add content
This commit is contained in:
parent
fdb66ec988
commit
840f37da49
|
@ -0,0 +1,2 @@
|
|||
DIST sara-test-0.2.tar.gz 33807 BLAKE2B db8e31379f8f7747647246b2b9023d8fec76802eb502b8255d97afae83c026fe6ea4028ce242942578edcf9d0089de794bc06c6a1befa43392e0c3c7e6bb166b SHA512 cccc0348a1b19cb483483e5571bb85ae0295e6f0b16b2dc652a8361ee8087daf2afad280c69a3f7aaaa032235c78ec231ffd862116e41790a71cfaed23f5ae86
|
||||
EBUILD sara-test-0.2.ebuild 364 BLAKE2B 1df8d8cc87e1bd88cfd121af7f4b857e68bca14794428f13ee734545831b09a25aa1665448f0dd367103e99a4850f2da0caccf8154d4ed7e0baba26a3bb73dab SHA512 3ee9a256b4da7390e4dc196183dca0823670bbce60f4e0ff3c67fde4ebc755a374f4147f654378f351a5a204c0d81c50010c6c52dfd97219dcc8341a46e21374
|
|
@ -0,0 +1,17 @@
|
|||
# Copyright 2019 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
DESCRIPTION="S.A.R.A.'s test suite"
|
||||
HOMEPAGE="https://github.com/smeso/sara-test"
|
||||
SRC_URI="https://github.com/smeso/${PN}/archive/v0.2.tar.gz -> ${P}.tar.gz"
|
||||
|
||||
LICENSE="GPL-3"
|
||||
SLOT="0"
|
||||
KEYWORDS="amd64 ~x86"
|
||||
IUSE=""
|
||||
|
||||
DEPEND=""
|
||||
RDEPEND="${DEPEND}"
|
||||
BDEPEND=""
|
|
@ -0,0 +1,6 @@
|
|||
DIST lego-1.0.1.tar.gz 2147839 BLAKE2B ad33e8b1cf61efd3396d584cf8506e987d8726c72726b0f4214124f81de47ef158ecc5f708ac1c7b75d5351865df48563af572812fd653eb9f30fcb3df635a4c SHA512 65f278873eb9e7fe8b17d1a65782876bf2ea8afc20b9f205b912d937e4dcc8fd40fbee0eced64e80d05d6334ccec85324edbe0c8cdd47e1a35a459d9f6e2edb5
|
||||
DIST lego-1.2.1.tar.gz 4307533 BLAKE2B 1f5c35a456a30cbf8722dc61356f7072e94231627ea4edac0e3bda53d35a86ce8abe2aaf9669b5c475b5766233c40c9fb7b364bd24707bf9c9960356a676e1e9 SHA512 b326b27a768d7c767df1401ff7497eb73b7f2842ebbbc3a1ccb1907d031c2397aca2d1e47c150b46bd5a3421306e67de80d31c247d28402acfd47d6be251336b
|
||||
DIST lego-2.4.0.tar.gz 4595834 BLAKE2B cbf538c497455ba37b6c0648c97919971d758dfbffe92f9c38bcf65536f4e0393ae85f4efe46c820339f7f7e82bc434bcdd2a3b2b2f2fab97d58c1bf6eee5e3d SHA512 aaed154fed3bc5d490c945a31170c934b8115ea60f0811d5e2f781eeb8befe4b94692d4890a42d3c88eca390574b60dd0cae2a7d8c35474b58b2e1d6bd817aec
|
||||
EBUILD lego-1.0.1.ebuild 812 BLAKE2B 4c6f7486778b877f67e9ea674b31df289c306c3fffdc1b0bd5dfdf74866fabcef908b502d605a840acbf520ecf4b4341500a7c046d48fa27ee8df882dd91f9b8 SHA512 764ef611797dab0adbff773bb3b9a3cf1724fe1b636f275808e07d1310f2ca568365ff78ddc940523c00462a0c65e25b736fd76be8a223e0f01874bd0785e8f5
|
||||
EBUILD lego-1.2.1.ebuild 812 BLAKE2B 4c6f7486778b877f67e9ea674b31df289c306c3fffdc1b0bd5dfdf74866fabcef908b502d605a840acbf520ecf4b4341500a7c046d48fa27ee8df882dd91f9b8 SHA512 764ef611797dab0adbff773bb3b9a3cf1724fe1b636f275808e07d1310f2ca568365ff78ddc940523c00462a0c65e25b736fd76be8a223e0f01874bd0785e8f5
|
||||
EBUILD lego-2.4.0.ebuild 832 BLAKE2B af396f02f21680e339eca2e5142eb87ac1e83a60dc0e4683a8c0aac1aac241b394e7d1ae6ae02e118a36630eaa2727fa290433b89fa9f9cb2a3bc0167c3f6c0e SHA512 9ad70f7cece1dbfe93e9cf50339b16d4f0fef004724b4694fb85a20d51d4330dbf66fc724d6894ce5900b5c305ec10ce07a071695de0129f7219f35af9441b62
|
|
@ -0,0 +1,31 @@
|
|||
# Copyright 1999-2017 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
|
||||
EGO_PN="github.com/xenolf/lego"
|
||||
|
||||
inherit golang-build golang-vcs-snapshot
|
||||
|
||||
KEYWORDS="~amd64"
|
||||
|
||||
DESCRIPTION="Let's Encrypt client and ACME library written in Go"
|
||||
HOMEPAGE="https://github.com/xenolf/lego"
|
||||
SRC_URI="https://${EGO_PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
|
||||
LICENSE="MIT"
|
||||
SLOT="0"
|
||||
IUSE="selinux"
|
||||
|
||||
RDEPEND="selinux? ( sec-policy/selinux-lego )"
|
||||
|
||||
src_compile() {
|
||||
export GOPATH="${S}:$(get_golibdir_gopath)"
|
||||
cd src/${EGO_PN} || die
|
||||
go build -ldflags="-s -X main.version=${PV}" -o bin/lego || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
pushd src/${EGO_PN} >& /dev/null || die
|
||||
dobin bin/*
|
||||
popd >& /dev/null || die
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
# Copyright 1999-2017 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
|
||||
EGO_PN="github.com/xenolf/lego"
|
||||
|
||||
inherit golang-build golang-vcs-snapshot
|
||||
|
||||
KEYWORDS="~amd64"
|
||||
|
||||
DESCRIPTION="Let's Encrypt client and ACME library written in Go"
|
||||
HOMEPAGE="https://github.com/xenolf/lego"
|
||||
SRC_URI="https://${EGO_PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
|
||||
LICENSE="MIT"
|
||||
SLOT="0"
|
||||
IUSE="selinux"
|
||||
|
||||
RDEPEND="selinux? ( sec-policy/selinux-lego )"
|
||||
|
||||
src_compile() {
|
||||
export GOPATH="${S}:$(get_golibdir_gopath)"
|
||||
cd src/${EGO_PN} || die
|
||||
go build -ldflags="-s -X main.version=${PV}" -o bin/lego || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
pushd src/${EGO_PN} >& /dev/null || die
|
||||
dobin bin/*
|
||||
popd >& /dev/null || die
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
# Copyright 1999-2017 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
|
||||
EGO_PN="github.com/go-acme/lego"
|
||||
|
||||
inherit golang-build golang-vcs-snapshot
|
||||
|
||||
KEYWORDS="amd64"
|
||||
|
||||
DESCRIPTION="Let's Encrypt client and ACME library written in Go"
|
||||
HOMEPAGE="https://go-acme.github.io/lego/"
|
||||
SRC_URI="https://${EGO_PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
|
||||
|
||||
LICENSE="MIT"
|
||||
SLOT="0"
|
||||
IUSE="selinux"
|
||||
|
||||
RDEPEND="selinux? ( sec-policy/selinux-lego )"
|
||||
|
||||
src_compile() {
|
||||
export GOPATH="${S}:$(get_golibdir_gopath)"
|
||||
cd src/${EGO_PN} || die
|
||||
go build -ldflags="-s -X main.version=${PV}" -o dist/lego ./cmd/lego/ || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
pushd src/${EGO_PN} >& /dev/null || die
|
||||
dobin dist/${PN}
|
||||
popd >& /dev/null || die
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
AUX 0002-image.c-clear-image-variable.patch 822 BLAKE2B acb775f625ecd081d9b3d7e497b066218e82d2dc13f80c473c25361dc85098ee15e5f14530334e47c33fe7cc9b2349ffb1aaba7abe4fdd33bfdde05ed9191c39 SHA512 004ba118cbe8fe5cc291888966e5994373c0b9d8149bc5c652a72971138fab5e64d721061c69e8b864d6ca5cdb4ffa193520156941b6bd9c998b256f8d72697b
|
||||
AUX 0003-Fix-for-multi-sign.patch 1452 BLAKE2B eaa6e39c18d13f3819d5852eda27eb5a8d589241224965392f1b1e067b5cb9ff0ece7fa83697e5fb6f5f8dd0acec15b7bbe57fcd5f761fcb2e8e1fc51193641f SHA512 2aba55a116536e7f41e4aac2fd33eeb92cf89b14bcdd8b93b6e9dc9bdaf2f0162134e56f7d365640445bf801ad8590f6d49f14cdf80b791324647067d52ae435
|
||||
AUX sbsigntools-0.9.1-openssl-1.1.0-compat.patch 4727 BLAKE2B 3b47c8086220cf12778bf5cd6018627a30ea349677eeb2cfcd1eaa1b83a25d39499ab21a1a123181a51f4138624c17e574050216f59c480e38d9774936f8b6f0 SHA512 6946e1d67161345088aee3ab54129b6e904b6008f2b275ab4eb55ed24fb2b866029f7d7ca856c5dfe76c395580f04709ad1be974369a1b4954b9e87cf812fd4b
|
||||
DIST sbsigntool_0.6.orig.tar.gz 212375 BLAKE2B fab9141c7fbfa01ec24f975503ac83be4ae0664251a1311afb3d95124fec3750ce20a5ffab35b6965d4ee4585ab4ee91f25ae49488214a983b6fc006071d0968 SHA512 ed314d1cb7278cf5f27d4c3cd17f2195678419a7f9e47770429b6f95df35f7df035331e60c45970183ddd9b150a9b752f876c777929598b0525872b3255af95c
|
||||
EBUILD sbsigntools-0.6-r2.ebuild 1175 BLAKE2B 929699251878c2860398192e990a9e502453e50f8d3b5259dc8e7bc0f6a9ffe6e746016f120efb24b92b0a934033bd1763f7a9f6592e421b49903da6e81e3951 SHA512 7751a727c445f3e50d5669aafce8f2e4869789c988c1a32a097be814ec466a2e876f80b454c2d0817d590206ccb6ae0f24ed845cf4dee26ca5bae55ff8accd4d
|
||||
MISC metadata.xml 291 BLAKE2B 0aeb75750176d719f10db508a8924d0bf2fe75e8544b275a7c7e11c44320ce4f7819febb093dd3083a33a998a225f2a3b882407a8ffc03d1a57d03cbfc0a7ff2 SHA512 f7a520fc9a216ff983bd3d361c6ddb3b635eb5dcd94ed042e7c5d0beb0b4e10cdb231e2b4ace599ebb93d4bb46e071a744f1a780ec83f451bb2ee6bad4c2d8cc
|
|
@ -0,0 +1,29 @@
|
|||
From 21e984fa9d93a760cc03f5d9d13d023809227df2 Mon Sep 17 00:00:00 2001
|
||||
From: James Bottomley <JBottomley@Parallels.com>
|
||||
Date: Thu, 11 Apr 2013 21:12:17 -0700
|
||||
Subject: image.c: clear image variable
|
||||
|
||||
Not zeroing the image after talloc occasionally leads to a segfault because
|
||||
the programme thinks it has a signature when in reality it just has a junk
|
||||
pointer and segfaults.
|
||||
|
||||
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
||||
---
|
||||
src/image.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/image.c b/src/image.c
|
||||
index cc55791..10eba0e 100644
|
||||
--- a/src/image.c
|
||||
+++ b/src/image.c
|
||||
@@ -401,6 +401,7 @@ struct image *image_load(const char *filename)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ memset(image, 0, sizeof(*image));
|
||||
rc = fileio_read_file(image, filename, &image->buf, &image->size);
|
||||
if (rc)
|
||||
goto err;
|
||||
--
|
||||
1.8.2.1
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
|
||||
From: James Bottomley <JBottomley@Parallels.com>
|
||||
Date: Mon, 30 Sep 2013 19:25:37 -0700
|
||||
Subject: [PATCH 4/4] Fix for multi-sign
|
||||
|
||||
The new Tianocore multi-sign code fails now for images signed with
|
||||
sbsigntools. The reason is that we don't actually align the signature table,
|
||||
we just slap it straight after the binary data. Unfortunately, the new
|
||||
multi-signature code checks that our alignment offsets are correct and fails
|
||||
the signature for this reason. Fix by adding junk to the end of the image to
|
||||
align the signature section.
|
||||
|
||||
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
||||
---
|
||||
src/image.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/image.c b/src/image.c
|
||||
index 10eba0e..519e288 100644
|
||||
--- a/src/image.c
|
||||
+++ b/src/image.c
|
||||
@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
|
||||
|
||||
/* record the size of non-signature data */
|
||||
r = &image->checksum_regions[image->n_checksum_regions - 1];
|
||||
- image->data_size = (r->data - (void *)image->buf) + r->size;
|
||||
+ /*
|
||||
+ * The new Tianocore multisign does a stricter check of the signatures
|
||||
+ * in particular, the signature table must start at an aligned offset
|
||||
+ * fix this by adding bytes to the end of the text section (which must
|
||||
+ * be included in the hash)
|
||||
+ */
|
||||
+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
|
||||
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
1.8.4
|
||||
|
|
@ -0,0 +1,152 @@
|
|||
diff --git a/src/fileio.c b/src/fileio.c
|
||||
index 032eb1e..09bc3aa 100644
|
||||
--- a/src/fileio.c
|
||||
+++ b/src/fileio.c
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/engine.h>
|
||||
+#include <openssl/ui.h>
|
||||
|
||||
#include <ccan/talloc/talloc.h>
|
||||
#include <ccan/read_write_all/read_write_all.h>
|
||||
diff --git a/src/idc.c b/src/idc.c
|
||||
index 236cefd..6d87bd4 100644
|
||||
--- a/src/idc.c
|
||||
+++ b/src/idc.c
|
||||
@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
|
||||
|
||||
/* extract the idc from the signed PKCS7 'other' data */
|
||||
str = p7->d.sign->contents->d.other->value.asn1_string;
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
idcbuf = buf = ASN1_STRING_data(str);
|
||||
+#else
|
||||
+ idcbuf = buf = ASN1_STRING_get0_data(str);
|
||||
+#endif
|
||||
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
|
||||
|
||||
/* If we were passed a BIO, write the idc data, minus type and length,
|
||||
@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
|
||||
}
|
||||
|
||||
/* check hash against the one we calculated from the image */
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
buf = ASN1_STRING_data(str);
|
||||
+#else
|
||||
+ buf = ASN1_STRING_get0_data(str);
|
||||
+#endif
|
||||
if (memcmp(buf, sha, sizeof(sha))) {
|
||||
fprintf(stderr, "Hash doesn't match image\n");
|
||||
fprintf(stderr, " got: %s\n", sha256_str(buf));
|
||||
diff --git a/src/sbattach.c b/src/sbattach.c
|
||||
index a0c01b8..e89a23e 100644
|
||||
--- a/src/sbattach.c
|
||||
+++ b/src/sbattach.c
|
||||
@@ -231,6 +231,7 @@ int main(int argc, char **argv)
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
ERR_load_crypto_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
OPENSSL_config(NULL);
|
||||
@@ -239,6 +240,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
|
||||
image = image_load(image_filename);
|
||||
if (!image) {
|
||||
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
|
||||
index 7b17f40..419b1e7 100644
|
||||
--- a/src/sbkeysync.c
|
||||
+++ b/src/sbkeysync.c
|
||||
@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
|
||||
goto out;
|
||||
|
||||
key->id_len = ASN1_STRING_length(serial);
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
|
||||
+#else
|
||||
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
|
||||
+#endif
|
||||
|
||||
key->description = talloc_array(key, char, description_len);
|
||||
X509_NAME_oneline(X509_get_subject_name(x509),
|
||||
@@ -927,6 +931,7 @@ int main(int argc, char **argv)
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
ERR_load_crypto_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
@@ -936,6 +941,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
|
||||
ctx->filesystem_keys = init_keyset(ctx);
|
||||
ctx->firmware_keys = init_keyset(ctx);
|
||||
diff --git a/src/sbsign.c b/src/sbsign.c
|
||||
index ff1fdfd..78d8d64 100644
|
||||
--- a/src/sbsign.c
|
||||
+++ b/src/sbsign.c
|
||||
@@ -188,6 +188,7 @@ int main(int argc, char **argv)
|
||||
|
||||
talloc_steal(ctx, ctx->image);
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
ERR_load_crypto_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
@@ -197,6 +198,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
if (engine)
|
||||
pkey = fileio_read_engine_key(engine, keyfilename);
|
||||
else
|
||||
diff --git a/src/sbvarsign.c b/src/sbvarsign.c
|
||||
index 7dcbe51..9319c8b 100644
|
||||
--- a/src/sbvarsign.c
|
||||
+++ b/src/sbvarsign.c
|
||||
@@ -509,6 +509,7 @@ int main(int argc, char **argv)
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
/* initialise openssl */
|
||||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
@@ -519,6 +520,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
|
||||
/* set up the variable signing context */
|
||||
varname = argv[optind];
|
||||
diff --git a/src/sbverify.c b/src/sbverify.c
|
||||
index 3920d91..d0b203a 100644
|
||||
--- a/src/sbverify.c
|
||||
+++ b/src/sbverify.c
|
||||
@@ -250,6 +250,7 @@ int main(int argc, char **argv)
|
||||
verbose = false;
|
||||
detached_sig_filename = NULL;
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OpenSSL_add_all_digests();
|
||||
ERR_load_crypto_strings();
|
||||
OPENSSL_config(NULL);
|
||||
@@ -258,6 +259,7 @@ int main(int argc, char **argv)
|
||||
* module isn't present). In either case ignore the errors
|
||||
* (malloc will cause other failures out lower down */
|
||||
ERR_clear_error();
|
||||
+#endif
|
||||
|
||||
for (;;) {
|
||||
int idx;
|
|
@ -0,0 +1,10 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="person">
|
||||
<email>tamiko@gentoo.org</email>
|
||||
</maintainer>
|
||||
<upstream>
|
||||
<remote-id type="launchpad">ubuntu</remote-id>
|
||||
</upstream>
|
||||
</pkgmetadata>
|
|
@ -0,0 +1,44 @@
|
|||
# Copyright 1999-2018 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="5"
|
||||
|
||||
MY_PN="${PN::-1}"
|
||||
|
||||
inherit eutils toolchain-funcs
|
||||
|
||||
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
|
||||
HOMEPAGE="https://launchpad.net/ubuntu/+source/sbsigntool"
|
||||
SRC_URI="https://launchpad.net/ubuntu/+archive/primary/+files/${MY_PN}_${PV}.orig.tar.gz"
|
||||
|
||||
LICENSE="GPL-3"
|
||||
SLOT="0"
|
||||
KEYWORDS="amd64 x86"
|
||||
IUSE="libressl"
|
||||
|
||||
RDEPEND="
|
||||
!libressl? ( dev-libs/openssl:0= )
|
||||
libressl? ( dev-libs/libressl:0= )
|
||||
sys-apps/util-linux"
|
||||
DEPEND="${RDEPEND}
|
||||
sys-apps/help2man
|
||||
sys-boot/gnu-efi
|
||||
sys-libs/binutils-libs
|
||||
virtual/pkgconfig"
|
||||
|
||||
S="${WORKDIR}/${MY_PN}-${PV}"
|
||||
|
||||
src_prepare() {
|
||||
local iarch
|
||||
case ${ARCH} in
|
||||
ia64) iarch=ia64 ;;
|
||||
x86) iarch=ia32 ;;
|
||||
amd64) iarch=x86_64 ;;
|
||||
*) die "unsupported architecture: ${ARCH}" ;;
|
||||
esac
|
||||
sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure || die
|
||||
sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.in || die
|
||||
sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
|
||||
epatch "${FILESDIR}"/0002-image.c-clear-image-variable.patch
|
||||
epatch "${FILESDIR}"/0003-Fix-for-multi-sign.patch
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
DIST go-darwin-amd64-bootstrap-1.8.tbz 55053831 BLAKE2B 7d87ff36b0e13b3b3c0b8ffc4516493e1a6dde1287675b85b591c1d0a8438c9cb9c8991dc53d3c94c5ebb26830da1c7177ef1f90c250c1efeb5868020abcc660 SHA512 4cc24d44c84c94feafab021c0977fcea2aca8f191c6395e38fff68154b1e64efc3f94331c3e36c7b69901af58e9d53545c682f0a742d36b2d230508bd69777c4
|
||||
DIST go-freebsd-386-bootstrap-1.8.tbz 53739013 BLAKE2B a91e0a6b601aadc965f774ffd25a185e1f300e7194e969337f32bf9cb3056769786d92ef697271e7434d72c04d9d6780bf0fb3cb70efa83fe53cc18dc23670ec SHA512 c92f849b2d92401657412cccc589042b2747e55b2f4813d674c5bc91c3f535ee60f8ed7b8cbf1320e216d22a16dade8b78bb8071982895901f2b3c304e38f478
|
||||
DIST go-freebsd-amd64-bootstrap-1.8.tbz 55103927 BLAKE2B 30e4e4bcb43da3a170f520b47cd032a524d4c4977a9c76c4d597bb50e21a3ad2ef764dec15085d97cb5791bd483d8fac10ef5949c56b46e7580468fc9c90a78c SHA512 c7d50731ff41147295ef5f3233aa1404081b47e786a300e1d0e4db8348e56bd73fe5f169fe8b807ffa37a53683e3aef16ebb6e877d802b86ff1a3d5d3a6f44cb
|
||||
DIST go-linux-386-bootstrap-1.8.tbz 53843745 BLAKE2B 6bbb6df7ea0f7307386590524261f9ec477e7032171020ac3ed4a09bf9c39075ba4143c466611b0ab28cc4b494dec75063ecb291d2166a82bc7601562e7e3685 SHA512 b456f7572d04c805a6fc756647c050460f76e5404dba41963c861c92f1600e9fedafe181a1f69132518065737a88edb4b183ec8c3ca24bc8df31279117e92606
|
||||
DIST go-linux-amd64-bootstrap-musl-1.4.3.tbz 23246790 BLAKE2B 364d2afa2a882b752635c2e3b956ca499b02fd4842eb8e159fce74adfffb9e65db3e5b64a2ed81ec12dc71bd209979cbe6d35b3796ef877ff148f2c1be249de5 SHA512 1cdc1c667fbee992c2ef0555d1ed8ce4d8b9ecf5ecd23b73f6729a6f91764a41407a016c71eeb1755cb1889fe702a0aa0da382ffdb6bab7b9cdacaa558449898
|
||||
DIST go-linux-arm-bootstrap-1.8.tbz 53948103 BLAKE2B 515051e777ad273999c82f31b8a07ba61b77fbeede761a72b52c0bc3a7b55da013b5061af03a1b9634bf7b44429d7b371b89be85fb9e4f3a23d4d1a3c52bd90b SHA512 98ff0dbdb2aca9e54ea5327c9d31ce389e434a887015ef8555a8e85223a9998075c5013045275fb995a877a8d247704a21d726d46df7097adc0c4aa03af4cd68
|
||||
DIST go-linux-arm64-bootstrap-1.8.tbz 51947002 BLAKE2B 5899f5d304031eae96b66ed7aa21f5af13b0fdfdcd7a12095bda2eff0f5fe5610135f9370b34681e4c33f33c1e0428a2a09c1c8a581c6b170da223f57cac4607 SHA512 adfbe62c5594c267707078bf8afb94a793dfba004c04a1a60f96d023d96c2fc4a6a422dee93a0f3487b1f2e1e117c7c6c607b62126dd5535686aaed88f6659d9
|
||||
DIST go-linux-ppc64-bootstrap-1.8.tbz 52315782 BLAKE2B 6be0a48e8bc4e5fed4d34f8aaa8dfb6ad4d513064275dd940d0f58b25d442b33ad71c11687d317448b93d9c4690f7412e5a6a4553ec5298663409416cec04fbf SHA512 0aa32ac1514055ed9140b8c8330cbdbadfd9da6ad00b60d49b0685473be21e0b6510c31394678e32048f2f38d06a0d575f453c555614664eaef2bf5be6c91734
|
||||
DIST go-linux-ppc64le-bootstrap-1.8.tbz 52211575 BLAKE2B 7a28ec5a381369c4e9415c8360e904c2545380513afd328077c584e8af0bf6bd818aa03e5a58c350cbb98facc1c9dccb02b06adcb27233875497cf5d33265912 SHA512 6931d999dd0ee1ff44c4cec48acb27af061f57f87aa74802dcebab78553b46bc8ac732f07fe91e5074dbdd32c55b707994875934bfb12bb4276d71eb1d06c4ba
|
||||
DIST go-linux-s390x-bootstrap-1.8.tbz 57124869 BLAKE2B 920a176b8f4fc3a816e724324bbb30a383d599e31a0d2093d24797dbcd0e799a662a3589dbb87d2f5dd16df07c4cf8f1e444e87b540ec732746bb025dc9271f8 SHA512 d429cae870d66217ab2e07c74209d3031d97baa4f899b4d70ae6283a1a5b1434b037904c4cfca0b2bc798d5ba0b358c3739e000eccbc74809baf564c5686df5a
|
||||
DIST go-solaris-amd64-bootstrap-1.8.tbz 54926326 BLAKE2B 0a45312f090d81ebf46fe5950cb65c059e2801394231e715e94145d1f918eb59b10472b2385e57ebd5cfb9eca0ad7290fb118436486b665520bb540970f971ab SHA512 52b849e5b9a940e10de7ba3df0ebdf6e1c5d631de9581d936c9edf8f38e6bb3314acbc2b2d5202b0528fde2a359d52bc0c6f39acf9b1b614725e4b4a947ed10d
|
||||
DIST go1.10.1.src.tar.gz 18305765 BLAKE2B 61b8db22c50b9a4653244dc18267f405607755932d84ea2c475338a9f4a5421da2bb8cc808dbd166aa35c3c8778180bf47d6e51ebe303bc62e582516919058f9 SHA512 13f6b0643a4f92eeca04444b9fa10de38fc3427daea9aa3227cf9a5738ffee1a3f2e355ba5faf711b8506f7de118bdcd3b9064b65407a22613523e29ffd73415
|
||||
DIST go1.10.3.src.tar.gz 18323736 BLAKE2B f07ea774378eb25e28fc29ce6d8d7ed84227d4b93bfa93d38a071fe294da30c3cdc3a559d643e7379873df56b0e2731dbd772e385ffcb4b2e93819db3b4e33f2 SHA512 fd2bd5fcb5c6d0a5336c4b1d2cacb368edbb01359297a83bdedc53f6018642598232f00633fc60fde879050f5f26a810c828d46b5d6626cbcc0702d93ad33fbb
|
||||
DIST go1.11.5.src.tar.gz 21108339 BLAKE2B 3a33a89e267e57fee688e4d67257810ca1f37cfb904b6806c3a566b021aa80153f59f64d3a61ed68f526f093e0d5b6b3c95565cd06622cf9a65eef81bc7e9733 SHA512 63500238e8d73e4b29279ee3eb9242960de93ccd3b52bacc4009f45cf123cb8edfe5f519d38c5b07bdf2a810925758511ff3255310a056113d0169f78be1d2f6
|
||||
EBUILD go-1.10.1.ebuild 5653 BLAKE2B 1e742993a575d6f28fc55d16d466152f93a7ad89aabb429d83ea31d5a51f5c0188f6b22c2e1d5b721af68315dc9bd7bc59fcb6a1470393de0fda73ad6be57db4 SHA512 c42ca83b0d4f5a2d8cb1c272551cea55d5d47fafa30cc4a624fbb965a9ef3d35ac14b4fe4a27ccb557e89661a2757e82f2ecda35d8395556f22f6b681489f921
|
||||
EBUILD go-1.10.3.ebuild 5653 BLAKE2B 1e742993a575d6f28fc55d16d466152f93a7ad89aabb429d83ea31d5a51f5c0188f6b22c2e1d5b721af68315dc9bd7bc59fcb6a1470393de0fda73ad6be57db4 SHA512 c42ca83b0d4f5a2d8cb1c272551cea55d5d47fafa30cc4a624fbb965a9ef3d35ac14b4fe4a27ccb557e89661a2757e82f2ecda35d8395556f22f6b681489f921
|
||||
EBUILD go-1.11.5.ebuild 6008 BLAKE2B 025a51bc415f60e9b94d6cd985c5334f5d7f603c3e14537ad6d8422c369a0d9b89ef534093dab52617f17108840d5a9105815d984883ce076ef47f322c4d7752 SHA512 31decfc1df9eae82316ac10aebe4d01190e2fdaa2b365eb8ee65750bf1a23e1d676f03a0551d7b9bd4c339358f7555a53d2a8806ed209b28e8e81ad3a8e680f7
|
||||
MISC metadata.xml 538 BLAKE2B 78502c369a490804b2c69eef864276c2be5d0ee84ec189b6cc8584f8f42668a35f3c74bd25ceb53c469716337cbab908c576ca880c492f5961fedafc74cc346f SHA512 514a441a522218fdca543a22370e965a2bfc1f1f2c37e77431143329bb3d3f4f53e99ad5d7f7d7c61877f77387a777f7b4f339b9a3e45322d01d39d3d0ea1309
|
|
@ -0,0 +1,228 @@
|
|||
# Copyright 1999-2018 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
|
||||
export CBUILD=${CBUILD:-${CHOST}}
|
||||
export CTARGET=${CTARGET:-${CHOST}}
|
||||
|
||||
MY_PV=${PV/_/}
|
||||
|
||||
inherit toolchain-funcs
|
||||
|
||||
BOOTSTRAP_DIST="https://dev.gentoo.org/~williamh/dist"
|
||||
BOOTSTRAP_VERSION="bootstrap-1.8"
|
||||
BOOTSTRAP_URI="
|
||||
amd64? ( ${BOOTSTRAP_DIST}/go-linux-amd64-bootstrap-musl-1.4.3.tbz )
|
||||
arm? ( ${BOOTSTRAP_DIST}/go-linux-arm-${BOOTSTRAP_VERSION}.tbz )
|
||||
arm64? ( ${BOOTSTRAP_DIST}/go-linux-arm64-${BOOTSTRAP_VERSION}.tbz )
|
||||
ppc64? (
|
||||
${BOOTSTRAP_DIST}/go-linux-ppc64-${BOOTSTRAP_VERSION}.tbz
|
||||
${BOOTSTRAP_DIST}/go-linux-ppc64le-${BOOTSTRAP_VERSION}.tbz
|
||||
)
|
||||
s390? ( ${BOOTSTRAP_DIST}/go-linux-s390x-${BOOTSTRAP_VERSION}.tbz )
|
||||
x86? ( ${BOOTSTRAP_DIST}/go-linux-386-${BOOTSTRAP_VERSION}.tbz )
|
||||
amd64-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
x86-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-386-${BOOTSTRAP_VERSION}.tbz )
|
||||
x64-macos? ( ${BOOTSTRAP_DIST}/go-darwin-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
x64-solaris? ( ${BOOTSTRAP_DIST}/go-solaris-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
"
|
||||
|
||||
case ${PV} in
|
||||
*9999*)
|
||||
EGIT_REPO_URI="https://github.com/golang/go.git"
|
||||
inherit git-r3
|
||||
;;
|
||||
*)
|
||||
SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
|
||||
S="${WORKDIR}"/go
|
||||
case ${PV} in
|
||||
*_beta*|*_rc*) ;;
|
||||
*)
|
||||
KEYWORDS="-* amd64 arm ~arm64 ~ppc64 ~s390 x86 ~amd64-fbsd ~x86-fbsd ~x64-macos ~x64-solaris"
|
||||
# The upstream tests fail under portage but pass if the build is
|
||||
# run according to their documentation [1].
|
||||
# I am restricting the tests on released versions until this is
|
||||
# solved.
|
||||
# [1] https://golang.org/issues/18442
|
||||
RESTRICT="test"
|
||||
;;
|
||||
esac
|
||||
esac
|
||||
SRC_URI+="!gccgo? ( ${BOOTSTRAP_URI} )"
|
||||
|
||||
DESCRIPTION="A concurrent garbage collected and typesafe programming language"
|
||||
HOMEPAGE="https://golang.org"
|
||||
|
||||
LICENSE="BSD"
|
||||
SLOT="0/${PV}"
|
||||
IUSE="gccgo"
|
||||
|
||||
DEPEND="gccgo? ( >=sys-devel/gcc-5[go] )"
|
||||
RDEPEND="!<dev-go/go-tools-0_pre20150902"
|
||||
|
||||
# These test data objects have writable/executable stacks.
|
||||
QA_EXECSTACK="
|
||||
usr/lib/go/src/debug/elf/testdata/*.obj
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/escapeinfo.gox
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/unicode.gox
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/time.gox
|
||||
"
|
||||
|
||||
# Do not complain about CFLAGS, etc, since Go doesn't use them.
|
||||
QA_FLAGS_IGNORED='.*'
|
||||
|
||||
REQUIRES_EXCLUDE="/usr/lib/go/src/debug/elf/testdata/*"
|
||||
|
||||
# The tools in /usr/lib/go should not cause the multilib-strict check to fail.
|
||||
QA_MULTILIB_PATHS="usr/lib/go/pkg/tool/.*/.*"
|
||||
|
||||
# Do not strip this package. Stripping is unsupported upstream and may
|
||||
# fail.
|
||||
RESTRICT+=" strip"
|
||||
|
||||
DOCS=(
|
||||
AUTHORS
|
||||
CONTRIBUTING.md
|
||||
CONTRIBUTORS
|
||||
PATENTS
|
||||
README.md
|
||||
)
|
||||
|
||||
go_arch()
|
||||
{
|
||||
# By chance most portage arch names match Go
|
||||
local portage_arch=$(tc-arch $@)
|
||||
case "${portage_arch}" in
|
||||
x86) echo 386;;
|
||||
x64-*) echo amd64;;
|
||||
ppc64) [[ $(tc-endian $@) = big ]] && echo ppc64 || echo ppc64le ;;
|
||||
s390) echo s390x ;;
|
||||
*) echo "${portage_arch}";;
|
||||
esac
|
||||
}
|
||||
|
||||
go_arm()
|
||||
{
|
||||
case "${1:-${CHOST}}" in
|
||||
armv5*) echo 5;;
|
||||
armv6*) echo 6;;
|
||||
armv7*) echo 7;;
|
||||
*)
|
||||
die "unknown GOARM for ${1:-${CHOST}}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
go_os()
|
||||
{
|
||||
case "${1:-${CHOST}}" in
|
||||
*-linux*) echo linux;;
|
||||
*-darwin*) echo darwin;;
|
||||
*-freebsd*) echo freebsd;;
|
||||
*-netbsd*) echo netbsd;;
|
||||
*-openbsd*) echo openbsd;;
|
||||
*-solaris*) echo solaris;;
|
||||
*-cygwin*|*-interix*|*-winnt*)
|
||||
echo windows
|
||||
;;
|
||||
*)
|
||||
die "unknown GOOS for ${1:-${CHOST}}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
go_tuple()
|
||||
{
|
||||
echo "$(go_os $@)_$(go_arch $@)"
|
||||
}
|
||||
|
||||
go_cross_compile()
|
||||
{
|
||||
[[ $(go_tuple ${CBUILD}) != $(go_tuple) ]]
|
||||
}
|
||||
|
||||
pkg_pretend()
|
||||
{
|
||||
# make.bash does not understand cross-compiling a cross-compiler
|
||||
if [[ $(go_tuple) != $(go_tuple ${CTARGET}) ]]; then
|
||||
die "CHOST CTARGET pair unsupported: CHOST=${CHOST} CTARGET=${CTARGET}"
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack()
|
||||
{
|
||||
if [[ ${PV} = 9999 ]]; then
|
||||
git-r3_src_unpack
|
||||
fi
|
||||
default
|
||||
}
|
||||
|
||||
src_compile()
|
||||
{
|
||||
export GOROOT_BOOTSTRAP="${WORKDIR}"/go-$(go_os)-$(go_arch)-bootstrap
|
||||
if use gccgo; then
|
||||
mkdir -p "${GOROOT_BOOTSTRAP}/bin" || die
|
||||
local go_binary=$(gcc-config --get-bin-path)/go-$(gcc-major-version)
|
||||
[[ -x ${go_binary} ]] || go_binary=$(
|
||||
find "${EPREFIX}"/usr/${CHOST}/gcc-bin/*/go-$(gcc-major-version) |
|
||||
sort -V | tail -n1)
|
||||
[[ -x ${go_binary} ]] ||
|
||||
die "go-$(gcc-major-version): command not found"
|
||||
ln -s "${go_binary}" "${GOROOT_BOOTSTRAP}/bin/go" || die
|
||||
fi
|
||||
export GOROOT_FINAL="${EPREFIX}"/usr/lib/go
|
||||
export GOROOT="$(pwd)"
|
||||
export GOBIN="${GOROOT}/bin"
|
||||
|
||||
# Go's build script does not use BUILD/HOST/TARGET consistently. :(
|
||||
export GOHOSTARCH=$(go_arch ${CBUILD})
|
||||
export GOHOSTOS=$(go_os ${CBUILD})
|
||||
export CC=$(tc-getBUILD_CC)
|
||||
|
||||
export GOARCH=$(go_arch)
|
||||
export GOOS=$(go_os)
|
||||
export CC_FOR_TARGET=$(tc-getCC)
|
||||
export CXX_FOR_TARGET=$(tc-getCXX)
|
||||
if [[ ${ARCH} == arm ]]; then
|
||||
export GOARM=$(go_arm)
|
||||
fi
|
||||
einfo "GOROOT_BOOTSTRAP is ${GOROOT_BOOTSTRAP}"
|
||||
|
||||
cd src
|
||||
./make.bash || die "build failed"
|
||||
}
|
||||
|
||||
src_test()
|
||||
{
|
||||
go_cross_compile && return 0
|
||||
|
||||
cd src
|
||||
PATH="${GOBIN}:${PATH}" \
|
||||
./run.bash -no-rebuild || die "tests failed"
|
||||
}
|
||||
|
||||
src_install()
|
||||
{
|
||||
local bin_path f x
|
||||
|
||||
dodir /usr/lib/go
|
||||
|
||||
# There is a known issue which requires the source tree to be installed [1].
|
||||
# Once this is fixed, we can consider using the doc use flag to control
|
||||
# installing the doc and src directories.
|
||||
# [1] https://golang.org/issue/2775
|
||||
#
|
||||
# deliberately use cp to retain permissions
|
||||
cp -R api bin doc lib pkg misc src test "${ED}"/usr/lib/go
|
||||
if go_cross_compile; then
|
||||
bin_path="bin/$(go_tuple)"
|
||||
else
|
||||
bin_path=bin
|
||||
fi
|
||||
for x in ${bin_path}/*; do
|
||||
f=${x##*/}
|
||||
dosym ../lib/go/${bin_path}/${f} /usr/bin/${f}
|
||||
done
|
||||
einstalldocs
|
||||
}
|
|
@ -0,0 +1,228 @@
|
|||
# Copyright 1999-2018 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
|
||||
export CBUILD=${CBUILD:-${CHOST}}
|
||||
export CTARGET=${CTARGET:-${CHOST}}
|
||||
|
||||
MY_PV=${PV/_/}
|
||||
|
||||
inherit toolchain-funcs
|
||||
|
||||
BOOTSTRAP_DIST="https://dev.gentoo.org/~williamh/dist"
|
||||
BOOTSTRAP_VERSION="bootstrap-1.8"
|
||||
BOOTSTRAP_URI="
|
||||
amd64? ( ${BOOTSTRAP_DIST}/go-linux-amd64-bootstrap-musl-1.4.3.tbz )
|
||||
arm? ( ${BOOTSTRAP_DIST}/go-linux-arm-${BOOTSTRAP_VERSION}.tbz )
|
||||
arm64? ( ${BOOTSTRAP_DIST}/go-linux-arm64-${BOOTSTRAP_VERSION}.tbz )
|
||||
ppc64? (
|
||||
${BOOTSTRAP_DIST}/go-linux-ppc64-${BOOTSTRAP_VERSION}.tbz
|
||||
${BOOTSTRAP_DIST}/go-linux-ppc64le-${BOOTSTRAP_VERSION}.tbz
|
||||
)
|
||||
s390? ( ${BOOTSTRAP_DIST}/go-linux-s390x-${BOOTSTRAP_VERSION}.tbz )
|
||||
x86? ( ${BOOTSTRAP_DIST}/go-linux-386-${BOOTSTRAP_VERSION}.tbz )
|
||||
amd64-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
x86-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-386-${BOOTSTRAP_VERSION}.tbz )
|
||||
x64-macos? ( ${BOOTSTRAP_DIST}/go-darwin-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
x64-solaris? ( ${BOOTSTRAP_DIST}/go-solaris-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
"
|
||||
|
||||
case ${PV} in
|
||||
*9999*)
|
||||
EGIT_REPO_URI="https://github.com/golang/go.git"
|
||||
inherit git-r3
|
||||
;;
|
||||
*)
|
||||
SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
|
||||
S="${WORKDIR}"/go
|
||||
case ${PV} in
|
||||
*_beta*|*_rc*) ;;
|
||||
*)
|
||||
KEYWORDS="-* amd64 arm ~arm64 ~ppc64 ~s390 x86 ~amd64-fbsd ~x86-fbsd ~x64-macos ~x64-solaris"
|
||||
# The upstream tests fail under portage but pass if the build is
|
||||
# run according to their documentation [1].
|
||||
# I am restricting the tests on released versions until this is
|
||||
# solved.
|
||||
# [1] https://golang.org/issues/18442
|
||||
RESTRICT="test"
|
||||
;;
|
||||
esac
|
||||
esac
|
||||
SRC_URI+="!gccgo? ( ${BOOTSTRAP_URI} )"
|
||||
|
||||
DESCRIPTION="A concurrent garbage collected and typesafe programming language"
|
||||
HOMEPAGE="https://golang.org"
|
||||
|
||||
LICENSE="BSD"
|
||||
SLOT="0/${PV}"
|
||||
IUSE="gccgo"
|
||||
|
||||
DEPEND="gccgo? ( >=sys-devel/gcc-5[go] )"
|
||||
RDEPEND="!<dev-go/go-tools-0_pre20150902"
|
||||
|
||||
# These test data objects have writable/executable stacks.
|
||||
QA_EXECSTACK="
|
||||
usr/lib/go/src/debug/elf/testdata/*.obj
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/escapeinfo.gox
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/unicode.gox
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/time.gox
|
||||
"
|
||||
|
||||
# Do not complain about CFLAGS, etc, since Go doesn't use them.
|
||||
QA_FLAGS_IGNORED='.*'
|
||||
|
||||
REQUIRES_EXCLUDE="/usr/lib/go/src/debug/elf/testdata/*"
|
||||
|
||||
# The tools in /usr/lib/go should not cause the multilib-strict check to fail.
|
||||
QA_MULTILIB_PATHS="usr/lib/go/pkg/tool/.*/.*"
|
||||
|
||||
# Do not strip this package. Stripping is unsupported upstream and may
|
||||
# fail.
|
||||
RESTRICT+=" strip"
|
||||
|
||||
DOCS=(
|
||||
AUTHORS
|
||||
CONTRIBUTING.md
|
||||
CONTRIBUTORS
|
||||
PATENTS
|
||||
README.md
|
||||
)
|
||||
|
||||
go_arch()
|
||||
{
|
||||
# By chance most portage arch names match Go
|
||||
local portage_arch=$(tc-arch $@)
|
||||
case "${portage_arch}" in
|
||||
x86) echo 386;;
|
||||
x64-*) echo amd64;;
|
||||
ppc64) [[ $(tc-endian $@) = big ]] && echo ppc64 || echo ppc64le ;;
|
||||
s390) echo s390x ;;
|
||||
*) echo "${portage_arch}";;
|
||||
esac
|
||||
}
|
||||
|
||||
go_arm()
|
||||
{
|
||||
case "${1:-${CHOST}}" in
|
||||
armv5*) echo 5;;
|
||||
armv6*) echo 6;;
|
||||
armv7*) echo 7;;
|
||||
*)
|
||||
die "unknown GOARM for ${1:-${CHOST}}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
go_os()
|
||||
{
|
||||
case "${1:-${CHOST}}" in
|
||||
*-linux*) echo linux;;
|
||||
*-darwin*) echo darwin;;
|
||||
*-freebsd*) echo freebsd;;
|
||||
*-netbsd*) echo netbsd;;
|
||||
*-openbsd*) echo openbsd;;
|
||||
*-solaris*) echo solaris;;
|
||||
*-cygwin*|*-interix*|*-winnt*)
|
||||
echo windows
|
||||
;;
|
||||
*)
|
||||
die "unknown GOOS for ${1:-${CHOST}}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
go_tuple()
|
||||
{
|
||||
echo "$(go_os $@)_$(go_arch $@)"
|
||||
}
|
||||
|
||||
go_cross_compile()
|
||||
{
|
||||
[[ $(go_tuple ${CBUILD}) != $(go_tuple) ]]
|
||||
}
|
||||
|
||||
pkg_pretend()
|
||||
{
|
||||
# make.bash does not understand cross-compiling a cross-compiler
|
||||
if [[ $(go_tuple) != $(go_tuple ${CTARGET}) ]]; then
|
||||
die "CHOST CTARGET pair unsupported: CHOST=${CHOST} CTARGET=${CTARGET}"
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack()
|
||||
{
|
||||
if [[ ${PV} = 9999 ]]; then
|
||||
git-r3_src_unpack
|
||||
fi
|
||||
default
|
||||
}
|
||||
|
||||
src_compile()
|
||||
{
|
||||
export GOROOT_BOOTSTRAP="${WORKDIR}"/go-$(go_os)-$(go_arch)-bootstrap
|
||||
if use gccgo; then
|
||||
mkdir -p "${GOROOT_BOOTSTRAP}/bin" || die
|
||||
local go_binary=$(gcc-config --get-bin-path)/go-$(gcc-major-version)
|
||||
[[ -x ${go_binary} ]] || go_binary=$(
|
||||
find "${EPREFIX}"/usr/${CHOST}/gcc-bin/*/go-$(gcc-major-version) |
|
||||
sort -V | tail -n1)
|
||||
[[ -x ${go_binary} ]] ||
|
||||
die "go-$(gcc-major-version): command not found"
|
||||
ln -s "${go_binary}" "${GOROOT_BOOTSTRAP}/bin/go" || die
|
||||
fi
|
||||
export GOROOT_FINAL="${EPREFIX}"/usr/lib/go
|
||||
export GOROOT="$(pwd)"
|
||||
export GOBIN="${GOROOT}/bin"
|
||||
|
||||
# Go's build script does not use BUILD/HOST/TARGET consistently. :(
|
||||
export GOHOSTARCH=$(go_arch ${CBUILD})
|
||||
export GOHOSTOS=$(go_os ${CBUILD})
|
||||
export CC=$(tc-getBUILD_CC)
|
||||
|
||||
export GOARCH=$(go_arch)
|
||||
export GOOS=$(go_os)
|
||||
export CC_FOR_TARGET=$(tc-getCC)
|
||||
export CXX_FOR_TARGET=$(tc-getCXX)
|
||||
if [[ ${ARCH} == arm ]]; then
|
||||
export GOARM=$(go_arm)
|
||||
fi
|
||||
einfo "GOROOT_BOOTSTRAP is ${GOROOT_BOOTSTRAP}"
|
||||
|
||||
cd src
|
||||
./make.bash || die "build failed"
|
||||
}
|
||||
|
||||
src_test()
|
||||
{
|
||||
go_cross_compile && return 0
|
||||
|
||||
cd src
|
||||
PATH="${GOBIN}:${PATH}" \
|
||||
./run.bash -no-rebuild || die "tests failed"
|
||||
}
|
||||
|
||||
src_install()
|
||||
{
|
||||
local bin_path f x
|
||||
|
||||
dodir /usr/lib/go
|
||||
|
||||
# There is a known issue which requires the source tree to be installed [1].
|
||||
# Once this is fixed, we can consider using the doc use flag to control
|
||||
# installing the doc and src directories.
|
||||
# [1] https://golang.org/issue/2775
|
||||
#
|
||||
# deliberately use cp to retain permissions
|
||||
cp -R api bin doc lib pkg misc src test "${ED}"/usr/lib/go
|
||||
if go_cross_compile; then
|
||||
bin_path="bin/$(go_tuple)"
|
||||
else
|
||||
bin_path=bin
|
||||
fi
|
||||
for x in ${bin_path}/*; do
|
||||
f=${x##*/}
|
||||
dosym ../lib/go/${bin_path}/${f} /usr/bin/${f}
|
||||
done
|
||||
einstalldocs
|
||||
}
|
|
@ -0,0 +1,236 @@
|
|||
# Copyright 1999-2019 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
|
||||
export CBUILD=${CBUILD:-${CHOST}}
|
||||
export CTARGET=${CTARGET:-${CHOST}}
|
||||
|
||||
MY_PV=${PV/_/}
|
||||
|
||||
inherit toolchain-funcs
|
||||
|
||||
BOOTSTRAP_DIST="https://dev.gentoo.org/~williamh/dist"
|
||||
BOOTSTRAP_VERSION="bootstrap-1.8"
|
||||
BOOTSTRAP_URI="
|
||||
amd64? ( ${BOOTSTRAP_DIST}//go-linux-amd64-bootstrap-musl-1.4.3.tbz )
|
||||
arm? ( ${BOOTSTRAP_DIST}/go-linux-arm-${BOOTSTRAP_VERSION}.tbz )
|
||||
arm64? ( ${BOOTSTRAP_DIST}/go-linux-arm64-${BOOTSTRAP_VERSION}.tbz )
|
||||
ppc64? (
|
||||
${BOOTSTRAP_DIST}/go-linux-ppc64-${BOOTSTRAP_VERSION}.tbz
|
||||
${BOOTSTRAP_DIST}/go-linux-ppc64le-${BOOTSTRAP_VERSION}.tbz
|
||||
)
|
||||
s390? ( ${BOOTSTRAP_DIST}/go-linux-s390x-${BOOTSTRAP_VERSION}.tbz )
|
||||
x86? ( ${BOOTSTRAP_DIST}/go-linux-386-${BOOTSTRAP_VERSION}.tbz )
|
||||
amd64-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
x86-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-386-${BOOTSTRAP_VERSION}.tbz )
|
||||
x64-macos? ( ${BOOTSTRAP_DIST}/go-darwin-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
x64-solaris? ( ${BOOTSTRAP_DIST}/go-solaris-amd64-${BOOTSTRAP_VERSION}.tbz )
|
||||
"
|
||||
|
||||
case ${PV} in
|
||||
*9999*)
|
||||
EGIT_REPO_URI="https://github.com/golang/go.git"
|
||||
inherit git-r3
|
||||
;;
|
||||
*)
|
||||
SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
|
||||
S="${WORKDIR}"/go
|
||||
case ${PV} in
|
||||
*_beta*|*_rc*) ;;
|
||||
*)
|
||||
KEYWORDS="-* amd64 arm ~arm64 ~ppc64 ~s390 x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x64-solaris"
|
||||
# The upstream tests fail under portage but pass if the build is
|
||||
# run according to their documentation [1].
|
||||
# I am restricting the tests on released versions until this is
|
||||
# solved.
|
||||
# [1] https://golang.org/issues/18442
|
||||
RESTRICT="test"
|
||||
;;
|
||||
esac
|
||||
esac
|
||||
SRC_URI+="!gccgo? ( ${BOOTSTRAP_URI} )"
|
||||
|
||||
DESCRIPTION="A concurrent garbage collected and typesafe programming language"
|
||||
HOMEPAGE="https://golang.org"
|
||||
|
||||
LICENSE="BSD"
|
||||
SLOT="0/${PV}"
|
||||
IUSE="gccgo"
|
||||
|
||||
DEPEND="gccgo? ( >=sys-devel/gcc-5[go] )"
|
||||
RDEPEND="!<dev-go/go-tools-0_pre20150902"
|
||||
|
||||
# These test data objects have writable/executable stacks.
|
||||
QA_EXECSTACK="
|
||||
usr/lib/go/src/debug/elf/testdata/*.obj
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/escapeinfo.gox
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/unicode.gox
|
||||
usr/lib/go/src/go/internal/gccgoimporter/testdata/time.gox
|
||||
"
|
||||
|
||||
# Do not complain about CFLAGS, etc, since Go doesn't use them.
|
||||
QA_FLAGS_IGNORED='.*'
|
||||
|
||||
REQUIRES_EXCLUDE="/usr/lib/go/src/debug/elf/testdata/*"
|
||||
|
||||
# The tools in /usr/lib/go should not cause the multilib-strict check to fail.
|
||||
QA_MULTILIB_PATHS="usr/lib/go/pkg/tool/.*/.*"
|
||||
|
||||
# Do not strip this package. Stripping is unsupported upstream and may
|
||||
# fail.
|
||||
RESTRICT+=" strip"
|
||||
|
||||
DOCS=(
|
||||
AUTHORS
|
||||
CONTRIBUTING.md
|
||||
CONTRIBUTORS
|
||||
PATENTS
|
||||
README.md
|
||||
)
|
||||
|
||||
go_arch()
|
||||
{
|
||||
# By chance most portage arch names match Go
|
||||
local portage_arch=$(tc-arch $@)
|
||||
case "${portage_arch}" in
|
||||
x86) echo 386;;
|
||||
x64-*) echo amd64;;
|
||||
ppc64) [[ $(tc-endian $@) = big ]] && echo ppc64 || echo ppc64le ;;
|
||||
s390) echo s390x ;;
|
||||
*) echo "${portage_arch}";;
|
||||
esac
|
||||
}
|
||||
|
||||
go_arm()
|
||||
{
|
||||
case "${1:-${CHOST}}" in
|
||||
armv5*) echo 5;;
|
||||
armv6*) echo 6;;
|
||||
armv7*) echo 7;;
|
||||
*)
|
||||
die "unknown GOARM for ${1:-${CHOST}}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
go_os()
|
||||
{
|
||||
case "${1:-${CHOST}}" in
|
||||
*-linux*) echo linux;;
|
||||
*-darwin*) echo darwin;;
|
||||
*-freebsd*) echo freebsd;;
|
||||
*-netbsd*) echo netbsd;;
|
||||
*-openbsd*) echo openbsd;;
|
||||
*-solaris*) echo solaris;;
|
||||
*-cygwin*|*-interix*|*-winnt*)
|
||||
echo windows
|
||||
;;
|
||||
*)
|
||||
die "unknown GOOS for ${1:-${CHOST}}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
go_tuple()
|
||||
{
|
||||
echo "$(go_os $@)_$(go_arch $@)"
|
||||
}
|
||||
|
||||
go_cross_compile()
|
||||
{
|
||||
[[ $(go_tuple ${CBUILD}) != $(go_tuple) ]]
|
||||
}
|
||||
|
||||
pkg_pretend()
|
||||
{
|
||||
# make.bash does not understand cross-compiling a cross-compiler
|
||||
if [[ $(go_tuple) != $(go_tuple ${CTARGET}) ]]; then
|
||||
die "CHOST CTARGET pair unsupported: CHOST=${CHOST} CTARGET=${CTARGET}"
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack()
|
||||
{
|
||||
if [[ ${PV} = 9999 ]]; then
|
||||
git-r3_src_unpack
|
||||
fi
|
||||
default
|
||||
}
|
||||
|
||||
src_compile()
|
||||
{
|
||||
export GOROOT_BOOTSTRAP="${WORKDIR}"/go-$(go_os)-$(go_arch)-bootstrap
|
||||
if use gccgo; then
|
||||
mkdir -p "${GOROOT_BOOTSTRAP}/bin" || die
|
||||
local go_binary=$(gcc-config --get-bin-path)/go-$(gcc-major-version)
|
||||
[[ -x ${go_binary} ]] || go_binary=$(
|
||||
find "${EPREFIX}"/usr/${CHOST}/gcc-bin/*/go-$(gcc-major-version) |
|
||||
sort -V | tail -n1)
|
||||
[[ -x ${go_binary} ]] ||
|
||||
die "go-$(gcc-major-version): command not found"
|
||||
ln -s "${go_binary}" "${GOROOT_BOOTSTRAP}/bin/go" || die
|
||||
fi
|
||||
export GOROOT_FINAL="${EPREFIX}"/usr/lib/go
|
||||
export GOROOT="$(pwd)"
|
||||
export GOBIN="${GOROOT}/bin"
|
||||
|
||||
# Go's build script does not use BUILD/HOST/TARGET consistently. :(
|
||||
export GOHOSTARCH=$(go_arch ${CBUILD})
|
||||
export GOHOSTOS=$(go_os ${CBUILD})
|
||||
export CC=$(tc-getBUILD_CC)
|
||||
|
||||
export GOARCH=$(go_arch)
|
||||
export GOOS=$(go_os)
|
||||
export CC_FOR_TARGET=$(tc-getCC)
|
||||
export CXX_FOR_TARGET=$(tc-getCXX)
|
||||
if [[ ${ARCH} == arm ]]; then
|
||||
export GOARM=$(go_arm)
|
||||
fi
|
||||
einfo "GOROOT_BOOTSTRAP is ${GOROOT_BOOTSTRAP}"
|
||||
|
||||
cd src
|
||||
./make.bash || die "build failed"
|
||||
}
|
||||
|
||||
src_test()
|
||||
{
|
||||
go_cross_compile && return 0
|
||||
|
||||
cd src
|
||||
PATH="${GOBIN}:${PATH}" \
|
||||
./run.bash -no-rebuild || die "tests failed"
|
||||
}
|
||||
|
||||
src_install()
|
||||
{
|
||||
local bin_path f x
|
||||
|
||||
dodir /usr/lib/go
|
||||
|
||||
# There is a known issue which requires the source tree to be installed [1].
|
||||
# Once this is fixed, we can consider using the doc use flag to control
|
||||
# installing the doc and src directories.
|
||||
# [1] https://golang.org/issue/2775
|
||||
#
|
||||
# deliberately use cp to retain permissions
|
||||
cp -R api bin doc lib pkg misc src test "${ED}"/usr/lib/go
|
||||
if go_cross_compile; then
|
||||
bin_path="bin/$(go_tuple)"
|
||||
else
|
||||
bin_path=bin
|
||||
fi
|
||||
for x in ${bin_path}/*; do
|
||||
f=${x##*/}
|
||||
dosym ../lib/go/${bin_path}/${f} /usr/bin/${f}
|
||||
done
|
||||
einstalldocs
|
||||
|
||||
if [[ ${CHOST} == *-darwin* ]] ; then
|
||||
# fix install_name for test object (binutils_test) on Darwin, it
|
||||
# is never used in real circumstances
|
||||
local libmac64="${EPREFIX}"/usr/lib/go/src/cmd/vendor/github.com/
|
||||
libmac64+=google/pprof/internal/binutils/testdata/lib_mac_64
|
||||
install_name_tool -id "${libmac64}" "${D}${libmac64}"
|
||||
fi
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="person">
|
||||
<email>williamh@gentoo.org</email>
|
||||
<name>William Hubbs</name>
|
||||
</maintainer>
|
||||
<longdescription lang="en">
|
||||
Go is a new systems programming language developped at google by
|
||||
Rob Pike. It has garbage collection, coroutines, communication
|
||||
channels and a clean syntax.
|
||||
</longdescription>
|
||||
<use>
|
||||
<flag name="gccgo">Enable bootstrapping using gccgo</flag>
|
||||
</use>
|
||||
</pkgmetadata>
|
|
@ -0,0 +1,4 @@
|
|||
AUX qtnetwork-5.11-libressl.patch 4742 BLAKE2B dc5796246cad7f124108d441cccb79e3aa5e46365637af9aa68322fd426cfc772de7a8c626e0eeba8068bb941ed0607dfbd58111c111228d89761067ac4a6620 SHA512 9a91220a9210c4f82ecd77aa4ee70ba62aac7ca39cb01f3e153cd8d42a50105e375dd9280de9b13c4fcf3777e42c48320fff4d822b7e35f392323fb5cca99032
|
||||
DIST qtbase-everywhere-src-5.11.3.tar.xz 46997676 BLAKE2B a70089be5530dec0eedcd5ba990140b375261dea5c85ea7d1dbb5b0bd09ee23edbb4917851127686b5f3cac6969a284eb91ab075ebe53326e69e99e81b257da0 SHA512 93865e41c994211456a575b085c2e7491b7975a1c3b4deb48e9616b51104eb990c1fcfd53d5fb2146ba22457cb134e6254e9077ba73c8b4c4b4d1d525e66fb65
|
||||
EBUILD qtnetwork-5.11.3.ebuild 1345 BLAKE2B 5db0b7120e982fc58fce2ae8eba178da92793c4f64309d0dde39a4cd43c85a0fc92692a146c89852972547dffea9eb5a4362899c548aec982bd73198cc23bfeb SHA512 7628aca9770e51b198287f317a914afe95e1ecba5eae1762b3c7cfdb57284a9aa76ce903a9e6757cf8dbbd00eb88be0d071f445b99b0c89c005312730e1b22fe
|
||||
MISC metadata.xml 876 BLAKE2B cd547dff93432d3d0c4baba6790166ab951035e3c7b9d66fb9717349626f7ac72ef38daf7c648de40bf73ad59f5f7ad8c85894d73e2c37b24832371bed868656 SHA512 6a38a068dd89a9a1bb470938bf4b2427553356fed8f1a638596e21261363544b8fb770ca2ec9e619aedb4e4ea260b60966924b5b8beb8295804c99cb8d916f5f
|
|
@ -0,0 +1,74 @@
|
|||
diff -Naurp old_qt/config.tests/unix/openssl11/openssl.cpp new_qt/config.tests/unix/openssl11/openssl.cpp
|
||||
--- old_qt/config.tests/unix/openssl11/openssl.cpp 2018-09-13 13:25:10.000000000 +0900
|
||||
+++ new_qt/config.tests/unix/openssl11/openssl.cpp 2018-10-20 08:31:20.497180387 +0900
|
||||
@@ -39,7 +39,7 @@
|
||||
|
||||
#include <openssl/opensslv.h>
|
||||
|
||||
-#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10100000L
|
||||
+#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
# error "OpenSSL >= 1.1 is required"
|
||||
#endif
|
||||
|
||||
diff -Naurp old_qt/src/network/ssl/qsslcontext_openssl.cpp new_qt/src/network/ssl/qsslcontext_openssl.cpp
|
||||
--- old_qt/src/network/ssl/qsslcontext_openssl.cpp 2018-09-13 13:25:10.000000000 +0900
|
||||
+++ new_qt/src/network/ssl/qsslcontext_openssl.cpp 2018-10-20 08:34:24.613169930 +0900
|
||||
@@ -248,7 +248,7 @@ void QSslContext::applyBackendConfig(QSs
|
||||
if (sslContext->sslConfiguration.backendConfiguration().isEmpty())
|
||||
return;
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) {
|
||||
QSharedPointer<SSL_CONF_CTX> cctx(q_SSL_CONF_CTX_new(), &q_SSL_CONF_CTX_free);
|
||||
if (cctx) {
|
||||
diff -Naurp old_qt/src/network/ssl/qsslsocket_openssl_symbols.cpp new_qt/src/network/ssl/qsslsocket_openssl_symbols.cpp
|
||||
--- old_qt/src/network/ssl/qsslsocket_openssl_symbols.cpp 2018-09-13 13:25:10.000000000 +0900
|
||||
+++ new_qt/src/network/ssl/qsslsocket_openssl_symbols.cpp 2018-10-20 08:37:48.682266708 +0900
|
||||
@@ -406,7 +406,7 @@ DEFINEFUNC2(int, SSL_CTX_use_PrivateKey,
|
||||
DEFINEFUNC2(int, SSL_CTX_use_RSAPrivateKey, SSL_CTX *a, a, RSA *b, b, return -1, return)
|
||||
DEFINEFUNC3(int, SSL_CTX_use_PrivateKey_file, SSL_CTX *a, a, const char *b, b, int c, c, return -1, return)
|
||||
DEFINEFUNC(X509_STORE *, SSL_CTX_get_cert_store, const SSL_CTX *a, a, return 0, return)
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
DEFINEFUNC(SSL_CONF_CTX *, SSL_CONF_CTX_new, DUMMYARG, DUMMYARG, return 0, return);
|
||||
DEFINEFUNC(void, SSL_CONF_CTX_free, SSL_CONF_CTX *a, a, return ,return);
|
||||
DEFINEFUNC2(void, SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX *a, a, SSL_CTX *b, b, return, return);
|
||||
diff -Naurp old_qt/src/network/ssl/qsslsocket_openssl_symbols_p.h new_qt/src/network/ssl/qsslsocket_openssl_symbols_p.h
|
||||
--- old_qt/src/network/ssl/qsslsocket_openssl_symbols_p.h 2018-09-13 13:25:10.000000000 +0900
|
||||
+++ new_qt/src/network/ssl/qsslsocket_openssl_symbols_p.h 2018-10-20 08:39:53.219936039 +0900
|
||||
@@ -356,7 +356,7 @@ int q_SSL_CTX_use_PrivateKey(SSL_CTX *a,
|
||||
int q_SSL_CTX_use_RSAPrivateKey(SSL_CTX *a, RSA *b);
|
||||
int q_SSL_CTX_use_PrivateKey_file(SSL_CTX *a, const char *b, int c);
|
||||
X509_STORE *q_SSL_CTX_get_cert_store(const SSL_CTX *a);
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
SSL_CONF_CTX *q_SSL_CONF_CTX_new();
|
||||
void q_SSL_CONF_CTX_free(SSL_CONF_CTX *a);
|
||||
void q_SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *a, SSL_CTX *b);
|
||||
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
|
||||
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
|
||||
@@ -190,8 +190,8 @@ DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c,
|
||||
#endif
|
||||
DEFINEFUNC2(BIO *, BIO_new_file, const char *filename, filename, const char *mode, mode, return 0, return)
|
||||
DEFINEFUNC(void, ERR_clear_error, DUMMYARG, DUMMYARG, return, DUMMYARG)
|
||||
-DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return)
|
||||
-DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return)
|
||||
+DEFINEFUNC(BIO *, BIO_new, const BIO_METHOD *a, a, return 0, return)
|
||||
+DEFINEFUNC(const BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return)
|
||||
DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return)
|
||||
DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG)
|
||||
DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG)
|
||||
--- a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
|
||||
+++ b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
|
||||
@@ -78,8 +78,8 @@
|
||||
unsigned char * q_ASN1_STRING_data(ASN1_STRING *a);
|
||||
BIO *q_BIO_new_file(const char *filename, const char *mode);
|
||||
void q_ERR_clear_error();
|
||||
-Q_AUTOTEST_EXPORT BIO *q_BIO_new(BIO_METHOD *a);
|
||||
-Q_AUTOTEST_EXPORT BIO_METHOD *q_BIO_s_mem();
|
||||
+Q_AUTOTEST_EXPORT BIO *q_BIO_new(const BIO_METHOD *a);
|
||||
+Q_AUTOTEST_EXPORT const BIO_METHOD *q_BIO_s_mem();
|
||||
int q_CRYPTO_num_locks();
|
||||
void q_CRYPTO_set_locking_callback(void (*a)(int, int, const char *, int));
|
||||
void q_CRYPTO_set_id_callback(unsigned long (*a)());
|
|
@ -0,0 +1,25 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="project">
|
||||
<email>qt@gentoo.org</email>
|
||||
<name>Gentoo Qt Project</name>
|
||||
</maintainer>
|
||||
<use>
|
||||
<flag name="bindist">Disable EC support via <pkg>dev-libs/openssl</pkg></flag>
|
||||
<flag name="connman">Enable <pkg>net-misc/connman</pkg>-based bearer plugin</flag>
|
||||
<flag name="libproxy">Use <pkg>net-libs/libproxy</pkg> for automatic
|
||||
HTTP/SOCKS proxy configuration</flag>
|
||||
<flag name="networkmanager">Enable <pkg>net-misc/networkmanager</pkg>-based
|
||||
bearer plugin</flag>
|
||||
</use>
|
||||
<upstream>
|
||||
<bugs-to>https://bugreports.qt.io/</bugs-to>
|
||||
<doc>https://doc.qt.io/</doc>
|
||||
</upstream>
|
||||
<slots>
|
||||
<subslots>
|
||||
Must only be used by packages that are known to use private parts of the Qt API.
|
||||
</subslots>
|
||||
</slots>
|
||||
</pkgmetadata>
|
|
@ -0,0 +1,64 @@
|
|||
# Copyright 1999-2018 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
QT5_MODULE="qtbase"
|
||||
inherit qt5-build
|
||||
|
||||
DESCRIPTION="Network abstraction library for the Qt5 framework"
|
||||
|
||||
if [[ ${QT5_BUILD_TYPE} == release ]]; then
|
||||
KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~x86 ~amd64-fbsd"
|
||||
fi
|
||||
|
||||
IUSE="bindist connman libproxy libressl networkmanager +ssl"
|
||||
|
||||
DEPEND="
|
||||
~dev-qt/qtcore-${PV}
|
||||
>=sys-libs/zlib-1.2.5
|
||||
connman? ( ~dev-qt/qtdbus-${PV} )
|
||||
libproxy? ( net-libs/libproxy )
|
||||
networkmanager? ( ~dev-qt/qtdbus-${PV} )
|
||||
ssl? (
|
||||
!libressl? ( dev-libs/openssl:0=[bindist=] )
|
||||
libressl? ( dev-libs/libressl:0= )
|
||||
)
|
||||
"
|
||||
RDEPEND="${DEPEND}
|
||||
connman? ( net-misc/connman )
|
||||
networkmanager? ( net-misc/networkmanager )
|
||||
"
|
||||
|
||||
PATCHES=(
|
||||
"${FILESDIR}"/${PN}-5.11-libressl.patch
|
||||
)
|
||||
|
||||
QT5_TARGET_SUBDIRS=(
|
||||
src/network
|
||||
src/plugins/bearer/generic
|
||||
)
|
||||
|
||||
QT5_GENTOO_CONFIG=(
|
||||
libproxy
|
||||
ssl::SSL
|
||||
ssl::OPENSSL
|
||||
ssl:openssl-linked:LINKED_OPENSSL
|
||||
)
|
||||
|
||||
QT5_GENTOO_PRIVATE_CONFIG=(
|
||||
:network
|
||||
)
|
||||
|
||||
pkg_setup() {
|
||||
use connman && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/connman)
|
||||
use networkmanager && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/networkmanager)
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
local myconf=(
|
||||
$(use connman || use networkmanager && echo -dbus-linked)
|
||||
$(qt_use libproxy)
|
||||
$(usex ssl -openssl-linked '')
|
||||
)
|
||||
qt5-build_src_configure
|
||||
}
|
|
@ -0,0 +1,2 @@
|
|||
DIST linux-4.19.25.tar.xz 103160576 BLAKE2B 25952ebcdf9010a992eabe088e87610f2033c5768251d257fb7d5041e0def50faf798d0ec2a00e7c8e6bcb6ef6b9ea6dfd3b19c75145fdff3e11cb6d7d768544 SHA512 d7f6cb0980640a772008f3517e260e545d201658d2202834fba82f9abc6d05a2917d45d8ab8885c0282c1064dbd9149adc5df307ba3ea063dbe1a9dde40c8810
|
||||
EBUILD bpftool-4.19.25.ebuild 466 BLAKE2B 6437628dfe4071b152f48b083090abea818bdc9e24f9403731c15e839c89cb2295df27cba32ffa96df7fda7edc4a5f061e9d866d8dd05cbdc32c885b8def52b3 SHA512 3805e4fe843ec60d1a5cd917c6596e76b21b396d9a065445f65ed8281e2bb88cb61253a0480c535e5d0302251b78bf46586a38e212dfd0c7eab7a1a4d793380c
|
|
@ -0,0 +1,19 @@
|
|||
# Copyright 2019 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
DESCRIPTION="BPFTOOL - tool for inspection and simple manipulation of eBPF programs and maps"
|
||||
HOMEPAGE="https://www.kernel.org/"
|
||||
SRC_URI="https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/linux-${PV}.tar.xz"
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="amd64 ~x86"
|
||||
IUSE=""
|
||||
|
||||
DEPEND=""
|
||||
RDEPEND="${DEPEND}"
|
||||
BDEPEND=""
|
||||
|
||||
S="${WORKDIR}/linux-${PV}/tools/bpf/bpftool"
|
|
@ -0,0 +1 @@
|
|||
masters = gentoo
|
|
@ -0,0 +1,6 @@
|
|||
AUX knot-1.service 337 BLAKE2B a6645b2ab92612f3c6640f4e9601cefe087a519d8a40b222e05dbd44c8b8c5c87a01d500d5ac328fdee1cae3f9dd126448a8b82b979e13a4ff5285fa48b983d5 SHA512 58c4186e57ebd00b86dae34d5d208ed8801c0376da40cccb23b3d4542a7ee04a1003a12a4b89347b76a384b50eae4a61f96164bf22ec987ce05b1c65691659e7
|
||||
AUX knot.init 861 BLAKE2B 30ffe287f4f83058407ceab00b2113dade3b60b38d76c86f156cc31c33cc4f2ec8cf7f22172823755b71385ca18cc1044605b5479c9de05284f911d500b5dc40 SHA512 e5faa96cbee618e9042bdfd0628f06c4bc4d23c7295521771e16f6eae715835a240799e8425317b03b1ea162966defb5d6b6592139cb1d9d61b47a24961ec9b9
|
||||
AUX knot.service 275 BLAKE2B c39b50630a84cb20d33a02ad82c0fc0c994b098766af0cd3e11b4ac6e2f6e6ebc38d6e5b99c358d5e771022fd6ad14fb7e04e95fd77ba677d10950e1fc52e9a9 SHA512 37c4700320a2781aa93ca92bc2634c3e080c87337b7d632d0e2fa23f6e2e8fa1985d1d8e2516fed02b612da4d340472d5f8d0ae37c5b323ac17bbd61ca243a86
|
||||
DIST knot-2.7.6.tar.xz 1151068 BLAKE2B aba7b9f89d98ddabe5596198b0767b6d88cab2278eda33bea2738bcc2f62bc3b7463ee517488f8d2efa40b11859b3aefaa212999968654e5e5580969a173ec8e SHA512 6b6a727d57337da01e2d44abec7fde4504d112604769b118fe6254b0317f149ed4e9fab321a04517eccedb08e409818d1817fc1136c27d1fd351538e6816022a
|
||||
EBUILD knot-2.7.6.ebuild 1923 BLAKE2B 188b6e9f09fdfe7a2c2d8e608e67833ca97a7b355987ae28668b21dda27ae3e4aec16466c897cdf7b67be6aa20e3db27b6ce2db2a37a76ef3cca02733baa3abf SHA512 31c5bd0cca511d35d661de2593c4d467d32d6dbde95f58a9e5f0a40d4bd923932bd141aeb5deaea1daa8d742ea9be21dafdcdae9ac9ba7335f5f565853a6305b
|
||||
MISC metadata.xml 1776 BLAKE2B 704ee480034e47aa62a552ae559671728d96df078dca931c9acc1ab58bcd502188c21820cc8300f536e793515765ed32f6e9cc8f48d9b01b91a959df98a9aa92 SHA512 57ec897a014478f4f5693cd242ecf76215dcf2c331e951bc2a5c0f7b492a76a49cb86d54885325fff2777470119da2f8ea140afece4b70ae410ffe50a4a4679a
|
|
@ -0,0 +1,17 @@
|
|||
[Unit]
|
||||
Description=Knot high-performance DNS Server
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/knotd
|
||||
ExecReload=/usr/sbin/knotc reload
|
||||
ExecStop=/usr/sbin/knotc stop
|
||||
PrivateTmp=true
|
||||
User=knot
|
||||
Group=knot
|
||||
RuntimeDirectory=knot
|
||||
RuntimeDirectoryMode=750
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,41 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2013 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
command=/usr/sbin/knotd
|
||||
command_args="-d"
|
||||
pidfile=/var/run/knot/knot.pid
|
||||
required_files=/etc/knot/knot.conf
|
||||
extra_started_commands="reload"
|
||||
description_reload="Reload configuration and changed zones."
|
||||
|
||||
depend() {
|
||||
need net
|
||||
}
|
||||
|
||||
start() {
|
||||
checkpath -d -m 0750 -o knot:knot /var/run/knot/ /var/lib/knot/
|
||||
|
||||
ebegin "Starting knot"
|
||||
start-stop-daemon --start \
|
||||
--pidfile $pidfile --exec $command -- $command_args
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stoping knot"
|
||||
/usr/sbin/knotc stop >/dev/null 2>&1
|
||||
# In case remote control is not working
|
||||
if [ "$?" != 0 ]; then
|
||||
if [ -f $pidfile ]; then
|
||||
start-stop-daemon --stop --pidfile $pidfile
|
||||
fi
|
||||
fi
|
||||
ewend $?
|
||||
}
|
||||
|
||||
reload() {
|
||||
ebegin "Reloading knot"
|
||||
/usr/sbin/knotc reload >/dev/null
|
||||
eend $?
|
||||
}
|
|
@ -0,0 +1,14 @@
|
|||
[Unit]
|
||||
Description=Knot high-performance DNS Server
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/knotd
|
||||
ExecReload=/usr/sbin/knotc reload
|
||||
ExecStop=/usr/sbin/knotc stop
|
||||
PrivateTmp=true
|
||||
RuntimeDirectory=knot
|
||||
RuntimeDirectoryMode=750
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,106 @@
|
|||
# Copyright 1999-2018 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
inherit systemd user
|
||||
|
||||
DESCRIPTION="High-performance authoritative-only DNS server"
|
||||
HOMEPAGE="https://www.knot-dns.cz/"
|
||||
SRC_URI="https://secure.nic.cz/files/knot-dns/${P/_/-}.tar.xz"
|
||||
|
||||
LICENSE="GPL-3"
|
||||
SLOT="0"
|
||||
KEYWORDS="~amd64 ~x86"
|
||||
|
||||
KNOT_MODULES=(
|
||||
"+cookies"
|
||||
"+dnsproxy"
|
||||
"dnstap"
|
||||
"geoip"
|
||||
"+noudp"
|
||||
"+onlinesign"
|
||||
"+queryacl"
|
||||
"+rrl"
|
||||
"+stats"
|
||||
"+synthrecord"
|
||||
"+whoami"
|
||||
)
|
||||
IUSE="doc caps +fastparser idn libidn2 systemd +utils ${KNOT_MODULES[@]}"
|
||||
|
||||
RDEPEND="
|
||||
dev-db/lmdb
|
||||
dev-libs/libedit
|
||||
dev-libs/userspace-rcu:=
|
||||
dev-python/lmdb
|
||||
net-libs/gnutls
|
||||
caps? ( sys-libs/libcap-ng )
|
||||
dnstap? (
|
||||
dev-libs/fstrm
|
||||
dev-libs/protobuf-c
|
||||
)
|
||||
geoip? ( dev-libs/libmaxminddb )
|
||||
idn? (
|
||||
!libidn2? ( net-dns/libidn:* )
|
||||
libidn2? ( net-dns/libidn2 )
|
||||
)
|
||||
systemd? ( sys-apps/systemd )
|
||||
"
|
||||
BDEPEND="${RDEPEND}
|
||||
virtual/pkgconfig
|
||||
doc? ( dev-python/sphinx )
|
||||
"
|
||||
|
||||
S="${WORKDIR}/${P/_/-}"
|
||||
|
||||
src_configure() {
|
||||
local u
|
||||
local my_conf=(
|
||||
--with-storage="${EPREFIX}/var/lib/${PN}"
|
||||
--with-rundir="${EPREFIX}/var/run/${PN}"
|
||||
$(use_enable fastparser)
|
||||
$(use_enable dnstap)
|
||||
$(use_enable doc documentation)
|
||||
$(use_enable utils utilities)
|
||||
--enable-systemd=$(usex systemd)
|
||||
$(use_with idn libidn)
|
||||
)
|
||||
|
||||
for u in "${KNOT_MODULES[@]#+}"; do
|
||||
my_conf+=("$(use_with ${u} module-${u})")
|
||||
done
|
||||
|
||||
econf "${my_conf[@]}"
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
default
|
||||
|
||||
if use doc; then
|
||||
emake -C doc html
|
||||
HTML_DOCS=( doc/_build/html/{*.html,*.js,_sources,_static} )
|
||||
fi
|
||||
}
|
||||
|
||||
src_test() {
|
||||
emake check
|
||||
}
|
||||
|
||||
src_install() {
|
||||
default
|
||||
|
||||
rmdir "${D}/var/run/${PN}" "${D}/var/run/" || die
|
||||
keepdir /var/lib/${PN}
|
||||
|
||||
newinitd "${FILESDIR}/knot.init" knot
|
||||
if use systemd; then
|
||||
systemd_newunit "${FILESDIR}/knot-1.service" knot.service
|
||||
fi
|
||||
|
||||
find "${D}" -name '*.la' -delete || die
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
enewgroup knot 53
|
||||
enewuser knot 53 -1 /var/lib/knot knot
|
||||
}
|
|
@ -0,0 +1,65 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="person">
|
||||
<email>nemunaire@nemunai.re</email>
|
||||
<name>Pierre-Olivier Mercier</name>
|
||||
</maintainer>
|
||||
<maintainer type="project">
|
||||
<email>proxy-maint@gentoo.org</email>
|
||||
<name>Proxy Maintainers</name>
|
||||
</maintainer>
|
||||
<use>
|
||||
<flag name="cookies">
|
||||
Enable the DNS cookie module (RFC 7873)
|
||||
</flag>
|
||||
<flag name="dnsproxy">
|
||||
Enable the tiny DNS proxy module
|
||||
</flag>
|
||||
<flag name="dnstap">
|
||||
Include support for the dnstap binary log format
|
||||
(http://dnstap.info/)
|
||||
</flag>
|
||||
<flag name="fastparser">
|
||||
Use a zone file parser that is faster, but requires
|
||||
more memory and CPU time to compile
|
||||
</flag>
|
||||
<flag name="geoip">
|
||||
Enable the Geography-based responses module
|
||||
</flag>
|
||||
<flag name="libidn2">
|
||||
If IDN support is enabled, use net-dns/libidn2 instead
|
||||
of net-dns/libidn
|
||||
</flag>
|
||||
<flag name="noudp">
|
||||
Enable the module which can send empty truncated
|
||||
responses to UDP queries
|
||||
</flag>
|
||||
<flag name="onlinesign">
|
||||
Enable the module that sign zones on the fly instead of
|
||||
pre-signing zone
|
||||
</flag>
|
||||
<flag name="queryacl">
|
||||
Enable the module for query access control
|
||||
</flag>
|
||||
<flag name="rosedb">
|
||||
Enable the module that staticaly override certain
|
||||
responses
|
||||
</flag>
|
||||
<flag name="rrl">
|
||||
Enable the response rate limiting module
|
||||
</flag>
|
||||
<flag name="stats">
|
||||
Enable the server statistics module
|
||||
</flag>
|
||||
<flag name="synthrecord">
|
||||
Enable the automatic forward/reverse records module
|
||||
</flag>
|
||||
<flag name="utils">
|
||||
Install Knot utilities, such as kdig, kzonecheck, ...
|
||||
</flag>
|
||||
<flag name="whoami">
|
||||
Enable the whoami response module
|
||||
</flag>
|
||||
</use>
|
||||
</pkgmetadata>
|
|
@ -0,0 +1,22 @@
|
|||
AUX Do-not-pass-null-pointer-to-freeaddrinfo.diff 1063 BLAKE2B 1181e4b44e5a9ecfef46e72a83d3a67c7725024879d7ec13c0424c07784faeee06b4f69d99a9e83401f9d5f1e55152993a57ce8094d4930f163d4abd7e7a4cde SHA512 ea51cdaa1a15910c05b18808a67d68822bc9e0c5d6f615aee2a374b7879d3bd55cd6c8b2e9976cc3bf7958d0f0abb9d191ac3df16f79b23e6c9caf90c459b200
|
||||
AUX exports 66 BLAKE2B 8ddc8e1b7888570cf7ce21ecebf0fb390ab394d25e60f1d914406396b23cb3cbf243a15a199f30608ac7e3c0abde73f48e0ccea605a3dadad654dfd8d6572dcd SHA512 fd8052dc8e17eccb0bb1443f341c97ec7c9dac5824294cadf486d91475bc728d4bb69300034b528a690707520590f6675ee371f92e9838afc8ed88092ee0f220
|
||||
AUX nfs-utils-1.1.4-mtab-sym.patch 1020 BLAKE2B 6f1315a02a6070443fbd8cc943e382a02ac8ee99dbbc78f6b1b6c835548b80a78238ae4f7de18c7f02687df370bc58d628ed2bdbf216a41e80b5b589f1952c3c SHA512 1cd916028a8515772f05ef63832d73a09e9720055aedc9e2e4ce3a08ce1820948700a4f00ca9c4ee684880f18e67aca888dd857fc7931d923021ba50964be998
|
||||
AUX nfs-utils-1.2.8-cross-build.patch 1323 BLAKE2B 51ec6b58436725e78fd9000aa1d97a1a73e7884bea01e0d22d5ec0a88cc4d5c8f152baaeb2b602961232c08330b311f3e98cb79c40b7d700a279842430e484d9 SHA512 42a41411d0de384b66a2875fa9ea15e4b854150b5f75ba2db54ad7785fd147ee329eb8867d24a26b2b1d9ef89bd887caeaf0b5a59cdda15f5a11c47888882b9a
|
||||
AUX nfs-utils-2.3.1-svcgssd_undefined_reference.patch 1055 BLAKE2B a2f045f7886eb0772ad9b30ddc1c98294039e32f92eb811dcccde8926eda7d33c42b34e07912fcb536ed96a2f0b2114eb293689380751f3c786bdea6a6923ba7 SHA512 21361593415c497fa5a0bbd547b2cb0e0512ad8b3deb2397aba6a453cce840876d607015e46d8c3a367cd478395420d8b24e2f3a7f73d0e75d5a2445e4e46ef2
|
||||
AUX nfs-utils-musl.patch 797 BLAKE2B 8c29bbf4f2e08c376b738c811f354a0886a82a3bf2d63ec418bd54f3dde03c5975eade103b00882dcc876855a4180bf1a1b518c3f7ee17dda485009a64d10ff6 SHA512 e4c9467af1d29a252aef4965589d0eb125f65f0e62bda23b085fe5daef21d0bea3a9198fe7d82c44a1696ead4d96762f68e1d641ad84c7950b4ab8bdfa1cb3e0
|
||||
AUX nfs-utils.conf 74 BLAKE2B 504c298c1e8e7eb596cd87813f1aeeac5cbc830bb85be9e26ed98f7ed85cdbd14ae2c47b0e111c912398ef28ef629e6de7e585a7b161624e9698ea208750fd9f SHA512 d72c0fbdf12cb1ddf8eaa5885e1ed93a2078c40ca48eb8868836fb72fa456c4865df15273fb7472f70dfe8098167e695b1340ff9a59b55e73b47690baaf977d6
|
||||
AUX nfs.confd 930 BLAKE2B 4ef1662b31cffd78b0e96396ad74dc8b8135a9a18956fa1267639d2069893d4f218ded5809497b56d19a192e7e18408e1d1b56bd1535abed8db236bc1a1649cb SHA512 bc11b073735ee86c96b9c249ee187f4d16329c279a4e26760875059d2b5fa1d510ef3e4df5ee9dfb2a3133d755e1eb5c323d2fadc432a0cf630191ec353ac535
|
||||
AUX nfs.initd 4244 BLAKE2B 0df8f270cf38b16efb331202d300d0bd648ee90c9dc44704e4db6f6aaad53e1c16059e94e14278923db59ce17752e4f034ad948ed53d6f2aefe8ecd6faf808c9 SHA512 f7feb79cfcab0478affb640d1e5ad059757c88d51cc790fd54cde2fd7ed2e3cfd8f7f4c2de993d99da03e8ce3bdfb2750a4cb997b850fe33d0ef76d9b91c9018
|
||||
AUX nfsclient.confd 592 BLAKE2B b661b726aa50f904752ec73a201a088f403a1e0f8d11181615e794da259a03b98131fff68e27645d4371564c796bb44915d6a13db9dc5a909294c4d1613c429d SHA512 f12e67728ac4e76357685e2fe38bd7f6fcd90064165758ffeca145e6962ac44d4ff9d8d57e18cc6925a6ada8e95ad8321e9fc355931a804dd455aae1e4850e92
|
||||
AUX nfsclient.initd 752 BLAKE2B 8e3303be602ed97b9c6db0238b950039ec87830d733e7490f62657953e18d8050d5cd75e603d566b00db86ba910384d36e488d149112c86f1b9ed8e0901f5c16 SHA512 85078e2cd38b37a1e6fbaf0e40cf7690f403e71d9c8188d542d12fe56bfc02a49763c7bcc7742691754acc37928468c215db2795bebc29a5dfb052ba08f407bb
|
||||
AUX nfsmount.confd 326 BLAKE2B c9506a71d28358d0ee7eef18985e3f65decd6cd2735cae17cef911129fe0531e2859c833ef75b04c1521c364c5aa1245d38a03191cb4167f6c1fa02383e7c091 SHA512 6e23897885cc33c49d9c7353b456585a1e0c7300822edba81bc48ba4ccc18297adce137260cc0aa9487aa5ef0aab3eecf931532cfa5bd40fd03bc9e0ddacfb28
|
||||
AUX nfsmount.initd 1014 BLAKE2B 2a8f142c3932afa7867e2e85ed4497a45413a2abe602ac39a1897f912d2c24d4e80be3ed50602c5563eff05ce4476eba2f4e2442fce3deec34558533c26ff73b SHA512 89259b9f0878658d48792b5b2f42b43c966ed098dba1fecf9e07fb0de4aab37ad67655ea8dbcc2361ddab2b5013b2de35a03048a513aaeedf790e4b416a35a54
|
||||
AUX nfsmount.initd-1.3.1 740 BLAKE2B 2668a3c485925f5b670efd11f357c5e0d616c1e1b62863c14b86e3201d5a5d61c1c4f4257b3b19ed8a8194879c67a9ddf996608073474e154f033be719b5ea54 SHA512 a540443a0259360f2476277bc020bb08eb095debe9c8e6a620dba5da1c7850f399673cc1ab505df65aea095a7e67954a9b5b8b26bbfd94e55d62348791af643d
|
||||
AUX rpc.gssd.initd 455 BLAKE2B 9831c82341737d7877b01deebff82bfc49be59f8faabe4b5ee5542912b488460efd226f01e0bad5486faff5f37579ac15c8e8cf410a5eccd79d690c34f2beb4f SHA512 d9d7eeebbe153d3c4784112ed6d50734b5619b3315bb1454f8163de2b78ed8f958029a0e1088de58e9b1b8069184aeab2c8f19af4b957b6be25e4f138960aeac
|
||||
AUX rpc.idmapd.initd 482 BLAKE2B db643d164787a730ed8f1da73cbc045237bb641fcdf297015e6651a4c683a075fdc29d037bc44a9832d45be87d41f37eb4e00ea37fdeed66038cf4a93d1a260f SHA512 f3e88038cb040ffcbca76166f4322d37e39da00d144bc0a17aed4467ab10c6e626fcde6c407d0911d135bfab55622ad2e38ed93788b11459c5882ce60577fb45
|
||||
AUX rpc.pipefs.initd 760 BLAKE2B 4c05275e59d7d19d80779964a3631096258704cec2097f12d87232deecba5d74181f1713e18ebb01f5da9c3833037ba47566414f0b415608ad13e3fa97c8f1e6 SHA512 3d3fa6e7ae01e27d27d88aba1e307c5293dd1cbc9d555737e03c4f1e17988518f4f1e7f7a38a7337f8e8961e8378cc4611769b04db7368460589a3b218ac6d6b
|
||||
AUX rpc.statd.initd 706 BLAKE2B 6c175729706d298307deea1d190703e67edb671a6b2c86216658fc89dafff1ae9f85a25b5386e4c89b86ca1b7b1fce7bb3045f944b7a1aee5b6544594d753cf8 SHA512 7f6baea852fff91b88e15e432ba19f9da0a3e3510b6f550b553912cf3887ce176280367b62bcce2a044730a075e4c1f6d7df1a669556d42725dea6e6e8e967ac
|
||||
AUX rpc.svcgssd.initd 470 BLAKE2B c610a7abc44b86ca242d59f833ffa6e42f48d1c3bf93420988c6c6dfcd5cc4d8e02eaf2f3a86bb8bca7c8952e05017f887e6c4f4290085c41cc095a580e04235 SHA512 819cce4ae0a0f26bc74ce546e149b98420584240a594c9bb4a0a49413750320bde050866f3753c499425ea8d8df094211fb1f7e020ce281791e1933e1bc6a47f
|
||||
DIST nfs-utils-2.3.1.tar.bz2 854899 BLAKE2B f9541b9dc103d978f21d57d8ba0c14a3b30f6ba874b112239d014076c1c72b6654e8e02b4bfea686e658dac84d1e896b872bc2054591275ef1713ae4e7b7d005 SHA512 de3e70f8656bc5b5aa98262685a9e80929c6314234d9bbb74d4c7efcb7a8b2640d48d2100850b403157ebefc8f0eb48598b48238fae795f64c7a0e9a8bff93e3
|
||||
EBUILD nfs-utils-2.3.1-r4.ebuild 5349 BLAKE2B 02240b429f9a3ba1ebbda3caf92ef97f333ea1529311a9bd0e499f02ada5eb7dca78a0b93a681c868989b8d1e15ad97f1faecb3e67e70b172fd3d38fae980e6a SHA512 24e22dd1ba16b2312c33571dfb3b47beb562e578a2c9734efd099d52beed308354963636526e3757b662e07f0b3ebc74a0cbe6974c4e8cc744ae5a19efc40c4a
|
||||
MISC metadata.xml 861 BLAKE2B 14c4f9e530e9c3a695f615d698f7a96d1252c14936849a846536790059c79f992c79246028b1945f496fda813891e1079ef0a6ad3411d18e0ee8ad9b6e0315c3 SHA512 21e7e63ddddda196f114b98b6ae2c67abe9cbabf91d60ab7877b34ed96e749c0ea167169c6ffa0502c80f993bbd2243db7bf544b304900a07d2b6c84141d1cf5
|
|
@ -0,0 +1,36 @@
|
|||
diff -ur nfs-utils-2.3.1.orig/support/export/client.c nfs-utils-2.3.1.mod/support/export/client.c
|
||||
--- nfs-utils-2.3.1.orig/support/export/client.c 2017-12-20 18:40:36.000000000 +0300
|
||||
+++ nfs-utils-2.3.1.mod/support/export/client.c 2019-03-06 16:14:54.974191027 +0300
|
||||
@@ -309,7 +309,8 @@
|
||||
init_addrlist(clp, ai);
|
||||
|
||||
out:
|
||||
- freeaddrinfo(ai);
|
||||
+ if (ai)
|
||||
+ freeaddrinfo(ai);
|
||||
return clp;
|
||||
}
|
||||
|
||||
diff -ur nfs-utils-2.3.1.orig/utils/mountd/cache.c nfs-utils-2.3.1.mod/utils/mountd/cache.c
|
||||
--- nfs-utils-2.3.1.orig/utils/mountd/cache.c 2017-12-20 18:40:36.000000000 +0300
|
||||
+++ nfs-utils-2.3.1.mod/utils/mountd/cache.c 2019-03-06 16:23:28.829378703 +0300
|
||||
@@ -834,7 +834,8 @@
|
||||
out:
|
||||
if (found_path)
|
||||
free(found_path);
|
||||
- freeaddrinfo(ai);
|
||||
+ if (ai)
|
||||
+ freeaddrinfo(ai);
|
||||
free(dom);
|
||||
xlog(D_CALL, "nfsd_fh: found %p path %s", found, found ? found->e_path : NULL);
|
||||
}
|
||||
@@ -1364,7 +1365,8 @@
|
||||
xlog(D_CALL, "nfsd_export: found %p path %s", found, path ? path : NULL);
|
||||
if (dom) free(dom);
|
||||
if (path) free(path);
|
||||
- freeaddrinfo(ai);
|
||||
+ if (ai)
|
||||
+ freeaddrinfo(ai);
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1 @@
|
|||
# /etc/exports: NFS file systems being exported. See exports(5).
|
|
@ -0,0 +1,39 @@
|
|||
ripped from Debian
|
||||
|
||||
--- nfs-utils-1.1.4/utils/mount/fstab.c
|
||||
+++ nfs-utils-1.1.4/utils/mount/fstab.c
|
||||
@@ -57,7 +57,7 @@ mtab_does_not_exist(void) {
|
||||
return var_mtab_does_not_exist;
|
||||
}
|
||||
|
||||
-static int
|
||||
+int
|
||||
mtab_is_a_symlink(void) {
|
||||
get_mtab_info();
|
||||
return var_mtab_is_a_symlink;
|
||||
--- nfs-utils-1.1.4/utils/mount/fstab.h
|
||||
+++ nfs-utils-1.1.4/utils/mount/fstab.h
|
||||
@@ -7,6 +7,7 @@
|
||||
#define _PATH_FSTAB "/etc/fstab"
|
||||
#endif
|
||||
|
||||
+int mtab_is_a_symlink(void);
|
||||
int mtab_is_writable(void);
|
||||
int mtab_does_not_exist(void);
|
||||
void reset_mtab_info(void);
|
||||
--- nfs-utils-1.1.4/utils/mount/mount.c
|
||||
+++ nfs-utils-1.1.4/utils/mount/mount.c
|
||||
@@ -230,6 +230,13 @@ create_mtab (void) {
|
||||
int flags;
|
||||
mntFILE *mfp;
|
||||
|
||||
+ /* Avoid writing if the mtab is a symlink to /proc/mounts, since
|
||||
+ that would create a file /proc/mounts in case the proc filesystem
|
||||
+ is not mounted, and the fchmod below would also fail. */
|
||||
+ if (mtab_is_a_symlink()) {
|
||||
+ return EX_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
lock_mtab();
|
||||
|
||||
mfp = nfs_setmntent (MOUNTED, "a+");
|
|
@ -0,0 +1,48 @@
|
|||
this is kind of hacky, but automake doesn't make this easy
|
||||
for us atm, so hack away :(
|
||||
|
||||
(recent autotools will always add $(CFLAGS)/etc... to the compile)
|
||||
|
||||
--- a/tools/locktest/Makefile.am
|
||||
+++ b/tools/locktest/Makefile.am
|
||||
@@ -1,12 +1,11 @@
|
||||
## Process this file with automake to produce Makefile.in
|
||||
|
||||
CC=$(CC_FOR_BUILD)
|
||||
-LIBTOOL = @LIBTOOL@ --tag=CC
|
||||
+CFLAGS=$(CFLAGS_FOR_BUILD)
|
||||
+CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
|
||||
+LDFLAGS=$(LDFLAGS_FOR_BUILD)
|
||||
|
||||
noinst_PROGRAMS = testlk
|
||||
testlk_SOURCES = testlk.c
|
||||
-testlk_CFLAGS=$(CFLAGS_FOR_BUILD)
|
||||
-testlk_CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
|
||||
-testlk_LDFLAGS=$(LDFLAGS_FOR_BUILD)
|
||||
|
||||
MAINTAINERCLEANFILES = Makefile.in
|
||||
--- a/tools/rpcgen/Makefile.am
|
||||
+++ b/tools/rpcgen/Makefile.am
|
||||
@@ -1,7 +1,9 @@
|
||||
## Process this file with automake to produce Makefile.in
|
||||
|
||||
CC=$(CC_FOR_BUILD)
|
||||
-LIBTOOL = @LIBTOOL@ --tag=CC
|
||||
+CFLAGS=$(CFLAGS_FOR_BUILD)
|
||||
+CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
|
||||
+LDFLAGS=$(LDFLAGS_FOR_BUILD)
|
||||
|
||||
noinst_PROGRAMS = rpcgen
|
||||
rpcgen_SOURCES = rpc_clntout.c rpc_cout.c rpc_hout.c rpc_main.c \
|
||||
@@ -9,10 +11,6 @@
|
||||
rpc_util.c rpc_sample.c rpc_output.h rpc_parse.h \
|
||||
rpc_scan.h rpc_util.h
|
||||
|
||||
-rpcgen_CFLAGS=$(CFLAGS_FOR_BUILD)
|
||||
-rpcgen_CPPLAGS=$(CPPFLAGS_FOR_BUILD)
|
||||
-rpcgen_LDFLAGS=$(LDFLAGS_FOR_BUILD)
|
||||
-rpcgen_LDADD=$(LIBTIRPC)
|
||||
|
||||
MAINTAINERCLEANFILES = Makefile.in
|
||||
|
||||
EXTRA_DIST = rpcgen.new.1
|
|
@ -0,0 +1,40 @@
|
|||
From 1451d7585bf1c622658ccc04abac7e79ffe40263 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Mitchell <jumitche@redhat.com>
|
||||
Date: Mon, 8 Jan 2018 09:14:11 -0500
|
||||
Subject: [PATCH] svcgssd: Update svcgssd so that it builds
|
||||
|
||||
Since a15bd948 the --enable-svcgss option no longer builds
|
||||
as svcgssd references functions which were changed at that time.
|
||||
Fix those, and other function changes since then.
|
||||
|
||||
Signed-off-by: Justin Mitchell <jumitche@redhat.com>
|
||||
Signed-off-by: Steve Dickson <steved@redhat.com>
|
||||
---
|
||||
utils/gssd/svcgssd.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/utils/gssd/svcgssd.c b/utils/gssd/svcgssd.c
|
||||
index 3514ae1..23f0c0b 100644
|
||||
--- a/utils/gssd/svcgssd.c
|
||||
+++ b/utils/gssd/svcgssd.c
|
||||
@@ -63,6 +63,8 @@
|
||||
#include "err_util.h"
|
||||
#include "conffile.h"
|
||||
|
||||
+struct state_paths etab;
|
||||
+
|
||||
void
|
||||
sig_die(int signal)
|
||||
{
|
||||
@@ -101,7 +103,7 @@ main(int argc, char *argv[])
|
||||
char *principal = NULL;
|
||||
char *s;
|
||||
|
||||
- conf_init(NFS_CONFFILE);
|
||||
+ conf_init_file(NFS_CONFFILE);
|
||||
|
||||
s = conf_get_str("svcgssd", "principal");
|
||||
if (!s)
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
--- nfs-utils-2.3.1/configure.ac.orig 2018-05-21 11:05:01.939912918 -0700
|
||||
+++ nfs-utils-2.3.1/configure.ac 2018-05-21 11:05:10.531968707 -0700
|
||||
@@ -401,7 +401,7 @@
|
||||
fi
|
||||
|
||||
dnl libdnsidmap specific checks
|
||||
-AC_CHECK_LIB([resolv], [__res_querydomain], , AC_MSG_ERROR(res_querydomain needed))
|
||||
+AC_CHECK_LIB([resolv], [res_querydomain], , AC_MSG_ERROR(res_querydomain needed))
|
||||
|
||||
AC_ARG_ENABLE([ldap],
|
||||
[AS_HELP_STRING([--disable-ldap],[Disable support for LDAP @<:default=detect@:>@])])
|
||||
--- nfs-utils-2.3.1/support/misc/file.c.orig 2018-05-21 18:15:37.572007979 +0000
|
||||
+++ nfs-utils-2.3.1/support/misc/file.c 2018-05-21 18:15:43.668047008 +0000
|
||||
@@ -27,6 +27,7 @@
|
||||
#include <dirent.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdbool.h>
|
||||
+#include <limits.h> /* PATH_MAX */
|
||||
|
||||
#include "xlog.h"
|
||||
#include "misc.h"
|
|
@ -0,0 +1,3 @@
|
|||
d /var/lib/nfs/rpc_pipefs
|
||||
d /var/lib/nfs/v4recovery
|
||||
d /var/lib/nfs/v4root
|
|
@ -0,0 +1,38 @@
|
|||
# /etc/conf.d/nfs
|
||||
|
||||
# If you wish to set the port numbers for lockd,
|
||||
# please see /etc/sysctl.conf
|
||||
|
||||
# Optional services to include in default `/etc/init.d/nfs start`
|
||||
# For NFSv4 users, you'll want to add "rpc.idmapd" here.
|
||||
NFS_NEEDED_SERVICES=""
|
||||
|
||||
# Options to pass to rpc.nfsd
|
||||
OPTS_RPC_NFSD="8"
|
||||
|
||||
# Options to pass to rpc.mountd
|
||||
# ex. OPTS_RPC_MOUNTD="-p 32767"
|
||||
OPTS_RPC_MOUNTD=""
|
||||
|
||||
# Options to pass to rpc.statd
|
||||
# ex. OPTS_RPC_STATD="-p 32765 -o 32766"
|
||||
OPTS_RPC_STATD=""
|
||||
|
||||
# Options to pass to rpc.idmapd
|
||||
OPTS_RPC_IDMAPD=""
|
||||
|
||||
# Options to pass to rpc.gssd
|
||||
OPTS_RPC_GSSD=""
|
||||
|
||||
# Options to pass to rpc.svcgssd
|
||||
OPTS_RPC_SVCGSSD=""
|
||||
|
||||
# Options to pass to rpc.rquotad (requires sys-fs/quota)
|
||||
OPTS_RPC_RQUOTAD=""
|
||||
|
||||
# Timeout (in seconds) for exportfs
|
||||
EXPORTFS_TIMEOUT=30
|
||||
|
||||
# Options to set in the nfsd filesystem (/proc/fs/nfsd/).
|
||||
# Format is <option>=<value>. Multiple options are allowed.
|
||||
#OPTS_NFSD="nfsv4leasetime=30 max_block_size=4096"
|
|
@ -0,0 +1,162 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2014 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
extra_started_commands="reload"
|
||||
|
||||
# This variable is used for controlling whether or not to run exportfs -ua;
|
||||
# see stop() for more information
|
||||
restarting=no
|
||||
|
||||
# The binary locations
|
||||
exportfs=/usr/sbin/exportfs
|
||||
mountd=/usr/sbin/rpc.mountd
|
||||
nfsd=/usr/sbin/rpc.nfsd
|
||||
smnotify=/usr/sbin/sm-notify
|
||||
|
||||
depend() {
|
||||
local myneed=""
|
||||
# XXX: no way to detect NFSv4 is desired and so need rpc.idmapd
|
||||
myneed="${myneed} $(
|
||||
awk '!/^[[:space:]]*#/ {
|
||||
# clear the path to avoid spurious matches
|
||||
$1 = "";
|
||||
if ($0 ~ /[(][^)]*sec=(krb|spkm)[^)]*[)]/) {
|
||||
print "rpc.svcgssd"
|
||||
exit 0
|
||||
}
|
||||
}' /etc/exports /etc/exports.d/*.exports 2>/dev/null
|
||||
)"
|
||||
config /etc/exports /etc/exports.d/*.exports
|
||||
need portmap rpc.statd ${myneed} ${NFS_NEEDED_SERVICES}
|
||||
use ypbind net dns rpc.rquotad rpc.idmapd rpc.svcgssd
|
||||
after quota
|
||||
}
|
||||
|
||||
mkdir_nfsdirs() {
|
||||
local d
|
||||
for d in v4recovery v4root ; do
|
||||
d="/var/lib/nfs/${d}"
|
||||
[ ! -d "${d}" ] && mkdir -p "${d}"
|
||||
done
|
||||
}
|
||||
|
||||
waitfor_exportfs() {
|
||||
local pid=$1
|
||||
( sleep ${EXPORTFS_TIMEOUT:-30}; kill -9 ${pid} 2>/dev/null ) &
|
||||
wait $1
|
||||
}
|
||||
|
||||
mount_nfsd() {
|
||||
if [ -e /proc/modules ] ; then
|
||||
# Make sure nfs support is loaded in the kernel #64709
|
||||
if ! grep -qs nfsd /proc/filesystems ; then
|
||||
modprobe -q nfsd
|
||||
fi
|
||||
# Restart idmapd if needed #220747
|
||||
if grep -qs nfsd /proc/modules ; then
|
||||
killall -q -HUP rpc.idmapd
|
||||
fi
|
||||
fi
|
||||
|
||||
# This is the new "kernel 2.6 way" to handle the exports file
|
||||
if grep -qs nfsd /proc/filesystems ; then
|
||||
if ! mountinfo -q /proc/fs/nfsd ; then
|
||||
ebegin "Mounting nfsd filesystem in /proc"
|
||||
mount -t nfsd -o nodev,noexec,nosuid nfsd /proc/fs/nfsd
|
||||
eend $?
|
||||
fi
|
||||
|
||||
local o
|
||||
for o in ${OPTS_NFSD} ; do
|
||||
echo "${o#*=}" > "/proc/fs/nfsd/${o%%=*}"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
start_it() {
|
||||
ebegin "Starting NFS $1"
|
||||
shift
|
||||
"$@"
|
||||
eend $?
|
||||
ret=$((ret + $?))
|
||||
}
|
||||
start() {
|
||||
mount_nfsd
|
||||
mkdir_nfsdirs
|
||||
|
||||
# Exportfs likes to hang if networking isn't working.
|
||||
# If that's the case, then try to kill it so the
|
||||
# bootup process can continue.
|
||||
if grep -qs '^[[:space:]]*/' /etc/exports /etc/exports.d/*.exports ; then
|
||||
ebegin "Exporting NFS directories"
|
||||
${exportfs} -r &
|
||||
waitfor_exportfs $!
|
||||
eend $?
|
||||
fi
|
||||
|
||||
local ret=0
|
||||
start_it mountd ${mountd} ${OPTS_RPC_MOUNTD}
|
||||
start_it daemon ${nfsd} ${OPTS_RPC_NFSD}
|
||||
[ -x "${smnotify}" ] && start_it smnotify ${smnotify} ${OPTS_SMNOTIFY}
|
||||
return ${ret}
|
||||
}
|
||||
|
||||
stop() {
|
||||
local ret=0
|
||||
|
||||
ebegin "Stopping NFS mountd"
|
||||
start-stop-daemon --stop --exec ${mountd}
|
||||
eend $?
|
||||
ret=$((ret + $?))
|
||||
|
||||
# nfsd sets its process name to [nfsd] so don't look for $nfsd
|
||||
ebegin "Stopping NFS daemon"
|
||||
start-stop-daemon --stop --name nfsd --user root --signal 2
|
||||
eend $?
|
||||
ret=$((ret + $?))
|
||||
# in case things don't work out ... #228127
|
||||
rpc.nfsd 0
|
||||
|
||||
# When restarting the NFS server, running "exportfs -ua" probably
|
||||
# isn't what the user wants. Running it causes all entries listed
|
||||
# in xtab to be removed from the kernel export tables, and the
|
||||
# xtab file is cleared. This effectively shuts down all NFS
|
||||
# activity, leaving all clients holding stale NFS filehandles,
|
||||
# *even* when the NFS server has restarted.
|
||||
#
|
||||
# That's what you would want if you were shutting down the NFS
|
||||
# server for good, or for a long period of time, but not when the
|
||||
# NFS server will be running again in short order. In this case,
|
||||
# then "exportfs -r" will reread the xtab, and all the current
|
||||
# clients will be able to resume NFS activity, *without* needing
|
||||
# to umount/(re)mount the filesystem.
|
||||
if [ "${restarting}" = no -o "${RC_CMD}" = "restart" ] ; then
|
||||
ebegin "Unexporting NFS directories"
|
||||
# Exportfs likes to hang if networking isn't working.
|
||||
# If that's the case, then try to kill it so the
|
||||
# shutdown process can continue.
|
||||
${exportfs} -ua &
|
||||
waitfor_exportfs $!
|
||||
eend $?
|
||||
fi
|
||||
|
||||
return ${ret}
|
||||
}
|
||||
|
||||
reload() {
|
||||
# Exportfs likes to hang if networking isn't working.
|
||||
# If that's the case, then try to kill it so the
|
||||
# bootup process can continue.
|
||||
ebegin "Reloading /etc/exports"
|
||||
${exportfs} -r 1>&2 &
|
||||
waitfor_exportfs $!
|
||||
eend $?
|
||||
}
|
||||
|
||||
restart() {
|
||||
# See long comment in stop() regarding "restarting" and exportfs -ua
|
||||
restarting=yes
|
||||
svc_stop
|
||||
svc_start
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
# You need to decide which nfs protocol version you want to use.
|
||||
# If you are unsure, leave these alone.
|
||||
#
|
||||
# If you are using only nfsv4, uncomment this line:
|
||||
#
|
||||
#rc_need="!rpc.statd"
|
||||
#
|
||||
# If you are using only nfsv3, uncomment this line:
|
||||
#
|
||||
#rc_need="!rpc.idmapd"
|
||||
#
|
||||
# You will need to set the dependencies in the nfsclient script to match
|
||||
# the network configuration tools you are using. This should be done in
|
||||
# this file by following the examples below, and not by changing the
|
||||
# service script itself. See /etc/conf.d/netmount for more examples.
|
||||
#
|
||||
# This is a safe default.
|
||||
rc_after="net"
|
|
@ -0,0 +1,33 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
|
||||
|
||||
depend() {
|
||||
local opts myneed=""
|
||||
if [ -e /etc/fstab ] ; then
|
||||
for opts in $(fstabinfo -o -t nfs,nfs4) ; do
|
||||
case $opts in
|
||||
*sec=krb*|*sec=spkm*) myneed="$myneed rpc.gssd" ;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
config /etc/fstab
|
||||
need portmap rpc.statd rpc.idmapd ${myneed}
|
||||
use ypbind dns
|
||||
}
|
||||
|
||||
start() {
|
||||
if [ -x /usr/sbin/sm-notify ] ; then
|
||||
ebegin "Starting NFS sm-notify"
|
||||
/usr/sbin/sm-notify ${OPTS_SMNOTIFY}
|
||||
eend $?
|
||||
fi
|
||||
|
||||
# Make sure nfs support is loaded in the kernel #64709
|
||||
if [ -e /proc/modules ] && ! grep -qs 'nfs$' /proc/filesystems ; then
|
||||
modprobe -q nfs
|
||||
fi
|
||||
return 0
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
# You will need to set the dependencies in the nfsmount script to match
|
||||
# the network configuration tools you are using. This should be done in
|
||||
# this file by following the examples below, and not by changing the
|
||||
# service script itself. See /etc/conf.d/netmount for more examples.
|
||||
#
|
||||
# This is a safe default.
|
||||
rc_after="net"
|
|
@ -0,0 +1,47 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2013 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
|
||||
|
||||
depend() {
|
||||
local myneed=""
|
||||
if [ -e /etc/fstab ] ; then
|
||||
myneed="${myneed} $(
|
||||
awk '!/^[[:space:]]*#/ && ($3 == "nfs" || $3 == "nfs4") {
|
||||
if ($3 == "nfs4")
|
||||
idmapd = "rpc.idmapd"
|
||||
if ($4 ~ /sec=(krb|spkm)/)
|
||||
gssd = "rpc.gssd"
|
||||
}
|
||||
END { print idmapd " " gssd }
|
||||
' /etc/fstab
|
||||
)"
|
||||
fi
|
||||
config /etc/fstab
|
||||
need portmap rpc.statd ${myneed}
|
||||
use ypbind dns rpc.idmapd rpc.gssd
|
||||
}
|
||||
|
||||
start() {
|
||||
if [ -x /usr/sbin/sm-notify ] ; then
|
||||
ebegin "Starting NFS sm-notify"
|
||||
/usr/sbin/sm-notify ${OPTS_SMNOTIFY}
|
||||
eend $?
|
||||
fi
|
||||
|
||||
# Make sure nfs support is loaded in the kernel #64709
|
||||
if [ -e /proc/modules ] && ! grep -qs 'nfs$' /proc/filesystems ; then
|
||||
modprobe -q nfs
|
||||
fi
|
||||
|
||||
ebegin "Mounting NFS filesystems"
|
||||
mount -a -t nfs,nfs4
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Unmounting NFS filesystems"
|
||||
umount -a -t nfs,nfs4
|
||||
eend $?
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
# This is mostly as a fix for bug #537996, to avoid breaking existing users
|
||||
# with nfsmount in their runlevels.
|
||||
# If neither nfsclient nor netmount are in your runlevels, and you manually
|
||||
# start netmount before nfsclient, then this will break. A real solution is
|
||||
# forthcoming, but requires feature development, see bug #406021 for soft
|
||||
# dependencies
|
||||
depend() {
|
||||
need nfsclient netmount
|
||||
}
|
||||
|
||||
msg() {
|
||||
ewarn "nfsmount is deprecated, please migrate as described in the news item: 2015-02-02-nfs-service-changes"
|
||||
ewarn "This migration script will be removed after 01 Aug 2015."
|
||||
}
|
||||
|
||||
start() {
|
||||
msg
|
||||
}
|
||||
|
||||
stop() {
|
||||
msg
|
||||
}
|
|
@ -0,0 +1,23 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2008 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
|
||||
|
||||
depend() {
|
||||
use ypbind net
|
||||
need portmap rpc.pipefs
|
||||
after quota
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting gssd"
|
||||
start-stop-daemon --start --exec /usr/sbin/rpc.gssd -- ${OPTS_RPC_GSSD}
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping gssd"
|
||||
start-stop-daemon --stop --exec /usr/sbin/rpc.gssd
|
||||
eend $?
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2008 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
|
||||
|
||||
rpc_bin=/usr/sbin/rpc.idmapd
|
||||
|
||||
depend() {
|
||||
use ypbind net
|
||||
need portmap rpc.pipefs
|
||||
after quota
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting idmapd"
|
||||
${rpc_bin} ${OPTS_RPC_IDMAPD}
|
||||
eend $? "make sure DNOTIFY support is enabled ..."
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping idmapd"
|
||||
start-stop-daemon --stop --exec ${rpc_bin}
|
||||
eend $?
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2014 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
MNT="/var/lib/nfs/rpc_pipefs"
|
||||
|
||||
mount_pipefs() {
|
||||
local fstype=rpc_pipefs
|
||||
|
||||
# if things are already mounted, nothing to do
|
||||
mountinfo -q ${MNT} && return 0
|
||||
|
||||
# if rpc_pipefs is not available, try to load sunrpc for it #219566
|
||||
grep -qs ${fstype} /proc/filesystems || modprobe -q sunrpc
|
||||
# if still not available, the `mount` will issue an error for the user
|
||||
|
||||
# now just do it for kicks
|
||||
mkdir -p ${MNT}
|
||||
mount -t ${fstype} ${fstype} ${MNT}
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Setting up RPC pipefs"
|
||||
mount_pipefs
|
||||
eend $? "make sure you have NFS/SUNRPC enabled in your kernel"
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Unmounting RPC pipefs"
|
||||
umount ${MNT}
|
||||
eend $?
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
|
||||
|
||||
rpc_bin=/sbin/rpc.statd
|
||||
rpc_pid=/var/run/rpc.statd.pid
|
||||
|
||||
depend() {
|
||||
use ypbind net
|
||||
need portmap
|
||||
after quota
|
||||
}
|
||||
|
||||
start() {
|
||||
# Don't start rpc.statd if already started by someone else ...
|
||||
# Don't try and kill it if it's already dead ...
|
||||
if killall -q -0 ${rpc_bin} ; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
ebegin "Starting NFS statd"
|
||||
start-stop-daemon --start --exec ${rpc_bin} -- --no-notify ${OPTS_RPC_STATD}
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping NFS statd"
|
||||
start-stop-daemon --stop --exec ${rpc_bin} --pidfile /var/run/rpc.statd.pid
|
||||
eend $?
|
||||
}
|
|
@ -0,0 +1,23 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2008 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
|
||||
|
||||
depend() {
|
||||
use ypbind net
|
||||
need portmap rpc.pipefs
|
||||
after quota
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting svcgssd"
|
||||
start-stop-daemon --start --exec /usr/sbin/rpc.svcgssd -- ${OPTS_RPC_SVCGSSD}
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping svcgssd"
|
||||
start-stop-daemon --stop --exec /usr/sbin/rpc.svcgssd
|
||||
eend $?
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="project">
|
||||
<email>base-system@gentoo.org</email>
|
||||
<name>Gentoo Base System</name>
|
||||
</maintainer>
|
||||
<longdescription>NFS client and server daemons</longdescription>
|
||||
<use>
|
||||
<flag name="ldap">Add ldap support</flag>
|
||||
<flag name="libmount">Link mount.nfs with libmount</flag>
|
||||
<flag name="nfsdcld">Enable nfsdcld NFSv4 clientid tracking daemon</flag>
|
||||
<flag name="nfsidmap">Enable support for newer nfsidmap helper</flag>
|
||||
<flag name="nfsv4">Enable support for NFSv4</flag>
|
||||
<flag name="nfsv41">Enable support for NFSv4.1</flag>
|
||||
<flag name="uuid">Support UUID lookups in rpc.mountd</flag>
|
||||
</use>
|
||||
<upstream>
|
||||
<remote-id type="sourceforge">nfs</remote-id>
|
||||
</upstream>
|
||||
</pkgmetadata>
|
|
@ -0,0 +1,188 @@
|
|||
# Copyright 1999-2018 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
|
||||
inherit autotools flag-o-matic multilib systemd
|
||||
|
||||
DESCRIPTION="NFS client and server daemons"
|
||||
HOMEPAGE="http://linux-nfs.org/"
|
||||
|
||||
if [[ "${PV}" = *_rc* ]] ; then
|
||||
inherit versionator
|
||||
MY_PV="$(replace_all_version_separators -)"
|
||||
SRC_URI="http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=snapshot;h=refs/tags/${PN}-${MY_PV};sf=tgz -> ${P}.tar.gz"
|
||||
S="${WORKDIR}/${PN}-${PN}-${MY_PV}"
|
||||
else
|
||||
SRC_URI="mirror://sourceforge/nfs/${P}.tar.bz2"
|
||||
KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
|
||||
fi
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
IUSE="caps ipv6 kerberos ldap +libmount nfsdcld +nfsidmap +nfsv4 nfsv41 selinux tcpd +uuid"
|
||||
REQUIRED_USE="kerberos? ( nfsv4 )"
|
||||
RESTRICT="test" #315573
|
||||
|
||||
# kth-krb doesn't provide the right include
|
||||
# files, and nfs-utils doesn't build against heimdal either,
|
||||
# so don't depend on virtual/krb.
|
||||
# (04 Feb 2005 agriffis)
|
||||
DEPEND_COMMON="
|
||||
net-libs/libtirpc:=
|
||||
>=net-nds/rpcbind-0.2.4
|
||||
sys-libs/e2fsprogs-libs
|
||||
caps? ( sys-libs/libcap )
|
||||
ldap? ( net-nds/openldap )
|
||||
libmount? ( sys-apps/util-linux )
|
||||
nfsdcld? ( >=dev-db/sqlite-3.3 )
|
||||
nfsv4? (
|
||||
dev-libs/libevent:=
|
||||
>=sys-apps/keyutils-1.5.9
|
||||
kerberos? (
|
||||
>=net-libs/libtirpc-0.2.4-r1[kerberos]
|
||||
app-crypt/mit-krb5
|
||||
)
|
||||
)
|
||||
nfsv41? (
|
||||
sys-fs/lvm2
|
||||
)
|
||||
tcpd? ( sys-apps/tcp-wrappers )
|
||||
uuid? ( sys-apps/util-linux )"
|
||||
RDEPEND="${DEPEND_COMMON}
|
||||
!net-libs/libnfsidmap
|
||||
!net-nds/portmap
|
||||
!<sys-apps/openrc-0.13.9
|
||||
selinux? (
|
||||
sec-policy/selinux-rpc
|
||||
sec-policy/selinux-rpcbind
|
||||
)
|
||||
"
|
||||
DEPEND="${DEPEND_COMMON}
|
||||
virtual/pkgconfig"
|
||||
|
||||
PATCHES=(
|
||||
"${FILESDIR}"/${PN}-1.1.4-mtab-sym.patch
|
||||
"${FILESDIR}"/${PN}-1.2.8-cross-build.patch
|
||||
"${FILESDIR}"/${P}-svcgssd_undefined_reference.patch #641912
|
||||
"${FILESDIR}"/${PN}-musl.patch
|
||||
"${FILESDIR}"/Do-not-pass-null-pointer-to-freeaddrinfo.diff
|
||||
)
|
||||
|
||||
src_prepare() {
|
||||
default
|
||||
|
||||
sed \
|
||||
-e "/^sbindir/s:= := \"${EPREFIX}\":g" \
|
||||
-i utils/*/Makefile.am || die
|
||||
|
||||
eautoreconf
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
export libsqlite3_cv_is_recent=yes # Our DEPEND forces this.
|
||||
export ac_cv_header_keyutils_h=$(usex nfsidmap)
|
||||
local myeconfargs=(
|
||||
--with-statedir="${EPREFIX%/}"/var/lib/nfs
|
||||
--enable-tirpc
|
||||
--with-tirpcinclude="${EPREFIX%/}"/usr/include/tirpc/
|
||||
--with-pluginpath="${EPREFIX%/}"/usr/$(get_libdir)/libnfsidmap
|
||||
--with-systemd="$(systemd_get_systemunitdir)"
|
||||
--without-gssglue
|
||||
$(use_enable caps)
|
||||
$(use_enable ipv6)
|
||||
$(use_enable kerberos gss)
|
||||
$(use_enable kerberos svcgss)
|
||||
$(use_enable ldap)
|
||||
$(use_enable libmount libmount-mount)
|
||||
$(use_enable nfsdcld nfsdcltrack)
|
||||
$(use_enable nfsv4)
|
||||
$(use_enable nfsv41)
|
||||
$(use_enable uuid)
|
||||
$(use_with tcpd tcp-wrappers)
|
||||
)
|
||||
econf "${myeconfargs[@]}"
|
||||
}
|
||||
|
||||
src_compile(){
|
||||
# remove compiled files bundled in the tarball
|
||||
emake clean
|
||||
default
|
||||
}
|
||||
|
||||
src_install() {
|
||||
default
|
||||
rm linux-nfs/Makefile* || die
|
||||
dodoc -r linux-nfs README
|
||||
|
||||
# Don't overwrite existing xtab/etab, install the original
|
||||
# versions somewhere safe... more info in pkg_postinst
|
||||
keepdir /var/lib/nfs/{,sm,sm.bak}
|
||||
mv "${ED%/}"/var/lib/nfs "${ED%/}"/usr/$(get_libdir)/ || die
|
||||
|
||||
# Install some client-side binaries in /sbin
|
||||
dodir /sbin
|
||||
mv "${ED%/}"/usr/sbin/rpc.statd "${ED%/}"/sbin/ || die
|
||||
|
||||
if use nfsv4 && use nfsidmap ; then
|
||||
# Install a config file for idmappers in newer kernels. #415625
|
||||
insinto /etc/request-key.d
|
||||
echo 'create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d' > id_resolver.conf
|
||||
doins id_resolver.conf
|
||||
fi
|
||||
|
||||
insinto /etc
|
||||
doins "${FILESDIR}"/exports
|
||||
keepdir /etc/exports.d
|
||||
|
||||
local f list=() opt_need=""
|
||||
if use nfsv4 ; then
|
||||
opt_need="rpc.idmapd"
|
||||
list+=( rpc.idmapd rpc.pipefs )
|
||||
use kerberos && list+=( rpc.gssd rpc.svcgssd )
|
||||
fi
|
||||
for f in nfs nfsclient rpc.statd "${list[@]}" ; do
|
||||
newinitd "${FILESDIR}"/${f}.initd ${f}
|
||||
done
|
||||
newinitd "${FILESDIR}"/nfsmount.initd-1.3.1 nfsmount # Nuke after 2015/08/01
|
||||
for f in nfs nfsclient ; do
|
||||
newconfd "${FILESDIR}"/${f}.confd ${f}
|
||||
done
|
||||
sed -i \
|
||||
-e "/^NFS_NEEDED_SERVICES=/s:=.*:=\"${opt_need}\":" \
|
||||
"${ED%/}"/etc/conf.d/nfs || die #234132
|
||||
|
||||
local systemd_systemunitdir="$(systemd_get_systemunitdir)"
|
||||
sed -i \
|
||||
-e 's:/usr/sbin/rpc.statd:/sbin/rpc.statd:' \
|
||||
"${ED%/}${systemd_systemunitdir}"/* || die
|
||||
|
||||
keepdir /var/lib/nfs #368505
|
||||
keepdir /var/lib/nfs/v4recovery #603628
|
||||
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
# Install default xtab and friends if there's none existing. In
|
||||
# src_install we put them in /usr/lib/nfs for safe-keeping, but
|
||||
# the daemons actually use the files in /var/lib/nfs. #30486
|
||||
local f
|
||||
for f in "${EROOT%/}"/usr/$(get_libdir)/nfs/*; do
|
||||
[[ -e ${EROOT%/}/var/lib/nfs/${f##*/} ]] && continue
|
||||
einfo "Copying default ${f##*/} from ${EPREFIX}/usr/$(get_libdir)/nfs to ${EPREFIX}/var/lib/nfs"
|
||||
cp -pPR "${f}" "${EROOT%/}"/var/lib/nfs/
|
||||
done
|
||||
|
||||
if systemd_is_booted; then
|
||||
if [[ ${REPLACING_VERSIONS} < 1.3.0 ]]; then
|
||||
ewarn "We have switched to upstream systemd unit files. Since"
|
||||
ewarn "they got renamed, you should probably enable the new ones."
|
||||
ewarn "You can run 'equery files nfs-utils | grep systemd'"
|
||||
ewarn "to know what services you need to enable now."
|
||||
fi
|
||||
else
|
||||
ewarn "If you use OpenRC, the nfsmount service has been replaced with nfsclient."
|
||||
ewarn "If you were using nfsmount, please add nfsclient and netmount to the"
|
||||
ewarn "same runlevel as nfsmount."
|
||||
fi
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
AUX lego.fc 135 BLAKE2B f5518e53fe8d8aed6d19f06b53a9117f72c8773387b0a15f6970fa4e1b3ae985a60a37b8520750a7f16c8efff692c60a560fcaa66fd950675fa7a0627c0c8b97 SHA512 5e457469dc4685fa57175f1825bde5c3323fe7dd83ede73a5987086e90e8cf49c541f142ab5b83f63609323f35d2f3016123365f5dd06d7d55b796b95eba5b18
|
||||
AUX lego.if 3516 BLAKE2B 2209fb75dce7c5a79423be81c0b66e3295f6ffd9113d60e58cfe90e6b41b8563f019d4aff3f2ce285a25fe2ee199eb4d4a42180c7b785d22d1180d49e4a6bc71 SHA512 c68cfdcedcf858a717c59353c2709a9687703a873048b61de634f5e05b87bcc1682380616a51a2e687dec99a6c6c385a13074668336a9cc0d37be8a2bc9f763d
|
||||
AUX lego.te 2266 BLAKE2B d8329f30a1614f3091247c33d0b3e12a48840d44aeff6bdda76fc636840102717c992bdc861305dc7eba81bb9394fa303d0448cd6ff1d0b573d0675b5a631bfd SHA512 42b0b99909831801a5f5f6c3e32cd196e2a069434bcd2493c3776aa14a5292eea82e4708312d00fc62258bd4931a571eecc49e5c8da448d553c0c8fbf8588e36
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-lego-2.20180701-r1.ebuild 377 BLAKE2B 81194e9e7d540735c490a35a783b780bb7ad68d1f8e208c1f54d3c1f8eb688b9fed8c73ebe8abb5f0acb7e62abb77101a12e059809a53437695ca212edcad558 SHA512 5ae9193ce0aae16b0f35a5fdb904c81777eddd6347e776d990c2f562252e7f52018c9b23b470365ae880267069de4e7f5ce6b466fb406c2b86bb7ed83191ce3f
|
|
@ -0,0 +1,2 @@
|
|||
/var/lib/lego(/.*)? gen_context(system_u:object_r:lego_data_t,s0)
|
||||
/usr/bin/lego -- gen_context(system_u:object_r:lego_exec_t,s0)
|
|
@ -0,0 +1,193 @@
|
|||
|
||||
## <summary>policy for lego</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute lego_exec_t in the lego domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_domtrans',`
|
||||
gen_require(`
|
||||
type lego_t, lego_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, lego_exec_t, lego_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute lego in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_exec',`
|
||||
gen_require(`
|
||||
type lego_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, lego_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search lego conf directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_search_data',`
|
||||
gen_require(`
|
||||
type lego_data_t;
|
||||
')
|
||||
|
||||
allow $1 lego_data_t:dir search_dir_perms;
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read lego conf files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_read_data_files',`
|
||||
gen_require(`
|
||||
type lego_data_t;
|
||||
')
|
||||
|
||||
allow $1 lego_data_t:dir list_dir_perms;
|
||||
read_files_pattern($1, lego_data_t, lego_data_t)
|
||||
files_search_etc($1)
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage lego conf files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_manage_data_files',`
|
||||
gen_require(`
|
||||
type lego_data_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, lego_data_t, lego_data_t)
|
||||
files_search_etc($1)
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute lego in the lego domain, and
|
||||
## allow the specified role the lego domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the lego domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_run',`
|
||||
gen_require(`
|
||||
type lego_t;
|
||||
attribute_role lego_roles;
|
||||
')
|
||||
|
||||
lego_domtrans($1)
|
||||
roleattribute $2 lego_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Role access for lego
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_role',`
|
||||
gen_require(`
|
||||
type lego_t;
|
||||
attribute_role lego_roles;
|
||||
')
|
||||
|
||||
roleattribute $1 lego_roles;
|
||||
|
||||
lego_domtrans($2)
|
||||
|
||||
ps_process_pattern($2, lego_t)
|
||||
allow $2 lego_t:process { signull signal sigkill };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an lego environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`lego_admin',`
|
||||
gen_require(`
|
||||
type lego_t;
|
||||
')
|
||||
|
||||
allow $1 lego_t:process { signal_perms };
|
||||
ps_process_pattern($1, lego_t)
|
||||
|
||||
tunable_policy(`deny_ptrace',`',`
|
||||
allow $1 lego_t:process ptrace;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, lego_data_t)
|
||||
optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
')
|
||||
')
|
|
@ -0,0 +1,100 @@
|
|||
policy_module(doveadm, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute_role dovecot_adm_roles;
|
||||
roleattribute system_r lego_roles;
|
||||
|
||||
type dovecot_adm_t, dovecot_domain;
|
||||
type dovecot_adm_exec_t;
|
||||
domain_type(dovecot_adm_t)
|
||||
domain_entry_file(dovecot_adm_t, dovecot_adm_exec_t)
|
||||
role system_r types dovecot_adm_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# lego local policy
|
||||
#
|
||||
|
||||
allow lego_t self:process getsched;
|
||||
sysnet_read_config(lego_t)
|
||||
files_search_var_lib(lego_t)
|
||||
|
||||
userdom_use_user_ptys(lego_t)
|
||||
domain_use_interactive_fds(lego_t)
|
||||
|
||||
corenet_tcp_connect_http_port(lego_t)
|
||||
allow lego_t self:tcp_socket create_socket_perms;
|
||||
allow lego_t self:udp_socket create_socket_perms;
|
||||
allow lego_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
manage_dirs_pattern(lego_t, lego_data_t, lego_data_t)
|
||||
manage_files_pattern(lego_t, lego_data_t, lego_data_t)
|
||||
manage_lnk_files_pattern(lego_t, lego_data_t, lego_data_t)
|
||||
files_etc_filetrans(lego_t, lego_data_t, { dir file lnk_file })
|
||||
|
||||
miscfiles_read_generic_certs(lego_t)
|
||||
miscfiles_read_localization(lego_t)
|
||||
|
||||
tunable_policy(`lego_use_homedirs',`
|
||||
userdom_manage_user_home_content_dirs(lego_t)
|
||||
userdom_manage_user_home_content_files(lego_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
role sysadm_r;
|
||||
')
|
||||
lego_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
role user_r;
|
||||
type user_t;
|
||||
')
|
||||
lego_role(user_r, user_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
role staff_r;
|
||||
type staff_t;
|
||||
')
|
||||
lego_role(staff_r, staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type nginx_t;
|
||||
')
|
||||
lego_read_data_files(nginx_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type dovecot_t;
|
||||
')
|
||||
lego_read_data_files(dovecot_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type exim_t;
|
||||
')
|
||||
lego_read_data_files(exim_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type system_cronjob_t, system_cronjob_tmp_t;
|
||||
')
|
||||
cron_system_entry(lego_t, lego_exec_t)
|
||||
allow system_cronjob_t lego_data_t:file setattr;
|
||||
allow lego_t system_cronjob_tmp_t:file write;
|
||||
')
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="doveadm"
|
||||
POLICY_FILES="doveadm.te doveadm.fc doveadm.if"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for doveadm - Dovecot's administration utility"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
AUX hostapd.fc 299 BLAKE2B 57f03ed6b66766688e01ca1aff1dfa6882d11fc2d2e6160426478be49d5b190a945b1d41f8fc02a075a0ee9ccadcfbc23549635a02448fffb2790467df8514c5 SHA512 c403eceead2eca2cb3f525788374681c9800239f57c2403840813e03df755528ae80457dd0c13db27d31b03da3e972f3a9deac63be50eb0cb7e3597cacfe74dd
|
||||
AUX hostapd.te 1713 BLAKE2B 69952a4ba1acfd7e9199c60cce4f8a12bc80e8e3e731bca9f0f5aaba04c09fb41a604c20e4dfde223225f949dcb8fbc3466a9b84740bfe1a7eeeba456476f7d7 SHA512 4d6688bb4ee118af5c253a07eda4f3a8e6f56ff37568882599c6bd8060d871ea2228a9318c36c290f941cde4f2059a4f38d6832d2162dce132c6f17820c10e2a
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-hostapd-2.20180701-r1.ebuild 381 BLAKE2B e72b73164969be79643d5b584a57d1bc1ab4724f24d9d8e4d5964dd3193b1402277f6662db461f10d8937fdffea9dadb53f86afb855a3226be760a3df72309d3 SHA512 696ea45e4f5fac01fab8c5c44ca03f28746e9b251bc4e81f2c6c4dfb06d95eda475563bba6f6498bc2290a97cf9db7753b39f7c8178c6dad701ad85acda775b9
|
|
@ -0,0 +1,6 @@
|
|||
/usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0)
|
||||
|
||||
/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0)
|
||||
/etc/hostapd(/.*)? gen_context(system_u:object_r:hostapd_conf_t,s0)
|
||||
|
||||
/run/hostapd.pid -- gen_context(system_u:object_r:hostapd_var_run_t,s0)
|
|
@ -0,0 +1,56 @@
|
|||
policy_module(hostapd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type hostapd_t;
|
||||
type hostapd_exec_t;
|
||||
init_daemon_domain(hostapd_t, hostapd_exec_t)
|
||||
|
||||
type hostapd_var_run_t;
|
||||
files_pid_file(hostapd_var_run_t)
|
||||
|
||||
type hostapd_conf_t;
|
||||
files_type(hostapd_conf_t)
|
||||
########################################
|
||||
#
|
||||
# hostapd local policy
|
||||
#
|
||||
allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };
|
||||
allow hostapd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow hostapd_t self:netlink_socket create_socket_perms;
|
||||
allow hostapd_t self:netlink_generic_socket create_socket_perms;
|
||||
allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow hostapd_t self:packet_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
|
||||
manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
|
||||
manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
|
||||
manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
|
||||
files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
|
||||
|
||||
read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
|
||||
|
||||
kernel_read_system_state(hostapd_t)
|
||||
kernel_read_network_state(hostapd_t)
|
||||
kernel_request_load_module(hostapd_t)
|
||||
kernel_rw_net_sysctls(hostapd_t)
|
||||
dev_rw_sysfs(hostapd_t)
|
||||
|
||||
#allow initrc_t hostapd_conf_t:file read;
|
||||
|
||||
dev_read_rand(hostapd_t)
|
||||
dev_read_urand(hostapd_t)
|
||||
dev_read_sysfs(hostapd_t)
|
||||
dev_rw_wireless(hostapd_t)
|
||||
|
||||
domain_use_interactive_fds(hostapd_t)
|
||||
|
||||
auth_use_nsswitch(hostapd_t)
|
||||
|
||||
logging_send_syslog_msg(hostapd_t)
|
||||
|
||||
miscfiles_read_localization(hostapd_t)
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="hostapd"
|
||||
POLICY_FILES="hostapd.te hostapd.fc"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for hostapd"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,6 @@
|
|||
AUX knot.fc 351 BLAKE2B c405546b5b619948a3dffccad17c4ae12dcbfbc9b538e4bb7325fc5d8560e3a1b87ab0ccac4fd3dcc14be02d9112f139fe71b9bcd40e06efd8893ddf88a5c0c8 SHA512 214002c8c118e2320c3839a7e9cfccd4bd71e6fa0140351ff2c398f27609ea8ea0c5988ee30072db2729469bfc56cbc4f16de6ddcba792e1baf428215a4661a6
|
||||
AUX knot.if 4627 BLAKE2B f383b3fc55dc7c99d583a0b5d61949e5b2d328586e02db7d2e8e6b3d88d3b4a1ed67c812db38d49f71efd8b89c92d37ac9722b0bfc8f11de952f1e02725d716a SHA512 a967b731a993ecec3a9ff7189bb5866049331209f643daadd951053d29e44d133140f3fecad756dc6a6e3f1b87f880c40cae81c5c685c834d7f268bf990fab2b
|
||||
AUX knot.te 2142 BLAKE2B 15de1876243e55ba3ed68ecd5bbbcb8f637e23431b5ac15958096be29dd14a248d029a27134b72d43f93bb3215b5b1f9fab7c6d9464fbdcd2ab21fb030104816 SHA512 41ad8d429d680351186b6b337fd8b122a61eea73b302bb893fe7243531ba375678239fade0496474e4ece45df667669854d3f5d3e858fe9f8b733e4b52070611
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-knot-2.20180701-r1.ebuild 377 BLAKE2B 3e0e81a404c1810ddeedad0ab2af2d6db2270f85492ea39d60992cf0b0015f500b8e70dda185af2341684115adcb580e79fba76665fbe80ba0d1db3305103082 SHA512 18f8f1a16161f4f648cbd346b467bc4bb3c810d156e6ffbdc34d12d7686f08c0911484e8c5304045ae2aef49c71d9586b574f041c1fe337fbacf1d405579c5f4
|
|
@ -0,0 +1,10 @@
|
|||
/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0)
|
||||
|
||||
/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0)
|
||||
|
||||
/var/run/knot(/.*)? gen_context(system_u:object_r:knot_var_run_t,s0)
|
||||
|
||||
/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0)
|
||||
|
||||
/etc/knot(/.*)? gen_context(system_u:object_r:knot_etc_t,s0)
|
||||
|
|
@ -0,0 +1,198 @@
|
|||
|
||||
## <summary>policy for knotc</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute knotd_exec_t in the knotd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knotd_domtrans',`
|
||||
gen_require(`
|
||||
type knotd_t, knotd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, knotd_exec_t, knotd_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute knotd in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knotd_exec',`
|
||||
gen_require(`
|
||||
type knotd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, knotd_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Knotd /run files transitions.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knot_var_run_trans',`
|
||||
gen_require(`
|
||||
type knot_var_run_t;
|
||||
type var_run_t;
|
||||
type tmpfiles_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, knot_var_run_t, knot_var_run_t)
|
||||
manage_files_pattern($1, knot_var_run_t, knot_var_run_t)
|
||||
manage_lnk_files_pattern($1, knot_var_run_t, knot_var_run_t)
|
||||
manage_sock_files_pattern($1, knot_var_run_t, knot_var_run_t)
|
||||
search_dirs_pattern($1, knot_var_run_t, knot_var_run_t)
|
||||
files_pid_filetrans($1, knot_var_run_t, { file dir sock_file})
|
||||
filetrans_pattern(tmpfiles_t, var_run_t, knot_var_run_t, dir, "knot")
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Knot /var/lib files mamange.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knot_var_lib_manage',`
|
||||
gen_require(`
|
||||
type knot_var_lib_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, knot_var_lib_t, knot_var_lib_t)
|
||||
manage_files_pattern($1, knot_var_lib_t, knot_var_lib_t)
|
||||
manage_lnk_files_pattern($1, knot_var_lib_t, knot_var_lib_t)
|
||||
allow $1 knot_var_lib_t:file map;
|
||||
files_var_lib_filetrans($1, knot_var_lib_t, { file dir })
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Knotd /var/lib files transitions.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knot_var_lib_trans',`
|
||||
gen_require(`
|
||||
type knot_var_lib_t;
|
||||
type var_lib_t;
|
||||
type tmpfiles_t;
|
||||
')
|
||||
|
||||
knot_var_lib_manage($1)
|
||||
filetrans_pattern(tmpfiles_t, var_lib_t, knot_var_lib_t, dir, "knot")
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Knot /etc/knot files read.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knot_etc_t_read',`
|
||||
gen_require(`
|
||||
type knot_etc_t;
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
mmap_read_files_pattern($1, knot_etc_t, knot_etc_t)
|
||||
read_files_pattern(initrc_t, knot_etc_t, knot_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Knot /tmp files transitions.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knot_tmp_trans',`
|
||||
gen_require(`
|
||||
type knot_tmp_t;
|
||||
')
|
||||
|
||||
files_tmp_filetrans($1, knot_tmp_t, { file dir })
|
||||
allow $1 knot_tmp_t:file map;
|
||||
allow $1 knot_tmp_t:file manage_file_perms;
|
||||
allow $1 knot_tmp_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute knotc_exec_t in the knotc domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knotc_domtrans',`
|
||||
gen_require(`
|
||||
type knotc_t, knotc_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, knotc_exec_t, knotc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Role access for knotc
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knotc_role',`
|
||||
gen_require(`
|
||||
type knotc_t;
|
||||
attribute_role knotc_roles;
|
||||
')
|
||||
|
||||
roleattribute $1 knotc_roles;
|
||||
|
||||
knotc_domtrans($2)
|
||||
|
||||
ps_process_pattern($2, knotc_t)
|
||||
allow $2 knotc_t:process { signull signal sigkill };
|
||||
')
|
|
@ -0,0 +1,95 @@
|
|||
policy_module(knot, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type knotd_t;
|
||||
type knotd_exec_t;
|
||||
init_daemon_domain(knotd_t, knotd_exec_t)
|
||||
|
||||
type knotc_t;
|
||||
type knotc_exec_t;
|
||||
application_domain(knotc_t, knotc_exec_t)
|
||||
init_daemon_domain(knotc_t, knotc_exec_t)
|
||||
role knotc_roles types knotc_t;
|
||||
|
||||
attribute_role knotc_roles;
|
||||
roleattribute system_r knotc_roles;
|
||||
|
||||
type knot_etc_t;
|
||||
files_type(knot_etc_t)
|
||||
|
||||
type knot_var_run_t;
|
||||
files_pid_file(knot_var_run_t)
|
||||
|
||||
type knot_var_lib_t;
|
||||
files_type(knot_var_lib_t)
|
||||
|
||||
type knot_tmp_t;
|
||||
files_tmp_file(knot_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# knotd local policy
|
||||
#
|
||||
allow knotd_t self:capability { setgid setuid dac_read_search };
|
||||
allow knotd_t self:process { fork signal_perms getcap getsched setsched };
|
||||
allow knotd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow knotd_t self:udp_socket create_stream_socket_perms;
|
||||
allow knotd_t self:unix_stream_socket { listen accept };
|
||||
|
||||
corenet_tcp_bind_generic_node(knotd_t)
|
||||
corenet_udp_bind_generic_node(knotd_t)
|
||||
corenet_tcp_bind_dns_port(knotd_t)
|
||||
corenet_udp_bind_dns_port(knotd_t)
|
||||
|
||||
knot_etc_t_read(knotd_t)
|
||||
knot_var_run_trans(knotd_t)
|
||||
knot_var_lib_trans(knotd_t)
|
||||
knot_tmp_trans(knotd_t)
|
||||
|
||||
kernel_read_kernel_sysctls(knotd_t)
|
||||
|
||||
fs_getattr_xattr_fs(knotd_t)
|
||||
fs_dontaudit_getattr_tmpfs(knotd_t)
|
||||
|
||||
files_read_etc_files(knotd_t)
|
||||
|
||||
auth_use_nsswitch(knotd_t)
|
||||
|
||||
logging_send_syslog_msg(knotd_t)
|
||||
|
||||
miscfiles_read_localization(knotd_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# knotc local policy
|
||||
#
|
||||
|
||||
allow knotc_t self:capability { dac_override dac_read_search };
|
||||
allow knotc_t knotd_t:unix_stream_socket connectto;
|
||||
allow knotc_t knot_var_run_t:dir search;
|
||||
allow knotc_t knot_var_run_t:sock_file write_sock_file_perms;
|
||||
|
||||
knot_etc_t_read(knotc_t)
|
||||
knot_tmp_trans(knotc_t)
|
||||
knot_var_lib_manage(knotc_t)
|
||||
|
||||
fs_dontaudit_getattr_tmpfs(knotc_t)
|
||||
files_dontaudit_search_var_lib(knotc_t)
|
||||
|
||||
domain_use_interactive_fds(knotc_t)
|
||||
userdom_use_user_ptys(knotc_t)
|
||||
|
||||
miscfiles_read_localization(knotc_t)
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
role sysadm_r;
|
||||
')
|
||||
|
||||
knotc_role(sysadm_r, sysadm_t)
|
||||
')
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="knot"
|
||||
POLICY_FILES="knot.te knot.fc knot.if"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for knot"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,6 @@
|
|||
AUX lego.fc 135 BLAKE2B f5518e53fe8d8aed6d19f06b53a9117f72c8773387b0a15f6970fa4e1b3ae985a60a37b8520750a7f16c8efff692c60a560fcaa66fd950675fa7a0627c0c8b97 SHA512 5e457469dc4685fa57175f1825bde5c3323fe7dd83ede73a5987086e90e8cf49c541f142ab5b83f63609323f35d2f3016123365f5dd06d7d55b796b95eba5b18
|
||||
AUX lego.if 3516 BLAKE2B 2209fb75dce7c5a79423be81c0b66e3295f6ffd9113d60e58cfe90e6b41b8563f019d4aff3f2ce285a25fe2ee199eb4d4a42180c7b785d22d1180d49e4a6bc71 SHA512 c68cfdcedcf858a717c59353c2709a9687703a873048b61de634f5e05b87bcc1682380616a51a2e687dec99a6c6c385a13074668336a9cc0d37be8a2bc9f763d
|
||||
AUX lego.te 2329 BLAKE2B bd04b323a09926b8262b6e1232904f22a5cf5cfc1ad7a54a1812ea5faddc07c974039619baccf657437178f27ef0bb4aba5eec9141c6aa670957ddc47a582a88 SHA512 485cd6449edce49b6e6368c21e9d388bf443c2a19ec782354c6dff16b8c4b8ce7ecd9c89cd45effd2df19edc6ed318851f387a10cd109aaf72698271f3b8da0c
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-lego-2.20180701-r1.ebuild 377 BLAKE2B 81194e9e7d540735c490a35a783b780bb7ad68d1f8e208c1f54d3c1f8eb688b9fed8c73ebe8abb5f0acb7e62abb77101a12e059809a53437695ca212edcad558 SHA512 5ae9193ce0aae16b0f35a5fdb904c81777eddd6347e776d990c2f562252e7f52018c9b23b470365ae880267069de4e7f5ce6b466fb406c2b86bb7ed83191ce3f
|
|
@ -0,0 +1,2 @@
|
|||
/var/lib/lego(/.*)? gen_context(system_u:object_r:lego_data_t,s0)
|
||||
/usr/bin/lego -- gen_context(system_u:object_r:lego_exec_t,s0)
|
|
@ -0,0 +1,193 @@
|
|||
|
||||
## <summary>policy for lego</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute lego_exec_t in the lego domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_domtrans',`
|
||||
gen_require(`
|
||||
type lego_t, lego_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, lego_exec_t, lego_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute lego in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_exec',`
|
||||
gen_require(`
|
||||
type lego_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, lego_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search lego conf directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_search_data',`
|
||||
gen_require(`
|
||||
type lego_data_t;
|
||||
')
|
||||
|
||||
allow $1 lego_data_t:dir search_dir_perms;
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read lego conf files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_read_data_files',`
|
||||
gen_require(`
|
||||
type lego_data_t;
|
||||
')
|
||||
|
||||
allow $1 lego_data_t:dir list_dir_perms;
|
||||
read_files_pattern($1, lego_data_t, lego_data_t)
|
||||
files_search_etc($1)
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage lego conf files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_manage_data_files',`
|
||||
gen_require(`
|
||||
type lego_data_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, lego_data_t, lego_data_t)
|
||||
files_search_etc($1)
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute lego in the lego domain, and
|
||||
## allow the specified role the lego domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the lego domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_run',`
|
||||
gen_require(`
|
||||
type lego_t;
|
||||
attribute_role lego_roles;
|
||||
')
|
||||
|
||||
lego_domtrans($1)
|
||||
roleattribute $2 lego_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Role access for lego
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lego_role',`
|
||||
gen_require(`
|
||||
type lego_t;
|
||||
attribute_role lego_roles;
|
||||
')
|
||||
|
||||
roleattribute $1 lego_roles;
|
||||
|
||||
lego_domtrans($2)
|
||||
|
||||
ps_process_pattern($2, lego_t)
|
||||
allow $2 lego_t:process { signull signal sigkill };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an lego environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`lego_admin',`
|
||||
gen_require(`
|
||||
type lego_t;
|
||||
')
|
||||
|
||||
allow $1 lego_t:process { signal_perms };
|
||||
ps_process_pattern($1, lego_t)
|
||||
|
||||
tunable_policy(`deny_ptrace',`',`
|
||||
allow $1 lego_t:process ptrace;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, lego_data_t)
|
||||
optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
')
|
||||
')
|
|
@ -0,0 +1,112 @@
|
|||
policy_module(lego, 1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Determine whether lego can use
|
||||
## user home directories.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(lego_use_homedirs, false)
|
||||
|
||||
attribute_role lego_roles;
|
||||
roleattribute system_r lego_roles;
|
||||
|
||||
type lego_t;
|
||||
type lego_exec_t;
|
||||
application_domain(lego_t, lego_exec_t)
|
||||
role lego_roles types lego_t;
|
||||
|
||||
type lego_data_t;
|
||||
files_type(lego_data_t)
|
||||
ubac_constrained(lego_data_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# lego local policy
|
||||
#
|
||||
|
||||
allow lego_t self:capability { dac_override dac_read_search };
|
||||
allow lego_t self:process getsched;
|
||||
sysnet_read_config(lego_t)
|
||||
files_search_var_lib(lego_t)
|
||||
|
||||
userdom_use_user_ptys(lego_t)
|
||||
domain_use_interactive_fds(lego_t)
|
||||
|
||||
corenet_tcp_connect_http_port(lego_t)
|
||||
allow lego_t self:tcp_socket create_socket_perms;
|
||||
allow lego_t self:udp_socket create_socket_perms;
|
||||
allow lego_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
manage_dirs_pattern(lego_t, lego_data_t, lego_data_t)
|
||||
manage_files_pattern(lego_t, lego_data_t, lego_data_t)
|
||||
manage_lnk_files_pattern(lego_t, lego_data_t, lego_data_t)
|
||||
files_etc_filetrans(lego_t, lego_data_t, { dir file lnk_file })
|
||||
|
||||
miscfiles_read_generic_certs(lego_t)
|
||||
miscfiles_read_localization(lego_t)
|
||||
|
||||
tunable_policy(`lego_use_homedirs',`
|
||||
userdom_manage_user_home_content_dirs(lego_t)
|
||||
userdom_manage_user_home_content_files(lego_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
role sysadm_r;
|
||||
')
|
||||
lego_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
role user_r;
|
||||
type user_t;
|
||||
')
|
||||
lego_role(user_r, user_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
role staff_r;
|
||||
type staff_t;
|
||||
')
|
||||
lego_role(staff_r, staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type nginx_t;
|
||||
')
|
||||
lego_read_data_files(nginx_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type dovecot_t;
|
||||
')
|
||||
lego_read_data_files(dovecot_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type exim_t;
|
||||
')
|
||||
lego_read_data_files(exim_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type system_cronjob_t, system_cronjob_tmp_t;
|
||||
')
|
||||
cron_system_entry(lego_t, lego_exec_t)
|
||||
allow system_cronjob_t lego_data_t:file setattr;
|
||||
allow lego_t system_cronjob_tmp_t:file write;
|
||||
')
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="lego"
|
||||
POLICY_FILES="lego.te lego.fc lego.if"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for lego"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,4 @@
|
|||
AUX nextcloud.te 1363 BLAKE2B b18c1a2a3a1cbefba0f0d8e56e38556a7778e4d41c5e8c0cbe7016417fe361a2c0b1a18c72b1c7a587fa81482295e3bf1a226ceb49f42d6ab439a1e6d2b418a6 SHA512 034ee58a7780a2f9ee098accbb2b4e5996153de7d5bf7f95cc932193f963fe7addc58dbb2f805d25bb6ec3ccc72707580ef321053d4d321fc3607d0f9f8d873c
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-nextcloud-2.20180701-r1.ebuild 376 BLAKE2B 582ecbc77d098512f524daf539346819dc6c480a6d7754a6e2a4224485453f19ad1c906cdd42e92e72d1a2093fd47698e13847df575a60e7369b1d80c9d00181 SHA512 d287903678e45839041fcf06e19e2245d20d2ebc4ffea8dcd8b22000ce8bba362f5f943969723926e4b86fca62c885ad2a371273910631a62d2b4b122df6caf2
|
|
@ -0,0 +1,57 @@
|
|||
policy_module(nextcloud, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
########################################
|
||||
#
|
||||
# lego local policy
|
||||
#
|
||||
|
||||
gen_require(`
|
||||
type phpfpm_t;
|
||||
type phpfpm_tmp_t;
|
||||
type etc_t;
|
||||
type cert_t;
|
||||
type httpd_sys_content_t;
|
||||
type httpd_sys_rw_content_t;
|
||||
class file { map open read };
|
||||
class process sigkill;
|
||||
class shm { create destroy read unix_read unix_write write };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type system_cronjob_t;
|
||||
type phpfpm_exec_t;
|
||||
')
|
||||
cron_system_entry(phpfpm_t, phpfpm_exec_t)
|
||||
')
|
||||
|
||||
corenet_udp_bind_generic_node(phpfpm_t)
|
||||
corenet_tcp_connect_http_port(phpfpm_t)
|
||||
# Allow to connect to IMAP/SMTP
|
||||
corenet_tcp_connect_pop_port(phpfpm_t)
|
||||
corenet_tcp_connect_smtp_port(phpfpm_t)
|
||||
|
||||
fs_rw_hugetlbfs_files(phpfpm_t)
|
||||
allow phpfpm_t hugetlbfs_t:file map;
|
||||
|
||||
allow phpfpm_t etc_t:file map;
|
||||
allow phpfpm_t phpfpm_tmp_t:file map;
|
||||
allow phpfpm_t httpd_sys_content_t:file map;
|
||||
allow phpfpm_t httpd_sys_rw_content_t:file map;
|
||||
|
||||
allow phpfpm_t cert_t:file { open read };
|
||||
|
||||
allow phpfpm_t self:process sigkill;
|
||||
allow phpfpm_t self:shm { create_shm_perms r_shm_perms };
|
||||
|
||||
files_search_var(phpfpm_t)
|
||||
userdom_list_user_home_content(phpfpm_t)
|
||||
userdom_read_user_home_content_files(phpfpm_t)
|
||||
files_search_mnt(phpfpm_t)
|
||||
|
||||
files_dontaudit_list_var(phpfpm_t)
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="nextcloud"
|
||||
POLICY_FILES="nextcloud.te"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for nextcloud"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,4 @@
|
|||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-nsd-2.20180701-r1.ebuild 277 BLAKE2B 19b0326fc75c91994ba63b0e410241877e87b81680b9d02458b4896652c93b6b472170543d7f23de1f714f62aee29dfc932c428103b752f6ca9de5e30c92ed8a SHA512 dc3549650228861e51c8b1dda49b0ce0e7403a3e3d004c72e021b31e7987f7227d263e19e3500d6e34ba9d560a3a0876d6428f493aaea7d3ec27c132b03b62f3
|
||||
MISC metadata.xml 314 BLAKE2B 804e8fd77ee3d8a8ef928de31a5db28fe522eafed3695574154fd70316f49d793c62a758dd53e5902c322c23bd9edc4f18888258e41b8701d3ae5cf4c573560c SHA512 dec699cdcba4fb0219f7fb71afbfca634d1a5767121078a206289fda39d33a622f2986064e29f16548290f4ca8aa71150667e92fbb4d799ece93209b2f1967c2
|
|
@ -0,0 +1,9 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="project">
|
||||
<email>selinux@gentoo.org</email>
|
||||
<name>SELinux Team</name>
|
||||
</maintainer>
|
||||
<longdescription>Gentoo SELinux policy for alsa</longdescription>
|
||||
</pkgmetadata>
|
|
@ -0,0 +1,15 @@
|
|||
# Copyright 1999-2018 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="6"
|
||||
|
||||
IUSE=""
|
||||
MODS="nsd"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for nsd"
|
||||
|
||||
if [[ ${PV} != 9999* ]] ; then
|
||||
KEYWORDS="amd64 -arm ~arm64 ~mips ~x86"
|
||||
fi
|
|
@ -0,0 +1,6 @@
|
|||
AUX rspamd.fc 359 BLAKE2B 5b559490f203545c60fdaad7b9b5446c467f73312b5fa62716de5850aaf2b18b2610e36903dce0f3711ef6070c8132752a74b2161b49a1ae2770dfca7bffd4dd SHA512 5b8feaf54ea3437b12b9bad8d9f47fa52dc2f0b8993043c6d37b3e4179b36afdb047eec38294c271adbfc2c7e112f205de64c36aea71055777c3747a9fe25ea0
|
||||
AUX rspamd.if 6518 BLAKE2B 3c1a62ab074e8ff0e46aec72804ef67022589cc7d40f9bfce45350b9396fb336d121bd407af2e6dea905e0b71c3609c21ef72d3dd24df46f26f8e22188333552 SHA512 79dd3e7ecf5b80f2e60f28a887ab69b037097427472c2b12a2960b325aec9d3ed60b5c11518287512a9a439b99880857aec3446a30383f30c1be1035e03d9798
|
||||
AUX rspamd.te 3621 BLAKE2B b155e0f160627b81be85208950468d483e2a1a6eddb0d43671ca5adb15f637c675f54fe24ff17811d14c0f34211afc4b6c2c8e08077f928b59e5ae36d44d8b61 SHA512 71540931c4e6e1eed253f60d2118df36788fb59a9dfe200ffa03d7be2afcc0eb97773a6cda0e38f91ccd254a53df3e4dbc33e1f0a3529f6ae92f9c689e88e95d
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-rspamd-2.20180701-r1.ebuild 387 BLAKE2B 029838949f858eccc5ffd50ef22ad623253db4494b881e150ecaab40b4c5976a7d483fa96f7591e748f6401bd1fdf270b514f26bd6810034a4084dd9f7029468 SHA512 16894cabddda31b87d354f7a34d4f0877027db0c381bd4347c5a540e34e4b848f5053f037454577c7f2e2e575a2bfeb36106b39107fa442192633662fcd1e4f3
|
|
@ -0,0 +1,9 @@
|
|||
/usr/bin/rspamd.* -- gen_context(system_u:object_r:rspamd_exec_t,s0)
|
||||
|
||||
/etc/rspamd(/.*)? gen_context(system_u:object_r:rspamd_conf_t,s0)
|
||||
|
||||
/var/lib/rspamd(/.*)? gen_context(system_u:object_r:rspamd_var_lib_t,s0)
|
||||
|
||||
/var/log/rspamd(/.*)? gen_context(system_u:object_r:rspamd_log_t,s0)
|
||||
|
||||
/var/run/rspamd(/.*)? gen_context(system_u:object_r:rspamd_var_run_t,s0)
|
|
@ -0,0 +1,325 @@
|
|||
|
||||
## <summary>policy for rspamd</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute rspamd_exec_t in the rspamd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_domtrans',`
|
||||
gen_require(`
|
||||
type rspamd_t, rspamd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, rspamd_exec_t, rspamd_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute rspamd in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_exec',`
|
||||
gen_require(`
|
||||
type rspamd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, rspamd_exec_t)
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Read rspamd's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`rspamd_read_log',`
|
||||
gen_require(`
|
||||
type rspamd_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
read_files_pattern($1, rspamd_log_t, rspamd_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append to rspamd log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_append_log',`
|
||||
gen_require(`
|
||||
type rspamd_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
append_files_pattern($1, rspamd_log_t, rspamd_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage rspamd log files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_manage_log',`
|
||||
gen_require(`
|
||||
type rspamd_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
manage_dirs_pattern($1, rspamd_log_t, rspamd_log_t)
|
||||
manage_files_pattern($1, rspamd_log_t, rspamd_log_t)
|
||||
manage_lnk_files_pattern($1, rspamd_log_t, rspamd_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search rspamd lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_search_lib',`
|
||||
gen_require(`
|
||||
type rspamd_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 rspamd_var_lib_t:dir search_dir_perms;
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read rspamd lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_read_lib_files',`
|
||||
gen_require(`
|
||||
type rspamd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage rspamd lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_manage_lib_files',`
|
||||
gen_require(`
|
||||
type rspamd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage rspamd lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_manage_lib_dirs',`
|
||||
gen_require(`
|
||||
type rspamd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_dirs_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read rspamd PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rspamd_read_pid_files',`
|
||||
gen_require(`
|
||||
type rspamd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, rspamd_var_run_t, rspamd_var_run_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an rspamd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`rspamd_admin',`
|
||||
gen_require(`
|
||||
type rspamd_t;
|
||||
type rspamd_log_t;
|
||||
type rspamd_var_lib_t;
|
||||
type rspamd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 rspamd_t:process { signal_perms };
|
||||
ps_process_pattern($1, rspamd_t)
|
||||
|
||||
tunable_policy(`deny_ptrace',`',`
|
||||
allow $1 rspamd_t:process ptrace;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
admin_pattern($1, rspamd_log_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, rspamd_var_lib_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, rspamd_var_run_t)
|
||||
optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
')
|
||||
')
|
||||
|
||||
############################################################################
|
||||
# network.if
|
||||
############################################################################
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind TCP sockets to the rspamd worker port.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_tcp_bind_rspamd_wrkr_port',`
|
||||
gen_require(`
|
||||
type rspamd_wrkr_port_t;
|
||||
')
|
||||
|
||||
allow $1 rspamd_wrkr_port_t:tcp_socket name_bind;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind TCP sockets to the rspamd controller port.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_tcp_bind_rspamd_cntrllr_port',`
|
||||
gen_require(`
|
||||
type rspamd_cntrllr_port_t;
|
||||
')
|
||||
|
||||
allow $1 rspamd_cntrllr_port_t:tcp_socket name_bind;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind TCP sockets to the rspamd proxy port.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_tcp_bind_rspamd_prx_port',`
|
||||
gen_require(`
|
||||
type rspamd_prx_port_t;
|
||||
')
|
||||
|
||||
allow $1 rspamd_prx_port_t:tcp_socket name_bind;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make a TCP connection to the rspamd worker port.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_tcp_connect_rspamd_wrkr_port',`
|
||||
gen_require(`
|
||||
type rspamd_wrkr_port_t;
|
||||
')
|
||||
|
||||
allow $1 rspamd_wrkr_port_t:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
|
|
@ -0,0 +1,120 @@
|
|||
policy_module(rspamd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type rspamd_t;
|
||||
type rspamd_exec_t;
|
||||
init_daemon_domain(rspamd_t, rspamd_exec_t)
|
||||
|
||||
#permissive rspamd_t;
|
||||
|
||||
type rspamd_conf_t;
|
||||
files_type(rspamd_conf_t)
|
||||
|
||||
type rspamd_tmpfs_t;
|
||||
files_tmpfs_file(rspamd_tmpfs_t)
|
||||
|
||||
type rspamd_log_t;
|
||||
logging_log_file(rspamd_log_t)
|
||||
|
||||
type rspamd_var_lib_t;
|
||||
files_type(rspamd_var_lib_t)
|
||||
|
||||
type rspamd_var_run_t;
|
||||
files_pid_file(rspamd_var_run_t)
|
||||
|
||||
type rspamd_wrkr_port_t;
|
||||
corenet_port(rspamd_wrkr_port_t)
|
||||
#portcon tcp 11333 gen_context(system_u:object_r:rspamd_wrkr_port_t,s0)
|
||||
|
||||
type rspamd_cntrllr_port_t;
|
||||
corenet_port(rspamd_cntrllr_port_t)
|
||||
#portcon tcp 11334 gen_context(system_u:object_r:rspamd_cntrllr_port_t,s0)
|
||||
|
||||
type rspamd_prx_port_t;
|
||||
corenet_port(rspamd_prx_port_t)
|
||||
#portcon tcp 11332 gen_context(system_u:object_r:rspamd_prx_port_t,s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# rspamd local policy
|
||||
#
|
||||
#allow rspamd_t self:capability { chown setgid setuid };
|
||||
#allow rspamd_t self:process { fork setrlimit signal_perms };
|
||||
allow rspamd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow rspamd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rspamd_t self:capability { chown dac_override dac_read_search kill net_bind_service setgid setuid };
|
||||
allow rspamd_t self:process { getsched setrlimit signal execmem };
|
||||
allow rspamd_t self:tcp_socket { listen accept };
|
||||
|
||||
corenet_tcp_bind_generic_node(rspamd_t)
|
||||
corenet_udp_bind_generic_node(rspamd_t)
|
||||
corenet_tcp_bind_rspamd_wrkr_port(rspamd_t)
|
||||
corenet_tcp_bind_rspamd_cntrllr_port(rspamd_t)
|
||||
corenet_tcp_bind_rspamd_prx_port(rspamd_t)
|
||||
corenet_tcp_connect_http_port(rspamd_t)
|
||||
corenet_tcp_connect_smtp_port(rspamd_t)
|
||||
corenet_tcp_connect_redis_port(rspamd_t)
|
||||
|
||||
kernel_read_kernel_sysctls(rspamd_t)
|
||||
|
||||
allow rspamd_t rspamd_conf_t:file map;
|
||||
list_dirs_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
|
||||
read_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
|
||||
read_lnk_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
|
||||
|
||||
allow rspamd_t rspamd_tmpfs_t:file map;
|
||||
manage_files_pattern(rspamd_t, rspamd_tmpfs_t, rspamd_tmpfs_t)
|
||||
fs_tmpfs_filetrans(rspamd_t, rspamd_tmpfs_t, file)
|
||||
|
||||
manage_dirs_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
|
||||
manage_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
|
||||
manage_lnk_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
|
||||
logging_log_filetrans(rspamd_t, rspamd_log_t, { dir file lnk_file })
|
||||
|
||||
files_list_var(rspamd_t)
|
||||
allow rspamd_t rspamd_var_lib_t:file map;
|
||||
manage_dirs_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
|
||||
manage_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
|
||||
manage_lnk_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
|
||||
manage_sock_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
|
||||
files_var_lib_filetrans(rspamd_t, rspamd_var_lib_t, { dir file lnk_file })
|
||||
|
||||
manage_dirs_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
|
||||
manage_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
|
||||
manage_lnk_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
|
||||
files_pid_filetrans(rspamd_t, rspamd_var_run_t, { dir file lnk_file })
|
||||
|
||||
userdom_use_user_ptys(rspamd_t)
|
||||
domain_use_interactive_fds(rspamd_t)
|
||||
|
||||
#files_read_etc_files(rspamd_t)
|
||||
files_read_usr_files(rspamd_t)
|
||||
files_map_usr_files(rspamd_t)
|
||||
|
||||
files_dontaudit_list_var(rspamd_t)
|
||||
|
||||
auth_use_nsswitch(rspamd_t)
|
||||
|
||||
logging_send_syslog_msg(rspamd_t)
|
||||
|
||||
miscfiles_read_localization(rspamd_t)
|
||||
|
||||
sysnet_dns_name_resolve(rspamd_t)
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type exim_t;
|
||||
')
|
||||
|
||||
corenet_tcp_connect_rspamd_wrkr_port(exim_t)
|
||||
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clamav_stream_connect(rspamd_t)
|
||||
')
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="rspamd"
|
||||
POLICY_FILES="rspamd.te rspamd.fc rspamd.if"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for rspamd"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,4 @@
|
|||
AUX server-custom.te 4534 BLAKE2B 5cda8ae24fdff6101c505139f3b9f2c5003cf5e7231ee2144f8ed04311e5ee2c83ae7a8ba5f33b2d09423077d624b9490c7683f117e6d43f81edddd89022d47a SHA512 699a67ef140ca9cf9f950731e0a788f793a8c2dc11f804967bf5c4cb9760090e6aa631d5e329d1a71d4153dfdbaf9ba39dfe6bf2a7fa2ecc47843813d6b6f161
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-server-custom-2.20180701-r1.ebuild 388 BLAKE2B 7967baa6b3ffbd099510af5cb138a3b309fe70266100aae1f7c34072f2f6fdd1918fb0e8edd24f693b1bedee2c8a47c80e81208f5ad762693add2eba918c1c82 SHA512 da5bde5eb21ab5aa097e9ca8638697af92985774fbe0b91cea5fe1097b24b3703255c3af987ecac2f2d32ae6f894c64dcf54fb99c81ff2fdc230c8a89a3dcdee
|
|
@ -0,0 +1,101 @@
|
|||
policy_module(server-custom, 1.0.2)
|
||||
|
||||
gen_require(`
|
||||
type ping_t, rsync_t, nginx_t, syncthing_t;
|
||||
type ssh_keygen_t, lvm_t, lvm_metadata_t;
|
||||
type portage_t, portage_ebuild_t;
|
||||
type sysadm_t, tmpfiles_t, syslogd_t, hugetlbfs_t;
|
||||
type kmod_t, tracefs_t, postgresql_t, postgresql_tmp_t;
|
||||
type named_t, dovecot_t, dovecot_auth_t, redis_t;
|
||||
type mail_spool_t, exim_t, dovecot_deliver_t, mailserver_delivery;
|
||||
type freshclam_t, phpfpm_t, kernel_t, iptables_t;
|
||||
role sysadm_r;
|
||||
')
|
||||
|
||||
####### Policy
|
||||
|
||||
# Musl specific requirements for address resolve
|
||||
corenet_udp_bind_generic_node(ping_t)
|
||||
corenet_udp_bind_generic_node(portage_t)
|
||||
corenet_udp_bind_generic_node(rsync_t)
|
||||
corenet_udp_bind_generic_node(nginx_t)
|
||||
corenet_udp_bind_generic_node(exim_t)
|
||||
corenet_udp_bind_generic_node(freshclam_t)
|
||||
|
||||
# PHP ROUNDCUBE
|
||||
corenet_tcp_connect_sieve_port(phpfpm_t)
|
||||
|
||||
# NGINX failed to start without additional permissions
|
||||
allow nginx_t self:capability { dac_override dac_read_search };
|
||||
allow nginx_t self:process getsched;
|
||||
|
||||
# Syncthing failed to start/stop without additional permissions
|
||||
corecmd_exec_bin(syncthing_t)
|
||||
# WARNING: Failed to lower process priority: set process group: permission denied
|
||||
# WARNING: Failed to lower process priority: set niceness: permission denied
|
||||
allow syncthing_t self:process { signal_perms setpgid setsched };
|
||||
# Able to run "ip ropute show" to determinate gateway for NAT-PMP
|
||||
# sysnet_domtrans_ifconfig(syncthing_t)
|
||||
# Able to read network state (/proc/*/route) to determinate gateway for NAT-t And to check for cpu capabilities (/proc/cpuinfo).
|
||||
kernel_read_network_state(syncthing_t)
|
||||
files_search_mnt(syncthing_t)
|
||||
|
||||
# Unbound
|
||||
allow named_t self:capability net_admin;
|
||||
|
||||
# PostgreSQL
|
||||
allow postgresql_t hugetlbfs_t:file map;
|
||||
allow postgresql_t postgresql_tmp_t:file map;
|
||||
|
||||
# Exim
|
||||
#allow exim_t self:capability dac_read_search;
|
||||
#allow exim_t self:process getsched;
|
||||
allow dovecot_deliver_t exim_t:unix_stream_socket { read write };
|
||||
|
||||
# Redis
|
||||
allow redis_t self:process getsched;
|
||||
files_search_var_lib(redis_t)
|
||||
|
||||
# DOVECOT
|
||||
# dovecot[28606]: Error: imap: Index (in-memory index): Lost log for seq=1 offset=0: Failed to map file seq=2 offset=40..18446744073709551615 (ret=0): Beginning of the log isn't available (initial_mapped=1, reason=in-memory index)
|
||||
# dovecot[28606]: imap: Warning: fscking index file (in-memory index)
|
||||
# dovecot[28606]: Error: imap: Failed to map transaction log /var/mail/xxx/Maildir/.Drafts/dovecot.index.log at sync_offset=40 after locking: Beginning of the log isn't available
|
||||
# avc: denied { map } for pid=28895 comm="imap" path="/var/spool/mail/xxx/Maildir/.Drafts/dovecot.index.cache" dev="dm-0" ino=187521031 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
|
||||
allow dovecot_t mail_spool_t:file map;
|
||||
# Dovecot SMTP Submission
|
||||
corenet_sendrecv_smtp_server_packets(dovecot_t)
|
||||
corenet_tcp_bind_smtp_port(dovecot_t)
|
||||
corenet_sendrecv_smtp_client_packets(dovecot_t)
|
||||
corenet_tcp_connect_smtp_port(dovecot_t)
|
||||
# Dovecot DB connect
|
||||
corenet_tcp_connect_postgresql_port(dovecot_auth_t)
|
||||
|
||||
# NSD failed to work properly without additional permissions
|
||||
#allow nsd_t self:capability { dac_read_search net_admin };
|
||||
#allow nsd_t self:capability { dac_read_search net_admin };
|
||||
#allow nsd_t nsd_zone_t:file { map };
|
||||
#allow nsd_t nsd_db_t:file { map };
|
||||
|
||||
#allow lvm_t lvm_metadata_t:file map;
|
||||
|
||||
# comm="modprobe" name="events" dev="tracefs"
|
||||
allow kmod_t tracefs_t:dir search;
|
||||
|
||||
# avc: denied { dac_read_search } for pid=9036 comm="checkpath" capability=2
|
||||
# avc: denied { dac_override } for pid=9036 comm="checkpath" capability=1
|
||||
allow tmpfiles_t self:capability { dac_read_search };
|
||||
|
||||
# avc: denied { sendto } for pid=9036 comm="checkpath" path="/dev/log"
|
||||
logging_send_syslog_msg(tmpfiles_t)
|
||||
|
||||
# type=AVC msg=audit(1535383674.057:1263): avc: denied { write } for pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0
|
||||
allow portage_t self:dir write;
|
||||
# type=AVC msg=audit(1536753503.662:7355): avc: denied { map } for pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0
|
||||
allow portage_t portage_ebuild_t:file map;
|
||||
|
||||
#optional_policy(`
|
||||
# nsd_admin(sysadm_t, sysadm_r)
|
||||
#')
|
||||
|
||||
# ssh_keygen_t failed to work with terminal
|
||||
userdom_use_user_ptys(ssh_keygen_t)
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="server-custom"
|
||||
POLICY_FILES="server-custom.te"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for custom things"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,4 @@
|
|||
AUX toe.cil 850 BLAKE2B 868de20c80b2a15e4b9952d238314ff847b094a33e55ca31c77cc63fe585d394c8c46a2a72852cccbd4250d1f6c21f008c3d3946f2ab54422a56aefb8e3ec0a7 SHA512 0985266aa4fd290df95d611d73b6fe1dc821c52a1280485886efdd9696e358442cf7c8016c8fe47fcdbcbddb0fcf0ef511c37f524ee5f83d9a57fba94b61a4f9
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-toe-2.20180701-r1.ebuild 390 BLAKE2B d5f793a0130e6cd1812e83860a1f307142a86d9543e9f5052447297d7f80b11fbe7a1de18e4c121135eb6a7bada6552a36dd8454f7bf2b7a3a62a38a230438a5 SHA512 7597ec58304a19796053339032e0d65e8801372c716388554d6fb2fe7d88207f5cbf1fab842f08449910bcef82bc5d60792200e4e901b3b41dbd0132d56efef9
|
|
@ -0,0 +1,23 @@
|
|||
; Name: TOE (Trusted Owner Execution) SELinux module.
|
||||
; Author: Alexander Miroshnichenko (alexminder)
|
||||
; e-mail: alexminder@gmail.com
|
||||
; Purpose: Prevent users to execute untrusted their (non system_u context) or tmp files.
|
||||
; License: GPL-3
|
||||
;
|
||||
(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
|
||||
(typeattribute toe_insecure_type)
|
||||
(typeattribute toe_exclude_type)
|
||||
(typeattributeset toe_insecure_type (user_home_t git_user_content_t))
|
||||
(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
|
||||
(constrain (file (execute))
|
||||
(and
|
||||
(neq t2 toe_insecure_type)
|
||||
(or
|
||||
(eq t2 toe_exclude_type)
|
||||
(and
|
||||
(eq u2 system_u)
|
||||
(neq t2 tmpfile)
|
||||
)
|
||||
)
|
||||
)
|
||||
)
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="toe"
|
||||
POLICY_FILES="toe.cil"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for trusted owner (sysadm_u) execution"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,6 @@
|
|||
AUX transmission.fc 519 BLAKE2B 96edf5ac319fb0ee07c49638321cf91f714c1e1dc977f882cbd756e73ff778c9f1f3fe964e9f3e345b9d73c236b5f235e627c7a14bcd25c0586f6867decf5414 SHA512 815b13e6254b28b073e032a13d2d3d6b3ff50d4085a09f330b5466926cf4b4815f626f3fe008f527eb6e9d23bf3411341ae7c4c6880d48682b1a61dee5c660cf
|
||||
AUX transmission.if 7230 BLAKE2B 67581dd8b9583aaec0c65456cc9a14562d838dee46af3e0344f63c94ee39578ac1b9b1d3fda82b051b74f9bc92d17efe4b36170c6d9cf1f15a8e35d0a769071d SHA512 b59c4725478ec2c6257cee4233cd0c1954968c6be8bf5ae4fde44f09f0d2ebbbd6c2b3d630e82030cbe2173d3bdc509d9d40938f14940768e1ccfdad4e3688cb
|
||||
AUX transmission.te 3353 BLAKE2B e1a7afb093add23ecacf4e0964d9a386d02a39759cff5a089f3c41d88d63ef2c8d9f0fe00b8c0872d007dc3e80cc3f86be30420760209de5b78ded5811938565 SHA512 66562fa975a6a4524684a83938c34cd6fadf1950cc68c891898f0ddbdba562ebfeea4ced27e63dd65a89c80d4c2022d2393e568e6fa8468711893665703177a7
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-transmission-2.20180701-r1.ebuild 417 BLAKE2B e7c1edd816214b43cc229eb00bf49f618c38583ff433f4afe76c4e2d2deb82d6b83e1799bf87bf8b3252089662ef2697cd58f27a944e452342c639550125aabc SHA512 28d9546192291811e21a2cc346e565c5e580bb1a040b63bdcfde7ba08da6383ed4de932d0e6127548431e0c477717c54c1433236609ad6493d41c2759b0bb781
|
|
@ -0,0 +1,11 @@
|
|||
/usr/bin/transmission-daemon -- gen_context(system_u:object_r:transmission_exec_t,s0)
|
||||
|
||||
/var/lib/transmission(/.*)? gen_context(system_u:object_r:transmission_var_lib_t,s0)
|
||||
|
||||
/var/lib/transmission/(/.*)? gen_context(system_u:object_r:transmission_var_lib_t,s0)
|
||||
|
||||
/var/log/transmission(/.*)? gen_context(system_u:object_r:transmission_log_t,s0)
|
||||
|
||||
/var/run/transmission(/.*)? gen_context(system_u:object_r:transmission_var_run_t,s0)
|
||||
|
||||
/usr/share/transmission(/.*)? gen_context(system_u:object_r:transmission_share_t,s0)
|
|
@ -0,0 +1,326 @@
|
|||
|
||||
## <summary>policy for transmission</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute transmission_exec_t in the transmission domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_domtrans',`
|
||||
gen_require(`
|
||||
type transmission_t, transmission_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, transmission_exec_t, transmission_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute transmission in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_exec',`
|
||||
gen_require(`
|
||||
type transmission_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, transmission_exec_t)
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Read transmission's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`transmission_read_log',`
|
||||
gen_require(`
|
||||
type transmission_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
read_files_pattern($1, transmission_log_t, transmission_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append to transmission log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_append_log',`
|
||||
gen_require(`
|
||||
type transmission_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
append_files_pattern($1, transmission_log_t, transmission_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage transmission log files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_manage_log',`
|
||||
gen_require(`
|
||||
type transmission_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
manage_dirs_pattern($1, transmission_log_t, transmission_log_t)
|
||||
manage_files_pattern($1, transmission_log_t, transmission_log_t)
|
||||
manage_lnk_files_pattern($1, transmission_log_t, transmission_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search transmission lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_search_lib',`
|
||||
gen_require(`
|
||||
type transmission_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 transmission_var_lib_t:dir search_dir_perms;
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read transmission lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_read_lib_files',`
|
||||
gen_require(`
|
||||
type transmission_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage transmission lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_manage_lib_files',`
|
||||
gen_require(`
|
||||
type transmission_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage transmission lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_manage_lib_dirs',`
|
||||
gen_require(`
|
||||
type transmission_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_dirs_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read transmission PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_read_pid_files',`
|
||||
gen_require(`
|
||||
type transmission_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, transmission_var_run_t, transmission_var_run_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transmission PID files trsansiotions.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`transmission_pid_trans',`
|
||||
gen_require(`
|
||||
type transmission_t;
|
||||
type var_run_t;
|
||||
type transmission_var_run_t;
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
|
||||
manage_files_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
|
||||
manage_lnk_files_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
|
||||
files_pid_filetrans(transmission_t, transmission_var_run_t, { dir file lnk_file })
|
||||
filetrans_pattern(initrc_t, var_run_t, transmission_var_run_t, dir, "transmission")
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an transmission environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`transmission_admin',`
|
||||
gen_require(`
|
||||
type transmission_t;
|
||||
type transmission_log_t;
|
||||
type transmission_var_lib_t;
|
||||
type transmission_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 transmission_t:process { signal_perms };
|
||||
ps_process_pattern($1, transmission_t)
|
||||
|
||||
tunable_policy(`deny_ptrace',`',`
|
||||
allow $1 transmission_t:process ptrace;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
admin_pattern($1, transmission_log_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, transmission_var_lib_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, transmission_var_run_t)
|
||||
optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind TCP sockets to the transmission peer port.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_tcp_bind_transmission_peer_port',`
|
||||
gen_require(`
|
||||
type transmission_peer_port_t;
|
||||
')
|
||||
|
||||
allow $1 transmission_peer_port_t:tcp_socket name_bind;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind UDP sockets to the transmission peer port.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_udp_bind_transmission_peer_port',`
|
||||
gen_require(`
|
||||
type transmission_peer_port_t;
|
||||
')
|
||||
|
||||
allow $1 transmission_peer_port_t:udp_socket name_bind;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind TCP sockets to the transmission rpc port.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_tcp_bind_transmission_rpc_port',`
|
||||
gen_require(`
|
||||
type transmission_rpc_port_t;
|
||||
')
|
||||
|
||||
allow $1 transmission_rpc_port_t:tcp_socket name_bind;
|
||||
|
||||
')
|
|
@ -0,0 +1,108 @@
|
|||
policy_module(transmission, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow transmission to use DHT, uTP and LPD.
|
||||
## The correspondig port must be transmission_peer_port_t.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(transmission_use_udp, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow transmission to use RPC.
|
||||
## The correspondig port must be transmission_rpc_port_t.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(transmission_use_rpc, true)
|
||||
|
||||
type transmission_t;
|
||||
type transmission_exec_t;
|
||||
init_daemon_domain(transmission_t, transmission_exec_t)
|
||||
|
||||
#permissive transmission_t;
|
||||
|
||||
type transmission_log_t;
|
||||
logging_log_file(transmission_log_t)
|
||||
|
||||
type transmission_var_lib_t;
|
||||
files_type(transmission_var_lib_t)
|
||||
|
||||
type transmission_var_run_t;
|
||||
files_pid_file(transmission_var_run_t)
|
||||
|
||||
type transmission_share_t;
|
||||
files_type(transmission_share_t)
|
||||
|
||||
type transmission_peer_port_t;
|
||||
corenet_port(transmission_peer_port_t)
|
||||
#portcon tcp 51413 gen_context(system_u:object_r:transmission_peer_port_t,s0)
|
||||
#portcon tcp 5413 gen_context(system_u:object_r:transmission_peer_port_t,s0)
|
||||
#portcon tcp 6771 gen_context(system_u:object_r:transmission_peer_port_t,s0)
|
||||
|
||||
type transmission_rpc_port_t;
|
||||
corenet_port(transmission_rpc_port_t)
|
||||
#portcon tcp 9091 gen_context(system_u:object_r:transmission_rpc_port_t,s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# transmission local policy
|
||||
#
|
||||
allow transmission_t self:process { fork setrlimit };
|
||||
allow transmission_t self:fifo_file rw_fifo_file_perms;
|
||||
#allow transmission_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow transmission_t self:tcp_socket { accept listen };
|
||||
|
||||
corenet_tcp_bind_transmission_peer_port(transmission_t)
|
||||
corenet_tcp_bind_rtorrent_port(transmission_t)
|
||||
corenet_tcp_bind_generic_node(transmission_t)
|
||||
corenet_tcp_connect_all_ports(transmission_t)
|
||||
|
||||
kernel_read_kernel_sysctls(transmission_t)
|
||||
kernel_read_network_state(transmission_t)
|
||||
|
||||
manage_dirs_pattern(transmission_t, transmission_log_t, transmission_log_t)
|
||||
manage_files_pattern(transmission_t, transmission_log_t, transmission_log_t)
|
||||
manage_lnk_files_pattern(transmission_t, transmission_log_t, transmission_log_t)
|
||||
logging_log_filetrans(transmission_t, transmission_log_t, { dir file lnk_file })
|
||||
|
||||
manage_dirs_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
|
||||
manage_files_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
|
||||
manage_lnk_files_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
|
||||
files_var_lib_filetrans(transmission_t, transmission_var_lib_t, { dir file lnk_file })
|
||||
|
||||
read_files_pattern(transmission_t, transmission_share_t, transmission_share_t)
|
||||
|
||||
miscfiles_read_generic_certs(transmission_t)
|
||||
|
||||
fs_get_xattr_fs_quotas(transmission_t)
|
||||
fs_getattr_xattr_fs(transmission_t)
|
||||
|
||||
transmission_pid_trans(transmission_t)
|
||||
|
||||
#domain_use_interactive_fds(transmission_t)
|
||||
|
||||
#files_read_etc_files(transmission_t)
|
||||
|
||||
auth_use_nsswitch(transmission_t)
|
||||
|
||||
logging_send_syslog_msg(transmission_t)
|
||||
|
||||
miscfiles_read_localization(transmission_t)
|
||||
|
||||
sysnet_dns_name_resolve(transmission_t)
|
||||
|
||||
tunable_policy(`transmission_use_udp',`
|
||||
corenet_udp_bind_transmission_peer_port(transmission_t)
|
||||
corenet_udp_bind_rtorrent_port(transmission_t)
|
||||
corenet_udp_bind_generic_node(transmission_t)
|
||||
')
|
||||
|
||||
tunable_policy(`transmission_use_rpc',`
|
||||
corenet_tcp_bind_transmission_rpc_port(transmission_t)
|
||||
')
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="transmission"
|
||||
POLICY_FILES="transmission.te transmission.fc transmission.if"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for transmission"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,6 @@
|
|||
AUX wireguard.fc 250 BLAKE2B 10976a1e72bc8a7962920e4831e25bd8bd36c11d4890d0955e3d85453ebf821d2a1403b68bd178cddc3a8f09c4ce328a9628e0257d72635eb32d6184e18fa2d6 SHA512 248873b7767631ff46f014c8ccc7fcf73077962a037359a1b551a028812e6d2a351ed1f36e5e3717a39612323befa39c5d3c4e6dfc96bcdec08498bcd5f451c5
|
||||
AUX wireguard.if 2642 BLAKE2B 292ac6cfda215ffa8b97a2471a42f7e778e84357b268549497ce589e2c9d27ba4e03ee2090618690e6ce34f6436d962eb9fce98a41e37823c63f27d91d9cbc1e SHA512 96a31ab31e57f71bfa7c76a95386e845a50eeb748d9632197e89d3e3d7f7ed3d29d3b30bed668f569bdebebd2803736d1638784fa9195f877b97e55f96701f71
|
||||
AUX wireguard.te 2452 BLAKE2B 3408dd5f133978499884236e5fab7480c6be664a82f6862fef7d20d52c9a301fed456520cf61bb9671920d8b2019191a35a1c74702f79ea7c28ca01fa9121d4d SHA512 0af8271f9cfaabbc6f653fa307658cc039f09748972778a6302cc21fd4e9f2023ecd1ff30f2a5ab51f9816c06d6bb2ab3528c94705e582bc3d51b97955296d8b
|
||||
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
|
||||
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
|
||||
EBUILD selinux-wireguard-2.20180701-r1.ebuild 402 BLAKE2B 0b9fa44a7cd7fdd8408288b2ed754f23591051e75288e9e50e05a36a0e03eaae39f882a4df3ee3a1c367927922a9e8e57900b72297ef445582a68e2ab06bfa4a SHA512 177f53e4fde327213b713ae19e191f11417ab02ce953abb7742ad16ac685cbdf4a1e12ae4c9f4c24e46da82c16624f4fbe52bf27380d399596c5631f7ade6441
|
|
@ -0,0 +1,11 @@
|
|||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/wireguard(/.*)? gen_context(system_u:object_r:wireguard_etc_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/wg -- gen_context(system_u:object_r:wireguard_exec_t,s0)
|
||||
/usr/bin/wg-quick -- gen_context(system_u:object_r:wireguard_script_exec_t,s0)
|
||||
|
|
@ -0,0 +1,128 @@
|
|||
## <summary>Policy for logical volume management programs.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute wireguard programs in the wireguard domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`wireguard_domtrans',`
|
||||
gen_require(`
|
||||
type wireguard_t, wireguard_exec_t;
|
||||
type wireguard_script_t, wireguard_script_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, wireguard_exec_t, wireguard_t)
|
||||
domtrans_pattern($1, wireguard_script_exec_t, wireguard_script_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute wireguard programs in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`wireguard_exec',`
|
||||
gen_require(`
|
||||
type wireguard_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, wireguard_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute wireguard programs in the wireguard domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to allow the Wireguard domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`wireguard_run',`
|
||||
gen_require(`
|
||||
type wireguard_t, wireguard_script_t;
|
||||
')
|
||||
|
||||
wireguard_domtrans($1)
|
||||
role $2 types wireguard_t;
|
||||
role $2 types wireguard_script_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send wireguard a null signal.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`wireguard_signull',`
|
||||
gen_require(`
|
||||
type wireguard_t;
|
||||
')
|
||||
|
||||
allow $1 wireguard_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read Wireguard configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`wireguard_read_config',`
|
||||
gen_require(`
|
||||
type wireguard_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 wireguard_etc_t:dir list_dir_perms;
|
||||
read_files_pattern($1, wireguard_etc_t, wireguard_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage Wireguard configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`wireguard_manage_config',`
|
||||
gen_require(`
|
||||
type wireguard_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, wireguard_etc_t, wireguard_etc_t)
|
||||
manage_files_pattern($1, wireguard_etc_t, wireguard_etc_t)
|
||||
')
|
||||
|
|
@ -0,0 +1,84 @@
|
|||
policy_module(wireguard, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type wireguard_t;
|
||||
type wireguard_exec_t;
|
||||
init_system_domain(wireguard_t, wireguard_exec_t)
|
||||
# needs privowner because it assigns the identity system_u to device nodes
|
||||
# but runs as the identity of the sysadmin
|
||||
domain_obj_id_change_exemption(wireguard_t)
|
||||
role system_r types wireguard_t;
|
||||
|
||||
type wireguard_script_t;
|
||||
type wireguard_script_exec_t;
|
||||
init_system_domain(wireguard_script_t, wireguard_script_exec_t)
|
||||
domtrans_pattern(wireguard_script_t, wireguard_exec_t, wireguard_t)
|
||||
|
||||
type wireguard_etc_t;
|
||||
files_type(wireguard_etc_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# wireguard Local policy
|
||||
#
|
||||
|
||||
kernel_request_load_module(wireguard_t)
|
||||
|
||||
allow wireguard_t self:capability net_admin;
|
||||
allow wireguard_t self:netlink_generic_socket create_socket_perms;
|
||||
allow wireguard_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow wireguard_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow wireguard_t wireguard_script_t:fifo_file read_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
|
||||
manage_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
|
||||
manage_lnk_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
|
||||
files_etc_filetrans(wireguard_t, wireguard_etc_t, dir)
|
||||
filetrans_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t, file)
|
||||
|
||||
userdom_use_user_ptys(wireguard_t)
|
||||
domain_use_interactive_fds(wireguard_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# wireguard-quick Local policy
|
||||
#
|
||||
|
||||
files_read_etc_files(wireguard_script_t)
|
||||
corecmd_exec_bin(wireguard_script_t)
|
||||
corecmd_exec_shell(wireguard_script_t)
|
||||
sysnet_domtrans_ifconfig(wireguard_script_t)
|
||||
|
||||
manage_dirs_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
|
||||
manage_files_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
|
||||
manage_lnk_files_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
|
||||
filetrans_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t, file)
|
||||
|
||||
allow wireguard_script_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
kernel_read_network_state(wireguard_script_t)
|
||||
|
||||
miscfiles_read_localization(wireguard_script_t)
|
||||
|
||||
userdom_use_user_ptys(wireguard_script_t)
|
||||
domain_use_interactive_fds(wireguard_script_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# optional policy
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
role sysadm_r;
|
||||
')
|
||||
|
||||
wireguard_run(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="wireguard"
|
||||
POLICY_FILES="wireguard.te wireguard.fc wireguard.if"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for wireguard"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
fi
|
|
@ -0,0 +1,27 @@
|
|||
DIST genpatches-4.14-57.base.tar.xz 1472016 BLAKE2B 1905e983d34220a97bda5eb7b1fff09d7ac42dc129b722611c079418133231d6d41f871c20df94a3db5440c8b1374d09ae3303be9e2cb8b70f5d92b61382f3ed SHA512 bace21a042f6e45512a8ffe3cb329c70b3f3548142fbaddbd76b2be50f50276db8f4cc410a7d05915c30c443cc82934893203d3025cd4653387ff6fd64f0b4ae
|
||||
DIST genpatches-4.14-57.experimental.tar.xz 5216 BLAKE2B ac751059eb363f1327b8cc6a9ad6c993cc56e3a57010f6a7d8b30220a401ec2b607b7eda601b39f1d6480fddb45f7a980ba7ffe7cf808ae382a57cc57a785f39 SHA512 efb2bf34ea83789437388b6becb4c51564c885355dffdfe0f902ded0cd0a9dbc534a891a8eddde76418a651f0da41d8a7402e672688b2cccaae5897ce0bfb744
|
||||
DIST genpatches-4.14-57.extras.tar.xz 17488 BLAKE2B 6dbe6859eafa2a61d2139572a28046a1278a965aa6a82518b5658c61f18ece4054175116b5907436bc40bd4c32458752fc381cb29806d9e25550a17f81684eab SHA512 49d7a27075e7e113ef39f2da651e9302b51c66d46c4d2960acc648dcd0eb4b608118584dbcbf169d73cf1ed4e105fbae9125f06dda46d346a63f0f35bf23bb4e
|
||||
DIST genpatches-4.14-66.base.tar.xz 1681920 BLAKE2B 90daa216c9bc74aae62b773d9492b9d9afd211541307765493ea01cab4c1f87e0268fdc3648efe12c9d2be14e14ba1422d44cda87683c618f0d62e469eb47342 SHA512 2eab17379a326581d74d00ace8beac6d2b84f729d6b5e5784d77cfcdfc80d442f7863e0ee8c855c3bc39c54556dafc790854df3b9ab41761bf86ed9ff4a30c68
|
||||
DIST genpatches-4.14-66.experimental.tar.xz 5224 BLAKE2B 7435fa53f9278635a316a403a4e3ee03ec585338673b3148ef69190901e52dfc1c8cb19a0600eaebb54b120e65c60bb9b688883af33eb0240cd8623f7fea771c SHA512 c1024431a43cb397a65eec12c206ec57cbcf267364ad8dae4875e6ccfa90b955e468907e440db25bb93610898a7b8f8a99dba5ec542ccd850770963b1b5785bf
|
||||
DIST genpatches-4.14-66.extras.tar.xz 17496 BLAKE2B d156cc7b5612ee7d6d5faed0e606a0c8ed49f952cfe77097e37e432b142b8241f3b9fab156ed71f716540bc906f21050c2901b067b3ba1498893068ad45cb9e3 SHA512 8f3c9098a559556d3e256a9b8243cc5886387f23431501093f3c0ce9599a93fb885c5056d28b9189cbcd693b4c7e3601827abd96e548e659b4a7e33bd3403045
|
||||
DIST genpatches-4.14-77.base.tar.xz 1897728 BLAKE2B 0481c22f540d3a8f663717ca5771c480a4c88dcd59323ee313b0fa08f887ec855a43cccf928e21978a666509ee96c1a1eb360909278944e625c0c802a2d7e7ac SHA512 d9433d1e5b9232dca6d74928a835bed1e3f27c0affa96e335895df67cb2f7d11d2ba27cd3f6ac40cc51a5a7a670008df91061be5274d61bcc08eb0f06f90d5fe
|
||||
DIST genpatches-4.14-77.experimental.tar.xz 5224 BLAKE2B 8d0b8f1e8a2953e500b9d3e654cd89d40ba0bae53a014b1bee8fb19e6580dbf33687821bb3edbffa2db8daf3fdfb521ce3232f9b4aca0f4d2661be8115220c8c SHA512 a063a5e76f391a0d8011a0a1bb1fa06e6693c7efb211e5d25bfa5f39b6dc216f3c965ec1303a1d865c4b3c1484e03a4b99f3097759a0e15b15ca8b11215a3342
|
||||
DIST genpatches-4.14-77.extras.tar.xz 17492 BLAKE2B abaf103790fceab73cacd949473e50b8d678e0fb1ead41a36577a02e48805052c8d10f78ce474c215773117e9aeb97a49123b58a3ce42348520e32415838ec13 SHA512 28db86e6cfeaa3293d5a9db43774d5c0710492e9ca6b750a687b65a4d38e3a6cc196f689025bf7ce8fded4e97a221f4e2c4352e1ffc2a465fb3546a8d6712536
|
||||
DIST genpatches-4.14-91.base.tar.xz 2173020 BLAKE2B a054b2d25fded4313d894a7a3713eea66d365816bf9e2b2c8f7d8d46bbacc4008400fd469c1e485b09645ac3e2003647832ea4135871f245d6b018158fd51f4c SHA512 171fc023e1bb36c695ad61692cb77332b4b53a4088a165a9a18e53a4a51a8969a7aee4656983ee3f5d330894e411de37ca4fc18aa8856a3f0e4f725583539503
|
||||
DIST genpatches-4.14-91.experimental.tar.xz 5224 BLAKE2B b273895fd1286b3d6f60b244817eedd72b4db34cbe8cf2b595e5154f9d42f1f50f2a30d5f53cbe4228ed4314c9a66f3f8e493d4d2448efd08f9f0de050b4ca1a SHA512 5cd49e9f7428e451be705027a818eef41be88ac3ecf55f8fa3b3a8a4858267c7a8ba3c5901b5dbe66934c1154d49aacfdf86ced0e26c0056ef1832abe5a32e6d
|
||||
DIST genpatches-4.14-91.extras.tar.xz 17484 BLAKE2B 9d8abd5f5c71b957634f475645a2549b661b485e0cb100abdb715a2349a05114cba0c5f77b815aa6104999d32e6620558c17bea8746da55f077a4f00a06a404b SHA512 3d0c7ae83e6ed69d9debe45bcd409c6225af199068957f176dead4074dda9e3c4542db1fac6f4fd2a13672d6c5b428b763a615886cf3c80fb102771ea29b29ec
|
||||
DIST genpatches-4.19-25.base.tar.xz 744736 BLAKE2B e88e4c307d93db643f0b2ffb9f97b81763c1d7a903db652c52c29ace6eb2e911b0b685d66120203156caa8a50a6cf927594c62e5b45b4bf490217f367c3cc9b3 SHA512 3939582c9d641e4bd1e13f35b52dde7720bc3e9f4052145d7c88e88d0929474461fbb5d42ee58378150b8e64c276d455193467835cb38e9639e212de932434ef
|
||||
DIST genpatches-4.19-25.experimental.tar.xz 5808 BLAKE2B fb7b0ae0e7aba6f696e1ca23b97a84ca92764bce107596309d4f692f24a51deee3b45c6c3d5921de28bbca79677c1582ee2c36ab307005fa2f330123e4ef9018 SHA512 574ef13dbfaee86613336e356efb50b83e11a8cf5fa83533b946d706245a462fc5d47d6cdf93586ab63770b06af637fa739811159d50439e60f45629705741a0
|
||||
DIST genpatches-4.19-25.extras.tar.xz 17484 BLAKE2B 68a2cad49ec8b0f54b108728aa69accbe0e4eb209f5fde95142adfe7df5625291a7ab03a9b051e6b198bfb95b85c156aac3cc295835e74568be75d5e9575c91b SHA512 b407e59af09d8951fe2bf195c430054cadba0e1cc60d712ad7040a50ca198cdf17adb5fc932b69ec50fdd71287cd8736f34fd0d9648e32b9ae802e98dae76aa3
|
||||
DIST linux-4.14.tar.xz 100770500 BLAKE2B 85dc4aa953fe65e273a24473d8de98e4f204f97c43be9fc87cf5be01f796f94cfde5c8f9c84619751f1cac51f83ce0b4681fb19c5f2965a72d4a94fe5577846a SHA512 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
|
||||
DIST linux-4.19.tar.xz 103117552 BLAKE2B 1dbf16cf410867412d17568fe42bc1e90c034183b654d270b650621ff7664a321950943d0639205bc1ee7ef6210be170c1f2c785a042ed8a4ec5e3a486d890e0 SHA512 ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4
|
||||
DIST linux-hardened-4.14.52.a.patch 96384 BLAKE2B 2297f1265882e89183db613152f75dde295493f43fe8808dc973c9c1ee38e13c7d3ed45015fb70e8dc0ed1de91b810fe5a315a39220b652b0626d58ef21f08ff SHA512 dbe794cbc7668706671f05278bd54c0759e6ef2beba9f2be34d5baa100afb5631718dddf25c3b4ad46d3f715ab78608509be80d0e567bc8eaae92b7039fec80a
|
||||
DIST linux-hardened-4.14.61.a.patch 96384 BLAKE2B 8044c01423578d404a8a775f0e204ca531adbfc6ecb1b39aaea3fa28701a2f4920aafd50b420ba77a72866ef26deeedc0cd7750b8f4de412215f1993e6d7026b SHA512 6bf784c4b26eefdb655820cdfaa8592e339b43a0853c76bc696ecde66240170cb535af54ef8963d28319805f05d9242d70f61f83c9b030764dd614c7d561e7f5
|
||||
DIST linux-hardened-4.14.71.a.patch 96384 BLAKE2B af0f1c7562066319749c62a1e0865560dfa5381650913d43219fd93daebee6747e385e4b1803736b7e00c79f088bf89730814da245ecea993fc827983b15fffe SHA512 4e725582bd9fe6e52699edf8bc0beb29d4040a0483b891df6c3aad0b85a5e83f81c5d9332842ed2c89312e3665c48f5513b6255164dd14800dec665d971f9161
|
||||
DIST linux-hardened-4.14.84.a.patch 96384 BLAKE2B 3232358ded70261db9a752882d062a439559718c2df901768cd2f7ceb1cbe8991000654cfe1c4bc8a2f3b3524c0bdc943b26a02261717c1831aba00380fba17e SHA512 36f2492823d26bbe831401582ff8b1f43ef30c40d817039b73b38bda3a7718ebfe95c41254fea1e2ef801f875efbc65ae54de5e3533c345bd65393c187f9b645
|
||||
DIST linux-hardened-4.19.25.a.patch 92707 BLAKE2B 9407d2b9f7c9ce4deb4711cbbf53a7d27e200843ab2550b05fe2869c7e383cca274c233ba4f9216f867652ee15833b53ec1ee8344d083f896854c7536574398c SHA512 feb38fcc59280b45f8b1d7ea4f49c890614cdb9fd0c2e7351980f479821d93f87082ae7a38026557155dfda43f489619aff6436ea366c79054b1271b6deffe0a
|
||||
EBUILD linux-hardened-sources-4.14.52.ebuild 1711 BLAKE2B 85b226aac4d1aade665a2297fa4de961785617996c9d0c6afafc06fdaac6d26c8346ed1421106e471f80fa1c01782b3eeea005891d8c988931dad2f98bf188a1 SHA512 1368cecc3905f61c04cb7cc3237c9d68c4960c79e0d61ea76401a3326eb57a3650f01b72aeee8b29fb4502a512cece60d984a2983788142043d640dadc053f92
|
||||
EBUILD linux-hardened-sources-4.14.61.ebuild 1711 BLAKE2B f98603311888d24a94e983c50bf7d586d1fefb9b82d514145ec132481741c2e3346dd8b8794854aceb52e98bfc2ca574b4ab590ea39426b07ba8201153ee72c6 SHA512 1bc341db4dc6bc867d288dff3b8e6e3f0c536866a3ec96641d6171a11f045c53748ce5a8a15fcecb7aa3361f00a1a51afab126cb2c24bdb019c59007e2ffb9d9
|
||||
EBUILD linux-hardened-sources-4.14.71.ebuild 1713 BLAKE2B da0595a9d99d727f4804222ebcc1de582b92737799cb15463b59362387e87464e8ca6d9e12370631f9a18c664af29c1a438ed3e14c6c4f64d31e3e6c18523ac2 SHA512 0021719b56361eba8a3b8be1f91e0309818b57df2632c0bc3d13be71db8c0a0a0721c6d75d99bc011d74ba08806d19de136c835d3973beddd11841ae1b868318
|
||||
EBUILD linux-hardened-sources-4.14.84.ebuild 1713 BLAKE2B 7493da3ae2083bef4f362a687b324c693a23f94d65cd1a37e423bfa69e1659134dcd463fa3e52d24f6e79d79187a10f265bd95456b34af6bad167d67e0582a5f SHA512 b64e585a38ac688e3b4b21fb56dbba4083127e1f51dfc0da733c1b2bdeb84a4fd8674b5525ecec84a5f5215d3373d120dc6dce46036475587c43043ba5510342
|
||||
EBUILD linux-hardened-sources-4.19.25.ebuild 1713 BLAKE2B 66a5f28b006d057d8894e32434a299429a6522d2a0cd849c66599533fa597673243ffefc9b7e6868ffe5636c39dd8f806b75b87bf97951984b2fe35684250e34 SHA512 06f5d3f8900a80327b87224051f7b278576938031a7873748534910cc1c77e8c9a4da8b45235ad99731618671fd44663d1fbf98800de7bf5257a9d6529d27d6f
|
|
@ -0,0 +1,50 @@
|
|||
# Copyright 1999-2018 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
# See https://blogs.gentoo.org/ago/2017/08/21/sys-kernel-grsecurity-sources-available
|
||||
|
||||
EAPI="6"
|
||||
|
||||
ETYPE="sources"
|
||||
#K_GENPATCHES_VER="not-empty" # Set to not-empty to avoid the useless download of patch-*.xz
|
||||
K_WANT_GENPATCHES="base extras experimental"
|
||||
K_GENPATCHES_VER="57"
|
||||
K_NOSETEXTRAVERSION="1"
|
||||
NAME="linux-hardened"
|
||||
MINOR_VER=".a"
|
||||
PN="hardened"
|
||||
|
||||
inherit kernel-2
|
||||
detect_version
|
||||
detect_arch
|
||||
|
||||
UNIPATCH_LIST="${DISTDIR}/${NAME}-${PV}.a.patch
|
||||
${FILESDIR}/4.14/*.patch"
|
||||
UNIPATCH_EXCLUDE="1500_XATTR_USER_PREFIX.patch
|
||||
1510_fs-enable-link-security-restrictions-by-default.patch
|
||||
2900_dev-root-proc-mount-fix.patch
|
||||
4200_fbcondecor.patch
|
||||
4400_alpha-sysctl-uac.patch"
|
||||
|
||||
LINHARD_URI="https://github.com/anthraxx/${NAME}/releases/download/${PV}${MINOR_VER}/${NAME}-${PV}${MINOR_VER}.patch"
|
||||
|
||||
KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
|
||||
HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
|
||||
IUSE="experimental"
|
||||
|
||||
DESCRIPTION="Full sources including the Gentoo, ArchLinux and Linux Hardened patches for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
|
||||
SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${LINHARD_URI} ${ARCH_URI}"
|
||||
|
||||
src_compile() {
|
||||
echo "${MINOR_VER}-hardened" > ${S}/localversion-hardened
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
kernel-2_pkg_postinst
|
||||
einfo "For more info on this patchset, and how to report problems, see:"
|
||||
einfo "${HOMEPAGE}"
|
||||
}
|
||||
|
||||
pkg_postrm() {
|
||||
kernel-2_pkg_postrm
|
||||
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue