author | Steve Arnold <nerdboy@gentoo.org> | 2021-12-03 11:27:16 -0800 |
---|---|---|
committer | Steve Arnold <nerdboy@gentoo.org> | 2021-12-03 11:28:08 -0800 |
commit | 885bd9eb1a8173fdae19461f80f312d1244acecf (patch) | |
tree | bf188514a1a7757a251e6860c3164571edb92b69 /net-misc | |
parent | dev-python/coverage: Stabilize 6.1.2 hppa, #827980 (diff) | |
net-misc/ntpsec: seccomp cleanup, (really) fixes seccomp on riscv
* rollup seccomp changes into single patch against 1.2.1
* remove old seccomp patches
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Steve Arnold <nerdboy@gentoo.org>
Diffstat (limited to 'net-misc')
6 files changed, 117 insertions, 91 deletions
diff --git a/net-misc/ntpsec/files/ntpsec-1.1.8-fix-missing-scmp_sys-on-aarch64.patch b/net-misc/ntpsec/files/ntpsec-1.1.8-fix-missing-scmp_sys-on-aarch64.patch
deleted file mode 100644
index ee75d103d2e6..000000000000
--- a/net-misc/ntpsec/files/ntpsec-1.1.8-fix-missing-scmp_sys-on-aarch64.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
-index 4e5ceaa36c1a7b452445023e201ddb6211625c52..78ac7aea263ed3d3394b2d32e79a6836f0387434 100644
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -428,6 +428,11 @@ int scmp_sc[] = {
- /* gentoo 64-bit and 32-bit, Intel and Arm use mmap */
- SCMP_SYS(mmap),
- #endif
-+#if defined(__aarch64__)
-+ SCMP_SYS(faccessat),
-+ SCMP_SYS(newfstatat),
-+ SCMP_SYS(renameat),
-+#endif
- #if defined(__i386__) || defined(__arm__) || defined(__powerpc__)
- SCMP_SYS(_newselect),
- SCMP_SYS(_llseek),
diff --git a/net-misc/ntpsec/files/ntpsec-1.2.0-move-newfstatat.patch b/net-misc/ntpsec/files/ntpsec-1.2.0-move-newfstatat.patch
deleted file mode 100644
index 75453c6cb5f6..000000000000
--- a/net-misc/ntpsec/files/ntpsec-1.2.0-move-newfstatat.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
-index e66faaa8c..b2af654e5 100644
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -349,6 +349,7 @@ int scmp_sc[] = {
- SCMP_SYS(lseek),
- SCMP_SYS(membarrier), /* Needed on Alpine 3.11.3 */
- SCMP_SYS(munmap),
-+ SCMP_SYS(newfstatat),
- SCMP_SYS(open),
- #ifdef __NR_openat
- SCMP_SYS(openat), /* SUSE */
-@@ -451,7 +452,6 @@ int scmp_sc[] = {
- #endif
- #if defined(__aarch64__)
- SCMP_SYS(faccessat),
-- SCMP_SYS(newfstatat),
- SCMP_SYS(renameat),
- SCMP_SYS(linkat),
- SCMP_SYS(unlinkat),
diff --git a/net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch b/net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch
deleted file mode 100644
index 27dd321e2a29..000000000000
--- a/net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-https://bugs.gentoo.org/705128
-https://bugs.gentoo.org/786228
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -463,6 +463,15 @@ int scmp_sc[] = {
- SCMP_SYS(send),
- SCMP_SYS(stat64),
- #endif
-+#if defined(__arm__)
-+ SCMP_SYS(statx),
-+#endif
-+#if defined(__riscv32__) || defined(__riscv64__)
-+ SCMP_SYS(faccessat),
-+#endif
-+#if defined(__aarch64__) || defined(__riscv64__)
-+ SCMP_SYS(syscall),
-+#endif
- };
- {
- for (unsigned int i = 0; i < COUNTOF(scmp_sc); i++) {
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -355,6 +355,7 @@ int scmp_sc[] = {
- SCMP_SYS(openat), /* SUSE */
- #endif
- SCMP_SYS(poll),
-+ SCMP_SYS(pread64),
- SCMP_SYS(pselect6),
- SCMP_SYS(read),
- SCMP_SYS(recvfrom), /* Comment this out for testing.
diff --git a/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-glibc-2-3-4.patch b/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-glibc-2-3-4.patch
deleted file mode 100644
index 5936adaf9a49..000000000000
--- a/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-glibc-2-3-4.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/823692
-https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1247
-https://gitlab.com/NTPsec/ntpsec/-/issues/713
-
-From 170d60b7e269154fb108bb4b010ee5ee0110bf2d Mon Sep 17 00:00:00 2001
-From: Sam James <sam@gentoo.org>
-Date: Sun, 14 Nov 2021 08:44:28 +0000
-Subject: [PATCH] ntpd/ntp_sandbox.c: allow clone3 in seccomp filter for
- glibc-2.34
-
-Signed-off-by: Sam James <sam@gentoo.org>
---- a/ntpd/ntp_sandbox.c
-+++ b/ntpd/ntp_sandbox.c
-@@ -403,6 +403,7 @@ int scmp_sc[] = {
- * rather than generate a trap.
- */
- SCMP_SYS(clone), /* threads */
-+ SCMP_SYS(clone3),
- SCMP_SYS(kill), /* generate signal */
- SCMP_SYS(madvise),
- SCMP_SYS(mprotect),
diff --git a/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-rollup.patch b/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-rollup.patch
new file mode 100644
index 000000000000..c9ba3760cce6
--- /dev/null
+++ b/net-misc/ntpsec/files/ntpsec-1.2.1-seccomp-rollup.patch
@@ -0,0 +1,116 @@
+From 9a13c2bd472786472360f1a6465d8a808f6b8311 Mon Sep 17 00:00:00 2001
+From: Stephen L Arnold <nerdboy@gentoo.org>
+Date: Thu, 2 Dec 2021 20:16:18 -0800
+Subject: [PATCH] ntpd/ntp_sandbox.c: seccomp rollup patch for arm, arm64,
+ riscv, all
+
+* add renameat2, move newfstatat and faccessat, remove arch dups
+* rollup previous patches, remove cruft
+* includes riscv fixes, previous bugs:
+ https://bugs.gentoo.org/705128
+ https://bugs.gentoo.org/786228
+ https://bugs.gentoo.org/823692
+ https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1247
+ https://gitlab.com/NTPsec/ntpsec/-/issues/713
+
+Signed-off-by: Stephen L Arnold <nerdboy@gentoo.org>
+---
+ ntpd/ntp_sandbox.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index e66faaa8c..04eaa003a 100644
+--- a/ntpd/ntp_sandbox.c
++++ b/ntpd/ntp_sandbox.c
+@@ -306,8 +306,8 @@ int scmp_sc[] = {
+ #endif
+ #endif /* ENABLE_EARLY_DROPROOT */
+
+- SCMP_SYS(accept),
+- SCMP_SYS(access),
++ SCMP_SYS(accept),
++ SCMP_SYS(access),
+ SCMP_SYS(adjtimex),
+ SCMP_SYS(bind),
+ SCMP_SYS(brk),
+@@ -319,6 +319,9 @@ int scmp_sc[] = {
+ SCMP_SYS(connect),
+ SCMP_SYS(exit),
+ SCMP_SYS(exit_group),
++#ifdef __NR_faccessat
++ SCMP_SYS(faccessat), /* riscv and aarch64 */
++#endif
+ SCMP_SYS(fcntl),
+ SCMP_SYS(fstat),
+ SCMP_SYS(fsync),
+@@ -349,11 +352,13 @@ int scmp_sc[] = {
+ SCMP_SYS(lseek),
+ SCMP_SYS(membarrier), /* Needed on Alpine 3.11.3 */
+ SCMP_SYS(munmap),
++ SCMP_SYS(newfstatat), /* riscv and aarch64 */
+ SCMP_SYS(open),
+ #ifdef __NR_openat
+ SCMP_SYS(openat), /* SUSE */
+ #endif
+ SCMP_SYS(poll),
++ SCMP_SYS(pread64),
+ SCMP_SYS(pselect6),
+ SCMP_SYS(read),
+ SCMP_SYS(recvfrom), /* Comment this out for testing.
+@@ -362,6 +367,9 @@ int scmp_sc[] = {
+ */
+ SCMP_SYS(recvmsg),
+ SCMP_SYS(rename),
++#ifdef __NR_renameat2
++ SCMP_SYS(renameat2), /* riscv */
++#endif
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(rt_sigreturn),
+@@ -401,6 +409,7 @@ int scmp_sc[] = {
+ * rather than generate a trap.
+ */
+ SCMP_SYS(clone), /* threads */
++ SCMP_SYS(clone3),
+ SCMP_SYS(kill), /* generate signal */
+ SCMP_SYS(madvise),
+ SCMP_SYS(mprotect),
+@@ -415,9 +424,9 @@ int scmp_sc[] = {
+ SCMP_SYS(nanosleep),
+ #endif
+ #ifdef CLOCK_SHM
+- SCMP_SYS(shmget),
+- SCMP_SYS(shmat),
+- SCMP_SYS(shmdt),
++ SCMP_SYS(shmget),
++ SCMP_SYS(shmat),
++ SCMP_SYS(shmdt),
+ #endif
+
+ SCMP_SYS(fcntl64),
+@@ -450,10 +459,9 @@ int scmp_sc[] = {
+ SCMP_SYS(mmap),
+ #endif
+ #if defined(__aarch64__)
+- SCMP_SYS(faccessat),
+- SCMP_SYS(newfstatat),
+- SCMP_SYS(renameat),
+ SCMP_SYS(linkat),
++ SCMP_SYS(renameat),
++ SCMP_SYS(syscall),
+ SCMP_SYS(unlinkat),
+ #endif
+ #if defined(__i386__) || defined(__arm__) || defined(__powerpc__)
+@@ -463,6 +471,9 @@ int scmp_sc[] = {
+ SCMP_SYS(send),
+ SCMP_SYS(stat64),
+ #endif
++#if defined(__arm__)
++ SCMP_SYS(statx),
++#endif
+ };
+ {
+ for (unsigned int i = 0; i < COUNTOF(scmp_sc); i++) {
+--
+2.32.0
+
diff --git a/net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild b/net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild
index 7e9d34caf33b..8835c7ccfcfb 100644
--- a/net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild
+++ b/net-misc/ntpsec/ntpsec-1.2.1-r1.ebuild
@@ -58,11 +58,8 @@ DEPEND="${CDEPEND} " PATCHES=(
- "${FILESDIR}/${PN}-1.1.8-fix-missing-scmp_sys-on-aarch64.patch"
 "${FILESDIR}/${PN}-1.1.9-remove-asciidoctor-from-config.patch"
- "${FILESDIR}/${PN}-1.2.0-move-newfstatat.patch"
- "${FILESDIR}/${PN}-1.2.0-seccomp.patch"
- "${FILESDIR}/${PN}-1.2.1-seccomp-glibc-2-3-4.patch"
+ "${FILESDIR}/${PN}-1.2.1-seccomp-rollup.patch"
 ) WAF_BINARY="${S}/waf" |
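Review bot: `SCMP_SYS(syscall)` is added to the `#if defined(__aarch64__)` block in the `@@ -450,10 +459,9 @@` hunk of the new rollup patch without a comment, and it is the one allowlist entry here whose purpose cannot be read from its name. The deleted ntpsec-1.2.0-seccomp.patch carried it under `defined(__aarch64__) || defined(__riscv64__)`, so the rollup also narrows it to aarch64 without saying whether that is intended. Because every entry in `scmp_sc[]` widens what the sandboxed ntpd may call, I would add a why-comment such as `SCMP_SYS(syscall), /* aarch64: <libc call that needs it> */` and drop the entry if no caller can be named. In the `@@ -349,11 +352,13 @@` hunk, `SCMP_SYS(newfstatat), /* riscv and aarch64 */` is unconditional while `faccessat` and `renameat2` sit behind `#ifdef __NR_*`; either guard it the same way or reword the comment to say it is allowed on every architecture.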