author | Nicolas Iooss | 2020-02-14 09:17:39 +0100 |
---|---|---|
committer | Nicolas Iooss | 2020-02-14 09:17:39 +0100 |
commit | 9196c6ae3db45729d04a38a0861c17d6aab4f5c4 (patch) | |
tree | e991e2252fea90f9d7d0f515046265958b11451c | |
parent | deb991875230922e5a94f62cce61a4b613c182a5 (diff) | |
download | aur-9196c6ae3db45729d04a38a0861c17d6aab4f5c4.tar.gz |
openssh-selinux 8.1p1-4 update
-rw-r--r-- | .SRCINFO | 8 | ||||
-rw-r--r-- | PKGBUILD | 27 | ||||
-rw-r--r-- | glibc-2.31.patch | 100 | ||||
-rw-r--r-- | sshd.socket | 10 | ||||
-rw-r--r-- | sshd@.service | 9 |
5 files changed, 128 insertions, 26 deletions
@@ -1,7 +1,7 @@ pkgbase = openssh-selinux pkgdesc = Premier connectivity tool for remote login with the SSH protocol, with SELinux support pkgver = 8.1p1 - pkgrel = 1 + pkgrel = 4 url = https://www.openssh.com/portable.html install = install arch = x86_64 @@ -15,8 +15,8 @@ pkgbase = openssh-selinux depends = libselinux optdepends = xorg-xauth: X11 forwarding optdepends = x11-ssh-askpass: input passphrase in X - provides = openssh=8.1p1-1 - provides = selinux-openssh=8.1p1-1 + provides = openssh=8.1p1-4 + provides = selinux-openssh=8.1p1-4 conflicts = openssh conflicts = selinux-openssh backup = etc/ssh/ssh_config @@ -28,6 +28,7 @@ pkgbase = openssh-selinux source = sshd.service source = sshd.conf source = sshd.pam + source = glibc-2.31.patch validpgpkeys = 59C2118ED206D927E667EBE3D3E5F56B6D920D30 sha256sums = 02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff sha256sums = SKIP @@ -35,6 +36,7 @@ pkgbase = openssh-selinux sha256sums = e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7 sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6 sha256sums = 64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846 + sha256sums = 25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93 pkgname = openssh-selinux @@ -10,7 +10,7 @@ pkgname=openssh-selinux pkgver=8.1p1 -pkgrel=1 +pkgrel=4 pkgdesc='Premier connectivity tool for remote login with the SSH protocol, with SELinux support' url='https://www.openssh.com/portable.html' license=('custom:BSD') 
@@ -28,18 +28,25 @@ source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux 'sshdgenkeys.service' 'sshd.service' 'sshd.conf' - 'sshd.pam') + 'sshd.pam' + 'glibc-2.31.patch') sha256sums=('02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff' 'SKIP' '4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7' 'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7' '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6' - '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846') + '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846' + '25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93') backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd') install=install +prepare() { + cd "${srcdir}/${pkgname/-selinux}-${pkgver}" + patch -p1 -i "${srcdir}/glibc-2.31.patch" +} + build() { cd "${srcdir}/${pkgname/-selinux}-${pkgver}" @@ -48,6 +55,7 @@ build() { --sbindir=/usr/bin \ --libexecdir=/usr/lib/ssh \ --sysconfdir=/etc/ssh \ + --disable-strip \ --with-ldns \ --with-libedit \ --with-ssl-engine \ @@ -71,7 +79,18 @@ check() { # it runs as nobody which has /bin/false as login shell. if [[ -e /usr/bin/scp && ! -e /.arch-chroot ]]; then - make tests + # Running tests in parallel is broken in 8.1p1-4, so force -j1: + # + # openssh-selinux/src/openssh-8.1p1/regress/ssh-rsa already exists. + # Overwrite (y/n)? ssh-keygen for ssh-rsa failed + # putty interop tests not enabled + # run test putty-ciphers.sh ... + # ssh connect with failed + # failed simple connect + # make[1]: *** [Makefile:211: t-exec] Error 1 + # make[1]: Leaving directory 'openssh-selinux/src/openssh-8.1p1/regress' + # make: *** [Makefile:610: t-exec] Error 2 + make tests -j1 fi } diff --git a/glibc-2.31.patch b/glibc-2.31.patch new file mode 100644 index 000000000000..187042870deb --- /dev/null +++ b/glibc-2.31.patch 
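Review bot: The new prepare() applies glibc-2.31.patch with no comment saying what it backports or when it can be dropped, so the next version bump has nothing to check against. The patch file's own headers name four upstream commits and bz #3093 / bz#3100; a line above the `patch` call such as `# Upstream seccomp sandbox fixes for glibc 2.31 (bz #3093, bz#3100); drop once pkgver contains them` would record that. Because the patch ships in the same repository as the PKGBUILD, the added sha256 entry detects a corrupted or mismatched file but not a deliberately changed one, so comparing the file against the upstream commits named in its headers is the meaningful review step.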
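Review bot: `--disable-strip` is added to the configure call in the `@@ -48,6 +55,7 @@` hunk without a comment, and the commit message does not explain it. If the intent is to stop the upstream install step from stripping binaries so that makepkg's own strip/debug handling applies (an inference, not shown here), record that, e.g. `# leave stripping to makepkg`. A comment cannot sit between the backslash-continued lines, so it belongs before `./configure`, which is outside this hunk, as are the start and end of build().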
@@ -0,0 +1,100 @@
+From beee0ef61866cb567b9abc23bd850f922e59e3f0 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:19:35 +1100
+Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
+
+seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
+glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70bb..96ab141f7 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,12 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ SC_ALLOW(__NR_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From 69298ebfc2c066acee5d187eac8ce9f38c796630 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:27:31 +1100
+Subject: [PATCH] Remove duplicate __NR_clock_nanosleep
+
+---
+ sandbox-seccomp-filter.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 96ab141f7..be2397671 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,9 +245,6 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+ #endif
+-#ifdef __NR_clock_nanosleep
+- SC_ALLOW(__NR_clock_nanosleep),
+-#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From 030b4c2b8029563bc8a9fd764288fde08fa2347c Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Mon, 16 Dec 2019 13:55:56 +1100
+Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
+
+Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index be2397671..3ef30c9d5 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep_time64
++ SC_ALLOW(__NR_clock_nanosleep_time64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From a991cc5ed5a7c455fefe909a30cf082011ef5dff Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 7 Jan 2020 16:26:45 -0800
+Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
+
+This helps sshd accept connections on mips platforms with
+upcoming glibc ( 2.31 )
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 3ef30c9d5..999c46c9f 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep_time64
+ SC_ALLOW(__NR_clock_nanosleep_time64),
+ #endif
++#ifdef __NR_clock_gettime64
++ SC_ALLOW(__NR_clock_gettime64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
diff --git a/sshd.socket b/sshd.socket
deleted file mode 100644
index e09e328690fd..000000000000
--- a/sshd.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Conflicts=sshd.service
-Wants=sshdgenkeys.service
-
-[Socket]
-ListenStream=22
-Accept=yes
-
-[Install]
-WantedBy=sockets.target
diff --git a/sshd@.service b/sshd@.service
deleted file mode 100644
index 0201a9d5ff28..000000000000
--- a/sshd@.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=OpenSSH Per-Connection Daemon
-After=sshdgenkeys.service
-
-[Service]
-ExecStart=-/usr/bin/sshd -i
-StandardInput=socket
-StandardError=syslog
-KillMode=process |
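Review bot: In glibc-2.31.patch, two of the three pre-auth seccomp entries left after the series are guarded by `#ifdef __NR_clock_nanosleep_time64` and `#ifdef __NR_clock_gettime64`, which as far as I know are defined only for 32-bit ABIs, while .SRCINFO declares `arch = x86_64`; on this package only `SC_ALLOW(__NR_clock_nanosleep)` should actually change the filter. That is harmless, but the file also carries the upstream commit that added the entry twice and the follow-up that removed the duplicate, so a reader has to replay four commits to see a three-entry net change to the sandbox allowlist. Each `SC_ALLOW` permits the syscall for the unauthenticated pre-auth process regardless of its arguments, so a short header comment in the patch file or the PKGBUILD listing the net syscalls added would make later audits of the allowlist easier. The `preauth_insns[]` array starts and ends outside these hunks, so the rest of the filter cannot be checked from here.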