author | Michał Górny <mgorny@gentoo.org> | 2018-08-15 10:24:18 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2018-08-15 12:32:40 +0200 |
commit | 4434094737edab9aa027a40b9a735d192a0282a8 (patch) | |
tree | de3d2b6cc65ad16df9ff6f5d718cb4a3f205f526 | |
parent | sys-freebsd/freebsd-sources: include multiple errata updates (diff) | |
sys-freebsd/freebsd-usbin: Include FreeBSD-SA-18:03 patch
Include the usr.sbin part of the following Security Advisory patch:
FreeBSD-SA-18:03.speculative_execution
-rw-r--r-- | sys-freebsd/freebsd-usbin/files/freebsd-usbin-SA-1803-speculative_execution-amd64-11.patch | 189 | ||||
-rw-r--r-- | sys-freebsd/freebsd-usbin/freebsd-usbin-11.1_p1.ebuild | 191 |
2 files changed, 380 insertions, 0 deletions
diff --git a/sys-freebsd/freebsd-usbin/files/freebsd-usbin-SA-1803-speculative_execution-amd64-11.patch b/sys-freebsd/freebsd-usbin/files/freebsd-usbin-SA-1803-speculative_execution-amd64-11.patch
new file mode 100644
index 000000000000..0cc67ad8f342
--- /dev/null
+++ b/sys-freebsd/freebsd-usbin/files/freebsd-usbin-SA-1803-speculative_execution-amd64-11.patch
@@ -0,0 +1,189 @@
+--- usr.sbin/cpucontrol/cpucontrol.8.orig
++++ usr.sbin/cpucontrol/cpucontrol.8
+@@ -24,7 +24,7 @@
+ .\"
+ .\" $FreeBSD$
+ .\"
+-.Dd June 30, 2009
++.Dd January 5, 2018
+ .Dt CPUCONTROL 8
+ .Os
+ .Sh NAME
+@@ -36,44 +36,48 @@
+ .Nm
+ .Op Fl vh
+ .Fl m Ar msr
+-.Bk
+ .Ar device
+ .Ek
++.Bk
+ .Nm
+ .Op Fl vh
+ .Fl m Ar msr Ns = Ns Ar value
+-.Bk
+ .Ar device
+ .Ek
++.Bk
+ .Nm
+ .Op Fl vh
+ .Fl m Ar msr Ns &= Ns Ar mask
+-.Bk
+ .Ar device
+ .Ek
++.Bk
+ .Nm
+ .Op Fl vh
+ .Fl m Ar msr Ns |= Ns Ar mask
+-.Bk
+ .Ar device
+ .Ek
++.Bk
+ .Nm
+ .Op Fl vh
+ .Fl i Ar level
+-.Bk
+ .Ar device
+ .Ek
++.Bk
+ .Nm
+ .Op Fl vh
+ .Fl i Ar level,level_type
+-.Bk
+ .Ar device
+ .Ek
++.Bk
+ .Nm
+ .Op Fl vh
+ .Op Fl d Ar datadir
+ .Fl u
++.Ar device
++.Ek
+ .Bk
++.Nm
++.Fl e
+ .Ar device
+ .Ek
+ .Sh DESCRIPTION
+@@ -129,6 +133,20 @@
+ .Nm
+ utility will walk through the configured data directories
+ and apply all firmware updates available for this CPU.
++.It Fl e
++Re-evaluate the kernel flags indicating the present CPU features.
++This command is typically executed after a firmware update was applied
++which changes information reported by the
++.Dv CPUID
++instruction.
++.Pp
++.Bf -symbolic
++Only execute the
++.Fl e
++command after the microcode update was applied to all CPUs in the system.
++The kernel does not operate correctly if the features of processors are
++not identical.
++.Ef
+ .It Fl v
+ Increase the verbosity level.
+ .It Fl h
+--- usr.sbin/cpucontrol/cpucontrol.c.orig
++++ usr.sbin/cpucontrol/cpucontrol.c
+@@ -60,6 +60,7 @@
+ #define FLAG_I 0x01
+ #define FLAG_M 0x02
+ #define FLAG_U 0x04
++#define FLAG_E 0x10
+
+ #define OP_INVAL 0x00
+ #define OP_READ 0x01
+@@ -114,7 +115,7 @@
+ if (name == NULL)
+ name = "cpuctl";
+ fprintf(stderr, "Usage: %s [-vh] [-d datadir] [-m msr[=value] | "
+- "-i level | -i level,level_type | -u] device\n", name);
++ "-i level | -i level,level_type | -e | -u] device\n", name);
+ exit(EX_USAGE);
+ }
+
+@@ -338,6 +339,25 @@
+ }
+
+ static int
++do_eval_cpu_features(const char *dev)
++{
++ int fd, error;
++
++ assert(dev != NULL);
++
++ fd = open(dev, O_RDWR);
++ if (fd < 0) {
++ WARN(0, "error opening %s for writing", dev);
++ return (1);
++ }
++ error = ioctl(fd, CPUCTL_EVAL_CPU_FEATURES, NULL);
++ if (error < 0)
++ WARN(0, "ioctl(%s, CPUCTL_EVAL_CPU_FEATURES)", dev);
++ close(fd);
++ return (error);
++}
++
++static int
+ do_update(const char *dev)
+ {
+ int fd;
+@@ -431,11 +451,14 @@
+ * Add all default data dirs to the list first.
+ */
+ datadir_add(DEFAULT_DATADIR);
+- while ((c = getopt(argc, argv, "d:hi:m:uv")) != -1) {
++ while ((c = getopt(argc, argv, "d:ehi:m:uv")) != -1) {
+ switch (c) {
+ case 'd':
+ datadir_add(optarg);
+ break;
++ case 'e':
++ flags |= FLAG_E;
++ break;
+ case 'i':
+ flags |= FLAG_I;
+ cmdarg = optarg;
+@@ -464,22 +487,25 @@
+ /* NOTREACHED */
+ }
+ dev = argv[0];
+- c = flags & (FLAG_I | FLAG_M | FLAG_U);
++ c = flags & (FLAG_E | FLAG_I | FLAG_M | FLAG_U);
+ switch (c) {
+- case FLAG_I:
+- if (strstr(cmdarg, ",") != NULL)
+- error = do_cpuid_count(cmdarg, dev);
+- else
+- error = do_cpuid(cmdarg, dev);
+- break;
+- case FLAG_M:
+- error = do_msr(cmdarg, dev);
+- break;
+- case FLAG_U:
+- error = do_update(dev);
+- break;
+- default:
+- usage(); /* Only one command can be selected. */
++ case FLAG_I:
++ if (strstr(cmdarg, ",") != NULL)
++ error = do_cpuid_count(cmdarg, dev);
++ else
++ error = do_cpuid(cmdarg, dev);
++ break;
++ case FLAG_M:
++ error = do_msr(cmdarg, dev);
++ break;
++ case FLAG_U:
++ error = do_update(dev);
++ break;
++ case FLAG_E:
++ error = do_eval_cpu_features(dev);
++ break;
++ default:
++ usage(); /* Only one command can be selected. */
+ }
+ SLIST_FREE(&datadirs, next, free);
+ return (error == 0 ? 0 : 1);
diff --git a/sys-freebsd/freebsd-usbin/freebsd-usbin-11.1_p1.ebuild b/sys-freebsd/freebsd-usbin/freebsd-usbin-11.1_p1.ebuild
new file mode 100644
index 000000000000..7eb0e4f04f7c
--- /dev/null
+++ b/sys-freebsd/freebsd-usbin/freebsd-usbin-11.1_p1.ebuild
@@ -0,0 +1,191 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit bsdmk freebsd flag-o-matic eutils
+
+DESCRIPTION="FreeBSD /usr/sbin tools"
+SLOT="0"
+LICENSE="BSD zfs? ( CDDL )"
+
+# Security Advisory and Errata patches.
+# UPSTREAM_PATCHES=()
+
+if [[ ${PV} != *9999* ]]; then
+ KEYWORDS="~amd64-fbsd ~x86-fbsd"
+ SRC_URI="${SRC_URI}
+ $(freebsd_upstream_patches)"
+fi
+
+EXTRACTONLY="
+ usr.sbin/
+ contrib/
+ usr.bin/
+ lib/
+ sbin/
+ etc/
+ gnu/
+"
+
+RDEPEND="=sys-freebsd/freebsd-lib-${RV}*[usb?,bluetooth?,netware?]
+ build? ( sys-apps/baselayout )
+ ssl? ( dev-libs/openssl:0 )
+ >=app-arch/libarchive-3
+ sys-apps/tcp-wrappers
+ dev-util/dialog
+ >=dev-libs/libedit-20120311.3.0-r1
+ net-libs/libpcap
+ kerberos? ( app-crypt/heimdal )"
+DEPEND="${RDEPEND}
+ =sys-freebsd/freebsd-mk-defs-${RV}*
+ =sys-freebsd/freebsd-ubin-${RV}*
+ zfs? ( =sys-freebsd/freebsd-cddl-${RV}* )
+ !build? ( =sys-freebsd/freebsd-sources-${RV}*
+ >=sys-freebsd/freebsd-sources-11.1_p3 )
+ sys-apps/texinfo
+ sys-devel/flex"
+
+S="${WORKDIR}/usr.sbin"
+
+IUSE="acpi atm audit bluetooth floppy ipv6 kerberos minimal netware nis pam ssl usb build zfs"
+
+pkg_setup() {
+ # Add the required source files.
+ use nis && EXTRACTONLY+="libexec/ "
+ use build && EXTRACTONLY+="sys/ include/ "
+ use zfs && EXTRACTONLY+="cddl/ "
+
+ # Release crunch is something like minimal. It seems to remove everything
+ # which is not needed to work.
+ use minimal && mymakeopts="${mymakeopts} RELEASE_CRUNCH= "
+
+ use acpi || mymakeopts="${mymakeopts} WITHOUT_ACPI= "
+ use atm || mymakeopts="${mymakeopts} WITHOUT_ATM= "
+ use audit || mymakeopts="${mymakeopts} WITHOUT_AUDIT= "
+ use bluetooth || mymakeopts="${mymakeopts} WITHOUT_BLUETOOTH= "
+ use ipv6 || mymakeopts="${mymakeopts} WITHOUT_INET6= WITHOUT_INET6_SUPPORT= "
+ use netware || mymakeopts="${mymakeopts} WITHOUT_IPX= WITHOUT_IPX_SUPPORT= WITHOUT_NCP= "
+ use nis || mymakeopts="${mymakeopts} WITHOUT_NIS= "
+ use pam || mymakeopts="${mymakeopts} WITHOUT_PAM_SUPPORT= "
+ use ssl || mymakeopts="${mymakeopts} WITHOUT_OPENSSL= "
+ use usb || mymakeopts="${mymakeopts} WITHOUT_USB= "
+ use floppy || mymakeopts="${mymakeopts} WITHOUT_FLOPPY= "
+ use kerberos || mymakeopts="${mymakeopts} WITHOUT_GSSAPI= "
+ use zfs || mymakeopts="${mymakeopts} WITHOUT_CDDL= "
+
+ mymakeopts="${mymakeopts} WITHOUT_PF= WITHOUT_LPR= WITHOUT_SENDMAIL= WITHOUT_AUTHPF= WITHOUT_MAILWRAPPER= WITHOUT_UNBOUND= "
+
+ append-flags $(test-flags -fno-strict-aliasing)
+}
+
+PATCHES=(
+ "${FILESDIR}/${PN}-adduser.patch"
+ "${FILESDIR}/${PN}-9.0-newsyslog.patch"
+ "${FILESDIR}/${PN}-11.1-bsdxml2expat.patch"
+ "${FILESDIR}/${PN}-10.3-bsdxml2expat.patch"
+ "${FILESDIR}/${PN}-11.0-workaround.patch"
+ "${FILESDIR}/${PN}-SA-1803-speculative_execution-amd64-11.patch"
+ )
+
+REMOVE_SUBDIRS="
+ tcpdchk tcpdmatch
+ sendmail praliases editmap mailstats makemap
+ pc-sysinstall cron mailwrapper ntp bsnmpd
+ tcpdump ndp inetd
+ wpa/wpa_supplicant wpa/hostapd wpa/hostapd_cli wpa/wpa_cli wpa/wpa_passphrase
+ zic amd
+ pkg freebsd-update service sysrc bsdinstall"
+
+src_prepare() {
+ if ! use build; then
+ [[ ! -e "${WORKDIR}/sys" ]] && ln -s "/usr/src/sys" "${WORKDIR}/sys"
+ [[ ! -e "${WORKDIR}/include" ]] && ln -s "/usr/include" "${WORKDIR}/include"
+ else
+ dummy_mk mount_smbfs
+ fi
+}
+
+src_compile() {
+ # Preparing to build nmtree, ypldap
+ for dir in libnetbsd libopenbsd; do
+ cd "${WORKDIR}/lib/${dir}" || die
+ freebsd_src_compile -j1
+ done
+
+ cd "${S}" || die
+ freebsd_src_compile
+}
+
+src_install() {
+ # By creating these directories we avoid having to do a
+ # more complex hack
+ dodir /usr/share/doc
+ dodir /sbin
+ dodir /usr/libexec
+ dodir /usr/bin
+
+ # FILESDIR is used by some makefiles which will install files
+ # in the wrong place, just put it in the doc directory.
+ freebsd_src_install DOCDIR=/usr/share/doc/${PF}
+
+ # Most of these now come from openrc.
+ for util in iscsid nfs nfsuserd rpc.statd rpc.lockd; do
+ newinitd "${FILESDIR}/"${util}.initd ${util}
+ if [[ -e "${FILESDIR}"/${util}.confd ]]; then \
+ newconfd "${FILESDIR}"/${util}.confd ${util}
+ fi
+ done
+
+ for class in daily monthly weekly; do
+ cat - > "${T}/periodic.${class}" <<EOS
+#!/bin/sh
+/usr/sbin/periodic ${class}
+EOS
+ exeinto /etc/cron.${class}
+ newexe "${T}/periodic.${class}" periodic
+ done
+
+ # Install the pw.conf file to let pw use Gentoo's skel location
+ insinto /etc
+ doins "${FILESDIR}/pw.conf"
+
+ cd "${WORKDIR}/etc" || die
+ doins apmd.conf syslog.conf newsyslog.conf nscd.conf
+
+ if use bluetooth; then
+ insinto /etc/bluetooth
+ doins bluetooth/*
+ rm -f "${D}"/etc/bluetooth/Makefile
+ fi
+
+ cd "${S}"/ppp || die
+ insinto /etc/ppp
+ doins ppp.conf
+
+ # Install the periodic stuff (needs probably to be ported in a more
+ # gentooish way)
+ cd "${WORKDIR}/etc/periodic" || die
+
+ doperiodic daily daily/*.accounting
+ doperiodic monthly monthly/*.accounting
+}
+
+pkg_postinst() {
+ # We need to run pwd_mkdb if key files are not present
+ # If they are, then there is no need to run pwd_mkdb
+ if [[ ! -e "${ROOT}etc/passwd" || ! -e "${ROOT}etc/pwd.db" || ! -e "${ROOT}etc/spwd.db" ]] ; then
+ if [[ -e "${ROOT}etc/master.passwd" ]] ; then
+ einfo "Generating passwd files from ${ROOT}etc/master.passwd"
+ "${ROOT}"usr/sbin/pwd_mkdb -p -d "${ROOT}etc" "${ROOT}etc/master.passwd"
+ else
+ eerror "${ROOT}etc/master.passwd does not exist!"
+ eerror "You will no be able to log into your system!"
+ fi
+ fi
+
+ for logfile in messages security auth.log maillog lpd-errs xferlog cron \
+ debug.log slip.log ppp.log; do
+ [[ -f "${ROOT}/var/log/${logfile}" ]] || touch "${ROOT}/var/log/${logfile}"
+ done
+}
|
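Review bot: The new `PATCHES` entry `${PN}-SA-1803-speculative_execution-amd64-11.patch` is applied in every configuration, but the only dependency floor that looks tied to the advisory, `>=sys-freebsd/freebsd-sources-11.1_p3`, sits inside `!build? ( … )`. The patched cpucontrol.c calls `ioctl(fd, CPUCTL_EVAL_CPU_FEATURES, NULL)` and the patch itself does not define that constant, so it has to come from a header that already carries the kernel side of the advisory. With USE=build the ebuild extracts `sys/` and `include/` from the distfile instead of symlinking `/usr/src/sys` and `/usr/include`, and `UPSTREAM_PATCHES` is commented out, so from the ebuild alone it is not evident that the definition is present there; the `freebsd-lib` atom in `RDEPEND` likewise has no patch-level floor. I would record the requirement next to the entry, for example `# needs CPUCTL_EVAL_CPU_FEATURES from the kernel-side SA-18:03 headers`, and confirm that a USE=build compile still succeeds.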