diff options
author | Maciek Borzecki | 2019-11-05 16:31:04 +0100 |
---|---|---|
committer | Maciek Borzecki | 2019-11-05 16:31:04 +0100 |
commit | fad24c3ac9890f0ce028ab78f4aaa589082422ee (patch) | |
tree | 29d682debc6acf87853da55494991c77565b272f | |
parent | 8a0e6187985d6f646b8ba6545e563e84bf57c28c (diff) | |
download | aur-fad24c3ac9890f0ce028ab78f4aaa589082422ee.tar.gz |
upgpkg: snapd 2.42.1-1
New upstream release.
Cherry-pick patches:
- 6ff74ebc0e2859547a5c72e4cd5dc63cd8577142 sandbox/seccomp: accept build ID generated by Go toolchain
- aaf8138506d2ca6bd16d54d35206d4ca9c4b2842 cmd/snap-seccomp/syscalls: update the list of known syscalls
Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
-rw-r--r-- | .SRCINFO | 13 | ||||
-rw-r--r-- | 0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch | 92 | ||||
-rw-r--r-- | 0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch | 188 | ||||
-rw-r--r-- | PKGBUILD | 24 |
4 files changed, 308 insertions, 9 deletions
@@ -1,7 +1,7 @@ pkgbase = snapd pkgdesc = Service and tools for management of snap packages. - pkgver = 2.42 - pkgrel = 2 + pkgver = 2.42.1 + pkgrel = 1 url = https://github.com/snapcore/snapd install = snapd.install arch = x86_64 @@ -23,11 +23,16 @@ pkgbase = snapd depends = libsystemd depends = apparmor optdepends = bash-completion: bash completion support + optdepends = xdg-desktop-portal: desktop integration conflicts = snap-confine options = !strip options = emptydirs - source = snapd-2.42.tar.xz::https://github.com/snapcore/snapd/releases/download/2.42/snapd_2.42.vendor.tar.xz - sha256sums = 44a7cf510495d3d057606d2f9cf7c851b4cc48fc60abbe83040dff6a85d9fe6d + source = snapd-2.42.1.tar.xz::https://github.com/snapcore/snapd/releases/download/2.42.1/snapd_2.42.1.vendor.tar.xz + source = 0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch + source = 0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch + sha256sums = 5f9b6483cba19bcb5c8d2fbaae194db29b747b7bb0a32c16a3477efd228cea3c + sha256sums = 572c0a67c6c68ee7bf344d97a3612813fb09264ade9cba87f4a8770c89984104 + sha256sums = f3e8be1d15896e334335dac4bebd978d2e2465e65e6c02f706ef32857398541a pkgname = snapd diff --git a/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch b/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch new file mode 100644 index 000000000000..d1b0eaa8ca5f --- /dev/null +++ b/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch @@ -0,0 +1,92 @@ +From 6ff74ebc0e2859547a5c72e4cd5dc63cd8577142 Mon Sep 17 00:00:00 2001 +Message-Id: <6ff74ebc0e2859547a5c72e4cd5dc63cd8577142.1572947174.git.maciej.zenon.borzecki@canonical.com> +From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> +Date: Mon, 4 Nov 2019 14:19:41 +0100 +Subject: [PATCH] sandbox/seccomp: accept build ID generated by Go toolchain + +From user reports, it is possible that snap-seccomp binaries found in the wild, +will contain build ID generated by Go toolchain. The build ID in this case is a +hash of go package, import path, binary, then truncated to 83 bytes and written +to .note.go.buildid ELF section. + +See https://aur.archlinux.org/packages/snapd/#comment-714427 and +https://forum.snapcraft.io/t/future-release-to-include-alpine-linux-as-snapd-host/13144/7 +for examples. + +Update the code to allow the upper limit of 166 characters, which is the +hexstring representation of Go build ID. Since build ID is effectively user +controlled during the build time, this also bumps the upper sanity limit on the +length of this field. + +Fixes: https://bugs.launchpad.net/snapd/+bug/1850914 + +Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> +--- + sandbox/seccomp/compiler.go | 21 +++++++++++++-------- + sandbox/seccomp/compiler_test.go | 10 ++++++++-- + 2 files changed, 21 insertions(+), 10 deletions(-) + +diff --git a/sandbox/seccomp/compiler.go b/sandbox/seccomp/compiler.go +index d46cebbc45637afbb312af2e9f4c32bf4ffc93ba..2eaf64d59cbe98a08fadb3ee3785dc833efbac9c 100644 +--- a/sandbox/seccomp/compiler.go ++++ b/sandbox/seccomp/compiler.go +@@ -31,14 +31,19 @@ import ( + ) + + var ( +- // version-info format: <build-id> <libseccomp-version> <hash> <features> +- // Where, the hash is calculated over all syscall names supported by the +- // libseccomp library. The build-id is a 160-bit SHA-1 (40 char) string +- // and the hash is a 256-bit SHA-256 (64 char) string. Allow libseccomp +- // version to be 1-5 chars per field (eg, 1.2.3 or 12345.23456.34567) +- // and 1-30 chars of colon-separated features. +- // Ex: 7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog +- validVersionInfo = regexp.MustCompile(`^[0-9a-f]{1,40} [0-9]{1,5}\.[0-9]{1,5}\.[0-9]{1,5} [0-9a-f]{1,64} [-a-z0-9:]{1,30}$`) ++ // version-info format: <build-id> <libseccomp-version> <hash> ++ // <features> Where, the hash is calculated over all syscall names ++ // supported by the libseccomp library. The build-id is a string of up ++ // to 166 chars, accommodates 128-bit MD5 (32 chars), 160-bit SHA-1 (40 ++ // chars) generated by GNU ld, and 83-byte (166 chars) build ID ++ // generated by Go toolchain, also provides an upper limit of the ++ // user-settable build ID. The hash is a 256-bit SHA-256 (64 char) ++ // string. Allow libseccomp version to be 1-5 chars per field (eg, 1.2.3 ++ // or 12345.23456.34567) and 1-30 chars of colon-separated features. Ex: ++ // 7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 ++ // 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c ++ // bpf-actlog ++ validVersionInfo = regexp.MustCompile(`^[0-9a-f]{1,166} [0-9]{1,5}\.[0-9]{1,5}\.[0-9]{1,5} [0-9a-f]{1,64} [-a-z0-9:]{1,30}$`) + ) + + type Compiler struct { +diff --git a/sandbox/seccomp/compiler_test.go b/sandbox/seccomp/compiler_test.go +index e8c5e7a318227d6686985d0067348e8a5d5c6022..2eaf2bfce439e12f1f68fdb2287c97407032324f 100644 +--- a/sandbox/seccomp/compiler_test.go ++++ b/sandbox/seccomp/compiler_test.go +@@ -49,16 +49,22 @@ func (s *compilerSuite) TestVersionInfoValidate(c *C) { + exp string + err string + }{ +- // valid ++ // all valid ++ // 20-byte sha1 build ID added by GNU ld + {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog", ""}, + {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c foo:bar", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c foo:bar", ""}, + {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""}, ++ // 16-byte md5/uuid build ID added by GNU ld ++ {"3817b197e7abe71a952c1245e8bdf8d9 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "3817b197e7abe71a952c1245e8bdf8d9 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""}, ++ // 83-byte Go build ID ++ {"4e444571495f482d30796b5f57307065544e47692f594c61795f384b7a5258362d6a6f4272736e38302f773374475869496e433176527749797a457a4b532f3967324d4f76556f3130323644572d56326e6248 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "4e444571495f482d30796b5f57307065544e47692f594c61795f384b7a5258362d6a6f4272736e38302f773374475869496e433176527749797a457a4b532f3967324d4f76556f3130323644572d56326e6248 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""}, ++ // sanity + {"abcdef 0.0.0 abcd bpf-actlog", "abcdef 0.0.0 abcd bpf-actlog", ""}, + {"abcdef 0.0.0 abcd -", "abcdef 0.0.0 abcd -", ""}, + + // invalid all the way down from here + // this is over/under the sane length limit for the fields +- {"00000000000000000000000000000000000000001 2.4.1 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, ++ {"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 2.4.1 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, + {"0000000000000000000000000000000000000000 123456.0.0 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, + {"0000000000000000000000000000000000000000 0.123456.0 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, + {"0000000000000000000000000000000000000000 0.0.123456 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"}, +-- +2.24.0 + diff --git a/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch b/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch new file mode 100644 index 000000000000..89d81d5e2983 --- /dev/null +++ b/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch @@ -0,0 +1,188 @@ +From aaf8138506d2ca6bd16d54d35206d4ca9c4b2842 Mon Sep 17 00:00:00 2001 +Message-Id: <aaf8138506d2ca6bd16d54d35206d4ca9c4b2842.1572966778.git.maciej.zenon.borzecki@canonical.com> +From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> +Date: Thu, 31 Oct 2019 18:17:15 +0100 +Subject: [PATCH] cmd/snap-seccomp/syscalls: update the list of known syscalls + +Update the list of syscalls known to libseccomp using the latest revision from +master: + + commit bf747eb21e428c2b3ead6ebcca27951b681963a0 + Author: Paul Moore <paul@paul-moore.com> + Date: Sun Sep 29 22:02:42 2019 -0400 + + arch: update the internal syscall tables to Linux v5.4-rc4 + +Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com> +--- + cmd/snap-seccomp/syscalls/syscalls.go | 30 ++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/cmd/snap-seccomp/syscalls/syscalls.go b/cmd/snap-seccomp/syscalls/syscalls.go +index 0224ce5744787beab55a2c901f59203a8861534b..5e98a4a6f1a7192dc3eaa6c327f3b7e4ba81f953 100644 +--- a/cmd/snap-seccomp/syscalls/syscalls.go ++++ b/cmd/snap-seccomp/syscalls/syscalls.go +@@ -20,7 +20,7 @@ + package syscalls + + // Generated using arch-syscall-dump test tool from libseccomp tree, git +-// revision 584ca7a5e69d87a4c2c4e4c07ce8415fa59e1351. ++// revision bf747eb21e428c2b3ead6ebcca27951b681963a0. + var SeccompSyscalls = []string{ + "_llseek", + "_newselect", +@@ -52,11 +52,16 @@ var SeccompSyscalls = []string{ + "chown32", + "chroot", + "clock_adjtime", ++ "clock_adjtime64", + "clock_getres", + "clock_gettime", ++ "clock_gettime64", + "clock_nanosleep", ++ "clock_nanosleep_time64", + "clock_settime", ++ "clock_settime64", + "clone", ++ "clone3", + "close", + "connect", + "copy_file_range", +@@ -100,7 +105,11 @@ var SeccompSyscalls = []string{ + "flock", + "fork", + "fremovexattr", ++ "fsconfig", + "fsetxattr", ++ "fsmount", ++ "fsopen", ++ "fspick", + "fstat", + "fstat64", + "fstatat64", +@@ -111,6 +120,7 @@ var SeccompSyscalls = []string{ + "ftruncate", + "ftruncate64", + "futex", ++ "futex_time64", + "futimesat", + "get_kernel_syms", + "get_mempolicy", +@@ -163,6 +173,7 @@ var SeccompSyscalls = []string{ + "io_destroy", + "io_getevents", + "io_pgetevents", ++ "io_pgetevents_time64", + "io_setup", + "io_submit", + "io_uring_enter", +@@ -211,6 +222,7 @@ var SeccompSyscalls = []string{ + "mmap2", + "modify_ldt", + "mount", ++ "move_mount", + "move_pages", + "mprotect", + "mpx", +@@ -218,7 +230,9 @@ var SeccompSyscalls = []string{ + "mq_notify", + "mq_open", + "mq_timedreceive", ++ "mq_timedreceive_time64", + "mq_timedsend", ++ "mq_timedsend_time64", + "mq_unlink", + "mremap", + "msgctl", +@@ -243,6 +257,7 @@ var SeccompSyscalls = []string{ + "oldwait4", + "open", + "open_by_handle_at", ++ "open_tree", + "openat", + "pause", + "pciconfig_iobase", +@@ -250,6 +265,8 @@ var SeccompSyscalls = []string{ + "pciconfig_write", + "perf_event_open", + "personality", ++ "pidfd_open", ++ "pidfd_send_signal", + "pipe", + "pipe2", + "pivot_root", +@@ -258,6 +275,7 @@ var SeccompSyscalls = []string{ + "pkey_mprotect", + "poll", + "ppoll", ++ "ppoll_time64", + "prctl", + "pread64", + "preadv", +@@ -268,6 +286,7 @@ var SeccompSyscalls = []string{ + "prof", + "profil", + "pselect6", ++ "pselect6_time64", + "ptrace", + "putpmsg", + "pwrite64", +@@ -285,6 +304,7 @@ var SeccompSyscalls = []string{ + "recv", + "recvfrom", + "recvmmsg", ++ "recvmmsg_time64", + "recvmsg", + "remap_file_pages", + "removexattr", +@@ -302,6 +322,7 @@ var SeccompSyscalls = []string{ + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", ++ "rt_sigtimedwait_time64", + "rt_tgsigqueueinfo", + "rtas", + "s390_guarded_storage", +@@ -316,6 +337,7 @@ var SeccompSyscalls = []string{ + "sched_getparam", + "sched_getscheduler", + "sched_rr_get_interval", ++ "sched_rr_get_interval_time64", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", +@@ -328,6 +350,7 @@ var SeccompSyscalls = []string{ + "semget", + "semop", + "semtimedop", ++ "semtimedop_time64", + "send", + "sendfile", + "sendfile64", +@@ -421,11 +444,15 @@ var SeccompSyscalls = []string{ + "timer_delete", + "timer_getoverrun", + "timer_gettime", ++ "timer_gettime64", + "timer_settime", ++ "timer_settime64", + "timerfd", + "timerfd_create", + "timerfd_gettime", ++ "timerfd_gettime64", + "timerfd_settime", ++ "timerfd_settime64", + "times", + "tkill", + "truncate", +@@ -447,6 +474,7 @@ var SeccompSyscalls = []string{ + "ustat", + "utime", + "utimensat", ++ "utimensat_time64", + "utimes", + "vfork", + "vhangup", +-- +2.24.0 + @@ -6,9 +6,10 @@ pkgname=snapd pkgdesc="Service and tools for management of snap packages." depends=('squashfs-tools' 'libseccomp' 'libsystemd' 'apparmor') -optdepends=('bash-completion: bash completion support') -pkgver=2.42 -pkgrel=2 +optdepends=('bash-completion: bash completion support' + 'xdg-desktop-portal: desktop integration') +pkgver=2.42.1 +pkgrel=1 arch=('x86_64' 'i686' 'armv7h' 'aarch64') url="https://github.com/snapcore/snapd" license=('GPL3') @@ -16,8 +17,12 @@ makedepends=('git' 'go' 'go-tools' 'libseccomp' 'libcap' 'systemd' 'xfsprogs' 'p conflicts=('snap-confine') options=('!strip' 'emptydirs') install=snapd.install -source=("$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz") -sha256sums=('44a7cf510495d3d057606d2f9cf7c851b4cc48fc60abbe83040dff6a85d9fe6d') +source=("$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz" + "0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch" + "0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch") +sha256sums=('5f9b6483cba19bcb5c8d2fbaae194db29b747b7bb0a32c16a3477efd228cea3c' + '572c0a67c6c68ee7bf344d97a3612813fb09264ade9cba87f4a8770c89984104' + 'f3e8be1d15896e334335dac4bebd978d2e2465e65e6c02f706ef32857398541a') _gourl=github.com/snapcore/snapd @@ -32,6 +37,15 @@ prepare() { # above describes. mkdir -p "$(dirname "$GOPATH/src/${_gourl}")" ln --no-target-directory -fs "$srcdir/$pkgname-$pkgver" "$GOPATH/src/${_gourl}" + + for name in "${source[@]}"; do + if [[ "${name%.patch}" == "$name" ]]; then + # not a patch + continue + fi + msg2 "applying $name" + patch -p1 -i "$srcdir/$name" + done } build() { |