diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 006e5ab99b..1e521d54ff 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -186,6 +186,7 @@ dev-lang/perl
dev-lang/python
dev-lang/python-exec
dev-lang/python-exec-conf
+dev-lang/swig
dev-lang/yasm
dev-libs/cJSON
@@ -565,6 +566,7 @@ sys-libs/zlib
sys-power/acpid
+sys-process/audit
sys-process/lsof
sys-process/procps
sys-process/psmisc
diff --git a/changelog/updates/2024-03-01-selinux-followup.md b/changelog/updates/2024-03-01-selinux-followup.md
new file mode 100644
index 0000000000..8fbda6efe1
--- /dev/null
+++ b/changelog/updates/2024-03-01-selinux-followup.md
@@ -0,0 +1,3 @@
+- policycoreutils ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
+- libsemanage ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
+- audit ([3.1.1](https://github.com/linux-audit/audit-userspace/releases/tag/v3.1.1))
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/99-flatcar-bcc b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/bash/99-flatcar-bcc
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/99-flatcar-bcc
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/bash/99-flatcar-bcc
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp-environment.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp-environment.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp-environment.conf
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp-environment.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp.conf
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntpd-always-restart.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntpd-always-restart.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntpd-always-restart.conf
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntpd-always-restart.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-ssh.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-ssh.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/no-trigger-limit-burst.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/no-trigger-limit-burst.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux/10-var-lib-selinux.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux/10-var-lib-selinux.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux/config
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux/config
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
similarity index 71%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
index 79aae29e95..e0688455e7 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
@@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
LICENSE='Apache-2.0'
SLOT='0'
KEYWORDS='amd64 arm64'
-IUSE="openssh ntp"
+IUSE="audit ntp openssh policycoreutils"
# No source directory.
S="${WORKDIR}"
@@ -23,15 +23,17 @@ S="${WORKDIR}"
# net-misc/openssh must be installed on host for enabling its unit to
# work during installation.
DEPEND="
- openssh? ( >=net-misc/openssh-9.4_p1 )
+ openssh? ( >=net-misc/openssh-9.4_p1 )
"
# Versions listed below are version of packages that shedded the
# modifications in their ebuilds.
RDEPEND="
- ${DEPEND}
- >=app-shells/bash-5.2_p15-r2
- ntp? ( >=net-misc/ntp-4.2.8_p17 )
+ ${DEPEND}
+ >=app-shells/bash-5.2_p15-r2
+ ntp? ( >=net-misc/ntp-4.2.8_p17 )
+ policycoreutils? ( >=sys-apps/policycoreutils-3.6 )
+ audit? ( >=sys-process/audit-3.1.1 )
"
declare -A CORE_BASH_SYMLINKS
@@ -98,10 +100,12 @@ src_install() {
['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
)
- if use openssh; then
+ if use audit; then
compat_symlinks+=(
- ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
- ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+ ['/usr/share/audit/rules.d/00-clear.rules']='/usr/share/flatcar/etc/audit/rules.d/00-clear.rules'
+ ['/usr/share/audit/rules.d/80-selinux.rules']='/usr/share/flatcar/etc/audit/rules.d/80-selinux.rules'
+ ['/usr/share/audit/rules.d/99-default.rules']='/usr/share/flatcar/etc/audit/rules.d/99-default.rules'
+ ['/usr/share/auditd/auditd.conf']='/usr/share/flatcar/etc/audit/auditd.conf'
)
fi
if use ntp; then
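Review bot: The new `/usr/share/auditd/auditd.conf` compat link targets `/usr/share/flatcar/etc/audit/auditd.conf`, but nothing in this ebuild installs an `auditd.conf` (the `use audit` branch later in `src_install` installs only the three rules files and the unit), so the target presumably comes from `sys-process/audit`'s own `/etc/audit/auditd.conf` after Flatcar's `/etc` relocation. If that assumption is wrong the link is dangling on the image and nothing at build time will say so. A comment above the entry naming the provider would make the dependency explicit, e.g. `# auditd.conf itself is installed by sys-process/audit into /etc/audit.`. The loop that creates these links begins at the end of this hunk and its body is outside it.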
@@ -109,6 +113,12 @@ src_install() {
['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf'
)
fi
+ if use openssh; then
+ compat_symlinks+=(
+ ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
+ ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+ )
+ fi
local link target
for link in "${!compat_symlinks[@]}"; do
@@ -121,10 +131,10 @@ src_install() {
done
insinto '/etc/selinux/'
- newins "${FILESDIR}/selinux-config" config
+ doins "${FILESDIR}/selinux/config"
insinto '/etc/bash/bashrc.d'
- doins "${FILESDIR}/99-flatcar-bcc"
+ doins "${FILESDIR}/bash/99-flatcar-bcc"
insinto '/usr/share/flatcar'
# The "oems" folder should contain a file "$OEMID" for each expected OEM sysext and
@@ -148,27 +158,52 @@ src_install() {
fowners --no-dereference 500:500 "${link}"
done
+ if use audit; then
+ # Install our rules.
+ insinto /etc/audit/rules.d
+ for name in 00-clear.rules 80-selinux.rules 99-default.rules; do
+ doins "${FILESDIR}/audit/${name}"
+ # Upstream wants these to have restrictive perms.
+ fperms 0640 "/etc/audit/rules.d/${name}"
+ done
+ # Install a service that loads the rules (it's possibly
+ # something that a deamon does, but in our case the daemon is
+ # disabled by default).
+ systemd_dounit "${FILESDIR}/audit/audit-rules.service"
+ systemd_enable_service multi-user.target audit-rules.service
+ fi
+
+ if use ntp; then
+ insinto /etc
+ doins "${FILESDIR}/ntp/ntp.conf"
+ misc_files_install_dropin ntpd.service "${FILESDIR}/ntp/ntpd-always-restart.conf"
+ misc_files_install_dropin ntpdate.service "${FILESDIR}/ntp/ntp-environment.conf"
+ misc_files_install_dropin sntp.service "${FILESDIR}/ntp/ntp-environment.conf"
+ fi
+
if use openssh; then
# Install our configuration snippets.
insinto /etc/ssh/ssh_config.d
- doins "${FILESDIR}/50-flatcar-ssh.conf"
+ doins "${FILESDIR}/openssh/50-flatcar-ssh.conf"
insinto /etc/ssh/sshd_config.d
- doins "${FILESDIR}/50-flatcar-sshd.conf"
+ doins "${FILESDIR}/openssh/50-flatcar-sshd.conf"
# Install our socket drop-in file that disables the rate
# limiting on the sshd socket.
- misc_files_install_dropin sshd.socket "${FILESDIR}/no-trigger-limit-burst.conf"
+ misc_files_install_dropin sshd.socket "${FILESDIR}/openssh/no-trigger-limit-burst.conf"
# Enable some sockets that aren't enabled by their own ebuilds.
systemd_enable_service sockets.target sshd.socket
fi
- if use ntp; then
- insinto /etc
- doins "${FILESDIR}/ntp.conf"
- misc_files_install_dropin ntpd.service "${FILESDIR}/ntpd-always-restart.conf"
- misc_files_install_dropin ntpdate.service "${FILESDIR}/ntp-environment.conf"
- misc_files_install_dropin sntp.service "${FILESDIR}/ntp-environment.conf"
+ if use policycoreutils; then
+ # Exceptionally, the location for policy definitions is set up
+ # in profiles/coreos/base/profile.bashrc. See the comment for
+ # cros_post_src_install_set_up_var_lib_selinux for reasoning.
+ #
+ # Recreate the symlink in /var in case of wiping the root
+ # filesystem.
+ dotmpfiles "${FILESDIR}/selinux/10-var-lib-selinux.conf"
fi
# Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/...
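Review bot: `fperms 0640` is applied to each rules file, but the enclosing `/etc/audit/rules.d` is created by `insinto` with the default 0755, whereas upstream audit's install creates `/etc/audit` and `/etc/audit/rules.d` as 0750 if I remember right, so that unprivileged users cannot even list which rule sets are loaded. Adding `fperms 0750 /etc/audit/rules.d` after the loop would match the "restrictive perms" intent stated in the comment; if `sys-process/audit` already owns that directory with 0750 the extra `fperms` is harmless. Separately, the loop variable `name` is not declared `local`, unlike `link target` a few lines earlier in this function, so `local name` before the loop keeps it out of the ebuild's global scope. `src_install` starts before this hunk.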
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit
new file mode 100644
index 0000000000..dc9b3ac4bf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit
@@ -0,0 +1,11 @@
+# Do not install Gentoo-provided audit rules, we will install our own
+# in coreos-base/misc-files.
+INSTALL_MASK+="
+/etc/audit/audit.rules*
+"
+
+# Do not install legacy initscripts stuff
+INSTALL_MASK+="
+/usr/libexec/audit-functions
+/usr/libexec/initscripts
+"
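Review bot: The mask hides `/etc/audit/audit.rules*` but not `/etc/audit/rules.d/`, so any rules file the upstream or Gentoo install drops into `rules.d` (I believe upstream's rules Makefile installs a base set there, but have not checked whether the Gentoo ebuild keeps it) would be merged next to the `00-clear`/`80-selinux`/`99-default` set that misc-files owns and be concatenated by `augenrules` in lexical order. Since this env file applies only to `sys-process/audit`, adding `/etc/audit/rules.d/*` to the first `INSTALL_MASK+=` block masks only that package's copies and leaves the misc-files rules untouched. Worth confirming against the package's image directory from a build log before relying on it either way.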
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/README.md
new file mode 100644
index 0000000000..a3e6280660
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/README.md
@@ -0,0 +1,4 @@
+We have a patch that modifies the semanage.conf file that is
+previously modified by the Gentoo ebuild. The patch enables the
+SELinux module compression to save some disk space (the modules went
+from 33MB to 3MB).
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/compress-modules.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/compress-modules.patch
new file mode 100644
index 0000000000..488f44555d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/compress-modules.patch
@@ -0,0 +1,12 @@
+diff -r -u libsemanage-3.6-patched/src/semanage.conf libsemanage-3.6-flatcar/src/semanage.conf
+--- libsemanage-3.6-patched/src/semanage.conf 2024-02-21 14:33:06.055611733 +0100
++++ libsemanage-3.6-flatcar/src/semanage.conf 2024-02-21 14:42:13.566991009 +0100
+@@ -58,7 +58,7 @@
+ # 1-9 when compressing. The higher the number,
+ # the more memory is traded off for disk space.
+ # Set to 0 to disable bzip2 compression.
+-bzip-blocksize=0
++bzip-blocksize=1
+
+ # Reduce memory usage for bzip2 compression and
+ # decompression of modules in the module store.
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 24667fbc0d..dfd11a9693 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -150,3 +150,9 @@ sys-apps/findutils selinux
app-containers/containerd btrfs device-mapper
app-containers/docker btrfs device-mapper overlay seccomp
app-containers/docker-cli hardened
+
+# Drop python dependencies from some SELinux packages.
+#
+# The vanilla USE flag must be enabled if python is disabled.
+sys-apps/policycoreutils vanilla -python
+sys-libs/libsemanage -python
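Review bot: The comment only explains `-python`, but `vanilla` changes what is installed as well: in the new policycoreutils-3.6 ebuild the `fixfiles` removal in `src_prepare` runs only when `vanilla` is off, so the image now ships upstream's `fixfiles` script, and the `policycoreutils-extra` tarball is no longer fetched. Recording that here saves the next reader a trip through the ebuild, e.g. `# vanilla also keeps upstream's fixfiles script, which the Gentoo flavour strips.`.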
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
index 0a8c513aaf..e686af5419 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
@@ -104,6 +104,26 @@ cros_pre_pkg_postinst_no_modifications_of_users() {
export ACCT_USER_NO_MODIFY=x
}
+# sys-apps/policycoreutils creates /var/lib/selinux directory in
+# src_install and then needs it to be available when running
+# pkg_postinst, because it does a policy module rebuild there. We
+# initially have put /var/lib/selinux into INSTALL_MASK and told
+# coreos-base/misc-files to install the directory at
+# /usr/lib/selinux/policy together with a symlink at /var/lib/selinux
+# pointing to the directory. But this is done too late - at
+# sys-apps/policycoreutils' pkg_postinst time, /var/lib/selinux does
+# not exist, because coreos-base/misc-files was not yet emerged. So we
+# need to fall back to this hack, where we set up /var/lib/selinux and
+# /usr/lib/selinux/policy the way we want.
+cros_post_src_install_set_up_var_lib_selinux() {
+ if [[ ${CATEGORY} != 'sys-apps' ]] || [[ ${PN} != 'policycoreutils' ]]; then
+ return 0;
+ fi
+ dodir /usr/lib/selinux
+ mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy"
+ dosym ../../usr/lib/selinux/policy /var/lib/selinux
+}
+
# Source hooks for SLSA build provenance report generation
source "${BASH_SOURCE[0]}.slsa-provenance"
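Review bot: Neither the `mv` nor the `dosym` in `cros_post_src_install_set_up_var_lib_selinux` checks its result, so if a future policycoreutils ebuild stops creating `${ED}/var/lib/selinux` the `mv` fails quietly, `/usr/lib/selinux/policy` is never created and the `/var/lib/selinux` symlink is left dangling, which only surfaces when `pkg_postinst`'s `semodule -B` runs. Assuming `die` is usable in this hook as in the rest of the ebuild environment, `mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy" || die "failed to relocate /var/lib/selinux"` makes the failure loud at the point it happens. As a style point the guard can be a single test, `[[ ${CATEGORY}/${PN} == sys-apps/policycoreutils ]] || return 0`, which also drops the stray `;` after `return 0`.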
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
index 037aef1cc4..44fb7c9588 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
@@ -8,7 +8,9 @@ app-editors/vim minimal -crypt
app-editors/vim-core minimal
# Install our modifications and compatibility symlinks for ssh and ntp
-coreos-base/misc-files openssh ntp
+#
+# Install a SELinux policy directory symlink
+coreos-base/misc-files audit ntp openssh policycoreutils
dev-lang/python gdbm
dev-libs/dbus-glib tools
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
index cfc08315c2..8b299836d9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
@@ -1,2 +1,2 @@
-DIST policycoreutils-3.5.tar.gz 775639 BLAKE2B 777b8564484e89385db7a184c4cad9a99aabf1fd1ac41abd5826c7e6ad29118ae9d6f0d0fd968b6ced87f2f04bc6d7cd207b67428151522915367f656fb8d3f8 SHA512 7978ef6b7a278c6384c9b397734d03c4932c8aefecceaa1e6a1345be27b253dbe276fdcd219ce83ad732c6ed55d53bbc3254e39bccadd67d2cd1152a14749444
+DIST policycoreutils-3.6.tar.gz 755682 BLAKE2B a8b180c8006989192d152651dcfa51856956780bfe1139cc1dc0162eb66ba1eef4f7d64f68a48479572b02e2e97a68c7082722a745d22a9453e8378373319e3c SHA512 e1f32e6e0310b879a5aadab157b103314a61bf3b8fd59c1212d701fbf39900e3b9a0b727338988103d784a7e505355a871ba519dd91520b135a3b9dae40bf1b0
DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5 SHA512 0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
deleted file mode 100644
index 202a894257..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
+++ /dev/null
@@ -1,150 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{9..11} )
-PYTHON_REQ_USE="xml(+)"
-
-TMPFILES_OPTIONAL=1
-inherit multilib python-r1 toolchain-funcs bash-completion-r1 tmpfiles
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-EXTRAS_VER="1.37"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S1="${WORKDIR}/${P}/${PN}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
- https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="amd64 arm arm64 ~mips x86"
- S1="${WORKDIR}/${MY_P}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="audit pam split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-DEPEND=">=sys-libs/libselinux-${PV}:=
- >=sys-libs/libsemanage-${PV}:=
- >=sys-libs/libsepol-${PV}:=
- sys-libs/libcap-ng:=
- audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
- pam? ( sys-libs/pam:= )"
-
-# Avoid dependency loop in the cross-compile case, bug #755173
-# (Still exists in native)
-BDEPEND="sys-devel/gettext"
-
-# pax-utils for scanelf used by rlpkg
-RDEPEND="${DEPEND}
- app-misc/pax-utils"
-
-PDEPEND="sys-apps/semodule-utils"
-
-src_unpack() {
- # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
- default
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- fi
-}
-
-src_prepare() {
- S="${S1}"
- cd "${S}" || die "Failed to switch to ${S}"
- if [[ ${PV} != 9999 ]] ; then
- # If needed for live ebuilds please use /etc/portage/patches
- eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
- fi
-
- # rlpkg is more useful than fixfiles
- sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
- || die "fixfiles sed 1 failed"
- sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
- || die "fixfiles sed 2 failed"
-
- eapply_user
-
- sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
-}
-
-src_compile() {
- building() {
- emake -C "${BUILD_DIR}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)"
- }
- BUILD_DIR="${S1}"
- building
-}
-
-src_install() {
- # Python scripts are present in many places. There are no extension modules.
- installation-policycoreutils() {
- einfo "Installing policycoreutils"
- emake -C "${BUILD_DIR}" DESTDIR="${D}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- install
- }
-
- installation-extras() {
- einfo "Installing policycoreutils-extra"
- emake -C "${BUILD_DIR}" \
- DESTDIR="${D}" \
- install
- }
-
- BUILD_DIR="${S1}"
- installation-policycoreutils
-
-
- # remove redhat-style init script
- rm -fR "${D}/etc/rc.d" || die
-
- # compatibility symlinks
- if use split-usr; then
- dosym ../../sbin/setfiles /usr/sbin/setfiles
- else
- # remove sestatus symlink
- rm -f "${D}"/usr/sbin/sestatus || die
- fi
-
- bashcomp_alias setsebool getsebool
-
- dodir /usr/lib/selinux/policy
- dosym ../../usr/lib/selinux/policy /var/lib/selinux
- keepdir /usr/lib/selinux/policy
-
- # Recreate the symlink in /var in case of wiping the root filesystem.
- dotmpfiles "${FILESDIR}/tmpfiles.d/10-var-lib-selinux.conf"
-}
-
-pkg_postinst() {
- for POLICY_TYPE in ${POLICY_TYPES} ; do
- # There have been some changes to the policy store, rebuilding now.
- # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
- semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
- done
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
new file mode 100644
index 0000000000..1def5f4a4e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
@@ -0,0 +1,210 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+PYTHON_COMPAT=( python3_{10..11} )
+PYTHON_REQ_USE="xml(+)"
+
+inherit python-r1 toolchain-funcs bash-completion-r1
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+EXTRAS_VER="1.37"
+
+DESCRIPTION="SELinux core utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
+
+if [[ ${PV} == 9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
+ SRC_URI="!vanilla? ( https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2 )"
+ S1="${WORKDIR}/${P}/${PN}"
+ S2="${WORKDIR}/policycoreutils-extra"
+ S="${S1}"
+else
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
+ !vanilla? ( https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2 )"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
+ S1="${WORKDIR}/${MY_P}"
+ S2="${WORKDIR}/policycoreutils-extra"
+ S="${S1}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="audit pam split-usr vanilla +python"
+REQUIRED_USE="
+ !vanilla? ( python ${PYTHON_REQUIRED_USE} )
+"
+
+DEPEND="
+ python? (
+ >=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
+ >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
+ audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
+ ${PYTHON_DEPS}
+ )
+ !python? (
+ >=sys-libs/libselinux-${PV}:=
+ >=sys-libs/libsemanage-${PV}:=
+ audit? ( >=sys-process/audit-1.5.1 )
+ )
+ >=sys-libs/libsepol-${PV}:=
+ sys-libs/libcap-ng:=
+ pam? ( sys-libs/pam:= )
+ !vanilla? (
+ >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
+ )
+"
+
+# Avoid dependency loop in the cross-compile case, bug #755173
+# (Still exists in native)
+BDEPEND="sys-devel/gettext"
+
+# pax-utils for scanelf used by rlpkg
+RDEPEND="${DEPEND}
+ app-misc/pax-utils"
+
+PDEPEND="sys-apps/semodule-utils
+ python? ( sys-apps/selinux-python )"
+
+src_unpack() {
+ # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
+ default
+ if [[ ${PV} == 9999 ]] ; then
+ git-r3_src_unpack
+ fi
+}
+
+src_prepare() {
+ S="${S1}"
+ cd "${S}" || die "Failed to switch to ${S}"
+ if [[ ${PV} != 9999 ]] ; then
+ # If needed for live ebuilds please use /etc/portage/patches
+ eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
+ fi
+
+ if ! use vanilla; then
+ # rlpkg is more useful than fixfiles
+ sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
+ || die "fixfiles sed 1 failed"
+ sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
+ || die "fixfiles sed 2 failed"
+ fi
+
+ eapply_user
+
+ sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
+
+ if ! use vanilla; then
+ python_copy_sources
+ # Our extra code is outside the regular directory, so set it to the extra
+ # directory. We really should optimize this as it is ugly, but the extra
+ # code is needed for Gentoo at the same time that policycoreutils is present
+ # (so we cannot use an additional package for now).
+ S="${S2}"
+ python_copy_sources
+ fi
+}
+
+src_compile() {
+ building() {
+ local build_dir=${1}
+ emake -C "${build_dir}" \
+ AUDIT_LOG_PRIVS="y" \
+ AUDITH="$(usex audit y n)" \
+ PAMH="$(usex pam y n)" \
+ SESANDBOX="n" \
+ CC="$(tc-getCC)" \
+ LIBDIR="\$(PREFIX)/$(get_libdir)"
+ }
+ if ! use vanilla; then
+ building_with_python() {
+ building "${BUILD_DIR}"
+ }
+ S="${S1}" # Regular policycoreutils
+ python_foreach_impl building_with_python
+ S="${S2}" # Extra set
+ python_foreach_impl building_with_python
+ unset -f building_with_python
+ else
+ S="${S1}" # Regular policycoreutils
+ building "${S}"
+ fi
+ unset -f building
+}
+
+src_install() {
+ installation-policycoreutils-base() {
+ local build_dir=${1}
+ einfo "Installing policycoreutils"
+ emake -C "${build_dir}" DESTDIR="${D}" \
+ AUDIT_LOG_PRIVS="y" \
+ AUDITH="$(usex audit y n)" \
+ PAMH="$(usex pam y n)" \
+ SESANDBOX="n" \
+ CC="$(tc-getCC)" \
+ LIBDIR="\$(PREFIX)/$(get_libdir)" \
+ install
+ }
+
+ if ! use vanilla; then
+ # Python scripts are present in many places. There are no extension modules.
+ installation-policycoreutils() {
+ installation-policycoreutils-base "${BUILD_DIR}"
+ python_optimize
+ }
+
+ installation-extras() {
+ einfo "Installing policycoreutils-extra"
+ emake -C "${BUILD_DIR}" \
+ DESTDIR="${D}" \
+ install
+ python_optimize
+ }
+
+ S="${S1}" # policycoreutils
+ python_foreach_impl installation-policycoreutils
+ S="${S2}" # extras
+ python_foreach_impl installation-extras
+ S="${S1}" # back for later
+ unset -f installation-extras installation-policycoreutils
+ else
+ S="${S1}" # policycoreutils
+ installation-policycoreutils-base "${S}"
+ fi
+ unset -f installation-policycoreutils-base
+
+ # remove redhat-style init script
+ rm -fR "${D}/etc/rc.d" || die
+
+ # compatibility symlinks
+ if use split-usr; then
+ dosym ../../sbin/setfiles /usr/sbin/setfiles
+ else
+ # remove sestatus symlink
+ rm -f "${D}"/usr/sbin/sestatus || die
+ fi
+
+ bashcomp_alias setsebool getsebool
+
+ # location for policy definitions
+ dodir /var/lib/selinux
+ keepdir /var/lib/selinux
+
+ if ! use vanilla; then
+ # Set version-specific scripts
+ for pyscript in rlpkg; do
+ python_replicate_script "${ED}/usr/sbin/${pyscript}"
+ done
+ fi
+}
+
+pkg_postinst() {
+ for POLICY_TYPE in ${POLICY_TYPES} ; do
+ # There have been some changes to the policy store, rebuilding now.
+ # https://marc.info/?l=selinux&m=143757277819717&w=2
+ einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+ semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ done
+}
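Review bot: In `src_install` the `dodir /var/lib/selinux` immediately before `keepdir /var/lib/selinux` is redundant, because `keepdir` creates the directory itself; dropping the `dodir` leaves behaviour unchanged. The `for pyscript in rlpkg` loop variable is not `local`, unlike `build_dir` in the helpers above, so `local pyscript` before the loop keeps it out of the global ebuild scope. The `|| die` in `pkg_postinst` fires after the package has already been merged, so a failed `semodule -B` aborts the emerge but leaves the package installed with a stale policy store; if that is the intended trade-off it deserves a comment such as `# A failure here leaves the package merged; the store must then be rebuilt by hand.`.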
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
index 11ffe4e62f..00164c9e9c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
@@ -1 +1 @@
-DIST libsemanage-3.5.tar.gz 185060 BLAKE2B 3e08b15cb6b335a2747bd5f0bd84f74abdd22a7e8ec91ebb443ca6fe3886d5e8cd2827fefdaa0e9caf2af3280cffbf593ee828fee54dd423a21b257493cc754c SHA512 959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751
+DIST libsemanage-3.6.tar.gz 182583 BLAKE2B 3ed9ef06601093983fa41ad6ab9f7eeae241dce98937db04efca6f421afcfd3f59cf5e51d24c596ae03997a398949ed84fbdf629518e3c382a5453129b0a87ab SHA512 8998b6a1b254a9673b99ae4d70a1edc769bb728a44f573cdf62e0a9c9392b77644ee2d70e1936a2f8a9a7f8b063ce98a981f4b8b7060f5b82791889330d69364
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/libsemanage-extra-config.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/libsemanage-extra-config.patch
new file mode 100644
index 0000000000..ecd0ffd920
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/libsemanage-extra-config.patch
@@ -0,0 +1,30 @@
+diff -r -u libsemanage-3.6/src/semanage.conf libsemanage-3.6-patched/src/semanage.conf
+--- libsemanage-3.6/src/semanage.conf 2023-12-13 15:46:22.000000000 +0100
++++ libsemanage-3.6-patched/src/semanage.conf 2024-02-21 14:33:06.055611733 +0100
+@@ -40,3 +40,26 @@
+ # By default, semanage will generate policies for the SELinux target.
+ # To build policies for Xen, uncomment the following line.
+ #target-platform = xen
++
++# Set this to true to save the linked policy.
++# This is normally only useful for analysis
++# or debugging of policy.
++save-linked=false
++
++# Set this to 0 to disable assertion checking.
++# This should speed up building the kernel policy
++# from policy modules, but may leave you open to
++# dangerous rules which assertion checking
++# would catch.
++expand-check=1
++
++# Modules in the module store can be compressed
++# with bzip2. Set this to the bzip2 blocksize
++# 1-9 when compressing. The higher the number,
++# the more memory is traded off for disk space.
++# Set to 0 to disable bzip2 compression.
++bzip-blocksize=0
++
++# Reduce memory usage for bzip2 compression and
++# decompression of modules in the module store.
++bzip-small=true
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild
similarity index 50%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild
index 0dee8f4dd8..3de4516643 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild
@@ -1,8 +1,8 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
inherit python-r1 toolchain-funcs multilib-minimal
@@ -24,47 +24,36 @@ fi
LICENSE="GPL-2"
SLOT="0/2"
+IUSE="+python"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}]
+RDEPEND="
+ app-arch/bzip2[${MULTILIB_USEDEP}]
>=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
>=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}]
- >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]"
-
+ >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
+ python? ( ${PYTHON_DEPS} )
+"
DEPEND="${RDEPEND}"
-BDEPEND="sys-devel/bison
- sys-devel/flex"
+BDEPEND="
+ app-alternatives/yacc
+ app-alternatives/lex
+ python? (
+ >=dev-lang/swig-2.0.4-r1
+ virtual/pkgconfig
+ )
+"
# tests are not meant to be run outside of the
# full SELinux userland repo
RESTRICT="test"
+PATCHES=(
+ "${FILESDIR}/libsemanage-extra-config.patch"
+)
+
src_prepare() {
- eapply_user
-
- echo >> "${S}/src/semanage.conf"
- echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf"
- echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf"
- echo "# or debugging of policy." >> "${S}/src/semanage.conf"
- echo "save-linked=false" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf"
- echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf"
- echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf"
- echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf"
- echo "# would catch." >> "${S}/src/semanage.conf"
- echo "expand-check=1" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf"
- echo "# with bzip2. Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf"
- echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf"
- echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf"
- echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf"
- echo "bzip-blocksize=1" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf"
- echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf"
- echo "bzip-small=true" >> "${S}/src/semanage.conf"
-
+ default
multilib_copy_sources
}
@@ -76,14 +65,43 @@ multilib_src_compile() {
CC="$(tc-getCC)" \
LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
all
+
+ if use python && multilib_is_native_abi; then
+ building_py() {
+ emake \
+ AR="$(tc-getAR)" \
+ CC="$(tc-getCC)" \
+ PKG_CONFIG="$(tc-getPKG_CONFIG)" \
+ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+ "$@"
+ }
+ python_foreach_impl building_py swigify
+ python_foreach_impl building_py pywrap
+ fi
}
multilib_src_install() {
emake \
LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- SHLIBDIR="/usr/$(get_libdir)" \
- DESTDIR="${ED}" \
- install
+ DESTDIR="${ED}" install
+
+ if use python && multilib_is_native_abi; then
+ installation_py() {
+ emake DESTDIR="${ED}" \
+ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+ PKG_CONFIG="$(tc-getPKG_CONFIG)" \
+ install-pywrap
+ python_optimize # bug 531638
+ }
+ python_foreach_impl installation_py
+ fi
+}
+
+multiib_src_install_all() {
+ if use python; then
+ python_setup
+ python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store
+ fi
}
pkg_postinst() {
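Review bot: The added function name `multiib_src_install_all` is misspelled, so the multilib-minimal eclass inherited on this ebuild's `inherit` line will not find it and `python_fix_shebang` is never applied to `semanage_migrate_store` under USE=python; change the line to `multilib_src_install_all() {`. The typo is silent because defining an unused function is not an error in an ebuild, which is why a build passes. `pkg_postinst` begins on the last line of the hunk and its body is outside it.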
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml
index 861770703d..6de2a0cea8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml
@@ -7,5 +7,6 @@
SELinuxProject/selinux
+ cpe:/a:selinuxproject:libsemanage
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest
deleted file mode 100644
index 8fde549680..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST audit-3.0.6.tar.gz 1190011 BLAKE2B 93a7efad1cbea6771a73222b05aacbabc4ac61d1efb9fc2532607a94804bcac6512d0be2f4d89aa62d94fb85ba5818ffae4bf0a72676e8d549ddbec766e83e9c SHA512 74734e1b1fddea086db9c5dc8c4b7817917fdf17bc7ca4e5b440aae975484d020a17c3f485f6a37b6b150a307d809e50d559d31a8cbd6f1e554933719551bcd1
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
deleted file mode 100644
index 20ef8bab00..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
+++ /dev/null
@@ -1,24 +0,0 @@
-This is a fork of gentoo's `sys-process/audit` package. The main
-reasons for having our fork seem to be:
-
-1. We have our own audit rules (see files in `files/rules.d`
- directory).
-
- - These seem to be mostly similar to what gentoo provides, but split
- into several files and they have an additional rule for SELinux
- events.
-
- - We also install it in a different place and place symlinks with
- systemd's tmpfiles functionality.
-
-2. We install a systemd service that loads our rules at startup.
-
-3. We build and install only a subset of binaries in the project.
- Namely, we skip all the daemon stuff that puts the logs in
- `/var/log/audit` and some tools that process those logs. Since
- audit logs are also written to journal, writing them to disk seems
- redundant, thus auditd and the tools seem to be unnecessary. This
- also reduces the final image size a bit.
-
-4. Since we do not install the daemon, we don't do the permissions
- lockdown on some auditd files.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
deleted file mode 100644
index b7f9530cca..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
+++ /dev/null
@@ -1,6 +0,0 @@
-d /etc/audit 750 - - - -
-C /etc/audit/auditd.conf 640 - - - /usr/share/auditd/auditd.conf
-d /etc/audit/rules.d 750 - - - -
-L /etc/audit/rules.d/00-clear.rules 640 - - - /usr/share/audit/rules.d/00-clear.rules
-L /etc/audit/rules.d/80-selinux.rules 640 - - - /usr/share/audit/rules.d/80-selinux.rules
-L /etc/audit/rules.d/99-default.rules 640 - - - /usr/share/audit/rules.d/99-default.rules
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest b/sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest
index f6a6294670..d6c7d753b6 100644
--- a/sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest
@@ -1,3 +1,2 @@
-DIST swig-3.0.12.tar.gz 8149820 BLAKE2B 05ce913dedbbde26592619e0edc65050cb31a517f309c1188252cb8c276147cb28ebf4d8534c31b75c4ed8be5d42223b432a7318bf8eb5b2d4d528e5ff9a781b SHA512 5eaa2e06d8e4197fd02194051db1e518325dbb074a4c55a91099ad9c55193874f577764afc9029409a41bd520a95154095f26e33ef5add5c102bb2c1d98d33eb
-DIST swig-4.0.0.tar.gz 8052518 BLAKE2B a34eb17d795ba5b34ea7362f8f07d6a6e82fd4394a0159fcf608ffb27580f37fc722c4907f1fd6fa3322663662f8e11fecbcb2bc7b90405834ef35d6218d65c7 SHA512 c897b87fb8b21caf8d1bee2c39cb9675a3b0ee047110e808c310a2787f8b89585738726e9f517c64e9d2f1b8311136365c569528f399b444b1081f69689b7165
-DIST swig-4.0.2.tar.gz 8097014 BLAKE2B 4c36b7e9b9bf1663779aa31b0eda8a1fe443695d945bcc1642c3404b22e45440def85e58dd65dc18a2ca8c00ffdcfe0f1d75373b7becc0b0e5402fda90b8c29a SHA512 05e7da70ce6d9a733b96c0bcfa3c1b82765bd859f48c74759bbf4bb1467acb1809caa310cba5e2b3280cd704fca249eaa0624821dffae1d2a75097c7f55d14ed
+DIST swig-4.1.1.tar.gz 8600805 BLAKE2B 898d3405f20c3e49626fb808b568e77c69b81ec2401c0a0c406f9e7a3d7d218353dc8b8ae88a3d485ddfc3be659971b961ee2c89d5b0c75aed0688e0952fd208 SHA512 1cea1918455a75ebc9b2653dd1715bd5dcd974554955f324295c6a6f14c0a715651b221b85fad4a8af5197e0c75bfe7b590bc6ba7178c26245fbbd9a7e110100
+DIST swig-4.2.0.tar.gz 8339586 BLAKE2B 4f1c3c7d4b1e218b67a2d796d2171df73971036a433e5fb80233b3050f022d578efdff28fc44d98a6d176ec6270b4942f5f56e9a74bbd8b30d6836c76c620a04 SHA512 b7f508b25bc6e882ed6123f6c7ad12b02a7b74de09ac6e5789968e9c2f51407d1e3dafd5ea495087b4fb0f447ecce17e6070471479c67c4265166d8342a10862
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/files/swig-4.1.1-ccache-configure-clang16.patch b/sdk_container/src/third_party/portage-stable/dev-lang/swig/files/swig-4.1.1-ccache-configure-clang16.patch
new file mode 100644
index 0000000000..b2fefd1356
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/swig/files/swig-4.1.1-ccache-configure-clang16.patch
@@ -0,0 +1,32 @@
+https://github.com/swig/swig/pull/2483
+
+From 784dfc917e99429bdbb70fb9dd80c16dfeb73659 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Thu, 12 Jan 2023 17:49:40 +0100
+Subject: [PATCH] CCache: Do not rely on C89-only features in configure.ac
+
+Add missing #include directives to obtain additional function
+prototypes. This avoids altering the result of this test with C99
+compilers which do not support implicit function declarations.
+--- a/CCache/configure.ac
++++ b/CCache/configure.ac
+@@ -63,6 +63,9 @@ AC_CACHE_CHECK([for C99 vsnprintf],ccache_cv_HAVE_C99_VSNPRINTF,[
+ AC_RUN_IFELSE([AC_LANG_SOURCE([[
+ #include
+ #include
++#include
++#include
++#include
+ void foo(const char *format, ...) {
+ va_list ap;
+ int len;
+@@ -77,7 +80,7 @@ void foo(const char *format, ...) {
+
+ exit(0);
+ }
+-main() { foo("hello"); }
++int main(void) { foo("hello"); }
+ ]])],[ccache_cv_HAVE_C99_VSNPRINTF=yes],[ccache_cv_HAVE_C99_VSNPRINTF=no],[ccache_cv_HAVE_C99_VSNPRINTF=cross])])
+ if test x"$ccache_cv_HAVE_C99_VSNPRINTF" = x"yes"; then
+ AC_DEFINE(HAVE_C99_VSNPRINTF, 1, [ ])
+
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-3.0.12.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-3.0.12.ebuild
deleted file mode 100644
index fc8b43deec..0000000000
--- a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-3.0.12.ebuild
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-DESCRIPTION="Simplified Wrapper and Interface Generator"
-HOMEPAGE="http://www.swig.org/"
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-3+ BSD BSD-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="ccache doc pcre"
-RESTRICT="test"
-
-DEPEND="pcre? ( dev-libs/libpcre )
- ccache? ( sys-libs/zlib )"
-RDEPEND="${DEPEND}"
-
-DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO )
-
-src_configure() {
- econf \
- $(use_enable ccache) \
- $(use_with pcre)
-}
-
-src_install() {
- default
-
- if use doc; then
- docinto html
- dodoc -r Doc/{Devel,Manual}
- fi
-}
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.0.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.0.ebuild
deleted file mode 100644
index 088cf9af84..0000000000
--- a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.0.ebuild
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit toolchain-funcs
-
-DESCRIPTION="Simplified Wrapper and Interface Generator"
-HOMEPAGE="http://www.swig.org/"
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-3+ BSD BSD-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="ccache doc pcre"
-RESTRICT="test"
-
-RDEPEND="
- pcre? ( dev-libs/libpcre )
- ccache? ( sys-libs/zlib )
-"
-DEPEND="
- ${RDEPEND}
-"
-BDEPEND="virtual/pkgconfig"
-
-DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO )
-
-src_prepare() {
- default
- # https://github.com/swig/swig/pull/1796
- sed -i \
- -e '/if pkg-config javascriptcoregtk-1.0/s:pkg-config:$PKGCONFIG:' \
- configure || die
-}
-
-src_configure() {
- econf \
- PKGCONFIG="$(tc-getPKG_CONFIG)" \
- $(use_enable ccache) \
- $(use_with pcre)
-}
-
-src_install() {
- default
-
- if use doc; then
- docinto html
- dodoc -r Doc/{Devel,Manual}
- fi
-}
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.1.1-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.1.1-r1.ebuild
new file mode 100644
index 0000000000..77019af764
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.1.1-r1.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools toolchain-funcs
+
+DESCRIPTION="Simplified Wrapper and Interface Generator"
+HOMEPAGE="http://www.swig.org/ https://github.com/swig/swig"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-3+ BSD BSD-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="ccache doc pcre test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ pcre? ( dev-libs/libpcre2 )
+ ccache? ( sys-libs/zlib )
+"
+DEPEND="
+ ${RDEPEND}
+ test? ( dev-libs/boost )
+"
+BDEPEND="virtual/pkgconfig"
+
+DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO )
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-4.1.1-ccache-configure-clang16.patch
+)
+
+src_prepare() {
+ default
+
+ # Only needed for Clang 16 patch
+ ln -s "${S}"/Tools CCache/ || die
+ AT_M4DIR="Tools/config" eautoreconf
+}
+
+src_configure() {
+ econf \
+ PKGCONFIG="$(tc-getPKG_CONFIG)" \
+ $(use_enable ccache) \
+ $(use_with pcre)
+}
+
+src_test() {
+ # The tests won't get run w/o an explicit call, broken Makefiles?
+ emake check
+}
+
+src_install() {
+ default
+
+ if use doc; then
+ docinto html
+ dodoc -r Doc/{Devel,Manual}
+ fi
+}
diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.2.0.ebuild
similarity index 58%
rename from sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.2.ebuild
rename to sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.2.0.ebuild
index b52bf56727..168ccf98d9 100644
--- a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.2.0.ebuild
@@ -1,7 +1,7 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
inherit toolchain-funcs
@@ -11,15 +11,18 @@ SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
LICENSE="GPL-3+ BSD BSD-2"
SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="ccache doc pcre"
-RESTRICT="test"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="ccache doc pcre test"
+RESTRICT="!test? ( test )"
RDEPEND="
- pcre? ( dev-libs/libpcre )
+ pcre? ( dev-libs/libpcre2 )
ccache? ( sys-libs/zlib )
"
-DEPEND="${RDEPEND}"
+DEPEND="
+ ${RDEPEND}
+ test? ( dev-libs/boost )
+"
BDEPEND="virtual/pkgconfig"
DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO )
@@ -31,6 +34,11 @@ src_configure() {
$(use_with pcre)
}
+src_test() {
+ # The tests won't get run w/o an explicit call, broken Makefiles?
+ emake check
+}
+
src_install() {
default
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest b/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest
new file mode 100644
index 0000000000..947ffaef62
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest
@@ -0,0 +1,2 @@
+DIST audit-3.1.1.tar.gz 1218111 BLAKE2B a804684e438efc5f35b387708b3dc91bf857eeb56624261e0f75543556c436bfe638b792f63289f049c11541b10b2dc0e9f17b22f44b913da0168b1cf20684fc SHA512 4917970cc4c7f786c464a6d101bf66d55d55ac4716cf415ff97177f08176a6301e946716d28cf5b16054538469b3140b97db99d55a28686a9a807eea60c070f3
+DIST audit-3.1.2.tar.gz 1219860 BLAKE2B dfdec470bf12cce6c570b3d260e65e2b49e8ac0761e6a6fbf7b4f4a57f92e88367cd74bfcb88e6d718619b88fea27ce963a977c9f4346c95d18a5310e217accb SHA512 a97003a294ed3671df01e2952688e7d5eef59a35f6891feb53e67c4c7eab9ae8c2d18de41a5b5b20e0ad7156fac93aec05f32f6bc5eea706b42b6f27f676446a
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild
similarity index 51%
rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild
index 846a0db491..ab8e362008 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild
@@ -1,13 +1,15 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
-# Flatcar: Support python 3.6.
-PYTHON_COMPAT=( python3_{6..11} )
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide)
+# on bumps (or if hitting a bug) to see what they've done there.
-TMPFILES_OPTIONAL=1
-inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
DESCRIPTION="Userspace utilities for storing and processing auditing records"
HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
@@ -15,24 +17,34 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
LICENSE="GPL-2+ LGPL-2.1+"
SLOT="0"
-# Flatcar: Build amd64 and arm64 by default.
-KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="gssapi ldap python static-libs test"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="gssapi io-uring ldap python static-libs test"
REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
RESTRICT="!test? ( test )"
-RDEPEND="gssapi? ( virtual/krb5 )
- ldap? ( net-nds/openldap )
+RDEPEND="
sys-libs/libcap-ng
- python? ( ${PYTHON_DEPS} )"
-DEPEND="${RDEPEND}
+ gssapi? ( virtual/krb5 )
+ ldap? ( net-nds/openldap:= )
+ python? ( ${PYTHON_DEPS} )
+"
+DEPEND="
+ ${RDEPEND}
>=sys-kernel/linux-headers-2.6.34
- test? ( dev-libs/check )"
-BDEPEND="python? ( dev-lang/swig:0 )"
+ test? ( dev-libs/check )
+"
+BDEPEND="python? ( dev-lang/swig )"
CONFIG_CHECK="~AUDIT"
+PATCHES=(
+ # See bug #836702 before removing / verify builds fine w/ USE=python
+ # with latest kernel headers.
+ "${FILESDIR}"/${PN}-3.0.8-linux-headers-5.17.patch
+ "${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch
+)
+
src_prepare() {
# audisp-remote moved in multilib_src_install_all
sed -i \
@@ -40,51 +52,48 @@ src_prepare() {
audisp/plugins/remote/au-remote.conf || die
# Disable installing sample rules so they can be installed as docs.
- echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null
-
- # Flatcar: Some legacy stuff is being installed when systemd
- # is enabled. Drop all the lines that try doing it.
- sed -e '/${DESTDIR}${initdir}/d' \
- -e '/${DESTDIR}${legacydir}/d' \
- -i init.d/Makefile.am || die
- # Flatcar: Do not build daemon stuff.
- sed -e '/^sbin_PROGRAMS =/s/aureport//' \
- -e '/^sbin_PROGRAMS =/s/ausearch//' \
- -i src/Makefile.am || die
+ echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die
default
eautoreconf
}
multilib_src_configure() {
- local -a myeconfargs=(
- --sbindir="${EPREFIX}/sbin"
+ local myeconfargs=(
+ --sbindir="${EPREFIX}"/sbin
$(use_enable gssapi gssapi-krb5)
$(use_enable ldap zos-remote)
$(use_enable static-libs static)
+ $(use_with io-uring io_uring)
--enable-systemd
--without-golang
+ --without-libwrap
--without-python
--without-python3
)
- ECONF_SOURCE=${S} econf "${myeconfargs[@]}"
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
if multilib_is_native_abi && use python; then
python_configure() {
- mkdir -p "${BUILD_DIR}"
+ mkdir -p "${BUILD_DIR}" || die
pushd "${BUILD_DIR}" &>/dev/null || die
- ECONF_SOURCE=${S} econf "${myeconfargs[@]}" --with-python3
+
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3
+
popd &>/dev/null || die
}
+
python_foreach_impl python_configure
fi
}
src_configure() {
tc-export_build_env BUILD_{CC,CPP}
+
local -x CC_FOR_BUILD="${BUILD_CC}"
local -x CPP_FOR_BUILD="${BUILD_CPP}"
+
multilib-minimal_src_configure
}
@@ -93,10 +102,12 @@ multilib_src_compile() {
default
local native_build="${BUILD_DIR}"
+
python_compile() {
emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
}
+
use python && python_foreach_impl python_compile
else
emake -C common
@@ -110,14 +121,16 @@ multilib_src_install() {
emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
local native_build="${BUILD_DIR}"
+
python_install() {
emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
python_optimize
}
+
use python && python_foreach_impl python_install
- # things like shadow use this so we need to be in /
+ # Things like shadow use this so we need to be in /
gen_usr_ldscript -a audit auparse
else
emake -C lib DESTDIR="${D}" install
@@ -129,35 +142,24 @@ multilib_src_install_all() {
dodoc AUTHORS ChangeLog README* THANKS
docinto contrib
dodoc contrib/avc_snap
- # Flatcar: Do not install any plugin stuff, these are parts of
- # auditd that we don't build and install anyway.
- # docinto contrib/plugin
- # dodoc contrib/plugin/*
+ docinto contrib/plugin
+ dodoc contrib/plugin/*
docinto rules
dodoc rules/*rules
- # Flatcar: Do not install stuff auditd stuff.
- # newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
- # newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+ newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+ newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
- # Flatcar: install sample configuration
- insinto /usr/share/auditd
- doins "${S}"/init.d/auditd.conf
+ if [[ -f "${ED}"/sbin/audisp-remote ]] ; then
+ dodir /usr/sbin
+ mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+ fi
-
- # Flatcar: We are not installing audisp too.
- # [ -f "${ED}"/sbin/audisp-remote ] && \
- # dodir /usr/sbin && \
- # mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
-
- # Flatcar: Do not install gentoo rules.
# Gentoo rules
- # newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
- # Flatcar: We are installing our own rules.
- insinto /usr/share/audit/rules.d
- doins "${FILESDIR}"/rules.d/*.rules
- # Flatcar: Do not install deamon stuff.
- # doins "${FILESDIR}"/audit.rules.stop*
+ insinto /etc/audit
+ newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+ doins "${FILESDIR}"/audit.rules.stop*
+ keepdir /etc/audit/rules.d
# audit logs go here
keepdir /var/log/audit
@@ -166,14 +168,6 @@ multilib_src_install_all() {
# Security
lockdown_perms "${ED}"
-
- # Flatcar: We add the systemd unit but don't enable it.
- systemd_dounit init.d/auditd.service
-
- # Flatcar: Our systemd stuff.
- newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
- systemd_dounit "${FILESDIR}"/audit-rules.service
- systemd_enable_service multi-user.target audit-rules.service
}
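Review bot: With the `audit-rules.service` unit, its `systemd_enable_service` call and the `audit-rules.conf` tmpfiles entry dropped here, nothing left in this ebuild loads audit rules at boot or creates the `/etc/audit/rules.d` links; the rule files themselves were moved to coreos-base/misc-files by the renames in this commit, so presumably the unit and tmpfiles moved with them, but that is outside this diff and the commit message should state where rule loading now lives. Note also that the vanilla `multilib_src_install_all` hunk above now installs Gentoo's `audit.rules-2.1.3` as `/etc/audit/audit.rules` next to `keepdir /etc/audit/rules.d`, so if misc-files still links the Flatcar rules into `rules.d`, both rule sets end up on the image; worth confirming which set is meant to be active.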
pkg_postinst() {
@@ -183,13 +177,8 @@ pkg_postinst() {
lockdown_perms() {
# Upstream wants these to have restrictive perms.
# Should not || die as not all paths may exist.
- # Flatcar: We don't include ausearch and aureport
- # so they're removed from the hardening list
local basedir="${1}"
- # chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
- chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null
+ chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
- # chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
- rm -f "${basedir}"/etc/audit/auditd.conf 2>/dev/null
- :
+ chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
}
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild
new file mode 100644
index 0000000000..d2b9730673
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild
@@ -0,0 +1,181 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide)
+# on bumps (or if hitting a bug) to see what they've done there.
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
+
+DESCRIPTION="Userspace utilities for storing and processing auditing records"
+HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
+SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="gssapi io-uring ldap python static-libs test"
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ sys-libs/libcap-ng
+ gssapi? ( virtual/krb5 )
+ ldap? ( net-nds/openldap:= )
+ python? ( ${PYTHON_DEPS} )
+"
+DEPEND="
+ ${RDEPEND}
+ >=sys-kernel/linux-headers-2.6.34
+ test? ( dev-libs/check )
+"
+BDEPEND="python? ( dev-lang/swig )"
+
+CONFIG_CHECK="~AUDIT"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch
+)
+
+src_prepare() {
+ # audisp-remote moved in multilib_src_install_all
+ sed -i \
+ -e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \
+ audisp/plugins/remote/au-remote.conf || die
+
+ # Disable installing sample rules so they can be installed as docs.
+ echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die
+
+ default
+ eautoreconf
+}
+
+multilib_src_configure() {
+ local myeconfargs=(
+ --sbindir="${EPREFIX}"/sbin
+ $(use_enable gssapi gssapi-krb5)
+ $(use_enable ldap zos-remote)
+ $(use_enable static-libs static)
+ $(use_with io-uring io_uring)
+ --enable-systemd
+ --without-golang
+ --without-libwrap
+ --without-python
+ --without-python3
+ )
+
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+
+ if multilib_is_native_abi && use python; then
+ python_configure() {
+ mkdir -p "${BUILD_DIR}" || die
+ pushd "${BUILD_DIR}" &>/dev/null || die
+
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3
+
+ popd &>/dev/null || die
+ }
+
+ python_foreach_impl python_configure
+ fi
+}
+
+src_configure() {
+ tc-export_build_env BUILD_{CC,CPP}
+
+ local -x CC_FOR_BUILD="${BUILD_CC}"
+ local -x CPP_FOR_BUILD="${BUILD_CPP}"
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi; then
+ default
+
+ local native_build="${BUILD_DIR}"
+
+ python_compile() {
+ emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
+ emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
+ }
+
+ use python && python_foreach_impl python_compile
+ else
+ emake -C common
+ emake -C lib
+ emake -C auparse
+ fi
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
+
+ local native_build="${BUILD_DIR}"
+
+ python_install() {
+ emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
+ emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
+ python_optimize
+ }
+
+ use python && python_foreach_impl python_install
+
+ # Things like shadow use this so we need to be in /
+ gen_usr_ldscript -a audit auparse
+ else
+ emake -C lib DESTDIR="${D}" install
+ emake -C auparse DESTDIR="${D}" install
+ fi
+}
+
+multilib_src_install_all() {
+ dodoc AUTHORS ChangeLog README* THANKS
+ docinto contrib
+ dodoc contrib/avc_snap
+ docinto contrib/plugin
+ dodoc contrib/plugin/*
+ docinto rules
+ dodoc rules/*rules
+
+ newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+ newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+
+ if [[ -f "${ED}"/sbin/audisp-remote ]] ; then
+ dodir /usr/sbin
+ mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+ fi
+
+ # Gentoo rules
+ insinto /etc/audit
+ newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+ doins "${FILESDIR}"/audit.rules.stop*
+ keepdir /etc/audit/rules.d
+
+ # audit logs go here
+ keepdir /var/log/audit
+
+ find "${ED}" -type f -name '*.la' -delete || die
+
+ # Security
+ lockdown_perms "${ED}"
+}
+
+pkg_postinst() {
+ lockdown_perms "${EROOT}"
+}
+
+lockdown_perms() {
+ # Upstream wants these to have restrictive perms.
+ # Should not || die as not all paths may exist.
+ local basedir="${1}"
+ chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+ chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+ chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch
new file mode 100644
index 0000000000..8d41d83638
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch
@@ -0,0 +1,41 @@
+Upstream rejected a workaround/fix at https://github.com/linux-audit/audit-userspace/pull/253
+/ https://github.com/linux-audit/audit-userspace/issues/252#issuecomment-1078595249.
+
+Instead, in Fedora (same maintainer as upstream), they're patching the headers then unpatching before install.
+
+Apparently the swig bindings are on their way out but I'm not convinced that's going to be a quick migration given the API will.. surely change?
+
+It's not ideal but let's take the patch slyfox ended up using in nixpkgs anyway.
+
+https://bugs.gentoo.org/836702
+
+From beed138222421a2eb4212d83cb889404bd7efc49 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+ audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+ audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+ audit> | ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
++ * generating setters against them: https://github.com/swig/swig/issues/1699
++ */
++%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include
+
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch
new file mode 100644
index 0000000000..7233aabe03
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch
@@ -0,0 +1,29 @@
+https://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch?id=ad978133a1a10d609bb2545882a2f720a2572f3d
+https://github.com/linux-audit/audit-userspace/pull/311
+https://bugs.gentoo.org/837275
+
+From 79c8d6a2755c9dfa00a5e86378e89a94eef0504d Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Tue, 9 Aug 2022 23:57:03 -0700
+Subject: [PATCH] Replace __attribute_malloc__ with
+ __attribute__((__malloc__))
+
+__attribute_malloc__ is not available on musl
+
+Fixes
+| ../../git/auparse/auparse.h:54:2: error: expected function body after function declarator
+| __attribute_malloc__ __attr_dealloc (auparse_destroy, 1);
+| ^
+
+Signed-off-by: Khem Raj
+--- a/auparse/auparse.h
++++ b/auparse/auparse.h
+@@ -51,7 +51,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au,
+ void auparse_destroy(auparse_state_t *au);
+ void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what);
+ auparse_state_t *auparse_init(ausource_t source, const void *b)
+- __attribute_malloc__ __attr_dealloc (auparse_destroy, 1);
++ __attribute__((__malloc__)) __attr_dealloc (auparse_destroy, 1);
+ int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len)
+ __attr_access ((__read_only__, 2, 3));
+ int auparse_feed(auparse_state_t *au, const char *data, size_t data_len)
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3
new file mode 100644
index 0000000000..25dbedfd1d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3
@@ -0,0 +1,25 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
+
+# Feel free to add below this line. See auditctl man page
+
+# The following rule would cause all of the syscalls listed to be ignored in logging.
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+
+# The following rule would cause the capture of all systems not caught above.
+# -a exit,always -S all
+
+# Increase the buffers to survive stress events
+-b 8192
+
+# vim:ft=conf:
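Review bot: The two `-a exit,never` rules are active even though the comment above them says the rule "would" ignore the listed syscalls, and because the kernel evaluates audit rules in order, these two entries take precedence over anything a user appends below the "Feel free to add below this line" marker: no later rule in this file can log read, write, open, stat and the rest on either arch. If that is the intended shipped default the comment should state it plainly, e.g. `# These rules EXCLUDE the listed syscalls from logging and, being first, override any rule added below.`; otherwise they belong commented out like the `-a exit,always -S all` example that follows. The exclusion also names `open` but not `openat`, so on systems whose libc opens files via `openat` the two arch lines presumably behave differently from what the list suggests — worth a comment or an aligned list. The `-D` at the top and `-b 8192` at the bottom are fine as a baseline; consider also noting that no `-f` failure mode is set, so the kernel default applies.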
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post
new file mode 100644
index 0000000000..29ae197f18
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post
@@ -0,0 +1,12 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately after the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# Not used for the default Gentoo configuration as of v1.2.3
+# Paranoid security types might wish to reconfigure kauditd here.
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre
new file mode 100644
index 0000000000..1f34173369
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre
@@ -0,0 +1,15 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately before the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# auditd is stopping, don't capture events anymore
+-D
+
+# Disable kernel generating audit events
+-e 0
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3
new file mode 100644
index 0000000000..c66be166ce
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3
@@ -0,0 +1,22 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Configuration options for auditd
+# -f for foreground mode
+# There are some other options as well, but you'll have to look in the source
+# code to find them as they aren't ready for use yet.
+EXTRAOPTIONS=''
+
+# Audit rules file to run after starting auditd
+RULEFILE_STARTUP=/etc/audit/audit.rules
+
+# Audit rules file to run before and after stopping auditd
+RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
+RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
+
+# If you want to enforce a certain locale for auditd,
+# uncomment one of the next lines:
+#AUDITD_LANG=none
+AUDITD_LANG=C
+#AUDITD_LANG=en_US
+#AUDITD_LANG=en_US.UTF-8
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3
new file mode 100644
index 0000000000..c952554df2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3
@@ -0,0 +1,90 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands='reload reload_auditd reload_rules'
+description='Linux Auditing System'
+description_reload='Reload daemon configuration and rules'
+description_reload_rules='Reload daemon rules'
+description_reload_auditd='Reload daemon configuration'
+
+name='auditd'
+pidfile='/var/run/auditd.pid'
+command='/sbin/auditd'
+
+start_auditd() {
+ # Env handling taken from the upstream init script
+ if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
+ unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ else
+ LANG="$AUDITD_LANG"
+ LC_TIME="$AUDITD_LANG"
+ LC_ALL="$AUDITD_LANG"
+ LC_MESSAGES="$AUDITD_LANG"
+ LC_NUMERIC="$AUDITD_LANG"
+ LC_MONETARY="$AUDITD_LANG"
+ LC_COLLATE="$AUDITD_LANG"
+ export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ fi
+ unset HOME MAIL USER USERNAME
+
+ ebegin "Starting ${name}"
+ start-stop-daemon \
+ --start --quiet --pidfile ${pidfile} \
+ --exec ${command} -- ${EXTRAOPTIONS}
+ local ret=$?
+ eend $ret
+ return $ret
+}
+
+stop_auditd() {
+ ebegin "Stopping ${name}"
+ start-stop-daemon --stop --quiet --pidfile ${pidfile}
+ local ret=$?
+ eend $ret
+ return $ret
+}
+
+loadfile() {
+ local rules="$1"
+ if [ -n "${rules}" -a -f "${rules}" ]; then
+ einfo "Loading audit rules from ${rules}"
+ /sbin/auditctl -R "${rules}" >/dev/null
+ return $?
+ else
+ return 0
+ fi
+}
+
+start() {
+ start_auditd
+ local ret=$?
+ if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
+ loadfile "${RULEFILE_STARTUP}"
+ fi
+ return $ret
+}
+
+reload_rules() {
+ loadfile "${RULEFILE_STARTUP}"
+}
+
+reload_auditd() {
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP \
+ --exec "${command}" --pidfile "${pidfile}"
+ eend $?
+}
+
+reload() {
+ reload_auditd
+ reload_rules
+}
+
+stop() {
+ [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
+ stop_auditd
+ local ret=$?
+ [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
+ return $ret
+}
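Review bot: `start()` discards the status of `loadfile "${RULEFILE_STARTUP}"`, so a rules file that `auditctl -R` rejects (a typo in /etc/audit/audit.rules, or an `-e 2` lockdown from an earlier load) leaves auditd running with no or stale rules while the service still reports a successful start; `loadfile` already propagates auditctl's exit code, so at minimum surface it: `loadfile "${RULEFILE_STARTUP}" || ewarn "Failed to load audit rules from ${RULEFILE_STARTUP}"`. The same silent drop applies to the `[ "${RC_CMD}" != "restart" ] && loadfile …` lines in `stop()`, where a failed `-D`/`-e 0` from the stop.pre file goes unnoticed. As a style point, `start_auditd`, `loadfile` and `start` use the deprecated `[ … -a … ]` / `-o` forms; `[ -n "${rules}" ] && [ -f "${rules}" ]` is the POSIX-safe spelling, and `${pidfile}`/`${command}` are quoted in `reload_auditd` but not in `start_auditd`/`stop_auditd`, which is worth aligning.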
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml
similarity index 72%
rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml
rename to sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml
index 3524ab03cd..79fc6fdac9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml
@@ -9,8 +9,10 @@
linux-audit/audit-userspace
+ cpe:/a:linux:audit