authorNicolas Iooss2020-02-14 09:17:39 +0100
committerNicolas Iooss2020-02-14 09:17:39 +0100
commit9196c6ae3db45729d04a38a0861c17d6aab4f5c4 (patch)
treee991e2252fea90f9d7d0f515046265958b11451c
parentdeb991875230922e5a94f62cce61a4b613c182a5 (diff)
downloadaur-9196c6ae3db45729d04a38a0861c17d6aab4f5c4.tar.gz
openssh-selinux 8.1p1-4 update
-rw-r--r--.SRCINFO8
-rw-r--r--PKGBUILD27
-rw-r--r--glibc-2.31.patch100
-rw-r--r--sshd.socket10
-rw-r--r--sshd@.service9
5 files changed, 128 insertions, 26 deletions
diff --git a/.SRCINFO b/.SRCINFO
index dd44f4116df1..f689087e3c74 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = openssh-selinux
pkgdesc = Premier connectivity tool for remote login with the SSH protocol, with SELinux support
pkgver = 8.1p1
- pkgrel = 1
+ pkgrel = 4
url = https://www.openssh.com/portable.html
install = install
arch = x86_64
@@ -15,8 +15,8 @@ pkgbase = openssh-selinux
depends = libselinux
optdepends = xorg-xauth: X11 forwarding
optdepends = x11-ssh-askpass: input passphrase in X
- provides = openssh=8.1p1-1
- provides = selinux-openssh=8.1p1-1
+ provides = openssh=8.1p1-4
+ provides = selinux-openssh=8.1p1-4
conflicts = openssh
conflicts = selinux-openssh
backup = etc/ssh/ssh_config
@@ -28,6 +28,7 @@ pkgbase = openssh-selinux
source = sshd.service
source = sshd.conf
source = sshd.pam
+ source = glibc-2.31.patch
validpgpkeys = 59C2118ED206D927E667EBE3D3E5F56B6D920D30
sha256sums = 02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff
sha256sums = SKIP
@@ -35,6 +36,7 @@ pkgbase = openssh-selinux
sha256sums = e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7
sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6
sha256sums = 64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846
+ sha256sums = 25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93
pkgname = openssh-selinux
diff --git a/PKGBUILD b/PKGBUILD
index c1139df8d391..d4c7302ca2ae 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,7 +10,7 @@
pkgname=openssh-selinux
pkgver=8.1p1
-pkgrel=1
+pkgrel=4
pkgdesc='Premier connectivity tool for remote login with the SSH protocol, with SELinux support'
url='https://www.openssh.com/portable.html'
license=('custom:BSD')
@@ -28,18 +28,25 @@ source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux
'sshdgenkeys.service'
'sshd.service'
'sshd.conf'
- 'sshd.pam')
+ 'sshd.pam'
+ 'glibc-2.31.patch')
sha256sums=('02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff'
'SKIP'
'4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7'
'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7'
'4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
- '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846')
+ '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846'
+ '25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93')
backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
install=install
+prepare() {
+ cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
+ patch -p1 -i "${srcdir}/glibc-2.31.patch"
+}
+
build() {
cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
@@ -48,6 +55,7 @@ build() {
--sbindir=/usr/bin \
--libexecdir=/usr/lib/ssh \
--sysconfdir=/etc/ssh \
+ --disable-strip \
--with-ldns \
--with-libedit \
--with-ssl-engine \
@@ -71,7 +79,18 @@ check() {
# it runs as nobody which has /bin/false as login shell.
if [[ -e /usr/bin/scp && ! -e /.arch-chroot ]]; then
- make tests
+ # Running tests in parallel is broken in 8.1p1-4, so force -j1:
+ #
+ # openssh-selinux/src/openssh-8.1p1/regress/ssh-rsa already exists.
+ # Overwrite (y/n)? ssh-keygen for ssh-rsa failed
+ # putty interop tests not enabled
+ # run test putty-ciphers.sh ...
+ # ssh connect with failed
+ # failed simple connect
+ # make[1]: *** [Makefile:211: t-exec] Error 1
+ # make[1]: Leaving directory 'openssh-selinux/src/openssh-8.1p1/regress'
+ # make: *** [Makefile:610: t-exec] Error 2
+ make tests -j1
fi
}
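Review bot: `--disable-strip` is added to the configure call with no comment explaining it; that option stops OpenSSH's install step from running strip(1) itself, which presumably is meant to leave stripping to makepkg's own `strip` option (and keep symbols available for debug packages) — confirm and add `# let makepkg strip the binaries instead of install-sh` above the line. In the check() hunk the new comment attributes the breakage to the package release ("broken in 8.1p1-4") while the quoted log shows the regress suite racing on its generated `ssh-rsa` key when run in parallel; `# The regress suite races on its generated keys when run in parallel (ssh-rsa already exists), so force -j1:` states the actual cause. check() begins outside the hunk, so the surrounding `if` is only partly visible here.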
diff --git a/glibc-2.31.patch b/glibc-2.31.patch
new file mode 100644
index 000000000000..187042870deb
--- /dev/null
+++ b/glibc-2.31.patch
@@ -0,0 +1,100 @@
+From beee0ef61866cb567b9abc23bd850f922e59e3f0 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:19:35 +1100
+Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
+
+seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
+glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70bb..96ab141f7 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,12 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ SC_ALLOW(__NR_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From 69298ebfc2c066acee5d187eac8ce9f38c796630 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:27:31 +1100
+Subject: [PATCH] Remove duplicate __NR_clock_nanosleep
+
+---
+ sandbox-seccomp-filter.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 96ab141f7..be2397671 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,9 +245,6 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+ #endif
+-#ifdef __NR_clock_nanosleep
+- SC_ALLOW(__NR_clock_nanosleep),
+-#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From 030b4c2b8029563bc8a9fd764288fde08fa2347c Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Mon, 16 Dec 2019 13:55:56 +1100
+Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
+
+Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index be2397671..3ef30c9d5 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep_time64
++ SC_ALLOW(__NR_clock_nanosleep_time64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+From a991cc5ed5a7c455fefe909a30cf082011ef5dff Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 7 Jan 2020 16:26:45 -0800
+Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
+
+This helps sshd accept connections on mips platforms with
+upcoming glibc ( 2.31 )
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 3ef30c9d5..999c46c9f 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep_time64
+ SC_ALLOW(__NR_clock_nanosleep_time64),
+ #endif
++#ifdef __NR_clock_gettime64
++ SC_ALLOW(__NR_clock_gettime64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
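Review bot: The first two concatenated upstream commits partly cancel each other: beee0ef6 adds the `__NR_clock_nanosleep` entry twice and 69298ebf then deletes the duplicate, so the file carries a hunk whose only purpose is to undo part of the previous one. The net change — allowing `clock_nanosleep`, `clock_nanosleep_time64` and `clock_gettime64` in the pre-auth seccomp filter — could be a single squashed hunk, with the four upstream commit ids (beee0ef6, 69298ebf, 030b4c2b, a991cc5e) kept in the patch header for provenance. Since this widens the syscall allowlist of the privilege-separated pre-auth process, a header line stating exactly those three additions and that they are taken from upstream unchanged would let a reviewer verify the change against upstream quickly, which the individual commit descriptions only explain indirectly.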
diff --git a/sshd.socket b/sshd.socket
deleted file mode 100644
index e09e328690fd..000000000000
--- a/sshd.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Conflicts=sshd.service
-Wants=sshdgenkeys.service
-
-[Socket]
-ListenStream=22
-Accept=yes
-
-[Install]
-WantedBy=sockets.target
diff --git a/sshd@.service b/sshd@.service
deleted file mode 100644
index 0201a9d5ff28..000000000000
--- a/sshd@.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=OpenSSH Per-Connection Daemon
-After=sshdgenkeys.service
-
-[Service]
-ExecStart=-/usr/bin/sshd -i
-StandardInput=socket
-StandardError=syslog
-KillMode=process