summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSam James <sam@gentoo.org>2022-01-15 01:54:09 +0000
committerSam James <sam@gentoo.org>2022-01-15 01:54:19 +0000
commit1d9b7172e93caccdc5ec6bf9f80dd181e22bc2ab (patch)
treedb8af8411f8ddafd324cfa4280d09e4600f18d64
parentnet-misc/lldpd: drop no-op USE=zsh-completion (diff)
downloadgentoo-1d9b7172e93caccdc5ec6bf9f80dd181e22bc2ab.tar.gz
gentoo-1d9b7172e93caccdc5ec6bf9f80dd181e22bc2ab.tar.bz2
gentoo-1d9b7172e93caccdc5ec6bf9f80dd181e22bc2ab.zip
net-misc/lldpd: backport additional seccomp fixes
Signed-off-by: Sam James <sam@gentoo.org>
-rw-r--r--net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch50
-rw-r--r--net-misc/lldpd/lldpd-1.0.13-r2.ebuild106
2 files changed, 156 insertions, 0 deletions
diff --git a/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch b/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch
new file mode 100644
index 00000000000..62f8cdc2e62
--- /dev/null
+++ b/net-misc/lldpd/files/lldpd-1.0.13-r2-glibc-2.33.patch
@@ -0,0 +1,50 @@
+https://github.com/lldpd/lldpd/commit/0ea4b1a5e0e9c35d960145d25166e92a9990227f
+https://github.com/lldpd/lldpd/commit/1def824404cfcab9f64b687da1cb7a4b4b51bbe0
+
+From: Antonio Quartulli <a@unstable.cc>
+Date: Sun, 9 Jan 2022 15:24:55 +0100
+Subject: [PATCH] linux: add access syscall to seccomp rules
+
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+--- a/src/daemon/priv-seccomp.c
++++ b/src/daemon/priv-seccomp.c
+@@ -178,6 +178,7 @@ priv_seccomp_init(int remote, int child)
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
+ /* The following are for resolving addresses */
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
+
+From: David Sastre Medina <d.sastre.medina@gmail.com>
+Date: Tue, 11 Jan 2022 14:55:05 +0100
+Subject: [PATCH] daemon: add additional syscalls to SECCOMP filter when
+ running in the foreground
+
+Running lldpd in the foreground as follows:
+
+strace -c /usr/sbin/lldpd -d -cfse -D -C lldpd-peer -I lldpd-peer \
+ -S lldpd-system-name -m 192.168.50.6
+
+Requires additional syscalls to be filtered (non relevant syscalls removed):
+
+% time seconds usecs/call calls errors syscall
+------ ----------- ----------- --------- --------- ----------------
+ 0.47 0.000026 6 4 ppoll
+ 0.33 0.000018 3 5 rt_sigprocmask
+ 0.27 0.000015 3 4 getsockopt
+------ ----------- ----------- --------- --------- ----------------
+100.00 0.005520 8 637 22 total
+--- a/src/daemon/priv-seccomp.c
++++ b/src/daemon/priv-seccomp.c
+@@ -179,6 +179,9 @@ priv_seccomp_init(int remote, int child)
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0)) < 0 ||
++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0)) < 0 ||
++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0)) < 0 ||
++ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ppoll), 0)) < 0 ||
+ /* The following are for resolving addresses */
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0)) < 0 ||
+ (rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0)) < 0 ||
diff --git a/net-misc/lldpd/lldpd-1.0.13-r2.ebuild b/net-misc/lldpd/lldpd-1.0.13-r2.ebuild
new file mode 100644
index 00000000000..0d977a8c72a
--- /dev/null
+++ b/net-misc/lldpd/lldpd-1.0.13-r2.ebuild
@@ -0,0 +1,106 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd bash-completion-r1 autotools tmpfiles
+
+DESCRIPTION="Implementation of IEEE 802.1ab (LLDP)"
+HOMEPAGE="https://lldpd.github.io/"
+SRC_URI="http://media.luffy.cx/files/${PN}/${P}.tar.gz"
+
+LICENSE="ISC"
+SLOT="0/4.9.0"
+KEYWORDS="~amd64 ~x86"
+IUSE="cdp doc +dot1 +dot3 edp fdp graph +lldpmed old-kernel sanitizers
+ seccomp sonmp snmp static-libs test readline xml"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ acct-group/lldpd
+ acct-user/lldpd
+ dev-libs/libbsd
+ >=dev-libs/libevent-2.1.11:=
+ sys-libs/readline:0=
+ seccomp? ( sys-libs/libseccomp:= )
+ snmp? ( net-analyzer/net-snmp:=[extensible(+)] )
+ xml? ( dev-libs/libxml2:= )
+"
+DEPEND="${RDEPEND}
+ test? ( dev-libs/check )
+"
+BDEPEND="virtual/pkgconfig
+ doc? (
+ graph? ( app-doc/doxygen[dot] )
+ !graph? ( app-doc/doxygen )
+ )
+"
+
+REQUIRED_USE="graph? ( doc )"
+
+PATCHES=(
+ # Can drop both of these on next release; upstream.
+ "${FILESDIR}/${P}-glibc-2.33.patch"
+ "${FILESDIR}/${P}-r2-glibc-2.33.patch"
+)
+
+src_prepare() {
+ default
+
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ --without-embedded-libevent \
+ --with-privsep-user=${PN} \
+ --with-privsep-group=${PN} \
+ --with-privsep-chroot=/run/${PN} \
+ --with-lldpd-ctl-socket=/run/${PN}.socket \
+ --with-lldpd-pid-file=/run/${PN}.pid \
+ $(use_enable cdp) \
+ $(use_enable doc doxygen-man) \
+ $(use_enable doc doxygen-pdf) \
+ $(use_enable doc doxygen-html) \
+ $(use_enable dot1) \
+ $(use_enable dot3) \
+ $(use_enable edp) \
+ $(use_enable fdp) \
+ $(use_enable graph doxygen-dot) \
+ $(use_enable lldpmed) \
+ $(use_enable old-kernel oldies) \
+ $(use_enable sonmp) \
+ $(use_enable static-libs static) \
+ $(use_with readline) \
+ $(use_enable sanitizers) \
+ $(use_with seccomp) \
+ $(use_with snmp) \
+ $(use_with xml)
+}
+
+src_compile() {
+ emake
+ use doc && emake doxygen-doc
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+ find "${D}" -name '*.la' -delete || die
+
+ newinitd "${FILESDIR}"/${PN}-initd-5 ${PN}
+ newconfd "${FILESDIR}"/${PN}-confd-1 ${PN}
+ newbashcomp src/client/completion/lldpcli lldpcli
+
+ use doc && dodoc -r doxygen/html
+
+ insinto /etc
+ doins "${FILESDIR}/lldpd.conf"
+ keepdir /etc/${PN}.d
+
+ systemd_dounit "${FILESDIR}"/${PN}.service
+ newtmpfiles "${FILESDIR}"/tmpfilesd ${PN}.conf
+}
+
+pkg_postinst() {
+ tmpfiles_process ${PN}.conf
+}