This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core154 has been updated
via c1b356d20da2ebb162072787927b5babbafebfa4 (commit)
from 8e308e4eb2534c260a29a17bd66700f894a84cb9 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit c1b356d20da2ebb162072787927b5babbafebfa4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Feb 5 17:01:29 2021 +0000
Revert "dhcpcd: Update to 9.4.0"
This reverts commit 15194c7c52c2438611832cecf4dad24fec304322.
This version still fails to run on i586 without this patch.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
lfs/dhcpcd | 7 +++--
...86_for_SECCOMP_as_it_just_uses_socketcall.patch | 36 ++++++++++++++++++++++
2 files changed, 41 insertions(+), 2 deletions(-)
create mode 100644 src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
Difference in files:
diff --git a/lfs/dhcpcd b/lfs/dhcpcd
index 352308692..4e34e19d5 100644
--- a/lfs/dhcpcd
+++ b/lfs/dhcpcd
@@ -24,7 +24,7 @@
include Config
-VER = 9.4.0
+VER = 9.3.4
THISAPP = dhcpcd-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = c36715fc629bc40aa94aae06fa1724c2
+$(DL_FILE)_MD5 = badb02dfc69fe9bbeec35a02efcdb4db
install : $(TARGET)
@@ -70,6 +70,9 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
+
cd $(DIR_APP) && ./configure --prefix="" --sysconfdir=/var/ipfire/dhcpc \
--dbdir=/var/ipfire/dhcpc \
--libexecdir=/var/ipfire/dhcpc \
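Review bot: The added `patch -Np1 -i …01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch` step has no comment saying why the patch is carried or when it can go, and that is how the earlier update came to drop it. A line above it such as `# i586: dhcpcd's seccomp filter must allow socketcall(2); drop only once the packaged release contains this fix` would record that. The step runs on every architecture, which looks harmless because the patched code is guarded by `#ifdef __NR_socketcall`, but that is worth stating in the same comment. The commit message says 9.4.0 still fails on i586 without the patch but not whether the patch was tried on top of 9.4.0; if it applies there, keeping the newer release with the patch would avoid giving up whatever fixes that release contains. The recipe for `$(TARGET)` continues outside the hunk.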
diff --git a/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
new file mode 100644
index 000000000..9efcde219
--- /dev/null
+++ b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
@@ -0,0 +1,36 @@
+diff --git a/src/privsep-linux.c b/src/privsep-linux.c
+index 050a30cf..d31d720d 100644
+--- a/src/privsep-linux.c
++++ b/src/privsep-linux.c
+@@ -32,6 +32,7 @@
+
+ #include <linux/audit.h>
+ #include <linux/filter.h>
++#include <linux/net.h>
+ #include <linux/seccomp.h>
+ #include <linux/sockios.h>
+
+@@ -304,6 +305,23 @@ static struct sock_filter ps_seccomp_filter[] = {
+ #ifdef __NR_sendto
+ SECCOMP_ALLOW(__NR_sendto),
+ #endif
++#ifdef __NR_socketcall
++ /* i386 needs this and demonstrates why SECCOMP
++ * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
++ * as this is soooo tied to the kernel API which changes per arch
++ * and likely libc as well. */
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT), /* overflow */
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
++#endif
+ #ifdef __NR_shutdown
+ SECCOMP_ALLOW(__NR_shutdown),
+ #endif
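Review bot: The new `__NR_socketcall` rules can only match the multiplexer's call number in argument 0, because the real socket arguments sit behind the pointer in argument 1, which a seccomp BPF filter cannot dereference. Any argument-level limits the filter puts on the direct socket syscalls (not visible here) therefore do not carry over to the i386 path, and a comment like `/* only the call number can be checked; the socket arguments behind args[1] are not filtered */` would make that limit explicit. It is also worth confirming that the eleven allowed sub-calls match the direct-syscall allowlist in the rest of `ps_seccomp_filter[]`, which starts and ends outside the hunk, so that i386 is no broader than other architectures. The trailing `/* overflow */` on the `SYS_GETSOCKOPT` line does not say what it refers to and should be spelled out. The patch file also starts directly at `diff --git` with no header, so a short preamble naming its upstream origin (`<upstream-commit-id>`) would help provenance checks and show when the patch can be dropped.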
hooks/post-receive
--
IPFire 2.x development tree