From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, core154, updated. c1b356d20da2ebb162072787927b5babbafebfa4 Date: Fri, 05 Feb 2021 17:02:37 +0000 Message-ID: <4DXMDF5BV7z2xcJ@people01.haj.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4799552386965726263==" List-Id: --===============4799552386965726263== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, core154 has been updated via c1b356d20da2ebb162072787927b5babbafebfa4 (commit) from 8e308e4eb2534c260a29a17bd66700f894a84cb9 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit c1b356d20da2ebb162072787927b5babbafebfa4 Author: Michael Tremer Date: Fri Feb 5 17:01:29 2021 +0000 Revert "dhcpcd: Update to 9.4.0" =20 This reverts commit 15194c7c52c2438611832cecf4dad24fec304322. =20 This version still fails to run on i586 without this patch. =20 Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: lfs/dhcpcd | 7 +++-- ...86_for_SECCOMP_as_it_just_uses_socketcall.patch | 36 ++++++++++++++++++++= ++ 2 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_ju= st_uses_socketcall.patch Difference in files:
diff --git a/lfs/dhcpcd b/lfs/dhcpcd
index 352308692..4e34e19d5 100644
--- a/lfs/dhcpcd
+++ b/lfs/dhcpcd
@@ -24,7 +24,7 @@
=20
 include Config
=20
-VER =3D 9.4.0
+VER =3D 9.3.4
=20
 THISAPP =3D dhcpcd-$(VER)
 DL_FILE =3D $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects =3D $(DL_FILE)
=20
 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
=20
-$(DL_FILE)_MD5 =3D c36715fc629bc40aa94aae06fa1724c2
+$(DL_FILE)_MD5 =3D badb02dfc69fe9bbeec35a02efcdb4db
=20
 install : $(TARGET)
=20
@@ -70,6 +70,9 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dhcpcd/01_Fix_Linux_i= 386_for_SECCOMP_as_it_just_uses_socketcall.patch
+
 cd $(DIR_APP) && ./configure --prefix=3D"" --sysconfdir=3D/var/ipfire/dhcpc= \
 --dbdir=3D/var/ipfire/dhcpc \
 --libexecdir=3D/var/ipfire/dhcpc \
diff --git a/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses= _socketcall.patch b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_ju= st_uses_socketcall.patch
new file mode 100644
index 000000000..9efcde219
--- /dev/null
+++ b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socket= call.patch
@@ -0,0 +1,36 @@
+=EF=BB=BFdiff --git a/src/privsep-linux.c b/src/privsep-linux.c
+index 050a30cf..d31d720d 100644
+--- a/src/privsep-linux.c
++++ b/src/privsep-linux.c
+@@ -32,6 +32,7 @@
+=20
+ #include
+ #include
++#include
+ #include
+ #include
+=20
+@@ -304,6 +305,23 @@ static struct sock_filter ps_seccomp_filter[] =3D {
+ #ifdef __NR_sendto
+ SECCOMP_ALLOW(__NR_sendto),
+ #endif
++#ifdef __NR_socketcall
++ /* i386 needs this and demonstrates why SECCOMP
++ * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
++ * as this is soooo tied to the kernel API which changes per arch
++ * and likely libc as well. */
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT), /* overflow */
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
++ SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
++#endif
+ #ifdef __NR_shutdown
+ SECCOMP_ALLOW(__NR_shutdown),
+ #endif
hooks/post-receive -- IPFire 2.x development tree --===============4799552386965726263==--
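Review bot: The `__NR_socketcall` block added to `ps_seccomp_filter[]` appears to match only argument 0, the sub-call number; the real socket arguments sit behind the user pointer in argument 1, which a seccomp BPF program cannot dereference, so on i386 these eleven entries are necessarily coarser than any per-argument rule the native syscalls may carry. The existing comment says why the block exists but not that limitation, and `/* overflow */` on the `SYS_GETSOCKOPT` line does not say what overflows; I would extend the comment with `/* Only the sub-call number (arg 0) is checked; the socket arguments are behind a user pointer that BPF cannot read. */` and spell out the GETSOCKOPT remark. It is also worth confirming that every allowed sub-call mirrors a native `SECCOMP_ALLOW(__NR_...)` entry, since only `__NR_sendto` and `__NR_shutdown` are visible here and the array continues outside the hunk. Separately, the patch file starts with a UTF-8 BOM (`=EF=BB=BF`) in front of `diff --git`; `patch -Np1` should skip it as leading text, but stripping it avoids surprises with stricter tooling.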