sys-libs/libseccomp: Sync with Gentoo

It's from Gentoo commit 00b81b84504c9de0c8bc7c9c9071afaf80cc6042.
2025-08-16 01:16:59 +02:00 · 2024-10-07 07:08:15 +00:00 · 2024-10-07 07:08:15 +00:00 · c855643df0
commit c855643df0
parent d96fd18344
2 changed files with 157 additions and 0 deletions
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libseccomp/files/libseccomp-2.5.5-aliasing.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libseccomp/files/libseccomp-2.5.5-aliasing.patch
@ -0,0 +1,30 @@
+https://github.com/seccomp/libseccomp/commit/2847f10dddca72167309c04cd09f326fd3b78e2f
+
+From 2847f10dddca72167309c04cd09f326fd3b78e2f Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Sun, 24 Dec 2023 20:38:06 +0100
+Subject: [PATCH] scmp_bpf_sim: fix aliasing UB
+
+See https://github.com/seccomp/libseccomp/pull/425.
+
+Punning sys_data_b between uint32_t* and struct* seccomp_data isn't legal,
+use memcpy to fix the testsuite with Clang 17.
+
+Modern compilers recognise this idiom and optimise it out anyway.
+
+Signed-off-by: Sam James <sam@gentoo.org>
+Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+--- a/tools/scmp_bpf_sim.c
+++ b/tools/scmp_bpf_sim.c
+@@ -182,7 +182,8 @@ static void bpf_execute(const struct bpf_program *prg,
+ 		switch (code) {
+ 		case BPF_LD+BPF_W+BPF_ABS:
+ 			if (k < BPF_SYSCALL_MAX) {
+-				uint32_t val = *((uint32_t *)&sys_data_b[k]);
+				uint32_t val;
+				memcpy(&val, &sys_data_b[k], sizeof(val));
+ 				state.acc = ttoh32(arch, val);
+ 			} else
+ 				exit_error(ERANGE, ip_c);
+
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libseccomp/libseccomp-2.5.5-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libseccomp/libseccomp-2.5.5-r2.ebuild
@ -0,0 +1,127 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_EXT=1
+DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit distutils-r1 multilib-minimal
+
+DESCRIPTION="High level interface to Linux seccomp filter"
+HOMEPAGE="https://github.com/seccomp/libseccomp"
+
+if [[ ${PV} == *9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/seccomp/libseccomp.git"
+	PRERELEASE="2.6.0"
+	AUTOTOOLS_AUTO_DEPEND=yes
+	inherit autotools git-r3
+else
+	AUTOTOOLS_AUTO_DEPEND=no
+	inherit autotools libtool
+	SRC_URI="https://github.com/seccomp/libseccomp/releases/download/v${PV}/${P}.tar.gz
+		experimental-loong? ( https://github.com/matoro/libseccomp/compare/v${PV}..loongarch-r1.patch
+			-> ${P}-loongarch-r1.patch )"
+	KEYWORDS="-* ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~x86 ~amd64-linux ~x86-linux"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="experimental-loong python static-libs test"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+# We need newer kernel headers; we don't keep strict control of the exact
+# version here, just be safe and pull in the latest stable ones. bug #551248
+DEPEND="
+	>=sys-kernel/linux-headers-5.15
+	python? ( ${PYTHON_DEPS} )
+"
+RDEPEND="${DEPEND}"
+BDEPEND="
+	${DEPEND}
+	dev-util/gperf
+	experimental-loong? ( ${AUTOTOOLS_DEPEND} )
+	python? (
+		${DISTUTILS_DEPS}
+		dev-python/cython[${PYTHON_USEDEP}]
+	)
+"
+
+PATCHES=(
+	"${FILESDIR}"/libseccomp-python-shared.patch
+	"${FILESDIR}"/libseccomp-2.5.3-skip-valgrind.patch
+	"${FILESDIR}"/libseccomp-2.5.5-which-hunt.patch
+	"${FILESDIR}"/libseccomp-2.5.5-arch-syscall-check.patch
+	"${FILESDIR}"/libseccomp-2.5.5-aliasing.patch
+)
+
+src_prepare() {
+	if use experimental-loong; then
+		PATCHES+=( "${DISTDIR}/${P}-loongarch-r1.patch" )
+	fi
+
+	default
+
+	if [[ ${PV} == *9999 ]] ; then
+		sed -i -e "s/0.0.0/${PRERELEASE}/" configure.ac || die
+	fi
+
+	if use experimental-loong; then
+		# touch generated files to avoid activating maintainer mode
+		# remove when loong-fix-build.patch is no longer necessary
+		touch ./aclocal.m4 ./configure ./configure.h.in || die
+		find . -name Makefile.in -exec touch {} + || die
+	fi
+
+	if [[ ${PV} == *9999 ]] || use experimental-loong; then
+		rm -f "include/seccomp.h" || die
+		eautoreconf
+	else
+		elibtoolize
+	fi
+}
+
+multilib_src_configure() {
+	local myeconfargs=(
+		$(use_enable static-libs static)
+		--disable-python
+	)
+
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake
+
+	if multilib_is_native_abi && use python ; then
+		# setup.py expects libseccomp.so to live in "../.libs"
+		# Copy the python files to the right place for this.
+		rm -r "${BUILD_DIR}"/src/python || die
+		cp -r "${S}"/src/python "${BUILD_DIR}"/src/python || die
+		local -x CPPFLAGS="-I\"${BUILD_DIR}/include\" -I\"${S}/include\" ${CPPFLAGS}"
+
+		# setup.py reads VERSION_RELEASE from the environment
+		local -x VERSION_RELEASE=${PRERELEASE-${PV}}
+
+		pushd "${BUILD_DIR}/src/python" >/dev/null || die
+		distutils-r1_src_compile
+		popd >/dev/null || die
+	fi
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi && use python ; then
+		distutils-r1_src_install
+	fi
+}
+
+multilib_src_install_all() {
+	find "${ED}" -type f -name "${PN}.la" -delete || die
+
+	einstalldocs
+}