From 271aba5d0f4dd2ab98857f1aad051d45eadf8f87 Mon Sep 17 00:00:00 2001 
From: Oliver Smith Date: Sun, 5 May 2019 17:51:04 +0200 Subject: [PATCH] temp: build networkmanager for armhf, armv7 Due to the following dependency chain, it is currently not available in Alpine for armhf and armv7. This breaks postmarketos-base. postmarketos-base -> networkmanager -> polkit -> mozjs60 This can be reverted, when networkmanager is back for arm{hf,v7} in Alpine. The mozjs60 arm fix is from here: https://github.com/alpinelinux/aports/pull/7561 Related: #244 --- .../0001-silence-sandbox-violations.patch | 30 ++++ temp/mozjs60/APKBUILD | 68 ++++++++ temp/mozjs60/fix-musl-build.patch | 16 ++ temp/mozjs60/fix-soname-lib.patch | 30 ++++ temp/networkmanager/APKBUILD | 118 +++++++++++++ temp/networkmanager/fix-ppc64le-build.patch | 12 ++ temp/networkmanager/musl-basic.patch | 46 +++++ temp/networkmanager/musl-compar.patch | 18 ++ temp/networkmanager/musl-fix-includes.patch | 52 ++++++ .../musl-has-not-secure-getenv.patch | 13 ++ .../networkmanager/musl-network-support.patch | 42 +++++ temp/networkmanager/musl-process-util.patch | 40 +++++ temp/networkmanager/networkmanager.conf | 2 + temp/networkmanager/networkmanager.initd | 24 +++ .../networkmanager/networkmanager.pre-install | 9 + .../networkmanager/networkmanager.pre-upgrade | 1 + temp/networkmanager/networkmanager.rules | 9 + temp/polkit/APKBUILD | 78 +++++++++ temp/polkit/CVE-2018-19788.patch | 150 +++++++++++++++++ temp/polkit/alpine-pam.patch | 18 ++ temp/polkit/make-innetgr-optional.patch | 68 ++++++++ temp/polkit/mozjs60-1.patch | 28 ++++ temp/polkit/mozjs60-2.patch | 158 ++++++++++++++++++ temp/polkit/polkit.pre-install | 6 + 24 files changed, 1036 insertions(+) create mode 100644 temp/mozjs60/0001-silence-sandbox-violations.patch create mode 100644 temp/mozjs60/APKBUILD create mode 100644 temp/mozjs60/fix-musl-build.patch create mode 100644 temp/mozjs60/fix-soname-lib.patch create mode 100644 temp/networkmanager/APKBUILD create mode 100644 temp/networkmanager/fix-ppc64le-build.patch create mode 
100644 temp/networkmanager/musl-basic.patch create mode 100644 temp/networkmanager/musl-compar.patch create mode 100644 temp/networkmanager/musl-fix-includes.patch create mode 100644 temp/networkmanager/musl-has-not-secure-getenv.patch create mode 100644 temp/networkmanager/musl-network-support.patch create mode 100644 temp/networkmanager/musl-process-util.patch create mode 100644 temp/networkmanager/networkmanager.conf create mode 100644 temp/networkmanager/networkmanager.initd create mode 100644 temp/networkmanager/networkmanager.pre-install create mode 120000 temp/networkmanager/networkmanager.pre-upgrade create mode 100644 temp/networkmanager/networkmanager.rules create mode 100644 temp/polkit/APKBUILD create mode 100644 temp/polkit/CVE-2018-19788.patch create mode 100644 temp/polkit/alpine-pam.patch create mode 100644 temp/polkit/make-innetgr-optional.patch create mode 100644 temp/polkit/mozjs60-1.patch create mode 100644 temp/polkit/mozjs60-2.patch create mode 100644 temp/polkit/polkit.pre-install diff --git a/temp/mozjs60/0001-silence-sandbox-violations.patch b/temp/mozjs60/0001-silence-sandbox-violations.patch new file mode 100644 index 000000000..918202671 --- /dev/null +++ b/temp/mozjs60/0001-silence-sandbox-violations.patch 
@@ -0,0 +1,30 @@
+Upstream: no
+From 9ad10569e11a2fb96377188f895bc66abcc9511d Mon Sep 17 00:00:00 2001
+From: Marc-Antoine Perennou
+Date: Wed, 5 Sep 2018 15:05:24 +0200
+Subject: [PATCH] silence sandbox violations
+
+Signed-off-by: Marc-Antoine Perennou
+---
+ python/mozbuild/mozbuild/frontend/emitter.py | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/python/mozbuild/mozbuild/frontend/emitter.py b/python/mozbuild/mozbuild/frontend/emitter.py
+index 642b381c0..c37fbf5d0 100644
+--- a/python/mozbuild/mozbuild/frontend/emitter.py
++++ b/python/mozbuild/mozbuild/frontend/emitter.py
+@@ -1127,11 +1127,6 @@ class TreeMetadataEmitter(LoggingMixin):
+ raise SandboxValidationError('Path specified in LOCAL_INCLUDES '
+ 'does not exist: %s (resolved to %s)' % (local_include,
+ full_path), context)
+- if (full_path == context.config.topsrcdir or
+- full_path == context.config.topobjdir):
+- raise SandboxValidationError('Path specified in LOCAL_INCLUDES '
+- 'is not allowed: %s (resolved to %s)' % (local_include,
+- full_path), context)
+ include_obj = LocalInclude(context, local_include)
+ local_includes.append(include_obj.path.full_path)
+ yield include_obj
+--
+2.18.0
+
diff --git a/temp/mozjs60/APKBUILD b/temp/mozjs60/APKBUILD
new file mode 100644
index 000000000..b3a991a7e
--- /dev/null
+++ b/temp/mozjs60/APKBUILD
@@ -0,0 +1,68 @@
+# Forked from Alpine, because networkmanager is currently missing in armhf, armv7 (#244)
+pkgname=mozjs60
+pkgver=60.6.1
+_majver=${pkgver%%.*}
+pkgrel=1
+pkgdesc="standalone mozilla javascript engine"
+url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases/60"
+arch="all !s390x"
+license="MPL-2.0"
+depends_dev="icu-dev nspr-dev libffi-dev readline-dev"
+makedepends="$depends_dev zlib-dev python2 perl sed autoconf2.13 linux-headers coreutils"
+subpackages="$pkgname-dev"
+source="https://ftp.mozilla.org/pub/firefox/releases/${pkgver}esr/source/firefox-${pkgver}esr.source.tar.xz
+ 0001-silence-sandbox-violations.patch
+ fix-musl-build.patch
+ fix-soname-lib.patch
+ "
+builddir="$srcdir"/firefox-$pkgver
+_builddir="$builddir/js/src"
+
+# checks take forever in qemu
+options="!check"
+
+build() {
+ cd "$_builddir"
+
+ export LDFLAGS="$LDFLAGS -Wl,-z,stack-size=1048576"
+
+ # avoid complains about autoconf
+ touch configure
+
+ # Fix broken ARM_ARCH check which doesn't work with newer GCCs it seems.
+ if [ "$CTARGET = "armv* ]; then
+ ARM_ARCH=$(echo ${CTARGET#*armv} | sed "s|-.*||")
+ sed -i "s|ARM_ARCH=.*|ARM_ARCH=$ARM_ARCH|" "$builddir"/build/autoconf/arch.m4
+ fi
+
+ export SHELL=/bin/ash
+ PYTHON=/usr/bin/python2 ./configure --prefix=/usr \
+ --with-system-icu \
+ --with-system-nspr \
+ --with-system-zlib \
+ --with-intl-api \
+ --enable-ctypes \
+ --enable-shared-js \
+ --enable-readline \
+ --enable-system-ffi \
+ --disable-optimize \
+ --disable-jemalloc \
+ --enable-pie
+ make
+}
+
+check() {
+ cd "$_builddir"
+ dist/bin/jsapi-tests
+}
+
+package() {
+ cd "$_builddir"
+ make DESTDIR="$pkgdir" install
+ rm -f "$pkgdir"/usr/lib/*.ajs
+}
+
+sha512sums="a1683e9ad551c2aa6b84013216393fe1f7107728c253ed8e5700d419cf0956513110ed4e1b5dbac3e3bc23930e3024706f1b24d405b6edcdf8c175b03ab241ed firefox-60.6.1esr.source.tar.xz
+adaacd6e087a07bd4ded598f6a66ee00c67c9092bb93d88729668516f6f00f497ad8ece1866680e6c371e4705e0f9194ade41ea3a986f793bd972c92029cf03a 0001-silence-sandbox-violations.patch
+bc91c2fb15eb22acb8acc36d086fb18fbf6f202b4511d138769b5ecaaed4a673349c55f808270c762616fafa42e3b01e74dc0af1dcbeea1289e043926e2750c8 fix-musl-build.patch
+4782794a0f409f767293fb5f61a9ad58985e05197538975ed8f7372bfae6921a3b9bcbbbfcf8ce2843cdfe8ee799d08cee71a6391ed5ae939f051d13038b0960 fix-soname-lib.patch"
diff --git a/temp/mozjs60/fix-musl-build.patch b/temp/mozjs60/fix-musl-build.patch
new file mode 100644
index 000000000..af3946739
--- /dev/null
+++ b/temp/mozjs60/fix-musl-build.patch
@@ -0,0 +1,16 @@
+Upstream: No
+Reason: mozjs60 miscompiles on musl if built with HAVE_THREAD_TLS_KEYWORD:
+https://github.com/void-linux/void-packages/issues/2598
+diff --git a/js/src/old-configure.in b/js/src/old-configure.in
+--- a/js/src/old-configure.in
++++ b/js/src/old-configure.in
+@@ -1272,6 +1272,9 @@
+ *-android*|*-linuxandroid*)
+ :
+ ;;
++ *-musl*)
++ :
++ ;;
+ *)
+ AC_DEFINE(HAVE_THREAD_TLS_KEYWORD)
+ ;;
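Review bot: The ARM_ARCH guard in build() of temp/mozjs60/APKBUILD is mis-quoted: `[ "$CTARGET = "armv* ]` hands `[` a single non-empty word, so the test is always true and the `sed` on `build/autoconf/arch.m4` runs for every target, not only armv*. On a non-ARM `CTARGET` the `${CTARGET#*armv}` expansion strips nothing, so ARM_ARCH becomes whatever precedes the first `-` of the triplet. A pattern match does what the comment above it describes: `case "$CTARGET" in armv*) ARM_ARCH=...; sed -i ... ;; esac`.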
diff --git a/temp/mozjs60/fix-soname-lib.patch b/temp/mozjs60/fix-soname-lib.patch
new file mode 100644
index 000000000..b9147fa20
--- /dev/null
+++ b/temp/mozjs60/fix-soname-lib.patch
@@ -0,0 +1,30 @@
+Source: Arch Linux
+Upstream: Unknown
+Reason: fixes linking against libmozjs-60
+
+diff --git i/js/src/build/Makefile.in w/js/src/build/Makefile.in
+index ee19104e0ef5..a0f06fd35a18 100644
+--- i/js/src/build/Makefile.in
++++ w/js/src/build/Makefile.in
+@@ -89,6 +89,8 @@ ifneq (,$(REAL_LIBRARY))
+ endif
+ ifneq (,$(SHARED_LIBRARY))
+ $(SYSINSTALL) $(SHARED_LIBRARY) $(DESTDIR)$(libdir)
++ mv -f $(DESTDIR)$(libdir)/$(SHARED_LIBRARY) $(DESTDIR)$(libdir)/$(SHARED_LIBRARY).0
++ ln -s $(SHARED_LIBRARY).0 $(DESTDIR)$(libdir)/$(SHARED_LIBRARY)
+ ifeq ($(OS_ARCH),Darwin)
+ install_name_tool -id $(abspath $(libdir)/$(SHARED_LIBRARY)) $(DESTDIR)$(libdir)/$(SHARED_LIBRARY)
+ endif
+diff --git i/js/src/build/moz.build w/js/src/build/moz.build
+index a7f5fa4ce8eb..726687c13fb0 100644
+--- i/js/src/build/moz.build
++++ w/js/src/build/moz.build
+@@ -23,6 +23,7 @@ if not CONFIG['JS_STANDALONE']:
+ if CONFIG['JS_SHARED_LIBRARY']:
+ GeckoSharedLibrary('js', linkage=None)
+ SHARED_LIBRARY_NAME = CONFIG['JS_LIBRARY_NAME']
++ LDFLAGS += ['-Wl,-soname,lib{}.so.0'.format(SHARED_LIBRARY_NAME)]
+ else:
+ Library('js')
+
+
diff --git a/temp/networkmanager/APKBUILD b/temp/networkmanager/APKBUILD
new file mode 100644
index 000000000..b28470780
--- /dev/null
+++ b/temp/networkmanager/APKBUILD
@@ -0,0 +1,118 @@ +# Forked from Alpine, because networkmanager is currently missing in armhf, armv7 (#244) +pkgname=networkmanager +pkgver=1.18.1 +pkgrel=1 +pkgdesc="Network Management daemon" +url="https://wiki.gnome.org/Projects/NetworkManager" +arch="all" +license="GPL-2.0-or-later" +depends="dhcpcd iptables dbus" +install="$pkgname.pre-install $pkgname.pre-upgrade" +makedepends="$depends_dev + curl-dev + dbus-glib-dev + eudev-dev + libgudev-dev + gobject-introspection-dev + intltool + libndp-dev + libnl3-dev + libsoup-dev + libteam-dev + linux-headers + modemmanager-dev + newt-dev + nss-dev + polkit-dev + ppp-dev + readline-dev + util-linux-dev + jansson-dev + vala + meson + py-gobject3 + libpsl-dev + python2 + " +subpackages="$pkgname-dev $pkgname-doc $pkgname-lang $pkgname-openrc" +source="https://download.gnome.org/sources/NetworkManager/${pkgver:0:4}/NetworkManager-$pkgver.tar.xz + $pkgname.conf + $pkgname.initd + $pkgname.rules + musl-basic.patch + musl-network-support.patch + musl-fix-includes.patch + musl-process-util.patch + musl-has-not-secure-getenv.patch + musl-compar.patch + fix-ppc64le-build.patch + " +options="!check" # fail to compile on musl + +builddir="$srcdir"/NetworkManager-$pkgver + +build() { + meson \ + --prefix=/usr \ + --sysconfdir=/etc \ + --localstatedir=/var \ + -Dsystemdsystemunitdir=no \ + -Dudev_dir=/lib/udev \ + -Diptables=/sbin/iptables \ + -Ddnsmasq=/usr/sbin/dnsmasq \ + -Dmodify_system=true \ + -Dselinux=false \ + -Dsystemd_journal=false \ + -Dlibaudit=no \ + -Diwd=true \ + -Dpppd=/usr/sbin/pppd \ + -Dconfig_plugins_default=ifupdown \ + -Difupdown=true \ + -Ddhcpcd=true \ + -Dconfig_dhcp_default=dhcpcd \ + -Dvapi=true \ + -Dtests=no \ + -Dlibnm_glib=true \ + -Dpolkit_agent=true \ + -Dsession_tracking=no \ + -Dqt=false \ + . 
output + ninja -C output +} + +check() { + ninja -C output test +} + +package() { + DESTDIR="$pkgdir" ninja -C output install + + install -m755 -D "$srcdir"/networkmanager.initd "$pkgdir"/etc/init.d/networkmanager + install -m644 -D "$srcdir/$pkgname.conf" "$pkgdir"/etc/NetworkManager/NetworkManager.conf + # allow plugdev users to modify connections + install -m644 -D "$srcdir/$pkgname.rules" \ + "$pkgdir/usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules" + mkdir -p "$pkgdir/usr/share/apk-tools/$pkgname" + # post-install message + mv "$pkgdir/usr/share/doc/NetworkManager" "$pkgdir/usr/share/doc/$pkgname" + cat > $pkgdir/usr/share/doc/$pkgname/README.alpine < + ++#ifndef RTLD_DEEPBIND ++#define RTLD_DEEPBIND 0 ++#endif ++ + void *_nm_jansson_json_object_iter_value; + void *_nm_jansson_json_object_key_to_iter; + void *_nm_jansson_json_integer; +diff --git a/shared/systemd/src/basic/stdio-util.h b/shared/systemd/src/basic/stdio-util.h +index c3b9448..e80a938 100644 +--- a/shared/systemd/src/basic/stdio-util.h ++++ b/shared/systemd/src/basic/stdio-util.h +@@ -1,7 +1,9 @@ + /* SPDX-License-Identifier: LGPL-2.1+ */ + #pragma once + ++#if defined(__GLIBC__) + #include ++#endif + #include + #include + #include +diff --git a/shared/systemd/src/basic/util.h b/shared/systemd/src/basic/util.h +index 25e6ab8..7967e8a 100644 +--- a/shared/systemd/src/basic/util.h ++++ b/shared/systemd/src/basic/util.h +@@ -46,6 +46,12 @@ static inline unsigned u64log2(uint64_t n) { + #endif + } + ++#if !defined(__GLIBC__) ++typedef int (*__compar_fn_t) (const void*, const void*); ++typedef __compar_fn_t comparison_fn_t; ++typedef int (*__compar_d_fn_t) (const void *, const void *, void *); ++#endif ++ + static inline unsigned u32ctz(uint32_t n) { + #if __SIZEOF_INT__ == 4 + return n != 0 ? __builtin_ctz(n) : 32; diff --git a/temp/networkmanager/musl-compar.patch b/temp/networkmanager/musl-compar.patch new file mode 100644 index 000000000..1b1de2f28 
--- /dev/null +++ b/temp/networkmanager/musl-compar.patch @@ -0,0 +1,18 @@ +diff --git a/shared/systemd/src/basic/sort-util.h b/shared/systemd/src/basic/sort-util.h +index e029f86..935f136 100644 +--- a/shared/systemd/src/basic/sort-util.h ++++ b/shared/systemd/src/basic/sort-util.h +@@ -5,6 +5,13 @@ + + #include "macro.h" + ++#ifndef __COMPAR_FN_T ++# define __COMPAR_FN_T ++typedef int (*__compar_fn_t) (const void *, const void *); ++typedef __compar_fn_t comparison_fn_t; ++typedef int (*__compar_d_fn_t) (const void *, const void *, void *); ++#endif ++ + void *xbsearch_r(const void *key, const void *base, size_t nmemb, size_t size, + __compar_d_fn_t compar, void *arg); + diff --git a/temp/networkmanager/musl-fix-includes.patch b/temp/networkmanager/musl-fix-includes.patch new file mode 100644 index 000000000..e68925372 --- /dev/null +++ b/temp/networkmanager/musl-fix-includes.patch @@ -0,0 +1,52 @@ +diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c +index bd4fbcc..cb5436f 100644 +--- a/src/devices/nm-device.c ++++ b/src/devices/nm-device.c +@@ -32,7 +32,11 @@ + #include + #include + #include ++#if defined(__GLIBC__) + #include ++#else ++#include ++#endif + #include + #include + +diff --git a/src/nm-manager.c b/src/nm-manager.c +index 40e068a..aa57ce8 100644 +--- a/src/nm-manager.c ++++ b/src/nm-manager.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + #include "nm-glib-aux/nm-c-list.h" + +diff --git a/src/platform/nm-linux-platform.c b/src/platform/nm-linux-platform.c +index d4b0115..c934f10 100644 +--- a/src/platform/nm-linux-platform.c ++++ b/src/platform/nm-linux-platform.c +@@ -20,6 +20,7 @@ + #include "nm-default.h" + + #include "nm-linux-platform.h" ++#include "wpan/nm-wpan-utils.h" + + #include + #include +@@ -28,7 +29,11 @@ + #include + #include + #include ++#if defined(__GLIBC__) + #include ++#else ++#include ++#endif + #include + #include + #include 
diff --git a/temp/networkmanager/musl-has-not-secure-getenv.patch b/temp/networkmanager/musl-has-not-secure-getenv.patch new file mode 100644 index 000000000..37883e272 --- /dev/null +++ b/temp/networkmanager/musl-has-not-secure-getenv.patch @@ -0,0 +1,13 @@ +diff --git a/src/systemd/sd-adapt-core/nm-sd-adapt-core.h b/src/systemd/sd-adapt-core/nm-sd-adapt-core.h +index 8c07c53..d043afc 100644 +--- a/src/systemd/sd-adapt-core/nm-sd-adapt-core.h ++++ b/src/systemd/sd-adapt-core/nm-sd-adapt-core.h +@@ -65,7 +65,7 @@ + # ifdef HAVE___SECURE_GETENV + # define secure_getenv __secure_getenv + # else +-# error neither secure_getenv nor __secure_getenv is available ++# define secure_getenv getenv + # endif + #endif + diff --git a/temp/networkmanager/musl-network-support.patch b/temp/networkmanager/musl-network-support.patch new file mode 100644 index 000000000..36536df67 --- /dev/null +++ b/temp/networkmanager/musl-network-support.patch @@ -0,0 +1,42 @@ +--- a/libnm-core/nm-utils.h ++++ b/libnm-core/nm-utils.h +@@ -30,7 +30,11 @@ + #include + + /* For ETH_ALEN and INFINIBAND_ALEN */ ++#if defined(__GLIBC__) + #include ++#else ++#define ETH_ALEN 6 /* Octets in one ethernet addr */ ++#endif + #include + + #include "nm-core-enum-types.h" +--- a/src/platform/wifi/nm-wifi-utils.h ++++ b/src/platform/wifi/nm-wifi-utils.h +@@ -22,7 +22,11 @@ + #ifndef __WIFI_UTILS_H__ + #define __WIFI_UTILS_H__ + ++#if defined(__GLIBC__) + #include ++#else /* musl libc */ ++#define ETH_ALEN 6 /* Octets in one ethernet addr */ ++#endif + + #include "nm-dbus-interface.h" + +--- a/shared/systemd/src/basic/socket-util.h 2019-03-16 15:41:33.287235649 +0100 ++++ b/shared/systemd/src/basic/socket-util.h 2019-03-16 15:42:24.273912106 +0100 +@@ -12,6 +12,11 @@ + #include + #include + #include ++#if !defined(__GLIBC__) ++/* SIOCGSTAMPNS from linux/asm-generic.h ++ * for src/systemd/src/libsystemd-network/sd-lldp.c */ ++#include ++#endif + + #include "macro.h" + #include "missing_socket.h" 
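Review bot: The new fallback `# define secure_getenv getenv` in nm-sd-adapt-core.h silently drops the property callers depend on: secure_getenv() returns NULL when the process runs in secure-execution mode (setuid/setgid or file capabilities), while plain getenv() does not. Replacing the `#error` therefore turns a build-time failure into environment variables being trusted in exactly those contexts. If the libc really lacks the function, keep the check explicit, e.g. `# define secure_getenv(name) (getauxval(AT_SECURE) ? NULL : getenv(name))` with `<sys/auxv.h>` included. It is also worth confirming whether the targeted musl release already provides secure_getenv, in which case the configure detection should be fixed and this patch dropped. The surrounding `#if` chain starts outside the hunk.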
diff --git a/temp/networkmanager/musl-process-util.patch b/temp/networkmanager/musl-process-util.patch new file mode 100644 index 000000000..0eb0057fd --- /dev/null +++ b/temp/networkmanager/musl-process-util.patch @@ -0,0 +1,40 @@ +--- a/shared/systemd/src/basic/process-util.c ++++ b/shared/systemd/src/basic/process-util.c +@@ -21,6 +21,9 @@ + #include + #include + #include ++#ifndef __GLIBC__ ++#include ++#endif + #if 0 /* NM_IGNORED */ + #if HAVE_VALGRIND_VALGRIND_H + #include +@@ -1168,11 +1171,13 @@ void reset_cached_pid(void) { + cached_pid = CACHED_PID_UNSET; + } + ++#ifdef __GLIBC__ + /* We use glibc __register_atfork() + __dso_handle directly here, as they are not included in the glibc + * headers. __register_atfork() is mostly equivalent to pthread_atfork(), but doesn't require us to link against + * libpthread, as it is part of glibc anyway. */ + extern int __register_atfork(void (*prepare) (void), void (*parent) (void), void (*child) (void), void *dso_handle); + extern void* __dso_handle _weak_; ++#endif + + pid_t getpid_cached(void) { + static bool installed = false; +@@ -1201,7 +1206,12 @@ pid_t getpid_cached(void) { + * only half-documented (glibc doesn't document it but LSB does — though only superficially) + * we'll check for errors only in the most generic fashion possible. */ + +- if (__register_atfork(NULL, NULL, reset_cached_pid, __dso_handle) != 0) { ++ #ifdef __GLIBC__ ++ if (__register_atfork(NULL, NULL, reset_cached_pid, __dso_handle) != 0) { ++ #else ++ if (pthread_atfork(NULL, NULL, reset_cached_pid) != 0) { ++ #endif ++ + /* OOM? Let's try again later */ + cached_pid = CACHED_PID_UNSET; + return new_pid; diff --git a/temp/networkmanager/networkmanager.conf b/temp/networkmanager/networkmanager.conf new file mode 100644 index 000000000..8da4fe048 --- /dev/null +++ b/temp/networkmanager/networkmanager.conf @@ -0,0 +1,2 @@ +[main] +dhcp=dhcpcd 
diff --git a/temp/networkmanager/networkmanager.initd b/temp/networkmanager/networkmanager.initd
new file mode 100644
index 000000000..1c5e41fc0
--- /dev/null
+++ b/temp/networkmanager/networkmanager.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright (c) 2008 Saleem Abdulrasool
+# Distributed under the terms of the GNU General Purpose License v2
+# $Header: $
+
+depend() {
+ need dbus
+ provide net
+}
+
+start() {
+ ebegin "Starting NetworkManager"
+ start-stop-daemon --start --quiet --pidfile /var/run/NetworkManager.pid \
+ --exec /usr/sbin/NetworkManager -- --pid-file /var/run/NetworkManager.pid
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping NetworkManager"
+ start-stop-daemon --stop --quiet --pidfile /var/run/NetworkManager.pid
+ eend $?
+}
+
+# vim: set ft=gentoo-init-d ts=3 sw=3 et:
diff --git a/temp/networkmanager/networkmanager.pre-install b/temp/networkmanager/networkmanager.pre-install
new file mode 100644
index 000000000..26811dfb0
--- /dev/null
+++ b/temp/networkmanager/networkmanager.pre-install
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+addgroup -S plugdev 2>/dev/null
+
+printf " *\n * To setup system connections, regular users must be member of 'plugdev' group.\n *\n"
+printf " *\n * To control WiFi devices, enable wpa_supplicant service: 'rc-update add wpa_supplicant default'\n"
+printf " * then reboot the system or restart 'wpa_supplicant' and 'networkmanager' services respectively.\n *\n"
+
+exit 0
diff --git a/temp/networkmanager/networkmanager.pre-upgrade b/temp/networkmanager/networkmanager.pre-upgrade
new file mode 120000
index 000000000..a349c8889
--- /dev/null
+++ b/temp/networkmanager/networkmanager.pre-upgrade
@@ -0,0 +1 @@
+networkmanager.pre-install
\ No newline at end of file
diff --git a/temp/networkmanager/networkmanager.rules b/temp/networkmanager/networkmanager.rules
new file mode 100644
index 000000000..66d21d6bb
--- /dev/null
+++ b/temp/networkmanager/networkmanager.rules
@@ -0,0 +1,9 @@
+// Let users in plugdev group modify NetworkManager
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
+ subject.isInGroup("plugdev") && subject.active) {
+ return "yes";
+ }
+});
+
+
diff --git a/temp/polkit/APKBUILD b/temp/polkit/APKBUILD
new file mode 100644
index 000000000..9cbdb9691
--- /dev/null
+++ b/temp/polkit/APKBUILD
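Review bot: The `plugdev` gate in this rule probably has no effect with the build options chosen in the same commit: temp/networkmanager/APKBUILD configures with `-Dmodify_system=true`, which as far as I know makes the shipped default for `org.freedesktop.NetworkManager.settings.modify.system` permissive for active local sessions, and a rule that returns nothing falls through to that default. If membership in `plugdev` is meant to be required, as the pre-install message says, build with `-Dmodify_system=false` so non-members fall back to admin authentication. The rule also checks only `subject.active`; a comment stating whether remote-but-active sessions are intended to qualify (no `subject.local` test) would help the next reader.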
@@ -0,0 +1,78 @@
+# Forked from Alpine, because networkmanager is currently missing in armhf, armv7 (#244)
+pkgname=polkit
+pkgver=0.115
+pkgrel=0
+pkgdesc="Application development toolkit for controlling system-wide privileges"
+url="https://www.freedesktop.org/wiki/Software/polkit/"
+arch="all"
+license="GPL-2.0-or-later"
+options="suid !check"
+depends_dev="dbus-glib-dev"
+makedepends="$depends_dev expat-dev glib-dev gtk-doc gobject-introspection-dev
+ intltool autoconf automake libtool bash mozjs60-dev linux-pam-dev"
+subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
+source="https://www.freedesktop.org/software/polkit/releases/polkit-$pkgver.tar.gz
+ CVE-2018-19788.patch
+ make-innetgr-optional.patch
+ mozjs60-1.patch
+ mozjs60-2.patch
+ alpine-pam.patch
+"
+install="polkit.pre-install"
+pkgusers="polkitd"
+pkggroups="polkitd"
+
+builddir="$srcdir/$pkgname-$pkgver"
+
+prepare() {
+ cd "$builddir"
+ default_prepare
+ autoreconf -fi
+}
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --libexecdir=/usr/lib/polkit-1 \
+ --localstatedir=/var \
+ --disable-static \
+ --enable-introspection \
+ --with-authfw=pam \
+ --with-os-type=alpine \
+ --disable-gtk-doc \
+ --disable-gtk-doc-html \
+ --disable-gtk-doc-pdf \
+ --disable-libelogind \
+ --disable-systemd \
+ --disable-libsystemd-login
+
+ make
+}
+
+check() {
+ cd "$builddir"
+ make check
+}
+
+package() {
+ cd "$builddir"
+ # Set SHELL as a workaround for #10081
+ make SHELL=/bin/bash DESTDIR="$pkgdir" install
+
+ # Required to run the polkitd daemon as non-root
+ chown -R polkitd:polkitd "$pkgdir"/etc/polkit-1/rules.d "$pkgdir"/usr/share/polkit-1/rules.d
+ chmod -R 700 "$pkgdir"/etc/polkit-1/rules.d "$pkgdir"/usr/share/polkit-1/rules.d
+}
+
+sha512sums="1153011fa93145b2c184e6b3446d3ca21b38918641aeccd8fac3985ac3e30ec6bc75be6973985fde90f2a24236592f1595be259155061c2d33358dd17c4ee4fc polkit-0.115.tar.gz
+5b951d7532b0ad51214cf63814cb863fe83ebc57722245cef3f5f003bba368ffd18fab03b9f23bbef8ed30972ad32f074d25491c3fe338389e02e279b4ced62c CVE-2018-19788.patch
+1e679eda2cacb25ad0d7409ab7c5811697519e46d3873a86a9ff2d8d3d3664e63c925ab13e5faf643031ea27e8e35730556121c96e06acd28c5f690848a8ce00 make-innetgr-optional.patch
+8d71494ddfc3f8d24b6c7dbab2b0440d9ab9df49d9e095c90f3802054bf858f4c81c644d1ab64872a6ea61ae70c58a181e47123a4c50bd8a339b27a23bfffaaa mozjs60-1.patch
+d7dc9fc3189a0897e8f484f7dfcee3722f75694401f7a01cac3eb1f0f6cb639081136e86e4bf467c908f77c847d4ddf310817c722fd21a73662ca6b908ce8d53 mozjs60-2.patch
+077a3e10ada918e6f9879ce50bba9145229bd92d3f13d4c6454147eb051086afbcf8d0a683a5ebe583ba00f956db011aa1afd3d9e99d7693e288737191468b8f alpine-pam.patch"
diff --git a/temp/polkit/CVE-2018-19788.patch b/temp/polkit/CVE-2018-19788.patch
new file mode 100644
index 000000000..c48df46fa
--- /dev/null
+++ b/temp/polkit/CVE-2018-19788.patch
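Review bot: In package() of temp/polkit/APKBUILD, `chown -R polkitd:polkitd` together with `chmod -R 700` on both rules.d directories makes the unprivileged daemon account the owner, with write access, of the authorization rules it evaluates. A compromise of polkitd, which embeds the mozjs JavaScript engine built in this same commit, could then persist new rules. The daemon only needs to read them, so `chown -R root:polkitd` with `chmod 750` on the two directories is the tighter choice. The recursive `700` also marks every rule file executable, which nothing visible here requires.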
@@ -0,0 +1,150 @@
+--- a/src/polkit/polkitunixgroup.c
++++ b/src/polkit/polkitunixgroup.c
+@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
+ static void
+ polkit_unix_group_init (PolkitUnixGroup *unix_group)
+ {
++ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
+ }
+
+ static void
+@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object,
+ GParamSpec *pspec)
+ {
+ PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
++ gint val;
+
+ switch (prop_id)
+ {
+ case PROP_GID:
+- unix_group->gid = g_value_get_int (value);
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ unix_group->gid = val;
+ break;
+
+ default:
+@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
+ g_param_spec_int ("gid",
+ "Group ID",
+ "The UNIX group ID",
+- 0,
++ G_MININT,
+ G_MAXINT,
+- 0,
++ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
+ */
+ void
+ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+- gint gid)
++ gint gid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
++ g_return_if_fail (gid != -1);
+ group->gid = gid;
+ }
+
+@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+ PolkitIdentity *
+ polkit_unix_group_new (gint gid)
+ {
++ g_return_val_if_fail (gid != -1, NULL);
++
+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
+ "gid", gid,
+ NULL));
+--- a/src/polkit/polkitunixprocess.c
++++ b/src/polkit/polkitunixprocess.c
+@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object,
+ polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+ break;
+
+- case PROP_UID:
+- polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
++ case PROP_UID: {
++ gint val;
++
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ polkit_unix_process_set_uid (unix_process, val);
+ break;
++ }
+
+ case PROP_START_TIME:
+ polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+- -1,
++ G_MININT,
+ G_MAXINT,
+ -1,
+ G_PARAM_CONSTRUCT |
+@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
+ gint uid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+- g_return_if_fail (uid >= -1);
+ process->uid = uid;
+ }
+
+--- a/src/polkit/polkitunixuser.c
++++ b/src/polkit/polkitunixuser.c
+@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
+ static void
+ polkit_unix_user_init (PolkitUnixUser *unix_user)
+ {
++ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */
+ unix_user->name = NULL;
+ }
+
+@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object,
+ GParamSpec *pspec)
+ {
+ PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
++ gint val;
+
+ switch (prop_id)
+ {
+ case PROP_UID:
+- unix_user->uid = g_value_get_int (value);
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ unix_user->uid = val;
+ break;
+
+ default:
+@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+- 0,
++ G_MININT,
+ G_MAXINT,
+- 0,
++ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ gint uid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_USER (user));
++ g_return_if_fail (uid != -1);
+ user->uid = uid;
+ }
+
+@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ PolkitIdentity *
+ polkit_unix_user_new (gint uid)
+ {
++ g_return_val_if_fail (uid != -1, NULL);
++
+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
+ "uid", uid,
+ NULL));
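Review bot: The new `g_return_if_fail (val != -1)` guards in the three set_property functions conflict with the param specs changed in the same patch: `uid` and `gid` now default to `-1` and stay `G_PARAM_CONSTRUCT`, so an object constructed without that property should receive `-1` in set_property and trip the guard with a GLib critical. For PolkitUnixProcess that looks like an ordinary path, so check upstream for a follow-up to this fix before carrying the backport. `polkit_unix_process_set_uid` also loses `g_return_if_fail (uid >= -1);` with no replacement, unlike the user and group setters, so the `-1` sentinel can still be stored through the setter. The comment in polkit_unix_group_init says `git_t` where `gid_t` is meant. All of these functions start or end outside their hunks.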
diff --git a/temp/polkit/alpine-pam.patch b/temp/polkit/alpine-pam.patch
new file mode 100644
index 000000000..662e7c4d9
--- /dev/null
+++ b/temp/polkit/alpine-pam.patch
@@ -0,0 +1,18 @@
+Point /etc/pam.d/polkit-1 to the right PAM files.
+
+diff --git configure.ac configure.ac
+index 36df239..53b5573 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -470,6 +470,11 @@ elif test x$with_os_type = xfreebsd -o x$with_os_type = xnetbsd; then
+ PAM_FILE_INCLUDE_ACCOUNT=system
+ PAM_FILE_INCLUDE_PASSWORD=system
+ PAM_FILE_INCLUDE_SESSION=system
++elif test x$with_os_type = xalpine; then
++ PAM_FILE_INCLUDE_AUTH=base-auth
++ PAM_FILE_INCLUDE_ACCOUNT=base-account
++ PAM_FILE_INCLUDE_PASSWORD=base-password
++ PAM_FILE_INCLUDE_SESSION=base-session
+ else
+ PAM_FILE_INCLUDE_AUTH=system-auth
+ PAM_FILE_INCLUDE_ACCOUNT=system-auth
diff --git a/temp/polkit/make-innetgr-optional.patch b/temp/polkit/make-innetgr-optional.patch
new file mode 100644
index 000000000..338c20174
--- /dev/null
+++ b/temp/polkit/make-innetgr-optional.patch
@@ -0,0 +1,68 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"],
+ [AC_MSG_ERROR([Can't find expat library. Please install expat.])])
+ AC_SUBST(EXPAT_LIBS)
+
+-AC_CHECK_FUNCS(clearenv fdatasync)
++AC_CHECK_FUNCS(clearenv fdatasync getnetgrent)
+
+ if test "x$GCC" = "xyes"; then
+ LDFLAGS="-Wl,--as-needed $LDFLAGS"
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -2228,6 +2228,7 @@ get_users_in_net_group (PolkitIdentity *group,
+ ret = NULL;
+ name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group));
+
++#if defined HAVE_GETNETGRENT
+ #ifdef HAVE_SETNETGRENT_RETURN
+ if (setnetgrent (name) == 0)
+ {
+@@ -2236,6 +2237,7 @@ get_users_in_net_group (PolkitIdentity *group,
+ }
+ #else
+ setnetgrent (name);
++#endif
+ #endif
+
+ for (;;)
+@@ -2248,8 +2250,10 @@ get_users_in_net_group (PolkitIdentity *group,
+ PolkitIdentity *user;
+ GError *error = NULL;
+
++#if defined HAVE_GETNETGRENT
+ if (getnetgrent (&hostname, &username, &domainname) == 0)
+ break;
++#endif
+
+ /* Skip NULL entries since we never want to make everyone an admin
+ * Skip "-" entries which mean "no match ever" in netgroup land */
+@@ -2274,7 +2278,9 @@ get_users_in_net_group (PolkitIdentity *group,
+ ret = g_list_reverse (ret);
+
+ out:
++#if defined HAVE_GETNETGRENT
+ endnetgrent ();
++#endif
+ return ret;
+ }
+
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -1499,6 +1499,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
+
+ JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
+
++#if defined HAVE_GETNETGRENT
+ user = JS_EncodeString (cx, args[0].toString());
+ netgroup = JS_EncodeString (cx, args[1].toString());
+
+@@ -1514,6 +1515,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
+ JS_free (cx, user);
+
+ ret = true;
++#endif
+
+ args.rval ().setBoolean (is_in_netgroup);
+
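Review bot: With HAVE_GETNETGRENT undefined, get_users_in_net_group() still enters the `for (;;)` loop, but the only exit visible in the hunk, `if (getnetgrent (&hostname, &username, &domainname) == 0) break;`, is compiled out, so the body goes on to the "Skip NULL entries" test on values that were never filled in. Unless code outside the hunk initialises those pointers and leaves the loop, that is a read of indeterminate values and possibly an endless loop inside the authority backend. Guard the whole body instead, for example `#ifndef HAVE_GETNETGRENT` / `return NULL;` / `#endif` right after the declarations. In js_polkit_user_is_in_netgroup the same guard skips `ret = true;`, which presumably makes the JS call report failure rather than "not in netgroup"; both functions start and end outside their hunks, so confirm against the full source.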
diff --git a/temp/polkit/mozjs60-1.patch b/temp/polkit/mozjs60-1.patch
new file mode 100644
index 000000000..d76a3350b
--- /dev/null
+++ b/temp/polkit/mozjs60-1.patch
@@ -0,0 +1,28 @@
+Upstream: yes
+From c9cd7024140b837b5693d7c1bbaad1b0cd31cce6 Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi
+Date: Fri, 31 Aug 2018 13:32:16 +0100
+Subject: Depend on mozjs-60
+
+This is the new ESR version of the Mozilla JS engine, superceding
+mozjs-52.
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5c37e48..5cedb4e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -79,7 +79,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+
+-PKG_CHECK_MODULES(LIBJS, [mozjs-52])
++PKG_CHECK_MODULES(LIBJS, [mozjs-60])
+
+ AC_SUBST(LIBJS_CFLAGS)
+ AC_SUBST(LIBJS_CXXFLAGS)
+--
+cgit v1.1
+
diff --git a/temp/polkit/mozjs60-2.patch b/temp/polkit/mozjs60-2.patch
new file mode 100644
index 000000000..22369bc98
--- /dev/null
+++ b/temp/polkit/mozjs60-2.patch
@@ -0,0 +1,158 @@
+Upstream: yes
+From dd00683e8781d230a45781d509d86ad676138564 Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi
+Date: Fri, 31 Aug 2018 13:33:20 +0100
+Subject: Port the JS authority to mozjs-60
+
+API changes in mozjs that need to be reflected in the JS authority:
+
+ - the JS::CompileOptions constructor and the JS::CompartmentOptions
+ do not allow setting a JS version any more
+
+ - do not use NULL comparisons for C++ objects
+
+ - the resize() method for a vector has a return value that needs
+ to be handled
+
+ - JSClassOps has different fields
+---
+ src/polkitbackend/polkitbackendjsauthority.cpp | 65 +++++++++++++-------------
+ 1 file changed, 32 insertions(+), 33 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
+index 7602714..984a0f0 100644
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -150,18 +150,17 @@ G_DEFINE_TYPE (PolkitBackendJsAuthority, polkit_backend_js_authority, POLKIT_BAC
+ /* ---------------------------------------------------------------------------------------------------- */
+
+ static const struct JSClassOps js_global_class_ops = {
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL
++ nullptr, // addProperty
++ nullptr, // deleteProperty
++ nullptr, // enumerate
++ nullptr, // newEnumerate
++ nullptr, // resolve
++ nullptr, // mayResolve
++ nullptr, // finalize
++ nullptr, // call
++ nullptr, // hasInstance
++ nullptr, // construct
++ JS_GlobalObjectTraceHook
+ };
+
+ static JSClass js_global_class = {
+@@ -172,18 +171,17 @@ static JSClass js_global_class = {
+
+ /* ---------------------------------------------------------------------------------------------------- */
+ static const struct JSClassOps js_polkit_class_ops = {
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL,
+- NULL
++ nullptr, // addProperty
++ nullptr, // deleteProperty
++ nullptr, // enumerate
++ nullptr, // newEnumerate
++ nullptr, // resolve
++ nullptr, // mayResolve
++ nullptr, // finalize
++ nullptr, // call
++ nullptr, // hasInstance
++ nullptr, // construct
++ nullptr // trace
+ };
+
+ static JSClass js_polkit_class = {
+@@ -469,19 +467,18 @@ polkit_backend_js_authority_constructed (GObject *object)
+
+ {
+ JS::CompartmentOptions compart_opts;
+- compart_opts.behaviors().setVersion(JSVERSION_LATEST);
++
+ JS::RootedObject global(authority->priv->cx);
+
+ authority->priv->js_global = new JS::Heap (JS_NewGlobalObject (authority->priv->cx, &js_global_class, NULL, JS::FireOnNewGlobalHook, compart_opts));
+
+ global = authority->priv->js_global->get ();
+-
+- if (global == NULL)
++ if (!global)
+ goto fail;
+
+ authority->priv->ac = new JSAutoCompartment(authority->priv->cx, global);
+
+- if (authority->priv->ac == NULL)
++ if (!authority->priv->ac)
+ goto fail;
+
+ if (!JS_InitStandardClasses (authority->priv->cx, global))
+@@ -493,7 +490,7 @@ polkit_backend_js_authority_constructed (GObject *object)
+
+ polkit = authority->priv->js_polkit->get ();
+
+- if (polkit == NULL)
++ if (!polkit)
+ goto fail;
+
+ if (!JS_DefineProperty(authority->priv->cx, global, "polkit", polkit, JSPROP_ENUMERATE))
+@@ -504,7 +501,7 @@ polkit_backend_js_authority_constructed (GObject *object)
+ js_polkit_functions))
+ goto fail;
+
+- JS::CompileOptions options(authority->priv->cx, JSVERSION_UNKNOWN);
++ JS::CompileOptions options(authority->priv->cx);
+ JS::RootedValue rval(authority->priv->cx);
+ if (!JS::Evaluate (authority->priv->cx,
+ options,
+@@ -684,7 +681,9 @@ set_property_strv (PolkitBackendJsAuthority *authority,
+ JS::AutoValueVector elems(authority->priv->cx);
+ guint n;
+
+- elems.resize(value->len);
++ if (!elems.resize(value->len))
++ g_error ("Unable to resize vector");
++
+ for (n = 0; n < value->len; n++)
+ {
+ const char *c_string = (const char *) g_ptr_array_index(value, n);
+@@ -741,7 +740,7 @@ subject_to_jsval (PolkitBackendJsAuthority *authority,
+ GError **error)
+ {
+ gboolean ret = FALSE;
+- JS::CompileOptions options(authority->priv->cx, JSVERSION_UNKNOWN);
++ JS::CompileOptions options(authority->priv->cx);
+ const char *src;
+ JS::RootedObject obj(authority->priv->cx);
+ pid_t pid;
+@@ -868,7 +867,7 @@ action_and_details_to_jsval (PolkitBackendJsAuthority *authority,
+ GError **error)
+ {
+ gboolean ret = FALSE;
+- JS::CompileOptions options(authority->priv->cx, JSVERSION_UNKNOWN);
++ JS::CompileOptions options(authority->priv->cx);
+ const char *src;
+ JS::RootedObject obj(authority->priv->cx);
+ gchar **keys;
+--
+cgit v1.1
+
diff --git a/temp/polkit/polkit.pre-install b/temp/polkit/polkit.pre-install
new file mode 100644
index 000000000..7c4e3eff8
--- /dev/null
+++ b/temp/polkit/polkit.pre-install
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+addgroup -S polkitd 2>/dev/null
+adduser -S -D -H -h /var/empty -s /sbin/nologin -G polkitd -g polkitd polkitd 2>/dev/null
+
+exit 0