From 8608a017a9abd92a443bf8772bb409dbc50999f3 Mon Sep 17 00:00:00 2001
From: Duncaen
Date: Wed, 19 Dec 2018 22:26:52 +0100
Subject: [PATCH] kcgi: fix seccomp sandbox
---
 srcpkgs/kcgi/patches/sandbox-musl.patch | 22 --------
 srcpkgs/kcgi/patches/sandbox.patch | 73 +++++++++++++++++++++++++
 srcpkgs/kcgi/template | 16 +++++-
 3 files changed, 88 insertions(+), 23 deletions(-)
 delete mode 100644 srcpkgs/kcgi/patches/sandbox-musl.patch
 create mode 100644 srcpkgs/kcgi/patches/sandbox.patch
diff --git a/srcpkgs/kcgi/patches/sandbox-musl.patch b/srcpkgs/kcgi/patches/sandbox-musl.patch
deleted file mode 100644
index c0d917d382c..00000000000
--- a/srcpkgs/kcgi/patches/sandbox-musl.patch
+++ /dev/null
@@ -1,22 +0,0 @@
---- sandbox-seccomp-filter.c.orig
-+++ sandbox-seccomp-filter.c
-@@ -106,7 +106,9 @@
- SC_ALLOW(recvmsg),
- #endif
- SC_ALLOW(read),
-+ SC_ALLOW(readv),
- SC_ALLOW(write),
-+ SC_ALLOW(writev),
- SC_ALLOW(close),
- #ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
- SC_ALLOW(shutdown),
-@@ -158,7 +160,9 @@
- SC_ALLOW(time),
- #endif
- SC_ALLOW(read),
-+ SC_ALLOW(readv),
- SC_ALLOW(write),
-+ SC_ALLOW(writev),
- SC_ALLOW(close),
- #ifdef __NR_fcntl64 /* only noted on arm */
- SC_ALLOW(fcntl64),
diff --git a/srcpkgs/kcgi/patches/sandbox.patch b/srcpkgs/kcgi/patches/sandbox.patch
new file mode 100644
index 00000000000..271e397c77e
--- /dev/null
+++ b/srcpkgs/kcgi/patches/sandbox.patch
@@ -0,0 +1,73 @@
+--- sandbox-seccomp-filter.c.orig
++++ sandbox-seccomp-filter.c
+@@ -85,7 +85,9 @@
+ /* Load the syscall number for checking. */
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+ offsetof(struct seccomp_data, nr)),
++#ifdef __NR_open /* not defined on AARCH64 */
+ SC_DENY(open, EACCES),
++#endif
+ SC_ALLOW(getpid),
+ SC_ALLOW(gettimeofday),
+ SC_ALLOW(clock_gettime),
+@@ -106,18 +108,24 @@
+ SC_ALLOW(recvmsg),
+ #endif
+ SC_ALLOW(read),
++ SC_ALLOW(readv),
+ SC_ALLOW(write),
++ SC_ALLOW(writev),
+ SC_ALLOW(close),
+ #ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+ SC_ALLOW(shutdown),
+ #endif
+ SC_ALLOW(brk),
++#ifdef __NR_poll /* not defined on AARCH64 */
+ SC_ALLOW(poll),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(_newselect),
+ #else
++#ifdef __NR_select /* not defined on AARCH64 */
+ SC_ALLOW(select),
+ #endif
++#endif
+ SC_ALLOW(madvise),
+ #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+ SC_ALLOW(mmap2),
+@@ -150,7 +158,9 @@
+ /* Load the syscall number for checking. */
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+ offsetof(struct seccomp_data, nr)),
++#ifdef __NR_open /* not defined on AARCH64 */
+ SC_DENY(open, EACCES),
++#endif
+ SC_ALLOW(getpid),
+ SC_ALLOW(gettimeofday),
+ SC_ALLOW(clock_gettime),
+@@ -158,7 +168,9 @@
+ SC_ALLOW(time),
+ #endif
+ SC_ALLOW(read),
++ SC_ALLOW(readv),
+ SC_ALLOW(write),
++ SC_ALLOW(writev),
+ SC_ALLOW(close),
+ #ifdef __NR_fcntl64 /* only noted on arm */
+ SC_ALLOW(fcntl64),
+@@ -167,11 +179,15 @@
+ SC_ALLOW(shutdown),
+ #endif
+ SC_ALLOW(brk),
++#ifdef __NR_poll /* not defined on AARCH64 */
+ SC_ALLOW(poll),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(_newselect),
+ #else
++#ifdef __NR_select /* not defined on AARCH64 */
+ SC_ALLOW(select),
++#endif
+ #endif
+ SC_ALLOW(madvise),
+ #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
diff --git a/srcpkgs/kcgi/template b/srcpkgs/kcgi/template
index 24e27db78ac..fd48df3be29 100644
--- a/srcpkgs/kcgi/template
+++ b/srcpkgs/kcgi/template
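Review bot: Guarding `SC_ALLOW(poll)` and `SC_ALLOW(select)` with `#ifdef __NR_poll` / `#ifdef __NR_select` (hunks -106 and -167 of the nested patch) makes the filter compile on aarch64, but nothing allows the calls that replace them there: the generic syscall table only has ppoll and pselect6, and the libc implements poll()/select() on top of those, so a sandboxed worker that polls on aarch64 would hit the filter's default action instead of being served. Adding `#ifdef __NR_ppoll` / `SC_ALLOW(ppoll),` / `#endif` beside each poll entry, and the same for pselect6 beside each select entry, keeps the allow-list equivalent across architectures. The `#ifdef __NR_open` guard around `SC_DENY(open, EACCES)` has the same shape: on aarch64 the libc opens files via openat, which is not listed, so an open attempt there would take the default action rather than the EACCES the code presumably expects — whether that matters depends on what the worker does after a failed open, which is outside this hunk. The two hunks also close the new `#ifdef __NR_select` block on different sides of the existing `#endif` (before it at -106, after it at -167); both nest correctly, but one order would read more easily.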
@@ -1,7 +1,7 @@
 # Template file for 'kcgi'
 pkgname=kcgi
 version=0.10.8
-revision=1
+revision=2
 build_style=configure
 configure_args="PREFIX=/usr MANDIR=/usr/share/man SBINDIR=/usr/bin"
 make_check_target="regress"
@@ -13,6 +13,20 @@
 homepage="http://kristaps.bsd.lv/kcgi/"
 distfiles="http://kristaps.bsd.lv/kcgi/snapshots/kcgi-${version}.tgz"
 checksum=878c8134d48a3048ea0bc28315fe95698fb9c764023d9244610d7e481ef3734c
+post_configure() {
+ local suffix
+ case "${XBPS_TARGET_MACHINE}" in
+ i686*) suffix="X86" ;;
+ x86_64*) suffix="X86_64" ;;
+ arm*) suffix="ARM" ;;
+ aarch64*) suffix="AARCH64" ;;
+ esac
+ echo "suffix $suffix <<<<<" >&2
+ [ -z "$suffix" ] \
+ && sed -i "/AUDIT_ARCH_X86_64/d" config.h \
+ || sed -i "s/AUDIT_ARCH_X86_64/AUDIT_ARCH_${suffix}/" config.h
+}
+
 post_install() {
 sed -n '2,16p' kcgi.c > LICENSE
 vlicense LICENSE
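Review bot: The `[ -z "$suffix" ] && sed … || sed …` chain in the new post_configure is not an if/else: when suffix is empty and the first sed exits non-zero, the `||` branch still runs and rewrites the define to a bare `AUDIT_ARCH_`, so a `case` default plus an explicit `if`/`else` is safer, and the `echo "suffix $suffix <<<<<" >&2` line looks like leftover debugging. Neither sed checks that config.h actually contained AUDIT_ARCH_X86_64; an unmatched pattern would silently leave the x86_64 architecture check in a non-x86 build, and whether that then kills every syscall at runtime or fails to compile cannot be told from this hunk, so the substitution should be verified and any surprise reported with `msg_error`. Deleting the line for targets outside the four listed cases presumably disables the arch check or the sandbox; if that fallback is intended, it deserves a comment, otherwise failing the build is the safer default, as sketched below.
```shell
post_configure() {
	local suffix
	case "${XBPS_TARGET_MACHINE}" in
	i686*) suffix="X86" ;;
	x86_64*) suffix="X86_64" ;;
	arm*) suffix="ARM" ;;
	aarch64*) suffix="AARCH64" ;;
	*) msg_error "$pkgname: no seccomp AUDIT_ARCH mapping for ${XBPS_TARGET_MACHINE}\n" ;;
	esac
	# The upstream configure hard-codes the x86_64 arch check; rewrite it for the target.
	grep -q "AUDIT_ARCH_X86_64" config.h ||
		msg_error "$pkgname: AUDIT_ARCH_X86_64 not found in config.h\n"
	sed -i "s/AUDIT_ARCH_X86_64/AUDIT_ARCH_${suffix}/" config.h
}
```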