archlinuxarm/PKGBUILDs
1
0
Fork 0
mirror of https://github.com/archlinuxarm/PKGBUILDs.git synced 2024-11-08 22:45:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

extra/memcached to 1.6.19-1

Browse source
This commit is contained in:
Kevin Mihelich 2023-05-05 23:26:20 +00:00
parent bccbcdd668
commit e5a083f4c4
3 changed files with 137 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

99
extra/memcached/0001-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch Normal file
View file

@ -0,0 +1,99 @@
From 29f871dcab4d79a706a4af4c7a1989fd2a4c31e9 Mon Sep 17 00:00:00 2001
From: Levente Polyak <levente@leventepolyak.net>
Date: Fri, 5 May 2023 18:10:23 +0200
Subject: [PATCH] seccomp: extend syscalls tested on Linux 6.1 with glibc 2.37
---
linux_priv.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/linux_priv.c b/linux_priv.c
index 8d132c8..4bc0ce3 100644
--- a/linux_priv.c
+++ b/linux_priv.c
@@ -69,6 +69,9 @@ void drop_privileges(void) {
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);
+#ifdef __NR_futex_time64
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex_time64), 0);
+#endif
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_wait), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_pwait), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 0);
@@ -77,6 +80,12 @@ void drop_privileges(void) {
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat64), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstatat64), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0);
+#ifdef __NR_statx
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(statx), 0);
+#endif
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
@@ -96,6 +105,7 @@ void drop_privileges(void) {
#ifdef MEMCACHED_DEBUG
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(readv), 0);
@@ -103,7 +113,6 @@ void drop_privileges(void) {
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
if (settings.relaxed_privileges) {
- rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mkdir), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0);
}
@@ -139,6 +148,9 @@ void drop_worker_privileges(void) {
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);
+#ifdef __NR_futex_time64
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex_time64), 0);
+#endif
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_wait), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_pwait), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 0);
@@ -157,12 +169,21 @@ void drop_worker_privileges(void) {
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_EQ, TIOCGWINSZ));
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msync), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0);
// for spawning the LRU crawler
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clone), 0);
+#ifdef __NR_clone3
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clone3), 0);
+#endif
+#ifdef __NR_rseq
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rseq), 0);
+#endif
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(set_robust_list), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_nanosleep), 0);
// stat
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0);
@@ -171,8 +192,10 @@ void drop_worker_privileges(void) {
if (settings.shutdown_command) {
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tgkill), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tkill), 0);
- rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat64), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstatat64), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettid), 0);
}
--
2.40.1

28
extra/memcached/0001-tests-enable-drop_privileges-by-default-for-better-s.patch Normal file
View file

@ -0,0 +1,28 @@
From 5647bec11c166707eaf348830bc2f5da11d554c0 Mon Sep 17 00:00:00 2001
From: Levente Polyak <levente@leventepolyak.net>
Date: Fri, 5 May 2023 18:13:57 +0200
Subject: [PATCH] tests: enable drop_privileges by default for better seccomp
coverage
---
t/lib/MemcachedTest.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/t/lib/MemcachedTest.pm b/t/lib/MemcachedTest.pm
index a9557e5..4a63913 100644
--- a/t/lib/MemcachedTest.pm
+++ b/t/lib/MemcachedTest.pm
@@ -298,7 +298,9 @@ sub new_memcached {
if ($< == 0) {
$args .= " -u root";
}
- $args .= " -o relaxed_privileges";
+ if (supports_drop_priv()) {
+ $args .= " -o drop_privileges,relaxed_privileges";
+ }
my $udpport;
if ($args =~ /-l (\S+)/ || (($ssl_enabled || $unix_socket_disabled) && ($args !~ /-s (\S+)/))) {
--
2.40.1

14
extra/memcached/PKGBUILD
View file

@ -6,7 +6,7 @@
# - remove depend on libseccomp, don't configure with --enable-seccomp; problematic on ARM # - remove depend on libseccomp, don't configure with --enable-seccomp; problematic on ARM
pkgname=memcached pkgname=memcached
pkgver=1.6.18 pkgver=1.6.19
pkgrel=1 pkgrel=1
pkgdesc='Distributed memory object caching system' pkgdesc='Distributed memory object caching system'
url='https://memcached.org/' url='https://memcached.org/'
@ -17,14 +17,20 @@ optdepends=('perl: for memcached-tool usage')
source=(https://www.memcached.org/files/${pkgname}-${pkgver}.tar.gz source=(https://www.memcached.org/files/${pkgname}-${pkgver}.tar.gz
memcached.service.patch memcached.service.patch
memcached.tmpfiles memcached.tmpfiles
memcached.sysusers) memcached.sysusers
sha512sums=('85e5a5e7c901b02158ea20cc58f2e7e6ba4806c40a0105185140b31fa40f3ce0fc704f6f17ea4a425a9ff543f9d30092aadbb202ea4ca46476c151e65eac97e6' 0001-tests-enable-drop_privileges-by-default-for-better-s.patch
0001-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch)
sha512sums=('60d93065e0ef2b17e9da5370a497a4fbfc64c0af70e14fdfdab60c0c94c0b19e30da31d615e19565474c278141a4cb401c65fd79bd70947dd96a9fee81824a74'
'dd21f49062054c601469f9abc9ee39a0f06c604e8805e7bc9bf2cfa65429962f93e7ac67764257c578fc15b1e75394956f350162c99b084c76a6e14d9331f31f' 'dd21f49062054c601469f9abc9ee39a0f06c604e8805e7bc9bf2cfa65429962f93e7ac67764257c578fc15b1e75394956f350162c99b084c76a6e14d9331f31f'
'960705ff74d25afed477e0b2a5872a3a4fb49ed3105a351f0d0224abc947778f9dbda81e80be94ab636da4a8411a9dd56a8fd4513e5b86a3096a14fa67f1548b' '960705ff74d25afed477e0b2a5872a3a4fb49ed3105a351f0d0224abc947778f9dbda81e80be94ab636da4a8411a9dd56a8fd4513e5b86a3096a14fa67f1548b'
'e6ddcab9a6fee024072b6363ef60aa176ed258369bf3a17d475f19b1f410ffd6195b9c5737dc5b1371e8974b44bdbdaa109927acaeb54fb40302a5d67d7c13a8') 'e6ddcab9a6fee024072b6363ef60aa176ed258369bf3a17d475f19b1f410ffd6195b9c5737dc5b1371e8974b44bdbdaa109927acaeb54fb40302a5d67d7c13a8'
'5da2a4fb0cdaefe9527dec67e01d881161c49a1593f11ddccf28fb55cbc25fe841ea8eca8a50387e2fef5bc304f12a5c9af4909543eafc0f8865dea39f9e8355'
'8d2518507cf843202dc90c10f6fce3c3fc9b41c7aaf10ff0b862c31d30bbbec7de92f9be0327ea3e58e77e29ae2a12b2f47370502bbddc04324f394cfdd7d4a8')
prepare() { prepare() {
cd ${pkgname}-${pkgver} cd ${pkgname}-${pkgver}
patch -Np1 < ../0001-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch
patch -Np1 < ../0001-tests-enable-drop_privileges-by-default-for-better-s.patch
patch -Np1 < ../memcached.service.patch patch -Np1 < ../memcached.service.patch
sed -e 's/^##safer##//g' -i scripts/*.service sed -e 's/^##safer##//g' -i scripts/*.service
} }