author | Maciek Borzecki | 2019-11-25 11:23:57 +0100 |
---|---|---|
committer | Maciek Borzecki | 2019-11-25 11:23:57 +0100 |
commit | f9aad26abc063dcea5267acfd81e7720acac7e7c (patch) | |
tree | 1bb0f386af4a0d3d74bd58033bd0ec992a6a9f39 | |
parent | fad24c3ac9890f0ce028ab78f4aaa589082422ee (diff) | |
upgpkg: snapd 2.42.2-1
upstream release, drop patches present in the release tarball
Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | 0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch | 92 | ||||
-rw-r--r-- | 0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch | 188 | ||||
-rw-r--r-- | PKGBUILD | 10 |
4 files changed, 6 insertions, 294 deletions
@@ -1,6 +1,6 @@ pkgbase = snapd pkgdesc = Service and tools for management of snap packages. - pkgver = 2.42.1 + pkgver = 2.42.2 pkgrel = 1 url = https://github.com/snapcore/snapd install = snapd.install @@ -27,12 +27,8 @@ pkgbase = snapd conflicts = snap-confine options = !strip options = emptydirs - source = snapd-2.42.1.tar.xz::https://github.com/snapcore/snapd/releases/download/2.42.1/snapd_2.42.1.vendor.tar.xz - source = 0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch - source = 0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch - sha256sums = 5f9b6483cba19bcb5c8d2fbaae194db29b747b7bb0a32c16a3477efd228cea3c - sha256sums = 572c0a67c6c68ee7bf344d97a3612813fb09264ade9cba87f4a8770c89984104 - sha256sums = f3e8be1d15896e334335dac4bebd978d2e2465e65e6c02f706ef32857398541a + source = snapd-2.42.2.tar.xz::https://github.com/snapcore/snapd/releases/download/2.42.2/snapd_2.42.2.vendor.tar.xz + sha256sums = 7779c21b4a3bbeaacec1da57140ad358447b099818cb6840bdff8e73a59d3286 pkgname = snapd diff --git a/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch b/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch deleted file mode 100644 index d1b0eaa8ca5f..000000000000 --- a/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From 6ff74ebc0e2859547a5c72e4cd5dc63cd8577142 Mon Sep 17 00:00:00 2001 -Message-Id: <6ff74ebc0e2859547a5c72e4cd5dc63cd8577142.1572947174.git.maciej.zenon.borzecki@canonical.com> -From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> -Date: Mon, 4 Nov 2019 14:19:41 +0100 -Subject: [PATCH] sandbox/seccomp: accept build ID generated by Go toolchain - -From user reports, it is possible that snap-seccomp binaries found in the wild, -will contain build ID generated by Go toolchain. The build ID in this case is a -hash of go package, import path, binary, then truncated to 83 bytes and written -to .note.go.buildid ELF section. - -See https://aur.archlinux.org/packages/snapd/#comment-714427 and -https://forum.snapcraft.io/t/future-release-to-include-alpine-linux-as-snapd-host/13144/7 -for examples. - -Update the code to allow the upper limit of 166 characters, which is the -hexstring representation of Go build ID. Since build ID is effectively user -controlled during the build time, this also bumps the upper sanity limit on the -length of this field. - -Fixes: https://bugs.launchpad.net/snapd/+bug/1850914 - -Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> ---- - sandbox/seccomp/compiler.go | 21 +++++++++++++-------- - sandbox/seccomp/compiler_test.go | 10 ++++++++-- - 2 files changed, 21 insertions(+), 10 deletions(-) - -diff --git a/sandbox/seccomp/compiler.go b/sandbox/seccomp/compiler.go -index d46cebbc45637afbb312af2e9f4c32bf4ffc93ba..2eaf64d59cbe98a08fadb3ee3785dc833efbac9c 100644 ---- a/sandbox/seccomp/compiler.go -+++ b/sandbox/seccomp/compiler.go -@@ -31,14 +31,19 @@ import ( - ) - - var ( -- // version-info format: <build-id> <libseccomp-version> <hash> <features> -- // Where, the hash is calculated over all syscall names supported by the -- // libseccomp library. The build-id is a 160-bit SHA-1 (40 char) string -- // and the hash is a 256-bit SHA-256 (64 char) string. 
Allow libseccomp -- // version to be 1-5 chars per field (eg, 1.2.3 or 12345.23456.34567) -- // and 1-30 chars of colon-separated features. -- // Ex: 7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog -- validVersionInfo = regexp.MustCompile(`^[0-9a-f]{1,40} [0-9]{1,5}\.[0-9]{1,5}\.[0-9]{1,5} [0-9a-f]{1,64} [-a-z0-9:]{1,30}$`) -+ // version-info format: <build-id> <libseccomp-version> <hash> -+ // <features> Where, the hash is calculated over all syscall names -+ // supported by the libseccomp library. The build-id is a string of up -+ // to 166 chars, accommodates 128-bit MD5 (32 chars), 160-bit SHA-1 (40 -+ // chars) generated by GNU ld, and 83-byte (166 chars) build ID -+ // generated by Go toolchain, also provides an upper limit of the -+ // user-settable build ID. The hash is a 256-bit SHA-256 (64 char) -+ // string. Allow libseccomp version to be 1-5 chars per field (eg, 1.2.3 -+ // or 12345.23456.34567) and 1-30 chars of colon-separated features. 
Ex: -+ // 7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 -+ // 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -+ // bpf-actlog -+ validVersionInfo = regexp.MustCompile(`^[0-9a-f]{1,166} [0-9]{1,5}\.[0-9]{1,5}\.[0-9]{1,5} [0-9a-f]{1,64} [-a-z0-9:]{1,30}$`) - ) - - type Compiler struct { -diff --git a/sandbox/seccomp/compiler_test.go b/sandbox/seccomp/compiler_test.go -index e8c5e7a318227d6686985d0067348e8a5d5c6022..2eaf2bfce439e12f1f68fdb2287c97407032324f 100644 ---- a/sandbox/seccomp/compiler_test.go -+++ b/sandbox/seccomp/compiler_test.go -@@ -49,16 +49,22 @@ func (s *compilerSuite) TestVersionInfoValidate(c *C) { - exp string - err string - }{ -- // valid -+ // all valid -+ // 20-byte sha1 build ID added by GNU ld - {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog", ""}, - {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c foo:bar", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c foo:bar", ""}, - {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""}, -+ // 16-byte md5/uuid build ID added by GNU ld -+ {"3817b197e7abe71a952c1245e8bdf8d9 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "3817b197e7abe71a952c1245e8bdf8d9 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""}, -+ // 83-byte Go build ID -+ {"4e444571495f482d30796b5f57307065544e47692f594c61795f384b7a5258362d6a6f4272736e38302f773374475869496e433176527749797a457a4b532f3967324d4f76556f3130323644572d56326e6248 2.3.3 
03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "4e444571495f482d30796b5f57307065544e47692f594c61795f384b7a5258362d6a6f4272736e38302f773374475869496e433176527749797a457a4b532f3967324d4f76556f3130323644572d56326e6248 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""}, -+ // sanity - {"abcdef 0.0.0 abcd bpf-actlog", "abcdef 0.0.0 abcd bpf-actlog", ""}, - {"abcdef 0.0.0 abcd -", "abcdef 0.0.0 abcd -", ""}, - - // invalid all the way down from here - // this is over/under the sane length limit for the fields -- {"00000000000000000000000000000000000000001 2.4.1 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, -+ {"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 2.4.1 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, - {"0000000000000000000000000000000000000000 123456.0.0 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, - {"0000000000000000000000000000000000000000 0.123456.0 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, - {"0000000000000000000000000000000000000000 0.0.123456 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, --- -2.24.0 - diff --git a/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch b/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch deleted file mode 100644 index 89d81d5e2983..000000000000 --- a/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch +++ /dev/null 
@@ -1,188 +0,0 @@ -From aaf8138506d2ca6bd16d54d35206d4ca9c4b2842 Mon Sep 17 00:00:00 2001 -Message-Id: <aaf8138506d2ca6bd16d54d35206d4ca9c4b2842.1572966778.git.maciej.zenon.borzecki@canonical.com> -From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> -Date: Thu, 31 Oct 2019 18:17:15 +0100 -Subject: [PATCH] cmd/snap-seccomp/syscalls: update the list of known syscalls - -Update the list of syscalls known to libseccomp using the latest revision from -master: - - commit bf747eb21e428c2b3ead6ebcca27951b681963a0 - Author: Paul Moore <paul@paul-moore.com> - Date: Sun Sep 29 22:02:42 2019 -0400 - - arch: update the internal syscall tables to Linux v5.4-rc4 - -Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> ---- - cmd/snap-seccomp/syscalls/syscalls.go | 30 ++++++++++++++++++++++++++- - 1 file changed, 29 insertions(+), 1 deletion(-) - -diff --git a/cmd/snap-seccomp/syscalls/syscalls.go b/cmd/snap-seccomp/syscalls/syscalls.go -index 0224ce5744787beab55a2c901f59203a8861534b..5e98a4a6f1a7192dc3eaa6c327f3b7e4ba81f953 100644 ---- a/cmd/snap-seccomp/syscalls/syscalls.go -+++ b/cmd/snap-seccomp/syscalls/syscalls.go -@@ -20,7 +20,7 @@ - package syscalls - - // Generated using arch-syscall-dump test tool from libseccomp tree, git --// revision 584ca7a5e69d87a4c2c4e4c07ce8415fa59e1351. -+// revision bf747eb21e428c2b3ead6ebcca27951b681963a0. 
- var SeccompSyscalls = []string{ - "_llseek", - "_newselect", -@@ -52,11 +52,16 @@ var SeccompSyscalls = []string{ - "chown32", - "chroot", - "clock_adjtime", -+ "clock_adjtime64", - "clock_getres", - "clock_gettime", -+ "clock_gettime64", - "clock_nanosleep", -+ "clock_nanosleep_time64", - "clock_settime", -+ "clock_settime64", - "clone", -+ "clone3", - "close", - "connect", - "copy_file_range", -@@ -100,7 +105,11 @@ var SeccompSyscalls = []string{ - "flock", - "fork", - "fremovexattr", -+ "fsconfig", - "fsetxattr", -+ "fsmount", -+ "fsopen", -+ "fspick", - "fstat", - "fstat64", - "fstatat64", -@@ -111,6 +120,7 @@ var SeccompSyscalls = []string{ - "ftruncate", - "ftruncate64", - "futex", -+ "futex_time64", - "futimesat", - "get_kernel_syms", - "get_mempolicy", -@@ -163,6 +173,7 @@ var SeccompSyscalls = []string{ - "io_destroy", - "io_getevents", - "io_pgetevents", -+ "io_pgetevents_time64", - "io_setup", - "io_submit", - "io_uring_enter", -@@ -211,6 +222,7 @@ var SeccompSyscalls = []string{ - "mmap2", - "modify_ldt", - "mount", -+ "move_mount", - "move_pages", - "mprotect", - "mpx", -@@ -218,7 +230,9 @@ var SeccompSyscalls = []string{ - "mq_notify", - "mq_open", - "mq_timedreceive", -+ "mq_timedreceive_time64", - "mq_timedsend", -+ "mq_timedsend_time64", - "mq_unlink", - "mremap", - "msgctl", -@@ -243,6 +257,7 @@ var SeccompSyscalls = []string{ - "oldwait4", - "open", - "open_by_handle_at", -+ "open_tree", - "openat", - "pause", - "pciconfig_iobase", -@@ -250,6 +265,8 @@ var SeccompSyscalls = []string{ - "pciconfig_write", - "perf_event_open", - "personality", -+ "pidfd_open", -+ "pidfd_send_signal", - "pipe", - "pipe2", - "pivot_root", -@@ -258,6 +275,7 @@ var SeccompSyscalls = []string{ - "pkey_mprotect", - "poll", - "ppoll", -+ "ppoll_time64", - "prctl", - "pread64", - "preadv", -@@ -268,6 +286,7 @@ var SeccompSyscalls = []string{ - "prof", - "profil", - "pselect6", -+ "pselect6_time64", - "ptrace", - "putpmsg", - "pwrite64", -@@ -285,6 +304,7 @@ var 
SeccompSyscalls = []string{ - "recv", - "recvfrom", - "recvmmsg", -+ "recvmmsg_time64", - "recvmsg", - "remap_file_pages", - "removexattr", -@@ -302,6 +322,7 @@ var SeccompSyscalls = []string{ - "rt_sigreturn", - "rt_sigsuspend", - "rt_sigtimedwait", -+ "rt_sigtimedwait_time64", - "rt_tgsigqueueinfo", - "rtas", - "s390_guarded_storage", -@@ -316,6 +337,7 @@ var SeccompSyscalls = []string{ - "sched_getparam", - "sched_getscheduler", - "sched_rr_get_interval", -+ "sched_rr_get_interval_time64", - "sched_setaffinity", - "sched_setattr", - "sched_setparam", -@@ -328,6 +350,7 @@ var SeccompSyscalls = []string{ - "semget", - "semop", - "semtimedop", -+ "semtimedop_time64", - "send", - "sendfile", - "sendfile64", -@@ -421,11 +444,15 @@ var SeccompSyscalls = []string{ - "timer_delete", - "timer_getoverrun", - "timer_gettime", -+ "timer_gettime64", - "timer_settime", -+ "timer_settime64", - "timerfd", - "timerfd_create", - "timerfd_gettime", -+ "timerfd_gettime64", - "timerfd_settime", -+ "timerfd_settime64", - "times", - "tkill", - "truncate", -@@ -447,6 +474,7 @@ var SeccompSyscalls = []string{ - "ustat", - "utime", - "utimensat", -+ "utimensat_time64", - "utimes", - "vfork", - "vhangup", --- -2.24.0 - @@ -8,7 +8,7 @@ pkgdesc="Service and tools for management of snap packages." depends=('squashfs-tools' 'libseccomp' 'libsystemd' 'apparmor') optdepends=('bash-completion: bash completion support' 'xdg-desktop-portal: desktop integration') -pkgver=2.42.1 +pkgver=2.42.2 pkgrel=1 arch=('x86_64' 'i686' 'armv7h' 'aarch64') url="https://github.com/snapcore/snapd" 
@@ -17,12 +17,8 @@ makedepends=('git' 'go' 'go-tools' 'libseccomp' 'libcap' 'systemd' 'xfsprogs' 'p conflicts=('snap-confine') options=('!strip' 'emptydirs') install=snapd.install -source=("$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz" - "0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch" - "0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch") -sha256sums=('5f9b6483cba19bcb5c8d2fbaae194db29b747b7bb0a32c16a3477efd228cea3c' - '572c0a67c6c68ee7bf344d97a3612813fb09264ade9cba87f4a8770c89984104' - 'f3e8be1d15896e334335dac4bebd978d2e2465e65e6c02f706ef32857398541a') +source=("$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz") +sha256sums=('7779c21b4a3bbeaacec1da57140ad358447b099818cb6840bdff8e73a59d3286') _gourl=github.com/snapcore/snapd |
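Review bot: The new `source=` array in PKGBUILD pins the 2.42.2 vendor tarball with a single `sha256sums` entry and nothing else, so the integrity of the bundled Go dependencies rests on whatever the packager downloaded when the checksum was generated. If upstream publishes a detached signature for the release (not visible from this page), listing it as a second source with a matching `validpgpkeys=(...)` entry would let makepkg verify origin as well as content. Separately, the diffstat accounts for all 10 changed PKGBUILD lines within these two hunks, so `prepare()`, which lies outside the hunk, was not touched; it is worth confirming that it does not still reference the two removed `.patch` files by name. A short comment above `source=`, for example `# 0001/0002 seccomp patches dropped: included upstream in 2.42.2`, would record why the local patches disappeared.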