From be137230902c258769e4ac966a06065f9729da82 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 21 Feb 2024 13:03:20 +0100 Subject: [PATCH 01/18] sys-libs/libsemanage: Sync with Gentoo It's from Gentoo commit e70aa9e9c0de8663fecbd59c4e26a0d17a41050d. --- .../sys-libs/libsemanage/Manifest | 2 +- ...nage-3.5.ebuild => libsemanage-3.6.ebuild} | 50 +++++++++++++++---- .../sys-libs/libsemanage/metadata.xml | 1 + 3 files changed, 42 insertions(+), 11 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/{libsemanage-3.5.ebuild => libsemanage-3.6.ebuild} (76%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
index 11ffe4e62f..00164c9e9c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
@@ -1 +1 @@
-DIST libsemanage-3.5.tar.gz 185060 BLAKE2B 3e08b15cb6b335a2747bd5f0bd84f74abdd22a7e8ec91ebb443ca6fe3886d5e8cd2827fefdaa0e9caf2af3280cffbf593ee828fee54dd423a21b257493cc754c SHA512 959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751
+DIST libsemanage-3.6.tar.gz 182583 BLAKE2B 3ed9ef06601093983fa41ad6ab9f7eeae241dce98937db04efca6f421afcfd3f59cf5e51d24c596ae03997a398949ed84fbdf629518e3c382a5453129b0a87ab SHA512 8998b6a1b254a9673b99ae4d70a1edc769bb728a44f573cdf62e0a9c9392b77644ee2d70e1936a2f8a9a7f8b063ce98a981f4b8b7060f5b82791889330d69364
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild similarity index 76% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild index 0dee8f4dd8..94a270075a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild @@ -1,8 +1,8 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_COMPAT=( python3_{10..11} ) inherit python-r1 toolchain-funcs multilib-minimal @@ -24,15 +24,18 @@ fi LICENSE="GPL-2" SLOT="0/2" +REQUIRED_USE="${PYTHON_REQUIRED_USE}" RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}] >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}] - >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]" - + >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] + ${PYTHON_DEPS}" DEPEND="${RDEPEND}" -BDEPEND="sys-devel/bison - sys-devel/flex" +BDEPEND=">=dev-lang/swig-2.0.4-r1 + app-alternatives/yacc + app-alternatives/lex + virtual/pkgconfig" # tests are not meant to be run outside of the # full SELinux userland repo 
@@ -59,7 +62,7 @@ src_prepare() { echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf" echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf" echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf" - echo "bzip-blocksize=1" >> "${S}/src/semanage.conf" + echo "bzip-blocksize=0" >> "${S}/src/semanage.conf" echo >> "${S}/src/semanage.conf" echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf" echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf" @@ -76,14 +79,41 @@ multilib_src_compile() { CC="$(tc-getCC)" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ all + + if multilib_is_native_abi; then + building_py() { + emake \ + AR="$(tc-getAR)" \ + CC="$(tc-getCC)" \ + PKG_CONFIG="$(tc-getPKG_CONFIG)" \ + LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ + "$@" + } + python_foreach_impl building_py swigify + python_foreach_impl building_py pywrap + fi } multilib_src_install() { emake \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - SHLIBDIR="/usr/$(get_libdir)" \ - DESTDIR="${ED}" \ - install + DESTDIR="${ED}" install + + if multilib_is_native_abi; then + installation_py() { + emake DESTDIR="${ED}" \ + LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ + PKG_CONFIG="$(tc-getPKG_CONFIG)" \ + install-pywrap + python_optimize # bug 531638 + } + python_foreach_impl installation_py + fi +} + +multiib_src_install_all() { + python_setup + python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store } pkg_postinst() { diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml index 861770703d..6de2a0cea8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml @@ -7,5 +7,6 @@ SELinuxProject/selinux + cpe:/a:selinuxproject:libsemanage 
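Review bot: The function added at the end of the `multilib_src_install()` hunk is spelled `multiib_src_install_all`, so multilib-minimal never invokes it and `python_setup`/`python_fix_shebang` never run on `/usr/libexec/selinux/semanage_migrate_store`; rename it to `multilib_src_install_all() {`. Since this hunk is a verbatim sync from Gentoo, the typo is presumably present in the upstream ebuild as well and is worth reporting there rather than only patching locally. The `pkg_postinst()` body the hunk ends on continues outside the hunk.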
From 59b431f9d0d609fb26fb00ab090c1004878bc4e7 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 12 Jun 2023 18:29:10 +0200 Subject: [PATCH 02/18] sys-libs/libsemanage: Apply flatcar patches Prepare the ebuild to be in an upstreamable state: - hide python dependencies behind the IUSE flag - move the semanage.conf additions to a patch - that way, we can add a user patch that changes compression setting that was added by Gentoo Signed-off-by: Mathieu Tortuyaux Signed-off-by: Krzesimir Nowak --- .../files/libsemanage-extra-config.patch | 30 ++++++++++ .../libsemanage/libsemanage-3.6.ebuild | 58 ++++++++----------- 2 files changed, 53 insertions(+), 35 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/libsemanage-extra-config.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/libsemanage-extra-config.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/libsemanage-extra-config.patch
new file mode 100644
index 0000000000..ecd0ffd920
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/libsemanage-extra-config.patch
@@ -0,0 +1,30 @@
+diff -r -u libsemanage-3.6/src/semanage.conf libsemanage-3.6-patched/src/semanage.conf
+--- libsemanage-3.6/src/semanage.conf 2023-12-13 15:46:22.000000000 +0100
++++ libsemanage-3.6-patched/src/semanage.conf 2024-02-21 14:33:06.055611733 +0100
+@@ -40,3 +40,26 @@
+ # By default, semanage will generate policies for the SELinux target.
+ # To build policies for Xen, uncomment the following line.
+ #target-platform = xen
++
++# Set this to true to save the linked policy.
++# This is normally only useful for analysis
++# or debugging of policy.
++save-linked=false
++
++# Set this to 0 to disable assertion checking.
++# This should speed up building the kernel policy
++# from policy modules, but may leave you open to
++# dangerous rules which assertion checking
++# would catch.
++expand-check=1
++
++# Modules in the module store can be compressed
++# with bzip2. Set this to the bzip2 blocksize
++# 1-9 when compressing. The higher the number,
++# the more memory is traded off for disk space.
++# Set to 0 to disable bzip2 compression.
++bzip-blocksize=0
++
++# Reduce memory usage for bzip2 compression and
++# decompression of modules in the module store.
++bzip-small=true
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild
index 94a270075a..3de4516643 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.6.ebuild
@@ -24,50 +24,36 @@ fi LICENSE="GPL-2" SLOT="0/2" -REQUIRED_USE="${PYTHON_REQUIRED_USE}" +IUSE="+python" +REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" -RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}] +RDEPEND=" + app-arch/bzip2[${MULTILIB_USEDEP}] >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}] >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] - ${PYTHON_DEPS}" + python? ( ${PYTHON_DEPS} ) +" DEPEND="${RDEPEND}" -BDEPEND=">=dev-lang/swig-2.0.4-r1 +BDEPEND=" app-alternatives/yacc app-alternatives/lex - virtual/pkgconfig" + python? ( + >=dev-lang/swig-2.0.4-r1 + virtual/pkgconfig + ) +" # tests are not meant to be run outside of the # full SELinux userland repo RESTRICT="test" +PATCHES=( + "${FILESDIR}/libsemanage-extra-config.patch" +) + src_prepare() { - eapply_user - - echo >> "${S}/src/semanage.conf" - echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf" - echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf" - echo "# or debugging of policy." >> "${S}/src/semanage.conf" - echo "save-linked=false" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf" - echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf" - echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf" - echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf" - echo "# would catch." >> "${S}/src/semanage.conf" - echo "expand-check=1" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf" - echo "# with bzip2. Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf" - echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf" - echo "# the more memory is traded off for disk space." 
>> "${S}/src/semanage.conf" - echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf" - echo "bzip-blocksize=0" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf" - echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf" - echo "bzip-small=true" >> "${S}/src/semanage.conf" - + default multilib_copy_sources } @@ -80,7 +66,7 @@ multilib_src_compile() { LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ all - if multilib_is_native_abi; then + if use python && multilib_is_native_abi; then building_py() { emake \ AR="$(tc-getAR)" \ @@ -99,7 +85,7 @@ multilib_src_install() { LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ DESTDIR="${ED}" install - if multilib_is_native_abi; then + if use python && multilib_is_native_abi; then installation_py() { emake DESTDIR="${ED}" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ @@ -112,8 +98,10 @@ multilib_src_install() { } multiib_src_install_all() { - python_setup - python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store + if use python; then + python_setup + python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store + fi } pkg_postinst() { From 6c5ad829278fd9c9385215576157cd5bb44c45f4 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 21 Feb 2024 14:46:25 +0100 Subject: [PATCH 03/18] overlay coreos/user-patches: Add a patch for sys-libs/libsemanage The added patch turns on the module compression. --- .../user-patches/sys-libs/libsemanage/README.md | 4 ++++ .../sys-libs/libsemanage/compress-modules.patch | 12 ++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/README.md create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/compress-modules.patch 
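Review bot: With `USE=-python` the last hunk still lets the unconditional `emake ... install` put `/usr/libexec/selinux/semanage_migrate_store` on the system but now skips `python_fix_shebang` on it, so — if that is the Python script the old code fixed up, as the `python_fix_shebang` call suggests — it ships with a dangling interpreter line on Flatcar, where package.use disables python; add an `else` branch with `rm "${ED}"/usr/libexec/selinux/semanage_migrate_store || die` (or keep the runtime dependency). The function is also still misspelled `multiib_src_install_all`, so even with python enabled neither branch runs until it is renamed `multilib_src_install_all`. The `use python && multilib_is_native_abi` guards in the compile and install hunks look correct.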
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/README.md
new file mode 100644
index 0000000000..a3e6280660
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/README.md
@@ -0,0 +1,4 @@
+We have a patch that modifies the semanage.conf file that is
+previously modified by the Gentoo ebuild. The patch enables the
+SELinux module compression to save some disk space (the modules went
+from 33MB to 3MB).
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/compress-modules.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/compress-modules.patch
new file mode 100644
index 0000000000..488f44555d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libsemanage/compress-modules.patch
@@ -0,0 +1,12 @@
+diff -r -u libsemanage-3.6-patched/src/semanage.conf libsemanage-3.6-flatcar/src/semanage.conf
+--- libsemanage-3.6-patched/src/semanage.conf 2024-02-21 14:33:06.055611733 +0100
++++ libsemanage-3.6-flatcar/src/semanage.conf 2024-02-21 14:42:13.566991009 +0100
+@@ -58,7 +58,7 @@
+ # 1-9 when compressing. The higher the number,
+ # the more memory is traded off for disk space.
+ # Set to 0 to disable bzip2 compression.
+-bzip-blocksize=0
++bzip-blocksize=1
+ 
+ # Reduce memory usage for bzip2 compression and
+ # decompression of modules in the module store.
From a62028633423578b21b219bd1617a1e6c7b0d10b Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak Date: Wed, 21 Feb 2024 14:47:01 +0100 Subject: [PATCH 04/18] sys-apps/policycoreutils: Sync with Gentoo It's from Gentoo commit c4719a957590a9b209422d93c8136075c2781af7. --- .../sys-apps/policycoreutils/Manifest | 2 +- .../files/tmpfiles.d/10-var-lib-selinux.conf | 2 - ...-3.5.ebuild => policycoreutils-3.6.ebuild} | 54 ++++++++++++------- 3 files changed, 37 insertions(+), 21 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf rename sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/{policycoreutils-3.5.ebuild => policycoreutils-3.6.ebuild} (72%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest index cfc08315c2..8b299836d9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest 
@@ -1,2 +1,2 @@
-DIST policycoreutils-3.5.tar.gz 775639 BLAKE2B 777b8564484e89385db7a184c4cad9a99aabf1fd1ac41abd5826c7e6ad29118ae9d6f0d0fd968b6ced87f2f04bc6d7cd207b67428151522915367f656fb8d3f8 SHA512 7978ef6b7a278c6384c9b397734d03c4932c8aefecceaa1e6a1345be27b253dbe276fdcd219ce83ad732c6ed55d53bbc3254e39bccadd67d2cd1152a14749444
+DIST policycoreutils-3.6.tar.gz 755682 BLAKE2B a8b180c8006989192d152651dcfa51856956780bfe1139cc1dc0162eb66ba1eef4f7d64f68a48479572b02e2e97a68c7082722a745d22a9453e8378373319e3c SHA512 e1f32e6e0310b879a5aadab157b103314a61bf3b8fd59c1212d701fbf39900e3b9a0b727338988103d784a7e505355a871ba519dd91520b135a3b9dae40bf1b0
 DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5 SHA512 0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf
deleted file mode 100644
index f763cf3e45..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-#Type Path Mode UID GID Age Argument
-L /var/lib/selinux/ - - - - ../../usr/lib/selinux/policy
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
similarity index 72%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
index 202a894257..e2527faa68 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild @@ -1,12 +1,11 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" -PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_COMPAT=( python3_{10..11} ) PYTHON_REQ_USE="xml(+)" -TMPFILES_OPTIONAL=1 -inherit multilib python-r1 toolchain-funcs bash-completion-r1 tmpfiles +inherit python-r1 toolchain-funcs bash-completion-r1 MY_PV="${PV//_/-}" MY_P="${PN}-${MY_PV}" @@ -36,12 +35,14 @@ SLOT="0" IUSE="audit pam split-usr" REQUIRED_USE="${PYTHON_REQUIRED_USE}" -DEPEND=">=sys-libs/libselinux-${PV}:= - >=sys-libs/libsemanage-${PV}:= +DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}] + >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}] >=sys-libs/libsepol-${PV}:= sys-libs/libcap-ng:= + >=app-admin/setools-4.2.0[${PYTHON_USEDEP}] audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] ) - pam? ( sys-libs/pam:= )" + pam? ( sys-libs/pam:= ) + ${PYTHON_DEPS}" # Avoid dependency loop in the cross-compile case, bug #755173 # (Still exists in native) @@ -51,7 +52,8 @@ BDEPEND="sys-devel/gettext" RDEPEND="${DEPEND} app-misc/pax-utils" -PDEPEND="sys-apps/semodule-utils" +PDEPEND="sys-apps/semodule-utils + sys-apps/selinux-python" src_unpack() { # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds 
@@ -78,6 +80,14 @@ src_prepare() { eapply_user sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror" + + python_copy_sources + # Our extra code is outside the regular directory, so set it to the extra + # directory. We really should optimize this as it is ugly, but the extra + # code is needed for Gentoo at the same time that policycoreutils is present + # (so we cannot use an additional package for now). + S="${S2}" + python_copy_sources } src_compile() { @@ -90,8 +100,10 @@ src_compile() { CC="$(tc-getCC)" \ LIBDIR="\$(PREFIX)/$(get_libdir)" } - BUILD_DIR="${S1}" - building + S="${S1}" # Regular policycoreutils + python_foreach_impl building + S="${S2}" # Extra set + python_foreach_impl building } src_install() { @@ -106,6 +118,7 @@ src_install() { CC="$(tc-getCC)" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ install + python_optimize } installation-extras() { @@ -113,11 +126,14 @@ src_install() { emake -C "${BUILD_DIR}" \ DESTDIR="${D}" \ install + python_optimize } - BUILD_DIR="${S1}" - installation-policycoreutils - + S="${S1}" # policycoreutils + python_foreach_impl installation-policycoreutils + S="${S2}" # extras + python_foreach_impl installation-extras + S="${S1}" # back for later # remove redhat-style init script rm -fR "${D}/etc/rc.d" || die @@ -132,12 +148,14 @@ src_install() { bashcomp_alias setsebool getsebool - dodir /usr/lib/selinux/policy - dosym ../../usr/lib/selinux/policy /var/lib/selinux - keepdir /usr/lib/selinux/policy + # location for policy definitions + dodir /var/lib/selinux + keepdir /var/lib/selinux - # Recreate the symlink in /var in case of wiping the root filesystem. - dotmpfiles "${FILESDIR}/tmpfiles.d/10-var-lib-selinux.conf" + # Set version-specific scripts + for pyscript in rlpkg; do + python_replicate_script "${ED}/usr/sbin/${pyscript}" + done } pkg_postinst() { From d7c32b1cb06aafd75b4434dd60e7bfb9d3854231 Mon Sep 17 00:00:00 2001 
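Review bot: In the last hunk `dodir /var/lib/selinux` immediately followed by `keepdir /var/lib/selinux` is redundant — `keepdir` creates the directory itself — so the `dodir` line can be dropped. Note also that this commit removes the `/var/lib/selinux -> /usr/lib/selinux/policy` symlink and its tmpfiles entry while their replacements only arrive in later commits of the series, so an image built at exactly this commit would carry a real, empty `/var/lib/selinux` store; if bisectability of the series matters, the relocation hook belongs in this commit or the next. `src_install()` continues outside the hunk.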
From: Mathieu Tortuyaux Date: Mon, 12 Jun 2023 18:29:10 +0200 Subject: [PATCH 05/18] sys-apps/policycoreutils: Apply Flatcar modifications Prepare the changes for upstreaming: - Hide python dependencies behind the python USE flag. - Allow using original sources, without Gentoo modifications with the vanilla USE flag. - This also hides app-admin/setools dependency behind this USE flag. I'm not sure if anything in policycoreutils requires anything from that package - I assumed that Gentoo-provided rlpkg maybe does. - Keep using /var/lib/selinux as a SELinux policy directory. We will use INSTALL_MASK to skip installation of the directory and will add a tmpfiles config file to coreos-base/misc-files instead. Signed-off-by: Mathieu Tortuyaux Signed-off-by: Krzesimir Nowak --- .../policycoreutils-3.6.ebuild | 136 ++++++++++++------ 1 file changed, 89 insertions(+), 47 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild index e2527faa68..1def5f4a4e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.6.ebuild 
@@ -17,13 +17,13 @@ HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki" if [[ ${PV} == 9999 ]]; then inherit git-r3 EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git" - SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2" + SRC_URI="!vanilla? ( https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2 )" S1="${WORKDIR}/${P}/${PN}" S2="${WORKDIR}/policycoreutils-extra" S="${S1}" else SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz - https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2" + !vanilla? ( https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2 )" KEYWORDS="amd64 arm arm64 ~mips x86" S1="${WORKDIR}/${MY_P}" S2="${WORKDIR}/policycoreutils-extra" @@ -32,17 +32,30 @@ fi LICENSE="GPL-2" SLOT="0" -IUSE="audit pam split-usr" -REQUIRED_USE="${PYTHON_REQUIRED_USE}" +IUSE="audit pam split-usr vanilla +python" +REQUIRED_USE=" + !vanilla? ( python ${PYTHON_REQUIRED_USE} ) +" -DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}] - >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}] +DEPEND=" + python? ( + >=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}] + >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}] + audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] ) + ${PYTHON_DEPS} + ) + !python? ( + >=sys-libs/libselinux-${PV}:= + >=sys-libs/libsemanage-${PV}:= + audit? ( >=sys-process/audit-1.5.1 ) + ) >=sys-libs/libsepol-${PV}:= sys-libs/libcap-ng:= - >=app-admin/setools-4.2.0[${PYTHON_USEDEP}] - audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] ) pam? ( sys-libs/pam:= ) - ${PYTHON_DEPS}" + !vanilla? ( + >=app-admin/setools-4.2.0[${PYTHON_USEDEP}] + ) +" # Avoid dependency loop in the cross-compile case, bug #755173 # (Still exists in native) 
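Review bot: The new `REQUIRED_USE` only enforces `${PYTHON_REQUIRED_USE}` under `!vanilla?`, yet `DEPEND` uses `${PYTHON_USEDEP}` whenever `python` is set, so `USE="vanilla python"` resolves with no `PYTHON_TARGETS` enabled and the `[python,${PYTHON_USEDEP}]` dependencies then constrain nothing; tie the constraint to the flag that needs it: `REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} ) !vanilla? ( python )"`. This keeps the "vanilla is required when python is off" rule the commit intends while making python-enabled builds always pick an implementation. The `!vanilla? ( ... )` conditionals in `SRC_URI` are valid in EAPI 7.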
@@ -53,7 +66,7 @@ RDEPEND="${DEPEND} app-misc/pax-utils" PDEPEND="sys-apps/semodule-utils - sys-apps/selinux-python" + python? ( sys-apps/selinux-python )" src_unpack() { # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds @@ -71,28 +84,33 @@ src_prepare() { eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch" fi - # rlpkg is more useful than fixfiles - sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \ - || die "fixfiles sed 1 failed" - sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \ - || die "fixfiles sed 2 failed" + if ! use vanilla; then + # rlpkg is more useful than fixfiles + sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \ + || die "fixfiles sed 1 failed" + sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \ + || die "fixfiles sed 2 failed" + fi eapply_user sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror" - python_copy_sources - # Our extra code is outside the regular directory, so set it to the extra - # directory. We really should optimize this as it is ugly, but the extra - # code is needed for Gentoo at the same time that policycoreutils is present - # (so we cannot use an additional package for now). - S="${S2}" - python_copy_sources + if ! use vanilla; then + python_copy_sources + # Our extra code is outside the regular directory, so set it to the extra + # directory. We really should optimize this as it is ugly, but the extra + # code is needed for Gentoo at the same time that policycoreutils is present + # (so we cannot use an additional package for now). + S="${S2}" + python_copy_sources + fi } src_compile() { building() { - emake -C "${BUILD_DIR}" \ + local build_dir=${1} + emake -C "${build_dir}" \ AUDIT_LOG_PRIVS="y" \ AUDITH="$(usex audit y n)" \ PAMH="$(usex pam y n)" \ 
@@ -100,17 +118,27 @@ src_compile() { CC="$(tc-getCC)" \ LIBDIR="\$(PREFIX)/$(get_libdir)" } - S="${S1}" # Regular policycoreutils - python_foreach_impl building - S="${S2}" # Extra set - python_foreach_impl building + if ! use vanilla; then + building_with_python() { + building "${BUILD_DIR}" + } + S="${S1}" # Regular policycoreutils + python_foreach_impl building_with_python + S="${S2}" # Extra set + python_foreach_impl building_with_python + unset -f building_with_python + else + S="${S1}" # Regular policycoreutils + building "${S}" + fi + unset -f building } src_install() { - # Python scripts are present in many places. There are no extension modules. - installation-policycoreutils() { + installation-policycoreutils-base() { + local build_dir=${1} einfo "Installing policycoreutils" - emake -C "${BUILD_DIR}" DESTDIR="${D}" \ + emake -C "${build_dir}" DESTDIR="${D}" \ AUDIT_LOG_PRIVS="y" \ AUDITH="$(usex audit y n)" \ PAMH="$(usex pam y n)" \ 
@@ -118,22 +146,34 @@ src_install() { CC="$(tc-getCC)" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ install - python_optimize } - installation-extras() { - einfo "Installing policycoreutils-extra" - emake -C "${BUILD_DIR}" \ - DESTDIR="${D}" \ - install - python_optimize - } + if ! use vanilla; then + # Python scripts are present in many places. There are no extension modules. + installation-policycoreutils() { + installation-policycoreutils-base "${BUILD_DIR}" + python_optimize + } - S="${S1}" # policycoreutils - python_foreach_impl installation-policycoreutils - S="${S2}" # extras - python_foreach_impl installation-extras - S="${S1}" # back for later + installation-extras() { + einfo "Installing policycoreutils-extra" + emake -C "${BUILD_DIR}" \ + DESTDIR="${D}" \ + install + python_optimize + } + + S="${S1}" # policycoreutils + python_foreach_impl installation-policycoreutils + S="${S2}" # extras + python_foreach_impl installation-extras + S="${S1}" # back for later + unset -f installation-extras installation-policycoreutils + else + S="${S1}" # policycoreutils + installation-policycoreutils-base "${S}" + fi + unset -f installation-policycoreutils-base # remove redhat-style init script rm -fR "${D}/etc/rc.d" || die @@ -152,10 +192,12 @@ src_install() { dodir /var/lib/selinux keepdir /var/lib/selinux - # Set version-specific scripts - for pyscript in rlpkg; do - python_replicate_script "${ED}/usr/sbin/${pyscript}" - done + if ! use vanilla; then + # Set version-specific scripts + for pyscript in rlpkg; do + python_replicate_script "${ED}/usr/sbin/${pyscript}" + done + fi } pkg_postinst() { From 49fb14d782a41d2adccb48b631f6eac72b971ff7 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Wed, 21 Feb 2024 16:11:50 +0100 Subject: [PATCH 06/18] overlay coreos-base/misc-files: Recreate a symlink on filesystem wipe The path where the SELinux policy modules are built is normally /var/lib/selinux. In our case we want to have those policies to be installed somewhere under /usr. So we have a setup where /var/lib/selinux is a symlink to /usr/lib/selinux/policy. The /var/lib/selinux directory is normally created by sys-apps/policycoreutils directory and we don't want to change it in order to pursue the goal of putting the package back to portage-stable. On the other hand, the override of modules directory location can't happen in the coreos-base/misc-files package, because sys-apps/policycoreutils needs that directory to be already set up in the package post installation time. The override of the SELinux policy modules directory needs to be done in the bashrc hook unfortunately. This will come in the follow-up commit. So the only thing left is to set up tmpfiles configuration file to recreate the /var/lib/selinux symlink, since it can be removed when wiping the filesystem. --- .../misc-files/files/10-var-lib-selinux.conf | 2 ++ ...les-0-r3.ebuild => misc-files-0-r4.ebuild} | 21 ++++++++++++++----- 2 files changed, 18 insertions(+), 5 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/{misc-files-0-r3.ebuild => misc-files-0-r4.ebuild} (90%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf new file mode 100644 index 0000000000..f763cf3e45 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf 
@@ -0,0 +1,2 @@ +#Type Path Mode UID GID Age Argument +L /var/lib/selinux/ - - - - ../../usr/lib/selinux/policy diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild index 79aae29e95..f282ddd6fc 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild @@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/' LICENSE='Apache-2.0' SLOT='0' KEYWORDS='amd64 arm64' -IUSE="openssh ntp" +IUSE="openssh ntp policycoreutils" # No source directory. S="${WORKDIR}" @@ -23,15 +23,16 @@ S="${WORKDIR}" # net-misc/openssh must be installed on host for enabling its unit to # work during installation. DEPEND=" - openssh? ( >=net-misc/openssh-9.4_p1 ) + openssh? ( >=net-misc/openssh-9.4_p1 ) " # Versions listed below are version of packages that shedded the # modifications in their ebuilds. RDEPEND=" - ${DEPEND} - >=app-shells/bash-5.2_p15-r2 - ntp? ( >=net-misc/ntp-4.2.8_p17 ) + ${DEPEND} + >=app-shells/bash-5.2_p15-r2 + ntp? ( >=net-misc/ntp-4.2.8_p17 ) + policycoreutils? ( >=sys-apps/policycoreutils-3.6 ) " declare -A CORE_BASH_SYMLINKS 
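Review bot: The `L` entry only creates the symlink when `/var/lib/selinux` is absent; if something has already created a real directory there before `systemd-tmpfiles` runs (a fully wiped `/var` cannot have one, but a partially populated `/var` is not excluded by this file), the link is silently skipped and policy tools would operate on an empty store instead of the policy under `/usr`. If that divergence is unacceptable, `L+ /var/lib/selinux/ - - - - ../../usr/lib/selinux/policy` replaces an existing directory — at the cost of discarding whatever was there — so whichever behaviour is intended deserves a comment line in the file stating the choice. This is the same content the deleted policycoreutils copy had, so the question applies to the original as well.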
@@ -171,6 +172,16 @@ src_install() { misc_files_install_dropin sntp.service "${FILESDIR}/ntp-environment.conf" fi + if use policycoreutils; then + # Exceptionally, the location for policy definitions is set up + # in profiles/coreos/base/profile.bashrc. See the comment for + # cros_post_src_install_set_up_var_lib_selinux for reasoning. + # + # Recreate the symlink in /var in case of wiping the root + # filesystem. + dotmpfiles "${FILESDIR}/10-var-lib-selinux.conf" + fi + # Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/... # (The below keepdir will result in a tmpfiles entry in base_image_var.conf) keepdir /var/kubernetes/kubelet-plugins/volume/exec From f5ce98288bd6e93c9896a2d48cacd0d310478db5 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 28 Feb 2024 12:37:49 +0100 Subject: [PATCH 07/18] overlay profiles: Set up SELinux policy directory --- .../profiles/coreos/base/profile.bashrc | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc index 0a8c513aaf..e686af5419 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc 
@@ -104,6 +104,26 @@ cros_pre_pkg_postinst_no_modifications_of_users() { export ACCT_USER_NO_MODIFY=x } +# sys-apps/policycoreutils creates /var/lib/selinux directory in +# src_install and then needs it to be available when running +# pkg_postinst, because it does a policy module rebuild there. We +# initially have put /var/lib/selinux into INSTALL_MASK and told +# coreos-base/misc-files to install the directory at +# /usr/lib/selinux/policy together with a symlink at /var/lib/selinux +# pointing to the directory. But this is done too late - at +# sys-apps/policycoreutils' pkg_postinst time, /var/lib/selinux does +# not exist, because coreos-base/misc-files was not yet emerged. So we +# need to fall back to this hack, where we set up /var/lib/selinux and +# /usr/lib/selinux/policy the way we want. +cros_post_src_install_set_up_var_lib_selinux() { + if [[ ${CATEGORY} != 'sys-apps' ]] || [[ ${PN} != 'policycoreutils' ]]; then + return 0; + fi + dodir /usr/lib/selinux + mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy" + dosym ../../usr/lib/selinux/policy /var/lib/selinux +} + # Source hooks for SLSA build provenance report generation source "${BASH_SOURCE[0]}.slsa-provenance" From fbdf2bf74a2291644e2bf7b11e2065b1ce75cda3 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 21 Feb 2024 16:14:08 +0100 Subject: [PATCH 08/18] overlay profiles: Enable policycoreutils USE flag for coreos-base/misc-files --- .../profiles/coreos/targets/generic/package.use | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use index 037aef1cc4..f10b11d617 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use 
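Review bot: The `mv` in cros_post_src_install_set_up_var_lib_selinux is unchecked, so if sys-apps/policycoreutils ever stops creating ${ED}/var/lib/selinux in src_install the hook carries on, `dosym` still plants the /var/lib/selinux link, and the image ends up with a dangling symlink to a policy directory that was never created; write it as `mv "${ED}/var/lib/selinux" "${ED}/usr/lib/selinux/policy" || die "nothing to relocate at /var/lib/selinux"`. The guard can be a single test, `[[ ${CATEGORY}/${PN} != sys-apps/policycoreutils ]] && return 0`, and `return 0;` carries a stray semicolon. The header comment explains the ordering problem well; a closing sentence noting that coreos-base/misc-files' tmpfiles entry recreates the same symlink at boot would tie the two halves together.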
@@ -8,7 +8,9 @@ app-editors/vim minimal -crypt app-editors/vim-core minimal # Install our modifications and compatibility symlinks for ssh and ntp -coreos-base/misc-files openssh ntp +# +# Install a SELinux policy directory symlink +coreos-base/misc-files openssh ntp policycoreutils dev-lang/python gdbm dev-libs/dbus-glib tools From 1017fd45e5ed22a2e5101f1c62fa47d506ef8b47 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 21 Feb 2024 15:59:17 +0100 Subject: [PATCH 09/18] overlay profiles: Disable python in SELinux tools We never needed the python tools in Flatcar. --- .../coreos-overlay/profiles/coreos/base/package.use | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index 24667fbc0d..dfd11a9693 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use @@ -150,3 +150,9 @@ sys-apps/findutils selinux app-containers/containerd btrfs device-mapper app-containers/docker btrfs device-mapper overlay seccomp app-containers/docker-cli hardened + +# Drop python dependencies from some SELinux packages. +# +# The vanilla USE flag must be enabled if python is disabled. +sys-apps/policycoreutils vanilla -python +sys-libs/libsemanage -python From 66811126d1f39021b7ea4f3e0e588c0ce848c922 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Fri, 23 Feb 2024 11:59:02 +0100 Subject: [PATCH 10/18] dev-lang/swig: Sync with Gentoo It's from Gentoo commit 8a1e6e5446c2729e93f1ad51a409862538ea34e9. --- .../portage-stable/dev-lang/swig/Manifest | 5 +- .../swig-4.1.1-ccache-configure-clang16.patch | 32 ++++++++++ .../dev-lang/swig/swig-3.0.12.ebuild | 35 ----------- .../dev-lang/swig/swig-4.0.0.ebuild | 51 ---------------- .../dev-lang/swig/swig-4.1.1-r1.ebuild | 61 +++++++++++++++++++ .../{swig-4.0.2.ebuild => swig-4.2.0.ebuild} | 22 ++++--- 6 files changed, 110 insertions(+), 96 deletions(-) create mode 100644 sdk_container/src/third_party/portage-stable/dev-lang/swig/files/swig-4.1.1-ccache-configure-clang16.patch delete mode 100644 sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-3.0.12.ebuild delete mode 100644 sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.0.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.1.1-r1.ebuild rename sdk_container/src/third_party/portage-stable/dev-lang/swig/{swig-4.0.2.ebuild => swig-4.2.0.ebuild} (58%) diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest b/sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest index f6a6294670..d6c7d753b6 100644 --- a/sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest +++ b/sdk_container/src/third_party/portage-stable/dev-lang/swig/Manifest 
@@ -1,3 +1,2 @@ -DIST swig-3.0.12.tar.gz 8149820 BLAKE2B 05ce913dedbbde26592619e0edc65050cb31a517f309c1188252cb8c276147cb28ebf4d8534c31b75c4ed8be5d42223b432a7318bf8eb5b2d4d528e5ff9a781b SHA512 5eaa2e06d8e4197fd02194051db1e518325dbb074a4c55a91099ad9c55193874f577764afc9029409a41bd520a95154095f26e33ef5add5c102bb2c1d98d33eb -DIST swig-4.0.0.tar.gz 8052518 BLAKE2B a34eb17d795ba5b34ea7362f8f07d6a6e82fd4394a0159fcf608ffb27580f37fc722c4907f1fd6fa3322663662f8e11fecbcb2bc7b90405834ef35d6218d65c7 SHA512 c897b87fb8b21caf8d1bee2c39cb9675a3b0ee047110e808c310a2787f8b89585738726e9f517c64e9d2f1b8311136365c569528f399b444b1081f69689b7165 -DIST swig-4.0.2.tar.gz 8097014 BLAKE2B 4c36b7e9b9bf1663779aa31b0eda8a1fe443695d945bcc1642c3404b22e45440def85e58dd65dc18a2ca8c00ffdcfe0f1d75373b7becc0b0e5402fda90b8c29a SHA512 05e7da70ce6d9a733b96c0bcfa3c1b82765bd859f48c74759bbf4bb1467acb1809caa310cba5e2b3280cd704fca249eaa0624821dffae1d2a75097c7f55d14ed +DIST swig-4.1.1.tar.gz 8600805 BLAKE2B 898d3405f20c3e49626fb808b568e77c69b81ec2401c0a0c406f9e7a3d7d218353dc8b8ae88a3d485ddfc3be659971b961ee2c89d5b0c75aed0688e0952fd208 SHA512 1cea1918455a75ebc9b2653dd1715bd5dcd974554955f324295c6a6f14c0a715651b221b85fad4a8af5197e0c75bfe7b590bc6ba7178c26245fbbd9a7e110100 +DIST swig-4.2.0.tar.gz 8339586 BLAKE2B 4f1c3c7d4b1e218b67a2d796d2171df73971036a433e5fb80233b3050f022d578efdff28fc44d98a6d176ec6270b4942f5f56e9a74bbd8b30d6836c76c620a04 SHA512 b7f508b25bc6e882ed6123f6c7ad12b02a7b74de09ac6e5789968e9c2f51407d1e3dafd5ea495087b4fb0f447ecce17e6070471479c67c4265166d8342a10862 diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/files/swig-4.1.1-ccache-configure-clang16.patch b/sdk_container/src/third_party/portage-stable/dev-lang/swig/files/swig-4.1.1-ccache-configure-clang16.patch new file mode 100644 index 0000000000..b2fefd1356 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-lang/swig/files/swig-4.1.1-ccache-configure-clang16.patch 
@@ -0,0 +1,32 @@ +https://github.com/swig/swig/pull/2483 + +From 784dfc917e99429bdbb70fb9dd80c16dfeb73659 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 12 Jan 2023 17:49:40 +0100 +Subject: [PATCH] CCache: Do not rely on C89-only features in configure.ac + +Add missing #include directives to obtain additional function +prototypes. This avoids altering the result of this test with C99 +compilers which do not support implicit function declarations. +--- a/CCache/configure.ac ++++ b/CCache/configure.ac +@@ -63,6 +63,9 @@ AC_CACHE_CHECK([for C99 vsnprintf],ccache_cv_HAVE_C99_VSNPRINTF,[ + AC_RUN_IFELSE([AC_LANG_SOURCE([[ + #include + #include ++#include ++#include ++#include + void foo(const char *format, ...) { + va_list ap; + int len; +@@ -77,7 +80,7 @@ void foo(const char *format, ...) { + + exit(0); + } +-main() { foo("hello"); } ++int main(void) { foo("hello"); } + ]])],[ccache_cv_HAVE_C99_VSNPRINTF=yes],[ccache_cv_HAVE_C99_VSNPRINTF=no],[ccache_cv_HAVE_C99_VSNPRINTF=cross])]) + if test x"$ccache_cv_HAVE_C99_VSNPRINTF" = x"yes"; then + AC_DEFINE(HAVE_C99_VSNPRINTF, 1, [ ]) + diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-3.0.12.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-3.0.12.ebuild deleted file mode 100644 index fc8b43deec..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-3.0.12.ebuild +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -DESCRIPTION="Simplified Wrapper and Interface Generator" -HOMEPAGE="http://www.swig.org/" -SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz" - -LICENSE="GPL-3+ BSD BSD-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris" -IUSE="ccache doc pcre" -RESTRICT="test" - -DEPEND="pcre? ( dev-libs/libpcre ) - ccache? ( sys-libs/zlib )" -RDEPEND="${DEPEND}" - -DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO ) - -src_configure() { - econf \ - $(use_enable ccache) \ - $(use_with pcre) -} - -src_install() { - default - - if use doc; then - docinto html - dodoc -r Doc/{Devel,Manual} - fi -} diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.0.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.0.ebuild deleted file mode 100644 index 088cf9af84..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.0.ebuild +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit toolchain-funcs - -DESCRIPTION="Simplified Wrapper and Interface Generator" -HOMEPAGE="http://www.swig.org/" -SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz" - -LICENSE="GPL-3+ BSD BSD-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris" -IUSE="ccache doc pcre" -RESTRICT="test" - -RDEPEND=" - pcre? ( dev-libs/libpcre ) - ccache? ( sys-libs/zlib ) -" -DEPEND=" - ${RDEPEND} -" -BDEPEND="virtual/pkgconfig" - -DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO ) - -src_prepare() { - default - # https://github.com/swig/swig/pull/1796 - sed -i \ - -e '/if pkg-config javascriptcoregtk-1.0/s:pkg-config:$PKGCONFIG:' \ - configure || die -} - -src_configure() { - econf \ - PKGCONFIG="$(tc-getPKG_CONFIG)" \ - $(use_enable ccache) \ - $(use_with pcre) -} - -src_install() { - default - - if use doc; then - docinto html - dodoc -r Doc/{Devel,Manual} - fi -} diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.1.1-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.1.1-r1.ebuild new file mode 100644 index 0000000000..77019af764 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.1.1-r1.ebuild 
@@ -0,0 +1,61 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools toolchain-funcs + +DESCRIPTION="Simplified Wrapper and Interface Generator" +HOMEPAGE="http://www.swig.org/ https://github.com/swig/swig" +SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz" + +LICENSE="GPL-3+ BSD BSD-2" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="ccache doc pcre test" +RESTRICT="!test? ( test )" + +RDEPEND=" + pcre? ( dev-libs/libpcre2 ) + ccache? ( sys-libs/zlib ) +" +DEPEND=" + ${RDEPEND} + test? ( dev-libs/boost ) +" +BDEPEND="virtual/pkgconfig" + +DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO ) + +PATCHES=( + "${FILESDIR}"/${PN}-4.1.1-ccache-configure-clang16.patch +) + +src_prepare() { + default + + # Only needed for Clang 16 patch + ln -s "${S}"/Tools CCache/ || die + AT_M4DIR="Tools/config" eautoreconf +} + +src_configure() { + econf \ + PKGCONFIG="$(tc-getPKG_CONFIG)" \ + $(use_enable ccache) \ + $(use_with pcre) +} + +src_test() { + # The tests won't get run w/o an explicit call, broken Makefiles? + emake check +} + +src_install() { + default + + if use doc; then + docinto html + dodoc -r Doc/{Devel,Manual} + fi +} diff --git a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.2.0.ebuild similarity index 58% rename from sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.2.ebuild rename to sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.2.0.ebuild index b52bf56727..168ccf98d9 100644 --- a/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.0.2.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-lang/swig/swig-4.2.0.ebuild 
@@ -1,7 +1,7 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 inherit toolchain-funcs @@ -11,15 +11,18 @@ SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz" LICENSE="GPL-3+ BSD BSD-2" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~x64-solaris ~x86-solaris" -IUSE="ccache doc pcre" -RESTRICT="test" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="ccache doc pcre test" +RESTRICT="!test? ( test )" RDEPEND=" - pcre? ( dev-libs/libpcre ) + pcre? ( dev-libs/libpcre2 ) ccache? ( sys-libs/zlib ) " -DEPEND="${RDEPEND}" +DEPEND=" + ${RDEPEND} + test? ( dev-libs/boost ) +" BDEPEND="virtual/pkgconfig" DOCS=( ANNOUNCE CHANGES CHANGES.current README TODO ) @@ -31,6 +34,11 @@ src_configure() { $(use_with pcre) } +src_test() { + # The tests won't get run w/o an explicit call, broken Makefiles? + emake check +} + src_install() { default From 39bf99b420cd477cd2eb1b417fbd8a467429a088 Mon Sep 17 00:00:00 2001 
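Review bot: Every arch in the new KEYWORDS line of swig-4.2.0.ebuild is unstable (`~amd64 ~arm64` included), so unless the profile accepts unstable keywords for dev-lang/swig, the SDK will resolve to the stable 4.1.1-r1 added in the same commit and 4.2.0 is not what gets built. If that is the intent of a plain Gentoo sync, one line in the commit message naming the version expected to be used would save the next reader from checking, since sys-libs/libsemanage's BDEPEND now pulls swig into the build.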
From: Krzesimir Nowak Date: Mon, 26 Feb 2024 13:13:55 +0100 Subject: [PATCH 11/18] overlay coreos-base/misc-files: Reorganize the files a bit The files directory of the package was getting crowded and the names of the files weren't really saying much. --- .../files/{ => bash}/99-flatcar-bcc | 0 .../files/{ => ntp}/ntp-environment.conf | 0 .../misc-files/files/{ => ntp}/ntp.conf | 0 .../files/{ => ntp}/ntpd-always-restart.conf | 0 .../files/{ => openssh}/50-flatcar-ssh.conf | 0 .../files/{ => openssh}/50-flatcar-sshd.conf | 0 .../{ => openssh}/no-trigger-limit-burst.conf | 0 .../{ => selinux}/10-var-lib-selinux.conf | 0 .../files/{selinux-config => selinux/config} | 0 .../misc-files/misc-files-0-r4.ebuild | 28 +++++++++---------- 10 files changed, 14 insertions(+), 14 deletions(-) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{ => bash}/99-flatcar-bcc (100%) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{ => ntp}/ntp-environment.conf (100%) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{ => ntp}/ntp.conf (100%) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{ => ntp}/ntpd-always-restart.conf (100%) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{ => openssh}/50-flatcar-ssh.conf (100%) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{ => openssh}/50-flatcar-sshd.conf (100%) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{ => openssh}/no-trigger-limit-burst.conf (100%) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{ => selinux}/10-var-lib-selinux.conf (100%) rename sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/{selinux-config => selinux/config} (100%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/99-flatcar-bcc b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/bash/99-flatcar-bcc similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/99-flatcar-bcc rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/bash/99-flatcar-bcc diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp-environment.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp-environment.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp-environment.conf rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp-environment.conf diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp.conf rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntp.conf diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntpd-always-restart.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntpd-always-restart.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntpd-always-restart.conf rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/ntp/ntpd-always-restart.conf 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-ssh.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-ssh.conf rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-ssh.conf diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/50-flatcar-sshd.conf rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/50-flatcar-sshd.conf diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/no-trigger-limit-burst.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/no-trigger-limit-burst.conf rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/openssh/no-trigger-limit-burst.conf diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux/10-var-lib-selinux.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/10-var-lib-selinux.conf rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux/10-var-lib-selinux.conf 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux/config similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux/config diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild index f282ddd6fc..fd9bf07386 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild @@ -122,10 +122,10 @@ src_install() { done insinto '/etc/selinux/' - newins "${FILESDIR}/selinux-config" config + doins "${FILESDIR}/selinux/config" insinto '/etc/bash/bashrc.d' - doins "${FILESDIR}/99-flatcar-bcc" + doins "${FILESDIR}/bash/99-flatcar-bcc" insinto '/usr/share/flatcar' # The "oems" folder should contain a file "$OEMID" for each expected OEM sysext and 
@@ -149,29 +149,29 @@ src_install() { fowners --no-dereference 500:500 "${link}" done + if use ntp; then + insinto /etc + doins "${FILESDIR}/ntp/ntp.conf" + misc_files_install_dropin ntpd.service "${FILESDIR}/ntp/ntpd-always-restart.conf" + misc_files_install_dropin ntpdate.service "${FILESDIR}/ntp/ntp-environment.conf" + misc_files_install_dropin sntp.service "${FILESDIR}/ntp/ntp-environment.conf" + fi + if use openssh; then # Install our configuration snippets. insinto /etc/ssh/ssh_config.d - doins "${FILESDIR}/50-flatcar-ssh.conf" + doins "${FILESDIR}/openssh/50-flatcar-ssh.conf" insinto /etc/ssh/sshd_config.d - doins "${FILESDIR}/50-flatcar-sshd.conf" + doins "${FILESDIR}/openssh/50-flatcar-sshd.conf" # Install our socket drop-in file that disables the rate # limiting on the sshd socket. - misc_files_install_dropin sshd.socket "${FILESDIR}/no-trigger-limit-burst.conf" + misc_files_install_dropin sshd.socket "${FILESDIR}/openssh/no-trigger-limit-burst.conf" # Enable some sockets that aren't enabled by their own ebuilds. systemd_enable_service sockets.target sshd.socket fi - if use ntp; then - insinto /etc - doins "${FILESDIR}/ntp.conf" - misc_files_install_dropin ntpd.service "${FILESDIR}/ntpd-always-restart.conf" - misc_files_install_dropin ntpdate.service "${FILESDIR}/ntp-environment.conf" - misc_files_install_dropin sntp.service "${FILESDIR}/ntp-environment.conf" - fi - if use policycoreutils; then # Exceptionally, the location for policy definitions is set up # in profiles/coreos/base/profile.bashrc. See the comment for @@ -179,7 +179,7 @@ src_install() { # # Recreate the symlink in /var in case of wiping the root # filesystem. - dotmpfiles "${FILESDIR}/10-var-lib-selinux.conf" + dotmpfiles "${FILESDIR}/selinux/10-var-lib-selinux.conf" fi # Create a symlink for Kubernetes to redirect writes from /usr/libexec/... to /var/kubernetes/... From 5cb7639e7c2ecee3cd8db5ccf1184b527c144308 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Mon, 26 Feb 2024 15:13:42 +0100 Subject: [PATCH 12/18] overlay coreos-base/misc-files: Install audit files We will move sys-process/audit to portage-stable. In order to do that, we need to move the customizations out of its ebuild. --- .../misc-files/files/audit/00-clear.rules | 3 ++ .../misc-files/files/audit/80-selinux.rules | 4 +++ .../misc-files/files/audit/99-default.rules | 5 +++ .../files/audit/audit-rules.service | 16 ++++++++++ .../misc-files/misc-files-0-r4.ebuild | 32 ++++++++++++++++--- 5 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules new file mode 100644 index 0000000000..f43e62771c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules @@ -0,0 +1,3 @@ +# First rule - delete all +# This is to clear out old rules, so we don't append to them. +-D diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules new file mode 100644 index 0000000000..627b17db3f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules 
@@ -0,0 +1,4 @@ +# Enable all SELinux related events +# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h) + +-a exclude,never -F msgtype>=1400 -F msgtype<=1499 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules new file mode 100644 index 0000000000..cc373d8406 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules @@ -0,0 +1,5 @@ +# Always report changes to the audit subsystem itself. +-a exclude,never -F msgtype=CONFIG_CHANGE + +# Ignore everything else. +-a exclude,always -F msgtype>0 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service new file mode 100644 index 0000000000..8c54802fb5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service @@ -0,0 +1,16 @@ +[Unit] +Description=Load Security Auditing Rules +DefaultDependencies=no +After=local-fs.target systemd-tmpfiles-setup.service +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +ConditionSecurity=audit + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/sbin/augenrules --load +ExecStop=-/sbin/auditctl -D + +[Install] +WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild index fd9bf07386..e0688455e7 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild 
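Review bot: 99-default.rules depends on sorting after 00-clear.rules and 80-selinux.rules: exclude-filter rules are matched in order with the first match deciding, and `-a exclude,always -F msgtype>0` matches every record, so any `exclude,never` rule added later under a higher prefix would be dead. That constraint is worth stating above the line, e.g. `# Catch-all; must stay last: exclude rules are first-match, so a never-rule needs a lower prefix.`. The `-F msgtype=CONFIG_CHANGE` exemption is the right minimum to keep: it is what makes later tampering with the ruleset itself visible even though everything else is dropped.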
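Review bot: `ExecStop=-/sbin/auditctl -D` in audit-rules.service flushes the whole kernel rule list whenever the unit is stopped, including a manual `systemctl stop`, and with `RemainAfterExit=yes` nothing reloads the rules until the unit is started again. That mirrors upstream, but since this unit is the only thing loading rules on the image (the daemon is disabled by default per the ebuild comment), a comment in the unit saying that stopping it is the intended way to clear auditing would avoid surprise. `ConditionSecurity=audit` means the unit is silently skipped on kernels without audit support, which is also worth a one-line note.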
@@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/' LICENSE='Apache-2.0' SLOT='0' KEYWORDS='amd64 arm64' -IUSE="openssh ntp policycoreutils" +IUSE="audit ntp openssh policycoreutils" # No source directory. S="${WORKDIR}" @@ -33,6 +33,7 @@ RDEPEND=" >=app-shells/bash-5.2_p15-r2 ntp? ( >=net-misc/ntp-4.2.8_p17 ) policycoreutils? ( >=sys-apps/policycoreutils-3.6 ) + audit? ( >=sys-process/audit-3.1.1 ) " declare -A CORE_BASH_SYMLINKS @@ -99,10 +100,12 @@ src_install() { ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs' ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf' ) - if use openssh; then + if use audit; then compat_symlinks+=( - ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf' - ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf' + ['/usr/share/audit/rules.d/00-clear.rules']='/usr/share/flatcar/etc/audit/rules.d/00-clear.rules' + ['/usr/share/audit/rules.d/80-selinux.rules']='/usr/share/flatcar/etc/audit/rules.d/80-selinux.rules' + ['/usr/share/audit/rules.d/99-default.rules']='/usr/share/flatcar/etc/audit/rules.d/99-default.rules' + ['/usr/share/auditd/auditd.conf']='/usr/share/flatcar/etc/audit/auditd.conf' ) fi if use ntp; then @@ -110,6 +113,12 @@ src_install() { ['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf' ) fi + if use openssh; then + compat_symlinks+=( + ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf' + ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf' + ) + fi local link target for link in "${!compat_symlinks[@]}"; do 
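Review bot: The new compat symlink `['/usr/share/auditd/auditd.conf']='/usr/share/flatcar/etc/audit/auditd.conf'` points at a file nothing in this patch installs; it presumably relies on sys-process/audit continuing to ship /etc/audit/auditd.conf (the INSTALL_MASK added later in this series masks only audit.rules* and the initscript helpers), so that assumption deserves a comment next to the entry, e.g. `# auditd.conf itself is shipped by sys-process/audit`. The three rules.d entries match the files installed further down in src_install. src_install starts and ends outside the hunk.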
@@ -149,6 +158,21 @@ src_install() { fowners --no-dereference 500:500 "${link}" done + if use audit; then + # Install our rules. + insinto /etc/audit/rules.d + for name in 00-clear.rules 80-selinux.rules 99-default.rules; do + doins "${FILESDIR}/audit/${name}" + # Upstream wants these to have restrictive perms. + fperms 0640 "/etc/audit/rules.d/${name}" + done + # Install a service that loads the rules (it's possibly + # something that a deamon does, but in our case the daemon is + # disabled by default). + systemd_dounit "${FILESDIR}/audit/audit-rules.service" + systemd_enable_service multi-user.target audit-rules.service + fi + if use ntp; then insinto /etc doins "${FILESDIR}/ntp/ntp.conf" From 382ada247537a245261fda1b5b4bdb0c717a0403 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 27 Feb 2024 10:31:32 +0100 Subject: [PATCH 13/18] overlay profiles: Enable audit files from coreos-base/misc-files --- .../coreos-overlay/profiles/coreos/targets/generic/package.use | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use index f10b11d617..44fb7c9588 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use @@ -10,7 +10,7 @@ app-editors/vim-core minimal # Install our modifications and compatibility symlinks for ssh and ntp # # Install a SELinux policy directory symlink -coreos-base/misc-files openssh ntp policycoreutils +coreos-base/misc-files audit ntp openssh policycoreutils dev-lang/python gdbm dev-libs/dbus-glib tools From bad8cffcd98b410fa266e8619bd006ea4148f659 Mon Sep 17 00:00:00 2001 
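Review bot: `name` in the new `for name in 00-clear.rules 80-selinux.rules 99-default.rules` loop is never declared, unlike `link` and `target` which src_install declares with `local` just above it, so the variable leaks out of the function; `local name` at the top of the `if use audit` block keeps the file's convention. The comment above `systemd_dounit` misspells daemon as `deamon`. src_install starts before this hunk.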
From: Krzesimir Nowak
Date: Mon, 26 Feb 2024 15:15:01 +0100
Subject: [PATCH 14/18] overlay coreos/config: Mask some files from sys-process/audit
We will move sys-process/audit to portage-stable. In order to do that, we need to move the customizations out of its ebuild.
---
 .../coreos/config/env/sys-process/audit | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit
new file mode 100644
index 0000000000..dc9b3ac4bf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-process/audit
@@ -0,0 +1,11 @@
+# Do not install Gentoo-provided audit rules, we will install our own
+# in coreos-base/misc-files.
+INSTALL_MASK+="
+/etc/audit/audit.rules*
+"
+
+# Do not install legacy initscripts stuff
+INSTALL_MASK+="
+/usr/libexec/audit-functions
+/usr/libexec/initscripts
+"
From 7d8e71300962534db9add589ed7c2c9739ebb162 Mon Sep 17 00:00:00 2001
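Review bot: The first mask removes only the packaged `/etc/audit/audit.rules*`; `augenrules --load`, which the audit-rules.service added to misc-files runs at boot, regenerates `/etc/audit/audit.rules` from rules.d, so the comment should say the file is expected to reappear at runtime rather than be absent, e.g. `# augenrules recreates /etc/audit/audit.rules from rules.d at boot; only Gentoo's sample copy is dropped here.`. The synced 3.1.1 ebuild in patch 16 also restores `newinitd`/`newconfd` for `/etc/init.d/auditd` and `/etc/conf.d/auditd` and drops the Flatcar sed that kept aureport and ausearch out of sbin_PROGRAMS, and none of those paths are masked here; if the "no initscripts, no daemon tooling" rationale from the README deleted in the same patch is meant to survive the move, those paths belong in this file too, unless a later patch in the series covers them.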
From: Krzesimir Nowak Date: Mon, 26 Feb 2024 15:18:19 +0100 Subject: [PATCH 15/18] overlay sys-process/audit: Move to portage-stable --- .../{coreos-overlay => portage-stable}/sys-process/audit/Manifest | 0 .../sys-process/audit/README.md | 0 .../sys-process/audit/audit-3.0.6-r1.ebuild | 0 .../sys-process/audit/files/audit-rules.service | 0 .../sys-process/audit/files/audit-rules.tmpfiles | 0 .../sys-process/audit/files/rules.d/00-clear.rules | 0 .../sys-process/audit/files/rules.d/80-selinux.rules | 0 .../sys-process/audit/files/rules.d/99-default.rules | 0 .../sys-process/audit/metadata.xml | 0 9 files changed, 0 insertions(+), 0 deletions(-) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/Manifest (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/README.md (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/audit-3.0.6-r1.ebuild (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/files/audit-rules.service (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/files/audit-rules.tmpfiles (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/files/rules.d/00-clear.rules (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/files/rules.d/80-selinux.rules (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/files/rules.d/99-default.rules (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-process/audit/metadata.xml (100%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest b/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest rename to sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md b/sdk_container/src/third_party/portage-stable/sys-process/audit/README.md similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md rename to sdk_container/src/third_party/portage-stable/sys-process/audit/README.md diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.0.6-r1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.0.6-r1.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service rename to sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles rename to sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules rename to sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules rename to sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules rename to sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml rename to sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml From 81684a1453ff60c3a95089abc079680b41dbc167 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Mon, 26 Feb 2024 15:41:31 +0100 Subject: [PATCH 16/18] sys-process/audit: Sync with Gentoo It's from Gentoo commit b3421946f41290093bd4bfe67fee6ecccab31bcb. --- .../portage-stable/sys-process/audit/Manifest | 3 +- .../sys-process/audit/README.md | 24 --- ...dit-3.0.6-r1.ebuild => audit-3.1.1.ebuild} | 129 ++++++------- .../sys-process/audit/audit-3.1.2.ebuild | 181 ++++++++++++++++++ .../audit-3.0.8-linux-headers-5.17.patch | 41 ++++ .../audit/files/audit-3.0.8-musl-malloc.patch | 29 +++ .../audit/files/audit-rules.service | 16 -- .../audit/files/audit-rules.tmpfiles | 6 - .../sys-process/audit/files/audit.rules-2.1.3 | 25 +++ .../audit/files/audit.rules.stop.post | 12 ++ .../audit/files/audit.rules.stop.pre | 15 ++ .../audit/files/auditd-conf.d-2.1.3 | 22 +++ .../audit/files/auditd-init.d-2.4.3 | 90 +++++++++ .../audit/files/rules.d/00-clear.rules | 3 - .../audit/files/rules.d/80-selinux.rules | 4 - .../audit/files/rules.d/99-default.rules | 5 - .../sys-process/audit/metadata.xml | 2 + 17 files changed, 478 insertions(+), 129 deletions(-) delete mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/README.md rename sdk_container/src/third_party/portage-stable/sys-process/audit/{audit-3.0.6-r1.ebuild => audit-3.1.1.ebuild} (51%) create mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch delete mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service delete mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles create mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3 create mode 100644 
sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post create mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre create mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3 create mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules delete mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules delete mode 100644 sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest b/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest index 8fde549680..947ffaef62 100644 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest 
@@ -1 +1,2 @@
-DIST audit-3.0.6.tar.gz 1190011 BLAKE2B 93a7efad1cbea6771a73222b05aacbabc4ac61d1efb9fc2532607a94804bcac6512d0be2f4d89aa62d94fb85ba5818ffae4bf0a72676e8d549ddbec766e83e9c SHA512 74734e1b1fddea086db9c5dc8c4b7817917fdf17bc7ca4e5b440aae975484d020a17c3f485f6a37b6b150a307d809e50d559d31a8cbd6f1e554933719551bcd1
+DIST audit-3.1.1.tar.gz 1218111 BLAKE2B a804684e438efc5f35b387708b3dc91bf857eeb56624261e0f75543556c436bfe638b792f63289f049c11541b10b2dc0e9f17b22f44b913da0168b1cf20684fc SHA512 4917970cc4c7f786c464a6d101bf66d55d55ac4716cf415ff97177f08176a6301e946716d28cf5b16054538469b3140b97db99d55a28686a9a807eea60c070f3
+DIST audit-3.1.2.tar.gz 1219860 BLAKE2B dfdec470bf12cce6c570b3d260e65e2b49e8ac0761e6a6fbf7b4f4a57f92e88367cd74bfcb88e6d718619b88fea27ce963a977c9f4346c95d18a5310e217accb SHA512 a97003a294ed3671df01e2952688e7d5eef59a35f6891feb53e67c4c7eab9ae8c2d18de41a5b5b20e0ad7156fac93aec05f32f6bc5eea706b42b6f27f676446a
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/README.md b/sdk_container/src/third_party/portage-stable/sys-process/audit/README.md
deleted file mode 100644
index 20ef8bab00..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-process/audit/README.md
+++ /dev/null
@@ -1,24 +0,0 @@ -This is a fork of gentoo's `sys-process/audit` package. The main -reasons for having our fork seem to be: - -1. We have our own audit rules (see files in `files/rules.d` - directory). - - - These seem to be mostly similar to what gentoo provides, but split - into several files and they have an additional rule for SELinux - events. - - - We also install it in a different place and place symlinks with - systemd's tmpfiles functionality. - -2. We install a systemd service that loads our rules at startup. - -3. We build and install only a subset of binaries in the project. - Namely, we skip all the daemon stuff that puts the logs in - `/var/log/audit` and some tools that process those logs. Since - audit logs are also written to journal, writing them to disk seems - redundant, thus auditd and the tools seem to be unnecessary. This - also reduces the final image size a bit. - -4. Since we do not install the daemon, we don't do the permissions - lockdown on some auditd files. diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.0.6-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild similarity index 51% rename from sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.0.6-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild index 846a0db491..ab8e362008 100644 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.0.6-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild 
@@ -1,13 +1,15 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -# Flatcar: Support python 3.6. -PYTHON_COMPAT=( python3_{6..11} ) +# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so +# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide) +# on bumps (or if hitting a bug) to see what they've done there. -TMPFILES_OPTIONAL=1 -inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles +PYTHON_COMPAT=( python3_{9..11} ) + +inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript DESCRIPTION="Userspace utilities for storing and processing auditing records" HOMEPAGE="https://people.redhat.com/sgrubb/audit/" 
@@ -15,24 +17,34 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz" LICENSE="GPL-2+ LGPL-2.1+" SLOT="0" -# Flatcar: Build amd64 and arm64 by default. -KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" -IUSE="gssapi ldap python static-libs test" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86" +IUSE="gssapi io-uring ldap python static-libs test" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" RESTRICT="!test? ( test )" -RDEPEND="gssapi? ( virtual/krb5 ) - ldap? ( net-nds/openldap ) +RDEPEND=" sys-libs/libcap-ng - python? ( ${PYTHON_DEPS} )" -DEPEND="${RDEPEND} + gssapi? ( virtual/krb5 ) + ldap? ( net-nds/openldap:= ) + python? ( ${PYTHON_DEPS} ) +" +DEPEND=" + ${RDEPEND} >=sys-kernel/linux-headers-2.6.34 - test? ( dev-libs/check )" -BDEPEND="python? ( dev-lang/swig:0 )" + test? ( dev-libs/check ) +" +BDEPEND="python? ( dev-lang/swig )" CONFIG_CHECK="~AUDIT" +PATCHES=( + # See bug #836702 before removing / verify builds fine w/ USE=python + # with latest kernel headers. + "${FILESDIR}"/${PN}-3.0.8-linux-headers-5.17.patch + "${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch +) + src_prepare() { # audisp-remote moved in multilib_src_install_all sed -i \ 
@@ -40,51 +52,48 @@ src_prepare() { audisp/plugins/remote/au-remote.conf || die # Disable installing sample rules so they can be installed as docs. - echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null - - # Flatcar: Some legacy stuff is being installed when systemd - # is enabled. Drop all the lines that try doing it. - sed -e '/${DESTDIR}${initdir}/d' \ - -e '/${DESTDIR}${legacydir}/d' \ - -i init.d/Makefile.am || die - # Flatcar: Do not build daemon stuff. - sed -e '/^sbin_PROGRAMS =/s/aureport//' \ - -e '/^sbin_PROGRAMS =/s/ausearch//' \ - -i src/Makefile.am || die + echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die default eautoreconf } multilib_src_configure() { - local -a myeconfargs=( - --sbindir="${EPREFIX}/sbin" + local myeconfargs=( + --sbindir="${EPREFIX}"/sbin $(use_enable gssapi gssapi-krb5) $(use_enable ldap zos-remote) $(use_enable static-libs static) + $(use_with io-uring io_uring) --enable-systemd --without-golang + --without-libwrap --without-python --without-python3 ) - ECONF_SOURCE=${S} econf "${myeconfargs[@]}" + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" if multilib_is_native_abi && use python; then python_configure() { - mkdir -p "${BUILD_DIR}" + mkdir -p "${BUILD_DIR}" || die pushd "${BUILD_DIR}" &>/dev/null || die - ECONF_SOURCE=${S} econf "${myeconfargs[@]}" --with-python3 + + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3 + popd &>/dev/null || die } + python_foreach_impl python_configure fi } src_configure() { tc-export_build_env BUILD_{CC,CPP} + local -x CC_FOR_BUILD="${BUILD_CC}" local -x CPP_FOR_BUILD="${BUILD_CPP}" + multilib-minimal_src_configure } @@ -93,10 +102,12 @@ multilib_src_compile() { default local native_build="${BUILD_DIR}" + python_compile() { emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}" emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}" } + use python && python_foreach_impl python_compile else emake -C common 
@@ -110,14 +121,16 @@ multilib_src_install() { emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install local native_build="${BUILD_DIR}" + python_install() { emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install python_optimize } + use python && python_foreach_impl python_install - # things like shadow use this so we need to be in / + # Things like shadow use this so we need to be in / gen_usr_ldscript -a audit auparse else emake -C lib DESTDIR="${D}" install 
@@ -129,35 +142,24 @@ multilib_src_install_all() { dodoc AUTHORS ChangeLog README* THANKS docinto contrib dodoc contrib/avc_snap - # Flatcar: Do not install any plugin stuff, these are parts of - # auditd that we don't build and install anyway. - # docinto contrib/plugin - # dodoc contrib/plugin/* + docinto contrib/plugin + dodoc contrib/plugin/* docinto rules dodoc rules/*rules - # Flatcar: Do not install stuff auditd stuff. - # newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd - # newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd + newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd + newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd - # Flatcar: install sample configuration - insinto /usr/share/auditd - doins "${S}"/init.d/auditd.conf + if [[ -f "${ED}"/sbin/audisp-remote ]] ; then + dodir /usr/sbin + mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die + fi - - # Flatcar: We are not installing audisp too. - # [ -f "${ED}"/sbin/audisp-remote ] && \ - # dodir /usr/sbin && \ - # mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die - - # Flatcar: Do not install gentoo rules. # Gentoo rules - # newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules - # Flatcar: We are installing our own rules. - insinto /usr/share/audit/rules.d - doins "${FILESDIR}"/rules.d/*.rules - # Flatcar: Do not install deamon stuff. - # doins "${FILESDIR}"/audit.rules.stop* + insinto /etc/audit + newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules + doins "${FILESDIR}"/audit.rules.stop* + keepdir /etc/audit/rules.d # audit logs go here keepdir /var/log/audit @@ -166,14 +168,6 @@ multilib_src_install_all() { # Security lockdown_perms "${ED}" - - # Flatcar: We add the systemd unit but don't enable it. - systemd_dounit init.d/auditd.service - - # Flatcar: Our systemd stuff. - newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf - systemd_dounit "${FILESDIR}"/audit-rules.service - systemd_enable_service multi-user.target audit-rules.service } pkg_postinst() { 
@@ -183,13 +177,8 @@ pkg_postinst() {
 lockdown_perms() {
 # Upstream wants these to have restrictive perms.
 # Should not || die as not all paths may exist.
- # Flatcar: We don't include ausearch and aureport
- # so they're removed from the hardening list
 local basedir="${1}"
- # chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
- chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null
+ chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
 chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
- # chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
- rm -f "${basedir}"/etc/audit/auditd.conf 2>/dev/null
- :
+ chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
 }
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild
new file mode 100644
index 0000000000..d2b9730673
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild
@@ -0,0 +1,181 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide)
+# on bumps (or if hitting a bug) to see what they've done there.
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
+
+DESCRIPTION="Userspace utilities for storing and processing auditing records"
+HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
+SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="gssapi io-uring ldap python static-libs test"
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ sys-libs/libcap-ng
+ gssapi? ( virtual/krb5 )
+ ldap? ( net-nds/openldap:= )
+ python? ( ${PYTHON_DEPS} )
+"
+DEPEND="
+ ${RDEPEND}
+ >=sys-kernel/linux-headers-2.6.34
+ test? ( dev-libs/check )
+"
+BDEPEND="python? ( dev-lang/swig )"
+
+CONFIG_CHECK="~AUDIT"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch
+)
+
+src_prepare() {
+ # audisp-remote moved in multilib_src_install_all
+ sed -i \
+ -e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \
+ audisp/plugins/remote/au-remote.conf || die
+
+ # Disable installing sample rules so they can be installed as docs.
+ echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die
+
+ default
+ eautoreconf
+}
+
+multilib_src_configure() {
+ local myeconfargs=(
+ --sbindir="${EPREFIX}"/sbin
+ $(use_enable gssapi gssapi-krb5)
+ $(use_enable ldap zos-remote)
+ $(use_enable static-libs static)
+ $(use_with io-uring io_uring)
+ --enable-systemd
+ --without-golang
+ --without-libwrap
+ --without-python
+ --without-python3
+ )
+
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+
+ if multilib_is_native_abi && use python; then
+ python_configure() {
+ mkdir -p "${BUILD_DIR}" || die
+ pushd "${BUILD_DIR}" &>/dev/null || die
+
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3
+
+ popd &>/dev/null || die
+ }
+
+ python_foreach_impl python_configure
+ fi
+}
+
+src_configure() {
+ tc-export_build_env BUILD_{CC,CPP}
+
+ local -x CC_FOR_BUILD="${BUILD_CC}"
+ local -x CPP_FOR_BUILD="${BUILD_CPP}"
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi; then
+ default
+
+ local native_build="${BUILD_DIR}"
+
+ python_compile() {
+ emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
+ emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
+ }
+
+ use python && python_foreach_impl python_compile
+ else
+ emake -C common
+ emake -C lib
+ emake -C auparse
+ fi
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
+
+ local native_build="${BUILD_DIR}"
+
+ python_install() {
+ emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
+ emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
+ python_optimize
+ }
+
+ use python && python_foreach_impl python_install
+
+ # Things like shadow use this so we need to be in /
+ gen_usr_ldscript -a audit auparse
+ else
+ emake -C lib DESTDIR="${D}" install
+ emake -C auparse DESTDIR="${D}" install
+ fi
+}
+
+multilib_src_install_all() {
+ dodoc AUTHORS ChangeLog README* THANKS
+ docinto contrib
+ dodoc contrib/avc_snap
+ docinto contrib/plugin
+ dodoc contrib/plugin/*
+ docinto rules
+ dodoc rules/*rules
+
+ newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+ newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+
+ if [[ -f "${ED}"/sbin/audisp-remote ]] ; then
+ dodir /usr/sbin
+ mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+ fi
+
+ # Gentoo rules
+ insinto /etc/audit
+ newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+ doins "${FILESDIR}"/audit.rules.stop*
+ keepdir /etc/audit/rules.d
+
+ # audit logs go here
+ keepdir /var/log/audit
+
+ find "${ED}" -type f -name '*.la' -delete || die
+
+ # Security
+ lockdown_perms "${ED}"
+}
+
+pkg_postinst() {
+ lockdown_perms "${EROOT}"
+}
+
+lockdown_perms() {
+ # Upstream wants these to have restrictive perms.
+ # Should not || die as not all paths may exist.
+ local basedir="${1}"
+ chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+ chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+ chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch
new file mode 100644
index 0000000000..8d41d83638
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch
@@ -0,0 +1,41 @@ +Upstream rejected a workaround/fix at https://github.com/linux-audit/audit-userspace/pull/253 +/ https://github.com/linux-audit/audit-userspace/issues/252#issuecomment-1078595249. + +Instead, in Fedora (same maintainer as upstream), they're patching the headers then unpatching before install. + +Apparently the swig bindings are on their way out but I'm not convinced that's going to be a quick migration given the API will.. surely change? + +It's not ideal but let's take the patch slyfox ended up using in nixpkgs anyway. + +https://bugs.gentoo.org/836702 + +From beed138222421a2eb4212d83cb889404bd7efc49 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Wed, 23 Mar 2022 07:27:05 +0000 +Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf + +As it's a flexible array generated code was never safe to use. +With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574 +change it's a build failure now: + + audit> audit_wrap.c:5010:15: error: invalid use of flexible array member + audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size)); + audit> | ^ + +Let's avoid setter generation entirely. + +Closes: https://github.com/linux-audit/audit-userspace/issues/252 +--- a/bindings/swig/src/auditswig.i ++++ b/bindings/swig/src/auditswig.i +@@ -39,6 +39,10 @@ signed + #define __attribute(X) /*nothing*/ + typedef unsigned __u32; + typedef unsigned uid_t; ++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not: ++ * generating setters against them: https://github.com/swig/swig/issues/1699 ++ */ ++%ignore audit_rule_data::buf; + %include "/usr/include/linux/audit.h" + #define __extension__ /*nothing*/ + %include + 
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch new file mode 100644 index 0000000000..7233aabe03 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch @@ -0,0 +1,29 @@ +https://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch?id=ad978133a1a10d609bb2545882a2f720a2572f3d +https://github.com/linux-audit/audit-userspace/pull/311 +https://bugs.gentoo.org/837275 + +From 79c8d6a2755c9dfa00a5e86378e89a94eef0504d Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Tue, 9 Aug 2022 23:57:03 -0700 +Subject: [PATCH] Replace __attribute_malloc__ with + __attribute__((__malloc__)) + +__attribute_malloc__ is not available on musl + +Fixes +| ../../git/auparse/auparse.h:54:2: error: expected function body after function declarator +| __attribute_malloc__ __attr_dealloc (auparse_destroy, 1); +| ^ + +Signed-off-by: Khem Raj +--- a/auparse/auparse.h ++++ b/auparse/auparse.h +@@ -51,7 +51,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au, + void auparse_destroy(auparse_state_t *au); + void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what); + auparse_state_t *auparse_init(ausource_t source, const void *b) +- __attribute_malloc__ __attr_dealloc (auparse_destroy, 1); ++ __attribute__((__malloc__)) __attr_dealloc (auparse_destroy, 1); + int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len) + __attr_access ((__read_only__, 2, 3)); + int auparse_feed(auparse_state_t *au, const char *data, size_t data_len) 
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service deleted file mode 100644 index 8c54802fb5..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Load Security Auditing Rules -DefaultDependencies=no -After=local-fs.target systemd-tmpfiles-setup.service -Conflicts=shutdown.target -Before=sysinit.target shutdown.target -ConditionSecurity=audit - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/sbin/augenrules --load -ExecStop=-/sbin/auditctl -D - -[Install] -WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles deleted file mode 100644 index b7f9530cca..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles +++ /dev/null @@ -1,6 +0,0 @@ -d /etc/audit 750 - - - - -C /etc/audit/auditd.conf 640 - - - /usr/share/auditd/auditd.conf -d /etc/audit/rules.d 750 - - - - -L /etc/audit/rules.d/00-clear.rules 640 - - - /usr/share/audit/rules.d/00-clear.rules -L /etc/audit/rules.d/80-selinux.rules 640 - - - /usr/share/audit/rules.d/80-selinux.rules -L /etc/audit/rules.d/99-default.rules 640 - - - /usr/share/audit/rules.d/99-default.rules diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3 new file mode 100644 index 0000000000..25dbedfd1d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3 
@@ -0,0 +1,25 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
+
+# Feel free to add below this line. See auditctl man page
+
+# The following rule would cause all of the syscalls listed to be ignored in logging.
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+
+# The following rule would cause the capture of all systems not caught above.
+# -a exit,always -S all
+
+# Increase the buffers to survive stress events
+-b 8192
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post
new file mode 100644
index 0000000000..29ae197f18
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post
@@ -0,0 +1,12 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately after the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# Not used for the default Gentoo configuration as of v1.2.3
+# Paranoid security types might wish to reconfigure kauditd here.
+
+# vim:ft=conf:
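Review bot: The two `-a exit,never` rules name syscalls that are not present on every architecture (`open`, `stat` and `dup2` do not exist on arm64, for example), and `auditctl -R` without `-c` stops at the first line it cannot parse, so on such a host the `-D` has already cleared the rule set when loading aborts and the `-b 8192` line is never reached. Either restrict the list to syscalls that exist on every targeted arch or say above the rules which arches they were written for, e.g. `# NOTE: the syscall names below assume x86; open/stat/dup2 are absent on arm64`. This file also supersedes the `rules.d` set deleted later in this series, so the `CONFIG_CHANGE` and SELinux `exclude` rules are no longer part of the shipped default, and the systemd unit that loaded rules at boot is deleted in the preceding hunk; how rules get loaded on a systemd host is not visible from this hunk and deserves a line in the header comment.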
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre
new file mode 100644
index 0000000000..1f34173369
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre
@@ -0,0 +1,15 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately before the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# auditd is stopping, don't capture events anymore
+-D
+
+# Disable kernel generating audit events
+-e 0
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3
new file mode 100644
index 0000000000..c66be166ce
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3
@@ -0,0 +1,22 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Configuration options for auditd
+# -f for foreground mode
+# There are some other options as well, but you'll have to look in the source
+# code to find them as they aren't ready for use yet.
+EXTRAOPTIONS=''
+
+# Audit rules file to run after starting auditd
+RULEFILE_STARTUP=/etc/audit/audit.rules
+
+# Audit rules file to run before and after stopping auditd
+RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
+RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
+
+# If you want to enforce a certain locale for auditd,
+# uncomment one of the next lines:
+#AUDITD_LANG=none
+AUDITD_LANG=C
+#AUDITD_LANG=en_US
+#AUDITD_LANG=en_US.UTF-8
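Review bot: The header comment of audit.rules.stop.pre misspells "daemon" in `# audit deamon is stopped via the initscripts.`; the same typo is in audit.rules.stop.post in the previous hunk. Suggest `# audit daemon is stopped via the initscripts.` in both files, since these comments are what an operator reads when deciding whether to customise the stop-time rules.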
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3
new file mode 100644
index 0000000000..c952554df2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3
@@ -0,0 +1,90 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands='reload reload_auditd reload_rules'
+description='Linux Auditing System'
+description_reload='Reload daemon configuration and rules'
+description_reload_rules='Reload daemon rules'
+description_reload_auditd='Reload daemon configuration'
+
+name='auditd'
+pidfile='/var/run/auditd.pid'
+command='/sbin/auditd'
+
+start_auditd() {
+ # Env handling taken from the upstream init script
+ if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
+ unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ else
+ LANG="$AUDITD_LANG"
+ LC_TIME="$AUDITD_LANG"
+ LC_ALL="$AUDITD_LANG"
+ LC_MESSAGES="$AUDITD_LANG"
+ LC_NUMERIC="$AUDITD_LANG"
+ LC_MONETARY="$AUDITD_LANG"
+ LC_COLLATE="$AUDITD_LANG"
+ export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ fi
+ unset HOME MAIL USER USERNAME
+
+ ebegin "Starting ${name}"
+ start-stop-daemon \
+ --start --quiet --pidfile ${pidfile} \
+ --exec ${command} -- ${EXTRAOPTIONS}
+ local ret=$?
+ eend $ret
+ return $ret
+}
+
+stop_auditd() {
+ ebegin "Stopping ${name}"
+ start-stop-daemon --stop --quiet --pidfile ${pidfile}
+ local ret=$?
+ eend $ret
+ return $ret
+}
+
+loadfile() {
+ local rules="$1"
+ if [ -n "${rules}" -a -f "${rules}" ]; then
+ einfo "Loading audit rules from ${rules}"
+ /sbin/auditctl -R "${rules}" >/dev/null
+ return $?
+ else
+ return 0
+ fi
+}
+
+start() {
+ start_auditd
+ local ret=$?
+ if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
+ loadfile "${RULEFILE_STARTUP}"
+ fi
+ return $ret
+}
+
+reload_rules() {
+ loadfile "${RULEFILE_STARTUP}"
+}
+
+reload_auditd() {
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP \
+ --exec "${command}" --pidfile "${pidfile}"
+ eend $?
+}
+
+reload() {
+ reload_auditd
+ reload_rules
+}
+
+stop() {
+ [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
+ stop_auditd
+ local ret=$?
+ [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
+ return $ret
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules
deleted file mode 100644
index f43e62771c..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules
deleted file mode 100644
index 627b17db3f..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules
+++ /dev/null
@@ -1,4 +0,0 @@
-# Enable all SELinux related events
-# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
-
--a exclude,never -F msgtype>=1400 -F msgtype<=1499
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules
deleted file mode 100644
index cc373d8406..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules
+++ /dev/null
@@ -1,5 +0,0 @@
-# Always report changes to the audit subsystem itself.
--a exclude,never -F msgtype=CONFIG_CHANGE
-
-# Ignore everything else.
--a exclude,always -F msgtype>0
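Review bot: In `start()` the exit status of `loadfile "${RULEFILE_STARTUP}"` is discarded — `ret` is captured before the call and is what the function returns — so a rules file that auditctl rejects leaves the daemon running with whatever partial rule set was loaded, with only auditctl's stderr as a hint (its stdout is sent to /dev/null in `loadfile`). At minimum make the failure visible, e.g. `loadfile "${RULEFILE_STARTUP}" || ewarn "Failed to load audit rules from ${RULEFILE_STARTUP}"`, or fold the status into `ret` if an unloadable rule set should fail the service. The two `loadfile` calls in `stop()` drop their results the same way. As a point of style, the `[ … -o … ]` and `[ … -a … ]` tests in `start_auditd`, `loadfile` and `start` are the obsolescent XSI forms; `[ a ] || [ b ]` and `[ a ] && [ b ]` are the portable spelling. `reload_auditd` also reports `${SVCNAME}` where every other message uses `${name}`.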
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml
index 3524ab03cd..79fc6fdac9 100644
--- a/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml
@@ -9,8 +9,10 @@ Enable GSSAPI support + Enable support for io-uring. Doesn't need the library but needs at least kernel 5.1. linux-audit/audit-userspace + cpe:/a:linux:audit
From 88d1effdc41cd0591320dffc463e141d731fed37 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 26 Feb 2024 15:19:31 +0100
Subject: [PATCH 17/18] .github: Add sys-process/audit and dev-lang/swig to automation
---
 .github/workflows/portage-stable-packages-list | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 006e5ab99b..1e521d54ff 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -186,6 +186,7 @@ dev-lang/perl
 dev-lang/python
 dev-lang/python-exec
 dev-lang/python-exec-conf
+dev-lang/swig
 dev-lang/yasm
 
 dev-libs/cJSON
@@ -565,6 +566,7 @@ sys-libs/zlib
 
 sys-power/acpid
 
+sys-process/audit
 sys-process/lsof
 sys-process/procps
 sys-process/psmisc
From 91853181d12619defc5da69ddb2c53989ac98c4e Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Fri, 1 Mar 2024 16:14:22 +0100
Subject: [PATCH 18/18] changelog: Add an entry
---
 changelog/updates/2024-03-01-selinux-followup.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/updates/2024-03-01-selinux-followup.md
diff --git a/changelog/updates/2024-03-01-selinux-followup.md b/changelog/updates/2024-03-01-selinux-followup.md
new file mode 100644
index 0000000000..8fbda6efe1
--- /dev/null
+++ b/changelog/updates/2024-03-01-selinux-followup.md
@@ -0,0 +1,3 @@
+- policycoreutils ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
+- libsemanage ([3.6](https://github.com/SELinuxProject/selinux/releases/tag/3.6))
+- audit ([3.1.1](https://github.com/linux-audit/audit-userspace/releases/tag/v3.1.1))