From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, core154, updated. c1b356d20da2ebb162072787927b5babbafebfa4
Date: Fri, 05 Feb 2021 17:02:37 +0000	[thread overview]
Message-ID: <4DXMDF5BV7z2xcJ@people01.haj.ipfire.org> (raw)


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, core154 has been updated
       via  c1b356d20da2ebb162072787927b5babbafebfa4 (commit)
      from  8e308e4eb2534c260a29a17bd66700f894a84cb9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c1b356d20da2ebb162072787927b5babbafebfa4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Feb 5 17:01:29 2021 +0000

    Revert "dhcpcd: Update to 9.4.0"
    
    This reverts commit 15194c7c52c2438611832cecf4dad24fec304322.
    
    This version still fails to run on i586 without this patch.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/dhcpcd                                         |  7 +++--
 ...86_for_SECCOMP_as_it_just_uses_socketcall.patch | 36 ++++++++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch

Difference in files:
diff --git a/lfs/dhcpcd b/lfs/dhcpcd
index 352308692..4e34e19d5 100644
--- a/lfs/dhcpcd
+++ b/lfs/dhcpcd
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 9.4.0
+VER        = 9.3.4
 
 THISAPP    = dhcpcd-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = c36715fc629bc40aa94aae06fa1724c2
+$(DL_FILE)_MD5 = badb02dfc69fe9bbeec35a02efcdb4db
 
 install : $(TARGET)
 
@@ -70,6 +70,9 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
+
 	cd $(DIR_APP) && ./configure --prefix="" --sysconfdir=/var/ipfire/dhcpc \
 			--dbdir=/var/ipfire/dhcpc \
 			--libexecdir=/var/ipfire/dhcpc \
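Review bot: The added `patch -Np1` step in the `$(TARGET)` recipe has no comment saying why it is applied or when it can be removed, so a later version bump has nothing to prompt a check on whether the seccomp fix is still needed. I would add a line above it such as `# Backport: allow socketcall(2) in dhcpcd's seccomp filter, needed on i586; drop once the packaged version runs there without it`. The step runs on every architecture; that looks harmless because the patched lines are wrapped in `#ifdef __NR_socketcall`, but the comment should state it. The recipe continues outside the hunk.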
diff --git a/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
new file mode 100644
index 000000000..9efcde219
--- /dev/null
+++ b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
@@ -0,0 +1,36 @@
+diff --git a/src/privsep-linux.c b/src/privsep-linux.c
+index 050a30cf..d31d720d 100644
+--- a/src/privsep-linux.c
++++ b/src/privsep-linux.c
+@@ -32,6 +32,7 @@
+ 
+ #include <linux/audit.h>
+ #include <linux/filter.h>
++#include <linux/net.h>
+ #include <linux/seccomp.h>
+ #include <linux/sockios.h>
+ 
+@@ -304,6 +305,23 @@ static struct sock_filter ps_seccomp_filter[] = {
+ #ifdef __NR_sendto
+ 	SECCOMP_ALLOW(__NR_sendto),
+ #endif
++#ifdef __NR_socketcall
++	/* i386 needs this and demonstrates why SECCOMP
++	 * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
++	 * as this is soooo tied to the kernel API which changes per arch
++	 * and likely libc as well. */
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT),	/* overflow */
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
++#endif
+ #ifdef __NR_shutdown
+ 	SECCOMP_ALLOW(__NR_shutdown),
+ #endif
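Review bot: The comment above the `__NR_socketcall` entries does not state the constraint a maintainer needs: socketcall(2) carries the sub-call number in argument 0 and only a pointer to the real socket arguments in argument 1, so this filter can match the `SYS_*` number and nothing else. I would replace it with something like `/* i386 multiplexes socket calls through socketcall(2); only the call number (arg 0) can be filtered. Keep this list in step with the direct __NR_* socket entries. */`. Whether `accept`, `accept4`, `listen` and `getsockopt` are also allowed as direct syscalls is not visible in this hunk, so that parity is worth confirming so the i386 path is no wider than the others. The bare `/* overflow */` next to `SYS_GETSOCKOPT` should also say what it refers to. `ps_seccomp_filter[]` starts and ends outside the hunk.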


hooks/post-receive
--
IPFire 2.x development tree
