authorMaciek Borzecki2019-11-05 16:31:04 +0100
committerMaciek Borzecki2019-11-05 16:31:04 +0100
commitfad24c3ac9890f0ce028ab78f4aaa589082422ee (patch)
tree29d682debc6acf87853da55494991c77565b272f
parent8a0e6187985d6f646b8ba6545e563e84bf57c28c (diff)
downloadaur-fad24c3ac9890f0ce028ab78f4aaa589082422ee.tar.gz
upgpkg: snapd 2.42.1-1
New upstream release. Cherry-pick patches: - 6ff74ebc0e2859547a5c72e4cd5dc63cd8577142 sandbox/seccomp: accept build ID generated by Go toolchain - aaf8138506d2ca6bd16d54d35206d4ca9c4b2842 cmd/snap-seccomp/syscalls: update the list of known syscalls Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
-rw-r--r--.SRCINFO13
-rw-r--r--0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch92
-rw-r--r--0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch188
-rw-r--r--PKGBUILD24
4 files changed, 308 insertions, 9 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 053206c4d318..fa414a2a8913 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = snapd
pkgdesc = Service and tools for management of snap packages.
- pkgver = 2.42
- pkgrel = 2
+ pkgver = 2.42.1
+ pkgrel = 1
url = https://github.com/snapcore/snapd
install = snapd.install
arch = x86_64
@@ -23,11 +23,16 @@ pkgbase = snapd
depends = libsystemd
depends = apparmor
optdepends = bash-completion: bash completion support
+ optdepends = xdg-desktop-portal: desktop integration
conflicts = snap-confine
options = !strip
options = emptydirs
- source = snapd-2.42.tar.xz::https://github.com/snapcore/snapd/releases/download/2.42/snapd_2.42.vendor.tar.xz
- sha256sums = 44a7cf510495d3d057606d2f9cf7c851b4cc48fc60abbe83040dff6a85d9fe6d
+ source = snapd-2.42.1.tar.xz::https://github.com/snapcore/snapd/releases/download/2.42.1/snapd_2.42.1.vendor.tar.xz
+ source = 0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch
+ source = 0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch
+ sha256sums = 5f9b6483cba19bcb5c8d2fbaae194db29b747b7bb0a32c16a3477efd228cea3c
+ sha256sums = 572c0a67c6c68ee7bf344d97a3612813fb09264ade9cba87f4a8770c89984104
+ sha256sums = f3e8be1d15896e334335dac4bebd978d2e2465e65e6c02f706ef32857398541a
pkgname = snapd
diff --git a/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch b/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch
new file mode 100644
index 000000000000..d1b0eaa8ca5f
--- /dev/null
+++ b/0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch
@@ -0,0 +1,92 @@
+From 6ff74ebc0e2859547a5c72e4cd5dc63cd8577142 Mon Sep 17 00:00:00 2001
+Message-Id: <6ff74ebc0e2859547a5c72e4cd5dc63cd8577142.1572947174.git.maciej.zenon.borzecki@canonical.com>
+From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
+Date: Mon, 4 Nov 2019 14:19:41 +0100
+Subject: [PATCH] sandbox/seccomp: accept build ID generated by Go toolchain
+
+From user reports, it is possible that snap-seccomp binaries found in the wild,
+will contain build ID generated by Go toolchain. The build ID in this case is a
+hash of go package, import path, binary, then truncated to 83 bytes and written
+to .note.go.buildid ELF section.
+
+See https://aur.archlinux.org/packages/snapd/#comment-714427 and
+https://forum.snapcraft.io/t/future-release-to-include-alpine-linux-as-snapd-host/13144/7
+for examples.
+
+Update the code to allow the upper limit of 166 characters, which is the
+hexstring representation of Go build ID. Since build ID is effectively user
+controlled during the build time, this also bumps the upper sanity limit on the
+length of this field.
+
+Fixes: https://bugs.launchpad.net/snapd/+bug/1850914
+
+Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
+---
+ sandbox/seccomp/compiler.go | 21 +++++++++++++--------
+ sandbox/seccomp/compiler_test.go | 10 ++++++++--
+ 2 files changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/sandbox/seccomp/compiler.go b/sandbox/seccomp/compiler.go
+index d46cebbc45637afbb312af2e9f4c32bf4ffc93ba..2eaf64d59cbe98a08fadb3ee3785dc833efbac9c 100644
+--- a/sandbox/seccomp/compiler.go
++++ b/sandbox/seccomp/compiler.go
+@@ -31,14 +31,19 @@ import (
+ )
+
+ var (
+- // version-info format: <build-id> <libseccomp-version> <hash> <features>
+- // Where, the hash is calculated over all syscall names supported by the
+- // libseccomp library. The build-id is a 160-bit SHA-1 (40 char) string
+- // and the hash is a 256-bit SHA-256 (64 char) string. Allow libseccomp
+- // version to be 1-5 chars per field (eg, 1.2.3 or 12345.23456.34567)
+- // and 1-30 chars of colon-separated features.
+- // Ex: 7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog
+- validVersionInfo = regexp.MustCompile(`^[0-9a-f]{1,40} [0-9]{1,5}\.[0-9]{1,5}\.[0-9]{1,5} [0-9a-f]{1,64} [-a-z0-9:]{1,30}$`)
++ // version-info format: <build-id> <libseccomp-version> <hash>
++ // <features> Where, the hash is calculated over all syscall names
++ // supported by the libseccomp library. The build-id is a string of up
++ // to 166 chars, accommodates 128-bit MD5 (32 chars), 160-bit SHA-1 (40
++ // chars) generated by GNU ld, and 83-byte (166 chars) build ID
++ // generated by Go toolchain, also provides an upper limit of the
++ // user-settable build ID. The hash is a 256-bit SHA-256 (64 char)
++ // string. Allow libseccomp version to be 1-5 chars per field (eg, 1.2.3
++ // or 12345.23456.34567) and 1-30 chars of colon-separated features. Ex:
++ // 7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3
++ // 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c
++ // bpf-actlog
++ validVersionInfo = regexp.MustCompile(`^[0-9a-f]{1,166} [0-9]{1,5}\.[0-9]{1,5}\.[0-9]{1,5} [0-9a-f]{1,64} [-a-z0-9:]{1,30}$`)
+ )
+
+ type Compiler struct {
+diff --git a/sandbox/seccomp/compiler_test.go b/sandbox/seccomp/compiler_test.go
+index e8c5e7a318227d6686985d0067348e8a5d5c6022..2eaf2bfce439e12f1f68fdb2287c97407032324f 100644
+--- a/sandbox/seccomp/compiler_test.go
++++ b/sandbox/seccomp/compiler_test.go
+@@ -49,16 +49,22 @@ func (s *compilerSuite) TestVersionInfoValidate(c *C) {
+ exp string
+ err string
+ }{
+- // valid
++ // all valid
++ // 20-byte sha1 build ID added by GNU ld
+ {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c bpf-actlog", ""},
+ {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c foo:bar", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c foo:bar", ""},
+ {"7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "7ac348ac9c934269214b00d1692dfa50d5d4a157 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""},
++ // 16-byte md5/uuid build ID added by GNU ld
++ {"3817b197e7abe71a952c1245e8bdf8d9 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "3817b197e7abe71a952c1245e8bdf8d9 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""},
++ // 83-byte Go build ID
++ {"4e444571495f482d30796b5f57307065544e47692f594c61795f384b7a5258362d6a6f4272736e38302f773374475869496e433176527749797a457a4b532f3967324d4f76556f3130323644572d56326e6248 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", "4e444571495f482d30796b5f57307065544e47692f594c61795f384b7a5258362d6a6f4272736e38302f773374475869496e433176527749797a457a4b532f3967324d4f76556f3130323644572d56326e6248 2.3.3 03e996919907bc7163bc83b95bca0ecab31300f20dfa365ea14047c698340e7c -", ""},
++ // sanity
+ {"abcdef 0.0.0 abcd bpf-actlog", "abcdef 0.0.0 abcd bpf-actlog", ""},
+ {"abcdef 0.0.0 abcd -", "abcdef 0.0.0 abcd -", ""},
+
+ // invalid all the way down from here
+ // this is over/under the sane length limit for the fields
+- {"00000000000000000000000000000000000000001 2.4.1 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"},
++ {"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 2.4.1 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"},
+ {"0000000000000000000000000000000000000000 123456.0.0 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"},
+ {"0000000000000000000000000000000000000000 0.123456.0 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"},
+ {"0000000000000000000000000000000000000000 0.0.123456 0000000000000000000000000000000000000000000000000000000000000000 -", "", "invalid format of version-info: .*"},
+--
+2.24.0
+
diff --git a/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch b/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch
new file mode 100644
index 000000000000..89d81d5e2983
--- /dev/null
+++ b/0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch
@@ -0,0 +1,188 @@
+From aaf8138506d2ca6bd16d54d35206d4ca9c4b2842 Mon Sep 17 00:00:00 2001
+Message-Id: <aaf8138506d2ca6bd16d54d35206d4ca9c4b2842.1572966778.git.maciej.zenon.borzecki@canonical.com>
+From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
+Date: Thu, 31 Oct 2019 18:17:15 +0100
+Subject: [PATCH] cmd/snap-seccomp/syscalls: update the list of known syscalls
+
+Update the list of syscalls known to libseccomp using the latest revision from
+master:
+
+ commit bf747eb21e428c2b3ead6ebcca27951b681963a0
+ Author: Paul Moore <paul@paul-moore.com>
+ Date: Sun Sep 29 22:02:42 2019 -0400
+
+ arch: update the internal syscall tables to Linux v5.4-rc4
+
+Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
+---
+ cmd/snap-seccomp/syscalls/syscalls.go | 30 ++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/cmd/snap-seccomp/syscalls/syscalls.go b/cmd/snap-seccomp/syscalls/syscalls.go
+index 0224ce5744787beab55a2c901f59203a8861534b..5e98a4a6f1a7192dc3eaa6c327f3b7e4ba81f953 100644
+--- a/cmd/snap-seccomp/syscalls/syscalls.go
++++ b/cmd/snap-seccomp/syscalls/syscalls.go
+@@ -20,7 +20,7 @@
+ package syscalls
+
+ // Generated using arch-syscall-dump test tool from libseccomp tree, git
+-// revision 584ca7a5e69d87a4c2c4e4c07ce8415fa59e1351.
++// revision bf747eb21e428c2b3ead6ebcca27951b681963a0.
+ var SeccompSyscalls = []string{
+ "_llseek",
+ "_newselect",
+@@ -52,11 +52,16 @@ var SeccompSyscalls = []string{
+ "chown32",
+ "chroot",
+ "clock_adjtime",
++ "clock_adjtime64",
+ "clock_getres",
+ "clock_gettime",
++ "clock_gettime64",
+ "clock_nanosleep",
++ "clock_nanosleep_time64",
+ "clock_settime",
++ "clock_settime64",
+ "clone",
++ "clone3",
+ "close",
+ "connect",
+ "copy_file_range",
+@@ -100,7 +105,11 @@ var SeccompSyscalls = []string{
+ "flock",
+ "fork",
+ "fremovexattr",
++ "fsconfig",
+ "fsetxattr",
++ "fsmount",
++ "fsopen",
++ "fspick",
+ "fstat",
+ "fstat64",
+ "fstatat64",
+@@ -111,6 +120,7 @@ var SeccompSyscalls = []string{
+ "ftruncate",
+ "ftruncate64",
+ "futex",
++ "futex_time64",
+ "futimesat",
+ "get_kernel_syms",
+ "get_mempolicy",
+@@ -163,6 +173,7 @@ var SeccompSyscalls = []string{
+ "io_destroy",
+ "io_getevents",
+ "io_pgetevents",
++ "io_pgetevents_time64",
+ "io_setup",
+ "io_submit",
+ "io_uring_enter",
+@@ -211,6 +222,7 @@ var SeccompSyscalls = []string{
+ "mmap2",
+ "modify_ldt",
+ "mount",
++ "move_mount",
+ "move_pages",
+ "mprotect",
+ "mpx",
+@@ -218,7 +230,9 @@ var SeccompSyscalls = []string{
+ "mq_notify",
+ "mq_open",
+ "mq_timedreceive",
++ "mq_timedreceive_time64",
+ "mq_timedsend",
++ "mq_timedsend_time64",
+ "mq_unlink",
+ "mremap",
+ "msgctl",
+@@ -243,6 +257,7 @@ var SeccompSyscalls = []string{
+ "oldwait4",
+ "open",
+ "open_by_handle_at",
++ "open_tree",
+ "openat",
+ "pause",
+ "pciconfig_iobase",
+@@ -250,6 +265,8 @@ var SeccompSyscalls = []string{
+ "pciconfig_write",
+ "perf_event_open",
+ "personality",
++ "pidfd_open",
++ "pidfd_send_signal",
+ "pipe",
+ "pipe2",
+ "pivot_root",
+@@ -258,6 +275,7 @@ var SeccompSyscalls = []string{
+ "pkey_mprotect",
+ "poll",
+ "ppoll",
++ "ppoll_time64",
+ "prctl",
+ "pread64",
+ "preadv",
+@@ -268,6 +286,7 @@ var SeccompSyscalls = []string{
+ "prof",
+ "profil",
+ "pselect6",
++ "pselect6_time64",
+ "ptrace",
+ "putpmsg",
+ "pwrite64",
+@@ -285,6 +304,7 @@ var SeccompSyscalls = []string{
+ "recv",
+ "recvfrom",
+ "recvmmsg",
++ "recvmmsg_time64",
+ "recvmsg",
+ "remap_file_pages",
+ "removexattr",
+@@ -302,6 +322,7 @@ var SeccompSyscalls = []string{
+ "rt_sigreturn",
+ "rt_sigsuspend",
+ "rt_sigtimedwait",
++ "rt_sigtimedwait_time64",
+ "rt_tgsigqueueinfo",
+ "rtas",
+ "s390_guarded_storage",
+@@ -316,6 +337,7 @@ var SeccompSyscalls = []string{
+ "sched_getparam",
+ "sched_getscheduler",
+ "sched_rr_get_interval",
++ "sched_rr_get_interval_time64",
+ "sched_setaffinity",
+ "sched_setattr",
+ "sched_setparam",
+@@ -328,6 +350,7 @@ var SeccompSyscalls = []string{
+ "semget",
+ "semop",
+ "semtimedop",
++ "semtimedop_time64",
+ "send",
+ "sendfile",
+ "sendfile64",
+@@ -421,11 +444,15 @@ var SeccompSyscalls = []string{
+ "timer_delete",
+ "timer_getoverrun",
+ "timer_gettime",
++ "timer_gettime64",
+ "timer_settime",
++ "timer_settime64",
+ "timerfd",
+ "timerfd_create",
+ "timerfd_gettime",
++ "timerfd_gettime64",
+ "timerfd_settime",
++ "timerfd_settime64",
+ "times",
+ "tkill",
+ "truncate",
+@@ -447,6 +474,7 @@ var SeccompSyscalls = []string{
+ "ustat",
+ "utime",
+ "utimensat",
++ "utimensat_time64",
+ "utimes",
+ "vfork",
+ "vhangup",
+--
+2.24.0
+
diff --git a/PKGBUILD b/PKGBUILD
index 6ec54f868e15..1c9a8d1253a1 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,9 +6,10 @@
pkgname=snapd
pkgdesc="Service and tools for management of snap packages."
depends=('squashfs-tools' 'libseccomp' 'libsystemd' 'apparmor')
-optdepends=('bash-completion: bash completion support')
-pkgver=2.42
-pkgrel=2
+optdepends=('bash-completion: bash completion support'
+ 'xdg-desktop-portal: desktop integration')
+pkgver=2.42.1
+pkgrel=1
arch=('x86_64' 'i686' 'armv7h' 'aarch64')
url="https://github.com/snapcore/snapd"
license=('GPL3')
@@ -16,8 +17,12 @@ makedepends=('git' 'go' 'go-tools' 'libseccomp' 'libcap' 'systemd' 'xfsprogs' 'p
conflicts=('snap-confine')
options=('!strip' 'emptydirs')
install=snapd.install
-source=("$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz")
-sha256sums=('44a7cf510495d3d057606d2f9cf7c851b4cc48fc60abbe83040dff6a85d9fe6d')
+source=("$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz"
+ "0001-sandbox-seccomp-accept-build-ID-generated-by-Go-tool.patch"
+ "0002-cmd-snap-seccomp-syscalls-update-the-list-of-known-s.patch")
+sha256sums=('5f9b6483cba19bcb5c8d2fbaae194db29b747b7bb0a32c16a3477efd228cea3c'
+ '572c0a67c6c68ee7bf344d97a3612813fb09264ade9cba87f4a8770c89984104'
+ 'f3e8be1d15896e334335dac4bebd978d2e2465e65e6c02f706ef32857398541a')
_gourl=github.com/snapcore/snapd
@@ -32,6 +37,15 @@ prepare() {
# above describes.
mkdir -p "$(dirname "$GOPATH/src/${_gourl}")"
ln --no-target-directory -fs "$srcdir/$pkgname-$pkgver" "$GOPATH/src/${_gourl}"
+
+ for name in "${source[@]}"; do
+ if [[ "${name%.patch}" == "$name" ]]; then
+ # not a patch
+ continue
+ fi
+ msg2 "applying $name"
+ patch -p1 -i "$srcdir/$name"
+ done
}
build() {
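Review bot: The new loop at `for name in "${source[@]}"` uses each `source` entry verbatim as a local file name, but makepkg entries may take the `filename::url` form (the tarball entry in the previous hunk already does), so a patch ever added as `something.patch::https://…` would pass the `.patch` suffix test and then fail at `patch -p1 -i "$srcdir/$name"`. Strip the URL part as the loop's first statement, `name="${name%%::*}"`, so both the suffix check and the path use the local file name that makepkg actually writes into `$srcdir`. The `patch -p1` call also depends on the working directory being the unpacked source tree; that is set in the part of prepare() that starts before this hunk, so it is worth confirming a `cd` into `$srcdir/$pkgname-$pkgver` precedes it. On the positive side, the applied content is pinned by the sha256sums of the checked-in patch files, which is the right place for that check.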