author | PÁLI Gábor János <pali.gabor@gmail.com> | 2022-12-30 14:47:25 +0100 |
---|---|---|
committer | PÁLI Gábor János <pali.gabor@gmail.com> | 2022-12-30 14:47:25 +0100 |
commit | 1c1b02874e1749d61b9b1680f744bf8470147416 (patch) | |
tree | 90578f8f7b73792dd41129b71bc73b0eefd81d32 | |
parent | 1b300a88b562f707ccd1b67229bd878930c9766c (diff) | |
download | freebsd-wifibox-alpine-1c1b02874e1749d61b9b1680f744bf8470147416.zip |
Move to Linux 5.15.85 + Alpine 3.17.0.
40 files changed, 899 insertions, 1323 deletions
diff --git a/aports/base-layout/APKBUILD b/aports/base-layout/APKBUILD
index 7597bc4..9b46b78 100644
--- a/aports/base-layout/APKBUILD
+++ b/aports/base-layout/APKBUILD
@@ -1,16 +1,16 @@
 # Maintainer: Gabor Pali <pali.gabor@gmail.com>
 pkgname=baselayout
-pkgver=3.2.0
-pkgrel=21 # base: 23
+pkgver=3.4.0
+pkgrel=0 # base: 0
 pkgdesc="Base dir structure and init scripts (Alpine Linux)"
 url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
-arch="all"
+arch="noarch"
 license="GPL-2.0-only"
 pkggroups="shadow"
 options="!fhs !check"
 install=
-_nbver=6.2
+_nbver=6.4
 source="crontab
 locale.sh
@@ -195,7 +195,7 @@ b2fc9b72846a43a45ba9a8749e581cef34d1915836833b51b7919dfbf4e275b7d55fec4dea7b23df
 806b8f23f823a9471846d12fa6b55690b95eedb4c613b82aefaba7ffef23f83e17552befd891a487864f72ef24e395d8611738933f684a85eb4c336cb20994f8 group
 7cc3c23062c730ec7a1d7850423d9901047005520da5b347b7b24e5f33a9c9a9129b430557f7f41e565f143624b7f3c47e3f6e4a6a446e75f0ea245c03d70880 inittab
 06d12a7b9ca14fe17e412d0f24814620b67d035ae859be7906cbf4782dd69e359a6a555dafb98060b7fb7e4714aaa676c88d9017cded36e6d8398e23369bb290 passwd
-b14920eae431d1f15b066e264a94f804540c5dcbf91caef034019d95456c975c0c054672e53369082682dd9454a034f26bd45b312adfc0ab68a0311d97b037ac profile
-eadc83e47fcc354ab83fd109bee452bda170886fb684e67faf615930c11480919505f4af60c685b124efc54af0ded9522663132f911eac6622144f8b4c8be695 protocols-6.2
-adfae0d2f569c2a2f413b7e27683a007fc8ca689b8c3349672fe0dcb6208c192ede4402eff09c604b7e7b4fd9d8df93b875efa5bdaa6c14ff1d8022a7caad5cd services-6.2
+a15252a5eb90983775f63e54d37242f4c76c5c358ad6d8c1622c7da35f1b8a722249e7375a07e9f08fbb25318bd1eb033d3927aed82c3f5e9b854ad550dad2ce profile
+3a00083bcdf5a9e884c9d07877d52311e3d99e79cbee656e236ba06e08ba0dddb7ba76494fdc9dd1a826c48e197a790a69e6bb458e9df64832d6b5e904e9fd15 protocols-6.4
+47b0f3ee73af2d259bd206a026204be0ea25531a895a0b035a904b38fe5407bc3dd2beab7f8fcb3d760587e6159702ebdb9cbc4f508942befdf7f10c10c87888 services-6.4
 "
diff --git a/aports/base-layout/profile b/aports/base-layout/profile index fd7506b..e62587b 100644 --- a/aports/base-layout/profile +++ b/aports/base-layout/profile @@ -22,20 +22,18 @@ export PATH export PAGER=less umask 022 -# set up fallback default PS1 -: "${HOSTNAME:=$(hostname)}" -PS1='${HOSTNAME%%.*}:$PWD' -[ "$(id -u)" = "0" ] && PS1="${PS1}# " -[ "$(id -u)" = "0" ] || PS1="${PS1}\$ " - # use nicer PS1 for bash and busybox ash -[ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ] && PS1='\h:\w\$ ' - +if [ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ]; then + PS1='\h:\w\$ ' # use nicer PS1 for zsh -[ -n "$ZSH_VERSION" ] && PS1='%m:%~%# ' - -# export PS1 as before -export PS1 +elif [ -n "$ZSH_VERSION" ]; then + PS1='%m:%~%# ' +# set up fallback default PS1 +else + : "${HOSTNAME:=$(hostname)}" + PS1='${HOSTNAME%%.*}:$PWD' + [ "$(id -u)" -eq 0 ] && PS1="${PS1}# " || PS1="${PS1}\$ " +fi for script in /etc/profile.d/*.sh ; do if [ -r "$script" ] ; then diff --git a/aports/broadcom-wl/APKBUILD b/aports/broadcom-wl/APKBUILD index ae7cd74..4e19807 100644 --- a/aports/broadcom-wl/APKBUILD +++ b/aports/broadcom-wl/APKBUILD @@ -2,7 +2,7 @@ pkgname=broadcom-wl pkgver=6.30.223.271 -pkgrel=5 +pkgrel=6 pkgdesc='Broadcom 802.11 Linux STA wireless driver' arch="x86_64" url='https://www.broadcom.com/support/download-search/?pf=Wireless+LAN+Infrastructure' diff --git a/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch b/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch index 083b8a8..1ce06f8 100644 --- a/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch +++ b/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch @@ -1,6 +1,6 @@ -From 770825e4730fadc0b7fc5a0f154eb368a37564a0 Mon Sep 17 00:00:00 2001 +From 711de34e8fa42bd9ec704cc922db937edada84d8 Mon Sep 17 00:00:00 2001 
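Review bot: The rewritten profile block drops `export PS1` without a replacement anywhere in this hunk, so unless it is exported further down the file PS1 is now only a shell variable and no longer appears in the environment of programs the login shell starts, which matters for any child shell that does not itself read /etc/profile. If that is intended, a one-line `# PS1 is deliberately not exported` above `fi` would stop the next reader from re-adding it; otherwise restore `export PS1` after `fi`. The kept test `[ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ]` mixes `-n` with a bare-string operand and relies on `-o`, which POSIX marks obsolescent; `[ -n "$BASH_VERSION" ] || [ -n "$BB_ASH_VERSION" ]` is the portable spelling. The profile.d loop that follows the block continues outside this hunk.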
From: Laurent Bercot <ska-devel@skarnet.org> -Date: Wed, 20 Jul 2022 10:39:22 +0200 +Date: Fri, 22 Jul 2022 01:35:14 +0200 Subject: [PATCH] Avoid redefined warnings when buiding with utmps Do not use _PATH_UTMP or _PATH_WTMP, and do not touch @@ -13,7 +13,7 @@ the files directly. 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/include/libbb.h b/include/libbb.h -index abbc9ac59..9710e804c 100644 +index abbc9ac59..405108b17 100644 --- a/include/libbb.h +++ b/include/libbb.h @@ -107,14 +107,12 @@ @@ -21,7 +21,7 @@ index abbc9ac59..9710e804c 100644 # else # if !defined(__FreeBSD__) -# include <utmp.h> -+# include <utmps/utmps.h> ++# include <utmpx.h> +# define _CORRECT_PATH_UTMPX "/run/utmps/utmp" +# define _CORRECT_PATH_WTMP "/var/log/wtmp" # else diff --git a/aports/busybox/0001-sed-check-errors-writing-file-with-sed-i.patch b/aports/busybox/0001-sed-check-errors-writing-file-with-sed-i.patch new file mode 100644 index 0000000..90a5115 --- /dev/null +++ b/aports/busybox/0001-sed-check-errors-writing-file-with-sed-i.patch 
@@ -0,0 +1,66 @@ +From b99395ebf70eadb248da0ecf913eea0236eceea1 Mon Sep 17 00:00:00 2001 +From: Dominique Martinet <dominique.martinet@atmark-techno.com> +Date: Wed, 16 Nov 2022 11:52:29 +0900 +Subject: [PATCH] sed: check errors writing file with sed -i + +sed would currently not error if write failed when modifying a file. + +This can be reproduced with the following 'script': +$ sudo mount -t tmpfs tmpfs -o size=1M /tmp/m +$ sudo chmod 777 /tmp/m +$ echo foo > /tmp/m/foo +$ dd if=/dev/zero of=/tmp/m/fill bs=4k +dd: error writing '/tmp/m/fill': No space left on device +256+0 records in +255+0 records out +1044480 bytes (1.0 MB, 1020 KiB) copied, 0.00234567 s, 445 MB/s +$ busybox sed -i -e 's/.*/bar/' /tmp/m/foo +$ echo $? +0 +$ cat /tmp/m/foo +<empty> + +new behaviour: +$ echo foo > /tmp/m/foo +$ ./busybox sed -i -e 's/.*/bar/' /tmp/m/foo +sed: write error +$ echo $? +4 +$ cat /tmp/m/foo +foo + +function old new delta +sed_main 754 801 +47 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 1/0 up/down: 47/0) Total: 47 bytes + text data bss dec hex filename + 66957 2398 1552 70907 114fb busybox_old + 67004 2398 1552 70954 1152a busybox_unstripped + +Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com> +--- +Upstream patch: +http://lists.busybox.net/pipermail/busybox/2022-November/089967.html + + editors/sed.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/editors/sed.c b/editors/sed.c +index 32a4b61f6d4c..be709eef3a9c 100644 +--- a/editors/sed.c ++++ b/editors/sed.c +@@ -1639,6 +1639,11 @@ int sed_main(int argc UNUSED_PARAM, char **argv) + fchown(nonstdoutfd, statbuf.st_uid, statbuf.st_gid); + + process_files(); ++ fflush(G.nonstdout); ++ if (ferror(G.nonstdout)) { ++ xfunc_error_retval = 4; /* It's what gnu sed exits with... */ ++ bb_simple_error_msg_and_die(bb_msg_write_error); ++ } + fclose(G.nonstdout); + G.nonstdout = stdout; + +-- +2.35.1 + 
diff --git a/aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch b/aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch index 964db5df..2ca4bcd 100644 --- a/aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch +++ b/aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch @@ -1,4 +1,4 @@ -From 3f44fe588d0d68ff5897928b65c0749505937d8d Mon Sep 17 00:00:00 2001 +From 97d4a0ffc6f58813fd91e5728d474b984f29b9a6 Mon Sep 17 00:00:00 2001 From: Natanael Copa <ncopa@alpinelinux.org> Date: Tue, 27 Dec 2016 20:46:59 +0100 Subject: [PATCH] app location for cpio, vi and lspci @@ -11,12 +11,12 @@ Adjust location to where alpine linux installs them 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/archival/cpio.c b/archival/cpio.c -index d84f6937d..29e7d396a 100644 +index 7149782d7..ee80efd9f 100644 --- a/archival/cpio.c +++ b/archival/cpio.c -@@ -39,7 +39,7 @@ +@@ -53,7 +53,7 @@ //config: help - //config: Passthrough mode. Rarely used. + //config: Optionally renumber inodes when creating archives. -//applet:IF_CPIO(APPLET(cpio, BB_DIR_BIN, BB_SUID_DROP)) +//applet:IF_CPIO(APPLET(cpio, BB_DIR_USR_BIN, BB_SUID_DROP)) @@ -24,7 +24,7 @@ index d84f6937d..29e7d396a 100644 //kbuild:lib-$(CONFIG_CPIO) += cpio.o diff --git a/editors/vi.c b/editors/vi.c -index 3e1bd0820..774da291f 100644 +index 3dbe5b471..b29c16098 100644 --- a/editors/vi.c +++ b/editors/vi.c @@ -176,7 +176,7 @@ diff --git a/aports/busybox/0018-ash-fix-ifs-cleanup-on-error-paths.patch b/aports/busybox/0018-ash-fix-ifs-cleanup-on-error-paths.patch new file mode 100644 index 0000000..c09bc84 --- /dev/null +++ b/aports/busybox/0018-ash-fix-ifs-cleanup-on-error-paths.patch 
@@ -0,0 +1,91 @@ +From 1c5455284234e894dfb6086bf7f3e9a6d5d9611f Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Tue, 2 Aug 2022 11:13:44 +0200 +Subject: [PATCH] ash: fix ifs cleanup on error paths + +Patch by Alex Gorinson <algore3698@gmail.com> + +function old new delta +evalvar 477 495 +18 +varvalue 603 618 +15 +subevalvar 1557 1572 +15 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 3/0 up/down: 48/0) Total: 48 bytes + +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> +--- + shell/ash.c | 2 ++ + shell/ash_test/ash-heredoc/heredoc_and_cmd.right | 2 ++ + shell/ash_test/ash-heredoc/heredoc_and_cmd.tests | 8 ++++++++ + shell/hush_test/hush-heredoc/heredoc_and_cmd.right | 2 ++ + shell/hush_test/hush-heredoc/heredoc_and_cmd.tests | 8 ++++++++ + 5 files changed, 22 insertions(+) + create mode 100644 shell/ash_test/ash-heredoc/heredoc_and_cmd.right + create mode 100755 shell/ash_test/ash-heredoc/heredoc_and_cmd.tests + create mode 100644 shell/hush_test/hush-heredoc/heredoc_and_cmd.right + create mode 100755 shell/hush_test/hush-heredoc/heredoc_and_cmd.tests + +diff --git a/shell/ash.c b/shell/ash.c +index d29de37b7..c731a333b 100644 +--- a/shell/ash.c ++++ b/shell/ash.c +@@ -7028,6 +7028,7 @@ varunset(const char *end, const char *var, const char *umsg, int varflags) + msg = umsg; + } + } ++ ifsfree(); + ash_msg_and_raise_error("%.*s: %s%s", (int)(end - var - 1), var, msg, tail); + } + +@@ -7453,6 +7454,7 @@ varvalue(char *name, int varflags, int flags, int quoted) + if (discard) + return -1; + ++ ifsfree(); + raise_error_syntax("bad substitution"); + } + +diff --git a/shell/ash_test/ash-heredoc/heredoc_and_cmd.right b/shell/ash_test/ash-heredoc/heredoc_and_cmd.right +new file mode 100644 +index 000000000..25ae70561 +--- /dev/null ++++ b/shell/ash_test/ash-heredoc/heredoc_and_cmd.right +@@ -0,0 +1,2 @@ ++./heredoc_and_cmd.tests: line 4: D: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ++Y +diff --git a/shell/ash_test/ash-heredoc/heredoc_and_cmd.tests b/shell/ash_test/ash-heredoc/heredoc_and_cmd.tests +new file mode 100755 +index 000000000..197542de7 +--- /dev/null ++++ b/shell/ash_test/ash-heredoc/heredoc_and_cmd.tests +@@ -0,0 +1,8 @@ ++# The bug was only happening with <<REDIR;CMD form below: ++M='AAAAAAAAAAAAAAAAA' ++fff(){ ++date <<000; echo Y ++${D?$M$M$M$M$M$M} ++000 ++} ++fff +diff --git a/shell/hush_test/hush-heredoc/heredoc_and_cmd.right b/shell/hush_test/hush-heredoc/heredoc_and_cmd.right +new file mode 100644 +index 000000000..5c19a0621 +--- /dev/null ++++ b/shell/hush_test/hush-heredoc/heredoc_and_cmd.right +@@ -0,0 +1,2 @@ ++hush: D: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ++Y +diff --git a/shell/hush_test/hush-heredoc/heredoc_and_cmd.tests b/shell/hush_test/hush-heredoc/heredoc_and_cmd.tests +new file mode 100755 +index 000000000..197542de7 +--- /dev/null ++++ b/shell/hush_test/hush-heredoc/heredoc_and_cmd.tests +@@ -0,0 +1,8 @@ ++# The bug was only happening with <<REDIR;CMD form below: ++M='AAAAAAAAAAAAAAAAA' ++fff(){ ++date <<000; echo Y ++${D?$M$M$M$M$M$M} ++000 ++} ++fff diff --git a/aports/busybox/APKBUILD b/aports/busybox/APKBUILD index 18e2308..112c885 100644 --- a/aports/busybox/APKBUILD +++ b/aports/busybox/APKBUILD 
@@ -1,13 +1,13 @@
 # Maintainer: Gabor Pali <pali.gabor@gmail.com>
 pkgname=busybox
 pkgver=1.35.0
-pkgrel=2 # base: 17, -initscripts: 4.2-r0
+pkgrel=3 # base: 29
 pkgdesc="Size optimized toolbox of many common UNIX utilities"
 url="https://busybox.net/"
 arch="all"
 license="GPL-2.0-only"
 makedepends_build="perl"
-makedepends_host="linux-headers openssl-dev"
+makedepends_host="linux-headers openssl-dev>3"
 # Only build with UTMPS support if we are not bootstrapping.
 # skalibs-static is needed for utmps-static
 [ -z "$BOOTSTRAP" ] && makedepends_host="$makedepends_host utmps-dev utmps-static skalibs-static"
@@ -17,6 +17,14 @@ provides="/bin/sh"
 install=
 subpackages=
 options="!check"
+
+_openrc_files="acpid.initd
+ crond.confd crond.initd
+ defaults.initd
+ syslog.confd syslog.initd
+ udhcpd.confd udhcpd.initd"
+_mdev_openrc_files="mdev.initd"
+
 source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
 0001-nologin-Install-applet-to-sbin-instead-of-usr-sbin.patch
 0001-adduser-default-to-sbin-nologin-as-shell-for-system-.patch
@@ -37,34 +45,29 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
 0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch
 0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch
 0017-ash-Fix-use-after-free-on-idx-variable.patch
+ 0018-ash-fix-ifs-cleanup-on-error-paths.patch
+ 0001-ash-add-built-in-BB_ASH_VERSION-variable.patch
+ 0001-pgrep-add-support-for-matching-against-UID-and-RUID.patch
+ 0001-avoid-redefined-warnings-when-building-with-utmps.patch
+ 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 0002-nslookup-sanitize-all-printed-strings-with-printable.patch
 0001-modinfo-add-k-option-for-kernel-version.patch
 CVE-2022-30065.patch
+ 0001-sed-check-errors-writing-file-with-sed-i.patch
 acpid.logrotate
 config
 default.script
-
- acpid.initd
- crond.initd
- mdev.initd
- syslog.initd
- udhcpd.initd
- defaults.initd
-
- crond.confd
- syslog.confd
- udhcpd.confd
-
- mdev.conf
- persistent-storage
- "
+ $_openrc_files
+ $_mdev_openrc_files
+"
 # secfixes:
-# 1.35.0-r15:
+# 1.35.0-r17:
 # - CVE-2022-30065
 # 1.35.0-r7:
 # - ALPINE-13661
@@ -108,6 +111,12 @@ prepare() {
 }
 
 build() {
+ local _extra_cflags= _extra_libs=
+ if [ -z "$BOOTSTRAP" ] ; then
+ _extra_cflags="$(pkg-config --cflags --static utmps)"
+ _extra_libs="$(pkg-config --libs --static utmps)"
+ fi
+
 cd "$srcdir"/build
 echo "COPIED CONFIG to $(pwd)/.config"
 cp "$srcdir"/config .config
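Review bot: The updated secfixes entry `# 1.35.0-r17:` does not correspond to any version this APKBUILD produces: with `pkgrel=3` (the hunk just above) the package is 1.35.0-r3, so any tooling that reads secfixes would treat every build of this fork as predating the CVE-2022-30065 fix even though CVE-2022-30065.patch is applied. The number appears to mirror the upstream Alpine pkgrel, as the `# base: 29` annotation does for pkgrel; if that is the intent, say so in the comment (e.g. `# secfixes (upstream Alpine pkgrel; local pkgrel is 3):`), otherwise use `# 1.35.0-r3:`. Separately, the two `pkg-config` calls added to build() are unchecked, so a missing utmps.pc silently yields empty flags and the binary is linked without UTMPS support; `|| return 1` after each call would surface that at build time. Both the secfixes block and build() continue outside this hunk.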
@@ -115,16 +124,25 @@ build() {
 -e "s/CONFIG_EXTRA_COMPAT=y/CONFIG_EXTRA_COMPAT=n/" \
 .config
 make -C "$builddir" O="$PWD" silentoldconfig
- make
+ make CONFIG_EXTRA_CFLAGS="$_extra_cflags" CONFIG_EXTRA_LDLIBS="$_extra_libs"
 }
 package() {
- local i
+ local file
- cd "$srcdir"/build
 mkdir -p "$pkgdir"/usr/sbin "$pkgdir"/usr/bin "$pkgdir"/tmp \
- "$pkgdir"/var/cache/misc "$pkgdir"/bin "$pkgdir"/sbin
+ "$pkgdir"/var/cache/misc "$pkgdir"/bin "$pkgdir"/sbin \
+ "$pkgdir"/etc/conf.d "$pkgdir"/etc/init.d
 chmod 1777 "$pkgdir"/tmp
+ cd "$srcdir"
+ for file in *.confd; do
+ install -D -m 0644 ${file} "$pkgdir"/etc/conf.d/${file%%\.confd}
+ done
+ for file in *.initd; do
+ install -D -m 0755 ${file} "$pkgdir"/etc/init.d/${file%%\.initd}
+ done
+
+ cd "$srcdir"/build
 install -m755 busybox "$pkgdir"/bin/busybox
 for target in $("$pkgdir"/bin/busybox --list-full | sort); do
@@ -162,27 +180,12 @@ EOF
 install -Dm755 "$srcdir"/default.script \
 "$pkgdir"/usr/share/udhcpc/default.script
- # deploy init scripts
 cd "$srcdir"
- mkdir -p "$pkgdir"/etc/conf.d "$pkgdir"/etc/init.d "$pkgdir"/lib/mdev\
- "$pkgdir"/etc/acpi/PWRF
- for i in *.initd; do
- install -m755 "$srcdir"/$i "$pkgdir"/etc/init.d/${i%.*} || return 1
- done
- for i in *.confd; do
- install -m644 "$srcdir"/$i "$pkgdir"/etc/conf.d/${i%.*} || return 1
- done
- install -m644 mdev.conf "$pkgdir"/etc
- install -m755 persistent-storage \
- "$pkgdir"/lib/mdev/
-
+ mkdir -p "$pkgdir"/etc/acpi/PWRF
 # poweroff script for acpid
- cat >"$pkgdir"/etc/acpi/PWRF/00000080 <<EOF
-#!/bin/sh
-poweroff
-EOF
- chmod +x "$pkgdir"/etc/acpi/PWRF/00000080
+ { echo '#!/bin/sh'; echo poweroff ; } > "$pkgdir"/etc/acpi/PWRF/00000080
+ chmod 0755 "$pkgdir"/etc/acpi/PWRF/00000080
 }
 sha512sums="
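Review bot: The new install loops in package() ship only *.confd and *.initd, and the removed block in the second hunk was the only place that put mdev.conf into /etc and persistent-storage into /lib/mdev (both files are deleted later in this commit); mdev.initd still runs `mdev -s`, so unless depends= (outside these hunks) now pulls in a package that provides /etc/mdev.conf, the service starts with no rules file and device nodes get mdev's built-in default owner and mode. A `depends=` entry for that package, or a one-line comment above the loops naming where the mdev rules now come from, would make the hand-off explicit. Minor: `${file}` and `${file%%\.confd}` are unquoted and the escaped pattern is more than needed; `install -D -m 0644 "$file" "$pkgdir"/etc/conf.d/"${file%.confd}"` is the usual form. package() continues past the end of the hunk.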
@@ -193,7 +196,7 @@ a2787a3ecaf6746dadef62166e8ee6ecaa166147e5ad8b917c5838536057c875bab5f9cf40c3e05e 0cac9b944928500293e366b42e03211d4159d05b622da60664825e5ee87c9bf6d5a8ea5e794584713f7464efb4cdc431e02f439c717b7e62b1864a228bc8cbac 0001-modutils-check-ELF-header-before-calling-finit_module.patch d8694293edc8cd55cecafeb902f03c01af318e13966f399365cf792b840793891ac086bb67ef83e7a5a2e01b246497a6c6511cb6a856834f6672dee4bca76896 0002-fsck-resolve-LABEL-.-UUID-.-spec-to-device.patch 8c34dd5ce9a6e84279fa6494cbae0b254778976f341af1d0ccc2a3afb405fb22d374e9623ea83d1500da77c7463db2ed5218d2c9f49350a21114bd0bb17fd87d 0003-ash-exec-busybox.static.patch -a8fc2ccced4054f5eff6ea00389906a543a1716202b19ab71fda1de0e6860c8377ed3c306ffb9efabe9fb16779a306da6770b871229f6bd1d725a84fdaa03fef 0004-app-location-for-cpio-vi-and-lspci.patch +f9745497abd4d04621f089c62d9f2104c30d54f342125f597292253f2974d385c5f4a46e7d87a5d1b641b11b34ba5221183dd5dad1e3bbe74a787fb8d6a994b7 0004-app-location-for-cpio-vi-and-lspci.patch f12916e70f7cc1ef4f6d85d09b9a496a52a494e6318029fdce9a9c812ab5c7b2a046c33b66834127bf809f243c91a53c3c5e27efca026a96fe6b03421de26e60 0005-udhcpc-set-default-discover-retries-to-5.patch 89215c328a46afc686c458a133dd88dcda817586df60eb041a694715e73dc78a297fc0f9a92e8ee7d0a39ce7f6053a6b8e38f3ee078ff90ed13fac2608510105 0006-ping-make-ping-work-without-root-privileges.patch 7873b98c676a92faea61511d50c1efac1220354d20afd53de19e2c8f1472559cb333b9dd4e0d6432616d8c5f59885f1503c448c86a912e8031c9bfed628c2db1 0007-fbsplash-support-console-switching.patch 
@@ -206,25 +209,25 @@ ecbe5c890d966f09280c7eb534109f785c68e292765f17ed7ff62fcc61d20f61443c4155add0a1eb 0040800382a6e3adcc6a8094b821488c7e297fc80304afba23a4fca43b7b26ac699378dfbd930ebbf9985336b3e431301f7ca93e2d041a071902a48740d263ef 0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch 4c95dc4bf6aff9018bfb52b400f6d8375a1d22493b44ea516cb12dba6556f12797a3cba55768d2e59ff57c0f3247ec1ff95edb8f17561f3d37ec18d83ca47eb0 0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch ccdf098fb15eaa316708181469a1193d6eec7067131e7b7645e0219bf03cfd07f4f79e8f62c1e560f6146dcc38186a29bdee08aaa39f290e11d020b8f07d2f65 0017-ash-Fix-use-after-free-on-idx-variable.patch +3abdbd25f1f0daa24b0aabe92880c28dc2d3b59eb29fad357dfaf2b78bb895466bbf4495e2185370d9219d65b22e65e525769e369e50fb1fdfd71b5229a4f429 0018-ash-fix-ifs-cleanup-on-error-paths.patch 6d100fe44da2b97c2cbdda253d0504b487212d195144d9315cddbe8c51d18fae3745701923b170b40e35f54b592f94f02cadbffd9cb716661c12a7f1da022763 0001-ash-add-built-in-BB_ASH_VERSION-variable.patch e33dbc27d77c4636f4852d5d5216ef60a9a4343484e4559e391c13c813bf65c782b889914eff2e1f038d74cf02cb0d23824ebbb1044b5f8c86260d5a1bbc4e4d 0001-pgrep-add-support-for-matching-against-UID-and-RUID.patch -b4b8195390da70c96503e66e18420b8aea5754f64300082632fcaccd4ebe86cb771d6d4b912f5162e0538e6f756a9377689ad9a138f683cd729c3f54770304bf 0001-avoid-redefined-warnings-when-building-with-utmps.patch +7608fbb9deddc9268ba53bc5b762a00fa16744d595f6f8a2f5a857339e754ea0c3da084a1e48269c8281553e9171d2bb29b8530fbe85e6a934f97c3cfcdbe31b 0001-avoid-redefined-warnings-when-building-with-utmps.patch b52050678e79e4da856956906d07fcb620cbf35f2ef6b5a8ee3b8d244ea63b4b98eef505451184d5b4937740d91eef154ed748c30d329ac485be51b37626f251 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch ead4ad65d270d8659e1898fa16f76b6cbcf567d8aba238eacccda3764edb4362240d9359d6389873bedc126d405f805fc6dfce653a7181618ebcc67c94bd08d2 0002-nslookup-sanitize-all-printed-strings-with-printable.patch 
4f6ddd59d6096943f617b0938fca428114190b8b37732d6783faab291451a2c30c452ed39299db22d1d9679d007022f87d43e93b38a4f6ced64a8659e9233773 0001-modinfo-add-k-option-for-kernel-version.patch 22e2fa8f7a6105fd9990f93b71c235980fd4eab62269939a0e3a920fe517ee4f913c6bd0148a554b67fe01d1660bf0fd76a80e9dcac290b4b8b2c304ef6080a9 CVE-2022-30065.patch +d1a2fcbf9de623531953e7ad869e41e896aa79a0917983e6f0d20ddf7393e11220dda8be93c796b7abbf34006d8f03e871a6ab293988267df5aadb74cbd8aeb1 0001-sed-check-errors-writing-file-with-sed-i.patch aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1 acpid.logrotate 0b92eafab0722a6c9cc4880e3be4976de9713e1e1c715c6c727a948cbd68268fce01ce308291834f70d0cf3328f7c8a44cbdb5b7c70d90f91b15efcb5b90acb3 config e063599f412df919b75584fee9501925418ef21689232792e9d61178f4e34a65c3cff8a3b1b4cf3e5be61efea2065cc303db35c53ec07b361d3a65e888247544 default.script dd548670114a92404b8e35fb915fdbe5994498b05b0a418583271c3dd72fb7800950e42c095c902a014eb198c046b8a346d43dccd8e7a158048ae33767c572ed acpid.initd +34c6f3197064bb91619b899b28a201bd4d920b18bded3845440b2cb36dc6f16cabf447c96878349b16e46c30184cbe48bac00a01c5f7cf1be038c0b7136064c5 crond.confd c9d0fb0f8cc27d661d3b4e58c56eb598ca368890576e18ffffd42efdf68ba35537656be9be319b2e2818aa0152d3ca8611bece2433512fbfcd4eed7988765549 crond.initd -1aed59fb048f0636ee8a095a089a20554a20eda84c70485a894ae60b0f97b792b7ce8e832557457258f59a2750735c4a25e247364ccf1180e9652b292a5f9e8d mdev.initd -acfd45bda4526ab551a30faec1742ad1569aa85e0d315959c3e3a3d6a693f94c74efeb57a00b8791524651e8a61d3f7ea3e3e08a4b0291ec46309f594ee8124c syslog.initd -1d4574ec7cc6d7e9952bb50b4fcb10a910868688da03a25aede492835313c686247bde1faa17f50243d61a93bfc1d8fa54cf821d7be908581e365b0f1b6a5588 udhcpd.initd 23ef7f32447f239b617d5ae221b024c7b47ca4faa9a27f80a4a6a473fd148cb4339a728fee3bb55ce67d531a141ec07c66dca533138652058d3a6a936b68d3c7 defaults.initd 
-34c6f3197064bb91619b899b28a201bd4d920b18bded3845440b2cb36dc6f16cabf447c96878349b16e46c30184cbe48bac00a01c5f7cf1be038c0b7136064c5 crond.confd bf8173ee33a5d2b61cbdbc1b070e599a17a21e5433a0d8aa9beef71e4ac831304076af8e7e58dc594cdee61562329793afdc57af91e5496bf5fffb9b734a3d9c syslog.confd +acfd45bda4526ab551a30faec1742ad1569aa85e0d315959c3e3a3d6a693f94c74efeb57a00b8791524651e8a61d3f7ea3e3e08a4b0291ec46309f594ee8124c syslog.initd 2947b23728d3ad6839f660fee11fc4c86d0d1a3fc450ceff85480932b0699e7b7293eb7258cf0e957542ed3c7a4416376ebb284992e6682aede61f48069b1043 udhcpd.confd -634fa067629febcdd8ba9516fbaafddd5be2d38ac37bff9eccfacce0fcf3b259426c12ff967b179bd93b2962401a4a2f15709d32da0623bd078688b8611817cd mdev.conf -2873ec2ba41fe96b010b14fe3fc87d347b71eb6079c12e05ac72eac6c7f146e25096c0b29b2b9d69cbe6840e16dbf4a93ee81132de9fac497e41ab5e8bce2243 persistent-storage +1d4574ec7cc6d7e9952bb50b4fcb10a910868688da03a25aede492835313c686247bde1faa17f50243d61a93bfc1d8fa54cf821d7be908581e365b0f1b6a5588 udhcpd.initd +6ce0b2a8fe69cc7ea657c5b9076aba51c8f0beeaafa4a887d8673bcc9f9cf8ee40f4b07d2d901ec7a1a1e4f29c150c496559559e803595d0bd487dec56b530a2 mdev.initd " diff --git a/aports/busybox/CVE-2022-30065.patch b/aports/busybox/CVE-2022-30065.patch new file mode 100644 index 0000000..4a9cd67 --- /dev/null +++ b/aports/busybox/CVE-2022-30065.patch 
@@ -0,0 +1,63 @@ +From 3c284dcb726ff6599d3b87fb366fb04411cf5595 Mon Sep 17 00:00:00 2001 +From: Natanael Copa <ncopa@alpinelinux.org> +Date: Fri, 17 Jun 2022 09:52:11 +0000 +Subject: [PATCH 1/2] awk: fix use after free (CVE-2022-30065) + +fixes https://bugs.busybox.net/show_bug.cgi?id=14781 + +Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> +--- + editors/awk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/editors/awk.c b/editors/awk.c +index 079d0bde5..728ee8685 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3128,6 +3128,9 @@ static var *evaluate(node *op, var *res) + + case XC( OC_MOVE ): + debug_printf_eval("MOVE\n"); ++ /* make sure that we never return a temp var */ ++ if (L.v == TMPVAR0) ++ L.v = res; + /* if source is a temporary string, jusk relink it to dest */ + if (R.v == TMPVAR1 + && !(R.v->type & VF_NUMBER) +-- +2.36.1 + + +From 30c8f8e69230ef27f116a2c10ca2e4a6cc343dad Mon Sep 17 00:00:00 2001 +From: Natanael Copa <ncopa@alpinelinux.org> +Date: Thu, 16 Jun 2022 21:54:48 +0200 +Subject: [PATCH 2/2] awk: add tests for CVE-2022-30065 + +Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> +--- + testsuite/awk.tests | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/testsuite/awk.tests b/testsuite/awk.tests +index 93e25d8c1..6c3a03c37 100755 +--- a/testsuite/awk.tests ++++ b/testsuite/awk.tests +@@ -479,4 +479,15 @@ testing 'awk backslash+newline eaten with no trace' \ + "Hello world\n" \ + '' '' + ++testing 'awk use-after-free (CVE-2022-30065)' \ ++ "awk '\$3i\$3in\$9=\$r||\$9=i6/6-9f'" \ ++ "" \ ++ "" \ ++ "" ++ ++testing 'awk assign while test' \ ++ "awk '\$1==\$1=\"foo\" {print \$1}'" \ ++ "foo\n" \ ++ "" \ ++ "foo" + exit $FAILCOUNT +-- +2.36.1 + diff --git a/aports/busybox/defaults.initd b/aports/busybox/defaults.initd new file mode 100644 index 0000000..a92a942 --- /dev/null +++ b/aports/busybox/defaults.initd 
@@ -0,0 +1,12 @@
+#!/sbin/openrc-run
+
+description="Sets service-specific defaults."
+
+start() {
+ ebegin "Setting defaults"
+ . /etc/udhcpc/udhcpc.conf
+ if [ ! -s "$UDHCPD_CONF" ] ; then
+ sed 's|%%DNS%%||' < "$UDHCPD_CONF_TEMPLATE" > "$UDHCPD_CONF"
+ fi
+ eend $?
+}
diff --git a/aports/busybox/mdev.conf b/aports/busybox/mdev.conf
deleted file mode 100644
index 903786f..0000000
--- a/aports/busybox/mdev.conf
+++ /dev/null
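Review bot: `sed ... > "$UDHCPD_CONF"` in start() rewrites the target in place as root, and since udhcpd.confd later in this commit points udhcpd at `/tmp/udhcpd.conf`, the destination plausibly lives in a world-writable directory where a pre-existing file or symlink created by another local user would be followed; the `! -s` guard also means a partially written file (sed failure, ENOSPC) is kept and never regenerated. Generating the file under a service-owned directory such as /run, or at least writing to a temporary file in the same directory and `mv`-ing it into place, avoids both. `. /etc/udhcpc/udhcpc.conf` is unchecked: if the file is missing both variables are empty, `sed < ""` fails, and eend reports only a generic failure; `[ -r /etc/udhcpc/udhcpc.conf ] || { eend 1 "udhcpc.conf missing"; return 1; }` would name the cause. Whether UDHCPD_CONF and UDHCPD_CONF_TEMPLATE are defined by that file cannot be confirmed from this diff.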
@@ -1,134 +0,0 @@ -# -# This is a sample mdev.conf. -# - -# Devices: -# Syntax: %s %d:%d %s -# devices user:group mode - -$MODALIAS=.* root:root 0660 @modprobe -q -b "$MODALIAS" - -# null does already exist; therefore ownership has to be changed with command -null root:root 0666 @chmod 666 $MDEV -zero root:root 0666 -grsec root:root 0660 -full root:root 0666 - -random root:root 0666 -urandom root:root 0444 -hwrandom root:root 0660 - -console root:tty 0600 - -# load frambuffer console when first frambuffer is found -fb0 root:video 0660 @modprobe -q -b fbcon -vchiq root:video 0660 - -fd0 root:floppy 0660 -kmem root:root 0640 -mem root:root 0640 -port root:root 0640 -ptmx root:tty 0666 - -# Kernel-based Virtual Machine. -kvm root:kvm 660 - -# ram.* -ram([0-9]*) root:disk 0660 >rd/%1 -loop([0-9]+) root:disk 0660 >loop/%1 - -# persistent storage -dasd.* root:disk 0660 */lib/mdev/persistent-storage -mmcblk.* root:disk 0660 */lib/mdev/persistent-storage -nbd.* root:disk 0660 */lib/mdev/persistent-storage -nvme.* root:disk 0660 */lib/mdev/persistent-storage -sd[a-z].* root:disk 0660 */lib/mdev/persistent-storage -sr[0-9]+ root:cdrom 0660 */lib/mdev/persistent-storage -vd[a-z].* root:disk 0660 */lib/mdev/persistent-storage -xvd[a-z].* root:disk 0660 */lib/mdev/persistent-storage - -md[0-9] root:disk 0660 - -tty root:tty 0666 -tty[0-9] root:root 0600 -tty[0-9][0-9] root:tty 0660 -ttyS[0-9]* root:uucp 0660 -pty.* root:tty 0660 -vcs[0-9]* root:tty 0660 -vcsa[0-9]* root:tty 0660 - -# rpi bluetooth -#ttyAMA0 root:tty 660 @btattach -B /dev/$MDEV -P bcm -S 115200 -N & - -ttyACM[0-9] root:dialout 0660 @ln -sf $MDEV modem -ttyUSB[0-9] root:dialout 0660 @ln -sf $MDEV modem -ttyLTM[0-9] root:dialout 0660 @ln -sf $MDEV modem -ttySHSF[0-9] root:dialout 0660 @ln -sf $MDEV modem -slamr root:dialout 0660 @ln -sf $MDEV slamr0 -slusb root:dialout 0660 @ln -sf $MDEV slusb0 -fuse root:root 0666 - -# dri device -dri/.* root:video 0660 -card[0-9] root:video 0660 =dri/ - -# alsa sound devices and 
audio stuff -pcm.* root:audio 0660 =snd/ -control.* root:audio 0660 =snd/ -midi.* root:audio 0660 =snd/ -seq root:audio 0660 =snd/ -timer root:audio 0660 =snd/ - -adsp root:audio 0660 >sound/ -audio root:audio 0660 >sound/ -dsp root:audio 0660 >sound/ -mixer root:audio 0660 >sound/ -sequencer.* root:audio 0660 >sound/ - -SUBSYSTEM=sound;.* root:audio 0660 - -# virtio-ports -SUBSYSTEM=virtio-ports;vport.* root:root 0600 @mkdir -p virtio-ports; ln -sf ../$MDEV virtio-ports/$(cat /sys/class/virtio-ports/$MDEV/name) - -# misc stuff -agpgart root:root 0660 >misc/ -psaux root:root 0660 >misc/ -rtc root:root 0664 >misc/ - -# input stuff -event[0-9]+ root:input 0640 =input/ -mice root:input 0640 =input/ -mouse[0-9] root:input 0640 =input/ -js[0-9] root:input 0640 =input/ -ts[0-9] root:input 0600 =input/ - -# v4l stuff -vbi[0-9] root:video 0660 >v4l/ -video[0-9]+ root:video 0660 >v4l/ - -# dvb stuff -dvb.* root:video 0660 */lib/mdev/dvbdev - -# load drivers for usb devices -usb[0-9]+ root:root 0660 */lib/mdev/usbdev - -# net devices -# 666 is fine: https://www.kernel.org/doc/Documentation/networking/tuntap.txt -net/tun[0-9]* root:netdev 0666 -net/tap[0-9]* root:netdev 0666 - -# zaptel devices -zap(.*) root:dialout 0660 =zap/%1 -dahdi!(.*) root:dialout 0660 =dahdi/%1 -dahdi/(.*) root:dialout 0660 =dahdi/%1 - -# raid controllers -cciss!(.*) root:disk 0660 =cciss/%1 -cciss/(.*) root:disk 0660 =cciss/%1 -ida!(.*) root:disk 0660 =ida/%1 -ida/(.*) root:disk 0660 =ida/%1 -rd!(.*) root:disk 0660 =rd/%1 -rd/(.*) root:disk 0660 =rd/%1 - -# fallback for any!device -> any/device -(.*)!(.*) root:root 0660 =%1/%2 diff --git a/aports/busybox/mdev.initd b/aports/busybox/mdev.initd index 9dbb994..630d837 100644 --- a/aports/busybox/mdev.initd +++ b/aports/busybox/mdev.initd 
@@ -1,39 +1,40 @@
 #!/sbin/openrc-run
+description="the mdev device manager"
+
 depend() {
 provide dev
 need sysfs dev-mount
 before checkfs fsck
- keyword -vserver -lxc
+ keyword -containers -vserver -lxc
 }
-start() {
- # check if udev is specified on cmd line
- if get_bootparam "udev"; then
- ewarn "Skipping mdev as udev requested in kernel cmdline"
- return 0
- fi
-
+_start_service () {
 ebegin "Starting busybox mdev"
 mkdir -p /dev
-
- # use mdev for hotplug
 echo "/sbin/mdev" > /proc/sys/kernel/hotplug
-
+ eend $?
+}
+
+_start_coldplug () {
+ ebegin "Scanning hardware for mdev"
 # mdev -s will not create /dev/usb[1-9] devices with recent kernels
- # so we trigger hotplug events for usb for now
+ # so we manually trigger events for usb
 for i in $(find /sys/devices -name 'usb[0-9]*'); do
 [ -e $i/uevent ] && echo add > $i/uevent
 done
-
- # create devices
+ # trigger the rest of the coldplug
 mdev -s
 eend $?
 }
+start() {
+ _start_service
+ _start_coldplug
+}
+
 stop() {
 ebegin "Stopping busybox mdev"
- echo "" > /proc/sys/kernel/hotplug
+ echo > /proc/sys/kernel/hotplug
 eend
 }
-
diff --git a/aports/busybox/persistent-storage b/aports/busybox/persistent-storage
deleted file mode 100644
index 4b821bc..0000000
--- a/aports/busybox/persistent-storage
+++ /dev/null
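Review bot: The new start() calls `_start_coldplug` unconditionally after `_start_service` and returns only the coldplug status, so a failed write of /sbin/mdev to /proc/sys/kernel/hotplug is printed by eend but the service is still marked started with coldplug done and no hotplug helper registered; `_start_service && _start_coldplug` (or `|| return 1` after the first call) keeps the old single-function semantics where the function's status was the service's. The two new helpers carry no comment explaining the split; a one-liner above each, `# register mdev as the kernel hotplug helper` and `# replay uevents so devices present at boot get their nodes`, would document it. The `_start_coldplug` loop and `mdev -s` otherwise keep the removed code's behaviour.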
@@ -1,83 +0,0 @@ -#!/bin/sh - -symlink_action() { - case "$ACTION" in - add) ln -sf "$1" "$2";; - remove) rm -f "$2";; - esac -} - -: ${SYSFS:=/sys} - -# cdrom symlink -case "$MDEV" in - sr*|xvd*) - caps="$(cat $SYSFS/block/$MDEV/capability 2>/dev/null)" - if [ $(( 0x${caps:-0} & 8 )) -gt 0 ]; then - symlink_action $MDEV cdrom - fi -esac - -# by-id symlinks -mkdir -p disk/by-id - -partition=$(cat $SYSFS/class/block/$MDEV/partition 2>/dev/null) -case "$partition" in - [0-9]*) partsuffix="-part$partition";; -esac - -wwid=$(cat $SYSFS/class/block/$MDEV/wwid 2>/dev/null) -: ${wwid:=$(cat $SYSFS/class/block/$MDEV/device/wwid 2>/dev/null)} - -if [ -n "$wwid" ]; then - case "$MDEV" in - nvme*) symlink_action ../../$MDEV disk/by-id/nvme-${wwid}${partsuffix};; - esac - case "$wwid" in - naa.*) symlink_action ../../$MDEV disk/by-id/wwn-0x${wwid#naa.};; - esac -fi - -serial=$(sed -E -e 's/^\s+//' -e 's/\s+$//' -e 's/ /_/g' \ - $SYSFS/class/block/$MDEV/device/serial 2>/dev/null) - -model=$(sed -E -e 's/^\s+//' -e 's/\s+$//' -e 's/ /_/g' \ - $SYSFS/class/block/$MDEV/device/model 2>/dev/null) - -if [ -n "$serial" ] && [ -n "$model" ]; then - case "$MDEV" in - nvme*) symlink_action ../../$MDEV disk/by-id/nvme-${model}_${serial}${partsuffix};; - esac -fi - -# virtio-blk -if [ -n "$serial" ]; then - case "$MDEV" in - vd*) symlink_action ../../$MDEV disk/by-id/virtio-${serial}${partsuffix};; - esac -fi - -# by-uuid, by-partuuid -eval $(blkid /dev/$MDEV | cut -d: -f2-) -if [ -n "$UUID" ]; then - mkdir -p disk/by-uuid - symlink_action ../../$MDEV disk/by-uuid/$UUID -fi -if [ -n "$PARTUUID" ]; then - mkdir -p disk/by-partuuid - symlink_action ../../$MDEV disk/by-partuuid/$PARTUUID -fi - -# backwards compatibility with /dev/usbdisk for /dev/sd* -if [ "${MDEV#sd}" != "$MDEV" ]; then - sysdev=$(readlink $SYSFS/class/block/$MDEV) - case "$sysdev" in - *usb[0-9]*) - # require vfat for devices without partition - if ! 
[ -e $SYSFS/block/$MDEV ] || [ TYPE="vfat" ]; then - symlink_action $MDEV usbdisk - fi - ;; - esac -fi - diff --git a/aports/busybox/udhcpd.confd b/aports/busybox/udhcpd.confd new file mode 100644 index 0000000..69aaec3 --- /dev/null +++ b/aports/busybox/udhcpd.confd @@ -0,0 +1 @@ +UDHCPD_OPTS="-S /tmp/udhcpd.conf" diff --git a/aports/hostapd/0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch b/aports/hostapd/0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch new file mode 100644 index 0000000..97d6e04 --- /dev/null +++ b/aports/hostapd/0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch @@ -0,0 +1,30 @@ +From 6ff8bda992463a8c0dc34ee18820ca56cf9cccc0 Mon Sep 17 00:00:00 2001 +From: Yegor Yefremov <yegorslists@googlemail.com> +Date: Wed, 30 Mar 2022 10:11:16 +0200 +Subject: [PATCH] hostapd: Add the missing CONFIG_SAE option to the defconfig + +CONFIG_SAE was added to wpa_supplicant's defconfig but wasn't +added to the hostapd's defconfig file. + +Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com> +--- + hostapd/defconfig | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hostapd/defconfig b/hostapd/defconfig +index 6b50b6c59..611f96ffa 100644 +--- a/hostapd/defconfig ++++ b/hostapd/defconfig +@@ -161,6 +161,9 @@ CONFIG_IPV6=y + # final IEEE 802.11ax version. + #CONFIG_IEEE80211AX=y + ++# Simultaneous Authentication of Equals (SAE), WPA3-Personal ++#CONFIG_SAE=y ++ + # Remove debugging code that is printing out debug messages to stdout. + # This can be used to reduce the size of the hostapd considerably if debugging + # code is not needed. +-- +2.30.2 + diff --git a/aports/hostapd/APKBUILD b/aports/hostapd/APKBUILD index 12d4224..3e767b9 100644 --- a/aports/hostapd/APKBUILD +++ b/aports/hostapd/APKBUILD 
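Review bot: `UDHCPD_OPTS="-S /tmp/udhcpd.conf"` makes udhcpd read its configuration from a world-writable directory; whatever generates that file is not in this diff, but a file under /tmp can be pre-created or replaced by any local account, and a stale copy can linger across boots if /tmp is persistent, with the DHCP server accepting either. Prefer a root-owned location such as `/run/udhcpd.conf` or `/etc/udhcpd.conf`, or have the generator create the file atomically in a root-only directory and the service refuse one not owned by root. If the image has no unprivileged accounts the risk is lower, but a comment in this file stating that assumption would document why the path is acceptable.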
@@ -1,18 +1,20 @@ # Maintainer: Gabor Pali <pali.gabor@gmail.com> pkgname=hostapd pkgver=2.10 -pkgrel=1 # base: 1 +pkgrel=2 # base: 5 pkgdesc="daemon for wireless software access points" url="https://w1.fi/hostapd/" arch="all" license="BSD-3-Clause" -makedepends="openssl1.1-compat-dev libnl3-dev linux-headers" +makedepends="openssl-dev>3 libnl3-dev linux-headers" subpackages= source="https://w1.fi/releases/hostapd-$pkgver.tar.gz $pkgname.initd $pkgname.confd + 0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch " options="!check" #no testsuite +patch_args="-p2" builddir="$srcdir"/$pkgname-$pkgver/hostapd # secfixes: 
@@ -40,46 +42,51 @@ builddir="$srcdir"/$pkgname-$pkgver/hostapd # - CVE-2017-13088 prepare() { - cd "$builddir" + default_prepare + sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \ hostapd.conf # toolchain setup - sed \ - -e '/^#CONFIG_DRIVER_NL80211=y/s/^#//' \ - -e '/^#CONFIG_RADIUS_SERVER=y/s/^#//' \ - -e '/^#CONFIG_DRIVER_WIRED=y/s/^#//' \ - -e '/^#CONFIG_DRIVER_NONE=y/s/^#//' \ - -e '/^#CONFIG_IEEE80211N=y/s/^#//' \ - -e '/^#CONFIG_IEEE80211R=y/s/^#//' \ - -e '/^#CONFIG_IEEE80211AC=y/s/^#//' \ - -e '/^#CONFIG_IEEE80211AX=y/s/^#//' \ - -e '/^#CONFIG_FULL_DYNAMIC_VLAN=y/s/^#//' \ - -e '/^#CONFIG_LIBNL32=y/s/^#//' \ - -e '/^#CONFIG_ACS=y/s/^#//' \ - -e '/^#CONFIG_WEP=y/s/^#//' \ - defconfig >> .config - echo "CC ?= ${CC:-gcc}" >> .config - echo "CFLAGS += -I/usr/include/libnl3" >> .config - echo "LIBS += -L/usr/lib" >> .config + { + sed \ + -e '/^#CONFIG_DRIVER_NL80211=y/s/^#//' \ + -e '/^#CONFIG_RADIUS_SERVER=y/s/^#//' \ + -e '/^#CONFIG_DRIVER_WIRED=y/s/^#//' \ + -e '/^#CONFIG_DRIVER_NONE=y/s/^#//' \ + -e '/^#CONFIG_IEEE80211N=y/s/^#//' \ + -e '/^#CONFIG_IEEE80211R=y/s/^#//' \ + -e '/^#CONFIG_IEEE80211AC=y/s/^#//' \ + -e '/^#CONFIG_IEEE80211AX=y/s/^#//' \ + -e '/^#CONFIG_FULL_DYNAMIC_VLAN=y/s/^#//' \ + -e '/^#CONFIG_LIBNL32=y/s/^#//' \ + -e '/^#CONFIG_ACS=y/s/^#//' \ + -e '/^#CONFIG_WEP=y/s/^#//' \ + defconfig + + echo "CC ?= ${CC:-gcc}" + echo "CFLAGS += -I/usr/include/libnl3" + echo "LIBS += -L/usr/lib" + } >> .config } build() { - cd "$builddir" + export CFLAGS="$CFLAGS -flto=auto" + make } package() { - cd "$builddir" - - install -Dm755 hostapd "$pkgdir"/usr/sbin/hostapd \ - && install -Dm755 "$srcdir"/hostapd.initd \ - "$pkgdir"/etc/init.d/hostapd \ - && install -Dm644 "$srcdir"/hostapd.confd \ - "$pkgdir"/etc/conf.d/hostapd + install -Dm755 hostapd \ + -t "$pkgdir"/usr/sbin/ + install -Dm755 "$srcdir"/hostapd.initd \ + "$pkgdir"/etc/init.d/hostapd + install -Dm644 "$srcdir"/hostapd.confd \ + "$pkgdir"/etc/conf.d/hostapd } sha512sums=" 
243baa82d621f859d2507d8d5beb0ebda15a75548a62451dc9bca42717dcc8607adac49b354919a41d8257d16d07ac7268203a79750db0cfb34b51f80ff1ce8f hostapd-2.10.tar.gz -b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd -0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd +adeca34c6254ac6fccd84e6f08f8c394225e1b89e2c8771b46da5c85fe3fdabc568628530c39da3ab30b72e98891b07bbdb63f74217e79d6afb9796715d822f1 hostapd.initd +95a80f5ceafd70da3d11207e591300d0e4f03d48724147cf3572420b177d50687524b715fe2001d826020e8b28959fa8c7b8334a5cbbfeec7c82d1db9a0b333a hostapd.confd +7cde99c431f1cf746473ae53c3009735c2a718e7038c3bc1629fc45ca85a191d799e975960da96e3cf14a56389ba06eee78453a9dd457941d6af758b730cbd05 0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch " diff --git a/aports/hostapd/hostapd.confd b/aports/hostapd/hostapd.confd index 6038115..2260629 100644 --- a/aports/hostapd/hostapd.confd +++ b/aports/hostapd/hostapd.confd @@ -1,5 +1,4 @@ -# Space separated list of configuration files -CONFIGS="/etc/hostapd/hostapd.conf" - -# Extra options to pass to hostapd, see hostapd(8) -OPTIONS="" +cfgfile="/etc/hostapd/hostapd.conf" +command_args="" +# Uncomment to run with process supervisor. +# supervisor="supervise-daemon" diff --git a/aports/hostapd/hostapd.initd b/aports/hostapd/hostapd.initd index 7813fd1..a7b6033 100644 --- a/aports/hostapd/hostapd.initd +++ b/aports/hostapd/hostapd.initd 
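Review bot: The newly added `0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch` only adds a commented-out `#CONFIG_SAE=y` to defconfig, and the `sed` list in `prepare()` does not uncomment it, so unless hostapd's own Makefile already defaults CONFIG_SAE on, WPA3-Personal is still not compiled in; if SAE is the goal, add `-e '/^#CONFIG_SAE=y/s/^#//' \` next to the other `CONFIG_*` enablers. The same list keeps enabling `CONFIG_WEP=y`; WEP is deprecated upstream and broken as a cipher, so either drop that line or leave a comment stating why this build still needs it. `patch_args="-p2"` is correct for this patch's `a/hostapd/defconfig` path given `builddir` ends in `/hostapd`, but it applies to every patch in `source=`, which is worth a comment so a later patch taken from the tree root is not silently mis-applied.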
@@ -1,46 +1,34 @@ #!/sbin/openrc-run -# Copyright 1999-2006 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/files/hostapd-0.6.9-init.d,v 1.2 2009/05/17 10:18:18 gurligebis Exp $ + +name="hostapd" +description="User space daemon for access point and authentication servers" extra_started_commands="reload" +# $CONFIGS and $OPTIONS are deprecated since Alpine v3.17. +# NOTE: cfgfile can contain more than one file path in this case. +: ${cfgfile:=${CONFIGS:-"/etc/hostapd/hostapd.conf"}} + +command="/usr/sbin/hostapd" +command_args="${command_args:-$OPTIONS} $cfgfile" +command_background="yes" +pidfile="/run/$RC_SVCNAME.pid" + +required_files="$cfgfile" + depend() { need net after firewall use logger } -checkconfig() { - local file - - for file in ${CONFIGS}; do - if [ ! -r "${file}" ]; then - eerror "hostapd configuration file (${CONFIG}) not found" - return 1 - fi - done -} - -start() { - checkconfig || return 1 - - ebegin "Starting ${SVCNAME}" - start-stop-daemon --start --exec /usr/sbin/hostapd \ - -- -B ${OPTIONS} ${CONFIGS} - eend $? -} - -stop() { - ebegin "Stopping ${SVCNAME}" - start-stop-daemon --stop --exec /usr/sbin/hostapd - eend $? -} - reload() { - checkconfig || return 1 + ebegin "Reloading $name configuration" - ebegin "Reloading ${SVCNAME} configuration" - kill -HUP $(pidof /usr/sbin/hostapd) > /dev/null 2>&1 + if [ "$supervisor" ]; then + $supervisor "$RC_SVCNAME" --signal HUP + else + start-stop-daemon --signal HUP --pidfile "$pidfile" + fi eend $? } diff --git a/aports/iptables/APKBUILD b/aports/iptables/APKBUILD index 4dc6dc6..f6ed3cc 100644 --- a/aports/iptables/APKBUILD +++ b/aports/iptables/APKBUILD @@ -2,7 +2,7 @@ pkgname=iptables pkgver=1.8.8 -pkgrel=0 # base: 1 +pkgrel=0 # base: 2 pkgdesc="Linux kernel firewall, NAT and packet mangling tools" url="https://www.netfilter.org/projects/iptables/index.html" arch="all" 
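Review bot: `reload()` signals whatever PID is in `$pidfile` without checking that it is still hostapd: `start-stop-daemon --signal HUP --pidfile "$pidfile"` has no `--exec`, so a stale pidfile after a crash plus PID reuse would HUP an unrelated process; add `--exec "$command"` to that line so the match is restricted to the hostapd binary. `command_args="${command_args:-$OPTIONS} $cfgfile"` deliberately leaves `$cfgfile` unquoted so several paths can be listed, as the comment says; noting there that paths containing spaces are therefore unsupported would save the next reader a question. The rewrite also drops the Gentoo copyright header the script was derived from while keeping the original `depend()` block unchanged; if that block is considered derived, the attribution should stay.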
diff --git a/aports/linux-lts/APKBUILD b/aports/linux-lts/APKBUILD index 1884f92..cdcdcd5 100644 --- a/aports/linux-lts/APKBUILD +++ b/aports/linux-lts/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Gabor Pali <pali.gabor@gmail.com> pkgname=linux-lts -pkgver=5.15.68 +pkgver=5.15.85 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=$pkgver;; @@ -162,7 +162,7 @@ _dev() { sha512sums=" d25ad40b5bcd6a4c6042fd0fd84e196e7a58024734c3e9a484fd0d5d54a0c1d87db8a3c784eff55e43b6f021709dc685eb0efa18d2aec327e4f88a79f405705a linux-5.15.tar.xz -d88b8df06cc3aa02b94071fbcd980c85709235e6776031c06324db961e421554998a3242db0efe65bc989b63e8933b42137392bb11b7b5c4e9e851e64959bf9a config-lts.x86_64 +94cda531cdfc6337a19cde9888a2fde07b478756ddbd78039bde93e74e1677b2272995119b6f037f5b7a39305a41483d12b89933fce61f120c5f864b5d92d74c config-lts.x86_64 65504e60731f7254079caa997cd44585f8b9608aa66e0879e677872f89b91aa77b67f28617eddef7fe9932a73a5942466c12c733432405ee7e42944daadef6d4 0001-mt76-mt7921-add-support-for-PCIe-ID-0x0608.patch -2c499cd943c2e018fea2d2e776e058e5e7ad6ab97ecc657df271d05ad4e1364c79d4c32d487d0039e7e37079858ccda3a0541f8d24f9e78f60071158e2794ef4 patch-5.15.68.xz +aa7d75ab949a266495391728a93096e30d0579ec490ee97b3a5f7cb4ef4268c17fbc3ba337a289e14c3bebc7e7be4dc7656abe86abc3cb8d691e2d5f21a480b5 patch-5.15.85.xz " diff --git a/aports/linux-lts/config-lts.x86_64 b/aports/linux-lts/config-lts.x86_64 index 009d779..352db0c 100644 --- a/aports/linux-lts/config-lts.x86_64 +++ b/aports/linux-lts/config-lts.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.15.68 Kernel Configuration +# Linux/x86_64 5.15.85 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20211027) 10.3.1 20211027" CONFIG_CC_IS_GCC=y 
@@ -382,7 +382,10 @@ CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y # Power management and ACPI options # # CONFIG_SUSPEND is not set -# CONFIG_PM is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set CONFIG_ARCH_SUPPORTS_ACPI=y CONFIG_ACPI=y CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y @@ -609,6 +612,7 @@ CONFIG_EFI_PARTITION=y CONFIG_BLK_MQ_PCI=y CONFIG_BLK_MQ_VIRTIO=y +CONFIG_BLK_PM=y # # IO Schedulers @@ -745,6 +749,7 @@ CONFIG_SYN_COOKIES=y # CONFIG_INET_AH is not set # CONFIG_INET_ESP is not set # CONFIG_INET_IPCOMP is not set +CONFIG_INET_TABLE_PERTURB_ORDER=16 CONFIG_INET_TUNNEL=y # CONFIG_INET_DIAG is not set CONFIG_TCP_CONG_ADVANCED=y @@ -1081,6 +1086,7 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWERSAVE is not set # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set # CONFIG_PCIEASPM_PERFORMANCE is not set +CONFIG_PCIE_PME=y # CONFIG_PCIE_PTM is not set CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y @@ -1442,6 +1448,7 @@ CONFIG_ATH9K_PCI=y # CONFIG_ATH9K_AHB is not set # CONFIG_ATH9K_DEBUGFS is not set # CONFIG_ATH9K_DYNACK is not set +# CONFIG_ATH9K_WOW is not set CONFIG_ATH9K_RFKILL=y # CONFIG_ATH9K_CHANNEL_CONTEXT is not set CONFIG_ATH9K_PCOEM=y @@ -2884,6 +2891,8 @@ CONFIG_SYMBOLIC_ERRNAME=y CONFIG_DEBUG_BUGVERBOSE=y # end of printk and dmesg options +CONFIG_AS_HAS_NON_CONST_LEB128=y + # # Compile-time checks and compiler options # diff --git a/aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch b/aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch index 3d41060..c2b4f02 100644 --- a/aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch +++ b/aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch @@ -1,14 +1,19 @@ -From 78245081fe109ed7777b79ba9c99890d56c21272 Mon Sep 17 00:00:00 2001 +From 908f77d4f1930c1ac0be036d3d2e10ff15f84fbf Mon Sep 17 00:00:00 2001 
From: Natanael Copa <ncopa@alpinelinux.org> Date: Wed, 1 Feb 2017 04:04:52 +0000 Subject: [PATCH] call /sbin/mkmntdirs in localmount OpenRC service --- - init.d/localmount.in | 2 ++ - 1 file changed, 2 insertions(+) + init.d/localmount.in | 2 ++ + src/meson.build | 1 + + src/mkmntdirs/meson.build | 5 +++ + src/mkmntdirs/mkmntdirs.c | 67 +++++++++++++++++++++++++++++++++++++++ + 4 files changed, 75 insertions(+) + create mode 100644 src/mkmntdirs/meson.build + create mode 100644 src/mkmntdirs/mkmntdirs.c diff --git a/init.d/localmount.in b/init.d/localmount.in -index c571504a..14189396 100644 +index 8a66eb8d..19693b6b 100644 --- a/init.d/localmount.in +++ b/init.d/localmount.in @@ -21,6 +21,8 @@ depend() 
@@ -20,6 +25,102 @@ index c571504a..14189396 100644 # Mount local filesystems in /etc/fstab. # The types variable must start with no, and must be a type local critical= types="noproc" x= no_netdev= rc= +diff --git a/src/meson.build b/src/meson.build +index 76f6d8a1..0f640eec 100644 +--- a/src/meson.build ++++ b/src/meson.build +@@ -12,6 +12,7 @@ subdir('is_newer_than') + subdir('is_older_than') + subdir('kill_all') + subdir('mark_service') ++subdir('mkmntdirs') + subdir('mountinfo') + subdir('on_ac_power') + subdir('openrc') +diff --git a/src/mkmntdirs/meson.build b/src/mkmntdirs/meson.build +new file mode 100644 +index 00000000..20f9762d +--- /dev/null ++++ b/src/mkmntdirs/meson.build +@@ -0,0 +1,5 @@ ++executable('mkmntdirs', ++ ['mkmntdirs.c'], ++ c_args : cc_branding_flags, ++ install: true, ++ install_dir: sbindir) +diff --git a/src/mkmntdirs/mkmntdirs.c b/src/mkmntdirs/mkmntdirs.c +new file mode 100644 +index 00000000..eaeae732 +--- /dev/null ++++ b/src/mkmntdirs/mkmntdirs.c +@@ -0,0 +1,67 @@ ++/* ++ * Create mount directories in fstab ++ * ++ * Copyright(c) 2008 Natanael Copa <natanael.copa@gmail.com> ++ * May be distributed under the terms of GPL-2 ++ * ++ * usage: mkmntdirs [fstab] ++ * ++ */ ++ ++#include <sys/stat.h> ++#include <sys/types.h> ++ ++#include <err.h> ++#include <mntent.h> ++#include <stdio.h> ++#include <string.h> ++ ++ ++#ifdef DEBUG ++#define mkdir_recursive(p) puts((p)) ++#else ++static void mkdir_recursive(char *path) ++{ ++ char *s = path; ++ while (1) { ++ int c = '\0'; ++ while (*s) { ++ if (*s == '/') { ++ do { ++ ++s; ++ } while (*s == '/'); ++ c = *s; /* Save the current char */ ++ *s = '\0'; /* and replace it with nul. 
*/ ++ break; ++ } ++ ++s; ++ } ++ mkdir(path, 0755); ++ if (c == '\0') ++ return; ++ *s = c; ++ } ++} ++#endif ++ ++int main(int argc, const char *argv[]) ++{ ++ const char *filename = "/etc/fstab"; ++ FILE *f; ++ struct mntent *ent; ++ if (argc == 2) ++ filename = argv[1]; ++ ++ f = setmntent(filename, "r"); ++ if (f == NULL) ++ err(1, "%s", filename); ++ ++ while ((ent = getmntent(f)) != NULL) { ++ if (strcmp(ent->mnt_dir, "none") != 0) ++ mkdir_recursive(ent->mnt_dir); ++ } ++ ++ endmntent(f); ++ return 0; ++} ++ -- -2.33.1 +2.37.1 diff --git a/aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch b/aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch index 546ccb7..265a51e 100644 --- a/aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch +++ b/aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch @@ -21,8 +21,8 @@ Fixes issue #54. diff --git a/src/rc/rc.c b/src/rc/rc.c index ef46925d..82786074 100644 ---- a/src/rc/rc.c -+++ b/src/rc/rc.c +--- a/src/openrc/rc.c ++++ b/src/openrc/rc.c @@ -729,6 +729,7 @@ int main(int argc, char **argv) const char *bootlevel = NULL; char *newlevel = NULL; diff --git a/aports/openrc/0009-dont-overwrite-empty-supervise_daemon_args.patch b/aports/openrc/0009-dont-overwrite-empty-supervise_daemon_args.patch new file mode 100644 index 0000000..4716d06 --- /dev/null +++ b/aports/openrc/0009-dont-overwrite-empty-supervise_daemon_args.patch 
@@ -0,0 +1,40 @@ +Patch-Source: https://github.com/OpenRC/openrc/pull/558 +-- +From a2f1d65f1646e5f539e986f22964cf078ba58fce Mon Sep 17 00:00:00 2001 +From: Jakub Jirutka <jakub@jirutka.cz> +Date: Sun, 6 Nov 2022 02:14:26 +0100 +Subject: [PATCH] supervise-daemon: don't overwrite empty supervise_daemon_args + +If supervise_daemon_args is not set *or empty*, it defaults to +`start_stop_daemon_args`. This is bad because supervise-daemon doesn't +accept the same options as `start-stop-daemon`. So if we set e.g. +`start_stop_daemon_args="--wait 50"`, but not `supervise_daemon_args`, +and the user adds `supervisor=supervise-daemon` to the corresponding +/etc/conf.d/<service> file, the service will fail to start due to +unrecognized option "wait". + +It would be best to remove this fallback, but that might break some +existing scripts that depend on it. So this commit just changes it to +use `start_stop_daemon_args` as the default for `supervise_daemon_args` +only if `supervise_daemon_args` is not set at all, but not if it's +empty. + +This at least simplifies workarounds; we can just add +`supervise_daemon_args="$supervise_daemon_args"` to init scripts. +--- + sh/supervise-daemon.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sh/supervise-daemon.sh b/sh/supervise-daemon.sh +index 8d2d6faff..8eb98a17a 100644 +--- a/sh/supervise-daemon.sh ++++ b/sh/supervise-daemon.sh +@@ -41,7 +41,7 @@ supervise_start() + ${no_new_privs:+--no_new_privs} \ + ${command_user+--user} $command_user \ + ${umask+--umask} $umask \ +- ${supervise_daemon_args:-${start_stop_daemon_args}} \ ++ ${supervise_daemon_args-${start_stop_daemon_args}} \ + $command \ + -- $command_args $command_args_foreground + rc=$? diff --git a/aports/openrc/0009-fix-bootmisc-mv-error.patch b/aports/openrc/0009-fix-bootmisc-mv-error.patch deleted file mode 100644 index e87f9bb..0000000 --- a/aports/openrc/0009-fix-bootmisc-mv-error.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From: Dermot Bradley <dermot_bradley@yahoo.com> -Date: Sat, 29 Jan 2022 19:28 +0000 -Subject: prevent a bootmisc trying to move a nonexistant file - -During boot if the "previous_dmesg" setting is enabled in -/etc/conf.d/bootmisc then during the 1st boot of a machine the -bootmisc init.d script will attempt to move a nonexistant dmesg -file, so generating an error on the console. - -Modify the script to only move an existing file. - -Upstream has merged this as PR 496 so it will be in the next release. - ---- - -diff -aur a/init.d/bootmisc.in b/init.d/bootmisc.in ---- a/init.d/bootmisc.in -+++ b/init.d/bootmisc.in -@@ -226,7 +226,7 @@ - case "$RC_SYS" in - VSERVER|OPENVZ|LXC|SYSTEMD-NSPAWN) ;; - *) -- if yesno ${previous_dmesg:-no}; then -+ if yesno ${previous_dmesg:-no} && [ -e /var/log/dmesg ]; then - mv /var/log/dmesg /var/log/dmesg.old - fi - dmesg > /var/log/dmesg diff --git a/aports/openrc/0010-noexec-devfs.patch b/aports/openrc/0010-noexec-devfs.patch deleted file mode 100644 index 9a8928c..0000000 --- a/aports/openrc/0010-noexec-devfs.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- a/init.d/devfs.in -+++ b/init.d/devfs.in -@@ -24,8 +24,9 @@ mount_dev() - action=--mount - conf_d_dir="${RC_SERVICE%/*/*}/conf.d" - msg=Mounting -- # Some devices require exec, Bug #92921 -- mountopts="exec,nosuid,mode=0755" -+ # Some devices require exec, https://bugs.gentoo.org/92921 -+ # Users with such requirements can use an fstab entry for /dev -+ mountopts="noexec,nosuid,mode=0755" - if yesno ${skip_mount_dev:-no} ; then - einfo "/dev will not be mounted due to user request" - return 0 diff --git a/aports/openrc/APKBUILD b/aports/openrc/APKBUILD index daff08b..c0289bd 100644 --- a/aports/openrc/APKBUILD +++ b/aports/openrc/APKBUILD 
@@ -1,18 +1,18 @@ # Maintainer: Gabor Pali <pali.gabor@gmail.com> pkgname=openrc -pkgver=0.44.10 +pkgver=0.45.2 pkgrel=0 # base: 7 pkgdesc="OpenRC manages the services, startup and shutdown of a host" url="https://github.com/OpenRC/openrc" arch="all" license="BSD-2-Clause" depends="ifupdown-any" -makedepends="bsd-compat-headers linux-headers meson" +makedepends_host="bsd-compat-headers libcap-dev linux-headers" +makedepends_build="meson" checkdepends= subpackages= install= source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgver.tar.gz - 0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch 0002-fsck-don-t-add-C0-to-busybox-fsck.patch 0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch @@ -21,9 +21,12 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve 0006-Add-support-for-starting-services-in-a-specified-VRF.patch 0007-Clean-up-staticroute-config-remove-irrelevant-parts-.patch 0008-bootmisc-switch-wipe_tmp-setting-to-no-by-default.patch - 0009-fix-bootmisc-mv-error.patch - 0010-noexec-devfs.patch - seedrng.patch + 0009-dont-overwrite-empty-supervise_daemon_args.patch + $pkgname-grep-3.8.patch::https://github.com/OpenRC/openrc/commit/9380347f042f7d294317f4420b648422817eb75a.patch + + remount-root.patch + supervise-daemon-defaults.patch + openrc.logrotate hostname.initd hwdrivers.initd @@ -46,8 +49,8 @@ prepare() { # meson overrides this with the aports tag, # we get there first :) sed -i -e "s|@VCS_TAG@|$pkgver|" \ - src/common/version.h.in \ - src/common/version.in + src/shared/version.h.in \ + src/shared/version.in } 
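Review bot: The second hunk removes `0010-noexec-devfs.patch` from `source=` with no replacement; that patch made the `devfs` service mount `/dev` with `noexec`, so unless OpenRC 0.45.2 carries the equivalent change upstream this commit silently reverts a hardening, and the `/dev` mount options should be checked in the built image before this lands. The same hunk drops `seedrng.patch`, presumably because 0.45 ships seedrng itself; a one-line comment next to the source list (or in the commit message) naming the upstream commit that replaced each dropped patch would make the next upgrade much easier to audit. The `$pkgname-grep-3.8.patch::https://github.com/OpenRC/openrc/commit/9380347f042f7d294317f4420b648422817eb75a.patch` entry is fetched straight from GitHub but is pinned by sha512 in the sha512sums hunk, which is right; if that checksum ever mismatches, re-verify the content against the upstream commit rather than simply re-hashing it.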
@@ -123,21 +126,22 @@ package() { } sha512sums=" -0e41f5268c6b8c325a6773511ca58c38ba52a1987aa47165794df8a99359bd1bfcb99d30e0d129b9242a2661663234f6f85c92c55c891dbb6c5b8a11d93edea4 openrc-0.44.10.tar.gz -6085d127f7385eb86a00676a263c8613748fb0cbbf064bc908d346a1b368e226d8a3014e871d281f57d334a70ec1301269fe431e085f0e907b4f6ef8a99bf07f 0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch +ca2958772240f6e5037e39db1ee62a81091a2efa654da967f68e03a721868c6c0a41d32a2bddf55c8eadbc9bf5837b710cc2e4564844a7fbc0e585366da4fdf9 openrc-0.45.2.tar.gz +257861f5f0562e9b9a9fccebae474bd75c4bb51f005a2b8132fd551f061f65863de46c5bc4437f137b4a9d3ca741f9de9274bfa7b418eda70497ed4b5fd3056d 0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch 3f47b4f7e6c5b7fb53ff8a13470fbada67f7470e5eba71a683e6c022162c3905f560d561c3d61698e3fde367d6ae715edf76e99949f52a22a3bbf79debc33f64 0002-fsck-don-t-add-C0-to-busybox-fsck.patch -61c72be18283108163bde4349616e55adb535bd34312ee09f90fcd85277ffe17dcef792bbf465877c0d8b1fec87a3836f714d8d849a9cf322902a89bc1256e13 0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch +0bd69d9e8e9c321a5e67cf924be07b9dd0b58801143c18f74bebf442958fc878e46a65f07cc2842566a8c3434e788ef3ca0c90c607de6b10931f01324bfc1b11 0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch 71a743bf969110a27259405ef4b4dc4fad608b8e49039fd6afb1b1486d0f1dfccc3ef5275410fa3d6d1554ccee59c5a3424be4f2919e14453ebb709282c588a7 0004-make-consolefont-service-compatible-with-busyboxs-se.patch 9e2ae6c8e189ceae0f3f2662d9504f796e9a6a987a26ee2e10add85746b6596eb04cc256dc532a39f711b4e1aa07f1d12a384ef45d23cab49878b887bf0a878c 0005-Support-early-loading-of-keymap-if-kbd-is-installed.patch 8bf00b82d7fc0eb1b529ec735009f91d277141ba7e5c04e23d10bbcf36eb453f0b31d48aec45e50b5be4c14f611acc4454933f3cefdf8beab07d851328223464 0006-Add-support-for-starting-services-in-a-specified-VRF.patch 
431ac28808e684bea5511386bf5f06efe7f509f1dbe7e15ae6309563d813deae8f3edd872a0943ef8088e3cf778d7bc5ebd15a893dc4a08f4022b7a56bbafc63 0007-Clean-up-staticroute-config-remove-irrelevant-parts-.patch 475f4ea63b9b5d7eb9c623e96b6cc3d3072abcb7194d0045b84e0688836c8514fccfc68b0eae0b4bee60878cdea8042c3ce7e48406ee7a2f0e4a3e128a153468 0008-bootmisc-switch-wipe_tmp-setting-to-no-by-default.patch -354b2df343ddf82aedba104039bbdb1dd5fdd9c4abac52f89e881341443b73fcf000ed9e8b88e9610f1c3218cb89722ff6a774e1ef2f7fe71fa6ff62b75f572b 0009-fix-bootmisc-mv-error.patch -0535d7837ae0c695f25208199f4dec3a4031558366da346a8a1dd13c0fa2a044f14088b75eca37ce0f4a681e85c82b84aac3d65aac9176639e82b33a9355cb2a 0010-noexec-devfs.patch -715af2188cf4d1ed42f75b31ad718f5c533ea6f8cfc3c5df0fd7fc4240cd342dc637b7edf358c5da1e77d700618adaa7927ddaeae60698dd9f130dd64d83d8d5 seedrng.patch +7bdd5e97186fd9c9d17d3d9a19e16f8432e0abc27b067d2191c8038d3c32c5502ee0b5b6d539bc3550400cba63b6bccfcca05a7a3b95e352ea692b6a1be8000e 0009-dont-overwrite-empty-supervise_daemon_args.patch +0a19a00af670e38742cea8e7f59a8ef329cc2fe7f57582ce8dcd0bfb90f7b5116cc0e64a6138f56c1c20c35354f835d1638bd14d6d2ebef2e5b4332a12ec8021 openrc-grep-3.8.patch +5e60f2ea652349d716646ccf05b13a510e5797daafc5e491dd35cc3850c543a7e7499a70956f91f30702c524989386d6e08735d7ad9b7bda5ff0c2c249d52cf8 remount-root.patch +1323a8476580f7b56a9cf1b24b26b10da76c5916cf23d7dab01f08a3261751341dfe01d1ed884df8e6ea17ff6a52021cc40fb3101e99b77d4ae7f3f61ee330e8 supervise-daemon-defaults.patch 12bb6354e808fbf47bbab963de55ee7901738b4a912659982c57ef2777fff9a670e867fcb8ec316a76b151032c92dc89a950d7d1d835ef53f753a8f3b41d2cec openrc.logrotate 493f27d588e64bb2bb542b32493ed05873f4724e8ad1751002982d7b4e07963cfb72f93603b2d678f305177cf9556d408a87b793744c6b7cd46cf9be4b744c02 hostname.initd -c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd 
+787d783f91919c115809890f18d06d0812055f0aca42378e081d2cfbe2ff20a1db8d937b823ec4adbe0d380a6f02a2310dc74f6c3a2c36fd5d5371d51ad6d459 hwdrivers.initd 7113c930f7f5fb5b345b115db175f8e5837e3541b3e022d5cecf1b59067ed4b40b2adea2324a008035b97d653311217ac5cf961b4d0fc8b714a8b2505883cdc6 modules.initd 61857beb0ce1b462ff4bde595ee3808d12b1c51935e6a6bc263bf26a4adc99b434676277e270d82ed2886ceb9c82cb2a5604887bc25fef20bec223097c4d0ee4 modloop.initd 80e43ded522e2d48b876131c7c9997debd43f3790e0985801a8c1dd60bc6e09f625b35a127bf225eb45a65eec7808a50d1c08a5e8abceafc61726211e061e0a2 modloop.confd diff --git a/aports/openrc/hwdrivers.initd b/aports/openrc/hwdrivers.initd index 80184c9..c713990 100644 --- a/aports/openrc/hwdrivers.initd +++ b/aports/openrc/hwdrivers.initd @@ -16,10 +16,10 @@ start() { fi ebegin "Loading hardware drivers" - find /sys -name modalias -type f -print0 | xargs -0 sort -u \ + find /sys -name modalias -type f -print0 2> /dev/null | xargs -0 sort -u \ | xargs modprobe -b -a 2> /dev/null # we run it twice so we detect all devices - find /sys -name modalias -type f -print0 | xargs -0 sort -u \ + find /sys -name modalias -type f -print0 2> /dev/null | xargs -0 sort -u \ | xargs modprobe -b -a 2> /dev/null # check if framebuffer drivers got pulled in diff --git a/aports/openrc/remount-root.patch b/aports/openrc/remount-root.patch new file mode 100644 index 0000000..ae4f5b6 --- /dev/null +++ b/aports/openrc/remount-root.patch 
@@ -0,0 +1,42 @@ +From 489413c913af0708e9cfad987d6b3385d904e1ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net> +Date: Mon, 20 Jun 2022 19:04:49 +0200 +Subject: [PATCH] init.d/root: also remount / with options provided in + /etc/fstab + +Without this commit, the root OpenRC service remounts all mounted +filesystems (except /) with the options defined in /etc/fstab via +fstabinfo. It is presently unclear to me why / was excluded from +remounting in 497ff7ee41168d863971efb52e2ca6b42f765832 and unfortunately +neither the commit nor the associated Bugzilla issue [1] provides +further information on this. + +At Alpine, our initramfs does currently not remount / with all options +defined in /etc/fstab [2]. As part of the discussion on the Alpine side +of things we wondered why OpenRC does not remount / since this would be +the easier solution for us. For this reason, this commit changes the +behavior of the OpenRC root services accordingly to also remount / with +the options defined in /etc/fstab. + +[1]: https://bugs.gentoo.org/401573 +[2]: https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/103 +This fixes #533. +--- + init.d/root.in | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/init.d/root.in b/init.d/root.in +index 045bcd0f..2f7d82f2 100644 +--- a/init.d/root.in ++++ b/init.d/root.in +@@ -49,9 +49,7 @@ start() + local mountpoint + for mountpoint in $(fstabinfo); do + case "${mountpoint}" in +- /) +- ;; +- /*) ++ /*) # Don't remount swap etc. + mountinfo -q "${mountpoint}" && \ + fstabinfo --remount "${mountpoint}" + ;; diff --git a/aports/openrc/seedrng.patch b/aports/openrc/seedrng.patch deleted file mode 100644 index ff61d81..0000000 --- a/aports/openrc/seedrng.patch +++ /dev/null 
@@ -1,640 +0,0 @@ -From 076c2552aeff88a27fe275dfaae61dedf4bb4bd5 Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Thu, 24 Mar 2022 22:07:16 -0600 -Subject: [PATCH] Use seedrng for seeding the random number generator - -The RNG can't actually be seeded from a shell script, due to the -reliance on ioctls. For this reason, the seedrng project provides a -basic script meant to be copy and pasted into projects like OpenRC and -tweaked as needed: https://git.zx2c4.com/seedrng/about/ - -This commit imports it into OpenRC and wires up /etc/init.d/urandom to -call it. It shouldn't be called by other things on the system, so it -lives in rc_sbindir. - -Closes #506. -Closes #507. - -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> ---- - AUTHORS | 1 + - conf.d/urandom | 9 +- - init.d/urandom.in | 41 ++-- - src/rc/Makefile | 6 +- - src/rc/meson.build | 10 +- - src/rc/seedrng.c | 453 +++++++++++++++++++++++++++++++++++++++++++++ - 6 files changed, 499 insertions(+), 21 deletions(-) - create mode 100644 src/rc/seedrng.c - -diff --git a/AUTHORS b/AUTHORS -index 0616d5175..ede0f471b 100644 ---- a/AUTHORS -+++ b/AUTHORS -@@ -43,6 +43,7 @@ Ian Stakenvicius <axs@gentoo.org> - Jakob Drexel <jake42@rommel.stw.uni-erlangen.de> - James Le Cuirot <chewi@aura-online.co.uk> - Jan Psota <jasiu@belsznica.pl> -+Jason A. Donenfeld <Jason@zx2c4.com> - Jason Zaman <jason@perfinion.com> - Joe Harvell <jharvell@dogpad.net> - Joe M <joe9mail@gmail.com> -diff --git a/conf.d/urandom b/conf.d/urandom -index f721a2491..744e4f702 100644 ---- a/conf.d/urandom -+++ b/conf.d/urandom -@@ -2,4 +2,11 @@ - # (say for crypt swap), so you will need to customize this - # behavior. If you have /var on a separate partition, then - # make sure this path lives on your root device somewhere. --urandom_seed="/var/lib/misc/random-seed" -+seed_dir="/var/lib/seedrng" -+lock_file="/var/run/seedrng.lock" -+ -+# Set this to true if you do not want seed files to actually -+# credit the RNG. 
Set this if you plan to replicate this -+# file system image and do not have the wherewithal to first -+# delete the contents of /var/lib/seedrng. -+skip_credit="false" -diff --git a/init.d/urandom.in b/init.d/urandom.in -index 0d6ab66e0..cda431fdb 100644 ---- a/init.d/urandom.in -+++ b/init.d/urandom.in -@@ -1,5 +1,5 @@ - #!@SBINDIR@/openrc-run --# Copyright (c) 2007-2015 The OpenRC Authors. -+# Copyright (c) 2007-2022 The OpenRC Authors. - # See the Authors file at the top-level directory of this distribution and - # https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS - # -@@ -9,7 +9,10 @@ - # This file may not be copied, modified, propagated, or distributed - # except according to the terms contained in the LICENSE file. - --: ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}} -+export SEEDRNG_SEED_DIR="${seed_dir:-/var/lib/seedrng}" -+export SEEDRNG_LOCK_FILE="${lock_file:-/var/run/seedrng.lock}" -+export SEEDRNG_SKIP_CREDIT="${skip_credit:-false}" -+: ${urandom_seed:=${SEEDRNG_SEED_DIR}/../misc/random-seed} - description="Initializes the random number generator." - - depend() -@@ -21,33 +24,35 @@ depend() - - save_seed() - { -- local psz=1 -- -- if [ -e /proc/sys/kernel/random/poolsize ]; then -- : $(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 )) -- fi -- - ( # sub shell to prevent umask pollution - umask 077 -- dd if=/dev/urandom of="$urandom_seed" count=${psz} 2>/dev/null -+ dd if=/dev/urandom of="$urandom_seed" count=1 2>/dev/null - ) - } - - start() - { -- [ -c /dev/urandom ] || return -- if [ -f "$urandom_seed" ]; then -- ebegin "Initializing random number generator" -- cat "$urandom_seed" > /dev/urandom -- eend $? "Error initializing random number generator" -+ if [ "$RC_UNAME" = Linux ]; then -+ seedrng -+ else -+ [ -c /dev/urandom ] || return -+ if [ -f "$urandom_seed" ]; then -+ ebegin "Initializing random number generator" -+ cat "$urandom_seed" > /dev/urandom -+ eend $? 
"Error initializing random number generator" -+ fi -+ rm -f "$urandom_seed" && save_seed - fi -- rm -f "$urandom_seed" && save_seed - return 0 - } - - stop() - { -- ebegin "Saving random seed" -- save_seed -- eend $? "Failed to save random seed" -+ if [ "$RC_UNAME" = Linux ]; then -+ seedrng -+ else -+ ebegin "Saving random seed" -+ save_seed -+ eend $? "Failed to save random seed" -+ fi - } -diff --git a/src/rc/Makefile b/src/rc/Makefile -index fd796d920..62539f134 100644 ---- a/src/rc/Makefile -+++ b/src/rc/Makefile -@@ -15,7 +15,7 @@ endif - - ifeq (${OS},Linux) - SRCS+= kill_all.c openrc-init.c openrc-shutdown.c rc-sysvinit.c broadcast.c \ -- rc-wtmp.c -+ rc-wtmp.c seedrng.c - endif - - CLEANFILES= version.h rc-selinux.o -@@ -47,6 +47,7 @@ RC_SBINPROGS= mark_service_starting mark_service_started \ - - ifeq (${OS},Linux) - RC_BINPROGS+= kill_all -+RC_SBINPROGS+= seedrng - SBINPROGS+= openrc-init openrc-shutdown - endif - -@@ -180,3 +181,6 @@ shell_var: shell_var.o - - swclock: swclock.o _usage.o rc-misc.o - ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD} -+ -+seedrng: seedrng.o -+ ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD} -diff --git a/src/rc/meson.build b/src/rc/meson.build -index 8fdf3ac3b..b724c51f2 100644 ---- a/src/rc/meson.build -+++ b/src/rc/meson.build -@@ -268,7 +268,15 @@ if os == 'Linux' - link_with: [libeinfo,librc], - install: true, - install_dir: rc_bindir) -- endif -+ -+ executable('seedrng', -+ ['seedrng.c'], -+ c_args : cc_branding_flags, -+ include_directories: [incdir, einfo_incdir, rc_incdir], -+ link_with: [libeinfo, librc], -+ install: true, -+ install_dir: rc_sbindir) -+endif - - executable('shell_var', - ['shell_var.c'], -diff --git a/src/rc/seedrng.c b/src/rc/seedrng.c -new file mode 100644 -index 000000000..c1f941457 ---- /dev/null -+++ b/src/rc/seedrng.c -@@ -0,0 +1,453 @@ -+/* -+ * seedrng.c -+ * Seed kernel RNG from seed file, based on code from: -+ * 
https://git.zx2c4.com/seedrng/about/ -+ */ -+ -+/* -+ * Copyright (c) 2022 The OpenRC Authors. -+ * See the Authors file at the top-level directory of this distribution and -+ * https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS -+ * -+ * This file is part of OpenRC. It is subject to the license terms in -+ * the LICENSE file found in the top-level directory of this -+ * distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE -+ * This file may not be copied, modified, propagated, or distributed -+ * except according to the terms contained in the LICENSE file. -+ */ -+ -+#include <linux/random.h> -+#include <sys/random.h> -+#include <sys/ioctl.h> -+#include <sys/file.h> -+#include <sys/stat.h> -+#include <sys/types.h> -+#include <fcntl.h> -+#include <poll.h> -+#include <unistd.h> -+#include <time.h> -+#include <errno.h> -+#include <endian.h> -+#include <stdbool.h> -+#include <stdint.h> -+#include <string.h> -+#include <stdio.h> -+#include <stdlib.h> -+ -+#include "rc.h" -+#include "einfo.h" -+#include "helpers.h" -+ -+#ifndef GRND_INSECURE -+#define GRND_INSECURE 0x0004 /* Apparently some headers don't ship with this yet. 
*/ -+#endif -+ -+static const char *SEED_DIR; -+static const char *LOCK_FILE; -+static char *CREDITABLE_SEED; -+static char *NON_CREDITABLE_SEED; -+ -+enum blake2s_lengths { -+ BLAKE2S_BLOCK_LEN = 64, -+ BLAKE2S_HASH_LEN = 32, -+ BLAKE2S_KEY_LEN = 32 -+}; -+ -+enum seedrng_lengths { -+ MAX_SEED_LEN = 512, -+ MIN_SEED_LEN = BLAKE2S_HASH_LEN -+}; -+ -+struct blake2s_state { -+ uint32_t h[8]; -+ uint32_t t[2]; -+ uint32_t f[2]; -+ uint8_t buf[BLAKE2S_BLOCK_LEN]; -+ unsigned int buflen; -+ unsigned int outlen; -+}; -+ -+#define le32_to_cpup(a) le32toh(*(a)) -+#define cpu_to_le32(a) htole32(a) -+#ifndef ARRAY_SIZE -+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) -+#endif -+#ifndef DIV_ROUND_UP -+#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) -+#endif -+ -+static inline void cpu_to_le32_array(uint32_t *buf, unsigned int words) -+{ -+ while (words--) { -+ *buf = cpu_to_le32(*buf); -+ ++buf; -+ } -+} -+ -+static inline void le32_to_cpu_array(uint32_t *buf, unsigned int words) -+{ -+ while (words--) { -+ *buf = le32_to_cpup(buf); -+ ++buf; -+ } -+} -+ -+static inline uint32_t ror32(uint32_t word, unsigned int shift) -+{ -+ return (word >> (shift & 31)) | (word << ((-shift) & 31)); -+} -+ -+static const uint32_t blake2s_iv[8] = { -+ 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL, -+ 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL -+}; -+ -+static const uint8_t blake2s_sigma[10][16] = { -+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, -+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, -+ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, -+ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, -+ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, -+ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, -+ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, -+ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, -+ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, -+ { 10, 2, 8, 4, 7, 6, 1, 
5, 15, 11, 9, 14, 3, 12, 13, 0 }, -+}; -+ -+static void blake2s_set_lastblock(struct blake2s_state *state) -+{ -+ state->f[0] = -1; -+} -+ -+static void blake2s_increment_counter(struct blake2s_state *state, const uint32_t inc) -+{ -+ state->t[0] += inc; -+ state->t[1] += (state->t[0] < inc); -+} -+ -+static void blake2s_init_param(struct blake2s_state *state, const uint32_t param) -+{ -+ int i; -+ -+ memset(state, 0, sizeof(*state)); -+ for (i = 0; i < 8; ++i) -+ state->h[i] = blake2s_iv[i]; -+ state->h[0] ^= param; -+} -+ -+static void blake2s_init(struct blake2s_state *state, const size_t outlen) -+{ -+ blake2s_init_param(state, 0x01010000 | outlen); -+ state->outlen = outlen; -+} -+ -+static void blake2s_compress(struct blake2s_state *state, const uint8_t *block, size_t nblocks, const uint32_t inc) -+{ -+ uint32_t m[16]; -+ uint32_t v[16]; -+ int i; -+ -+ while (nblocks > 0) { -+ blake2s_increment_counter(state, inc); -+ memcpy(m, block, BLAKE2S_BLOCK_LEN); -+ le32_to_cpu_array(m, ARRAY_SIZE(m)); -+ memcpy(v, state->h, 32); -+ v[ 8] = blake2s_iv[0]; -+ v[ 9] = blake2s_iv[1]; -+ v[10] = blake2s_iv[2]; -+ v[11] = blake2s_iv[3]; -+ v[12] = blake2s_iv[4] ^ state->t[0]; -+ v[13] = blake2s_iv[5] ^ state->t[1]; -+ v[14] = blake2s_iv[6] ^ state->f[0]; -+ v[15] = blake2s_iv[7] ^ state->f[1]; -+ -+#define G(r, i, a, b, c, d) do { \ -+ a += b + m[blake2s_sigma[r][2 * i + 0]]; \ -+ d = ror32(d ^ a, 16); \ -+ c += d; \ -+ b = ror32(b ^ c, 12); \ -+ a += b + m[blake2s_sigma[r][2 * i + 1]]; \ -+ d = ror32(d ^ a, 8); \ -+ c += d; \ -+ b = ror32(b ^ c, 7); \ -+} while (0) -+ -+#define ROUND(r) do { \ -+ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \ -+ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \ -+ G(r, 2, v[2], v[ 6], v[10], v[14]); \ -+ G(r, 3, v[3], v[ 7], v[11], v[15]); \ -+ G(r, 4, v[0], v[ 5], v[10], v[15]); \ -+ G(r, 5, v[1], v[ 6], v[11], v[12]); \ -+ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \ -+ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \ -+} while (0) -+ ROUND(0); -+ ROUND(1); -+ ROUND(2); -+ 
ROUND(3); -+ ROUND(4); -+ ROUND(5); -+ ROUND(6); -+ ROUND(7); -+ ROUND(8); -+ ROUND(9); -+ -+#undef G -+#undef ROUND -+ -+ for (i = 0; i < 8; ++i) -+ state->h[i] ^= v[i] ^ v[i + 8]; -+ -+ block += BLAKE2S_BLOCK_LEN; -+ --nblocks; -+ } -+} -+ -+static void blake2s_update(struct blake2s_state *state, const void *inp, size_t inlen) -+{ -+ const size_t fill = BLAKE2S_BLOCK_LEN - state->buflen; -+ const uint8_t *in = inp; -+ -+ if (!inlen) -+ return; -+ if (inlen > fill) { -+ memcpy(state->buf + state->buflen, in, fill); -+ blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_LEN); -+ state->buflen = 0; -+ in += fill; -+ inlen -= fill; -+ } -+ if (inlen > BLAKE2S_BLOCK_LEN) { -+ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_LEN); -+ blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_LEN); -+ in += BLAKE2S_BLOCK_LEN * (nblocks - 1); -+ inlen -= BLAKE2S_BLOCK_LEN * (nblocks - 1); -+ } -+ memcpy(state->buf + state->buflen, in, inlen); -+ state->buflen += inlen; -+} -+ -+static void blake2s_final(struct blake2s_state *state, uint8_t *out) -+{ -+ blake2s_set_lastblock(state); -+ memset(state->buf + state->buflen, 0, BLAKE2S_BLOCK_LEN - state->buflen); -+ blake2s_compress(state, state->buf, 1, state->buflen); -+ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h)); -+ memcpy(out, state->h, state->outlen); -+} -+ -+static size_t determine_optimal_seed_len(void) -+{ -+ size_t ret = 0; -+ char poolsize_str[11] = { 0 }; -+ int fd = open("/proc/sys/kernel/random/poolsize", O_RDONLY); -+ -+ if (fd < 0 || read(fd, poolsize_str, sizeof(poolsize_str) - 1) < 0) { -+ ewarn("Unable to determine pool size, falling back to %u bits: %s", MIN_SEED_LEN * 8, strerror(errno)); -+ ret = MIN_SEED_LEN; -+ } else -+ ret = DIV_ROUND_UP(strtoul(poolsize_str, NULL, 10), 8); -+ if (fd >= 0) -+ close(fd); -+ if (ret < MIN_SEED_LEN) -+ ret = MIN_SEED_LEN; -+ else if (ret > MAX_SEED_LEN) -+ ret = MAX_SEED_LEN; -+ return ret; -+} -+ -+static int read_new_seed(uint8_t *seed, size_t len, bool 
*is_creditable) -+{ -+ ssize_t ret; -+ int urandom_fd; -+ -+ *is_creditable = false; -+ ret = getrandom(seed, len, GRND_NONBLOCK); -+ if (ret == (ssize_t)len) { -+ *is_creditable = true; -+ return 0; -+ } -+ if (ret == -1 && errno == ENOSYS) { -+ struct pollfd random_fd = { -+ .fd = open("/dev/random", O_RDONLY), -+ .events = POLLIN -+ }; -+ if (random_fd.fd < 0) -+ return -errno; -+ *is_creditable = poll(&random_fd, 1, 0) == 1; -+ close(random_fd.fd); -+ } else if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len) -+ return 0; -+ urandom_fd = open("/dev/urandom", O_RDONLY); -+ if (urandom_fd < 0) -+ return -errno; -+ ret = read(urandom_fd, seed, len); -+ if (ret == (ssize_t)len) -+ ret = 0; -+ else -+ ret = -errno ? -errno : -EIO; -+ close(urandom_fd); -+ return ret; -+} -+ -+static int seed_rng(uint8_t *seed, size_t len, bool credit) -+{ -+ struct { -+ int entropy_count; -+ int buf_size; -+ uint8_t buffer[MAX_SEED_LEN]; -+ } req = { -+ .entropy_count = credit ? len * 8 : 0, -+ .buf_size = len -+ }; -+ int random_fd, ret; -+ -+ if (len > sizeof(req.buffer)) -+ return -EFBIG; -+ memcpy(req.buffer, seed, len); -+ -+ random_fd = open("/dev/random", O_RDWR); -+ if (random_fd < 0) -+ return -errno; -+ ret = ioctl(random_fd, RNDADDENTROPY, &req); -+ if (ret) -+ ret = -errno ? 
-errno : -EIO; -+ close(random_fd); -+ return ret; -+} -+ -+static int seed_from_file_if_exists(const char *filename, bool credit, struct blake2s_state *hash) -+{ -+ uint8_t seed[MAX_SEED_LEN]; -+ ssize_t seed_len; -+ int fd, dfd, ret = 0; -+ -+ fd = open(filename, O_RDONLY); -+ if (fd < 0 && errno == ENOENT) -+ return 0; -+ else if (fd < 0) { -+ ret = -errno; -+ eerror("Unable to open seed file: %s", strerror(errno)); -+ return ret; -+ } -+ dfd = open(SEED_DIR, O_DIRECTORY | O_RDONLY); -+ if (dfd < 0) { -+ ret = -errno; -+ close(fd); -+ eerror("Unable to open seed directory: %s", strerror(errno)); -+ return ret; -+ } -+ seed_len = read(fd, seed, sizeof(seed)); -+ if (seed_len < 0) { -+ ret = -errno; -+ eerror("Unable to read seed file: %s", strerror(errno)); -+ } -+ close(fd); -+ if (ret) { -+ close(dfd); -+ return ret; -+ } -+ if ((unlink(filename) < 0 || fsync(dfd) < 0) && seed_len) { -+ ret = -errno; -+ eerror("Unable to remove seed after reading, so not seeding: %s", strerror(errno)); -+ } -+ close(dfd); -+ if (ret) -+ return ret; -+ if (!seed_len) -+ return 0; -+ -+ blake2s_update(hash, &seed_len, sizeof(seed_len)); -+ blake2s_update(hash, seed, seed_len); -+ -+ einfo("Seeding %zd bits %s crediting", seed_len * 8, credit ? 
"and" : "without"); -+ ret = seed_rng(seed, seed_len, credit); -+ if (ret < 0) -+ eerror("Unable to seed: %s", strerror(-ret)); -+ return ret; -+} -+ -+static void populate_global_paths(void) -+{ -+ SEED_DIR = getenv("SEEDRNG_SEED_DIR"); -+ if (!SEED_DIR || !*SEED_DIR) -+ SEED_DIR = "/var/lib/seedrng"; -+ LOCK_FILE = getenv("SEEDRNG_LOCK_FILE"); -+ if (!LOCK_FILE || !*LOCK_FILE) -+ LOCK_FILE = "/var/run/seedrng.lock"; -+ xasprintf(&CREDITABLE_SEED, "%s/seed.credit", SEED_DIR); -+ xasprintf(&NON_CREDITABLE_SEED, "%s/seed.no-credit", SEED_DIR); -+} -+ -+int main(int argc _unused, char *argv[] _unused) -+{ -+ static const char seedrng_prefix[] = "SeedRNG v1 Old+New Prefix"; -+ static const char seedrng_failure[] = "SeedRNG v1 No New Seed Failure"; -+ int ret, fd, lock, program_ret = 0; -+ uint8_t new_seed[MAX_SEED_LEN]; -+ size_t new_seed_len; -+ bool new_seed_creditable; -+ struct timespec realtime = { 0 }, boottime = { 0 }; -+ struct blake2s_state hash; -+ -+ umask(0077); -+ if (getuid()) -+ eerrorx("This rc helper program requires root"); -+ -+ populate_global_paths(); -+ blake2s_init(&hash, BLAKE2S_HASH_LEN); -+ blake2s_update(&hash, seedrng_prefix, strlen(seedrng_prefix)); -+ clock_gettime(CLOCK_REALTIME, &realtime); -+ clock_gettime(CLOCK_BOOTTIME, &boottime); -+ blake2s_update(&hash, &realtime, sizeof(realtime)); -+ blake2s_update(&hash, &boottime, sizeof(boottime)); -+ -+ if (mkdir(SEED_DIR, 0700) < 0 && errno != EEXIST) -+ eerrorx("Unable to create \"%s\" directory: %s", SEED_DIR, strerror(errno)); -+ -+ lock = open(LOCK_FILE, O_WRONLY | O_CREAT, 0000); -+ if (lock < 0 || flock(lock, LOCK_EX) < 0) -+ eerrorx("Unable to open lock file: %s", strerror(errno)); -+ -+ ret = seed_from_file_if_exists(NON_CREDITABLE_SEED, false, &hash); -+ if (ret < 0) -+ program_ret |= 1 << 1; -+ ret = seed_from_file_if_exists(CREDITABLE_SEED, !rc_yesno(getenv("SEEDRNG_SKIP_CREDIT")), &hash); -+ if (ret < 0) -+ program_ret |= 1 << 2; -+ -+ new_seed_len = 
determine_optimal_seed_len(); -+ ret = read_new_seed(new_seed, new_seed_len, &new_seed_creditable); -+ if (ret < 0) { -+ eerror("Unable to read new seed: %s", strerror(-ret)); -+ new_seed_len = BLAKE2S_HASH_LEN; -+ strncpy((char *)new_seed, seedrng_failure, new_seed_len); -+ program_ret |= 1 << 3; -+ } -+ blake2s_update(&hash, &new_seed_len, sizeof(new_seed_len)); -+ blake2s_update(&hash, new_seed, new_seed_len); -+ blake2s_final(&hash, new_seed + new_seed_len - BLAKE2S_HASH_LEN); -+ -+ einfo("Saving %zu bits of %s seed for next boot", new_seed_len * 8, new_seed_creditable ? "creditable" : "non-creditable"); -+ fd = open(NON_CREDITABLE_SEED, O_WRONLY | O_CREAT | O_TRUNC, 0400); -+ if (fd < 0) { -+ eerror("Unable to open seed file for writing: %s", strerror(errno)); -+ program_ret |= 1 << 4; -+ goto out; -+ } -+ if (write(fd, new_seed, new_seed_len) != (ssize_t)new_seed_len || fsync(fd) < 0) { -+ eerror("Unable to write seed file: %s", strerror(errno)); -+ program_ret |= 1 << 5; -+ goto out; -+ } -+ if (new_seed_creditable && rename(NON_CREDITABLE_SEED, CREDITABLE_SEED) < 0) { -+ ewarn("Unable to make new seed creditable: %s", strerror(errno)); -+ program_ret |= 1 << 6; -+ } -+out: -+ close(fd); -+ close(lock); -+ return program_ret; -+} diff --git a/aports/openrc/supervise-daemon-defaults.patch b/aports/openrc/supervise-daemon-defaults.patch new file mode 100644 index 0000000..53a70bb --- /dev/null +++ b/aports/openrc/supervise-daemon-defaults.patch 
@@ -0,0 +1,31 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Wed, 16 Nov 2022 01:47:34 +0100
+Subject: [PATCH] Provide more reasonable defaults for supervise-daemon
+
+The vendor's default parameters for the supervise-daemon are unreasonable
+or even unusable for most of the services (empirically found), especially
+respawn_delay=0 (i.e. respawn crashed service immediately).
+
+--- a/etc/rc.conf
++++ b/etc/rc.conf
+@@ -315,3 +315,20 @@
+ # If this is set to no, we do not send sigkill to all processes in the
+ # cgroup.
+ #rc_send_sigkill="YES"
++
++##############################################################################
++# SUPERVISE DAEMON CONFIGURATION VARIABLES
++# These variables sets more reasonable defaults for supervise-daemon(8).
++# They may be overriden on a per service basis.
++
++# Wait this number of seconds before restarting a daemon after it crashes.
++respawn_delay=2
++
++# Sets the maximum number of times a daemon will be respawned during a respawn
++# period. If a daemon dies more than this number of times during a respawn
++# period, supervise-daemon(8) will give up trying to respawn it and exit.
++# 0 means unlimited.
++respawn_max=5
++
++# Sets the length in seconds of a respawn period.
++respawn_period=1800
diff --git a/aports/openrc/test-networking.sh b/aports/openrc/test-networking.sh
deleted file mode 100644
index 5e5f70b..0000000
--- a/aports/openrc/test-networking.sh
+++ /dev/null
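Review bot: The new rc.conf block makes respawn_max=5 per respawn_period=1800 the global default, so by the block's own description any supervised daemon that dies more than five times in 30 minutes is left down until someone restarts it; for an image whose services are expected to stay up unattended, that trade-off is worth stating next to the values, e.g. `# a service crashing >5 times in 30 min stays down until restarted by hand`. Whether any service in this image actually runs under supervise-daemon is not visible here. The added comment text also carries two typos (`These variables sets`, `overriden`) that could be fixed the next time the patch is re-synced from its source.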
@@ -1,65 +0,0 @@ -#!/bin/sh - -# unit tests for find_ifaces and find_running_ifaces in networking.initd - -cfgfile=/tmp/openrc-test-network.$$ -sourcefile=$cfgfile.source -sourcedir=$cfgfile.d -ifstate=$cfgfile.state - -cat >$cfgfile<<EOF -auto eth0 -iface eth0 inet dhcp - -source $sourcefile - -source-directory $sourcedir -EOF - -cat >$sourcefile<<EOF -auto eth1 -iface eth1 inet dhcp -EOF - -mkdir -p $sourcedir -cat >$sourcedir/a<<EOF -auto eth2 -iface eth2 inet dhcp -EOF - -cat >$ifstate<<EOF -eth4=eth4 1 -EOF - -errors=0 -fail() { - echo "$@" - errors=$(( $errors + 1)) -} - -# test fallback, when ifquery does not exist -ifquery=does-not-exist -. ./networking.initd - -find_ifaces | grep -q -w eth0 || fail "Did not find eth0" -find_ifaces | grep -q -E '(eth1|eth2)' && fail "Unexpectedly found eth1 or eth2" - -# test that ifquery finds source and source-directory -unset ifquery -. ./networking.initd -for i in eth0 eth1 eth2; do - find_ifaces | grep -q -w "$i" || fail "Did not find $i" -done - -# test that ifquery picks up the running state file -find_running_ifaces | grep -q -w "eth4" || fail "Did not detect eth4 running" - - -# test /etc/init.d/net.eth5 -RC_SVCNAME=net.eth5 -. ./networking.initd -find_ifaces | grep -q -w "eth5" || fail "Did not detect eth5" -find_running_ifaces | grep -q -w "eth5" || fail "Did not detect eth5 running" - -rm -rf $cfgfile $sourcefile $sourcedir $ifstate -exit $errors diff --git a/aports/rtl8821ce/APKBUILD b/aports/rtl8821ce/APKBUILD index 0b48b5f..e3028a7 100644 --- a/aports/rtl8821ce/APKBUILD +++ b/aports/rtl8821ce/APKBUILD @@ -2,7 +2,7 @@ pkgname='rtl8821ce' pkgver=20220911 -pkgrel=0 +pkgrel=1 _gitrev='50c1b120b06a3b0805e23ca9a4dbd274d74bb305' pkgdesc='Driver for Realtek 8821CE, an 802.11ac device' arch="x86_64" diff --git a/aports/wpa_supplicant/APKBUILD b/aports/wpa_supplicant/APKBUILD index 5e7e18b..a9da28f 100644 --- a/aports/wpa_supplicant/APKBUILD +++ b/aports/wpa_supplicant/APKBUILD 
@@ -2,18 +2,20 @@
 pkgname=wpa_supplicant
 pkgver=2.10
-pkgrel=0 # base: 1
+pkgrel=1 # base: 4
 pkgdesc="utility providing key negotiation for WPA wireless networks"
 url="https://w1.fi/wpa_supplicant/"
 arch="all"
 options="!check" # has no tests
 license="BSD-3-Clause"
 subpackages=
-makedepends="linux-headers openssl1.1-compat-dev dbus-dev libnl3-dev pcsc-lite-dev"
+makedepends="linux-headers openssl-dev>3 dbus-dev libnl3-dev pcsc-lite-dev"
 source="https://w1.fi/releases/wpa_supplicant-$pkgver.tar.gz
 wpa_supplicant.initd
 wpa_supplicant.confd
 eloop.patch
+ unsafe-renegotiation-1.patch
+ unsafe-renegotiation-2.patch
 no-tools.patch
 config"
@@ -55,6 +57,7 @@ prepare() {
 }
 build() {
+ export CFLAGS="$CFLAGS -flto=auto"
 cd "$builddir"/wpa_supplicant
 make LIBDIR=/lib BINDIR=/sbin
 }
@@ -75,6 +78,8 @@ sha512sums="
 92c4cbaa9776a354275640c9411d2f547f4c0e00415af4ab30039f1a0be6a11082d49e2514905010f0abcc4a9276353276da9864e3d5f7264a0f0767c8cc9d78 wpa_supplicant.initd
 c7e4041fe41743c5e63a07edc9234d0c44c4c0f193a180b27342b43f3be45fb87b42ee0f9e4a20614cf6ad58cf64d25f74d1e75e2e1d521c2f6d45cdc5737eae wpa_supplicant.confd
 2be055dd1f7da5a3d8e79c2f2c0220ddd31df309452da18f290144d2112d6dbde0fc633bb2ad02c386a39d7785323acaf5f70e5969995a1e8303a094eb5fe232 eloop.patch
+9528735924faf876a7094de46760605e5e66e265187421a668be06dbf03d7b4db6b84cbad793fcd6bd614e3ba540f82f1f80660d75e8a6070eeb7e9abb54ed28 unsafe-renegotiation-1.patch
+a92ba3ed3f41022a8af9396d2b703ee47f78aa05c1fddb42919a7fe6a6fad71e3515c63457e97e252ae0a32c6c34d67ea6efe0278df1e141cf36e650237e5295 unsafe-renegotiation-2.patch
 3278eff7118f9dc9e177adc3ed91cad562a8edde396af8619321ac8552a86e9c7de25212d5578ea17cbe4b6dc928d83cd6e9a7f0d41e07576656e6e9274107d6 no-tools.patch
-0e1af7084026c3b50b3a77636758f1ce3c1004e1e6d7eb71038e42c5c63866e2bbee3b0933b1131b80a6f2f6848983847a017ba2555a3162f0ccd3aa57fcf257 config
+021d7d192b2e8e6bc89457ce4c8ada7eb897b3c4e8202697da44bde4cab49c0424156569c7a04dc58cae26e0e83e5f56421946679629535d0a749cda31f890c5 config
 "
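Review bot: The two new source entries unsafe-renegotiation-1.patch and unsafe-renegotiation-2.patch carry no comment, and nothing in the APKBUILD records that they only add an opt-in phase1 knob (allow_unsafe_renegotiation=1, per the first patch's own description later in this diff) rather than relaxing TLS for every connection, which is the natural worry when such a patch lands next to the switch to openssl-dev>3. A comment on the source list would prevent that misreading, e.g. `# opt-in allow_unsafe_renegotiation=1 for RADIUS servers lacking RFC 5746; default stays strict`. Separately, neither the old nor the new source= list in this hunk references the CVE-2019-16275, CVE-2021-0326 and CVE-2021-27803 patch files deleted further down, so those deletions look like dead-file cleanup rather than a dropped fix; worth confirming they were unreferenced before this commit as well.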
diff --git a/aports/wpa_supplicant/CVE-2019-16275.patch b/aports/wpa_supplicant/CVE-2019-16275.patch deleted file mode 100644 index d764a9d..0000000 --- a/aports/wpa_supplicant/CVE-2019-16275.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Thu, 29 Aug 2019 11:52:04 +0300 -Subject: [PATCH] AP: Silently ignore management frame from unexpected source - address - -Do not process any received Management frames with unexpected/invalid SA -so that we do not add any state for unexpected STA addresses or end up -sending out frames to unexpected destination. This prevents unexpected -sequences where an unprotected frame might end up causing the AP to send -out a response to another device and that other device processing the -unexpected response. - -In particular, this prevents some potential denial of service cases -where the unexpected response frame from the AP might result in a -connected station dropping its association. - -Signed-off-by: Jouni Malinen <j@w1.fi> ---- - src/ap/drv_callbacks.c | 13 +++++++++++++ - src/ap/ieee802_11.c | 12 ++++++++++++ - 2 files changed, 25 insertions(+) - -diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c -index 31587685fe3b..34ca379edc3d 100644 ---- a/src/ap/drv_callbacks.c -+++ b/src/ap/drv_callbacks.c -@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, - "hostapd_notif_assoc: Skip event with no address"); - return -1; - } -+ -+ if (is_multicast_ether_addr(addr) || -+ is_zero_ether_addr(addr) || -+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { -+ /* Do not process any frames with unexpected/invalid SA so that -+ * we do not add any state for unexpected STA addresses or end -+ * up sending out frames to unexpected destination. 
*/ -+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR -+ " in received indication - ignore this indication silently", -+ __func__, MAC2STR(addr)); -+ return 0; -+ } -+ - random_add_randomness(addr, ETH_ALEN); - - hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, -diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c -index c85a28db44b7..e7065372e158 100644 ---- a/src/ap/ieee802_11.c -+++ b/src/ap/ieee802_11.c -@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, - fc = le_to_host16(mgmt->frame_control); - stype = WLAN_FC_GET_STYPE(fc); - -+ if (is_multicast_ether_addr(mgmt->sa) || -+ is_zero_ether_addr(mgmt->sa) || -+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { -+ /* Do not process any frames with unexpected/invalid SA so that -+ * we do not add any state for unexpected STA addresses or end -+ * up sending out frames to unexpected destination. */ -+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR -+ " in received frame - ignore this frame silently", -+ MAC2STR(mgmt->sa)); -+ return 0; -+ } -+ - if (stype == WLAN_FC_STYPE_BEACON) { - handle_beacon(hapd, mgmt, len, fi); - return 1; --- -2.20.1 - diff --git a/aports/wpa_supplicant/CVE-2021-0326.patch b/aports/wpa_supplicant/CVE-2021-0326.patch deleted file mode 100644 index 2ad5f44..0000000 --- a/aports/wpa_supplicant/CVE-2021-0326.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Mon, 9 Nov 2020 11:43:12 +0200 -Subject: P2P: Fix copying of secondary device types for P2P group client - -Parsing and copying of WPS secondary device types list was verifying -that the contents is not too long for the internal maximum in the case -of WPS messages, but similar validation was missing from the case of P2P -group information which encodes this information in a different -attribute. This could result in writing beyond the memory area assigned -for these entries and corrupting memory within an instance of struct -p2p_device. This could result in invalid operations and unexpected -behavior when trying to free pointers from that corrupted memory. - -Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 -Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> ---- - src/p2p/p2p.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c -index 74b7b52..5cbfc21 100644 ---- a/src/p2p/p2p.c -+++ b/src/p2p/p2p.c -@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, - dev->info.config_methods = cli->config_methods; - os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); - dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; -+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) -+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; - os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, - dev->info.wps_sec_dev_type_list_len); - } --- -cgit v0.12 - diff --git a/aports/wpa_supplicant/CVE-2021-27803.patch b/aports/wpa_supplicant/CVE-2021-27803.patch deleted file mode 100644 index 1942bb3..0000000 --- a/aports/wpa_supplicant/CVE-2021-27803.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Tue, 8 Dec 2020 23:52:50 +0200 -Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request - -p2p_add_device() may remove the oldest entry if there is no room in the -peer table for a new peer. This would result in any pointer to that -removed entry becoming stale. A corner case with an invalid PD Request -frame could result in such a case ending up using (read+write) freed -memory. This could only by triggered when the peer table has reached its -maximum size and the PD Request frame is received from the P2P Device -Address of the oldest remaining entry and the frame has incorrect P2P -Device Address in the payload. - -Fix this by fetching the dev pointer again after having called -p2p_add_device() so that the stale pointer cannot be used. - -Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> ---- - src/p2p/p2p_pd.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c -index 3994ec03f86b..05fd593494ef 100644 ---- a/src/p2p/p2p_pd.c -+++ b/src/p2p/p2p_pd.c -@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, - goto out; - } - -+ dev = p2p_get_device(p2p, sa); - if (!dev) { -- dev = p2p_get_device(p2p, sa); -- if (!dev) { -- p2p_dbg(p2p, -- "Provision Discovery device not found " -- MACSTR, MAC2STR(sa)); -- goto out; -- } -+ p2p_dbg(p2p, -+ "Provision Discovery device not found " -+ MACSTR, MAC2STR(sa)); -+ goto out; - } - } else if (msg.wfd_subelems) { - wpabuf_free(dev->info.wfd_subelems); --- -2.25.1 - diff --git a/aports/wpa_supplicant/config b/aports/wpa_supplicant/config index ab425d0..12f711a 100644 --- a/aports/wpa_supplicant/config +++ b/aports/wpa_supplicant/config 
@@ -32,7 +32,7 @@ CONFIG_DRIVER_NL80211=y # QCA vendor extensions to nl80211 -#CONFIG_DRIVER_NL80211_QCA=y +CONFIG_DRIVER_NL80211_QCA=y # driver_nl80211.c requires libnl. If you are compiling it yourself # you may need to point hostapd to your version of libnl. @@ -207,7 +207,7 @@ CONFIG_HT_OVERRIDES=y CONFIG_VHT_OVERRIDES=y # Development testing -CONFIG_EAPOL_TEST=n +#CONFIG_EAPOL_TEST=y # Enable IPv6 support in eapol_test. # See: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12429 @@ -486,7 +486,7 @@ CONFIG_DELAYED_MIC_ERROR_REPORT=y # Should we attempt to use the getrandom(2) call that provides more reliable # yet secure randomness source than /dev/random on Linux 3.17 and newer. # Requires glibc 2.25 to build, falls back to /dev/random if unavailable. -#CONFIG_GETRANDOM=y +CONFIG_GETRANDOM=y # IEEE 802.11n (High Throughput) support (mainly for AP mode) #CONFIG_IEEE80211N=y @@ -503,10 +503,10 @@ CONFIG_DELAYED_MIC_ERROR_REPORT=y # This can be used to enable functionality to improve interworking with # external networks (GAS/ANQP to learn more about the networks and network # selection based on available credentials). -#CONFIG_INTERWORKING=y +CONFIG_INTERWORKING=y # Hotspot 2.0 -#CONFIG_HS20=y +CONFIG_HS20=y # Enable interface matching in wpa_supplicant #CONFIG_MATCH_IFACE=y @@ -527,7 +527,7 @@ CONFIG_AP=y CONFIG_P2P=y # Enable TDLS support -#CONFIG_TDLS=y +CONFIG_TDLS=y # Wi-Fi Display # This can be used to enable Wi-Fi Display extensions for P2P using an external @@ -585,7 +585,7 @@ CONFIG_AUTOSCAN_PERIODIC=y # # For more details refer to: # http://wireless.kernel.org/en/users/Documentation/acs -#CONFIG_ACS=y +CONFIG_ACS=y # Support Multi Band Operation #CONFIG_MBO=y diff --git a/aports/wpa_supplicant/unsafe-renegotiation-1.patch b/aports/wpa_supplicant/unsafe-renegotiation-1.patch new file mode 100644 index 0000000..0802a1b --- /dev/null +++ b/aports/wpa_supplicant/unsafe-renegotiation-1.patch 
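Review bot: Five features are switched on in this file (CONFIG_DRIVER_NL80211_QCA, CONFIG_INTERWORKING, CONFIG_HS20, CONFIG_TDLS, CONFIG_ACS) with no note on why; each compiles in additional protocol handling (the file's own comments name GAS/ANQP for Interworking, and TDLS sets up links with a peer station), so the build's exposure grows beyond what a plain station client needs. If these are taken from Alpine's base config, a one-line comment at the top of the file saying so, e.g. `# feature set follows the Alpine aports wpa_supplicant config`, would record that and make future diffs reviewable. CONFIG_GETRANDOM=y is a good change; the surrounding upstream comment mentions glibc 2.25, but Alpine builds against musl, so I am assuming the build was verified. The `-CONFIG_EAPOL_TEST=n` to `+#CONFIG_EAPOL_TEST=y` change is the safer spelling, since hostap's Makefile tests several options with ifdef, where `=n` may still count as set; I have not verified that for this particular option.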
@@ -0,0 +1,103 @@
+Patch-Source: https://w1.fi/cgit/hostap/commit/?id=566ce69a8d0e64093309cbde80235aa522fbf84e
+From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Thu, 5 May 2022 00:07:44 +0300
+Subject: EAP peer: Workaround for servers that do not support safe TLS
+ renegotiation
+
+The TLS protocol design for renegotiation was identified to have a
+significant security flaw in 2009 and an extension to secure this design
+was published in 2010 (RFC 5746). However, some old RADIUS
+authentication servers without support for this are still used commonly.
+
+This is obviously not good from the security view point, but since there
+are cases where the user of a network service has no realistic means for
+getting the authentication server upgraded, TLS handshake may still need
+to be allowed to be able to use the network.
+
+OpenSSL 3.0 disabled the client side workaround by default and this
+resulted in issues connection to some networks with insecure
+authentication servers. With OpenSSL 3.0, the client is now enforcing
+security by refusing to authenticate with such servers. The pre-3.0
+behavior of ignoring this issue and leaving security to the server can
+now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
+This should be used only when having to connect to a network that has an
+insecure authentication server that cannot be upgraded.
+
+The old (pre-2010) TLS renegotiation mechanism might open security
+vulnerabilities if the authentication server were to allow TLS
+renegotiation to be initiated. While this is unlikely to cause real
+issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
+an authentication server that does not support RFC 5746 might result in
+a security vulnerability.
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+ src/crypto/tls.h | 1 +
+ src/crypto/tls_openssl.c | 5 +++++
+ src/eap_peer/eap_tls_common.c | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 5 +++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index ccaac94c9..7ea32ee4a 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -112,6 +112,7 @@ struct tls_config {
+ #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
+ #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
+ #define TLS_CONN_TEAP_ANON_DH BIT(17)
++#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
+
+ /**
+ * struct tls_connection_params - Parameters for TLS connection
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 388c6b0f4..0d23f44ad 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
+ SSL_clear_options(ssl, SSL_OP_NO_TICKET);
+ #endif /* SSL_OP_NO_TICKET */
+
++#ifdef SSL_OP_LEGACY_SERVER_CONNECT
++ if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
++ SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
++
+ #ifdef SSL_OP_NO_TLSv1
+ if (flags & TLS_CONN_DISABLE_TLSv1_0)
+ SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index 06c9b211e..6193b4bdb 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
+ params->flags |= TLS_CONN_SUITEB_NO_ECDH;
+ if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
+ params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
++ if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
++ params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
++ if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
++ params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
+ }
+
+
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index a1dc769c9..b5304a77e 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1370,6 +1370,11 @@ fast_reauth=1
+ # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
+ # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
+ # particular when using Suite B with RSA keys of >= 3K (3072) bits
++# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
++# not support safe renegotiation (RFC 5746); please note that this
++# workaround should be only when having to authenticate with an old
++# authentication server that cannot be updated to use secure TLS
++# implementation.
+ #
+ # Following certificate/private key fields are used in inner Phase2
+ # authentication when using EAP-TTLS or EAP-PEAP.
+--
+cgit v1.2.3-18-g5258
+
diff --git a/aports/wpa_supplicant/unsafe-renegotiation-2.patch b/aports/wpa_supplicant/unsafe-renegotiation-2.patch
new file mode 100644
index 0000000..2046637
--- /dev/null
+++ b/aports/wpa_supplicant/unsafe-renegotiation-2.patch
@@ -0,0 +1,105 @@
+Patch-Source: https://w1.fi/cgit/hostap/commit/?id=a561d12d24c2c8bb0f825d4a3a55a5e47e845853
+From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Wed, 4 May 2022 23:55:38 +0300
+Subject: EAP peer status notification for server not supporting RFC 5746
+
+Add a notification message to indicate reason for TLS handshake failure
+due to the server not supporting safe renegotiation (RFC 5746).
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+ src/ap/authsrv.c | 3 +++
+ src/crypto/tls.h | 3 ++-
+ src/crypto/tls_openssl.c | 15 +++++++++++++--
+ src/eap_peer/eap.c | 5 +++++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
+index 516c1da74..fd9c96fad 100644
+--- a/src/ap/authsrv.c
++++ b/src/ap/authsrv.c
+@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev,
+ wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
+ data->alert.description);
+ break;
++ case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++ /* Not applicable to TLS server */
++ break;
+ }
+ }
+ #endif /* EAP_TLS_FUNCS */
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 7ea32ee4a..7a2ee32df 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -22,7 +22,8 @@ enum tls_event {
+ TLS_CERT_CHAIN_SUCCESS,
+ TLS_CERT_CHAIN_FAILURE,
+ TLS_PEER_CERTIFICATE,
+- TLS_ALERT
++ TLS_ALERT,
++ TLS_UNSAFE_RENEGOTIATION_DISABLED,
+ };
+
+ /*
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 0d23f44ad..912471ba2 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
+ static struct wpabuf *
+ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ {
++ struct tls_context *context = conn->context;
+ int res;
+ struct wpabuf *out_data;
+
+@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
+ "write");
+ else {
++ unsigned long error = ERR_peek_last_error();
++
+ tls_show_errors(MSG_INFO, __func__, "SSL_connect");
++
++ if (context->event_cb &&
++ ERR_GET_LIB(error) == ERR_LIB_SSL &&
++ ERR_GET_REASON(error) ==
++ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
++ context->event_cb(
++ context->cb_ctx,
++ TLS_UNSAFE_RENEGOTIATION_DISABLED,
++ NULL);
++ }
+ conn->failed++;
+ if (!conn->server && !conn->client_hello_generated) {
+ /* The server would not understand TLS Alert
+@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
+ os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
+ conn->server_dh_prime_len < 3072) {
+- struct tls_context *context = conn->context;
+-
+ /*
+ * This should not be reached since earlier cert_cb should have
+ * terminated the handshake. Keep this check here for extra
+diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
+index 429b20d3a..729388f4f 100644
+--- a/src/eap_peer/eap.c
++++ b/src/eap_peer/eap.c
+@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
+ eap_notify_status(sm, "remote TLS alert",
+ data->alert.description);
+ break;
++ case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++ wpa_printf(MSG_INFO,
++ "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this");
++ eap_notify_status(sm, "unsafe server renegotiation", "failure");
++ break;
+ }
+
+ os_free(hash_hex);
+--
+cgit v1.2.3-18-g5258
+
|