From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Conrad Kostecki" <conikost@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Conrad Kostecki" <conikost@gentoo.org>
Message-ID: <1718663697.60dcbb123200782a1538220d3e859381cba8fe04.conikost@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/files/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-apps/systemd/files/systemd-254.9-fchmodat2.patch
X-VCS-Directories: sys-apps/systemd/files/
X-VCS-Committer: conikost
X-VCS-Committer-Name: Conrad Kostecki
X-VCS-Revision: 60dcbb123200782a1538220d3e859381cba8fe04
X-VCS-Branch: master
Date: Mon, 17 Jun 2024 22:36:19 +0000 (UTC)

commit:     60dcbb123200782a1538220d3e859381cba8fe04
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Fri May 31 14:08:21 2024 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Mon Jun 17 22:34:57 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=60dcbb12

sys-apps/systemd: remove unused patch

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../systemd/files/systemd-254.9-fchmodat2.patch    | 255 ---------------------
 1 file changed, 255 deletions(-)

diff --git a/sys-apps/systemd/files/systemd-254.9-fchmodat2.patch b/sys-apps/systemd/files/systemd-254.9-fchmodat2.patch
deleted file mode 100644
index 27bdd121aa60..000000000000
--- a/sys-apps/systemd/files/systemd-254.9-fchmodat2.patch
+++ /dev/null
@@ -1,255 +0,0 @@
-From 3d93b69fa558b33f1f2b52305fa4c2d836789394 Mon Sep 17 00:00:00 2001
-From: Arseny Maslennikov <arseny@altlinux.org>
-Date: Sun, 15 Oct 2023 11:00:00 +0300
-Subject: [PATCH 1/3] basic/missing_syscall: generate defs for `fchmodat2(2)`
-
-We will need this to set seccomp filters on this system call regardless
-of libseccomp or kernel support.
-
-(cherry picked from commit 3677364cc3a2c5429380cfd3a2472e2da87925c4)
----
- src/basic/missing_syscall_def.h | 68 +++++++++++++++++++++++++++++++++
- src/basic/missing_syscalls.py   |  1 +
- 2 files changed, 69 insertions(+)
-
-diff --git a/src/basic/missing_syscall_def.h b/src/basic/missing_syscall_def.h
-index 402fdd00dc..b5beb434db 100644
---- a/src/basic/missing_syscall_def.h
-+++ b/src/basic/missing_syscall_def.h
-@@ -246,6 +246,74 @@ assert_cc(__NR_copy_file_range == systemd_NR_copy_file_range);
- #  endif
- #endif
- 
-+#ifndef __IGNORE_fchmodat2
-+#  if defined(__aarch64__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__alpha__)
-+#    define systemd_NR_fchmodat2 562
-+#  elif defined(__arc__) || defined(__tilegx__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__arm__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__i386__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__ia64__)
-+#    define systemd_NR_fchmodat2 1476
-+#  elif defined(__loongarch_lp64)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__m68k__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(_MIPS_SIM)
-+#    if _MIPS_SIM == _MIPS_SIM_ABI32
-+#      define systemd_NR_fchmodat2 4452
-+#    elif _MIPS_SIM == _MIPS_SIM_NABI32
-+#      define systemd_NR_fchmodat2 6452
-+#    elif _MIPS_SIM == _MIPS_SIM_ABI64
-+#      define systemd_NR_fchmodat2 5452
-+#    else
-+#      error "Unknown MIPS ABI"
-+#    endif
-+#  elif defined(__hppa__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__powerpc__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__riscv)
-+#    if __riscv_xlen == 32
-+#      define systemd_NR_fchmodat2 452
-+#    elif __riscv_xlen == 64
-+#      define systemd_NR_fchmodat2 452
-+#    else
-+#      error "Unknown RISC-V ABI"
-+#    endif
-+#  elif defined(__s390__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__sparc__)
-+#    define systemd_NR_fchmodat2 452
-+#  elif defined(__x86_64__)
-+#    if defined(__ILP32__)
-+#      define systemd_NR_fchmodat2 (452 | /* __X32_SYSCALL_BIT */ 0x40000000)
-+#    else
-+#      define systemd_NR_fchmodat2 452
-+#    endif
-+#  elif !defined(missing_arch_template)
-+#    warning "fchmodat2() syscall number is unknown for your architecture"
-+#  endif
-+
-+/* may be an (invalid) negative number due to libseccomp, see PR 13319 */
-+#  if defined __NR_fchmodat2 && __NR_fchmodat2 >= 0
-+#    if defined systemd_NR_fchmodat2
-+assert_cc(__NR_fchmodat2 == systemd_NR_fchmodat2);
-+#    endif
-+#  else
-+#    if defined __NR_fchmodat2
-+#      undef __NR_fchmodat2
-+#    endif
-+#    if defined systemd_NR_fchmodat2 && systemd_NR_fchmodat2 >= 0
-+#      define __NR_fchmodat2 systemd_NR_fchmodat2
-+#    endif
-+#  endif
-+#endif
-+
- #ifndef __IGNORE_getrandom
- #  if defined(__aarch64__)
- #    define systemd_NR_getrandom 278
-diff --git a/src/basic/missing_syscalls.py b/src/basic/missing_syscalls.py
-index 5ccf02adec..00f72dc7a8 100644
---- a/src/basic/missing_syscalls.py
-+++ b/src/basic/missing_syscalls.py
-@@ -9,6 +9,7 @@ SYSCALLS = [
-     'bpf',
-     'close_range',
-     'copy_file_range',
-+    'fchmodat2',
-     'getrandom',
-     'memfd_create',
-     'mount_setattr',
--- 
-2.43.0
-
-
-From c1ffd32c642dcadb844b149fcc0c6fe0dbe8a292 Mon Sep 17 00:00:00 2001
-From: Arseny Maslennikov <arseny@altlinux.org>
-Date: Sun, 15 Oct 2023 11:00:00 +0300
-Subject: [PATCH 2/3] seccomp: include `fchmodat2` in `@file-system`
-
-(cherry picked from commit 6e10405aa25fe5e76b740d9ec59730e3f4470c7a)
----
- src/shared/seccomp-util.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
-index bd9660cb35..a9c6279b18 100644
---- a/src/shared/seccomp-util.c
-+++ b/src/shared/seccomp-util.c
-@@ -468,6 +468,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
-                 "fchdir\0"
-                 "fchmod\0"
-                 "fchmodat\0"
-+                "fchmodat2\0"
-                 "fcntl\0"
-                 "fcntl64\0"
-                 "fgetxattr\0"
--- 
-2.43.0
-
-
-From da6ec29e7f755e14655132b4e0b04f463f40af3e Mon Sep 17 00:00:00 2001
-From: Arseny Maslennikov <arseny@altlinux.org>
-Date: Sun, 15 Oct 2023 11:00:00 +0300
-Subject: [PATCH 3/3] seccomp: also check the mode parameter of `fchmodat2(2)`
-
-If there is no libseccomp support, just ban the entire syscall instead
-so wrappers will fall back to older, supported syscalls.
-Also reflect all of this in `test-seccomp.c`.
-
-(cherry picked from commit 8b45281daa3a87b4b7a3248263cd0ba929d15596)
----
- src/shared/seccomp-util.c | 24 +++++++++++++++++++++++-
- src/test/test-seccomp.c   | 28 ++++++++++++++++++++++++++++
- 2 files changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
-index a9c6279b18..12fd95d95b 100644
---- a/src/shared/seccomp-util.c
-+++ b/src/shared/seccomp-util.c
-@@ -2038,7 +2038,7 @@ int seccomp_protect_hostname(void) {
- static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
-         /* Checks the mode_t parameter of the following system calls:
-          *
--         *       → chmod() + fchmod() + fchmodat()
-+         *       → chmod() + fchmod() + fchmodat() + fchmodat2()
-          *       → open() + creat() + openat()
-          *       → mkdir() + mkdirat()
-          *       → mknod() + mknodat()
-@@ -2081,6 +2081,28 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
-         else
-                 any = true;
- 
-+#if defined(__SNR_fchmodat2)
-+        r = seccomp_rule_add_exact(
-+                        seccomp,
-+                        SCMP_ACT_ERRNO(EPERM),
-+                        SCMP_SYS(fchmodat2),
-+                        1,
-+                        SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
-+#else
-+        /* It looks like this libseccomp does not know about fchmodat2().
-+         * Pretend the fchmodat2() system call is not supported at all,
-+         * regardless of the kernel version. */
-+        r = seccomp_rule_add_exact(
-+                        seccomp,
-+                        SCMP_ACT_ERRNO(ENOSYS),
-+                        __NR_fchmodat2,
-+                        0);
-+#endif
-+        if (r < 0)
-+                log_debug_errno(r, "Failed to add filter for fchmodat2: %m");
-+        else
-+                any = true;
-+
-         r = seccomp_rule_add_exact(
-                         seccomp,
-                         SCMP_ACT_ERRNO(EPERM),
-diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
-index 2d06098ddd..3a73262a8b 100644
---- a/src/test/test-seccomp.c
-+++ b/src/test/test-seccomp.c
-@@ -21,6 +21,7 @@
- #include "macro.h"
- #include "memory-util.h"
- #include "missing_sched.h"
-+#include "missing_syscall_def.h"
- #include "nsflags.h"
- #include "nulstr-util.h"
- #include "process-util.h"
-@@ -1003,6 +1004,23 @@ static int real_open(const char *path, int flags, mode_t mode) {
- #endif
- }
- 
-+static int try_fchmodat2(int dirfd, const char *path, int flags, mode_t mode) {
-+        /* glibc does not provide a direct wrapper for fchmodat2(). Let's hence define our own wrapper for
-+         * testing purposes that calls the real syscall, on architectures and in environments where
-+         * SYS_fchmodat2 is defined. Otherwise, let's just fall back to the glibc fchmodat() call. */
-+
-+#if defined __NR_fchmodat2 && __NR_fchmodat2 >= 0
-+        int r;
-+        r = (int) syscall(__NR_fchmodat2, dirfd, path, flags, mode);
-+        /* The syscall might still be unsupported by kernel or libseccomp. */
-+        if (r < 0 && errno == ENOSYS)
-+                return fchmodat(dirfd, path, flags, mode);
-+        return r;
-+#else
-+        return fchmodat(dirfd, path, flags, mode);
-+#endif
-+}
-+
- TEST(restrict_suid_sgid) {
-         pid_t pid;
- 
-@@ -1044,6 +1062,11 @@ TEST(restrict_suid_sgid) {
-                 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) >= 0);
-                 assert_se(fchmodat(AT_FDCWD, path, 0755, 0) >= 0);
- 
-+                assert_se(try_fchmodat2(AT_FDCWD, path, 0755 | S_ISUID, 0) >= 0);
-+                assert_se(try_fchmodat2(AT_FDCWD, path, 0755 | S_ISGID, 0) >= 0);
-+                assert_se(try_fchmodat2(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) >= 0);
-+                assert_se(try_fchmodat2(AT_FDCWD, path, 0755, 0) >= 0);
-+
-                 k = real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID);
-                 k = safe_close(k);
-                 assert_se(unlink(z) >= 0);
-@@ -1145,6 +1168,11 @@ TEST(restrict_suid_sgid) {
-                 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) < 0 && errno == EPERM);
-                 assert_se(fchmodat(AT_FDCWD, path, 0755, 0) >= 0);
- 
-+                assert_se(try_fchmodat2(AT_FDCWD, path, 0755 | S_ISUID, 0) < 0 && errno == EPERM);
-+                assert_se(try_fchmodat2(AT_FDCWD, path, 0755 | S_ISGID, 0) < 0 && errno == EPERM);
-+                assert_se(try_fchmodat2(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) < 0 && errno == EPERM);
-+                assert_se(try_fchmodat2(AT_FDCWD, path, 0755, 0) >= 0);
-+
-                 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM);
-                 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM);
-                 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM);
--- 
-2.43.0
-
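Review bot: the commit message ("remove unused patch") does not record which ebuild stopped applying systemd-254.9-fchmodat2.patch or why it is safe to drop, and the deleted file is security-relevant. Its PATCH 2/3 adds "fchmodat2" to the @file-system filter set, and its PATCH 3/3 makes seccomp_restrict_sxid() apply the mode check to fchmodat2() (EPERM on a masked match of m), or return ENOSYS for the whole syscall when libseccomp has no __SNR_fchmodat2. Please state in the message that no remaining sys-apps/systemd ebuild references this file and that every remaining version already contains the upstream commits named in the three cherry-pick lines (3677364cc3a2c5429380cfd3a2472e2da87925c4, 6e10405aa25fe5e76b740d9ec59730e3f4470c7a, 8b45281daa3a87b4b7a3248263cd0ba929d15596). A version built without them would leave fchmodat2() outside the mode check that chmod(), fchmod() and fchmodat() already get.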