-# Flatcar: Build amd64 and arm64 by default.
-KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="gssapi ldap python static-libs test"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="gssapi io-uring ldap python static-libs test"
 
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 RESTRICT="!test? ( test )"
 
-RDEPEND="gssapi? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )
+RDEPEND="
 	sys-libs/libcap-ng
-	python? ( ${PYTHON_DEPS} )"
-DEPEND="${RDEPEND}
+	gssapi? ( virtual/krb5 )
+	ldap? ( net-nds/openldap:= )
+	python? ( ${PYTHON_DEPS} )
+"
+DEPEND="
+	${RDEPEND}
 	>=sys-kernel/linux-headers-2.6.34
-	test? ( dev-libs/check )"
-BDEPEND="python? ( dev-lang/swig:0 )"
+	test? ( dev-libs/check )
+"
+BDEPEND="python? ( dev-lang/swig )"
 
 CONFIG_CHECK="~AUDIT"
 
+PATCHES=(
+	# See bug #836702 before removing / verify builds fine w/ USE=python
+	# with latest kernel headers.
+	"${FILESDIR}"/${PN}-3.0.8-linux-headers-5.17.patch
+	"${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch
+)
+
 src_prepare() {
 	# audisp-remote moved in multilib_src_install_all
 	sed -i \
@@ -40,51 +52,48 @@ src_prepare() {
 		audisp/plugins/remote/au-remote.conf || die
 
 	# Disable installing sample rules so they can be installed as docs.
-	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null
-
-	# Flatcar: Some legacy stuff is being installed when systemd
-	# is enabled. Drop all the lines that try doing it.
-	sed -e '/${DESTDIR}${initdir}/d' \
-		-e '/${DESTDIR}${legacydir}/d' \
-		-i init.d/Makefile.am || die
-	# Flatcar: Do not build daemon stuff.
-	sed -e '/^sbin_PROGRAMS =/s/aureport//' \
-		-e '/^sbin_PROGRAMS =/s/ausearch//' \
-		-i src/Makefile.am || die
+	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die
 
 	default
 	eautoreconf
 }
 
 multilib_src_configure() {
-	local -a myeconfargs=(
-		--sbindir="${EPREFIX}/sbin"
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
 		$(use_enable gssapi gssapi-krb5)
 		$(use_enable ldap zos-remote)
 		$(use_enable static-libs static)
+		$(use_with io-uring io_uring)
 		--enable-systemd
 		--without-golang
+		--without-libwrap
 		--without-python
 		--without-python3
 	)
 
-	ECONF_SOURCE=${S} econf "${myeconfargs[@]}"
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
 
 	if multilib_is_native_abi && use python; then
 		python_configure() {
-			mkdir -p "${BUILD_DIR}"
+			mkdir -p "${BUILD_DIR}" || die
 			pushd "${BUILD_DIR}" &>/dev/null || die
-			ECONF_SOURCE=${S} econf "${myeconfargs[@]}" --with-python3
+
+			ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3
+
 			popd &>/dev/null || die
 		}
+
 		python_foreach_impl python_configure
 	fi
 }
 
 src_configure() {
 	tc-export_build_env BUILD_{CC,CPP}
+
 	local -x CC_FOR_BUILD="${BUILD_CC}"
 	local -x CPP_FOR_BUILD="${BUILD_CPP}"
+
 	multilib-minimal_src_configure
 }
 
@@ -93,10 +102,12 @@ multilib_src_compile() {
 		default
 
 		local native_build="${BUILD_DIR}"
+
 		python_compile() {
 			emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
 			emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
 		}
+
 		use python && python_foreach_impl python_compile
 	else
 		emake -C common
@@ -110,14 +121,16 @@ multilib_src_install() {
 		emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
 
 		local native_build="${BUILD_DIR}"
+
 		python_install() {
 			emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
 			emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
 			python_optimize
 		}
+
 		use python && python_foreach_impl python_install
 
-		# things like shadow use this so we need to be in /
+		# Things like shadow use this so we need to be in /
 		gen_usr_ldscript -a audit auparse
 	else
 		emake -C lib DESTDIR="${D}" install
@@ -129,35 +142,24 @@ multilib_src_install_all() {
 	dodoc AUTHORS ChangeLog README* THANKS
 	docinto contrib
 	dodoc contrib/avc_snap
-	# Flatcar: Do not install any plugin stuff, these are parts of
-	# auditd that we don't build and install anyway.
-	# docinto contrib/plugin
-	# dodoc contrib/plugin/*
+	docinto contrib/plugin
+	dodoc contrib/plugin/*
 	docinto rules
 	dodoc rules/*rules
 
-	# Flatcar: Do not install stuff auditd stuff.
-	# newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
-	# newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+	newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+	newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
 
-	# Flatcar: install sample configuration
-	insinto /usr/share/auditd
-	doins "${S}"/init.d/auditd.conf
+	if [[ -f "${ED}"/sbin/audisp-remote ]] ; then
+		dodir /usr/sbin
+		mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+	fi
 
-
-	# Flatcar: We are not installing audisp too.
-	# [ -f "${ED}"/sbin/audisp-remote ] && \
-	# dodir /usr/sbin && \
-	# mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
-
-	# Flatcar: Do not install gentoo rules.
 	# Gentoo rules
-	# newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
-	# Flatcar: We are installing our own rules.
-	insinto /usr/share/audit/rules.d
-	doins "${FILESDIR}"/rules.d/*.rules
-	# Flatcar: Do not install deamon stuff.
-	# doins "${FILESDIR}"/audit.rules.stop*
+	insinto /etc/audit
+	newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+	doins "${FILESDIR}"/audit.rules.stop*
+	keepdir /etc/audit/rules.d
 
 	# audit logs go here
 	keepdir /var/log/audit
@@ -166,14 +168,6 @@ multilib_src_install_all() {
 
 	# Security
 	lockdown_perms "${ED}"
-
-	# Flatcar: We add the systemd unit but don't enable it.
-	systemd_dounit init.d/auditd.service
-
-	# Flatcar: Our systemd stuff.
-	newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
-	systemd_dounit "${FILESDIR}"/audit-rules.service
-	systemd_enable_service multi-user.target audit-rules.service
 }
 
 pkg_postinst() {
@@ -183,13 +177,8 @@ pkg_postinst() {
 lockdown_perms() {
 	# Upstream wants these to have restrictive perms.
 	# Should not || die as not all paths may exist.
-	# Flatcar: We don't include ausearch and aureport
-	# so they're removed from the hardening list
 	local basedir="${1}"
-	# chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
-	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null
+	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
 	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
-	# chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
-	rm -f  "${basedir}"/etc/audit/auditd.conf 2>/dev/null
-	:
+	chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
 }

sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild

@@ -0,0 +1,181 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide)
+# on bumps (or if hitting a bug) to see what they've done there.
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
+
+DESCRIPTION="Userspace utilities for storing and processing auditing records"
+HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
+SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="gssapi io-uring ldap python static-libs test"
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	sys-libs/libcap-ng
+	gssapi? ( virtual/krb5 )
+	ldap? ( net-nds/openldap:= )
+	python? ( ${PYTHON_DEPS} )
+"
+DEPEND="
+	${RDEPEND}
+	>=sys-kernel/linux-headers-2.6.34
+	test? ( dev-libs/check )
+"
+BDEPEND="python? ( dev-lang/swig )"
+
+CONFIG_CHECK="~AUDIT"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch
+)
+
+src_prepare() {
+	# audisp-remote moved in multilib_src_install_all
+	sed -i \
+		-e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \
+		audisp/plugins/remote/au-remote.conf || die
+
+	# Disable installing sample rules so they can be installed as docs.
+	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die
+
+	default
+	eautoreconf
+}
+
+multilib_src_configure() {
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
+		$(use_enable gssapi gssapi-krb5)
+		$(use_enable ldap zos-remote)
+		$(use_enable static-libs static)
+		$(use_with io-uring io_uring)
+		--enable-systemd
+		--without-golang
+		--without-libwrap
+		--without-python
+		--without-python3
+	)
+
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+
+	if multilib_is_native_abi && use python; then
+		python_configure() {
+			mkdir -p "${BUILD_DIR}" || die
+			pushd "${BUILD_DIR}" &>/dev/null || die
+
+			ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3
+
+			popd &>/dev/null || die
+		}
+
+		python_foreach_impl python_configure
+	fi
+}
+
+src_configure() {
+	tc-export_build_env BUILD_{CC,CPP}
+
+	local -x CC_FOR_BUILD="${BUILD_CC}"
+	local -x CPP_FOR_BUILD="${BUILD_CPP}"
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		default
+
+		local native_build="${BUILD_DIR}"
+
+		python_compile() {
+			emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
+			emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
+		}
+
+		use python && python_foreach_impl python_compile
+	else
+		emake -C common
+		emake -C lib
+		emake -C auparse
+	fi
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
+
+		local native_build="${BUILD_DIR}"
+
+		python_install() {
+			emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
+			emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
+			python_optimize
+		}
+
+		use python && python_foreach_impl python_install
+
+		# Things like shadow use this so we need to be in /
+		gen_usr_ldscript -a audit auparse
+	else
+		emake -C lib DESTDIR="${D}" install
+		emake -C auparse DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	dodoc AUTHORS ChangeLog README* THANKS
+	docinto contrib
+	dodoc contrib/avc_snap
+	docinto contrib/plugin
+	dodoc contrib/plugin/*
+	docinto rules
+	dodoc rules/*rules
+
+	newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+	newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+
+	if [[ -f "${ED}"/sbin/audisp-remote ]] ; then
+		dodir /usr/sbin
+		mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+	fi
+
+	# Gentoo rules
+	insinto /etc/audit
+	newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+	doins "${FILESDIR}"/audit.rules.stop*
+	keepdir /etc/audit/rules.d
+
+	# audit logs go here
+	keepdir /var/log/audit
+
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	# Security
+	lockdown_perms "${ED}"
+}
+
+pkg_postinst() {
+	lockdown_perms "${EROOT}"
+}
+
+lockdown_perms() {
+	# Upstream wants these to have restrictive perms.
+	# Should not || die as not all paths may exist.
+	local basedir="${1}"
+	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+	chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+}

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch

@@ -0,0 +1,41 @@
+Upstream rejected a workaround/fix at https://github.com/linux-audit/audit-userspace/pull/253
+/ https://github.com/linux-audit/audit-userspace/issues/252#issuecomment-1078595249.
+
+Instead, in Fedora (same maintainer as upstream), they're patching the headers then unpatching before install.
+
+Apparently the swig bindings are on their way out but I'm not convinced that's going to be a quick migration given the API will.. surely change?
+
+It's not ideal but let's take the patch slyfox ended up using in nixpkgs anyway.
+
+https://bugs.gentoo.org/836702
+
+From beed138222421a2eb4212d83cb889404bd7efc49 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+    audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+    audit>  5010 |     arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+    audit>       |               ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
++ * generating setters against them: https://github.com/swig/swig/issues/1699
++ */
++%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include <stdint.i>
+

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch

@@ -0,0 +1,29 @@
+https://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch?id=ad978133a1a10d609bb2545882a2f720a2572f3d
+https://github.com/linux-audit/audit-userspace/pull/311
+https://bugs.gentoo.org/837275
+
+From 79c8d6a2755c9dfa00a5e86378e89a94eef0504d Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 9 Aug 2022 23:57:03 -0700
+Subject: [PATCH] Replace __attribute_malloc__ with 
+ __attribute__((__malloc__))
+
+__attribute_malloc__ is not available on musl
+
+Fixes
+| ../../git/auparse/auparse.h:54:2: error: expected function body after function declarator
+|         __attribute_malloc__ __attr_dealloc (auparse_destroy, 1);
+|         ^
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+--- a/auparse/auparse.h
++++ b/auparse/auparse.h
+@@ -51,7 +51,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au,
+ void auparse_destroy(auparse_state_t *au);
+ void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what);
+ auparse_state_t *auparse_init(ausource_t source, const void *b)
+-	__attribute_malloc__ __attr_dealloc (auparse_destroy, 1);
++	__attribute__((__malloc__)) __attr_dealloc (auparse_destroy, 1);
+ int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len)
+ 	__attr_access ((__read_only__, 2, 3));
+ int auparse_feed(auparse_state_t *au, const char *data, size_t data_len)

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3

@@ -0,0 +1,25 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
+
+# Feel free to add below this line. See auditctl man page
+
+# The following rule would cause all of the syscalls listed to be ignored in logging.
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+
+# The following rule would cause the capture of all systems not caught above.
+# -a exit,always -S all
+
+# Increase the buffers to survive stress events
+-b 8192
+
+# vim:ft=conf:

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post

@@ -0,0 +1,12 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately after the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# Not used for the default Gentoo configuration as of v1.2.3
+# Paranoid security types might wish to reconfigure kauditd here.
+
+# vim:ft=conf:

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre

@@ -0,0 +1,15 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately before the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# auditd is stopping, don't capture events anymore
+-D
+
+# Disable kernel generating audit events
+-e 0
+
+# vim:ft=conf:

sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3

@@ -0,0 +1,22 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Configuration options for auditd
+# -f for foreground mode
+# There are some other options as well, but you'll have to look in the source
+# code to find them as they aren't ready for use yet.
+EXTRAOPTIONS=''
+
+# Audit rules file to run after starting auditd
+RULEFILE_STARTUP=/etc/audit/audit.rules
+
+# Audit rules file to run before and after stopping auditd
+RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
+RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
+
+# If you want to enforce a certain locale for auditd, 
+# uncomment one of the next lines:
+#AUDITD_LANG=none
+AUDITD_LANG=C
+#AUDITD_LANG=en_US
+#AUDITD_LANG=en_US.UTF-8

sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3

@@ -0,0 +1,90 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands='reload reload_auditd reload_rules'
+description='Linux Auditing System'
+description_reload='Reload daemon configuration and rules'
+description_reload_rules='Reload daemon rules'
+description_reload_auditd='Reload daemon configuration'
+
+name='auditd'
+pidfile='/var/run/auditd.pid'
+command='/sbin/auditd'
+
+start_auditd() {
+	# Env handling taken from the upstream init script
+	if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
+		unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+	else
+		LANG="$AUDITD_LANG"
+		LC_TIME="$AUDITD_LANG"
+		LC_ALL="$AUDITD_LANG"
+		LC_MESSAGES="$AUDITD_LANG"
+		LC_NUMERIC="$AUDITD_LANG"
+		LC_MONETARY="$AUDITD_LANG"
+		LC_COLLATE="$AUDITD_LANG"
+		export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+	fi
+	unset HOME MAIL USER USERNAME
+
+	ebegin "Starting ${name}"
+	start-stop-daemon \
+		--start --quiet --pidfile ${pidfile} \
+		--exec ${command} -- ${EXTRAOPTIONS}
+	local ret=$?
+	eend $ret
+	return $ret
+}
+
+stop_auditd() {
+	ebegin "Stopping ${name}"
+	start-stop-daemon --stop --quiet --pidfile ${pidfile}
+	local ret=$?
+	eend $ret
+	return $ret
+}
+
+loadfile() {
+	local rules="$1"
+	if [ -n "${rules}" -a -f "${rules}" ]; then
+		einfo "Loading audit rules from ${rules}"
+		/sbin/auditctl -R "${rules}" >/dev/null
+		return $?
+	else
+		return 0
+	fi
+}
+
+start() {
+	start_auditd
+	local ret=$?
+	if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
+		loadfile "${RULEFILE_STARTUP}"
+	fi
+	return $ret
+}
+
+reload_rules() {
+	loadfile "${RULEFILE_STARTUP}"
+}
+
+reload_auditd() {
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP \
+	    --exec "${command}" --pidfile "${pidfile}"
+	eend $?
+}
+
+reload() {
+	reload_auditd
+	reload_rules
+}
+
+stop() {
+	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
+	stop_auditd
+	local ret=$?
+	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
+	return $ret
+}

sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml

@@ -9,8 +9,10 @@
 	</maintainer>
 	<use>
 		<flag name="gssapi">Enable GSSAPI support</flag>
+		<flag name="io-uring">Enable support for io-uring. Doesn't need the library but needs at least kernel 5.1.</flag>
 	</use>
 	<upstream>
 		<remote-id type="github">linux-audit/audit-userspace</remote-id>
+		<remote-id type="cpe">cpe:/a:linux:audit</remote-id>
 	</upstream>
 </pkgmetadata>