main/doas: backport OpenBSD patch for increased rowhammer resistance

This commit backports a patch from OpenBSD upstream for increasing
resistance to rowhammer attacks. A similar patch has recently been
committed to sudo.

The patch has not made its way into OpenDoas yet. Unfortunately,
OpenDoas development seems to have stalled a bit (last commit was
2 years ago).

main/doas/APKBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=doas
 pkgver=6.8.2
-pkgrel=6
+pkgrel=7
 pkgdesc="OpenBSD's temporary privilege escalation tool"
 url="https://github.com/Duncaen/OpenDoas"
 arch="all"
@@ -13,6 +13,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/Duncaen/OpenDoas/archive/v$p
 	configuration-directory.patch
 	manpage-example-path.patch
 	change-PATH.patch
+	rowhammer.patch
 	doas.conf
 	"
 builddir="$srcdir/OpenDoas-$pkgver"
@@ -50,5 +51,6 @@ sha512sums="
 efad2866d9d3e26266bdb37555453a436aa88ff4b8877b2ba01f7446ea095d998313aa566cafba30d426c79968d3d4a610dfbaa2e33735ab60f1283c9d9fa4ef  configuration-directory.patch
 60efd196595bda2c4f036cd0080a8825a85fedcc7524c917304b342373863213b3c557b4336f1dab760f167fd8cc2a59b2e744d8a47ff8a8acebbe74b1328f4f  manpage-example-path.patch
 31a87aced097ea1189c2162172788cd27b82af318db3476e1c143d3c87d99e2aa6350f63b81361d0a54482ba8dd0cfd10928ff6074a4c66248a1ec815a274f68  change-PATH.patch
+c18e0e164606466c2e59b94c463f31c8d4ba7f050938114525a70855935655d0c690662de63358ca6854d3411a486d5a85aa247895b640c3b124c957ff325fe9  rowhammer.patch
 b52a9cfe5cea9068db0f2ff09d2c2520a09603bd5cc5586031fcb2496a11b87c0b5ffc5bac2bfa9a9daafd04d9d3c8b3c93cf413a7b835c36a7a12bd60844598  doas.conf
 "

main/doas/rowhammer.patch

@@ -0,0 +1,73 @@
+This patch has been taken from OpenBSD upstream, it changes permit bits to make
+them more rowhammer-resistent. A similar patch has also been committed to sudo.
+
+The patch has not made its way into OpenDoas yet, but at the time of writting
+OpenDoas upstream is rather stale (last commit was done 2 years ago).
+
+See:
+
+* https://github.com/openbsd/src/commit/38599afa1d1d1f14a897b01350e8ce94486e1788
+* https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f
+
+diff --git a/doas.c b/doas.c
+index ac3a42a..93f0836 100644
+--- a/doas.c
++++ b/doas.c
+@@ -148,8 +148,10 @@ permit(uid_t uid, gid_t *groups, int ngroups, const struct rule **lastr,
+ 			*lastr = rules[i];
+ 	}
+ 	if (!*lastr)
++		return -1;
++	if ((*lastr)->action == PERMIT)
+ 		return 0;
+-	return (*lastr)->action == PERMIT;
++	return -1;
+ }
+ 
+ static void
+@@ -184,6 +186,7 @@ checkconfig(const char *confpath, int argc, char **argv,
+     uid_t uid, gid_t *groups, int ngroups, uid_t target)
+ {
+ 	const struct rule *rule;
++	int rv;
+ 
+ 	if (setresuid(uid, uid, uid) != 0)
+ 		err(1, "setresuid");
+@@ -191,9 +194,9 @@ checkconfig(const char *confpath, int argc, char **argv,
+ 	parseconfig(confpath, 0);
+ 	if (!argc)
+ 		exit(0);
+-
+-	if (permit(uid, groups, ngroups, &rule, target, argv[0],
+-	    (const char **)argv + 1)) {
++	rv = permit(uid, groups, ngroups, &rule, target, argv[0],
++ 	    (const char **)argv + 1);
++	if (rv == 0) {
+ 		printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
+ 		exit(0);
+ 	} else {
+@@ -342,8 +345,9 @@ main(int argc, char **argv)
+ 	}
+ 
+ 	cmd = argv[0];
+-	if (!permit(uid, groups, ngroups, &rule, target, cmd,
+-	    (const char **)argv + 1)) {
++	rv = permit(uid, groups, ngroups, &rule, target, cmd,
++	    (const char **)argv + 1);
++	if (rv != 0) {
+ 		syslog(LOG_AUTHPRIV | LOG_NOTICE,
+ 		    "command not permitted for %s: %s", mypw->pw_name, cmdline);
+ 		errc(1, EPERM, NULL);
+diff --git a/doas.h b/doas.h
+index a8aa41b..591816f 100644
+--- a/doas.h
++++ b/doas.h
+@@ -36,7 +36,7 @@ struct passwd;
+ char **prepenv(const struct rule *, const struct passwd *,
+     const struct passwd *);
+ 
+-#define PERMIT	1
++#define PERMIT	-1
+ #define DENY	2
+ 
+ #define NOPASS		0x1