Control: tags 1093545 + patch - moreinfo

On Wed, Jan 29, 2025 at 09:23:12PM +0000, Andrew Bower wrote:
> Withdrawing proposed patch pending converting xchpst from divert to
> alternatives mechanism per policy 3.9 and because it's better that way.

New patch attached using the 'update-alternatives' mechanism to work with xchpst-0.3.0-1. This should scale better and be more robust.
From 9a1680b3cb296d2c9bbf040267e68f4cab3aa578 Mon Sep 17 00:00:00 2001 From: Andrew Bower <[email protected]> Date: Wed, 29 Jan 2025 23:16:10 +0000 Subject: [PATCH] Add fake xchpst executable and man page for compat Install a compatibility script to emulate xchpst and corresponding man page as a low priority alternative to the real xchpst tool to allow runscripts to use xchpst transparently with fallback to chpst for compatible options. Closes: #1093545 --- debian/contrib/xchpst.runit | 22 +++++++++++++++ debian/contrib/xchpst.runit.8 | 51 +++++++++++++++++++++++++++++++++++ debian/copyright | 4 +++ debian/runit.install | 2 ++ debian/runit.manpages | 2 +- debian/runit.postinst | 8 ++++++ debian/runit.prerm | 10 +++++++ 7 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 debian/contrib/xchpst.runit create mode 100755 debian/contrib/xchpst.runit.8 create mode 100644 debian/runit.prerm diff --git a/debian/contrib/xchpst.runit b/debian/contrib/xchpst.runit new file mode 100644 index 0000000..167caf3 --- /dev/null +++ b/debian/contrib/xchpst.runit @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Copyright: 2025 Andrew Bower <[email protected]> +# License: BSD-3-Clause +# +# Fake xchpst that strips the extended options and passes everything after +# the first -@ or including -- to classic chpst for use when xchpst is not +# available. + +# Consume extended arguments +while [ $# -gt 0 -a "$1" != "-@" -a "$1" != "--" ] +do + shift +done + +# Consume -@ but not -- +if [ "$1" = "-@" ] +then + shift; +fi + +exec chpst "$@" diff --git a/debian/contrib/xchpst.runit.8 b/debian/contrib/xchpst.runit.8 new file mode 100755 index 0000000..b0081cb --- /dev/null +++ b/debian/contrib/xchpst.runit.8 
@@ -0,0 +1,51 @@ +.Dd January 4, 2025. +.Dt xchpst 8 +.Os +.Sh NAME +.Nm xchpst.runit +.Nd fake xchpst that passes compatible arguments to chpst +.Sh SYNOPSIS +.Nm +.Op Ar XCHPST-OPTIONS +.Fl @ +.Op Ar CHPST-OPTIONS +.Op Fl - +.Op Ar COMMAND ... +.Sh DESCRIPTION +.Pp +The +.Nm +script strips all options preceding the +.Fl @ +separator +and passes the remainder of the arguments to +.Nm chpst . +.Pp +The purpose of this script is to allow runscripts to take advantage of +.Nm xchpst Ns 's +Linux-specific hardening features when the 'xchpst' package is installed and +fall back to the classical +.Nm chpst +features otherwise, without embedding any conditionality in the runscript. +.Sh EXIT STATUS +The exit status is the return code from +.Nm chpst +or the target command. +.Sh EXAMPLES +The following command, +.Dl exec xchpst --cap-bs-keep CAP_SYS_TIME -@ -p 4 -- myntpd -D +in the absence of the real +.Nm xchpst +tool, is equivalent to: +.Dl exec chpst -p 4 -- myntpd -D +.Sh SEE ALSO +.Xr xchpst.real 8 +from the xchpst package. +.Pp +.Xr chpst 8 +.Sh AUTHORS +.An -nosplit +.An Andrew Bower Aq Mt [email protected] +.Sh BUGS +Please raise bug reports for the compatibility script with: +.Dl reportbug runit diff --git a/debian/copyright b/debian/copyright index 23784cd..2bd3b6a 100644 --- a/debian/copyright +++ b/debian/copyright @@ -40,6 +40,10 @@ Files: debian/contrib/i-s-h/invoke-rc.d-*.in Copyright: 2000,2001 Henrique de Moraes Holschuh <[email protected]> License: GPL-2+ +Files: debian/contrib/xchpst* +Copyright: 2025 Andrew Bower <[email protected]> +License: BSD-3-clause + License: BSD-3-clause Redistribution and use in source and binary forms, with or without modification, diff --git a/debian/runit.install b/debian/runit.install index 2a5a09c..2c14cbb 100644 --- a/debian/runit.install +++ b/debian/runit.install 
@@ -36,3 +36,5 @@ debian/contrib/lib/async-timeout /usr/lib/runit debian/contrib/lib/finish-default /usr/lib/runit debian/contrib/lib/finish-exec /usr/lib/runit debian/contrib/lib/run_sysv_scripts /usr/lib/runit + +debian/contrib/xchpst.runit /usr/bin diff --git a/debian/runit.manpages b/debian/runit.manpages index adb29bc..c740977 100644 --- a/debian/runit.manpages +++ b/debian/runit.manpages @@ -13,4 +13,4 @@ debian/contrib/update-service.8 debian/contrib/mk-runscript.8 debian/contrib/cpsv.8 debian/contrib/man/* - +debian/contrib/xchpst.runit.8 diff --git a/debian/runit.postinst b/debian/runit.postinst index d552881..e8275d3 100644 --- a/debian/runit.postinst +++ b/debian/runit.postinst @@ -12,4 +12,12 @@ case "$1" in ;; esac +case "$1" in + configure|abort-upgrade) + update-alternatives \ + --install /usr/bin/xchpst xchpst /usr/bin/xchpst.runit 10 \ + --slave /usr/share/man/man8/xchpst.8.gz xchpst.8.gz /usr/share/man/man8/xchpst.runit.8.gz + ;; +esac + #DEBHELPER# diff --git a/debian/runit.prerm b/debian/runit.prerm new file mode 100644 index 0000000..1cba721 --- /dev/null +++ b/debian/runit.prerm @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +if [ "$1" != "upgrade" ] || dpkg --compare-versions "$2" lt "2.1.2-61" +then + update-alternatives --remove xchpst /usr/bin/xchpst.runit +fi + +#DEBHELPER# -- 2.47.2
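Review bot: In debian/contrib/xchpst.runit, the "Consume extended arguments" loop runs to the end of the argument list when neither -@ nor -- is present, so the script ends in `exec chpst` with no arguments and the intended command is dropped without a message. Consider checking `$# -eq 0` after the loop and exiting non-zero with an error on stderr. The loop condition also chains tests with `-a`, which POSIX marks obsolescent; `[ $# -gt 0 ] && [ "$1" != "-@" ] && [ "$1" != "--" ]` is the portable form.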
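Review bot: The file modes look swapped: debian/contrib/xchpst.runit.8 is created with `new file mode 100755` while the script debian/contrib/xchpst.runit is created with `new file mode 100644`. The man page should not be executable and the script should be. In the man page itself, `.Dd January 4, 2025.` carries a trailing period that will be rendered as part of the date.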
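Review bot: In debian/runit.postinst the new case arm matches only `configure|abort-upgrade`, while debian/runit.prerm removes the alternative for every action other than `upgrade`. If a removal is aborted after prerm has run, postinst is called with `abort-remove` and the xchpst alternative is not registered again, leaving runscripts that call xchpst without a target. Consider extending the arm to `configure|abort-upgrade|abort-remove|abort-deconfigure`.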
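Review bot: In debian/runit.prerm the version `2.1.2-61` in the `dpkg --compare-versions "$2" lt` test is unexplained. Add a comment stating what that version marks (presumably the first upload that ships xchpst.runit) so the downgrade case is clear, and confirm it matches the upload this change lands in. Note also that `[ "$1" != "upgrade" ]` is true for `failed-upgrade`, so the alternative is removed on that path as well; say in a comment whether that is intended.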

