diff options
author | Mike Gilbert <floppym@gentoo.org> | 2019-02-17 13:31:37 -0500 |
---|---|---|
committer | Mike Gilbert <floppym@gentoo.org> | 2019-02-18 18:31:56 -0500 |
commit | c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27 (patch) | |
tree | ef848494eb2164e9effe11175c84842559c73057 | |
parent | eclass: Fix kernel dependency for gcc v8 patch in kernel-2.eclass (diff) | |
download | gentoo-c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27.tar.gz gentoo-c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27.tar.bz2 gentoo-c0e6ffa5671fad0b3830348ff960b8ec4e3d2f27.zip |
sys-apps/systemd: backport patches for CVE-2019-6454
Bug: https://bugs.gentoo.org/677944
Package-Manager: Portage-2.3.59_p2, Repoman-2.3.12_p67
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
4 files changed, 751 insertions, 0 deletions
diff --git a/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch b/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch new file mode 100644 index 000000000000..6a0c8d1b0c51 --- /dev/null +++ b/sys-apps/systemd/files/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch @@ -0,0 +1,48 @@ +From 29de632674473729d1e9497b6fe47e7c88682ed9 Mon Sep 17 00:00:00 2001 +From: Riccardo Schirone <rschiron@redhat.com> +Date: Mon, 4 Feb 2019 14:29:09 +0100 +Subject: [PATCH 1/3] Refuse dbus message paths longer than BUS_PATH_SIZE_MAX + limit. + +Even though the dbus specification does not enforce any length limit on the +path of a dbus message, having to analyze too long strings in PID1 may be +time-consuming and it may have security impacts. + +In any case, the limit is set so high that real-life applications should not +have a problem with it. +--- + src/libsystemd/sd-bus/bus-internal.c | 2 +- + src/libsystemd/sd-bus/bus-internal.h | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c +index 40acae2133..598b7f110c 100644 +--- a/src/libsystemd/sd-bus/bus-internal.c ++++ b/src/libsystemd/sd-bus/bus-internal.c +@@ -43,7 +43,7 @@ bool object_path_is_valid(const char *p) { + if (slash) + return false; + +- return true; ++ return (q - p) <= BUS_PATH_SIZE_MAX; + } + + char* object_path_startswith(const char *a, const char *b) { +diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h +index f208b294d8..a8d61bf72a 100644 +--- a/src/libsystemd/sd-bus/bus-internal.h ++++ b/src/libsystemd/sd-bus/bus-internal.h +@@ -332,6 +332,10 @@ struct sd_bus { + + #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) + #define BUS_AUTH_SIZE_MAX (64*1024) ++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one ++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, ++ * to not clash unnecessarily with real-life applications. */ ++#define BUS_PATH_SIZE_MAX (64*1024) + + #define BUS_CONTAINER_DEPTH 128 + +-- +2.20.1 + diff --git a/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch b/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch new file mode 100644 index 000000000000..bbc6db974d4a --- /dev/null +++ b/sys-apps/systemd/files/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch @@ -0,0 +1,188 @@ +From 1ffe59592c5cbf924eb81a3662b4252ba6de7132 Mon Sep 17 00:00:00 2001 +From: Riccardo Schirone <rschiron@redhat.com> +Date: Mon, 4 Feb 2019 14:29:28 +0100 +Subject: [PATCH 2/3] Allocate temporary strings to hold dbus paths on the heap + +Paths are limited to BUS_PATH_SIZE_MAX but the maximum size is anyway too big +to be allocated on the stack, so let's switch to the heap where there is a +clear way to understand if the allocation fails. +--- + src/libsystemd/sd-bus/bus-objects.c | 68 +++++++++++++++++++++++------ + 1 file changed, 54 insertions(+), 14 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c +index 58329f3fe7..54b977418e 100644 +--- a/src/libsystemd/sd-bus/bus-objects.c ++++ b/src/libsystemd/sd-bus/bus-objects.c +@@ -1133,7 +1133,8 @@ static int object_manager_serialize_path_and_fallbacks( + const char *path, + sd_bus_error *error) { + +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -1149,7 +1150,12 @@ static int object_manager_serialize_path_and_fallbacks( + return 0; + + /* Second, add fallback vtables registered for any of the prefixes */ +- prefix = newa(char, strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_manager_serialize_path(bus, reply, prefix, path, true, error); + if (r < 0) +@@ -1345,6 +1351,7 @@ static int object_find_and_run( + } + + int bus_process_object(sd_bus *bus, sd_bus_message *m) { ++ _cleanup_free_ char *prefix = NULL; + int r; + size_t pl; + bool found_object = false; +@@ -1369,9 +1376,12 @@ int bus_process_object(sd_bus *bus, sd_bus_message *m) { + assert(m->member); + + pl = strlen(m->path); +- do { +- char prefix[pl+1]; ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + ++ do { + bus->nodes_modified = false; + + r = object_find_and_run(bus, m, m->path, false, &found_object); +@@ -1498,9 +1508,15 @@ static int bus_find_parent_object_manager(sd_bus *bus, struct node **out, const + + n = hashmap_get(bus->nodes, path); + if (!n) { +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; ++ ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + +- prefix = newa(char, strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + n = hashmap_get(bus->nodes, prefix); + if (n) +@@ -2083,8 +2099,9 @@ _public_ int sd_bus_emit_properties_changed_strv( + const char *interface, + char **names) { + ++ _cleanup_free_ char *prefix = NULL; + bool found_interface = false; +- char *prefix; ++ size_t pl; + int r; + + assert_return(bus, -EINVAL); +@@ -2105,6 +2122,12 @@ _public_ int sd_bus_emit_properties_changed_strv( + + BUS_DONT_DESTROY(bus); + ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + do { + bus->nodes_modified = false; + +@@ -2114,7 +2137,6 @@ _public_ int sd_bus_emit_properties_changed_strv( + if (bus->nodes_modified) + continue; + +- prefix = newa(char, strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names); + if (r != 0) +@@ -2246,7 +2268,8 @@ static int object_added_append_all_prefix( + + static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { + _cleanup_set_free_ Set *s = NULL; +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2291,7 +2314,12 @@ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *p + if (bus->nodes_modified) + return 0; + +- prefix = newa(char, strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_added_append_all_prefix(bus, m, s, prefix, path, true); + if (r < 0) +@@ -2430,7 +2458,8 @@ static int object_removed_append_all_prefix( + + static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { + _cleanup_set_free_ Set *s = NULL; +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2462,7 +2491,12 @@ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char + if (bus->nodes_modified) + return 0; + +- prefix = newa(char, strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_removed_append_all_prefix(bus, m, s, prefix, path, true); + if (r < 0) +@@ -2612,7 +2646,8 @@ static int interfaces_added_append_one( + const char *path, + const char *interface) { + +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2626,7 +2661,12 @@ static int interfaces_added_append_one( + if (bus->nodes_modified) + return 0; + +- prefix = newa(char, strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true); + if (r != 0) +-- +2.20.1 + diff --git a/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch b/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch new file mode 100644 index 000000000000..cc03893a588d --- /dev/null +++ b/sys-apps/systemd/files/CVE-2019-6454/0003-sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch @@ -0,0 +1,54 @@ +From 8d3cea620ab661897fb485ece7332a9073c1783d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Wed, 13 Feb 2019 16:51:22 +0100 +Subject: [PATCH 3/3] sd-bus: if we receive an invalid dbus message, ignore and + proceeed + +dbus-daemon might have a slightly different idea of what a valid msg is +than us (for example regarding valid msg and field sizes). Let's hence +try to proceed if we can and thus drop messages rather than fail the +connection if we fail to validate a message. + +Hopefully the differences in what is considered valid are not visible +for real-life usecases, but are specific to exploit attempts only. +--- + src/libsystemd/sd-bus/bus-socket.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c +index 30d6455b6f..441b4a816f 100644 +--- a/src/libsystemd/sd-bus/bus-socket.c ++++ b/src/libsystemd/sd-bus/bus-socket.c +@@ -1072,7 +1072,7 @@ static int bus_socket_read_message_need(sd_bus *bus, size_t *need) { + } + + static int bus_socket_make_message(sd_bus *bus, size_t size) { +- sd_bus_message *t; ++ sd_bus_message *t = NULL; + void *b; + int r; + +@@ -1097,7 +1097,9 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { + bus->fds, bus->n_fds, + NULL, + &t); +- if (r < 0) { ++ if (r == -EBADMSG) ++ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description)); ++ else if (r < 0) { + free(b); + return r; + } +@@ -1108,7 +1110,8 @@ static int bus_socket_make_message(sd_bus *bus, size_t size) { + bus->fds = NULL; + bus->n_fds = 0; + +- bus->rqueue[bus->rqueue_size++] = t; ++ if (t) ++ bus->rqueue[bus->rqueue_size++] = t; + + return 1; + } +-- +2.20.1 + diff --git a/sys-apps/systemd/systemd-241-r1.ebuild b/sys-apps/systemd/systemd-241-r1.ebuild new file mode 100644 index 000000000000..47f33c6fcff7 --- /dev/null +++ b/sys-apps/systemd/systemd-241-r1.ebuild @@ -0,0 +1,461 @@ +# Copyright 2011-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 +else + MY_PV=${PV/_/-} + MY_P=${PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/systemd/archive/v${MY_PV}/${MY_P}.tar.gz" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" +fi + +PYTHON_COMPAT=( python{3_5,3_6,3_7} ) + +inherit bash-completion-r1 linux-info meson multilib-minimal ninja-utils pam python-any-r1 systemd toolchain-funcs udev user + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE="acl apparmor audit build cryptsetup curl elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr ssl +sysv-utils test vanilla xkb" + +REQUIRED_USE="importd? ( curl gcrypt lzma )" +RESTRICT="!test? ( test )" + +MINKV="3.11" + +COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + !<sys-libs/glibc-2.16 + acl? ( sys-apps/acl:0= ) + apparmor? ( sys-libs/libapparmor:0= ) + audit? ( >=sys-process/audit-2:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= ) + curl? ( net-misc/curl:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + http? ( + >=net-libs/libmicrohttpd-0.9.33:0= + ssl? ( >=net-libs/gnutls-3.1.4:0= ) + ) + idn? ( + libidn2? ( net-dns/libidn2:= ) + !libidn2? ( net-dns/libidn:= ) + ) + importd? ( + app-arch/bzip2:0= + sys-libs/zlib:0= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + nat? ( net-firewall/iptables:0= ) + pam? ( virtual/pam:=[${MULTILIB_USEDEP}] ) + pcre? ( dev-libs/libpcre2 ) + qrcode? ( media-gfx/qrencode:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( sys-libs/libselinux:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )" + +# baselayout-2.2 has /run +RDEPEND="${COMMON_DEPEND} + >=sys-apps/baselayout-2.2 + selinux? ( sec-policy/selinux-base-policy[systemd] ) + sysv-utils? ( !sys-apps/sysvinit ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !build? ( || ( + sys-apps/util-linux[kill(-)] + sys-process/procps[kill(+)] + sys-apps/coreutils[kill(-)] + ) ) + !sys-auth/nss-myhostname + !<sys-kernel/dracut-044 + !sys-fs/eudev + !sys-fs/udev" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-apps/hwids-20150417[udev] + >=sys-fs/udev-init-scripts-25 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND=" + >=sys-kernel/linux-headers-${MINKV} + gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) +" + +BDEPEND=" + app-arch/xz-utils:0 + dev-util/gperf + >=dev-util/meson-0.46 + >=dev-util/intltool-0.50 + >=sys-apps/coreutils-8.16 + virtual/pkgconfig[${MULTILIB_USEDEP}] + test? ( sys-apps/dbus ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]') +" + +pkg_pretend() { + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~AUTOFS4_FS ~BLK_DEV_BSG ~CGROUPS + ~CHECKPOINT_RESTORE ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!FW_LOADER_USER_HELPER_FALLBACK ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + kernel_is -lt 3 7 && CONFIG_CHECK+=" ~HOTPLUG" + kernel_is -lt 4 7 && CONFIG_CHECK+=" ~DEVPTS_MULTIPLE_INSTANCES" + kernel_is -ge 4 10 && CONFIG_CHECK+=" ~CGROUP_BPF" + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + : +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + # Do NOT add patches here + local PATCHES=() + + [[ -d "${WORKDIR}"/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + # Add local patches here + PATCHES+=( + "${FILESDIR}"/CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch + "${FILESDIR}"/CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch + ) + + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-Dont-enable-audit-by-default.patch" + "${FILESDIR}/gentoo-systemd-user-pam.patch" + "${FILESDIR}/gentoo-uucp-group-r1.patch" + "${FILESDIR}/gentoo-generator-path-r1.patch" + ) + fi + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +meson_use() { + usex "$1" true false +} + +meson_multilib() { + if multilib_is_native_abi; then + echo true + else + echo false + fi +} + +meson_multilib_native_use() { + if multilib_is_native_abi && use "$1"; then + echo true + else + echo false + fi +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + # make sure we get /bin:/sbin in PATH + -Dsplit-usr=$(usex split-usr true false) + -Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")" + -Dsysvinit-path= + -Dsysvrcnd-path= + # Avoid infinite exec recursion, bug 642724 + -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" + # no deps + -Defi=$(meson_multilib) + -Dima=true + # Optional components/dependencies + -Dacl=$(meson_multilib_native_use acl) + -Dapparmor=$(meson_multilib_native_use apparmor) + -Daudit=$(meson_multilib_native_use audit) + -Dlibcryptsetup=$(meson_multilib_native_use cryptsetup) + -Dlibcurl=$(meson_multilib_native_use curl) + -Delfutils=$(meson_multilib_native_use elfutils) + -Dgcrypt=$(meson_use gcrypt) + -Dgnu-efi=$(meson_multilib_native_use gnuefi) + -Defi-libdir="${EPREFIX}/usr/$(get_libdir)" + -Dmicrohttpd=$(meson_multilib_native_use http) + $(usex http -Dgnutls=$(meson_multilib_native_use ssl) -Dgnutls=false) + -Dimportd=$(meson_multilib_native_use importd) + -Dbzip2=$(meson_multilib_native_use importd) + -Dzlib=$(meson_multilib_native_use importd) + -Dkmod=$(meson_multilib_native_use kmod) + -Dlz4=$(meson_use lz4) + -Dxz=$(meson_use lzma) + -Dlibiptc=$(meson_multilib_native_use nat) + -Dpam=$(meson_use pam) + -Dpcre2=$(meson_multilib_native_use pcre) + -Dpolkit=$(meson_multilib_native_use policykit) + -Dqrencode=$(meson_multilib_native_use qrcode) + -Dseccomp=$(meson_multilib_native_use seccomp) + -Dselinux=$(meson_multilib_native_use selinux) + #-Dtests=$(meson_multilib_native_use test) + -Ddbus=$(meson_multilib_native_use test) + -Dxkbcommon=$(meson_multilib_native_use xkb) + # hardcode a few paths to spare some deps + -Dkill-path=/bin/kill + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + + # multilib options + -Dbacklight=$(meson_multilib) + -Dbinfmt=$(meson_multilib) + -Dcoredump=$(meson_multilib) + -Denvironment-d=$(meson_multilib) + -Dfirstboot=$(meson_multilib) + -Dhibernate=$(meson_multilib) + -Dhostnamed=$(meson_multilib) + -Dhwdb=$(meson_multilib) + -Dldconfig=$(meson_multilib) + -Dlocaled=$(meson_multilib) + -Dman=$(meson_multilib) + -Dnetworkd=$(meson_multilib) + -Dquotacheck=$(meson_multilib) + -Drandomseed=$(meson_multilib) + -Drfkill=$(meson_multilib) + -Dsysusers=$(meson_multilib) + -Dtimedated=$(meson_multilib) + -Dtimesyncd=$(meson_multilib) + -Dtmpfiles=$(meson_multilib) + -Dvconsole=$(meson_multilib) + ) + + if multilib_is_native_abi && use idn; then + myconf+=( + -Dlibidn2=$(usex libidn2 true false) + -Dlibidn=$(usex libidn2 false true) + ) + else + myconf+=( + -Dlibidn2=false + -Dlibidn=false + ) + fi + + meson_src_configure "${myconf[@]}" +} + +multilib_src_compile() { + eninja +} + +multilib_src_test() { + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + eninja test +} + +multilib_src_install() { + DESTDIR="${D}" eninja install +} + +multilib_src_install_all() { + local rootprefix=$(usex split-usr '' /usr) + + # meson doesn't know about docdir + mv "${ED}"/usr/share/doc/{systemd,${PF}} || die + + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + if ! use resolvconf; then + rm -f "${ED}${rootprefix}"/sbin/resolvconf || die + fi + + if ! use sysv-utils; then + rm "${ED}${rootprefix}"/sbin/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die + fi + + if ! use resolvconf && ! use sysv-utils; then + rmdir "${ED}${rootprefix}"/sbin || die + fi + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd + keepdir /etc/udev/{hwdb.d,rules.d} + keepdir /var/log/journal/remote + + # Symlink /etc/sysctl.conf for easy migration. + dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf + + # If we install these symlinks, there is no way for the sysadmin to remove them + # permanently. + rm -f "${ED}"/etc/systemd/system/multi-user.target.wants/systemd-networkd.service || die + rm -f "${ED}"/etc/systemd/system/dbus-org.freedesktop.network1.service || die + rm -f "${ED}"/etc/systemd/system/multi-user.target.wants/systemd-resolved.service || die + rm -f "${ED}"/etc/systemd/system/dbus-org.freedesktop.resolve1.service || die + rm -fr "${ED}"/etc/systemd/system/network-online.target.wants || die + rm -fr "${ED}"/etc/systemd/system/sockets.target.wants || die + rm -fr "${ED}"/etc/systemd/system/sysinit.target.wants || die + + local udevdir=/lib/udev + use split-usr || udevdir=/usr/lib/udev + + rm -r "${ED}${udevdir}/hwdb.d" || die + + if use split-usr; then + # Avoid breaking boot/reboot + dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd + dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown + fi +} + +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... + if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_postinst() { + newusergroup() { + enewgroup "$1" + enewuser "$1" -1 -1 -1 "$1" + } + + enewgroup input + enewgroup kvm 78 + enewgroup render + enewgroup systemd-journal + newusergroup systemd-bus-proxy + newusergroup systemd-coredump + newusergroup systemd-journal-gateway + newusergroup systemd-journal-remote + newusergroup systemd-journal-upload + newusergroup systemd-network + newusergroup systemd-resolve + newusergroup systemd-timesync + + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. Despite that this file is owned by sys-apps/hwids. + if has_version "sys-apps/hwids[udev]"; then + udevadm hwdb --update --root="${EROOT}" + fi + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respect, and ensure consistency + # between OpenRC & systemd + migrate_locale + + systemd_reenable systemd-networkd.service systemd-resolved.service + + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager" + systemctl daemon-reexec + eend $? + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +} |