millerson.name
/
gentoo-overlay
1
0
Fork 0
Code Issues Pull Requests Releases Activity

add content

This commit is contained in:
Alexander Miroshnichenko 2019-05-08 14:53:59 +03:00
parent fdb66ec988
commit 840f37da49
Signed by: alex
GPG Key ID: E93720C6C73A77F4
122 changed files with 5873 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app-admin/sara-test/Manifest Normal file
View File

@ -0,0 +1,2 @@
DIST sara-test-0.2.tar.gz 33807 BLAKE2B db8e31379f8f7747647246b2b9023d8fec76802eb502b8255d97afae83c026fe6ea4028ce242942578edcf9d0089de794bc06c6a1befa43392e0c3c7e6bb166b SHA512 cccc0348a1b19cb483483e5571bb85ae0295e6f0b16b2dc652a8361ee8087daf2afad280c69a3f7aaaa032235c78ec231ffd862116e41790a71cfaed23f5ae86
EBUILD sara-test-0.2.ebuild 364 BLAKE2B 1df8d8cc87e1bd88cfd121af7f4b857e68bca14794428f13ee734545831b09a25aa1665448f0dd367103e99a4850f2da0caccf8154d4ed7e0baba26a3bb73dab SHA512 3ee9a256b4da7390e4dc196183dca0823670bbce60f4e0ff3c67fde4ebc755a374f4147f654378f351a5a204c0d81c50010c6c52dfd97219dcc8341a46e21374

17
app-admin/sara-test/sara-test-0.2.ebuild Normal file
View File

@ -0,0 +1,17 @@
# Copyright 2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
DESCRIPTION="S.A.R.A.'s test suite"
HOMEPAGE="https://github.com/smeso/sara-test"
SRC_URI="https://github.com/smeso/${PN}/archive/v0.2.tar.gz -> ${P}.tar.gz"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="amd64 ~x86"
IUSE=""
DEPEND=""
RDEPEND="${DEPEND}"
BDEPEND=""

6
app-crypt/lego/Manifest Normal file
View File

@ -0,0 +1,6 @@
DIST lego-1.0.1.tar.gz 2147839 BLAKE2B ad33e8b1cf61efd3396d584cf8506e987d8726c72726b0f4214124f81de47ef158ecc5f708ac1c7b75d5351865df48563af572812fd653eb9f30fcb3df635a4c SHA512 65f278873eb9e7fe8b17d1a65782876bf2ea8afc20b9f205b912d937e4dcc8fd40fbee0eced64e80d05d6334ccec85324edbe0c8cdd47e1a35a459d9f6e2edb5
DIST lego-1.2.1.tar.gz 4307533 BLAKE2B 1f5c35a456a30cbf8722dc61356f7072e94231627ea4edac0e3bda53d35a86ce8abe2aaf9669b5c475b5766233c40c9fb7b364bd24707bf9c9960356a676e1e9 SHA512 b326b27a768d7c767df1401ff7497eb73b7f2842ebbbc3a1ccb1907d031c2397aca2d1e47c150b46bd5a3421306e67de80d31c247d28402acfd47d6be251336b
DIST lego-2.4.0.tar.gz 4595834 BLAKE2B cbf538c497455ba37b6c0648c97919971d758dfbffe92f9c38bcf65536f4e0393ae85f4efe46c820339f7f7e82bc434bcdd2a3b2b2f2fab97d58c1bf6eee5e3d SHA512 aaed154fed3bc5d490c945a31170c934b8115ea60f0811d5e2f781eeb8befe4b94692d4890a42d3c88eca390574b60dd0cae2a7d8c35474b58b2e1d6bd817aec
EBUILD lego-1.0.1.ebuild 812 BLAKE2B 4c6f7486778b877f67e9ea674b31df289c306c3fffdc1b0bd5dfdf74866fabcef908b502d605a840acbf520ecf4b4341500a7c046d48fa27ee8df882dd91f9b8 SHA512 764ef611797dab0adbff773bb3b9a3cf1724fe1b636f275808e07d1310f2ca568365ff78ddc940523c00462a0c65e25b736fd76be8a223e0f01874bd0785e8f5
EBUILD lego-1.2.1.ebuild 812 BLAKE2B 4c6f7486778b877f67e9ea674b31df289c306c3fffdc1b0bd5dfdf74866fabcef908b502d605a840acbf520ecf4b4341500a7c046d48fa27ee8df882dd91f9b8 SHA512 764ef611797dab0adbff773bb3b9a3cf1724fe1b636f275808e07d1310f2ca568365ff78ddc940523c00462a0c65e25b736fd76be8a223e0f01874bd0785e8f5
EBUILD lego-2.4.0.ebuild 832 BLAKE2B af396f02f21680e339eca2e5142eb87ac1e83a60dc0e4683a8c0aac1aac241b394e7d1ae6ae02e118a36630eaa2727fa290433b89fa9f9cb2a3bc0167c3f6c0e SHA512 9ad70f7cece1dbfe93e9cf50339b16d4f0fef004724b4694fb85a20d51d4330dbf66fc724d6894ce5900b5c305ec10ce07a071695de0129f7219f35af9441b62

31
app-crypt/lego/lego-1.0.1.ebuild Normal file
View File

@ -0,0 +1,31 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
EGO_PN="github.com/xenolf/lego"
inherit golang-build golang-vcs-snapshot
KEYWORDS="~amd64"
DESCRIPTION="Let's Encrypt client and ACME library written in Go"
HOMEPAGE="https://github.com/xenolf/lego"
SRC_URI="https://${EGO_PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="MIT"
SLOT="0"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-lego )"
src_compile() {
export GOPATH="${S}:$(get_golibdir_gopath)"
cd src/${EGO_PN} || die
go build -ldflags="-s -X main.version=${PV}" -o bin/lego || die
}
src_install() {
pushd src/${EGO_PN} >& /dev/null || die
dobin bin/*
popd >& /dev/null || die
}

31
app-crypt/lego/lego-1.2.1.ebuild Normal file
View File

@ -0,0 +1,31 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
EGO_PN="github.com/xenolf/lego"
inherit golang-build golang-vcs-snapshot
KEYWORDS="~amd64"
DESCRIPTION="Let's Encrypt client and ACME library written in Go"
HOMEPAGE="https://github.com/xenolf/lego"
SRC_URI="https://${EGO_PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="MIT"
SLOT="0"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-lego )"
src_compile() {
export GOPATH="${S}:$(get_golibdir_gopath)"
cd src/${EGO_PN} || die
go build -ldflags="-s -X main.version=${PV}" -o bin/lego || die
}
src_install() {
pushd src/${EGO_PN} >& /dev/null || die
dobin bin/*
popd >& /dev/null || die
}

32
app-crypt/lego/lego-2.4.0.ebuild Normal file
View File

@ -0,0 +1,32 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
EGO_PN="github.com/go-acme/lego"
inherit golang-build golang-vcs-snapshot
KEYWORDS="amd64"
DESCRIPTION="Let's Encrypt client and ACME library written in Go"
HOMEPAGE="https://go-acme.github.io/lego/"
SRC_URI="https://${EGO_PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="MIT"
SLOT="0"
IUSE="selinux"
RDEPEND="selinux? ( sec-policy/selinux-lego )"
src_compile() {
export GOPATH="${S}:$(get_golibdir_gopath)"
cd src/${EGO_PN} || die
go build -ldflags="-s -X main.version=${PV}" -o dist/lego ./cmd/lego/ || die
}
src_install() {
pushd src/${EGO_PN} >& /dev/null || die
dobin dist/${PN}
popd >& /dev/null || die
}

6
app-crypt/sbsigntools/Manifest Normal file
View File

@ -0,0 +1,6 @@
AUX 0002-image.c-clear-image-variable.patch 822 BLAKE2B acb775f625ecd081d9b3d7e497b066218e82d2dc13f80c473c25361dc85098ee15e5f14530334e47c33fe7cc9b2349ffb1aaba7abe4fdd33bfdde05ed9191c39 SHA512 004ba118cbe8fe5cc291888966e5994373c0b9d8149bc5c652a72971138fab5e64d721061c69e8b864d6ca5cdb4ffa193520156941b6bd9c998b256f8d72697b
AUX 0003-Fix-for-multi-sign.patch 1452 BLAKE2B eaa6e39c18d13f3819d5852eda27eb5a8d589241224965392f1b1e067b5cb9ff0ece7fa83697e5fb6f5f8dd0acec15b7bbe57fcd5f761fcb2e8e1fc51193641f SHA512 2aba55a116536e7f41e4aac2fd33eeb92cf89b14bcdd8b93b6e9dc9bdaf2f0162134e56f7d365640445bf801ad8590f6d49f14cdf80b791324647067d52ae435
AUX sbsigntools-0.9.1-openssl-1.1.0-compat.patch 4727 BLAKE2B 3b47c8086220cf12778bf5cd6018627a30ea349677eeb2cfcd1eaa1b83a25d39499ab21a1a123181a51f4138624c17e574050216f59c480e38d9774936f8b6f0 SHA512 6946e1d67161345088aee3ab54129b6e904b6008f2b275ab4eb55ed24fb2b866029f7d7ca856c5dfe76c395580f04709ad1be974369a1b4954b9e87cf812fd4b
DIST sbsigntool_0.6.orig.tar.gz 212375 BLAKE2B fab9141c7fbfa01ec24f975503ac83be4ae0664251a1311afb3d95124fec3750ce20a5ffab35b6965d4ee4585ab4ee91f25ae49488214a983b6fc006071d0968 SHA512 ed314d1cb7278cf5f27d4c3cd17f2195678419a7f9e47770429b6f95df35f7df035331e60c45970183ddd9b150a9b752f876c777929598b0525872b3255af95c
EBUILD sbsigntools-0.6-r2.ebuild 1175 BLAKE2B 929699251878c2860398192e990a9e502453e50f8d3b5259dc8e7bc0f6a9ffe6e746016f120efb24b92b0a934033bd1763f7a9f6592e421b49903da6e81e3951 SHA512 7751a727c445f3e50d5669aafce8f2e4869789c988c1a32a097be814ec466a2e876f80b454c2d0817d590206ccb6ae0f24ed845cf4dee26ca5bae55ff8accd4d
MISC metadata.xml 291 BLAKE2B 0aeb75750176d719f10db508a8924d0bf2fe75e8544b275a7c7e11c44320ce4f7819febb093dd3083a33a998a225f2a3b882407a8ffc03d1a57d03cbfc0a7ff2 SHA512 f7a520fc9a216ff983bd3d361c6ddb3b635eb5dcd94ed042e7c5d0beb0b4e10cdb231e2b4ace599ebb93d4bb46e071a744f1a780ec83f451bb2ee6bad4c2d8cc

29
app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch Normal file
View File

@ -0,0 +1,29 @@
From 21e984fa9d93a760cc03f5d9d13d023809227df2 Mon Sep 17 00:00:00 2001
From: James Bottomley <JBottomley@Parallels.com>
Date: Thu, 11 Apr 2013 21:12:17 -0700
Subject: image.c: clear image variable
Not zeroing the image after talloc occasionally leads to a segfault because
the programme thinks it has a signature when in reality it just has a junk
pointer and segfaults.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
src/image.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/image.c b/src/image.c
index cc55791..10eba0e 100644
--- a/src/image.c
+++ b/src/image.c
@@ -401,6 +401,7 @@ struct image *image_load(const char *filename)
return NULL;
}
+ memset(image, 0, sizeof(*image));
rc = fileio_read_file(image, filename, &image->buf, &image->size);
if (rc)
goto err;
--
1.8.2.1

39
app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch Normal file
View File

@ -0,0 +1,39 @@
From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
From: James Bottomley <JBottomley@Parallels.com>
Date: Mon, 30 Sep 2013 19:25:37 -0700
Subject: [PATCH 4/4] Fix for multi-sign
The new Tianocore multi-sign code fails now for images signed with
sbsigntools. The reason is that we don't actually align the signature table,
we just slap it straight after the binary data. Unfortunately, the new
multi-signature code checks that our alignment offsets are correct and fails
the signature for this reason. Fix by adding junk to the end of the image to
align the signature section.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
src/image.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/image.c b/src/image.c
index 10eba0e..519e288 100644
--- a/src/image.c
+++ b/src/image.c
@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
/* record the size of non-signature data */
r = &image->checksum_regions[image->n_checksum_regions - 1];
- image->data_size = (r->data - (void *)image->buf) + r->size;
+ /*
+ * The new Tianocore multisign does a stricter check of the signatures
+ * in particular, the signature table must start at an aligned offset
+ * fix this by adding bytes to the end of the text section (which must
+ * be included in the hash)
+ */
+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
return 0;
}
--
1.8.4

152
app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch Normal file
View File

@ -0,0 +1,152 @@
diff --git a/src/fileio.c b/src/fileio.c
index 032eb1e..09bc3aa 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -40,6 +40,7 @@
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/engine.h>
+#include <openssl/ui.h>
#include <ccan/talloc/talloc.h>
#include <ccan/read_write_all/read_write_all.h>
diff --git a/src/idc.c b/src/idc.c
index 236cefd..6d87bd4 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
/* extract the idc from the signed PKCS7 'other' data */
str = p7->d.sign->contents->d.other->value.asn1_string;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
idcbuf = buf = ASN1_STRING_data(str);
+#else
+ idcbuf = buf = ASN1_STRING_get0_data(str);
+#endif
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
/* If we were passed a BIO, write the idc data, minus type and length,
@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
}
/* check hash against the one we calculated from the image */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
buf = ASN1_STRING_data(str);
+#else
+ buf = ASN1_STRING_get0_data(str);
+#endif
if (memcmp(buf, sha, sizeof(sha))) {
fprintf(stderr, "Hash doesn't match image\n");
fprintf(stderr, " got: %s\n", sha256_str(buf));
diff --git a/src/sbattach.c b/src/sbattach.c
index a0c01b8..e89a23e 100644
--- a/src/sbattach.c
+++ b/src/sbattach.c
@@ -231,6 +231,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OPENSSL_config(NULL);
@@ -239,6 +240,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
image = image_load(image_filename);
if (!image) {
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index 7b17f40..419b1e7 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
goto out;
key->id_len = ASN1_STRING_length(serial);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+#else
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
+#endif
key->description = talloc_array(key, char, description_len);
X509_NAME_oneline(X509_get_subject_name(x509),
@@ -927,6 +931,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -936,6 +941,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
ctx->filesystem_keys = init_keyset(ctx);
ctx->firmware_keys = init_keyset(ctx);
diff --git a/src/sbsign.c b/src/sbsign.c
index ff1fdfd..78d8d64 100644
--- a/src/sbsign.c
+++ b/src/sbsign.c
@@ -188,6 +188,7 @@ int main(int argc, char **argv)
talloc_steal(ctx, ctx->image);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -197,6 +198,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
if (engine)
pkey = fileio_read_engine_key(engine, keyfilename);
else
diff --git a/src/sbvarsign.c b/src/sbvarsign.c
index 7dcbe51..9319c8b 100644
--- a/src/sbvarsign.c
+++ b/src/sbvarsign.c
@@ -509,6 +509,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* initialise openssl */
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -519,6 +520,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
/* set up the variable signing context */
varname = argv[optind];
diff --git a/src/sbverify.c b/src/sbverify.c
index 3920d91..d0b203a 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -250,6 +250,7 @@ int main(int argc, char **argv)
verbose = false;
detached_sig_filename = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
OPENSSL_config(NULL);
@@ -258,6 +259,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
for (;;) {
int idx;

10
app-crypt/sbsigntools/metadata.xml Normal file
View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>tamiko@gentoo.org</email>
</maintainer>
<upstream>
<remote-id type="launchpad">ubuntu</remote-id>
</upstream>
</pkgmetadata>

44
app-crypt/sbsigntools/sbsigntools-0.6-r2.ebuild Normal file
View File

@ -0,0 +1,44 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="5"
MY_PN="${PN::-1}"
inherit eutils toolchain-funcs
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
HOMEPAGE="https://launchpad.net/ubuntu/+source/sbsigntool"
SRC_URI="https://launchpad.net/ubuntu/+archive/primary/+files/${MY_PN}_${PV}.orig.tar.gz"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="amd64 x86"
IUSE="libressl"
RDEPEND="
!libressl? ( dev-libs/openssl:0= )
libressl? ( dev-libs/libressl:0= )
sys-apps/util-linux"
DEPEND="${RDEPEND}
sys-apps/help2man
sys-boot/gnu-efi
sys-libs/binutils-libs
virtual/pkgconfig"
S="${WORKDIR}/${MY_PN}-${PV}"
src_prepare() {
local iarch
case ${ARCH} in
ia64) iarch=ia64 ;;
x86) iarch=ia32 ;;
amd64) iarch=x86_64 ;;
*) die "unsupported architecture: ${ARCH}" ;;
esac
sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure || die
sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.in || die
sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
epatch "${FILESDIR}"/0002-image.c-clear-image-variable.patch
epatch "${FILESDIR}"/0003-Fix-for-multi-sign.patch
}

18
dev-lang/go/Manifest Normal file
View File

@ -0,0 +1,18 @@
DIST go-darwin-amd64-bootstrap-1.8.tbz 55053831 BLAKE2B 7d87ff36b0e13b3b3c0b8ffc4516493e1a6dde1287675b85b591c1d0a8438c9cb9c8991dc53d3c94c5ebb26830da1c7177ef1f90c250c1efeb5868020abcc660 SHA512 4cc24d44c84c94feafab021c0977fcea2aca8f191c6395e38fff68154b1e64efc3f94331c3e36c7b69901af58e9d53545c682f0a742d36b2d230508bd69777c4
DIST go-freebsd-386-bootstrap-1.8.tbz 53739013 BLAKE2B a91e0a6b601aadc965f774ffd25a185e1f300e7194e969337f32bf9cb3056769786d92ef697271e7434d72c04d9d6780bf0fb3cb70efa83fe53cc18dc23670ec SHA512 c92f849b2d92401657412cccc589042b2747e55b2f4813d674c5bc91c3f535ee60f8ed7b8cbf1320e216d22a16dade8b78bb8071982895901f2b3c304e38f478
DIST go-freebsd-amd64-bootstrap-1.8.tbz 55103927 BLAKE2B 30e4e4bcb43da3a170f520b47cd032a524d4c4977a9c76c4d597bb50e21a3ad2ef764dec15085d97cb5791bd483d8fac10ef5949c56b46e7580468fc9c90a78c SHA512 c7d50731ff41147295ef5f3233aa1404081b47e786a300e1d0e4db8348e56bd73fe5f169fe8b807ffa37a53683e3aef16ebb6e877d802b86ff1a3d5d3a6f44cb
DIST go-linux-386-bootstrap-1.8.tbz 53843745 BLAKE2B 6bbb6df7ea0f7307386590524261f9ec477e7032171020ac3ed4a09bf9c39075ba4143c466611b0ab28cc4b494dec75063ecb291d2166a82bc7601562e7e3685 SHA512 b456f7572d04c805a6fc756647c050460f76e5404dba41963c861c92f1600e9fedafe181a1f69132518065737a88edb4b183ec8c3ca24bc8df31279117e92606
DIST go-linux-amd64-bootstrap-musl-1.4.3.tbz 23246790 BLAKE2B 364d2afa2a882b752635c2e3b956ca499b02fd4842eb8e159fce74adfffb9e65db3e5b64a2ed81ec12dc71bd209979cbe6d35b3796ef877ff148f2c1be249de5 SHA512 1cdc1c667fbee992c2ef0555d1ed8ce4d8b9ecf5ecd23b73f6729a6f91764a41407a016c71eeb1755cb1889fe702a0aa0da382ffdb6bab7b9cdacaa558449898
DIST go-linux-arm-bootstrap-1.8.tbz 53948103 BLAKE2B 515051e777ad273999c82f31b8a07ba61b77fbeede761a72b52c0bc3a7b55da013b5061af03a1b9634bf7b44429d7b371b89be85fb9e4f3a23d4d1a3c52bd90b SHA512 98ff0dbdb2aca9e54ea5327c9d31ce389e434a887015ef8555a8e85223a9998075c5013045275fb995a877a8d247704a21d726d46df7097adc0c4aa03af4cd68
DIST go-linux-arm64-bootstrap-1.8.tbz 51947002 BLAKE2B 5899f5d304031eae96b66ed7aa21f5af13b0fdfdcd7a12095bda2eff0f5fe5610135f9370b34681e4c33f33c1e0428a2a09c1c8a581c6b170da223f57cac4607 SHA512 adfbe62c5594c267707078bf8afb94a793dfba004c04a1a60f96d023d96c2fc4a6a422dee93a0f3487b1f2e1e117c7c6c607b62126dd5535686aaed88f6659d9
DIST go-linux-ppc64-bootstrap-1.8.tbz 52315782 BLAKE2B 6be0a48e8bc4e5fed4d34f8aaa8dfb6ad4d513064275dd940d0f58b25d442b33ad71c11687d317448b93d9c4690f7412e5a6a4553ec5298663409416cec04fbf SHA512 0aa32ac1514055ed9140b8c8330cbdbadfd9da6ad00b60d49b0685473be21e0b6510c31394678e32048f2f38d06a0d575f453c555614664eaef2bf5be6c91734
DIST go-linux-ppc64le-bootstrap-1.8.tbz 52211575 BLAKE2B 7a28ec5a381369c4e9415c8360e904c2545380513afd328077c584e8af0bf6bd818aa03e5a58c350cbb98facc1c9dccb02b06adcb27233875497cf5d33265912 SHA512 6931d999dd0ee1ff44c4cec48acb27af061f57f87aa74802dcebab78553b46bc8ac732f07fe91e5074dbdd32c55b707994875934bfb12bb4276d71eb1d06c4ba
DIST go-linux-s390x-bootstrap-1.8.tbz 57124869 BLAKE2B 920a176b8f4fc3a816e724324bbb30a383d599e31a0d2093d24797dbcd0e799a662a3589dbb87d2f5dd16df07c4cf8f1e444e87b540ec732746bb025dc9271f8 SHA512 d429cae870d66217ab2e07c74209d3031d97baa4f899b4d70ae6283a1a5b1434b037904c4cfca0b2bc798d5ba0b358c3739e000eccbc74809baf564c5686df5a
DIST go-solaris-amd64-bootstrap-1.8.tbz 54926326 BLAKE2B 0a45312f090d81ebf46fe5950cb65c059e2801394231e715e94145d1f918eb59b10472b2385e57ebd5cfb9eca0ad7290fb118436486b665520bb540970f971ab SHA512 52b849e5b9a940e10de7ba3df0ebdf6e1c5d631de9581d936c9edf8f38e6bb3314acbc2b2d5202b0528fde2a359d52bc0c6f39acf9b1b614725e4b4a947ed10d
DIST go1.10.1.src.tar.gz 18305765 BLAKE2B 61b8db22c50b9a4653244dc18267f405607755932d84ea2c475338a9f4a5421da2bb8cc808dbd166aa35c3c8778180bf47d6e51ebe303bc62e582516919058f9 SHA512 13f6b0643a4f92eeca04444b9fa10de38fc3427daea9aa3227cf9a5738ffee1a3f2e355ba5faf711b8506f7de118bdcd3b9064b65407a22613523e29ffd73415
DIST go1.10.3.src.tar.gz 18323736 BLAKE2B f07ea774378eb25e28fc29ce6d8d7ed84227d4b93bfa93d38a071fe294da30c3cdc3a559d643e7379873df56b0e2731dbd772e385ffcb4b2e93819db3b4e33f2 SHA512 fd2bd5fcb5c6d0a5336c4b1d2cacb368edbb01359297a83bdedc53f6018642598232f00633fc60fde879050f5f26a810c828d46b5d6626cbcc0702d93ad33fbb
DIST go1.11.5.src.tar.gz 21108339 BLAKE2B 3a33a89e267e57fee688e4d67257810ca1f37cfb904b6806c3a566b021aa80153f59f64d3a61ed68f526f093e0d5b6b3c95565cd06622cf9a65eef81bc7e9733 SHA512 63500238e8d73e4b29279ee3eb9242960de93ccd3b52bacc4009f45cf123cb8edfe5f519d38c5b07bdf2a810925758511ff3255310a056113d0169f78be1d2f6
EBUILD go-1.10.1.ebuild 5653 BLAKE2B 1e742993a575d6f28fc55d16d466152f93a7ad89aabb429d83ea31d5a51f5c0188f6b22c2e1d5b721af68315dc9bd7bc59fcb6a1470393de0fda73ad6be57db4 SHA512 c42ca83b0d4f5a2d8cb1c272551cea55d5d47fafa30cc4a624fbb965a9ef3d35ac14b4fe4a27ccb557e89661a2757e82f2ecda35d8395556f22f6b681489f921
EBUILD go-1.10.3.ebuild 5653 BLAKE2B 1e742993a575d6f28fc55d16d466152f93a7ad89aabb429d83ea31d5a51f5c0188f6b22c2e1d5b721af68315dc9bd7bc59fcb6a1470393de0fda73ad6be57db4 SHA512 c42ca83b0d4f5a2d8cb1c272551cea55d5d47fafa30cc4a624fbb965a9ef3d35ac14b4fe4a27ccb557e89661a2757e82f2ecda35d8395556f22f6b681489f921
EBUILD go-1.11.5.ebuild 6008 BLAKE2B 025a51bc415f60e9b94d6cd985c5334f5d7f603c3e14537ad6d8422c369a0d9b89ef534093dab52617f17108840d5a9105815d984883ce076ef47f322c4d7752 SHA512 31decfc1df9eae82316ac10aebe4d01190e2fdaa2b365eb8ee65750bf1a23e1d676f03a0551d7b9bd4c339358f7555a53d2a8806ed209b28e8e81ad3a8e680f7
MISC metadata.xml 538 BLAKE2B 78502c369a490804b2c69eef864276c2be5d0ee84ec189b6cc8584f8f42668a35f3c74bd25ceb53c469716337cbab908c576ca880c492f5961fedafc74cc346f SHA512 514a441a522218fdca543a22370e965a2bfc1f1f2c37e77431143329bb3d3f4f53e99ad5d7f7d7c61877f77387a777f7b4f339b9a3e45322d01d39d3d0ea1309

228
dev-lang/go/go-1.10.1.ebuild Normal file
View File

@ -0,0 +1,228 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
export CBUILD=${CBUILD:-${CHOST}}
export CTARGET=${CTARGET:-${CHOST}}
MY_PV=${PV/_/}
inherit toolchain-funcs
BOOTSTRAP_DIST="https://dev.gentoo.org/~williamh/dist"
BOOTSTRAP_VERSION="bootstrap-1.8"
BOOTSTRAP_URI="
amd64? ( ${BOOTSTRAP_DIST}/go-linux-amd64-bootstrap-musl-1.4.3.tbz )
arm? ( ${BOOTSTRAP_DIST}/go-linux-arm-${BOOTSTRAP_VERSION}.tbz )
arm64? ( ${BOOTSTRAP_DIST}/go-linux-arm64-${BOOTSTRAP_VERSION}.tbz )
ppc64? (
${BOOTSTRAP_DIST}/go-linux-ppc64-${BOOTSTRAP_VERSION}.tbz
${BOOTSTRAP_DIST}/go-linux-ppc64le-${BOOTSTRAP_VERSION}.tbz
)
s390? ( ${BOOTSTRAP_DIST}/go-linux-s390x-${BOOTSTRAP_VERSION}.tbz )
x86? ( ${BOOTSTRAP_DIST}/go-linux-386-${BOOTSTRAP_VERSION}.tbz )
amd64-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-amd64-${BOOTSTRAP_VERSION}.tbz )
x86-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-386-${BOOTSTRAP_VERSION}.tbz )
x64-macos? ( ${BOOTSTRAP_DIST}/go-darwin-amd64-${BOOTSTRAP_VERSION}.tbz )
x64-solaris? ( ${BOOTSTRAP_DIST}/go-solaris-amd64-${BOOTSTRAP_VERSION}.tbz )
"
case ${PV} in
*9999*)
EGIT_REPO_URI="https://github.com/golang/go.git"
inherit git-r3
;;
*)
SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
S="${WORKDIR}"/go
case ${PV} in
*_beta*|*_rc*) ;;
*)
KEYWORDS="-* amd64 arm ~arm64 ~ppc64 ~s390 x86 ~amd64-fbsd ~x86-fbsd ~x64-macos ~x64-solaris"
# The upstream tests fail under portage but pass if the build is
# run according to their documentation [1].
# I am restricting the tests on released versions until this is
# solved.
# [1] https://golang.org/issues/18442
RESTRICT="test"
;;
esac
esac
SRC_URI+="!gccgo? ( ${BOOTSTRAP_URI} )"
DESCRIPTION="A concurrent garbage collected and typesafe programming language"
HOMEPAGE="https://golang.org"
LICENSE="BSD"
SLOT="0/${PV}"
IUSE="gccgo"
DEPEND="gccgo? ( >=sys-devel/gcc-5[go] )"
RDEPEND="!<dev-go/go-tools-0_pre20150902"
# These test data objects have writable/executable stacks.
QA_EXECSTACK="
usr/lib/go/src/debug/elf/testdata/*.obj
usr/lib/go/src/go/internal/gccgoimporter/testdata/escapeinfo.gox
usr/lib/go/src/go/internal/gccgoimporter/testdata/unicode.gox
usr/lib/go/src/go/internal/gccgoimporter/testdata/time.gox
"
# Do not complain about CFLAGS, etc, since Go doesn't use them.
QA_FLAGS_IGNORED='.*'
REQUIRES_EXCLUDE="/usr/lib/go/src/debug/elf/testdata/*"
# The tools in /usr/lib/go should not cause the multilib-strict check to fail.
QA_MULTILIB_PATHS="usr/lib/go/pkg/tool/.*/.*"
# Do not strip this package. Stripping is unsupported upstream and may
# fail.
RESTRICT+=" strip"
DOCS=(
AUTHORS
CONTRIBUTING.md
CONTRIBUTORS
PATENTS
README.md
)
go_arch()
{
# By chance most portage arch names match Go
local portage_arch=$(tc-arch $@)
case "${portage_arch}" in
x86) echo 386;;
x64-*) echo amd64;;
ppc64) [[ $(tc-endian $@) = big ]] && echo ppc64 || echo ppc64le ;;
s390) echo s390x ;;
*) echo "${portage_arch}";;
esac
}
go_arm()
{
case "${1:-${CHOST}}" in
armv5*) echo 5;;
armv6*) echo 6;;
armv7*) echo 7;;
*)
die "unknown GOARM for ${1:-${CHOST}}"
;;
esac
}
go_os()
{
case "${1:-${CHOST}}" in
*-linux*) echo linux;;
*-darwin*) echo darwin;;
*-freebsd*) echo freebsd;;
*-netbsd*) echo netbsd;;
*-openbsd*) echo openbsd;;
*-solaris*) echo solaris;;
*-cygwin*|*-interix*|*-winnt*)
echo windows
;;
*)
die "unknown GOOS for ${1:-${CHOST}}"
;;
esac
}
go_tuple()
{
echo "$(go_os $@)_$(go_arch $@)"
}
go_cross_compile()
{
[[ $(go_tuple ${CBUILD}) != $(go_tuple) ]]
}
pkg_pretend()
{
# make.bash does not understand cross-compiling a cross-compiler
if [[ $(go_tuple) != $(go_tuple ${CTARGET}) ]]; then
die "CHOST CTARGET pair unsupported: CHOST=${CHOST} CTARGET=${CTARGET}"
fi
}
src_unpack()
{
if [[ ${PV} = 9999 ]]; then
git-r3_src_unpack
fi
default
}
src_compile()
{
export GOROOT_BOOTSTRAP="${WORKDIR}"/go-$(go_os)-$(go_arch)-bootstrap
if use gccgo; then
mkdir -p "${GOROOT_BOOTSTRAP}/bin" || die
local go_binary=$(gcc-config --get-bin-path)/go-$(gcc-major-version)
[[ -x ${go_binary} ]] || go_binary=$(
find "${EPREFIX}"/usr/${CHOST}/gcc-bin/*/go-$(gcc-major-version) |
sort -V | tail -n1)
[[ -x ${go_binary} ]] ||
die "go-$(gcc-major-version): command not found"
ln -s "${go_binary}" "${GOROOT_BOOTSTRAP}/bin/go" || die
fi
export GOROOT_FINAL="${EPREFIX}"/usr/lib/go
export GOROOT="$(pwd)"
export GOBIN="${GOROOT}/bin"
# Go's build script does not use BUILD/HOST/TARGET consistently. :(
export GOHOSTARCH=$(go_arch ${CBUILD})
export GOHOSTOS=$(go_os ${CBUILD})
export CC=$(tc-getBUILD_CC)
export GOARCH=$(go_arch)
export GOOS=$(go_os)
export CC_FOR_TARGET=$(tc-getCC)
export CXX_FOR_TARGET=$(tc-getCXX)
if [[ ${ARCH} == arm ]]; then
export GOARM=$(go_arm)
fi
einfo "GOROOT_BOOTSTRAP is ${GOROOT_BOOTSTRAP}"
cd src
./make.bash || die "build failed"
}
src_test()
{
go_cross_compile && return 0
cd src
PATH="${GOBIN}:${PATH}" \
./run.bash -no-rebuild || die "tests failed"
}
src_install()
{
local bin_path f x
dodir /usr/lib/go
# There is a known issue which requires the source tree to be installed [1].
# Once this is fixed, we can consider using the doc use flag to control
# installing the doc and src directories.
# [1] https://golang.org/issue/2775
#
# deliberately use cp to retain permissions
cp -R api bin doc lib pkg misc src test "${ED}"/usr/lib/go
if go_cross_compile; then
bin_path="bin/$(go_tuple)"
else
bin_path=bin
fi
for x in ${bin_path}/*; do
f=${x##*/}
dosym ../lib/go/${bin_path}/${f} /usr/bin/${f}
done
einstalldocs
}

228
dev-lang/go/go-1.10.3.ebuild Normal file
View File

@ -0,0 +1,228 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
export CBUILD=${CBUILD:-${CHOST}}
export CTARGET=${CTARGET:-${CHOST}}
MY_PV=${PV/_/}
inherit toolchain-funcs
BOOTSTRAP_DIST="https://dev.gentoo.org/~williamh/dist"
BOOTSTRAP_VERSION="bootstrap-1.8"
BOOTSTRAP_URI="
amd64? ( ${BOOTSTRAP_DIST}/go-linux-amd64-bootstrap-musl-1.4.3.tbz )
arm? ( ${BOOTSTRAP_DIST}/go-linux-arm-${BOOTSTRAP_VERSION}.tbz )
arm64? ( ${BOOTSTRAP_DIST}/go-linux-arm64-${BOOTSTRAP_VERSION}.tbz )
ppc64? (
${BOOTSTRAP_DIST}/go-linux-ppc64-${BOOTSTRAP_VERSION}.tbz
${BOOTSTRAP_DIST}/go-linux-ppc64le-${BOOTSTRAP_VERSION}.tbz
)
s390? ( ${BOOTSTRAP_DIST}/go-linux-s390x-${BOOTSTRAP_VERSION}.tbz )
x86? ( ${BOOTSTRAP_DIST}/go-linux-386-${BOOTSTRAP_VERSION}.tbz )
amd64-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-amd64-${BOOTSTRAP_VERSION}.tbz )
x86-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-386-${BOOTSTRAP_VERSION}.tbz )
x64-macos? ( ${BOOTSTRAP_DIST}/go-darwin-amd64-${BOOTSTRAP_VERSION}.tbz )
x64-solaris? ( ${BOOTSTRAP_DIST}/go-solaris-amd64-${BOOTSTRAP_VERSION}.tbz )
"
case ${PV} in
*9999*)
EGIT_REPO_URI="https://github.com/golang/go.git"
inherit git-r3
;;
*)
SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
S="${WORKDIR}"/go
case ${PV} in
*_beta*|*_rc*) ;;
*)
KEYWORDS="-* amd64 arm ~arm64 ~ppc64 ~s390 x86 ~amd64-fbsd ~x86-fbsd ~x64-macos ~x64-solaris"
# The upstream tests fail under portage but pass if the build is
# run according to their documentation [1].
# I am restricting the tests on released versions until this is
# solved.
# [1] https://golang.org/issues/18442
RESTRICT="test"
;;
esac
esac
SRC_URI+="!gccgo? ( ${BOOTSTRAP_URI} )"
DESCRIPTION="A concurrent garbage collected and typesafe programming language"
HOMEPAGE="https://golang.org"
LICENSE="BSD"
SLOT="0/${PV}"
IUSE="gccgo"
DEPEND="gccgo? ( >=sys-devel/gcc-5[go] )"
RDEPEND="!<dev-go/go-tools-0_pre20150902"
# These test data objects have writable/executable stacks.
QA_EXECSTACK="
usr/lib/go/src/debug/elf/testdata/*.obj
usr/lib/go/src/go/internal/gccgoimporter/testdata/escapeinfo.gox
usr/lib/go/src/go/internal/gccgoimporter/testdata/unicode.gox
usr/lib/go/src/go/internal/gccgoimporter/testdata/time.gox
"
# Do not complain about CFLAGS, etc, since Go doesn't use them.
QA_FLAGS_IGNORED='.*'
REQUIRES_EXCLUDE="/usr/lib/go/src/debug/elf/testdata/*"
# The tools in /usr/lib/go should not cause the multilib-strict check to fail.
QA_MULTILIB_PATHS="usr/lib/go/pkg/tool/.*/.*"
# Do not strip this package. Stripping is unsupported upstream and may
# fail.
RESTRICT+=" strip"
DOCS=(
AUTHORS
CONTRIBUTING.md
CONTRIBUTORS
PATENTS
README.md
)
go_arch()
{
# By chance most portage arch names match Go
local portage_arch=$(tc-arch $@)
case "${portage_arch}" in
x86) echo 386;;
x64-*) echo amd64;;
ppc64) [[ $(tc-endian $@) = big ]] && echo ppc64 || echo ppc64le ;;
s390) echo s390x ;;
*) echo "${portage_arch}";;
esac
}
go_arm()
{
case "${1:-${CHOST}}" in
armv5*) echo 5;;
armv6*) echo 6;;
armv7*) echo 7;;
*)
die "unknown GOARM for ${1:-${CHOST}}"
;;
esac
}
go_os()
{
case "${1:-${CHOST}}" in
*-linux*) echo linux;;
*-darwin*) echo darwin;;
*-freebsd*) echo freebsd;;
*-netbsd*) echo netbsd;;
*-openbsd*) echo openbsd;;
*-solaris*) echo solaris;;
*-cygwin*|*-interix*|*-winnt*)
echo windows
;;
*)
die "unknown GOOS for ${1:-${CHOST}}"
;;
esac
}
go_tuple()
{
echo "$(go_os $@)_$(go_arch $@)"
}
go_cross_compile()
{
[[ $(go_tuple ${CBUILD}) != $(go_tuple) ]]
}
pkg_pretend()
{
# make.bash does not understand cross-compiling a cross-compiler
if [[ $(go_tuple) != $(go_tuple ${CTARGET}) ]]; then
die "CHOST CTARGET pair unsupported: CHOST=${CHOST} CTARGET=${CTARGET}"
fi
}
src_unpack()
{
if [[ ${PV} = 9999 ]]; then
git-r3_src_unpack
fi
default
}
src_compile()
{
export GOROOT_BOOTSTRAP="${WORKDIR}"/go-$(go_os)-$(go_arch)-bootstrap
if use gccgo; then
mkdir -p "${GOROOT_BOOTSTRAP}/bin" || die
local go_binary=$(gcc-config --get-bin-path)/go-$(gcc-major-version)
[[ -x ${go_binary} ]] || go_binary=$(
find "${EPREFIX}"/usr/${CHOST}/gcc-bin/*/go-$(gcc-major-version) |
sort -V | tail -n1)
[[ -x ${go_binary} ]] ||
die "go-$(gcc-major-version): command not found"
ln -s "${go_binary}" "${GOROOT_BOOTSTRAP}/bin/go" || die
fi
export GOROOT_FINAL="${EPREFIX}"/usr/lib/go
export GOROOT="$(pwd)"
export GOBIN="${GOROOT}/bin"
# Go's build script does not use BUILD/HOST/TARGET consistently. :(
export GOHOSTARCH=$(go_arch ${CBUILD})
export GOHOSTOS=$(go_os ${CBUILD})
export CC=$(tc-getBUILD_CC)
export GOARCH=$(go_arch)
export GOOS=$(go_os)
export CC_FOR_TARGET=$(tc-getCC)
export CXX_FOR_TARGET=$(tc-getCXX)
if [[ ${ARCH} == arm ]]; then
export GOARM=$(go_arm)
fi
einfo "GOROOT_BOOTSTRAP is ${GOROOT_BOOTSTRAP}"
cd src
./make.bash || die "build failed"
}
src_test()
{
go_cross_compile && return 0
cd src
PATH="${GOBIN}:${PATH}" \
./run.bash -no-rebuild || die "tests failed"
}
src_install()
{
local bin_path f x
dodir /usr/lib/go
# There is a known issue which requires the source tree to be installed [1].
# Once this is fixed, we can consider using the doc use flag to control
# installing the doc and src directories.
# [1] https://golang.org/issue/2775
#
# deliberately use cp to retain permissions
cp -R api bin doc lib pkg misc src test "${ED}"/usr/lib/go
if go_cross_compile; then
bin_path="bin/$(go_tuple)"
else
bin_path=bin
fi
for x in ${bin_path}/*; do
f=${x##*/}
dosym ../lib/go/${bin_path}/${f} /usr/bin/${f}
done
einstalldocs
}

236
dev-lang/go/go-1.11.5.ebuild Normal file
View File

@ -0,0 +1,236 @@
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=6
export CBUILD=${CBUILD:-${CHOST}}
export CTARGET=${CTARGET:-${CHOST}}
MY_PV=${PV/_/}
inherit toolchain-funcs
BOOTSTRAP_DIST="https://dev.gentoo.org/~williamh/dist"
BOOTSTRAP_VERSION="bootstrap-1.8"
BOOTSTRAP_URI="
amd64? ( ${BOOTSTRAP_DIST}//go-linux-amd64-bootstrap-musl-1.4.3.tbz )
arm? ( ${BOOTSTRAP_DIST}/go-linux-arm-${BOOTSTRAP_VERSION}.tbz )
arm64? ( ${BOOTSTRAP_DIST}/go-linux-arm64-${BOOTSTRAP_VERSION}.tbz )
ppc64? (
${BOOTSTRAP_DIST}/go-linux-ppc64-${BOOTSTRAP_VERSION}.tbz
${BOOTSTRAP_DIST}/go-linux-ppc64le-${BOOTSTRAP_VERSION}.tbz
)
s390? ( ${BOOTSTRAP_DIST}/go-linux-s390x-${BOOTSTRAP_VERSION}.tbz )
x86? ( ${BOOTSTRAP_DIST}/go-linux-386-${BOOTSTRAP_VERSION}.tbz )
amd64-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-amd64-${BOOTSTRAP_VERSION}.tbz )
x86-fbsd? ( ${BOOTSTRAP_DIST}/go-freebsd-386-${BOOTSTRAP_VERSION}.tbz )
x64-macos? ( ${BOOTSTRAP_DIST}/go-darwin-amd64-${BOOTSTRAP_VERSION}.tbz )
x64-solaris? ( ${BOOTSTRAP_DIST}/go-solaris-amd64-${BOOTSTRAP_VERSION}.tbz )
"
case ${PV} in
*9999*)
EGIT_REPO_URI="https://github.com/golang/go.git"
inherit git-r3
;;
*)
SRC_URI="https://storage.googleapis.com/golang/go${MY_PV}.src.tar.gz "
S="${WORKDIR}"/go
case ${PV} in
*_beta*|*_rc*) ;;
*)
KEYWORDS="-* amd64 arm ~arm64 ~ppc64 ~s390 x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x64-solaris"
# The upstream tests fail under portage but pass if the build is
# run according to their documentation [1].
# I am restricting the tests on released versions until this is
# solved.
# [1] https://golang.org/issues/18442
RESTRICT="test"
;;
esac
esac
SRC_URI+="!gccgo? ( ${BOOTSTRAP_URI} )"
DESCRIPTION="A concurrent garbage collected and typesafe programming language"
HOMEPAGE="https://golang.org"
LICENSE="BSD"
SLOT="0/${PV}"
IUSE="gccgo"
DEPEND="gccgo? ( >=sys-devel/gcc-5[go] )"
RDEPEND="!<dev-go/go-tools-0_pre20150902"
# These test data objects have writable/executable stacks.
QA_EXECSTACK="
usr/lib/go/src/debug/elf/testdata/*.obj
usr/lib/go/src/go/internal/gccgoimporter/testdata/escapeinfo.gox
usr/lib/go/src/go/internal/gccgoimporter/testdata/unicode.gox
usr/lib/go/src/go/internal/gccgoimporter/testdata/time.gox
"
# Do not complain about CFLAGS, etc, since Go doesn't use them.
QA_FLAGS_IGNORED='.*'
REQUIRES_EXCLUDE="/usr/lib/go/src/debug/elf/testdata/*"
# The tools in /usr/lib/go should not cause the multilib-strict check to fail.
QA_MULTILIB_PATHS="usr/lib/go/pkg/tool/.*/.*"
# Do not strip this package. Stripping is unsupported upstream and may
# fail.
RESTRICT+=" strip"
DOCS=(
AUTHORS
CONTRIBUTING.md
CONTRIBUTORS
PATENTS
README.md
)
go_arch()
{
# By chance most portage arch names match Go
local portage_arch=$(tc-arch $@)
case "${portage_arch}" in
x86) echo 386;;
x64-*) echo amd64;;
ppc64) [[ $(tc-endian $@) = big ]] && echo ppc64 || echo ppc64le ;;
s390) echo s390x ;;
*) echo "${portage_arch}";;
esac
}
go_arm()
{
case "${1:-${CHOST}}" in
armv5*) echo 5;;
armv6*) echo 6;;
armv7*) echo 7;;
*)
die "unknown GOARM for ${1:-${CHOST}}"
;;
esac
}
go_os()
{
case "${1:-${CHOST}}" in
*-linux*) echo linux;;
*-darwin*) echo darwin;;
*-freebsd*) echo freebsd;;
*-netbsd*) echo netbsd;;
*-openbsd*) echo openbsd;;
*-solaris*) echo solaris;;
*-cygwin*|*-interix*|*-winnt*)
echo windows
;;
*)
die "unknown GOOS for ${1:-${CHOST}}"
;;
esac
}
go_tuple()
{
echo "$(go_os $@)_$(go_arch $@)"
}
go_cross_compile()
{
[[ $(go_tuple ${CBUILD}) != $(go_tuple) ]]
}
pkg_pretend()
{
# make.bash does not understand cross-compiling a cross-compiler
if [[ $(go_tuple) != $(go_tuple ${CTARGET}) ]]; then
die "CHOST CTARGET pair unsupported: CHOST=${CHOST} CTARGET=${CTARGET}"
fi
}
src_unpack()
{
if [[ ${PV} = 9999 ]]; then
git-r3_src_unpack
fi
default
}
src_compile()
{
export GOROOT_BOOTSTRAP="${WORKDIR}"/go-$(go_os)-$(go_arch)-bootstrap
if use gccgo; then
mkdir -p "${GOROOT_BOOTSTRAP}/bin" || die
local go_binary=$(gcc-config --get-bin-path)/go-$(gcc-major-version)
[[ -x ${go_binary} ]] || go_binary=$(
find "${EPREFIX}"/usr/${CHOST}/gcc-bin/*/go-$(gcc-major-version) |
sort -V | tail -n1)
[[ -x ${go_binary} ]] ||
die "go-$(gcc-major-version): command not found"
ln -s "${go_binary}" "${GOROOT_BOOTSTRAP}/bin/go" || die
fi
export GOROOT_FINAL="${EPREFIX}"/usr/lib/go
export GOROOT="$(pwd)"
export GOBIN="${GOROOT}/bin"
# Go's build script does not use BUILD/HOST/TARGET consistently. :(
export GOHOSTARCH=$(go_arch ${CBUILD})
export GOHOSTOS=$(go_os ${CBUILD})
export CC=$(tc-getBUILD_CC)
export GOARCH=$(go_arch)
export GOOS=$(go_os)
export CC_FOR_TARGET=$(tc-getCC)
export CXX_FOR_TARGET=$(tc-getCXX)
if [[ ${ARCH} == arm ]]; then
export GOARM=$(go_arm)
fi
einfo "GOROOT_BOOTSTRAP is ${GOROOT_BOOTSTRAP}"
cd src
./make.bash || die "build failed"
}
src_test()
{
go_cross_compile && return 0
cd src
PATH="${GOBIN}:${PATH}" \
./run.bash -no-rebuild || die "tests failed"
}
src_install()
{
local bin_path f x
dodir /usr/lib/go
# There is a known issue which requires the source tree to be installed [1].
# Once this is fixed, we can consider using the doc use flag to control
# installing the doc and src directories.
# [1] https://golang.org/issue/2775
#
# deliberately use cp to retain permissions
cp -R api bin doc lib pkg misc src test "${ED}"/usr/lib/go
if go_cross_compile; then
bin_path="bin/$(go_tuple)"
else
bin_path=bin
fi
for x in ${bin_path}/*; do
f=${x##*/}
dosym ../lib/go/${bin_path}/${f} /usr/bin/${f}
done
einstalldocs
if [[ ${CHOST} == *-darwin* ]] ; then
# fix install_name for test object (binutils_test) on Darwin, it
# is never used in real circumstances
local libmac64="${EPREFIX}"/usr/lib/go/src/cmd/vendor/github.com/
libmac64+=google/pprof/internal/binutils/testdata/lib_mac_64
install_name_tool -id "${libmac64}" "${D}${libmac64}"
fi
}

16
dev-lang/go/metadata.xml Normal file
View File

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
<longdescription lang="en">
Go is a new systems programming language developped at google by
Rob Pike. It has garbage collection, coroutines, communication
channels and a clean syntax.
</longdescription>
<use>
<flag name="gccgo">Enable bootstrapping using gccgo</flag>
</use>
</pkgmetadata>

4
dev-qt/qtnetwork/Manifest Normal file
View File

@ -0,0 +1,4 @@
AUX qtnetwork-5.11-libressl.patch 4742 BLAKE2B dc5796246cad7f124108d441cccb79e3aa5e46365637af9aa68322fd426cfc772de7a8c626e0eeba8068bb941ed0607dfbd58111c111228d89761067ac4a6620 SHA512 9a91220a9210c4f82ecd77aa4ee70ba62aac7ca39cb01f3e153cd8d42a50105e375dd9280de9b13c4fcf3777e42c48320fff4d822b7e35f392323fb5cca99032
DIST qtbase-everywhere-src-5.11.3.tar.xz 46997676 BLAKE2B a70089be5530dec0eedcd5ba990140b375261dea5c85ea7d1dbb5b0bd09ee23edbb4917851127686b5f3cac6969a284eb91ab075ebe53326e69e99e81b257da0 SHA512 93865e41c994211456a575b085c2e7491b7975a1c3b4deb48e9616b51104eb990c1fcfd53d5fb2146ba22457cb134e6254e9077ba73c8b4c4b4d1d525e66fb65
EBUILD qtnetwork-5.11.3.ebuild 1345 BLAKE2B 5db0b7120e982fc58fce2ae8eba178da92793c4f64309d0dde39a4cd43c85a0fc92692a146c89852972547dffea9eb5a4362899c548aec982bd73198cc23bfeb SHA512 7628aca9770e51b198287f317a914afe95e1ecba5eae1762b3c7cfdb57284a9aa76ce903a9e6757cf8dbbd00eb88be0d071f445b99b0c89c005312730e1b22fe
MISC metadata.xml 876 BLAKE2B cd547dff93432d3d0c4baba6790166ab951035e3c7b9d66fb9717349626f7ac72ef38daf7c648de40bf73ad59f5f7ad8c85894d73e2c37b24832371bed868656 SHA512 6a38a068dd89a9a1bb470938bf4b2427553356fed8f1a638596e21261363544b8fb770ca2ec9e619aedb4e4ea260b60966924b5b8beb8295804c99cb8d916f5f

74
dev-qt/qtnetwork/files/qtnetwork-5.11-libressl.patch Normal file
View File

@ -0,0 +1,74 @@
diff -Naurp old_qt/config.tests/unix/openssl11/openssl.cpp new_qt/config.tests/unix/openssl11/openssl.cpp
--- old_qt/config.tests/unix/openssl11/openssl.cpp 2018-09-13 13:25:10.000000000 +0900
+++ new_qt/config.tests/unix/openssl11/openssl.cpp 2018-10-20 08:31:20.497180387 +0900
@@ -39,7 +39,7 @@
#include <openssl/opensslv.h>
-#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10100000L
+#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
# error "OpenSSL >= 1.1 is required"
#endif
diff -Naurp old_qt/src/network/ssl/qsslcontext_openssl.cpp new_qt/src/network/ssl/qsslcontext_openssl.cpp
--- old_qt/src/network/ssl/qsslcontext_openssl.cpp 2018-09-13 13:25:10.000000000 +0900
+++ new_qt/src/network/ssl/qsslcontext_openssl.cpp 2018-10-20 08:34:24.613169930 +0900
@@ -248,7 +248,7 @@ void QSslContext::applyBackendConfig(QSs
if (sslContext->sslConfiguration.backendConfiguration().isEmpty())
return;
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) {
QSharedPointer<SSL_CONF_CTX> cctx(q_SSL_CONF_CTX_new(), &q_SSL_CONF_CTX_free);
if (cctx) {
diff -Naurp old_qt/src/network/ssl/qsslsocket_openssl_symbols.cpp new_qt/src/network/ssl/qsslsocket_openssl_symbols.cpp
--- old_qt/src/network/ssl/qsslsocket_openssl_symbols.cpp 2018-09-13 13:25:10.000000000 +0900
+++ new_qt/src/network/ssl/qsslsocket_openssl_symbols.cpp 2018-10-20 08:37:48.682266708 +0900
@@ -406,7 +406,7 @@ DEFINEFUNC2(int, SSL_CTX_use_PrivateKey,
DEFINEFUNC2(int, SSL_CTX_use_RSAPrivateKey, SSL_CTX *a, a, RSA *b, b, return -1, return)
DEFINEFUNC3(int, SSL_CTX_use_PrivateKey_file, SSL_CTX *a, a, const char *b, b, int c, c, return -1, return)
DEFINEFUNC(X509_STORE *, SSL_CTX_get_cert_store, const SSL_CTX *a, a, return 0, return)
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
DEFINEFUNC(SSL_CONF_CTX *, SSL_CONF_CTX_new, DUMMYARG, DUMMYARG, return 0, return);
DEFINEFUNC(void, SSL_CONF_CTX_free, SSL_CONF_CTX *a, a, return ,return);
DEFINEFUNC2(void, SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX *a, a, SSL_CTX *b, b, return, return);
diff -Naurp old_qt/src/network/ssl/qsslsocket_openssl_symbols_p.h new_qt/src/network/ssl/qsslsocket_openssl_symbols_p.h
--- old_qt/src/network/ssl/qsslsocket_openssl_symbols_p.h 2018-09-13 13:25:10.000000000 +0900
+++ new_qt/src/network/ssl/qsslsocket_openssl_symbols_p.h 2018-10-20 08:39:53.219936039 +0900
@@ -356,7 +356,7 @@ int q_SSL_CTX_use_PrivateKey(SSL_CTX *a,
int q_SSL_CTX_use_RSAPrivateKey(SSL_CTX *a, RSA *b);
int q_SSL_CTX_use_PrivateKey_file(SSL_CTX *a, const char *b, int c);
X509_STORE *q_SSL_CTX_get_cert_store(const SSL_CTX *a);
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
SSL_CONF_CTX *q_SSL_CONF_CTX_new();
void q_SSL_CONF_CTX_free(SSL_CONF_CTX *a);
void q_SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *a, SSL_CTX *b);
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -190,8 +190,8 @@ DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c,
#endif
DEFINEFUNC2(BIO *, BIO_new_file, const char *filename, filename, const char *mode, mode, return 0, return)
DEFINEFUNC(void, ERR_clear_error, DUMMYARG, DUMMYARG, return, DUMMYARG)
-DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return)
-DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return)
+DEFINEFUNC(BIO *, BIO_new, const BIO_METHOD *a, a, return 0, return)
+DEFINEFUNC(const BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return)
DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return)
DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG)
DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG)
--- a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
+++ b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
@@ -78,8 +78,8 @@
unsigned char * q_ASN1_STRING_data(ASN1_STRING *a);
BIO *q_BIO_new_file(const char *filename, const char *mode);
void q_ERR_clear_error();
-Q_AUTOTEST_EXPORT BIO *q_BIO_new(BIO_METHOD *a);
-Q_AUTOTEST_EXPORT BIO_METHOD *q_BIO_s_mem();
+Q_AUTOTEST_EXPORT BIO *q_BIO_new(const BIO_METHOD *a);
+Q_AUTOTEST_EXPORT const BIO_METHOD *q_BIO_s_mem();
int q_CRYPTO_num_locks();
void q_CRYPTO_set_locking_callback(void (*a)(int, int, const char *, int));
void q_CRYPTO_set_id_callback(unsigned long (*a)());

25
dev-qt/qtnetwork/metadata.xml Normal file
View File

@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>qt@gentoo.org</email>
<name>Gentoo Qt Project</name>
</maintainer>
<use>
<flag name="bindist">Disable EC support via <pkg>dev-libs/openssl</pkg></flag>
<flag name="connman">Enable <pkg>net-misc/connman</pkg>-based bearer plugin</flag>
<flag name="libproxy">Use <pkg>net-libs/libproxy</pkg> for automatic
HTTP/SOCKS proxy configuration</flag>
<flag name="networkmanager">Enable <pkg>net-misc/networkmanager</pkg>-based
bearer plugin</flag>
</use>
<upstream>
<bugs-to>https://bugreports.qt.io/</bugs-to>
<doc>https://doc.qt.io/</doc>
</upstream>
<slots>
<subslots>
Must only be used by packages that are known to use private parts of the Qt API.
</subslots>
</slots>
</pkgmetadata>

64
dev-qt/qtnetwork/qtnetwork-5.11.3.ebuild Normal file
View File

@ -0,0 +1,64 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
QT5_MODULE="qtbase"
inherit qt5-build
DESCRIPTION="Network abstraction library for the Qt5 framework"
if [[ ${QT5_BUILD_TYPE} == release ]]; then
KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~x86 ~amd64-fbsd"
fi
IUSE="bindist connman libproxy libressl networkmanager +ssl"
DEPEND="
~dev-qt/qtcore-${PV}
>=sys-libs/zlib-1.2.5
connman? ( ~dev-qt/qtdbus-${PV} )
libproxy? ( net-libs/libproxy )
networkmanager? ( ~dev-qt/qtdbus-${PV} )
ssl? (
!libressl? ( dev-libs/openssl:0=[bindist=] )
libressl? ( dev-libs/libressl:0= )
)
"
RDEPEND="${DEPEND}
connman? ( net-misc/connman )
networkmanager? ( net-misc/networkmanager )
"
PATCHES=(
"${FILESDIR}"/${PN}-5.11-libressl.patch
)
QT5_TARGET_SUBDIRS=(
src/network
src/plugins/bearer/generic
)
QT5_GENTOO_CONFIG=(
libproxy
ssl::SSL
ssl::OPENSSL
ssl:openssl-linked:LINKED_OPENSSL
)
QT5_GENTOO_PRIVATE_CONFIG=(
:network
)
pkg_setup() {
use connman && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/connman)
use networkmanager && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/networkmanager)
}
src_configure() {
local myconf=(
$(use connman || use networkmanager && echo -dbus-linked)
$(qt_use libproxy)
$(usex ssl -openssl-linked '')
)
qt5-build_src_configure
}

2
dev-util/bpftool/Manifest Normal file
View File

@ -0,0 +1,2 @@
DIST linux-4.19.25.tar.xz 103160576 BLAKE2B 25952ebcdf9010a992eabe088e87610f2033c5768251d257fb7d5041e0def50faf798d0ec2a00e7c8e6bcb6ef6b9ea6dfd3b19c75145fdff3e11cb6d7d768544 SHA512 d7f6cb0980640a772008f3517e260e545d201658d2202834fba82f9abc6d05a2917d45d8ab8885c0282c1064dbd9149adc5df307ba3ea063dbe1a9dde40c8810
EBUILD bpftool-4.19.25.ebuild 466 BLAKE2B 6437628dfe4071b152f48b083090abea818bdc9e24f9403731c15e839c89cb2295df27cba32ffa96df7fda7edc4a5f061e9d866d8dd05cbdc32c885b8def52b3 SHA512 3805e4fe843ec60d1a5cd917c6596e76b21b396d9a065445f65ed8281e2bb88cb61253a0480c535e5d0302251b78bf46586a38e212dfd0c7eab7a1a4d793380c

19
dev-util/bpftool/bpftool-4.19.25.ebuild Normal file
View File

@ -0,0 +1,19 @@
# Copyright 2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
DESCRIPTION="BPFTOOL - tool for inspection and simple manipulation of eBPF programs and maps"
HOMEPAGE="https://www.kernel.org/"
SRC_URI="https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/linux-${PV}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 ~x86"
IUSE=""
DEPEND=""
RDEPEND="${DEPEND}"
BDEPEND=""
S="${WORKDIR}/linux-${PV}/tools/bpf/bpftool"

1
metadata/layout.conf Normal file
View File

@ -0,0 +1 @@
masters = gentoo

6
net-dns/knot/Manifest Normal file
View File

@ -0,0 +1,6 @@
AUX knot-1.service 337 BLAKE2B a6645b2ab92612f3c6640f4e9601cefe087a519d8a40b222e05dbd44c8b8c5c87a01d500d5ac328fdee1cae3f9dd126448a8b82b979e13a4ff5285fa48b983d5 SHA512 58c4186e57ebd00b86dae34d5d208ed8801c0376da40cccb23b3d4542a7ee04a1003a12a4b89347b76a384b50eae4a61f96164bf22ec987ce05b1c65691659e7
AUX knot.init 861 BLAKE2B 30ffe287f4f83058407ceab00b2113dade3b60b38d76c86f156cc31c33cc4f2ec8cf7f22172823755b71385ca18cc1044605b5479c9de05284f911d500b5dc40 SHA512 e5faa96cbee618e9042bdfd0628f06c4bc4d23c7295521771e16f6eae715835a240799e8425317b03b1ea162966defb5d6b6592139cb1d9d61b47a24961ec9b9
AUX knot.service 275 BLAKE2B c39b50630a84cb20d33a02ad82c0fc0c994b098766af0cd3e11b4ac6e2f6e6ebc38d6e5b99c358d5e771022fd6ad14fb7e04e95fd77ba677d10950e1fc52e9a9 SHA512 37c4700320a2781aa93ca92bc2634c3e080c87337b7d632d0e2fa23f6e2e8fa1985d1d8e2516fed02b612da4d340472d5f8d0ae37c5b323ac17bbd61ca243a86
DIST knot-2.7.6.tar.xz 1151068 BLAKE2B aba7b9f89d98ddabe5596198b0767b6d88cab2278eda33bea2738bcc2f62bc3b7463ee517488f8d2efa40b11859b3aefaa212999968654e5e5580969a173ec8e SHA512 6b6a727d57337da01e2d44abec7fde4504d112604769b118fe6254b0317f149ed4e9fab321a04517eccedb08e409818d1817fc1136c27d1fd351538e6816022a
EBUILD knot-2.7.6.ebuild 1923 BLAKE2B 188b6e9f09fdfe7a2c2d8e608e67833ca97a7b355987ae28668b21dda27ae3e4aec16466c897cdf7b67be6aa20e3db27b6ce2db2a37a76ef3cca02733baa3abf SHA512 31c5bd0cca511d35d661de2593c4d467d32d6dbde95f58a9e5f0a40d4bd923932bd141aeb5deaea1daa8d742ea9be21dafdcdae9ac9ba7335f5f565853a6305b
MISC metadata.xml 1776 BLAKE2B 704ee480034e47aa62a552ae559671728d96df078dca931c9acc1ab58bcd502188c21820cc8300f536e793515765ed32f6e9cc8f48d9b01b91a959df98a9aa92 SHA512 57ec897a014478f4f5693cd242ecf76215dcf2c331e951bc2a5c0f7b492a76a49cb86d54885325fff2777470119da2f8ea140afece4b70ae410ffe50a4a4679a

17
net-dns/knot/files/knot-1.service Normal file
View File

@ -0,0 +1,17 @@
[Unit]
Description=Knot high-performance DNS Server
After=network.target
[Service]
ExecStart=/usr/sbin/knotd
ExecReload=/usr/sbin/knotc reload
ExecStop=/usr/sbin/knotc stop
PrivateTmp=true
User=knot
Group=knot
RuntimeDirectory=knot
RuntimeDirectoryMode=750
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target

41
net-dns/knot/files/knot.init Normal file
View File

@ -0,0 +1,41 @@
#!/sbin/openrc-run
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
command=/usr/sbin/knotd
command_args="-d"
pidfile=/var/run/knot/knot.pid
required_files=/etc/knot/knot.conf
extra_started_commands="reload"
description_reload="Reload configuration and changed zones."
depend() {
need net
}
start() {
checkpath -d -m 0750 -o knot:knot /var/run/knot/ /var/lib/knot/
ebegin "Starting knot"
start-stop-daemon --start \
--pidfile $pidfile --exec $command -- $command_args
eend $?
}
stop() {
ebegin "Stoping knot"
/usr/sbin/knotc stop >/dev/null 2>&1
# In case remote control is not working
if [ "$?" != 0 ]; then
if [ -f $pidfile ]; then
start-stop-daemon --stop --pidfile $pidfile
fi
fi
ewend $?
}
reload() {
ebegin "Reloading knot"
/usr/sbin/knotc reload >/dev/null
eend $?
}

14
net-dns/knot/files/knot.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=Knot high-performance DNS Server
After=network.target
[Service]
ExecStart=/usr/sbin/knotd
ExecReload=/usr/sbin/knotc reload
ExecStop=/usr/sbin/knotc stop
PrivateTmp=true
RuntimeDirectory=knot
RuntimeDirectoryMode=750
[Install]
WantedBy=multi-user.target

106
net-dns/knot/knot-2.7.6.ebuild Normal file
View File

@ -0,0 +1,106 @@
# Copyright 1999-2018 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit systemd user
DESCRIPTION="High-performance authoritative-only DNS server"
HOMEPAGE="https://www.knot-dns.cz/"
SRC_URI="https://secure.nic.cz/files/knot-dns/${P/_/-}.tar.xz"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="~amd64 ~x86"
KNOT_MODULES=(
"+cookies"
"+dnsproxy"
"dnstap"
"geoip"
"+noudp"
"+onlinesign"
"+queryacl"
"+rrl"
"+stats"
"+synthrecord"
"+whoami"
)
IUSE="doc caps +fastparser idn libidn2 systemd +utils ${KNOT_MODULES[@]}"
RDEPEND="
dev-db/lmdb
dev-libs/libedit
dev-libs/userspace-rcu:=
dev-python/lmdb
net-libs/gnutls
caps? ( sys-libs/libcap-ng )
dnstap? (
dev-libs/fstrm
dev-libs/protobuf-c
)
geoip? ( dev-libs/libmaxminddb )
idn? (
!libidn2? ( net-dns/libidn:* )
libidn2? ( net-dns/libidn2 )
)
systemd? ( sys-apps/systemd )
"
BDEPEND="${RDEPEND}
virtual/pkgconfig
doc? ( dev-python/sphinx )
"
S="${WORKDIR}/${P/_/-}"
src_configure() {
local u
local my_conf=(
--with-storage="${EPREFIX}/var/lib/${PN}"
--with-rundir="${EPREFIX}/var/run/${PN}"
$(use_enable fastparser)
$(use_enable dnstap)
$(use_enable doc documentation)
$(use_enable utils utilities)
--enable-systemd=$(usex systemd)
$(use_with idn libidn)
)
for u in "${KNOT_MODULES[@]#+}"; do
my_conf+=("$(use_with ${u} module-${u})")
done
econf "${my_conf[@]}"
}
src_compile() {
default
if use doc; then
emake -C doc html
HTML_DOCS=( doc/_build/html/{*.html,*.js,_sources,_static} )
fi
}
src_test() {
emake check
}
src_install() {
default
rmdir "${D}/var/run/${PN}" "${D}/var/run/" || die
keepdir /var/lib/${PN}
newinitd "${FILESDIR}/knot.init" knot
if use systemd; then
systemd_newunit "${FILESDIR}/knot-1.service" knot.service
fi
find "${D}" -name '*.la' -delete || die
}
pkg_postinst() {
enewgroup knot 53
enewuser knot 53 -1 /var/lib/knot knot
}

65
net-dns/knot/metadata.xml Normal file
View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>nemunaire@nemunai.re</email>
<name>Pierre-Olivier Mercier</name>
</maintainer>
<maintainer type="project">
<email>proxy-maint@gentoo.org</email>
<name>Proxy Maintainers</name>
</maintainer>
<use>
<flag name="cookies">
Enable the DNS cookie module (RFC 7873)
</flag>
<flag name="dnsproxy">
Enable the tiny DNS proxy module
</flag>
<flag name="dnstap">
Include support for the dnstap binary log format
(http://dnstap.info/)
</flag>
<flag name="fastparser">
Use a zone file parser that is faster, but requires
more memory and CPU time to compile
</flag>
<flag name="geoip">
Enable the Geography-based responses module
</flag>
<flag name="libidn2">
If IDN support is enabled, use net-dns/libidn2 instead
of net-dns/libidn
</flag>
<flag name="noudp">
Enable the module which can send empty truncated
responses to UDP queries
</flag>
<flag name="onlinesign">
Enable the module that sign zones on the fly instead of
pre-signing zone
</flag>
<flag name="queryacl">
Enable the module for query access control
</flag>
<flag name="rosedb">
Enable the module that staticaly override certain
responses
</flag>
<flag name="rrl">
Enable the response rate limiting module
</flag>
<flag name="stats">
Enable the server statistics module
</flag>
<flag name="synthrecord">
Enable the automatic forward/reverse records module
</flag>
<flag name="utils">
Install Knot utilities, such as kdig, kzonecheck, ...
</flag>
<flag name="whoami">
Enable the whoami response module
</flag>
</use>
</pkgmetadata>

22
net-fs/nfs-utils/Manifest Normal file
View File

@ -0,0 +1,22 @@
AUX Do-not-pass-null-pointer-to-freeaddrinfo.diff 1063 BLAKE2B 1181e4b44e5a9ecfef46e72a83d3a67c7725024879d7ec13c0424c07784faeee06b4f69d99a9e83401f9d5f1e55152993a57ce8094d4930f163d4abd7e7a4cde SHA512 ea51cdaa1a15910c05b18808a67d68822bc9e0c5d6f615aee2a374b7879d3bd55cd6c8b2e9976cc3bf7958d0f0abb9d191ac3df16f79b23e6c9caf90c459b200
AUX exports 66 BLAKE2B 8ddc8e1b7888570cf7ce21ecebf0fb390ab394d25e60f1d914406396b23cb3cbf243a15a199f30608ac7e3c0abde73f48e0ccea605a3dadad654dfd8d6572dcd SHA512 fd8052dc8e17eccb0bb1443f341c97ec7c9dac5824294cadf486d91475bc728d4bb69300034b528a690707520590f6675ee371f92e9838afc8ed88092ee0f220
AUX nfs-utils-1.1.4-mtab-sym.patch 1020 BLAKE2B 6f1315a02a6070443fbd8cc943e382a02ac8ee99dbbc78f6b1b6c835548b80a78238ae4f7de18c7f02687df370bc58d628ed2bdbf216a41e80b5b589f1952c3c SHA512 1cd916028a8515772f05ef63832d73a09e9720055aedc9e2e4ce3a08ce1820948700a4f00ca9c4ee684880f18e67aca888dd857fc7931d923021ba50964be998
AUX nfs-utils-1.2.8-cross-build.patch 1323 BLAKE2B 51ec6b58436725e78fd9000aa1d97a1a73e7884bea01e0d22d5ec0a88cc4d5c8f152baaeb2b602961232c08330b311f3e98cb79c40b7d700a279842430e484d9 SHA512 42a41411d0de384b66a2875fa9ea15e4b854150b5f75ba2db54ad7785fd147ee329eb8867d24a26b2b1d9ef89bd887caeaf0b5a59cdda15f5a11c47888882b9a
AUX nfs-utils-2.3.1-svcgssd_undefined_reference.patch 1055 BLAKE2B a2f045f7886eb0772ad9b30ddc1c98294039e32f92eb811dcccde8926eda7d33c42b34e07912fcb536ed96a2f0b2114eb293689380751f3c786bdea6a6923ba7 SHA512 21361593415c497fa5a0bbd547b2cb0e0512ad8b3deb2397aba6a453cce840876d607015e46d8c3a367cd478395420d8b24e2f3a7f73d0e75d5a2445e4e46ef2
AUX nfs-utils-musl.patch 797 BLAKE2B 8c29bbf4f2e08c376b738c811f354a0886a82a3bf2d63ec418bd54f3dde03c5975eade103b00882dcc876855a4180bf1a1b518c3f7ee17dda485009a64d10ff6 SHA512 e4c9467af1d29a252aef4965589d0eb125f65f0e62bda23b085fe5daef21d0bea3a9198fe7d82c44a1696ead4d96762f68e1d641ad84c7950b4ab8bdfa1cb3e0
AUX nfs-utils.conf 74 BLAKE2B 504c298c1e8e7eb596cd87813f1aeeac5cbc830bb85be9e26ed98f7ed85cdbd14ae2c47b0e111c912398ef28ef629e6de7e585a7b161624e9698ea208750fd9f SHA512 d72c0fbdf12cb1ddf8eaa5885e1ed93a2078c40ca48eb8868836fb72fa456c4865df15273fb7472f70dfe8098167e695b1340ff9a59b55e73b47690baaf977d6
AUX nfs.confd 930 BLAKE2B 4ef1662b31cffd78b0e96396ad74dc8b8135a9a18956fa1267639d2069893d4f218ded5809497b56d19a192e7e18408e1d1b56bd1535abed8db236bc1a1649cb SHA512 bc11b073735ee86c96b9c249ee187f4d16329c279a4e26760875059d2b5fa1d510ef3e4df5ee9dfb2a3133d755e1eb5c323d2fadc432a0cf630191ec353ac535
AUX nfs.initd 4244 BLAKE2B 0df8f270cf38b16efb331202d300d0bd648ee90c9dc44704e4db6f6aaad53e1c16059e94e14278923db59ce17752e4f034ad948ed53d6f2aefe8ecd6faf808c9 SHA512 f7feb79cfcab0478affb640d1e5ad059757c88d51cc790fd54cde2fd7ed2e3cfd8f7f4c2de993d99da03e8ce3bdfb2750a4cb997b850fe33d0ef76d9b91c9018
AUX nfsclient.confd 592 BLAKE2B b661b726aa50f904752ec73a201a088f403a1e0f8d11181615e794da259a03b98131fff68e27645d4371564c796bb44915d6a13db9dc5a909294c4d1613c429d SHA512 f12e67728ac4e76357685e2fe38bd7f6fcd90064165758ffeca145e6962ac44d4ff9d8d57e18cc6925a6ada8e95ad8321e9fc355931a804dd455aae1e4850e92
AUX nfsclient.initd 752 BLAKE2B 8e3303be602ed97b9c6db0238b950039ec87830d733e7490f62657953e18d8050d5cd75e603d566b00db86ba910384d36e488d149112c86f1b9ed8e0901f5c16 SHA512 85078e2cd38b37a1e6fbaf0e40cf7690f403e71d9c8188d542d12fe56bfc02a49763c7bcc7742691754acc37928468c215db2795bebc29a5dfb052ba08f407bb
AUX nfsmount.confd 326 BLAKE2B c9506a71d28358d0ee7eef18985e3f65decd6cd2735cae17cef911129fe0531e2859c833ef75b04c1521c364c5aa1245d38a03191cb4167f6c1fa02383e7c091 SHA512 6e23897885cc33c49d9c7353b456585a1e0c7300822edba81bc48ba4ccc18297adce137260cc0aa9487aa5ef0aab3eecf931532cfa5bd40fd03bc9e0ddacfb28
AUX nfsmount.initd 1014 BLAKE2B 2a8f142c3932afa7867e2e85ed4497a45413a2abe602ac39a1897f912d2c24d4e80be3ed50602c5563eff05ce4476eba2f4e2442fce3deec34558533c26ff73b SHA512 89259b9f0878658d48792b5b2f42b43c966ed098dba1fecf9e07fb0de4aab37ad67655ea8dbcc2361ddab2b5013b2de35a03048a513aaeedf790e4b416a35a54
AUX nfsmount.initd-1.3.1 740 BLAKE2B 2668a3c485925f5b670efd11f357c5e0d616c1e1b62863c14b86e3201d5a5d61c1c4f4257b3b19ed8a8194879c67a9ddf996608073474e154f033be719b5ea54 SHA512 a540443a0259360f2476277bc020bb08eb095debe9c8e6a620dba5da1c7850f399673cc1ab505df65aea095a7e67954a9b5b8b26bbfd94e55d62348791af643d
AUX rpc.gssd.initd 455 BLAKE2B 9831c82341737d7877b01deebff82bfc49be59f8faabe4b5ee5542912b488460efd226f01e0bad5486faff5f37579ac15c8e8cf410a5eccd79d690c34f2beb4f SHA512 d9d7eeebbe153d3c4784112ed6d50734b5619b3315bb1454f8163de2b78ed8f958029a0e1088de58e9b1b8069184aeab2c8f19af4b957b6be25e4f138960aeac
AUX rpc.idmapd.initd 482 BLAKE2B db643d164787a730ed8f1da73cbc045237bb641fcdf297015e6651a4c683a075fdc29d037bc44a9832d45be87d41f37eb4e00ea37fdeed66038cf4a93d1a260f SHA512 f3e88038cb040ffcbca76166f4322d37e39da00d144bc0a17aed4467ab10c6e626fcde6c407d0911d135bfab55622ad2e38ed93788b11459c5882ce60577fb45
AUX rpc.pipefs.initd 760 BLAKE2B 4c05275e59d7d19d80779964a3631096258704cec2097f12d87232deecba5d74181f1713e18ebb01f5da9c3833037ba47566414f0b415608ad13e3fa97c8f1e6 SHA512 3d3fa6e7ae01e27d27d88aba1e307c5293dd1cbc9d555737e03c4f1e17988518f4f1e7f7a38a7337f8e8961e8378cc4611769b04db7368460589a3b218ac6d6b
AUX rpc.statd.initd 706 BLAKE2B 6c175729706d298307deea1d190703e67edb671a6b2c86216658fc89dafff1ae9f85a25b5386e4c89b86ca1b7b1fce7bb3045f944b7a1aee5b6544594d753cf8 SHA512 7f6baea852fff91b88e15e432ba19f9da0a3e3510b6f550b553912cf3887ce176280367b62bcce2a044730a075e4c1f6d7df1a669556d42725dea6e6e8e967ac
AUX rpc.svcgssd.initd 470 BLAKE2B c610a7abc44b86ca242d59f833ffa6e42f48d1c3bf93420988c6c6dfcd5cc4d8e02eaf2f3a86bb8bca7c8952e05017f887e6c4f4290085c41cc095a580e04235 SHA512 819cce4ae0a0f26bc74ce546e149b98420584240a594c9bb4a0a49413750320bde050866f3753c499425ea8d8df094211fb1f7e020ce281791e1933e1bc6a47f
DIST nfs-utils-2.3.1.tar.bz2 854899 BLAKE2B f9541b9dc103d978f21d57d8ba0c14a3b30f6ba874b112239d014076c1c72b6654e8e02b4bfea686e658dac84d1e896b872bc2054591275ef1713ae4e7b7d005 SHA512 de3e70f8656bc5b5aa98262685a9e80929c6314234d9bbb74d4c7efcb7a8b2640d48d2100850b403157ebefc8f0eb48598b48238fae795f64c7a0e9a8bff93e3
EBUILD nfs-utils-2.3.1-r4.ebuild 5349 BLAKE2B 02240b429f9a3ba1ebbda3caf92ef97f333ea1529311a9bd0e499f02ada5eb7dca78a0b93a681c868989b8d1e15ad97f1faecb3e67e70b172fd3d38fae980e6a SHA512 24e22dd1ba16b2312c33571dfb3b47beb562e578a2c9734efd099d52beed308354963636526e3757b662e07f0b3ebc74a0cbe6974c4e8cc744ae5a19efc40c4a
MISC metadata.xml 861 BLAKE2B 14c4f9e530e9c3a695f615d698f7a96d1252c14936849a846536790059c79f992c79246028b1945f496fda813891e1079ef0a6ad3411d18e0ee8ad9b6e0315c3 SHA512 21e7e63ddddda196f114b98b6ae2c67abe9cbabf91d60ab7877b34ed96e749c0ea167169c6ffa0502c80f993bbd2243db7bf544b304900a07d2b6c84141d1cf5

36
net-fs/nfs-utils/files/Do-not-pass-null-pointer-to-freeaddrinfo.diff Normal file
View File

@ -0,0 +1,36 @@
diff -ur nfs-utils-2.3.1.orig/support/export/client.c nfs-utils-2.3.1.mod/support/export/client.c
--- nfs-utils-2.3.1.orig/support/export/client.c 2017-12-20 18:40:36.000000000 +0300
+++ nfs-utils-2.3.1.mod/support/export/client.c 2019-03-06 16:14:54.974191027 +0300
@@ -309,7 +309,8 @@
init_addrlist(clp, ai);
out:
- freeaddrinfo(ai);
+ if (ai)
+ freeaddrinfo(ai);
return clp;
}
diff -ur nfs-utils-2.3.1.orig/utils/mountd/cache.c nfs-utils-2.3.1.mod/utils/mountd/cache.c
--- nfs-utils-2.3.1.orig/utils/mountd/cache.c 2017-12-20 18:40:36.000000000 +0300
+++ nfs-utils-2.3.1.mod/utils/mountd/cache.c 2019-03-06 16:23:28.829378703 +0300
@@ -834,7 +834,8 @@
out:
if (found_path)
free(found_path);
- freeaddrinfo(ai);
+ if (ai)
+ freeaddrinfo(ai);
free(dom);
xlog(D_CALL, "nfsd_fh: found %p path %s", found, found ? found->e_path : NULL);
}
@@ -1364,7 +1365,8 @@
xlog(D_CALL, "nfsd_export: found %p path %s", found, path ? path : NULL);
if (dom) free(dom);
if (path) free(path);
- freeaddrinfo(ai);
+ if (ai)
+ freeaddrinfo(ai);
}

1
net-fs/nfs-utils/files/exports Normal file
View File

@ -0,0 +1 @@
# /etc/exports: NFS file systems being exported. See exports(5).

39
net-fs/nfs-utils/files/nfs-utils-1.1.4-mtab-sym.patch Normal file
View File

@ -0,0 +1,39 @@
ripped from Debian
--- nfs-utils-1.1.4/utils/mount/fstab.c
+++ nfs-utils-1.1.4/utils/mount/fstab.c
@@ -57,7 +57,7 @@ mtab_does_not_exist(void) {
return var_mtab_does_not_exist;
}
-static int
+int
mtab_is_a_symlink(void) {
get_mtab_info();
return var_mtab_is_a_symlink;
--- nfs-utils-1.1.4/utils/mount/fstab.h
+++ nfs-utils-1.1.4/utils/mount/fstab.h
@@ -7,6 +7,7 @@
#define _PATH_FSTAB "/etc/fstab"
#endif
+int mtab_is_a_symlink(void);
int mtab_is_writable(void);
int mtab_does_not_exist(void);
void reset_mtab_info(void);
--- nfs-utils-1.1.4/utils/mount/mount.c
+++ nfs-utils-1.1.4/utils/mount/mount.c
@@ -230,6 +230,13 @@ create_mtab (void) {
int flags;
mntFILE *mfp;
+ /* Avoid writing if the mtab is a symlink to /proc/mounts, since
+ that would create a file /proc/mounts in case the proc filesystem
+ is not mounted, and the fchmod below would also fail. */
+ if (mtab_is_a_symlink()) {
+ return EX_SUCCESS;
+ }
+
lock_mtab();
mfp = nfs_setmntent (MOUNTED, "a+");

48
net-fs/nfs-utils/files/nfs-utils-1.2.8-cross-build.patch Normal file
View File

@ -0,0 +1,48 @@
this is kind of hacky, but automake doesn't make this easy
for us atm, so hack away :(
(recent autotools will always add $(CFLAGS)/etc... to the compile)
--- a/tools/locktest/Makefile.am
+++ b/tools/locktest/Makefile.am
@@ -1,12 +1,11 @@
## Process this file with automake to produce Makefile.in
CC=$(CC_FOR_BUILD)
-LIBTOOL = @LIBTOOL@ --tag=CC
+CFLAGS=$(CFLAGS_FOR_BUILD)
+CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+LDFLAGS=$(LDFLAGS_FOR_BUILD)
noinst_PROGRAMS = testlk
testlk_SOURCES = testlk.c
-testlk_CFLAGS=$(CFLAGS_FOR_BUILD)
-testlk_CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-testlk_LDFLAGS=$(LDFLAGS_FOR_BUILD)
MAINTAINERCLEANFILES = Makefile.in
--- a/tools/rpcgen/Makefile.am
+++ b/tools/rpcgen/Makefile.am
@@ -1,7 +1,9 @@
## Process this file with automake to produce Makefile.in
CC=$(CC_FOR_BUILD)
-LIBTOOL = @LIBTOOL@ --tag=CC
+CFLAGS=$(CFLAGS_FOR_BUILD)
+CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+LDFLAGS=$(LDFLAGS_FOR_BUILD)
noinst_PROGRAMS = rpcgen
rpcgen_SOURCES = rpc_clntout.c rpc_cout.c rpc_hout.c rpc_main.c \
@@ -9,10 +11,6 @@
rpc_util.c rpc_sample.c rpc_output.h rpc_parse.h \
rpc_scan.h rpc_util.h
-rpcgen_CFLAGS=$(CFLAGS_FOR_BUILD)
-rpcgen_CPPLAGS=$(CPPFLAGS_FOR_BUILD)
-rpcgen_LDFLAGS=$(LDFLAGS_FOR_BUILD)
-rpcgen_LDADD=$(LIBTIRPC)
MAINTAINERCLEANFILES = Makefile.in
EXTRA_DIST = rpcgen.new.1

40
net-fs/nfs-utils/files/nfs-utils-2.3.1-svcgssd_undefined_reference.patch Normal file
View File

@ -0,0 +1,40 @@
From 1451d7585bf1c622658ccc04abac7e79ffe40263 Mon Sep 17 00:00:00 2001
From: Justin Mitchell <jumitche@redhat.com>
Date: Mon, 8 Jan 2018 09:14:11 -0500
Subject: [PATCH] svcgssd: Update svcgssd so that it builds
Since a15bd948 the --enable-svcgss option no longer builds
as svcgssd references functions which were changed at that time.
Fix those, and other function changes since then.
Signed-off-by: Justin Mitchell <jumitche@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/gssd/svcgssd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/utils/gssd/svcgssd.c b/utils/gssd/svcgssd.c
index 3514ae1..23f0c0b 100644
--- a/utils/gssd/svcgssd.c
+++ b/utils/gssd/svcgssd.c
@@ -63,6 +63,8 @@
#include "err_util.h"
#include "conffile.h"
+struct state_paths etab;
+
void
sig_die(int signal)
{
@@ -101,7 +103,7 @@ main(int argc, char *argv[])
char *principal = NULL;
char *s;
- conf_init(NFS_CONFFILE);
+ conf_init_file(NFS_CONFFILE);
s = conf_get_str("svcgssd", "principal");
if (!s)
--
1.8.3.1

21
net-fs/nfs-utils/files/nfs-utils-musl.patch Normal file
View File

@ -0,0 +1,21 @@
--- nfs-utils-2.3.1/configure.ac.orig 2018-05-21 11:05:01.939912918 -0700
+++ nfs-utils-2.3.1/configure.ac 2018-05-21 11:05:10.531968707 -0700
@@ -401,7 +401,7 @@
fi
dnl libdnsidmap specific checks
-AC_CHECK_LIB([resolv], [__res_querydomain], , AC_MSG_ERROR(res_querydomain needed))
+AC_CHECK_LIB([resolv], [res_querydomain], , AC_MSG_ERROR(res_querydomain needed))
AC_ARG_ENABLE([ldap],
[AS_HELP_STRING([--disable-ldap],[Disable support for LDAP @<:default=detect@:>@])])
--- nfs-utils-2.3.1/support/misc/file.c.orig 2018-05-21 18:15:37.572007979 +0000
+++ nfs-utils-2.3.1/support/misc/file.c 2018-05-21 18:15:43.668047008 +0000
@@ -27,6 +27,7 @@
#include <dirent.h>
#include <stdlib.h>
#include <stdbool.h>
+#include <limits.h> /* PATH_MAX */
#include "xlog.h"
#include "misc.h"

3
net-fs/nfs-utils/files/nfs-utils.conf Normal file
View File

@ -0,0 +1,3 @@
d /var/lib/nfs/rpc_pipefs
d /var/lib/nfs/v4recovery
d /var/lib/nfs/v4root

38
net-fs/nfs-utils/files/nfs.confd Normal file
View File

@ -0,0 +1,38 @@
# /etc/conf.d/nfs
# If you wish to set the port numbers for lockd,
# please see /etc/sysctl.conf
# Optional services to include in default `/etc/init.d/nfs start`
# For NFSv4 users, you'll want to add "rpc.idmapd" here.
NFS_NEEDED_SERVICES=""
# Options to pass to rpc.nfsd
OPTS_RPC_NFSD="8"
# Options to pass to rpc.mountd
# ex. OPTS_RPC_MOUNTD="-p 32767"
OPTS_RPC_MOUNTD=""
# Options to pass to rpc.statd
# ex. OPTS_RPC_STATD="-p 32765 -o 32766"
OPTS_RPC_STATD=""
# Options to pass to rpc.idmapd
OPTS_RPC_IDMAPD=""
# Options to pass to rpc.gssd
OPTS_RPC_GSSD=""
# Options to pass to rpc.svcgssd
OPTS_RPC_SVCGSSD=""
# Options to pass to rpc.rquotad (requires sys-fs/quota)
OPTS_RPC_RQUOTAD=""
# Timeout (in seconds) for exportfs
EXPORTFS_TIMEOUT=30
# Options to set in the nfsd filesystem (/proc/fs/nfsd/).
# Format is <option>=<value>. Multiple options are allowed.
#OPTS_NFSD="nfsv4leasetime=30 max_block_size=4096"

162
net-fs/nfs-utils/files/nfs.initd Normal file
View File

@ -0,0 +1,162 @@
#!/sbin/openrc-run
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
extra_started_commands="reload"
# This variable is used for controlling whether or not to run exportfs -ua;
# see stop() for more information
restarting=no
# The binary locations
exportfs=/usr/sbin/exportfs
mountd=/usr/sbin/rpc.mountd
nfsd=/usr/sbin/rpc.nfsd
smnotify=/usr/sbin/sm-notify
depend() {
local myneed=""
# XXX: no way to detect NFSv4 is desired and so need rpc.idmapd
myneed="${myneed} $(
awk '!/^[[:space:]]*#/ {
# clear the path to avoid spurious matches
$1 = "";
if ($0 ~ /[(][^)]*sec=(krb|spkm)[^)]*[)]/) {
print "rpc.svcgssd"
exit 0
}
}' /etc/exports /etc/exports.d/*.exports 2>/dev/null
)"
config /etc/exports /etc/exports.d/*.exports
need portmap rpc.statd ${myneed} ${NFS_NEEDED_SERVICES}
use ypbind net dns rpc.rquotad rpc.idmapd rpc.svcgssd
after quota
}
mkdir_nfsdirs() {
local d
for d in v4recovery v4root ; do
d="/var/lib/nfs/${d}"
[ ! -d "${d}" ] && mkdir -p "${d}"
done
}
waitfor_exportfs() {
local pid=$1
( sleep ${EXPORTFS_TIMEOUT:-30}; kill -9 ${pid} 2>/dev/null ) &
wait $1
}
mount_nfsd() {
if [ -e /proc/modules ] ; then
# Make sure nfs support is loaded in the kernel #64709
if ! grep -qs nfsd /proc/filesystems ; then
modprobe -q nfsd
fi
# Restart idmapd if needed #220747
if grep -qs nfsd /proc/modules ; then
killall -q -HUP rpc.idmapd
fi
fi
# This is the new "kernel 2.6 way" to handle the exports file
if grep -qs nfsd /proc/filesystems ; then
if ! mountinfo -q /proc/fs/nfsd ; then
ebegin "Mounting nfsd filesystem in /proc"
mount -t nfsd -o nodev,noexec,nosuid nfsd /proc/fs/nfsd
eend $?
fi
local o
for o in ${OPTS_NFSD} ; do
echo "${o#*=}" > "/proc/fs/nfsd/${o%%=*}"
done
fi
}
start_it() {
ebegin "Starting NFS $1"
shift
"$@"
eend $?
ret=$((ret + $?))
}
start() {
mount_nfsd
mkdir_nfsdirs
# Exportfs likes to hang if networking isn't working.
# If that's the case, then try to kill it so the
# bootup process can continue.
if grep -qs '^[[:space:]]*/' /etc/exports /etc/exports.d/*.exports ; then
ebegin "Exporting NFS directories"
${exportfs} -r &
waitfor_exportfs $!
eend $?
fi
local ret=0
start_it mountd ${mountd} ${OPTS_RPC_MOUNTD}
start_it daemon ${nfsd} ${OPTS_RPC_NFSD}
[ -x "${smnotify}" ] && start_it smnotify ${smnotify} ${OPTS_SMNOTIFY}
return ${ret}
}
stop() {
local ret=0
ebegin "Stopping NFS mountd"
start-stop-daemon --stop --exec ${mountd}
eend $?
ret=$((ret + $?))
# nfsd sets its process name to [nfsd] so don't look for $nfsd
ebegin "Stopping NFS daemon"
start-stop-daemon --stop --name nfsd --user root --signal 2
eend $?
ret=$((ret + $?))
# in case things don't work out ... #228127
rpc.nfsd 0
# When restarting the NFS server, running "exportfs -ua" probably
# isn't what the user wants. Running it causes all entries listed
# in xtab to be removed from the kernel export tables, and the
# xtab file is cleared. This effectively shuts down all NFS
# activity, leaving all clients holding stale NFS filehandles,
# *even* when the NFS server has restarted.
#
# That's what you would want if you were shutting down the NFS
# server for good, or for a long period of time, but not when the
# NFS server will be running again in short order. In this case,
# then "exportfs -r" will reread the xtab, and all the current
# clients will be able to resume NFS activity, *without* needing
# to umount/(re)mount the filesystem.
if [ "${restarting}" = no -o "${RC_CMD}" = "restart" ] ; then
ebegin "Unexporting NFS directories"
# Exportfs likes to hang if networking isn't working.
# If that's the case, then try to kill it so the
# shutdown process can continue.
${exportfs} -ua &
waitfor_exportfs $!
eend $?
fi
return ${ret}
}
reload() {
# Exportfs likes to hang if networking isn't working.
# If that's the case, then try to kill it so the
# bootup process can continue.
ebegin "Reloading /etc/exports"
${exportfs} -r 1>&2 &
waitfor_exportfs $!
eend $?
}
restart() {
# See long comment in stop() regarding "restarting" and exportfs -ua
restarting=yes
svc_stop
svc_start
}

18
net-fs/nfs-utils/files/nfsclient.confd Normal file
View File

@ -0,0 +1,18 @@
# You need to decide which nfs protocol version you want to use.
# If you are unsure, leave these alone.
#
# If you are using only nfsv4, uncomment this line:
#
#rc_need="!rpc.statd"
#
# If you are using only nfsv3, uncomment this line:
#
#rc_need="!rpc.idmapd"
#
# You will need to set the dependencies in the nfsclient script to match
# the network configuration tools you are using. This should be done in
# this file by following the examples below, and not by changing the
# service script itself. See /etc/conf.d/netmount for more examples.
#
# This is a safe default.
rc_after="net"

33
net-fs/nfs-utils/files/nfsclient.initd Normal file
View File

@ -0,0 +1,33 @@
#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
depend() {
local opts myneed=""
if [ -e /etc/fstab ] ; then
for opts in $(fstabinfo -o -t nfs,nfs4) ; do
case $opts in
*sec=krb*|*sec=spkm*) myneed="$myneed rpc.gssd" ;;
esac
done
fi
config /etc/fstab
need portmap rpc.statd rpc.idmapd ${myneed}
use ypbind dns
}
start() {
if [ -x /usr/sbin/sm-notify ] ; then
ebegin "Starting NFS sm-notify"
/usr/sbin/sm-notify ${OPTS_SMNOTIFY}
eend $?
fi
# Make sure nfs support is loaded in the kernel #64709
if [ -e /proc/modules ] && ! grep -qs 'nfs$' /proc/filesystems ; then
modprobe -q nfs
fi
return 0
}

7
net-fs/nfs-utils/files/nfsmount.confd Normal file
View File

@ -0,0 +1,7 @@
# You will need to set the dependencies in the nfsmount script to match
# the network configuration tools you are using. This should be done in
# this file by following the examples below, and not by changing the
# service script itself. See /etc/conf.d/netmount for more examples.
#
# This is a safe default.
rc_after="net"

47
net-fs/nfs-utils/files/nfsmount.initd Normal file
View File

@ -0,0 +1,47 @@
#!/sbin/openrc-run
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
depend() {
local myneed=""
if [ -e /etc/fstab ] ; then
myneed="${myneed} $(
awk '!/^[[:space:]]*#/ && ($3 == "nfs" || $3 == "nfs4") {
if ($3 == "nfs4")
idmapd = "rpc.idmapd"
if ($4 ~ /sec=(krb|spkm)/)
gssd = "rpc.gssd"
}
END { print idmapd " " gssd }
' /etc/fstab
)"
fi
config /etc/fstab
need portmap rpc.statd ${myneed}
use ypbind dns rpc.idmapd rpc.gssd
}
start() {
if [ -x /usr/sbin/sm-notify ] ; then
ebegin "Starting NFS sm-notify"
/usr/sbin/sm-notify ${OPTS_SMNOTIFY}
eend $?
fi
# Make sure nfs support is loaded in the kernel #64709
if [ -e /proc/modules ] && ! grep -qs 'nfs$' /proc/filesystems ; then
modprobe -q nfs
fi
ebegin "Mounting NFS filesystems"
mount -a -t nfs,nfs4
eend $?
}
stop() {
ebegin "Unmounting NFS filesystems"
umount -a -t nfs,nfs4
eend $?
}

26
net-fs/nfs-utils/files/nfsmount.initd-1.3.1 Normal file
View File

@ -0,0 +1,26 @@
#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# This is mostly as a fix for bug #537996, to avoid breaking existing users
# with nfsmount in their runlevels.
# If neither nfsclient nor netmount are in your runlevels, and you manually
# start netmount before nfsclient, then this will break. A real solution is
# forthcoming, but requires feature development, see bug #406021 for soft
# dependencies
depend() {
need nfsclient netmount
}
msg() {
ewarn "nfsmount is deprecated, please migrate as described in the news item: 2015-02-02-nfs-service-changes"
ewarn "This migration script will be removed after 01 Aug 2015."
}
start() {
msg
}
stop() {
msg
}

23
net-fs/nfs-utils/files/rpc.gssd.initd Normal file
View File

@ -0,0 +1,23 @@
#!/sbin/openrc-run
# Copyright 1999-2008 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
depend() {
use ypbind net
need portmap rpc.pipefs
after quota
}
start() {
ebegin "Starting gssd"
start-stop-daemon --start --exec /usr/sbin/rpc.gssd -- ${OPTS_RPC_GSSD}
eend $?
}
stop() {
ebegin "Stopping gssd"
start-stop-daemon --stop --exec /usr/sbin/rpc.gssd
eend $?
}

25
net-fs/nfs-utils/files/rpc.idmapd.initd Normal file
View File

@ -0,0 +1,25 @@
#!/sbin/openrc-run
# Copyright 1999-2008 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
rpc_bin=/usr/sbin/rpc.idmapd
depend() {
use ypbind net
need portmap rpc.pipefs
after quota
}
start() {
ebegin "Starting idmapd"
${rpc_bin} ${OPTS_RPC_IDMAPD}
eend $? "make sure DNOTIFY support is enabled ..."
}
stop() {
ebegin "Stopping idmapd"
start-stop-daemon --stop --exec ${rpc_bin}
eend $?
}

32
net-fs/nfs-utils/files/rpc.pipefs.initd Normal file
View File

@ -0,0 +1,32 @@
#!/sbin/openrc-run
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
MNT="/var/lib/nfs/rpc_pipefs"
mount_pipefs() {
local fstype=rpc_pipefs
# if things are already mounted, nothing to do
mountinfo -q ${MNT} && return 0
# if rpc_pipefs is not available, try to load sunrpc for it #219566
grep -qs ${fstype} /proc/filesystems || modprobe -q sunrpc
# if still not available, the `mount` will issue an error for the user
# now just do it for kicks
mkdir -p ${MNT}
mount -t ${fstype} ${fstype} ${MNT}
}
start() {
ebegin "Setting up RPC pipefs"
mount_pipefs
eend $? "make sure you have NFS/SUNRPC enabled in your kernel"
}
stop() {
ebegin "Unmounting RPC pipefs"
umount ${MNT}
eend $?
}

32
net-fs/nfs-utils/files/rpc.statd.initd Normal file
View File

@ -0,0 +1,32 @@
#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
rpc_bin=/sbin/rpc.statd
rpc_pid=/var/run/rpc.statd.pid
depend() {
use ypbind net
need portmap
after quota
}
start() {
# Don't start rpc.statd if already started by someone else ...
# Don't try and kill it if it's already dead ...
if killall -q -0 ${rpc_bin} ; then
return 0
fi
ebegin "Starting NFS statd"
start-stop-daemon --start --exec ${rpc_bin} -- --no-notify ${OPTS_RPC_STATD}
eend $?
}
stop() {
ebegin "Stopping NFS statd"
start-stop-daemon --stop --exec ${rpc_bin} --pidfile /var/run/rpc.statd.pid
eend $?
}

23
net-fs/nfs-utils/files/rpc.svcgssd.initd Normal file
View File

@ -0,0 +1,23 @@
#!/sbin/openrc-run
# Copyright 1999-2008 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
[ -e /etc/conf.d/nfs ] && . /etc/conf.d/nfs
depend() {
use ypbind net
need portmap rpc.pipefs
after quota
}
start() {
ebegin "Starting svcgssd"
start-stop-daemon --start --exec /usr/sbin/rpc.svcgssd -- ${OPTS_RPC_SVCGSSD}
eend $?
}
stop() {
ebegin "Stopping svcgssd"
start-stop-daemon --stop --exec /usr/sbin/rpc.svcgssd
eend $?
}

21
net-fs/nfs-utils/metadata.xml Normal file
View File

@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<longdescription>NFS client and server daemons</longdescription>
<use>
<flag name="ldap">Add ldap support</flag>
<flag name="libmount">Link mount.nfs with libmount</flag>
<flag name="nfsdcld">Enable nfsdcld NFSv4 clientid tracking daemon</flag>
<flag name="nfsidmap">Enable support for newer nfsidmap helper</flag>
<flag name="nfsv4">Enable support for NFSv4</flag>
<flag name="nfsv41">Enable support for NFSv4.1</flag>
<flag name="uuid">Support UUID lookups in rpc.mountd</flag>
</use>
<upstream>
<remote-id type="sourceforge">nfs</remote-id>
</upstream>
</pkgmetadata>

188
net-fs/nfs-utils/nfs-utils-2.3.1-r4.ebuild Normal file
View File

@ -0,0 +1,188 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit autotools flag-o-matic multilib systemd
DESCRIPTION="NFS client and server daemons"
HOMEPAGE="http://linux-nfs.org/"
if [[ "${PV}" = *_rc* ]] ; then
inherit versionator
MY_PV="$(replace_all_version_separators -)"
SRC_URI="http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=snapshot;h=refs/tags/${PN}-${MY_PV};sf=tgz -> ${P}.tar.gz"
S="${WORKDIR}/${PN}-${PN}-${MY_PV}"
else
SRC_URI="mirror://sourceforge/nfs/${P}.tar.bz2"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
fi
LICENSE="GPL-2"
SLOT="0"
IUSE="caps ipv6 kerberos ldap +libmount nfsdcld +nfsidmap +nfsv4 nfsv41 selinux tcpd +uuid"
REQUIRED_USE="kerberos? ( nfsv4 )"
RESTRICT="test" #315573
# kth-krb doesn't provide the right include
# files, and nfs-utils doesn't build against heimdal either,
# so don't depend on virtual/krb.
# (04 Feb 2005 agriffis)
DEPEND_COMMON="
net-libs/libtirpc:=
>=net-nds/rpcbind-0.2.4
sys-libs/e2fsprogs-libs
caps? ( sys-libs/libcap )
ldap? ( net-nds/openldap )
libmount? ( sys-apps/util-linux )
nfsdcld? ( >=dev-db/sqlite-3.3 )
nfsv4? (
dev-libs/libevent:=
>=sys-apps/keyutils-1.5.9
kerberos? (
>=net-libs/libtirpc-0.2.4-r1[kerberos]
app-crypt/mit-krb5
)
)
nfsv41? (
sys-fs/lvm2
)
tcpd? ( sys-apps/tcp-wrappers )
uuid? ( sys-apps/util-linux )"
RDEPEND="${DEPEND_COMMON}
!net-libs/libnfsidmap
!net-nds/portmap
!<sys-apps/openrc-0.13.9
selinux? (
sec-policy/selinux-rpc
sec-policy/selinux-rpcbind
)
"
DEPEND="${DEPEND_COMMON}
virtual/pkgconfig"
PATCHES=(
"${FILESDIR}"/${PN}-1.1.4-mtab-sym.patch
"${FILESDIR}"/${PN}-1.2.8-cross-build.patch
"${FILESDIR}"/${P}-svcgssd_undefined_reference.patch #641912
"${FILESDIR}"/${PN}-musl.patch
"${FILESDIR}"/Do-not-pass-null-pointer-to-freeaddrinfo.diff
)
src_prepare() {
default
sed \
-e "/^sbindir/s:= := \"${EPREFIX}\":g" \
-i utils/*/Makefile.am || die
eautoreconf
}
src_configure() {
export libsqlite3_cv_is_recent=yes # Our DEPEND forces this.
export ac_cv_header_keyutils_h=$(usex nfsidmap)
local myeconfargs=(
--with-statedir="${EPREFIX%/}"/var/lib/nfs
--enable-tirpc
--with-tirpcinclude="${EPREFIX%/}"/usr/include/tirpc/
--with-pluginpath="${EPREFIX%/}"/usr/$(get_libdir)/libnfsidmap
--with-systemd="$(systemd_get_systemunitdir)"
--without-gssglue
$(use_enable caps)
$(use_enable ipv6)
$(use_enable kerberos gss)
$(use_enable kerberos svcgss)
$(use_enable ldap)
$(use_enable libmount libmount-mount)
$(use_enable nfsdcld nfsdcltrack)
$(use_enable nfsv4)
$(use_enable nfsv41)
$(use_enable uuid)
$(use_with tcpd tcp-wrappers)
)
econf "${myeconfargs[@]}"
}
src_compile(){
# remove compiled files bundled in the tarball
emake clean
default
}
src_install() {
default
rm linux-nfs/Makefile* || die
dodoc -r linux-nfs README
# Don't overwrite existing xtab/etab, install the original
# versions somewhere safe... more info in pkg_postinst
keepdir /var/lib/nfs/{,sm,sm.bak}
mv "${ED%/}"/var/lib/nfs "${ED%/}"/usr/$(get_libdir)/ || die
# Install some client-side binaries in /sbin
dodir /sbin
mv "${ED%/}"/usr/sbin/rpc.statd "${ED%/}"/sbin/ || die
if use nfsv4 && use nfsidmap ; then
# Install a config file for idmappers in newer kernels. #415625
insinto /etc/request-key.d
echo 'create id_resolver * * /usr/sbin/nfsidmap -t 600 %k %d' > id_resolver.conf
doins id_resolver.conf
fi
insinto /etc
doins "${FILESDIR}"/exports
keepdir /etc/exports.d
local f list=() opt_need=""
if use nfsv4 ; then
opt_need="rpc.idmapd"
list+=( rpc.idmapd rpc.pipefs )
use kerberos && list+=( rpc.gssd rpc.svcgssd )
fi
for f in nfs nfsclient rpc.statd "${list[@]}" ; do
newinitd "${FILESDIR}"/${f}.initd ${f}
done
newinitd "${FILESDIR}"/nfsmount.initd-1.3.1 nfsmount # Nuke after 2015/08/01
for f in nfs nfsclient ; do
newconfd "${FILESDIR}"/${f}.confd ${f}
done
sed -i \
-e "/^NFS_NEEDED_SERVICES=/s:=.*:=\"${opt_need}\":" \
"${ED%/}"/etc/conf.d/nfs || die #234132
local systemd_systemunitdir="$(systemd_get_systemunitdir)"
sed -i \
-e 's:/usr/sbin/rpc.statd:/sbin/rpc.statd:' \
"${ED%/}${systemd_systemunitdir}"/* || die
keepdir /var/lib/nfs #368505
keepdir /var/lib/nfs/v4recovery #603628
}
pkg_postinst() {
# Install default xtab and friends if there's none existing. In
# src_install we put them in /usr/lib/nfs for safe-keeping, but
# the daemons actually use the files in /var/lib/nfs. #30486
local f
for f in "${EROOT%/}"/usr/$(get_libdir)/nfs/*; do
[[ -e ${EROOT%/}/var/lib/nfs/${f##*/} ]] && continue
einfo "Copying default ${f##*/} from ${EPREFIX}/usr/$(get_libdir)/nfs to ${EPREFIX}/var/lib/nfs"
cp -pPR "${f}" "${EROOT%/}"/var/lib/nfs/
done
if systemd_is_booted; then
if [[ ${REPLACING_VERSIONS} < 1.3.0 ]]; then
ewarn "We have switched to upstream systemd unit files. Since"
ewarn "they got renamed, you should probably enable the new ones."
ewarn "You can run 'equery files nfs-utils | grep systemd'"
ewarn "to know what services you need to enable now."
fi
else
ewarn "If you use OpenRC, the nfsmount service has been replaced with nfsclient."
ewarn "If you were using nfsmount, please add nfsclient and netmount to the"
ewarn "same runlevel as nfsmount."
fi
}

6
sec-policy/selinux-doveadm/Manifest Normal file
View File

@ -0,0 +1,6 @@
AUX lego.fc 135 BLAKE2B f5518e53fe8d8aed6d19f06b53a9117f72c8773387b0a15f6970fa4e1b3ae985a60a37b8520750a7f16c8efff692c60a560fcaa66fd950675fa7a0627c0c8b97 SHA512 5e457469dc4685fa57175f1825bde5c3323fe7dd83ede73a5987086e90e8cf49c541f142ab5b83f63609323f35d2f3016123365f5dd06d7d55b796b95eba5b18
AUX lego.if 3516 BLAKE2B 2209fb75dce7c5a79423be81c0b66e3295f6ffd9113d60e58cfe90e6b41b8563f019d4aff3f2ce285a25fe2ee199eb4d4a42180c7b785d22d1180d49e4a6bc71 SHA512 c68cfdcedcf858a717c59353c2709a9687703a873048b61de634f5e05b87bcc1682380616a51a2e687dec99a6c6c385a13074668336a9cc0d37be8a2bc9f763d
AUX lego.te 2266 BLAKE2B d8329f30a1614f3091247c33d0b3e12a48840d44aeff6bdda76fc636840102717c992bdc861305dc7eba81bb9394fa303d0448cd6ff1d0b573d0675b5a631bfd SHA512 42b0b99909831801a5f5f6c3e32cd196e2a069434bcd2493c3776aa14a5292eea82e4708312d00fc62258bd4931a571eecc49e5c8da448d553c0c8fbf8588e36
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-lego-2.20180701-r1.ebuild 377 BLAKE2B 81194e9e7d540735c490a35a783b780bb7ad68d1f8e208c1f54d3c1f8eb688b9fed8c73ebe8abb5f0acb7e62abb77101a12e059809a53437695ca212edcad558 SHA512 5ae9193ce0aae16b0f35a5fdb904c81777eddd6347e776d990c2f562252e7f52018c9b23b470365ae880267069de4e7f5ce6b466fb406c2b86bb7ed83191ce3f

2
sec-policy/selinux-doveadm/files/doveadm.fc Normal file
View File

@ -0,0 +1,2 @@
/var/lib/lego(/.*)? gen_context(system_u:object_r:lego_data_t,s0)
/usr/bin/lego -- gen_context(system_u:object_r:lego_exec_t,s0)

193
sec-policy/selinux-doveadm/files/doveadm.if Normal file
View File

@ -0,0 +1,193 @@
## <summary>policy for lego</summary>
########################################
## <summary>
## Execute lego_exec_t in the lego domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`lego_domtrans',`
gen_require(`
type lego_t, lego_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, lego_exec_t, lego_t)
')
######################################
## <summary>
## Execute lego in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lego_exec',`
gen_require(`
type lego_exec_t;
')
corecmd_search_bin($1)
can_exec($1, lego_exec_t)
')
########################################
## <summary>
## Search lego conf directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lego_search_data',`
gen_require(`
type lego_data_t;
')
allow $1 lego_data_t:dir search_dir_perms;
files_search_etc($1)
')
########################################
## <summary>
## Read lego conf files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lego_read_data_files',`
gen_require(`
type lego_data_t;
')
allow $1 lego_data_t:dir list_dir_perms;
read_files_pattern($1, lego_data_t, lego_data_t)
files_search_etc($1)
files_search_var_lib($1)
')
########################################
## <summary>
## Manage lego conf files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lego_manage_data_files',`
gen_require(`
type lego_data_t;
')
manage_files_pattern($1, lego_data_t, lego_data_t)
files_search_etc($1)
files_search_var_lib($1)
')
########################################
## <summary>
## Execute lego in the lego domain, and
## allow the specified role the lego domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the lego domain.
## </summary>
## </param>
#
interface(`lego_run',`
gen_require(`
type lego_t;
attribute_role lego_roles;
')
lego_domtrans($1)
roleattribute $2 lego_roles;
')
########################################
## <summary>
## Role access for lego
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`lego_role',`
gen_require(`
type lego_t;
attribute_role lego_roles;
')
roleattribute $1 lego_roles;
lego_domtrans($2)
ps_process_pattern($2, lego_t)
allow $2 lego_t:process { signull signal sigkill };
')
########################################
## <summary>
## All of the rules required to administrate
## an lego environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`lego_admin',`
gen_require(`
type lego_t;
')
allow $1 lego_t:process { signal_perms };
ps_process_pattern($1, lego_t)
tunable_policy(`deny_ptrace',`',`
allow $1 lego_t:process ptrace;
')
files_search_etc($1)
admin_pattern($1, lego_data_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')

100
sec-policy/selinux-doveadm/files/doveadm.te Normal file
View File

@ -0,0 +1,100 @@
policy_module(doveadm, 1.0.0)
########################################
#
# Declarations
#
attribute_role dovecot_adm_roles;
roleattribute system_r lego_roles;
type dovecot_adm_t, dovecot_domain;
type dovecot_adm_exec_t;
domain_type(dovecot_adm_t)
domain_entry_file(dovecot_adm_t, dovecot_adm_exec_t)
role system_r types dovecot_adm_t;
########################################
#
# lego local policy
#
allow lego_t self:process getsched;
sysnet_read_config(lego_t)
files_search_var_lib(lego_t)
userdom_use_user_ptys(lego_t)
domain_use_interactive_fds(lego_t)
corenet_tcp_connect_http_port(lego_t)
allow lego_t self:tcp_socket create_socket_perms;
allow lego_t self:udp_socket create_socket_perms;
allow lego_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(lego_t, lego_data_t, lego_data_t)
manage_files_pattern(lego_t, lego_data_t, lego_data_t)
manage_lnk_files_pattern(lego_t, lego_data_t, lego_data_t)
files_etc_filetrans(lego_t, lego_data_t, { dir file lnk_file })
miscfiles_read_generic_certs(lego_t)
miscfiles_read_localization(lego_t)
tunable_policy(`lego_use_homedirs',`
userdom_manage_user_home_content_dirs(lego_t)
userdom_manage_user_home_content_files(lego_t)
')
optional_policy(`
gen_require(`
type sysadm_t;
role sysadm_r;
')
lego_role(sysadm_r, sysadm_t)
')
optional_policy(`
gen_require(`
role user_r;
type user_t;
')
lego_role(user_r, user_t)
')
optional_policy(`
gen_require(`
role staff_r;
type staff_t;
')
lego_role(staff_r, staff_t)
')
optional_policy(`
gen_require(`
type nginx_t;
')
lego_read_data_files(nginx_t)
')
optional_policy(`
gen_require(`
type dovecot_t;
')
lego_read_data_files(dovecot_t)
')
optional_policy(`
gen_require(`
type exim_t;
')
lego_read_data_files(exim_t)
')
optional_policy(`
gen_require(`
type system_cronjob_t, system_cronjob_tmp_t;
')
cron_system_entry(lego_t, lego_exec_t)
allow system_cronjob_t lego_data_t:file setattr;
allow lego_t system_cronjob_tmp_t:file write;
')

20
sec-policy/selinux-doveadm/selinux-doveadm-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="doveadm"
POLICY_FILES="doveadm.te doveadm.fc doveadm.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for doveadm - Dovecot's administration utility"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

5
sec-policy/selinux-hostapd/Manifest Normal file
View File

@ -0,0 +1,5 @@
AUX hostapd.fc 299 BLAKE2B 57f03ed6b66766688e01ca1aff1dfa6882d11fc2d2e6160426478be49d5b190a945b1d41f8fc02a075a0ee9ccadcfbc23549635a02448fffb2790467df8514c5 SHA512 c403eceead2eca2cb3f525788374681c9800239f57c2403840813e03df755528ae80457dd0c13db27d31b03da3e972f3a9deac63be50eb0cb7e3597cacfe74dd
AUX hostapd.te 1713 BLAKE2B 69952a4ba1acfd7e9199c60cce4f8a12bc80e8e3e731bca9f0f5aaba04c09fb41a604c20e4dfde223225f949dcb8fbc3466a9b84740bfe1a7eeeba456476f7d7 SHA512 4d6688bb4ee118af5c253a07eda4f3a8e6f56ff37568882599c6bd8060d871ea2228a9318c36c290f941cde4f2059a4f38d6832d2162dce132c6f17820c10e2a
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-hostapd-2.20180701-r1.ebuild 381 BLAKE2B e72b73164969be79643d5b584a57d1bc1ab4724f24d9d8e4d5964dd3193b1402277f6662db461f10d8937fdffea9dadb53f86afb855a3226be760a3df72309d3 SHA512 696ea45e4f5fac01fab8c5c44ca03f28746e9b251bc4e81f2c6c4dfb06d95eda475563bba6f6498bc2290a97cf9db7753b39f7c8178c6dad701ad85acda775b9

6
sec-policy/selinux-hostapd/files/hostapd.fc Normal file
View File

@ -0,0 +1,6 @@
/usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0)
/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0)
/etc/hostapd(/.*)? gen_context(system_u:object_r:hostapd_conf_t,s0)
/run/hostapd.pid -- gen_context(system_u:object_r:hostapd_var_run_t,s0)

56
sec-policy/selinux-hostapd/files/hostapd.te Normal file
View File

@ -0,0 +1,56 @@
policy_module(hostapd, 1.0.0)
########################################
#
# Declarations
#
type hostapd_t;
type hostapd_exec_t;
init_daemon_domain(hostapd_t, hostapd_exec_t)
type hostapd_var_run_t;
files_pid_file(hostapd_var_run_t)
type hostapd_conf_t;
files_type(hostapd_conf_t)
########################################
#
# hostapd local policy
#
allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };
allow hostapd_t self:fifo_file rw_fifo_file_perms;
allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
allow hostapd_t self:netlink_socket create_socket_perms;
allow hostapd_t self:netlink_generic_socket create_socket_perms;
allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
allow hostapd_t self:packet_socket create_socket_perms;
manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
kernel_read_system_state(hostapd_t)
kernel_read_network_state(hostapd_t)
kernel_request_load_module(hostapd_t)
kernel_rw_net_sysctls(hostapd_t)
dev_rw_sysfs(hostapd_t)
#allow initrc_t hostapd_conf_t:file read;
dev_read_rand(hostapd_t)
dev_read_urand(hostapd_t)
dev_read_sysfs(hostapd_t)
dev_rw_wireless(hostapd_t)
domain_use_interactive_fds(hostapd_t)
auth_use_nsswitch(hostapd_t)
logging_send_syslog_msg(hostapd_t)
miscfiles_read_localization(hostapd_t)

20
sec-policy/selinux-hostapd/selinux-hostapd-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="hostapd"
POLICY_FILES="hostapd.te hostapd.fc"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for hostapd"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

6
sec-policy/selinux-knot/Manifest Normal file
View File

@ -0,0 +1,6 @@
AUX knot.fc 351 BLAKE2B c405546b5b619948a3dffccad17c4ae12dcbfbc9b538e4bb7325fc5d8560e3a1b87ab0ccac4fd3dcc14be02d9112f139fe71b9bcd40e06efd8893ddf88a5c0c8 SHA512 214002c8c118e2320c3839a7e9cfccd4bd71e6fa0140351ff2c398f27609ea8ea0c5988ee30072db2729469bfc56cbc4f16de6ddcba792e1baf428215a4661a6
AUX knot.if 4627 BLAKE2B f383b3fc55dc7c99d583a0b5d61949e5b2d328586e02db7d2e8e6b3d88d3b4a1ed67c812db38d49f71efd8b89c92d37ac9722b0bfc8f11de952f1e02725d716a SHA512 a967b731a993ecec3a9ff7189bb5866049331209f643daadd951053d29e44d133140f3fecad756dc6a6e3f1b87f880c40cae81c5c685c834d7f268bf990fab2b
AUX knot.te 2142 BLAKE2B 15de1876243e55ba3ed68ecd5bbbcb8f637e23431b5ac15958096be29dd14a248d029a27134b72d43f93bb3215b5b1f9fab7c6d9464fbdcd2ab21fb030104816 SHA512 41ad8d429d680351186b6b337fd8b122a61eea73b302bb893fe7243531ba375678239fade0496474e4ece45df667669854d3f5d3e858fe9f8b733e4b52070611
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-knot-2.20180701-r1.ebuild 377 BLAKE2B 3e0e81a404c1810ddeedad0ab2af2d6db2270f85492ea39d60992cf0b0015f500b8e70dda185af2341684115adcb580e79fba76665fbe80ba0d1db3305103082 SHA512 18f8f1a16161f4f648cbd346b467bc4bb3c810d156e6ffbdc34d12d7686f08c0911484e8c5304045ae2aef49c71d9586b574f041c1fe337fbacf1d405579c5f4

10
sec-policy/selinux-knot/files/knot.fc Normal file
View File

@ -0,0 +1,10 @@
/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0)
/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0)
/var/run/knot(/.*)? gen_context(system_u:object_r:knot_var_run_t,s0)
/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0)
/etc/knot(/.*)? gen_context(system_u:object_r:knot_etc_t,s0)

198
sec-policy/selinux-knot/files/knot.if Normal file
View File

@ -0,0 +1,198 @@
## <summary>policy for knotc</summary>
########################################
## <summary>
## Execute knotd_exec_t in the knotd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`knotd_domtrans',`
gen_require(`
type knotd_t, knotd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, knotd_exec_t, knotd_t)
')
######################################
## <summary>
## Execute knotd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`knotd_exec',`
gen_require(`
type knotd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, knotd_exec_t)
')
########################################
## <summary>
## Knotd /run files transitions.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`knot_var_run_trans',`
gen_require(`
type knot_var_run_t;
type var_run_t;
type tmpfiles_t;
')
manage_dirs_pattern($1, knot_var_run_t, knot_var_run_t)
manage_files_pattern($1, knot_var_run_t, knot_var_run_t)
manage_lnk_files_pattern($1, knot_var_run_t, knot_var_run_t)
manage_sock_files_pattern($1, knot_var_run_t, knot_var_run_t)
search_dirs_pattern($1, knot_var_run_t, knot_var_run_t)
files_pid_filetrans($1, knot_var_run_t, { file dir sock_file})
filetrans_pattern(tmpfiles_t, var_run_t, knot_var_run_t, dir, "knot")
')
########################################
## <summary>
## Knot /var/lib files mamange.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`knot_var_lib_manage',`
gen_require(`
type knot_var_lib_t;
')
manage_dirs_pattern($1, knot_var_lib_t, knot_var_lib_t)
manage_files_pattern($1, knot_var_lib_t, knot_var_lib_t)
manage_lnk_files_pattern($1, knot_var_lib_t, knot_var_lib_t)
allow $1 knot_var_lib_t:file map;
files_var_lib_filetrans($1, knot_var_lib_t, { file dir })
')
########################################
## <summary>
## Knotd /var/lib files transitions.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`knot_var_lib_trans',`
gen_require(`
type knot_var_lib_t;
type var_lib_t;
type tmpfiles_t;
')
knot_var_lib_manage($1)
filetrans_pattern(tmpfiles_t, var_lib_t, knot_var_lib_t, dir, "knot")
')
########################################
## <summary>
## Knot /etc/knot files read.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`knot_etc_t_read',`
gen_require(`
type knot_etc_t;
type initrc_t;
')
mmap_read_files_pattern($1, knot_etc_t, knot_etc_t)
read_files_pattern(initrc_t, knot_etc_t, knot_etc_t)
')
########################################
## <summary>
## Knot /tmp files transitions.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`knot_tmp_trans',`
gen_require(`
type knot_tmp_t;
')
files_tmp_filetrans($1, knot_tmp_t, { file dir })
allow $1 knot_tmp_t:file map;
allow $1 knot_tmp_t:file manage_file_perms;
allow $1 knot_tmp_t:dir manage_dir_perms;
')
########################################
## <summary>
## Execute knotc_exec_t in the knotc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`knotc_domtrans',`
gen_require(`
type knotc_t, knotc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, knotc_exec_t, knotc_t)
')
########################################
## <summary>
## Role access for knotc
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`knotc_role',`
gen_require(`
type knotc_t;
attribute_role knotc_roles;
')
roleattribute $1 knotc_roles;
knotc_domtrans($2)
ps_process_pattern($2, knotc_t)
allow $2 knotc_t:process { signull signal sigkill };
')

95
sec-policy/selinux-knot/files/knot.te Normal file
View File

@ -0,0 +1,95 @@
policy_module(knot, 1.0.0)
########################################
#
# Declarations
#
type knotd_t;
type knotd_exec_t;
init_daemon_domain(knotd_t, knotd_exec_t)
type knotc_t;
type knotc_exec_t;
application_domain(knotc_t, knotc_exec_t)
init_daemon_domain(knotc_t, knotc_exec_t)
role knotc_roles types knotc_t;
attribute_role knotc_roles;
roleattribute system_r knotc_roles;
type knot_etc_t;
files_type(knot_etc_t)
type knot_var_run_t;
files_pid_file(knot_var_run_t)
type knot_var_lib_t;
files_type(knot_var_lib_t)
type knot_tmp_t;
files_tmp_file(knot_tmp_t)
########################################
#
# knotd local policy
#
allow knotd_t self:capability { setgid setuid dac_read_search };
allow knotd_t self:process { fork signal_perms getcap getsched setsched };
allow knotd_t self:tcp_socket create_stream_socket_perms;
allow knotd_t self:udp_socket create_stream_socket_perms;
allow knotd_t self:unix_stream_socket { listen accept };
corenet_tcp_bind_generic_node(knotd_t)
corenet_udp_bind_generic_node(knotd_t)
corenet_tcp_bind_dns_port(knotd_t)
corenet_udp_bind_dns_port(knotd_t)
knot_etc_t_read(knotd_t)
knot_var_run_trans(knotd_t)
knot_var_lib_trans(knotd_t)
knot_tmp_trans(knotd_t)
kernel_read_kernel_sysctls(knotd_t)
fs_getattr_xattr_fs(knotd_t)
fs_dontaudit_getattr_tmpfs(knotd_t)
files_read_etc_files(knotd_t)
auth_use_nsswitch(knotd_t)
logging_send_syslog_msg(knotd_t)
miscfiles_read_localization(knotd_t)
########################################
#
# knotc local policy
#
allow knotc_t self:capability { dac_override dac_read_search };
allow knotc_t knotd_t:unix_stream_socket connectto;
allow knotc_t knot_var_run_t:dir search;
allow knotc_t knot_var_run_t:sock_file write_sock_file_perms;
knot_etc_t_read(knotc_t)
knot_tmp_trans(knotc_t)
knot_var_lib_manage(knotc_t)
fs_dontaudit_getattr_tmpfs(knotc_t)
files_dontaudit_search_var_lib(knotc_t)
domain_use_interactive_fds(knotc_t)
userdom_use_user_ptys(knotc_t)
miscfiles_read_localization(knotc_t)
optional_policy(`
gen_require(`
type sysadm_t;
role sysadm_r;
')
knotc_role(sysadm_r, sysadm_t)
')

20
sec-policy/selinux-knot/selinux-knot-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="knot"
POLICY_FILES="knot.te knot.fc knot.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for knot"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

6
sec-policy/selinux-lego/Manifest Normal file
View File

@ -0,0 +1,6 @@
AUX lego.fc 135 BLAKE2B f5518e53fe8d8aed6d19f06b53a9117f72c8773387b0a15f6970fa4e1b3ae985a60a37b8520750a7f16c8efff692c60a560fcaa66fd950675fa7a0627c0c8b97 SHA512 5e457469dc4685fa57175f1825bde5c3323fe7dd83ede73a5987086e90e8cf49c541f142ab5b83f63609323f35d2f3016123365f5dd06d7d55b796b95eba5b18
AUX lego.if 3516 BLAKE2B 2209fb75dce7c5a79423be81c0b66e3295f6ffd9113d60e58cfe90e6b41b8563f019d4aff3f2ce285a25fe2ee199eb4d4a42180c7b785d22d1180d49e4a6bc71 SHA512 c68cfdcedcf858a717c59353c2709a9687703a873048b61de634f5e05b87bcc1682380616a51a2e687dec99a6c6c385a13074668336a9cc0d37be8a2bc9f763d
AUX lego.te 2329 BLAKE2B bd04b323a09926b8262b6e1232904f22a5cf5cfc1ad7a54a1812ea5faddc07c974039619baccf657437178f27ef0bb4aba5eec9141c6aa670957ddc47a582a88 SHA512 485cd6449edce49b6e6368c21e9d388bf443c2a19ec782354c6dff16b8c4b8ce7ecd9c89cd45effd2df19edc6ed318851f387a10cd109aaf72698271f3b8da0c
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-lego-2.20180701-r1.ebuild 377 BLAKE2B 81194e9e7d540735c490a35a783b780bb7ad68d1f8e208c1f54d3c1f8eb688b9fed8c73ebe8abb5f0acb7e62abb77101a12e059809a53437695ca212edcad558 SHA512 5ae9193ce0aae16b0f35a5fdb904c81777eddd6347e776d990c2f562252e7f52018c9b23b470365ae880267069de4e7f5ce6b466fb406c2b86bb7ed83191ce3f

2
sec-policy/selinux-lego/files/lego.fc Normal file
View File

@ -0,0 +1,2 @@
/var/lib/lego(/.*)? gen_context(system_u:object_r:lego_data_t,s0)
/usr/bin/lego -- gen_context(system_u:object_r:lego_exec_t,s0)

193
sec-policy/selinux-lego/files/lego.if Normal file
View File

@ -0,0 +1,193 @@
## <summary>policy for lego</summary>
########################################
## <summary>
## Execute lego_exec_t in the lego domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`lego_domtrans',`
gen_require(`
type lego_t, lego_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, lego_exec_t, lego_t)
')
######################################
## <summary>
## Execute lego in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lego_exec',`
gen_require(`
type lego_exec_t;
')
corecmd_search_bin($1)
can_exec($1, lego_exec_t)
')
########################################
## <summary>
## Search lego conf directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lego_search_data',`
gen_require(`
type lego_data_t;
')
allow $1 lego_data_t:dir search_dir_perms;
files_search_etc($1)
')
########################################
## <summary>
## Read lego conf files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lego_read_data_files',`
gen_require(`
type lego_data_t;
')
allow $1 lego_data_t:dir list_dir_perms;
read_files_pattern($1, lego_data_t, lego_data_t)
files_search_etc($1)
files_search_var_lib($1)
')
########################################
## <summary>
## Manage lego conf files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lego_manage_data_files',`
gen_require(`
type lego_data_t;
')
manage_files_pattern($1, lego_data_t, lego_data_t)
files_search_etc($1)
files_search_var_lib($1)
')
########################################
## <summary>
## Execute lego in the lego domain, and
## allow the specified role the lego domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the lego domain.
## </summary>
## </param>
#
interface(`lego_run',`
gen_require(`
type lego_t;
attribute_role lego_roles;
')
lego_domtrans($1)
roleattribute $2 lego_roles;
')
########################################
## <summary>
## Role access for lego
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`lego_role',`
gen_require(`
type lego_t;
attribute_role lego_roles;
')
roleattribute $1 lego_roles;
lego_domtrans($2)
ps_process_pattern($2, lego_t)
allow $2 lego_t:process { signull signal sigkill };
')
########################################
## <summary>
## All of the rules required to administrate
## an lego environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`lego_admin',`
gen_require(`
type lego_t;
')
allow $1 lego_t:process { signal_perms };
ps_process_pattern($1, lego_t)
tunable_policy(`deny_ptrace',`',`
allow $1 lego_t:process ptrace;
')
files_search_etc($1)
admin_pattern($1, lego_data_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')

112
sec-policy/selinux-lego/files/lego.te Normal file
View File

@ -0,0 +1,112 @@
policy_module(lego, 1.0.3)
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether lego can use
## user home directories.
## </p>
## </desc>
gen_tunable(lego_use_homedirs, false)
attribute_role lego_roles;
roleattribute system_r lego_roles;
type lego_t;
type lego_exec_t;
application_domain(lego_t, lego_exec_t)
role lego_roles types lego_t;
type lego_data_t;
files_type(lego_data_t)
ubac_constrained(lego_data_t)
########################################
#
# lego local policy
#
allow lego_t self:capability { dac_override dac_read_search };
allow lego_t self:process getsched;
sysnet_read_config(lego_t)
files_search_var_lib(lego_t)
userdom_use_user_ptys(lego_t)
domain_use_interactive_fds(lego_t)
corenet_tcp_connect_http_port(lego_t)
allow lego_t self:tcp_socket create_socket_perms;
allow lego_t self:udp_socket create_socket_perms;
allow lego_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(lego_t, lego_data_t, lego_data_t)
manage_files_pattern(lego_t, lego_data_t, lego_data_t)
manage_lnk_files_pattern(lego_t, lego_data_t, lego_data_t)
files_etc_filetrans(lego_t, lego_data_t, { dir file lnk_file })
miscfiles_read_generic_certs(lego_t)
miscfiles_read_localization(lego_t)
tunable_policy(`lego_use_homedirs',`
userdom_manage_user_home_content_dirs(lego_t)
userdom_manage_user_home_content_files(lego_t)
')
optional_policy(`
gen_require(`
type sysadm_t;
role sysadm_r;
')
lego_role(sysadm_r, sysadm_t)
')
optional_policy(`
gen_require(`
role user_r;
type user_t;
')
lego_role(user_r, user_t)
')
optional_policy(`
gen_require(`
role staff_r;
type staff_t;
')
lego_role(staff_r, staff_t)
')
optional_policy(`
gen_require(`
type nginx_t;
')
lego_read_data_files(nginx_t)
')
optional_policy(`
gen_require(`
type dovecot_t;
')
lego_read_data_files(dovecot_t)
')
optional_policy(`
gen_require(`
type exim_t;
')
lego_read_data_files(exim_t)
')
optional_policy(`
gen_require(`
type system_cronjob_t, system_cronjob_tmp_t;
')
cron_system_entry(lego_t, lego_exec_t)
allow system_cronjob_t lego_data_t:file setattr;
allow lego_t system_cronjob_tmp_t:file write;
')

20
sec-policy/selinux-lego/selinux-lego-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="lego"
POLICY_FILES="lego.te lego.fc lego.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for lego"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

4
sec-policy/selinux-nextcloud/Manifest Normal file
View File

@ -0,0 +1,4 @@
AUX nextcloud.te 1363 BLAKE2B b18c1a2a3a1cbefba0f0d8e56e38556a7778e4d41c5e8c0cbe7016417fe361a2c0b1a18c72b1c7a587fa81482295e3bf1a226ceb49f42d6ab439a1e6d2b418a6 SHA512 034ee58a7780a2f9ee098accbb2b4e5996153de7d5bf7f95cc932193f963fe7addc58dbb2f805d25bb6ec3ccc72707580ef321053d4d321fc3607d0f9f8d873c
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-nextcloud-2.20180701-r1.ebuild 376 BLAKE2B 582ecbc77d098512f524daf539346819dc6c480a6d7754a6e2a4224485453f19ad1c906cdd42e92e72d1a2093fd47698e13847df575a60e7369b1d80c9d00181 SHA512 d287903678e45839041fcf06e19e2245d20d2ebc4ffea8dcd8b22000ce8bba362f5f943969723926e4b86fca62c885ad2a371273910631a62d2b4b122df6caf2

57
sec-policy/selinux-nextcloud/files/nextcloud.te Normal file
View File

@ -0,0 +1,57 @@
policy_module(nextcloud, 1.0.0)
########################################
#
# Declarations
#
########################################
#
# lego local policy
#
gen_require(`
type phpfpm_t;
type phpfpm_tmp_t;
type etc_t;
type cert_t;
type httpd_sys_content_t;
type httpd_sys_rw_content_t;
class file { map open read };
class process sigkill;
class shm { create destroy read unix_read unix_write write };
')
optional_policy(`
gen_require(`
type system_cronjob_t;
type phpfpm_exec_t;
')
cron_system_entry(phpfpm_t, phpfpm_exec_t)
')
corenet_udp_bind_generic_node(phpfpm_t)
corenet_tcp_connect_http_port(phpfpm_t)
# Allow to connect to IMAP/SMTP
corenet_tcp_connect_pop_port(phpfpm_t)
corenet_tcp_connect_smtp_port(phpfpm_t)
fs_rw_hugetlbfs_files(phpfpm_t)
allow phpfpm_t hugetlbfs_t:file map;
allow phpfpm_t etc_t:file map;
allow phpfpm_t phpfpm_tmp_t:file map;
allow phpfpm_t httpd_sys_content_t:file map;
allow phpfpm_t httpd_sys_rw_content_t:file map;
allow phpfpm_t cert_t:file { open read };
allow phpfpm_t self:process sigkill;
allow phpfpm_t self:shm { create_shm_perms r_shm_perms };
files_search_var(phpfpm_t)
userdom_list_user_home_content(phpfpm_t)
userdom_read_user_home_content_files(phpfpm_t)
files_search_mnt(phpfpm_t)
files_dontaudit_list_var(phpfpm_t)

20
sec-policy/selinux-nextcloud/selinux-nextcloud-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="nextcloud"
POLICY_FILES="nextcloud.te"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for nextcloud"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

4
sec-policy/selinux-nsd/Manifest Normal file
View File

@ -0,0 +1,4 @@
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-nsd-2.20180701-r1.ebuild 277 BLAKE2B 19b0326fc75c91994ba63b0e410241877e87b81680b9d02458b4896652c93b6b472170543d7f23de1f714f62aee29dfc932c428103b752f6ca9de5e30c92ed8a SHA512 dc3549650228861e51c8b1dda49b0ce0e7403a3e3d004c72e021b31e7987f7227d263e19e3500d6e34ba9d560a3a0876d6428f493aaea7d3ec27c132b03b62f3
MISC metadata.xml 314 BLAKE2B 804e8fd77ee3d8a8ef928de31a5db28fe522eafed3695574154fd70316f49d793c62a758dd53e5902c322c23bd9edc4f18888258e41b8701d3ae5cf4c573560c SHA512 dec699cdcba4fb0219f7fb71afbfca634d1a5767121078a206289fda39d33a622f2986064e29f16548290f4ca8aa71150667e92fbb4d799ece93209b2f1967c2

9
sec-policy/selinux-nsd/metadata.xml Normal file
View File

@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>selinux@gentoo.org</email>
<name>SELinux Team</name>
</maintainer>
<longdescription>Gentoo SELinux policy for alsa</longdescription>
</pkgmetadata>

15
sec-policy/selinux-nsd/selinux-nsd-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,15 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
IUSE=""
MODS="nsd"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for nsd"
if [[ ${PV} != 9999* ]] ; then
KEYWORDS="amd64 -arm ~arm64 ~mips ~x86"
fi

6
sec-policy/selinux-rspamd/Manifest Normal file
View File

@ -0,0 +1,6 @@
AUX rspamd.fc 359 BLAKE2B 5b559490f203545c60fdaad7b9b5446c467f73312b5fa62716de5850aaf2b18b2610e36903dce0f3711ef6070c8132752a74b2161b49a1ae2770dfca7bffd4dd SHA512 5b8feaf54ea3437b12b9bad8d9f47fa52dc2f0b8993043c6d37b3e4179b36afdb047eec38294c271adbfc2c7e112f205de64c36aea71055777c3747a9fe25ea0
AUX rspamd.if 6518 BLAKE2B 3c1a62ab074e8ff0e46aec72804ef67022589cc7d40f9bfce45350b9396fb336d121bd407af2e6dea905e0b71c3609c21ef72d3dd24df46f26f8e22188333552 SHA512 79dd3e7ecf5b80f2e60f28a887ab69b037097427472c2b12a2960b325aec9d3ed60b5c11518287512a9a439b99880857aec3446a30383f30c1be1035e03d9798
AUX rspamd.te 3621 BLAKE2B b155e0f160627b81be85208950468d483e2a1a6eddb0d43671ca5adb15f637c675f54fe24ff17811d14c0f34211afc4b6c2c8e08077f928b59e5ae36d44d8b61 SHA512 71540931c4e6e1eed253f60d2118df36788fb59a9dfe200ffa03d7be2afcc0eb97773a6cda0e38f91ccd254a53df3e4dbc33e1f0a3529f6ae92f9c689e88e95d
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-rspamd-2.20180701-r1.ebuild 387 BLAKE2B 029838949f858eccc5ffd50ef22ad623253db4494b881e150ecaab40b4c5976a7d483fa96f7591e748f6401bd1fdf270b514f26bd6810034a4084dd9f7029468 SHA512 16894cabddda31b87d354f7a34d4f0877027db0c381bd4347c5a540e34e4b848f5053f037454577c7f2e2e575a2bfeb36106b39107fa442192633662fcd1e4f3

9
sec-policy/selinux-rspamd/files/rspamd.fc Normal file
View File

@ -0,0 +1,9 @@
/usr/bin/rspamd.* -- gen_context(system_u:object_r:rspamd_exec_t,s0)
/etc/rspamd(/.*)? gen_context(system_u:object_r:rspamd_conf_t,s0)
/var/lib/rspamd(/.*)? gen_context(system_u:object_r:rspamd_var_lib_t,s0)
/var/log/rspamd(/.*)? gen_context(system_u:object_r:rspamd_log_t,s0)
/var/run/rspamd(/.*)? gen_context(system_u:object_r:rspamd_var_run_t,s0)

325
sec-policy/selinux-rspamd/files/rspamd.if Normal file
View File

@ -0,0 +1,325 @@
## <summary>policy for rspamd</summary>
########################################
## <summary>
## Execute rspamd_exec_t in the rspamd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rspamd_domtrans',`
gen_require(`
type rspamd_t, rspamd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rspamd_exec_t, rspamd_t)
')
######################################
## <summary>
## Execute rspamd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rspamd_exec',`
gen_require(`
type rspamd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rspamd_exec_t)
')
########################################
## <summary>
## Read rspamd's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`rspamd_read_log',`
gen_require(`
type rspamd_log_t;
')
logging_search_logs($1)
read_files_pattern($1, rspamd_log_t, rspamd_log_t)
')
########################################
## <summary>
## Append to rspamd log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rspamd_append_log',`
gen_require(`
type rspamd_log_t;
')
logging_search_logs($1)
append_files_pattern($1, rspamd_log_t, rspamd_log_t)
')
########################################
## <summary>
## Manage rspamd log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rspamd_manage_log',`
gen_require(`
type rspamd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, rspamd_log_t, rspamd_log_t)
manage_files_pattern($1, rspamd_log_t, rspamd_log_t)
manage_lnk_files_pattern($1, rspamd_log_t, rspamd_log_t)
')
########################################
## <summary>
## Search rspamd lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rspamd_search_lib',`
gen_require(`
type rspamd_var_lib_t;
')
allow $1 rspamd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read rspamd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rspamd_read_lib_files',`
gen_require(`
type rspamd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
')
########################################
## <summary>
## Manage rspamd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rspamd_manage_lib_files',`
gen_require(`
type rspamd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
')
########################################
## <summary>
## Manage rspamd lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rspamd_manage_lib_dirs',`
gen_require(`
type rspamd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
')
########################################
## <summary>
## Read rspamd PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rspamd_read_pid_files',`
gen_require(`
type rspamd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, rspamd_var_run_t, rspamd_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an rspamd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`rspamd_admin',`
gen_require(`
type rspamd_t;
type rspamd_log_t;
type rspamd_var_lib_t;
type rspamd_var_run_t;
')
allow $1 rspamd_t:process { signal_perms };
ps_process_pattern($1, rspamd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rspamd_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, rspamd_log_t)
files_search_var_lib($1)
admin_pattern($1, rspamd_var_lib_t)
files_search_pids($1)
admin_pattern($1, rspamd_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')
############################################################################
# network.if
############################################################################
########################################
## <summary>
## Bind TCP sockets to the rspamd worker port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_rspamd_wrkr_port',`
gen_require(`
type rspamd_wrkr_port_t;
')
allow $1 rspamd_wrkr_port_t:tcp_socket name_bind;
')
########################################
## <summary>
## Bind TCP sockets to the rspamd controller port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_rspamd_cntrllr_port',`
gen_require(`
type rspamd_cntrllr_port_t;
')
allow $1 rspamd_cntrllr_port_t:tcp_socket name_bind;
')
########################################
## <summary>
## Bind TCP sockets to the rspamd proxy port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_rspamd_prx_port',`
gen_require(`
type rspamd_prx_port_t;
')
allow $1 rspamd_prx_port_t:tcp_socket name_bind;
')
########################################
## <summary>
## Make a TCP connection to the rspamd worker port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_tcp_connect_rspamd_wrkr_port',`
gen_require(`
type rspamd_wrkr_port_t;
')
allow $1 rspamd_wrkr_port_t:tcp_socket name_connect;
')

120
sec-policy/selinux-rspamd/files/rspamd.te Normal file
View File

@ -0,0 +1,120 @@
policy_module(rspamd, 1.0.0)
########################################
#
# Declarations
#
type rspamd_t;
type rspamd_exec_t;
init_daemon_domain(rspamd_t, rspamd_exec_t)
#permissive rspamd_t;
type rspamd_conf_t;
files_type(rspamd_conf_t)
type rspamd_tmpfs_t;
files_tmpfs_file(rspamd_tmpfs_t)
type rspamd_log_t;
logging_log_file(rspamd_log_t)
type rspamd_var_lib_t;
files_type(rspamd_var_lib_t)
type rspamd_var_run_t;
files_pid_file(rspamd_var_run_t)
type rspamd_wrkr_port_t;
corenet_port(rspamd_wrkr_port_t)
#portcon tcp 11333 gen_context(system_u:object_r:rspamd_wrkr_port_t,s0)
type rspamd_cntrllr_port_t;
corenet_port(rspamd_cntrllr_port_t)
#portcon tcp 11334 gen_context(system_u:object_r:rspamd_cntrllr_port_t,s0)
type rspamd_prx_port_t;
corenet_port(rspamd_prx_port_t)
#portcon tcp 11332 gen_context(system_u:object_r:rspamd_prx_port_t,s0)
########################################
#
# rspamd local policy
#
#allow rspamd_t self:capability { chown setgid setuid };
#allow rspamd_t self:process { fork setrlimit signal_perms };
allow rspamd_t self:unix_stream_socket create_stream_socket_perms;
allow rspamd_t self:fifo_file rw_fifo_file_perms;
allow rspamd_t self:capability { chown dac_override dac_read_search kill net_bind_service setgid setuid };
allow rspamd_t self:process { getsched setrlimit signal execmem };
allow rspamd_t self:tcp_socket { listen accept };
corenet_tcp_bind_generic_node(rspamd_t)
corenet_udp_bind_generic_node(rspamd_t)
corenet_tcp_bind_rspamd_wrkr_port(rspamd_t)
corenet_tcp_bind_rspamd_cntrllr_port(rspamd_t)
corenet_tcp_bind_rspamd_prx_port(rspamd_t)
corenet_tcp_connect_http_port(rspamd_t)
corenet_tcp_connect_smtp_port(rspamd_t)
corenet_tcp_connect_redis_port(rspamd_t)
kernel_read_kernel_sysctls(rspamd_t)
allow rspamd_t rspamd_conf_t:file map;
list_dirs_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
read_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
read_lnk_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
allow rspamd_t rspamd_tmpfs_t:file map;
manage_files_pattern(rspamd_t, rspamd_tmpfs_t, rspamd_tmpfs_t)
fs_tmpfs_filetrans(rspamd_t, rspamd_tmpfs_t, file)
manage_dirs_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
manage_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
manage_lnk_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
logging_log_filetrans(rspamd_t, rspamd_log_t, { dir file lnk_file })
files_list_var(rspamd_t)
allow rspamd_t rspamd_var_lib_t:file map;
manage_dirs_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
manage_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
manage_lnk_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
manage_sock_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
files_var_lib_filetrans(rspamd_t, rspamd_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
manage_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
manage_lnk_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
files_pid_filetrans(rspamd_t, rspamd_var_run_t, { dir file lnk_file })
userdom_use_user_ptys(rspamd_t)
domain_use_interactive_fds(rspamd_t)
#files_read_etc_files(rspamd_t)
files_read_usr_files(rspamd_t)
files_map_usr_files(rspamd_t)
files_dontaudit_list_var(rspamd_t)
auth_use_nsswitch(rspamd_t)
logging_send_syslog_msg(rspamd_t)
miscfiles_read_localization(rspamd_t)
sysnet_dns_name_resolve(rspamd_t)
optional_policy(`
gen_require(`
type exim_t;
')
corenet_tcp_connect_rspamd_wrkr_port(exim_t)
')
optional_policy(`
clamav_stream_connect(rspamd_t)
')

20
sec-policy/selinux-rspamd/selinux-rspamd-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="rspamd"
POLICY_FILES="rspamd.te rspamd.fc rspamd.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for rspamd"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

4
sec-policy/selinux-server-custom/Manifest Normal file
View File

@ -0,0 +1,4 @@
AUX server-custom.te 4534 BLAKE2B 5cda8ae24fdff6101c505139f3b9f2c5003cf5e7231ee2144f8ed04311e5ee2c83ae7a8ba5f33b2d09423077d624b9490c7683f117e6d43f81edddd89022d47a SHA512 699a67ef140ca9cf9f950731e0a788f793a8c2dc11f804967bf5c4cb9760090e6aa631d5e329d1a71d4153dfdbaf9ba39dfe6bf2a7fa2ecc47843813d6b6f161
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-server-custom-2.20180701-r1.ebuild 388 BLAKE2B 7967baa6b3ffbd099510af5cb138a3b309fe70266100aae1f7c34072f2f6fdd1918fb0e8edd24f693b1bedee2c8a47c80e81208f5ad762693add2eba918c1c82 SHA512 da5bde5eb21ab5aa097e9ca8638697af92985774fbe0b91cea5fe1097b24b3703255c3af987ecac2f2d32ae6f894c64dcf54fb99c81ff2fdc230c8a89a3dcdee

101
sec-policy/selinux-server-custom/files/server-custom.te Normal file
View File

@ -0,0 +1,101 @@
policy_module(server-custom, 1.0.2)
gen_require(`
type ping_t, rsync_t, nginx_t, syncthing_t;
type ssh_keygen_t, lvm_t, lvm_metadata_t;
type portage_t, portage_ebuild_t;
type sysadm_t, tmpfiles_t, syslogd_t, hugetlbfs_t;
type kmod_t, tracefs_t, postgresql_t, postgresql_tmp_t;
type named_t, dovecot_t, dovecot_auth_t, redis_t;
type mail_spool_t, exim_t, dovecot_deliver_t, mailserver_delivery;
type freshclam_t, phpfpm_t, kernel_t, iptables_t;
role sysadm_r;
')
####### Policy
# Musl specific requirements for address resolve
corenet_udp_bind_generic_node(ping_t)
corenet_udp_bind_generic_node(portage_t)
corenet_udp_bind_generic_node(rsync_t)
corenet_udp_bind_generic_node(nginx_t)
corenet_udp_bind_generic_node(exim_t)
corenet_udp_bind_generic_node(freshclam_t)
# PHP ROUNDCUBE
corenet_tcp_connect_sieve_port(phpfpm_t)
# NGINX failed to start without additional permissions
allow nginx_t self:capability { dac_override dac_read_search };
allow nginx_t self:process getsched;
# Syncthing failed to start/stop without additional permissions
corecmd_exec_bin(syncthing_t)
# WARNING: Failed to lower process priority: set process group: permission denied
# WARNING: Failed to lower process priority: set niceness: permission denied
allow syncthing_t self:process { signal_perms setpgid setsched };
# Able to run "ip ropute show" to determinate gateway for NAT-PMP
# sysnet_domtrans_ifconfig(syncthing_t)
# Able to read network state (/proc/*/route) to determinate gateway for NAT-t And to check for cpu capabilities (/proc/cpuinfo).
kernel_read_network_state(syncthing_t)
files_search_mnt(syncthing_t)
# Unbound
allow named_t self:capability net_admin;
# PostgreSQL
allow postgresql_t hugetlbfs_t:file map;
allow postgresql_t postgresql_tmp_t:file map;
# Exim
#allow exim_t self:capability dac_read_search;
#allow exim_t self:process getsched;
allow dovecot_deliver_t exim_t:unix_stream_socket { read write };
# Redis
allow redis_t self:process getsched;
files_search_var_lib(redis_t)
# DOVECOT
# dovecot[28606]: Error: imap: Index (in-memory index): Lost log for seq=1 offset=0: Failed to map file seq=2 offset=40..18446744073709551615 (ret=0): Beginning of the log isn't available (initial_mapped=1, reason=in-memory index)
# dovecot[28606]: imap: Warning: fscking index file (in-memory index)
# dovecot[28606]: Error: imap: Failed to map transaction log /var/mail/xxx/Maildir/.Drafts/dovecot.index.log at sync_offset=40 after locking: Beginning of the log isn't available
# avc: denied { map } for pid=28895 comm="imap" path="/var/spool/mail/xxx/Maildir/.Drafts/dovecot.index.cache" dev="dm-0" ino=187521031 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
allow dovecot_t mail_spool_t:file map;
# Dovecot SMTP Submission
corenet_sendrecv_smtp_server_packets(dovecot_t)
corenet_tcp_bind_smtp_port(dovecot_t)
corenet_sendrecv_smtp_client_packets(dovecot_t)
corenet_tcp_connect_smtp_port(dovecot_t)
# Dovecot DB connect
corenet_tcp_connect_postgresql_port(dovecot_auth_t)
# NSD failed to work properly without additional permissions
#allow nsd_t self:capability { dac_read_search net_admin };
#allow nsd_t self:capability { dac_read_search net_admin };
#allow nsd_t nsd_zone_t:file { map };
#allow nsd_t nsd_db_t:file { map };
#allow lvm_t lvm_metadata_t:file map;
# comm="modprobe" name="events" dev="tracefs"
allow kmod_t tracefs_t:dir search;
# avc: denied { dac_read_search } for pid=9036 comm="checkpath" capability=2
# avc: denied { dac_override } for pid=9036 comm="checkpath" capability=1
allow tmpfiles_t self:capability { dac_read_search };
# avc: denied { sendto } for pid=9036 comm="checkpath" path="/dev/log"
logging_send_syslog_msg(tmpfiles_t)
# type=AVC msg=audit(1535383674.057:1263): avc: denied { write } for pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0
allow portage_t self:dir write;
# type=AVC msg=audit(1536753503.662:7355): avc: denied { map } for pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0
allow portage_t portage_ebuild_t:file map;
#optional_policy(`
# nsd_admin(sysadm_t, sysadm_r)
#')
# ssh_keygen_t failed to work with terminal
userdom_use_user_ptys(ssh_keygen_t)

20
sec-policy/selinux-server-custom/selinux-server-custom-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="server-custom"
POLICY_FILES="server-custom.te"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for custom things"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

4
sec-policy/selinux-toe/Manifest Normal file
View File

@ -0,0 +1,4 @@
AUX toe.cil 850 BLAKE2B 868de20c80b2a15e4b9952d238314ff847b094a33e55ca31c77cc63fe585d394c8c46a2a72852cccbd4250d1f6c21f008c3d3946f2ab54422a56aefb8e3ec0a7 SHA512 0985266aa4fd290df95d611d73b6fe1dc821c52a1280485886efdd9696e358442cf7c8016c8fe47fcdbcbddb0fcf0ef511c37f524ee5f83d9a57fba94b61a4f9
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-toe-2.20180701-r1.ebuild 390 BLAKE2B d5f793a0130e6cd1812e83860a1f307142a86d9543e9f5052447297d7f80b11fbe7a1de18e4c121135eb6a7bada6552a36dd8454f7bf2b7a3a62a38a230438a5 SHA512 7597ec58304a19796053339032e0d65e8801372c716388554d6fb2fe7d88207f5cbf1fab842f08449910bcef82bc5d60792200e4e901b3b41dbd0132d56efef9

23
sec-policy/selinux-toe/files/toe.cil Normal file
View File

@ -0,0 +1,23 @@
; Name: TOE (Trusted Owner Execution) SELinux module.
; Author: Alexander Miroshnichenko (alexminder)
; e-mail: alexminder@gmail.com
; Purpose: Prevent users to execute untrusted their (non system_u context) or tmp files.
; License: GPL-3
;
(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
(typeattribute toe_insecure_type)
(typeattribute toe_exclude_type)
(typeattributeset toe_insecure_type (user_home_t git_user_content_t))
(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
(constrain (file (execute))
(and
(neq t2 toe_insecure_type)
(or
(eq t2 toe_exclude_type)
(and
(eq u2 system_u)
(neq t2 tmpfile)
)
)
)
)

20
sec-policy/selinux-toe/selinux-toe-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="toe"
POLICY_FILES="toe.cil"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for trusted owner (sysadm_u) execution"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

6
sec-policy/selinux-transmission/Manifest Normal file
View File

@ -0,0 +1,6 @@
AUX transmission.fc 519 BLAKE2B 96edf5ac319fb0ee07c49638321cf91f714c1e1dc977f882cbd756e73ff778c9f1f3fe964e9f3e345b9d73c236b5f235e627c7a14bcd25c0586f6867decf5414 SHA512 815b13e6254b28b073e032a13d2d3d6b3ff50d4085a09f330b5466926cf4b4815f626f3fe008f527eb6e9d23bf3411341ae7c4c6880d48682b1a61dee5c660cf
AUX transmission.if 7230 BLAKE2B 67581dd8b9583aaec0c65456cc9a14562d838dee46af3e0344f63c94ee39578ac1b9b1d3fda82b051b74f9bc92d17efe4b36170c6d9cf1f15a8e35d0a769071d SHA512 b59c4725478ec2c6257cee4233cd0c1954968c6be8bf5ae4fde44f09f0d2ebbbd6c2b3d630e82030cbe2173d3bdc509d9d40938f14940768e1ccfdad4e3688cb
AUX transmission.te 3353 BLAKE2B e1a7afb093add23ecacf4e0964d9a386d02a39759cff5a089f3c41d88d63ef2c8d9f0fe00b8c0872d007dc3e80cc3f86be30420760209de5b78ded5811938565 SHA512 66562fa975a6a4524684a83938c34cd6fadf1950cc68c891898f0ddbdba562ebfeea4ced27e63dd65a89c80d4c2022d2393e568e6fa8468711893665703177a7
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-transmission-2.20180701-r1.ebuild 417 BLAKE2B e7c1edd816214b43cc229eb00bf49f618c38583ff433f4afe76c4e2d2deb82d6b83e1799bf87bf8b3252089662ef2697cd58f27a944e452342c639550125aabc SHA512 28d9546192291811e21a2cc346e565c5e580bb1a040b63bdcfde7ba08da6383ed4de932d0e6127548431e0c477717c54c1433236609ad6493d41c2759b0bb781

11
sec-policy/selinux-transmission/files/transmission.fc Normal file
View File

@ -0,0 +1,11 @@
/usr/bin/transmission-daemon -- gen_context(system_u:object_r:transmission_exec_t,s0)
/var/lib/transmission(/.*)? gen_context(system_u:object_r:transmission_var_lib_t,s0)
/var/lib/transmission/(/.*)? gen_context(system_u:object_r:transmission_var_lib_t,s0)
/var/log/transmission(/.*)? gen_context(system_u:object_r:transmission_log_t,s0)
/var/run/transmission(/.*)? gen_context(system_u:object_r:transmission_var_run_t,s0)
/usr/share/transmission(/.*)? gen_context(system_u:object_r:transmission_share_t,s0)

326
sec-policy/selinux-transmission/files/transmission.if Normal file
View File

@ -0,0 +1,326 @@
## <summary>policy for transmission</summary>
########################################
## <summary>
## Execute transmission_exec_t in the transmission domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`transmission_domtrans',`
gen_require(`
type transmission_t, transmission_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, transmission_exec_t, transmission_t)
')
######################################
## <summary>
## Execute transmission in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_exec',`
gen_require(`
type transmission_exec_t;
')
corecmd_search_bin($1)
can_exec($1, transmission_exec_t)
')
########################################
## <summary>
## Read transmission's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`transmission_read_log',`
gen_require(`
type transmission_log_t;
')
logging_search_logs($1)
read_files_pattern($1, transmission_log_t, transmission_log_t)
')
########################################
## <summary>
## Append to transmission log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_append_log',`
gen_require(`
type transmission_log_t;
')
logging_search_logs($1)
append_files_pattern($1, transmission_log_t, transmission_log_t)
')
########################################
## <summary>
## Manage transmission log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_manage_log',`
gen_require(`
type transmission_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, transmission_log_t, transmission_log_t)
manage_files_pattern($1, transmission_log_t, transmission_log_t)
manage_lnk_files_pattern($1, transmission_log_t, transmission_log_t)
')
########################################
## <summary>
## Search transmission lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_search_lib',`
gen_require(`
type transmission_var_lib_t;
')
allow $1 transmission_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read transmission lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_read_lib_files',`
gen_require(`
type transmission_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
')
########################################
## <summary>
## Manage transmission lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_manage_lib_files',`
gen_require(`
type transmission_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
')
########################################
## <summary>
## Manage transmission lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_manage_lib_dirs',`
gen_require(`
type transmission_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, transmission_var_lib_t, transmission_var_lib_t)
')
########################################
## <summary>
## Read transmission PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_read_pid_files',`
gen_require(`
type transmission_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, transmission_var_run_t, transmission_var_run_t)
')
########################################
## <summary>
## Transmission PID files trsansiotions.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`transmission_pid_trans',`
gen_require(`
type transmission_t;
type var_run_t;
type transmission_var_run_t;
type initrc_t;
')
manage_dirs_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
manage_files_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
manage_lnk_files_pattern(transmission_t, transmission_var_run_t, transmission_var_run_t)
files_pid_filetrans(transmission_t, transmission_var_run_t, { dir file lnk_file })
filetrans_pattern(initrc_t, var_run_t, transmission_var_run_t, dir, "transmission")
')
########################################
## <summary>
## All of the rules required to administrate
## an transmission environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`transmission_admin',`
gen_require(`
type transmission_t;
type transmission_log_t;
type transmission_var_lib_t;
type transmission_var_run_t;
')
allow $1 transmission_t:process { signal_perms };
ps_process_pattern($1, transmission_t)
tunable_policy(`deny_ptrace',`',`
allow $1 transmission_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, transmission_log_t)
files_search_var_lib($1)
admin_pattern($1, transmission_var_lib_t)
files_search_pids($1)
admin_pattern($1, transmission_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')
########################################
## <summary>
## Bind TCP sockets to the transmission peer port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_transmission_peer_port',`
gen_require(`
type transmission_peer_port_t;
')
allow $1 transmission_peer_port_t:tcp_socket name_bind;
')
########################################
## <summary>
## Bind UDP sockets to the transmission peer port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_udp_bind_transmission_peer_port',`
gen_require(`
type transmission_peer_port_t;
')
allow $1 transmission_peer_port_t:udp_socket name_bind;
')
########################################
## <summary>
## Bind TCP sockets to the transmission rpc port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_transmission_rpc_port',`
gen_require(`
type transmission_rpc_port_t;
')
allow $1 transmission_rpc_port_t:tcp_socket name_bind;
')

108
sec-policy/selinux-transmission/files/transmission.te Normal file
View File

@ -0,0 +1,108 @@
policy_module(transmission, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow transmission to use DHT, uTP and LPD.
## The correspondig port must be transmission_peer_port_t.
## </p>
## </desc>
gen_tunable(transmission_use_udp, true)
## <desc>
## <p>
## Allow transmission to use RPC.
## The correspondig port must be transmission_rpc_port_t.
## </p>
## </desc>
gen_tunable(transmission_use_rpc, true)
type transmission_t;
type transmission_exec_t;
init_daemon_domain(transmission_t, transmission_exec_t)
#permissive transmission_t;
type transmission_log_t;
logging_log_file(transmission_log_t)
type transmission_var_lib_t;
files_type(transmission_var_lib_t)
type transmission_var_run_t;
files_pid_file(transmission_var_run_t)
type transmission_share_t;
files_type(transmission_share_t)
type transmission_peer_port_t;
corenet_port(transmission_peer_port_t)
#portcon tcp 51413 gen_context(system_u:object_r:transmission_peer_port_t,s0)
#portcon tcp 5413 gen_context(system_u:object_r:transmission_peer_port_t,s0)
#portcon tcp 6771 gen_context(system_u:object_r:transmission_peer_port_t,s0)
type transmission_rpc_port_t;
corenet_port(transmission_rpc_port_t)
#portcon tcp 9091 gen_context(system_u:object_r:transmission_rpc_port_t,s0)
########################################
#
# transmission local policy
#
allow transmission_t self:process { fork setrlimit };
allow transmission_t self:fifo_file rw_fifo_file_perms;
#allow transmission_t self:unix_stream_socket create_stream_socket_perms;
allow transmission_t self:tcp_socket { accept listen };
corenet_tcp_bind_transmission_peer_port(transmission_t)
corenet_tcp_bind_rtorrent_port(transmission_t)
corenet_tcp_bind_generic_node(transmission_t)
corenet_tcp_connect_all_ports(transmission_t)
kernel_read_kernel_sysctls(transmission_t)
kernel_read_network_state(transmission_t)
manage_dirs_pattern(transmission_t, transmission_log_t, transmission_log_t)
manage_files_pattern(transmission_t, transmission_log_t, transmission_log_t)
manage_lnk_files_pattern(transmission_t, transmission_log_t, transmission_log_t)
logging_log_filetrans(transmission_t, transmission_log_t, { dir file lnk_file })
manage_dirs_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
manage_files_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
manage_lnk_files_pattern(transmission_t, transmission_var_lib_t, transmission_var_lib_t)
files_var_lib_filetrans(transmission_t, transmission_var_lib_t, { dir file lnk_file })
read_files_pattern(transmission_t, transmission_share_t, transmission_share_t)
miscfiles_read_generic_certs(transmission_t)
fs_get_xattr_fs_quotas(transmission_t)
fs_getattr_xattr_fs(transmission_t)
transmission_pid_trans(transmission_t)
#domain_use_interactive_fds(transmission_t)
#files_read_etc_files(transmission_t)
auth_use_nsswitch(transmission_t)
logging_send_syslog_msg(transmission_t)
miscfiles_read_localization(transmission_t)
sysnet_dns_name_resolve(transmission_t)
tunable_policy(`transmission_use_udp',`
corenet_udp_bind_transmission_peer_port(transmission_t)
corenet_udp_bind_rtorrent_port(transmission_t)
corenet_udp_bind_generic_node(transmission_t)
')
tunable_policy(`transmission_use_rpc',`
corenet_tcp_bind_transmission_rpc_port(transmission_t)
')

20
sec-policy/selinux-transmission/selinux-transmission-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="transmission"
POLICY_FILES="transmission.te transmission.fc transmission.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for transmission"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

6
sec-policy/selinux-wireguard/Manifest Normal file
View File

@ -0,0 +1,6 @@
AUX wireguard.fc 250 BLAKE2B 10976a1e72bc8a7962920e4831e25bd8bd36c11d4890d0955e3d85453ebf821d2a1403b68bd178cddc3a8f09c4ce328a9628e0257d72635eb32d6184e18fa2d6 SHA512 248873b7767631ff46f014c8ccc7fcf73077962a037359a1b551a028812e6d2a351ed1f36e5e3717a39612323befa39c5d3c4e6dfc96bcdec08498bcd5f451c5
AUX wireguard.if 2642 BLAKE2B 292ac6cfda215ffa8b97a2471a42f7e778e84357b268549497ce589e2c9d27ba4e03ee2090618690e6ce34f6436d962eb9fce98a41e37823c63f27d91d9cbc1e SHA512 96a31ab31e57f71bfa7c76a95386e845a50eeb748d9632197e89d3e3d7f7ed3d29d3b30bed668f569bdebebd2803736d1638784fa9195f877b97e55f96701f71
AUX wireguard.te 2452 BLAKE2B 3408dd5f133978499884236e5fab7480c6be664a82f6862fef7d20d52c9a301fed456520cf61bb9671920d8b2019191a35a1c74702f79ea7c28ca01fa9121d4d SHA512 0af8271f9cfaabbc6f653fa307658cc039f09748972778a6302cc21fd4e9f2023ecd1ff30f2a5ab51f9816c06d6bb2ab3528c94705e582bc3d51b97955296d8b
DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
EBUILD selinux-wireguard-2.20180701-r1.ebuild 402 BLAKE2B 0b9fa44a7cd7fdd8408288b2ed754f23591051e75288e9e50e05a36a0e03eaae39f882a4df3ee3a1c367927922a9e8e57900b72297ef445582a68e2ab06bfa4a SHA512 177f53e4fde327213b713ae19e191f11417ab02ce953abb7742ad16ac685cbdf4a1e12ae4c9f4c24e46da82c16624f4fbe52bf27380d399596c5631f7ade6441

11
sec-policy/selinux-wireguard/files/wireguard.fc Normal file
View File

@ -0,0 +1,11 @@
#
# /etc
#
/etc/wireguard(/.*)? gen_context(system_u:object_r:wireguard_etc_t,s0)
#
# /usr
#
/usr/bin/wg -- gen_context(system_u:object_r:wireguard_exec_t,s0)
/usr/bin/wg-quick -- gen_context(system_u:object_r:wireguard_script_exec_t,s0)

128
sec-policy/selinux-wireguard/files/wireguard.if Normal file
View File

@ -0,0 +1,128 @@
## <summary>Policy for logical volume management programs.</summary>
########################################
## <summary>
## Execute wireguard programs in the wireguard domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`wireguard_domtrans',`
gen_require(`
type wireguard_t, wireguard_exec_t;
type wireguard_script_t, wireguard_script_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, wireguard_exec_t, wireguard_t)
domtrans_pattern($1, wireguard_script_exec_t, wireguard_script_t)
')
########################################
## <summary>
## Execute wireguard programs in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`wireguard_exec',`
gen_require(`
type wireguard_exec_t;
')
corecmd_search_bin($1)
can_exec($1, wireguard_exec_t)
')
########################################
## <summary>
## Execute wireguard programs in the wireguard domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the Wireguard domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`wireguard_run',`
gen_require(`
type wireguard_t, wireguard_script_t;
')
wireguard_domtrans($1)
role $2 types wireguard_t;
role $2 types wireguard_script_t;
')
########################################
## <summary>
## Send wireguard a null signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`wireguard_signull',`
gen_require(`
type wireguard_t;
')
allow $1 wireguard_t:process signull;
')
########################################
## <summary>
## Read Wireguard configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`wireguard_read_config',`
gen_require(`
type wireguard_etc_t;
')
files_search_etc($1)
allow $1 wireguard_etc_t:dir list_dir_perms;
read_files_pattern($1, wireguard_etc_t, wireguard_etc_t)
')
########################################
## <summary>
## Manage Wireguard configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`wireguard_manage_config',`
gen_require(`
type wireguard_etc_t;
')
files_search_etc($1)
manage_dirs_pattern($1, wireguard_etc_t, wireguard_etc_t)
manage_files_pattern($1, wireguard_etc_t, wireguard_etc_t)
')

84
sec-policy/selinux-wireguard/files/wireguard.te Normal file
View File

@ -0,0 +1,84 @@
policy_module(wireguard, 1.0.0)
########################################
#
# Declarations
#
type wireguard_t;
type wireguard_exec_t;
init_system_domain(wireguard_t, wireguard_exec_t)
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin
domain_obj_id_change_exemption(wireguard_t)
role system_r types wireguard_t;
type wireguard_script_t;
type wireguard_script_exec_t;
init_system_domain(wireguard_script_t, wireguard_script_exec_t)
domtrans_pattern(wireguard_script_t, wireguard_exec_t, wireguard_t)
type wireguard_etc_t;
files_type(wireguard_etc_t)
########################################
#
# wireguard Local policy
#
kernel_request_load_module(wireguard_t)
allow wireguard_t self:capability net_admin;
allow wireguard_t self:netlink_generic_socket create_socket_perms;
allow wireguard_t self:netlink_route_socket r_netlink_socket_perms;
allow wireguard_t self:udp_socket create_socket_perms;
allow wireguard_t wireguard_script_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
manage_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
manage_lnk_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
files_etc_filetrans(wireguard_t, wireguard_etc_t, dir)
filetrans_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t, file)
userdom_use_user_ptys(wireguard_t)
domain_use_interactive_fds(wireguard_t)
########################################
#
# wireguard-quick Local policy
#
files_read_etc_files(wireguard_script_t)
corecmd_exec_bin(wireguard_script_t)
corecmd_exec_shell(wireguard_script_t)
sysnet_domtrans_ifconfig(wireguard_script_t)
manage_dirs_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
manage_files_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
manage_lnk_files_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
filetrans_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t, file)
allow wireguard_script_t self:fifo_file rw_fifo_file_perms;
kernel_read_network_state(wireguard_script_t)
miscfiles_read_localization(wireguard_script_t)
userdom_use_user_ptys(wireguard_script_t)
domain_use_interactive_fds(wireguard_script_t)
########################################
#
# optional policy
#
optional_policy(`
gen_require(`
type sysadm_t;
role sysadm_r;
')
wireguard_run(sysadm_t, sysadm_r)
')

20
sec-policy/selinux-wireguard/selinux-wireguard-2.20180701-r1.ebuild Normal file
View File

@ -0,0 +1,20 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
IUSE=""
MODS="wireguard"
POLICY_FILES="wireguard.te wireguard.fc wireguard.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for wireguard"
RDEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else
KEYWORDS="amd64 x86"
fi

27
sys-kernel/linux-hardened-sources/Manifest Normal file
View File

@ -0,0 +1,27 @@
DIST genpatches-4.14-57.base.tar.xz 1472016 BLAKE2B 1905e983d34220a97bda5eb7b1fff09d7ac42dc129b722611c079418133231d6d41f871c20df94a3db5440c8b1374d09ae3303be9e2cb8b70f5d92b61382f3ed SHA512 bace21a042f6e45512a8ffe3cb329c70b3f3548142fbaddbd76b2be50f50276db8f4cc410a7d05915c30c443cc82934893203d3025cd4653387ff6fd64f0b4ae
DIST genpatches-4.14-57.experimental.tar.xz 5216 BLAKE2B ac751059eb363f1327b8cc6a9ad6c993cc56e3a57010f6a7d8b30220a401ec2b607b7eda601b39f1d6480fddb45f7a980ba7ffe7cf808ae382a57cc57a785f39 SHA512 efb2bf34ea83789437388b6becb4c51564c885355dffdfe0f902ded0cd0a9dbc534a891a8eddde76418a651f0da41d8a7402e672688b2cccaae5897ce0bfb744
DIST genpatches-4.14-57.extras.tar.xz 17488 BLAKE2B 6dbe6859eafa2a61d2139572a28046a1278a965aa6a82518b5658c61f18ece4054175116b5907436bc40bd4c32458752fc381cb29806d9e25550a17f81684eab SHA512 49d7a27075e7e113ef39f2da651e9302b51c66d46c4d2960acc648dcd0eb4b608118584dbcbf169d73cf1ed4e105fbae9125f06dda46d346a63f0f35bf23bb4e
DIST genpatches-4.14-66.base.tar.xz 1681920 BLAKE2B 90daa216c9bc74aae62b773d9492b9d9afd211541307765493ea01cab4c1f87e0268fdc3648efe12c9d2be14e14ba1422d44cda87683c618f0d62e469eb47342 SHA512 2eab17379a326581d74d00ace8beac6d2b84f729d6b5e5784d77cfcdfc80d442f7863e0ee8c855c3bc39c54556dafc790854df3b9ab41761bf86ed9ff4a30c68
DIST genpatches-4.14-66.experimental.tar.xz 5224 BLAKE2B 7435fa53f9278635a316a403a4e3ee03ec585338673b3148ef69190901e52dfc1c8cb19a0600eaebb54b120e65c60bb9b688883af33eb0240cd8623f7fea771c SHA512 c1024431a43cb397a65eec12c206ec57cbcf267364ad8dae4875e6ccfa90b955e468907e440db25bb93610898a7b8f8a99dba5ec542ccd850770963b1b5785bf
DIST genpatches-4.14-66.extras.tar.xz 17496 BLAKE2B d156cc7b5612ee7d6d5faed0e606a0c8ed49f952cfe77097e37e432b142b8241f3b9fab156ed71f716540bc906f21050c2901b067b3ba1498893068ad45cb9e3 SHA512 8f3c9098a559556d3e256a9b8243cc5886387f23431501093f3c0ce9599a93fb885c5056d28b9189cbcd693b4c7e3601827abd96e548e659b4a7e33bd3403045
DIST genpatches-4.14-77.base.tar.xz 1897728 BLAKE2B 0481c22f540d3a8f663717ca5771c480a4c88dcd59323ee313b0fa08f887ec855a43cccf928e21978a666509ee96c1a1eb360909278944e625c0c802a2d7e7ac SHA512 d9433d1e5b9232dca6d74928a835bed1e3f27c0affa96e335895df67cb2f7d11d2ba27cd3f6ac40cc51a5a7a670008df91061be5274d61bcc08eb0f06f90d5fe
DIST genpatches-4.14-77.experimental.tar.xz 5224 BLAKE2B 8d0b8f1e8a2953e500b9d3e654cd89d40ba0bae53a014b1bee8fb19e6580dbf33687821bb3edbffa2db8daf3fdfb521ce3232f9b4aca0f4d2661be8115220c8c SHA512 a063a5e76f391a0d8011a0a1bb1fa06e6693c7efb211e5d25bfa5f39b6dc216f3c965ec1303a1d865c4b3c1484e03a4b99f3097759a0e15b15ca8b11215a3342
DIST genpatches-4.14-77.extras.tar.xz 17492 BLAKE2B abaf103790fceab73cacd949473e50b8d678e0fb1ead41a36577a02e48805052c8d10f78ce474c215773117e9aeb97a49123b58a3ce42348520e32415838ec13 SHA512 28db86e6cfeaa3293d5a9db43774d5c0710492e9ca6b750a687b65a4d38e3a6cc196f689025bf7ce8fded4e97a221f4e2c4352e1ffc2a465fb3546a8d6712536
DIST genpatches-4.14-91.base.tar.xz 2173020 BLAKE2B a054b2d25fded4313d894a7a3713eea66d365816bf9e2b2c8f7d8d46bbacc4008400fd469c1e485b09645ac3e2003647832ea4135871f245d6b018158fd51f4c SHA512 171fc023e1bb36c695ad61692cb77332b4b53a4088a165a9a18e53a4a51a8969a7aee4656983ee3f5d330894e411de37ca4fc18aa8856a3f0e4f725583539503
DIST genpatches-4.14-91.experimental.tar.xz 5224 BLAKE2B b273895fd1286b3d6f60b244817eedd72b4db34cbe8cf2b595e5154f9d42f1f50f2a30d5f53cbe4228ed4314c9a66f3f8e493d4d2448efd08f9f0de050b4ca1a SHA512 5cd49e9f7428e451be705027a818eef41be88ac3ecf55f8fa3b3a8a4858267c7a8ba3c5901b5dbe66934c1154d49aacfdf86ced0e26c0056ef1832abe5a32e6d
DIST genpatches-4.14-91.extras.tar.xz 17484 BLAKE2B 9d8abd5f5c71b957634f475645a2549b661b485e0cb100abdb715a2349a05114cba0c5f77b815aa6104999d32e6620558c17bea8746da55f077a4f00a06a404b SHA512 3d0c7ae83e6ed69d9debe45bcd409c6225af199068957f176dead4074dda9e3c4542db1fac6f4fd2a13672d6c5b428b763a615886cf3c80fb102771ea29b29ec
DIST genpatches-4.19-25.base.tar.xz 744736 BLAKE2B e88e4c307d93db643f0b2ffb9f97b81763c1d7a903db652c52c29ace6eb2e911b0b685d66120203156caa8a50a6cf927594c62e5b45b4bf490217f367c3cc9b3 SHA512 3939582c9d641e4bd1e13f35b52dde7720bc3e9f4052145d7c88e88d0929474461fbb5d42ee58378150b8e64c276d455193467835cb38e9639e212de932434ef
DIST genpatches-4.19-25.experimental.tar.xz 5808 BLAKE2B fb7b0ae0e7aba6f696e1ca23b97a84ca92764bce107596309d4f692f24a51deee3b45c6c3d5921de28bbca79677c1582ee2c36ab307005fa2f330123e4ef9018 SHA512 574ef13dbfaee86613336e356efb50b83e11a8cf5fa83533b946d706245a462fc5d47d6cdf93586ab63770b06af637fa739811159d50439e60f45629705741a0
DIST genpatches-4.19-25.extras.tar.xz 17484 BLAKE2B 68a2cad49ec8b0f54b108728aa69accbe0e4eb209f5fde95142adfe7df5625291a7ab03a9b051e6b198bfb95b85c156aac3cc295835e74568be75d5e9575c91b SHA512 b407e59af09d8951fe2bf195c430054cadba0e1cc60d712ad7040a50ca198cdf17adb5fc932b69ec50fdd71287cd8736f34fd0d9648e32b9ae802e98dae76aa3
DIST linux-4.14.tar.xz 100770500 BLAKE2B 85dc4aa953fe65e273a24473d8de98e4f204f97c43be9fc87cf5be01f796f94cfde5c8f9c84619751f1cac51f83ce0b4681fb19c5f2965a72d4a94fe5577846a SHA512 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
DIST linux-4.19.tar.xz 103117552 BLAKE2B 1dbf16cf410867412d17568fe42bc1e90c034183b654d270b650621ff7664a321950943d0639205bc1ee7ef6210be170c1f2c785a042ed8a4ec5e3a486d890e0 SHA512 ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4
DIST linux-hardened-4.14.52.a.patch 96384 BLAKE2B 2297f1265882e89183db613152f75dde295493f43fe8808dc973c9c1ee38e13c7d3ed45015fb70e8dc0ed1de91b810fe5a315a39220b652b0626d58ef21f08ff SHA512 dbe794cbc7668706671f05278bd54c0759e6ef2beba9f2be34d5baa100afb5631718dddf25c3b4ad46d3f715ab78608509be80d0e567bc8eaae92b7039fec80a
DIST linux-hardened-4.14.61.a.patch 96384 BLAKE2B 8044c01423578d404a8a775f0e204ca531adbfc6ecb1b39aaea3fa28701a2f4920aafd50b420ba77a72866ef26deeedc0cd7750b8f4de412215f1993e6d7026b SHA512 6bf784c4b26eefdb655820cdfaa8592e339b43a0853c76bc696ecde66240170cb535af54ef8963d28319805f05d9242d70f61f83c9b030764dd614c7d561e7f5
DIST linux-hardened-4.14.71.a.patch 96384 BLAKE2B af0f1c7562066319749c62a1e0865560dfa5381650913d43219fd93daebee6747e385e4b1803736b7e00c79f088bf89730814da245ecea993fc827983b15fffe SHA512 4e725582bd9fe6e52699edf8bc0beb29d4040a0483b891df6c3aad0b85a5e83f81c5d9332842ed2c89312e3665c48f5513b6255164dd14800dec665d971f9161
DIST linux-hardened-4.14.84.a.patch 96384 BLAKE2B 3232358ded70261db9a752882d062a439559718c2df901768cd2f7ceb1cbe8991000654cfe1c4bc8a2f3b3524c0bdc943b26a02261717c1831aba00380fba17e SHA512 36f2492823d26bbe831401582ff8b1f43ef30c40d817039b73b38bda3a7718ebfe95c41254fea1e2ef801f875efbc65ae54de5e3533c345bd65393c187f9b645
DIST linux-hardened-4.19.25.a.patch 92707 BLAKE2B 9407d2b9f7c9ce4deb4711cbbf53a7d27e200843ab2550b05fe2869c7e383cca274c233ba4f9216f867652ee15833b53ec1ee8344d083f896854c7536574398c SHA512 feb38fcc59280b45f8b1d7ea4f49c890614cdb9fd0c2e7351980f479821d93f87082ae7a38026557155dfda43f489619aff6436ea366c79054b1271b6deffe0a
EBUILD linux-hardened-sources-4.14.52.ebuild 1711 BLAKE2B 85b226aac4d1aade665a2297fa4de961785617996c9d0c6afafc06fdaac6d26c8346ed1421106e471f80fa1c01782b3eeea005891d8c988931dad2f98bf188a1 SHA512 1368cecc3905f61c04cb7cc3237c9d68c4960c79e0d61ea76401a3326eb57a3650f01b72aeee8b29fb4502a512cece60d984a2983788142043d640dadc053f92
EBUILD linux-hardened-sources-4.14.61.ebuild 1711 BLAKE2B f98603311888d24a94e983c50bf7d586d1fefb9b82d514145ec132481741c2e3346dd8b8794854aceb52e98bfc2ca574b4ab590ea39426b07ba8201153ee72c6 SHA512 1bc341db4dc6bc867d288dff3b8e6e3f0c536866a3ec96641d6171a11f045c53748ce5a8a15fcecb7aa3361f00a1a51afab126cb2c24bdb019c59007e2ffb9d9
EBUILD linux-hardened-sources-4.14.71.ebuild 1713 BLAKE2B da0595a9d99d727f4804222ebcc1de582b92737799cb15463b59362387e87464e8ca6d9e12370631f9a18c664af29c1a438ed3e14c6c4f64d31e3e6c18523ac2 SHA512 0021719b56361eba8a3b8be1f91e0309818b57df2632c0bc3d13be71db8c0a0a0721c6d75d99bc011d74ba08806d19de136c835d3973beddd11841ae1b868318
EBUILD linux-hardened-sources-4.14.84.ebuild 1713 BLAKE2B 7493da3ae2083bef4f362a687b324c693a23f94d65cd1a37e423bfa69e1659134dcd463fa3e52d24f6e79d79187a10f265bd95456b34af6bad167d67e0582a5f SHA512 b64e585a38ac688e3b4b21fb56dbba4083127e1f51dfc0da733c1b2bdeb84a4fd8674b5525ecec84a5f5215d3373d120dc6dce46036475587c43043ba5510342
EBUILD linux-hardened-sources-4.19.25.ebuild 1713 BLAKE2B 66a5f28b006d057d8894e32434a299429a6522d2a0cd849c66599533fa597673243ffefc9b7e6868ffe5636c39dd8f806b75b87bf97951984b2fe35684250e34 SHA512 06f5d3f8900a80327b87224051f7b278576938031a7873748534910cc1c77e8c9a4da8b45235ad99731618671fd44663d1fbf98800de7bf5257a9d6529d27d6f

50
sys-kernel/linux-hardened-sources/linux-hardened-sources-4.14.52.ebuild Normal file
View File

@ -0,0 +1,50 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# See https://blogs.gentoo.org/ago/2017/08/21/sys-kernel-grsecurity-sources-available
EAPI="6"
ETYPE="sources"
#K_GENPATCHES_VER="not-empty" # Set to not-empty to avoid the useless download of patch-*.xz
K_WANT_GENPATCHES="base extras experimental"
K_GENPATCHES_VER="57"
K_NOSETEXTRAVERSION="1"
NAME="linux-hardened"
MINOR_VER=".a"
PN="hardened"
inherit kernel-2
detect_version
detect_arch
UNIPATCH_LIST="${DISTDIR}/${NAME}-${PV}.a.patch
${FILESDIR}/4.14/*.patch"
UNIPATCH_EXCLUDE="1500_XATTR_USER_PREFIX.patch
1510_fs-enable-link-security-restrictions-by-default.patch
2900_dev-root-proc-mount-fix.patch
4200_fbcondecor.patch
4400_alpha-sysctl-uac.patch"
LINHARD_URI="https://github.com/anthraxx/${NAME}/releases/download/${PV}${MINOR_VER}/${NAME}-${PV}${MINOR_VER}.patch"
KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
IUSE="experimental"
DESCRIPTION="Full sources including the Gentoo, ArchLinux and Linux Hardened patches for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${LINHARD_URI} ${ARCH_URI}"
src_compile() {
echo "${MINOR_VER}-hardened" > ${S}/localversion-hardened
}
pkg_postinst() {
kernel-2_pkg_postinst
einfo "For more info on this patchset, and how to report problems, see:"
einfo "${HOMEPAGE}"
}
pkg_postrm() {
kernel-2_pkg_postrm
}

Some files were not shown because too many files have changed in this diff Show More