commit:     1d9b7172e93caccdc5ec6bf9f80dd181e22bc2ab
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 15 01:54:09 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Jan 15 01:54:19 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d9b7172

net-misc/lldpd: backport additional seccomp fixes

Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch   |  50 ++++++++++
 net-misc/lldpd/lldpd-1.0.13-r2.ebuild              | 106 +++++++++++++++++++++
 2 files changed, 156 insertions(+)

diff --git a/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch 
b/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch
new file mode 100644
index 000000000000..62f8cdc2e62b
--- /dev/null
+++ b/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch
@@ -0,0 +1,50 @@
+https://github.com/lldpd/lldpd/commit/0ea4b1a5e0e9c35d960145d25166e92a9990227f
+https://github.com/lldpd/lldpd/commit/1def824404cfcab9f64b687da1cb7a4b4b51bbe0
+
+From: Antonio Quartulli <a...@unstable.cc>
+Date: Sun, 9 Jan 2022 15:24:55 +0100
+Subject: [PATCH] linux: add access syscall to seccomp rules
+
+Signed-off-by: Antonio Quartulli <a...@unstable.cc>
+--- a/src/daemon/priv-seccomp.c
++++ b/src/daemon/priv-seccomp.c
+@@ -178,6 +178,7 @@ priv_seccomp_init(int remote, int child)
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 
0)) < 0 ||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 
0)) < 0 ||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) 
< 0 ||
++          (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 
0 ||
+           /* The following are for resolving addresses */
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 
||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 
0 ||
+
+From: David Sastre Medina <d.sastre.med...@gmail.com>
+Date: Tue, 11 Jan 2022 14:55:05 +0100
+Subject: [PATCH] daemon: add additional syscalls to SECCOMP filter when
+ running in the foreground
+
+Running lldpd in the foreground as follows:
+
+strace -c /usr/sbin/lldpd -d -cfse -D -C lldpd-peer -I lldpd-peer \
+       -S lldpd-system-name -m 192.168.50.6
+
+Requires additional syscalls to be filtered (non relevant syscalls removed):
+
+% time     seconds  usecs/call     calls    errors syscall
+------ ----------- ----------- --------- --------- ----------------
+  0.47    0.000026           6         4           ppoll
+  0.33    0.000018           3         5           rt_sigprocmask
+  0.27    0.000015           3         4           getsockopt
+------ ----------- ----------- --------- --------- ----------------
+100.00    0.005520           8       637        22 total
+--- a/src/daemon/priv-seccomp.c
++++ b/src/daemon/priv-seccomp.c
+@@ -179,6 +179,9 @@ priv_seccomp_init(int remote, int child)
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 
0)) < 0 ||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) 
< 0 ||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 
0 ||
++          (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 
SCMP_SYS(rt_sigprocmask), 0)) < 0 ||
++          (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 
0)) < 0 ||
++          (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ppoll), 0)) < 
0 ||
+           /* The following are for resolving addresses */
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 
||
+           (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 
0 ||
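Review bot: The four added `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(...), 0)` lines allowlist `access`, `rt_sigprocmask`, `getsockopt` and `ppoll` without argument filtering, which is consistent with the surrounding rules, but nothing beside them in priv-seccomp.c records which code path needs each syscall; that justification lives only in the two commit messages pasted above the hunks, and the ebuild's PATCHES comment says this file is meant to be dropped on the next release. A short comment on the new side would survive a rebase, e.g. `/* access: upstream 0ea4b1a5 (presumably the glibc 2.33 issue this backport is named for); rt_sigprocmask/getsockopt/ppoll: needed in foreground (-d) mode, upstream 1def8244 */`. Note also that the second hunk's context depends on the `access` line added by the first, so the two sub-patches must stay in this order within the file. priv_seccomp_init continues past both hunks, so any allow rules further down are outside this view.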

diff --git a/net-misc/lldpd/lldpd-1.0.13-r2.ebuild 
b/net-misc/lldpd/lldpd-1.0.13-r2.ebuild
new file mode 100644
index 000000000000..0d977a8c72aa
--- /dev/null
+++ b/net-misc/lldpd/lldpd-1.0.13-r2.ebuild
@@ -0,0 +1,106 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd bash-completion-r1 autotools tmpfiles
+
+DESCRIPTION="Implementation of IEEE 802.1ab (LLDP)"
+HOMEPAGE="https://lldpd.github.io/";
+SRC_URI="http://media.luffy.cx/files/${PN}/${P}.tar.gz";
+
+LICENSE="ISC"
+SLOT="0/4.9.0"
+KEYWORDS="~amd64 ~x86"
+IUSE="cdp doc +dot1 +dot3 edp fdp graph +lldpmed old-kernel sanitizers
+       seccomp sonmp snmp static-libs test readline xml"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+       acct-group/lldpd
+       acct-user/lldpd
+       dev-libs/libbsd
+       >=dev-libs/libevent-2.1.11:=
+       sys-libs/readline:0=
+       seccomp? ( sys-libs/libseccomp:= )
+       snmp? ( net-analyzer/net-snmp:=[extensible(+)] )
+       xml? ( dev-libs/libxml2:= )
+"
+DEPEND="${RDEPEND}
+       test? ( dev-libs/check )
+"
+BDEPEND="virtual/pkgconfig
+       doc? (
+               graph? ( app-doc/doxygen[dot] )
+               !graph? ( app-doc/doxygen )
+       )
+"
+
+REQUIRED_USE="graph? ( doc )"
+
+PATCHES=(
+       # Can drop both of these on next release; upstream.
+       "${FILESDIR}/${P}-glibc-2.33.patch"
+       "${FILESDIR}/${P}-r2-glibc-2.33.patch"
+)
+
+src_prepare() {
+       default
+
+       eautoreconf
+}
+
+src_configure() {
+       econf \
+               --without-embedded-libevent \
+               --with-privsep-user=${PN} \
+               --with-privsep-group=${PN} \
+               --with-privsep-chroot=/run/${PN} \
+               --with-lldpd-ctl-socket=/run/${PN}.socket \
+               --with-lldpd-pid-file=/run/${PN}.pid \
+               $(use_enable cdp) \
+               $(use_enable doc doxygen-man) \
+               $(use_enable doc doxygen-pdf) \
+               $(use_enable doc doxygen-html) \
+               $(use_enable dot1) \
+               $(use_enable dot3) \
+               $(use_enable edp) \
+               $(use_enable fdp) \
+               $(use_enable graph doxygen-dot) \
+               $(use_enable lldpmed) \
+               $(use_enable old-kernel oldies) \
+               $(use_enable sonmp) \
+               $(use_enable static-libs static) \
+               $(use_with readline) \
+               $(use_enable sanitizers) \
+               $(use_with seccomp) \
+               $(use_with snmp) \
+               $(use_with xml)
+}
+
+src_compile() {
+       emake
+       use doc && emake doxygen-doc
+}
+
+src_install() {
+       emake DESTDIR="${D}" install
+       find "${D}" -name '*.la' -delete || die
+
+       newinitd "${FILESDIR}"/${PN}-initd-5 ${PN}
+       newconfd "${FILESDIR}"/${PN}-confd-1 ${PN}
+       newbashcomp src/client/completion/lldpcli lldpcli
+
+       use doc && dodoc -r doxygen/html
+
+       insinto /etc
+       doins "${FILESDIR}/lldpd.conf"
+       keepdir /etc/${PN}.d
+
+       systemd_dounit "${FILESDIR}"/${PN}.service
+       newtmpfiles "${FILESDIR}"/tmpfilesd ${PN}.conf
+}
+
+pkg_postinst() {
+       tmpfiles_process ${PN}.conf
+}
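Review bot: `use doc && emake doxygen-doc` is the last statement of src_compile, so when USE=doc is disabled the function returns status 1 (the status of the failed `use` test) even though the build succeeded; how a package manager treats a non-zero phase-function return is not something this file shows, so the safer form is `if use doc; then emake doxygen-doc; fi`. The same `use doc && dodoc -r doxygen/html` pattern in src_install is harmless because `insinto`/`doins` follow it, but the `if` form there too would keep the two phases consistent.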
