commit:     2606e84e36c1bf0515947e4d744e6990526ba366
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 11 00:54:09 2022 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue Jan 11 01:01:37 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2606e84e

sys-apps/systemd-tmpfiles: add 249.7

Includes backport for CVE-2021-3997.

Bug: https://bugs.gentoo.org/830967
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 sys-apps/systemd-tmpfiles/Manifest                 |   2 +
 .../systemd-tmpfiles/systemd-tmpfiles-249.7.ebuild | 260 +++++++++++++++++++++
 2 files changed, 262 insertions(+)

diff --git a/sys-apps/systemd-tmpfiles/Manifest 
b/sys-apps/systemd-tmpfiles/Manifest
index 56ae06fe69b3..8f7f65ff7640 100644
--- a/sys-apps/systemd-tmpfiles/Manifest
+++ b/sys-apps/systemd-tmpfiles/Manifest
@@ -1,2 +1,4 @@
+DIST systemd-249.7-CVE-2021-3997.tar.gz 8431 BLAKE2B 
167ae8bfb3b653fa4a7a62eee164f2a7edf2f0fb312db8ed955634030c95dfdbd747821b4652620cd34a7af38fe0b77e48ed61096b5d076c3eb2f56371e191c8
 SHA512 
b17a60a0862743faee0153218792a77b5d06a44876e0c53c264e98d62786442c165f47136d7bc2857edcedc24e667c220a2e7d065e77f9a957804131acb26598
 DIST systemd-musl-patches-249.5-r1.tar.xz 25148 BLAKE2B 
6717291b5335997dcc327764beffc4ded50a5ac0e777bb3c540b5e355bee419c3d9b4a5605c239392d4c1b0e70792bc87282fa15dc9c09a0465b5608f2909006
 SHA512 
4bb7566437c280e75402fc435a3437aedad127f7b94c9bd54b94e9e1e7507409ad0898681f23e813b9b47414f58e4ca413b6d4e520bbbf578faec09054bf7f9b
 DIST systemd-stable-249.5.tar.gz 10597897 BLAKE2B 
5c573322ef9bcd9d019776d6e2d8625a741c1535c0d06661b5666c2438a70cfc4dc182919bb419829de27a4d93c16717ce24e668faf9bd6b09e57f8bd88be725
 SHA512 
d6f1a5a6f03f0ed05b111aee75da509c5868c523af6209f33e630724dd0c7e0d0abf16920795d587e6c31a5915d247ebc613cf26d4aecf39f82ebb0690fab75f
+DIST systemd-stable-249.7.tar.gz 10608252 BLAKE2B 
a5597c4973b24c962779622cae47dbf8351af49f8cd898d9c16a967c6f3600c6feb293e9b03eab0423b860eef5b04b287185fb9827cb323429d0ab9fc6d809b2
 SHA512 
4daf8570621fdcda5c94d982908c64eddfeef989005f4fd79a10f199dbc6f366354177bb59dff34bcb14764fb4423a870ffabac1163849ec53592e29760105fc

diff --git a/sys-apps/systemd-tmpfiles/systemd-tmpfiles-249.7.ebuild 
b/sys-apps/systemd-tmpfiles/systemd-tmpfiles-249.7.ebuild
new file mode 100644
index 000000000000..8d386973e34a
--- /dev/null
+++ b/sys-apps/systemd-tmpfiles/systemd-tmpfiles-249.7.ebuild
@@ -0,0 +1,260 @@
+# Copyright 2020-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+if [[ ${PV} == *.* ]]; then
+       MY_PN=systemd-stable
+else
+        MY_PN=systemd
+fi
+
+MINKV="3.11"
+MUSL_PATCHSET="249.5-r1"
+PYTHON_COMPAT=( python3_{8..10} )
+inherit flag-o-matic meson python-any-r1
+
+DESCRIPTION="Creates, deletes and cleans up volatile and temporary files and 
directories"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd";
+SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${PV}.tar.gz -> 
${MY_PN}-${PV}.tar.gz
+       https://dev.gentoo.org/~floppym/dist/systemd-249.7-CVE-2021-3997.tar.gz
+       elibc_musl? (
+               
https://dev.gentoo.org/~gyakovlev/distfiles/systemd-musl-patches-${MUSL_PATCHSET}.tar.xz
+               
https://dev.gentoo.org/~soap/distfiles/systemd-musl-patches-${MUSL_PATCHSET}.tar.xz
+       )"
+
+LICENSE="BSD-2 GPL-2 LGPL-2.1 MIT public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv 
~s390 ~sparc ~x86"
+IUSE="selinux test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+       sys-apps/acl:0=
+       >=sys-apps/util-linux-2.30:0=
+       sys-libs/libcap:0=
+       selinux? ( sys-libs/libselinux:0= )
+       virtual/libcrypt:=
+       !sys-apps/opentmpfiles
+       !sys-apps/systemd
+"
+
+DEPEND="
+       ${RDEPEND}
+       >=sys-kernel/linux-headers-${MINKV}
+"
+
+BDEPEND="
+       ${PYTHON_DEPS}
+       $(python_gen_any_dep 'dev-python/jinja[${PYTHON_USEDEP}]')
+       app-text/docbook-xml-dtd:4.2
+       app-text/docbook-xml-dtd:4.5
+       app-text/docbook-xsl-stylesheets
+       dev-libs/libxslt
+       dev-util/gperf
+       >=dev-util/meson-0.46
+       >=sys-apps/coreutils-8.16
+       sys-devel/gettext
+       virtual/pkgconfig
+"
+
+S="${WORKDIR}/${MY_PN}-${PV}"
+
+python_check_deps() {
+       has_version -b "dev-python/jinja[${PYTHON_USEDEP}]"
+}
+
+pkg_pretend() {
+       if [[ -n ${EPREFIX} ]]; then
+               ewarn "systemd-tmpfiles uses un-prefixed paths at runtime.".
+       fi
+}
+
+pkg_setup() {
+       python-any-r1_pkg_setup
+}
+
+src_prepare() {
+       eapply "${WORKDIR}/systemd-249.7-CVE-2021-3997"
+
+       # musl patchset from:
+       # 
http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-core/systemd/systemd
+       # check SRC_URI_MUSL in systemd_${PV}.bb file for exact list of musl 
patches
+       # we share patch tarball with sys-fs/udev
+       if use elibc_musl; then
+               einfo "applying musl patches and workarounds"
+               eapply "${WORKDIR}/musl-patches"
+
+               # avoids re-definition of struct ethhdr, also 
0006-Include-netinet-if_ether.h.patch
+               append-cppflags '-D__UAPI_DEF_ETHHDR=0'
+
+               # src/basic/rlimit-util.c:46:19: error: format ‘%lu’ expects 
argument of type ‘long unsigned int’,
+               # but argument 9 has type ‘rlim_t’ {aka ‘long long unsigned 
int’}
+               # not a nice workaround, but it comes from debug messages and 
we don't really use this component.
+               append-cflags '-Wno-error=format'
+       fi
+
+       default
+
+       # https://bugs.gentoo.org/767403
+       python_fix_shebang src/test/*.py
+       python_fix_shebang test/*.py
+       python_fix_shebang tools/*.py
+}
+
+src_configure() {
+       # disable everything until configure says "enabled features: ACL, 
tmpfiles, standalone-binaries, static-libsystemd(true)"
+       # and optionally selinux feature can be enabled to make tmpfiles 
secontext-aware
+       local systemd_disable_options=(
+               adm-group
+               analyze
+               apparmor
+               audit
+               backlight
+               binfmt
+               blkid
+               bzip2
+               coredump
+               dbus
+               efi
+               elfutils
+               environment-d
+               fdisk
+               gcrypt
+               glib
+               gshadow
+               gnutls
+               hibernate
+               hostnamed
+               hwdb
+               idn
+               ima
+               initrd
+               firstboot
+               kernel-install
+               kmod
+               ldconfig
+               libcryptsetup
+               libcurl
+               libfido2
+               libidn
+               libidn2
+               libiptc
+               link-networkd-shared
+               link-systemctl-shared
+               link-timesyncd-shared
+               link-udev-shared
+               localed
+               logind
+               lz4
+               machined
+               microhttpd
+               networkd
+               nscd
+               nss-myhostname
+               nss-resolve
+               nss-systemd
+               oomd
+               openssl
+               p11kit
+               pam
+               pcre2
+               polkit
+               portabled
+               pstore
+               pwquality
+               randomseed
+               resolve
+               rfkill
+               seccomp
+               smack
+               sysext
+               sysusers
+               timedated
+               timesyncd
+               tpm
+               qrencode
+               quotacheck
+               userdb
+               utmp
+               vconsole
+               wheel-group
+               xdg-autostart
+               xkbcommon
+               xz
+               zlib
+               zstd
+       )
+
+       # prepend -D and append =false, e.g. zstd becomes -Dzstd=false
+       systemd_disable_options=( ${systemd_disable_options[@]/#/-D} )
+       systemd_disable_options=( ${systemd_disable_options[@]/%/=false} )
+
+       local emesonargs=(
+               -Drootprefix="${EPREFIX:-/}"
+               -Dacl=true
+               -Dtmpfiles=true
+               -Dstandalone-binaries=true # this and below option does the 
magic
+               -Dstatic-libsystemd=true
+               -Dsysvinit-path=''
+               ${systemd_disable_options[@]}
+               $(meson_use selinux)
+       )
+       meson_src_configure
+}
+
+src_compile() {
+       # tmpfiles and sysusers can be built as standalone and link 
systemd-shared in statically.
+       # https://github.com/systemd/systemd/pull/16061 original implementation
+       # we just need to pass -Dstandalone-binaries=true and
+       # use <name>.standalone target below.
+       # check meson.build for if have_standalone_binaries condition per 
target.
+       local mytargets=(
+               systemd-tmpfiles.standalone
+               man/tmpfiles.d.5
+               man/systemd-tmpfiles.8
+       )
+       meson_src_compile "${mytargets[@]}"
+}
+
+src_install() {
+       # lean and mean installation, single binary and man-pages
+       pushd "${BUILD_DIR}" > /dev/null || die
+       into /
+       newbin systemd-tmpfiles.standalone systemd-tmpfiles
+
+       doman man/{systemd-tmpfiles.8,tmpfiles.d.5}
+
+       popd > /dev/null || die
+
+       # service files adapter from opentmpfiles
+       newinitd "${FILESDIR}"/stmpfiles-dev.initd stmpfiles-dev
+       newinitd "${FILESDIR}"/stmpfiles-setup.initd stmpfiles-setup
+
+       # same content, but install as different file
+       newconfd "${FILESDIR}"/stmpfiles.confd stmpfiles-dev
+       newconfd "${FILESDIR}"/stmpfiles.confd stmpfiles-setup
+}
+
+src_test() {
+       # 'meson test' will compile full systemd, but we can still outsmart it
+       "${EPYTHON}" test/test-systemd-tmpfiles.py \
+               "${BUILD_DIR}"/systemd-tmpfiles.standalone || die "${FUNCNAME} 
failed"
+}
+
+# stolen from opentmpfiles ebuild
+add_service() {
+       local initd=$1
+       local runlevel=$2
+
+       elog "Auto-adding '${initd}' service to your ${runlevel} runlevel"
+       mkdir -p "${EROOT}/etc/runlevels/${runlevel}"
+       ln -snf "${EPREFIX}/etc/init.d/${initd}" 
"${EROOT}/etc/runlevels/${runlevel}/${initd}"
+}
+
+pkg_postinst() {
+       if [[ -z $REPLACING_VERSIONS ]]; then
+               add_service stmpfiles-dev sysinit
+               add_service stmpfiles-setup boot
+       fi
+}
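Review bot: The ewarn in pkg_pretend has a stray `.` after the closing quote, so bash concatenates it and the message is printed with a doubled period; the line should read `ewarn "systemd-tmpfiles uses un-prefixed paths at runtime."`. Separately, the `eapply "${WORKDIR}/systemd-249.7-CVE-2021-3997"` that opens src_prepare is the only security-motivated step in the file yet carries no comment, unlike the musl block right below it; a one-liner such as `# backported fix for CVE-2021-3997 (bug 830967), shipped as a separate tarball in SRC_URI` would tell the next version bumper why the extra distfile exists and when it can be dropped. The patch tarball comes from a developer's dev.gentoo.org space rather than upstream, which is acceptable only because the Manifest hunk pins its BLAKE2B/SHA512 digests, so any re-roll of that tarball must land together with a Manifest update.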
