From patchwork Wed Dec 23 23:06:55 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Matthias Fischer <matthias.fischer@ipfire.org>
X-Patchwork-Id: 3751
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4D1TP34zknz3wx8
	for <patchwork@web04.haj.ipfire.org>; Wed, 23 Dec 2020 23:07:03 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4D1TP25KSpz128;
	Wed, 23 Dec 2020 23:07:02 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4D1TP24Yylz2xpb;
	Wed, 23 Dec 2020 23:07:02 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4D1TP10Xj6z2xdM
 for <development@lists.ipfire.org>; Wed, 23 Dec 2020 23:07:01 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4D1TNz6r0XzBP
 for <development@lists.ipfire.org>; Wed, 23 Dec 2020 23:06:59 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1608764820;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=S5xLZb0JcQ9hA6y05spZI6AWEHrwLQlnPvTISHzVC70=;
 b=6KrkTQWVt5ex2vOWWpw5YClKMU4479+VMTMvCD08qQpcdjJZm+mKvfpAU5dYHQXP6lWWZI
 B82IU6pBJof9+RBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1608764820;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=S5xLZb0JcQ9hA6y05spZI6AWEHrwLQlnPvTISHzVC70=;
 b=iFCCCgG8/5AC6T747F2pgQ4Cy9cQ0HHjCYXBF9adKm28V+tV9WxyySuaTdQ66qk9Sy+bZX
 RD8TICgILeJDT7QZH6SIhgUPzncTx0naLGoEk5xCx9pt6LlYqfX6TOWalJHpQrOV8gwHRG
 qkGgf+xIyR1aMAUHRTxVY/GbGzeKTB4P4cWYopBxg7RVsOj3Xnd1TKlwg1gi0XSXwm/abp
 a7FrwyR+DzlCAkeYQnurRrUWQ+U4h4X6O9/7O0tsZM4OZI/xz5AjDZXV09w6R8fbjxscH8
 VlCFlPKAppO7+wj+v6IrQ1buBpyqRrwv3aMZN8O2Pu9N1nrE88/FFBWe+KRf1A==
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] [V2] dhcpcd: Update to 9.3.4
Date: Thu, 24 Dec 2020 00:06:55 +0100
Message-Id: <20201223230655.2068-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

For details see:
https://roy.marples.name/archives/dhcpcd-discuss/0003334.html

This version contains the official fix from here:
https://roy.marples.name/cgit/dhcpcd.git/commit/?id=12cdb2be46e25e1ab99df18324b787ad8749dff7

This should fix Bug #12552 (dhcpcd-9.3.4 crash with bad system call)
on 32bit/i686 systems.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 lfs/dhcpcd                                    |  7 ++--
 ...r_SECCOMP_as_it_just_uses_socketcall.patch | 36 +++++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch

diff --git a/lfs/dhcpcd b/lfs/dhcpcd
index 3bd33dc56..4e34e19d5 100644
--- a/lfs/dhcpcd
+++ b/lfs/dhcpcd
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 9.1.4
+VER        = 9.3.4
 
 THISAPP    = dhcpcd-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = dd77711cf3232002bb075f5210269f88
+$(DL_FILE)_MD5 = badb02dfc69fe9bbeec35a02efcdb4db
 
 install : $(TARGET)
 
@@ -70,6 +70,9 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
+
 	cd $(DIR_APP) && ./configure --prefix="" --sysconfdir=/var/ipfire/dhcpc \
 			--dbdir=/var/ipfire/dhcpc \
 			--libexecdir=/var/ipfire/dhcpc \
diff --git a/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
new file mode 100644
index 000000000..9efcde219
--- /dev/null
+++ b/src/patches/dhcpcd/01_Fix_Linux_i386_for_SECCOMP_as_it_just_uses_socketcall.patch
@@ -0,0 +1,36 @@
+diff --git a/src/privsep-linux.c b/src/privsep-linux.c
+index 050a30cf..d31d720d 100644
+--- a/src/privsep-linux.c
++++ b/src/privsep-linux.c
+@@ -32,6 +32,7 @@
+ 
+ #include <linux/audit.h>
+ #include <linux/filter.h>
++#include <linux/net.h>
+ #include <linux/seccomp.h>
+ #include <linux/sockios.h>
+ 
+@@ -304,6 +305,23 @@ static struct sock_filter ps_seccomp_filter[] = {
+ #ifdef __NR_sendto
+ 	SECCOMP_ALLOW(__NR_sendto),
+ #endif
++#ifdef __NR_socketcall
++	/* i386 needs this and demonstrates why SECCOMP
++	 * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
++	 * as this is soooo tied to the kernel API which changes per arch
++	 * and likely libc as well. */
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT),	/* overflow */
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
++	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
++#endif
+ #ifdef __NR_shutdown
+ 	SECCOMP_ALLOW(__NR_shutdown),
+ #endif