summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--aports/base-layout/APKBUILD14
-rw-r--r--aports/base-layout/profile22
-rw-r--r--aports/broadcom-wl/APKBUILD2
-rw-r--r--aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch8
-rw-r--r--aports/busybox/0001-sed-check-errors-writing-file-with-sed-i.patch66
-rw-r--r--aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch10
-rw-r--r--aports/busybox/0018-ash-fix-ifs-cleanup-on-error-paths.patch91
-rw-r--r--aports/busybox/APKBUILD97
-rw-r--r--aports/busybox/CVE-2022-30065.patch63
-rw-r--r--aports/busybox/defaults.initd12
-rw-r--r--aports/busybox/mdev.conf134
-rw-r--r--aports/busybox/mdev.initd33
-rw-r--r--aports/busybox/persistent-storage83
-rw-r--r--aports/busybox/udhcpd.confd1
-rw-r--r--aports/hostapd/0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch30
-rw-r--r--aports/hostapd/APKBUILD67
-rw-r--r--aports/hostapd/hostapd.confd9
-rw-r--r--aports/hostapd/hostapd.initd52
-rw-r--r--aports/iptables/APKBUILD2
-rw-r--r--aports/linux-lts/APKBUILD6
-rw-r--r--aports/linux-lts/config-lts.x86_6413
-rw-r--r--aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch111
-rw-r--r--aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch4
-rw-r--r--aports/openrc/0009-dont-overwrite-empty-supervise_daemon_args.patch40
-rw-r--r--aports/openrc/0009-fix-bootmisc-mv-error.patch27
-rw-r--r--aports/openrc/0010-noexec-devfs.patch14
-rw-r--r--aports/openrc/APKBUILD34
-rw-r--r--aports/openrc/hwdrivers.initd4
-rw-r--r--aports/openrc/remount-root.patch42
-rw-r--r--aports/openrc/seedrng.patch640
-rw-r--r--aports/openrc/supervise-daemon-defaults.patch31
-rw-r--r--aports/openrc/test-networking.sh65
-rw-r--r--aports/rtl8821ce/APKBUILD2
-rw-r--r--aports/wpa_supplicant/APKBUILD11
-rw-r--r--aports/wpa_supplicant/CVE-2019-16275.patch73
-rw-r--r--aports/wpa_supplicant/CVE-2021-0326.patch37
-rw-r--r--aports/wpa_supplicant/CVE-2021-27803.patch50
-rw-r--r--aports/wpa_supplicant/config14
-rw-r--r--aports/wpa_supplicant/unsafe-renegotiation-1.patch103
-rw-r--r--aports/wpa_supplicant/unsafe-renegotiation-2.patch105
40 files changed, 899 insertions, 1323 deletions
diff --git a/aports/base-layout/APKBUILD b/aports/base-layout/APKBUILD
index 7597bc4..9b46b78 100644
--- a/aports/base-layout/APKBUILD
+++ b/aports/base-layout/APKBUILD
@@ -1,16 +1,16 @@
# Maintainer: Gabor Pali <pali.gabor@gmail.com>
pkgname=baselayout
-pkgver=3.2.0
-pkgrel=21 # base: 23
+pkgver=3.4.0
+pkgrel=0 # base: 0
pkgdesc="Base dir structure and init scripts (Alpine Linux)"
url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
-arch="all"
+arch="noarch"
license="GPL-2.0-only"
pkggroups="shadow"
options="!fhs !check"
install=
-_nbver=6.2
+_nbver=6.4
source="crontab
locale.sh
@@ -195,7 +195,7 @@ b2fc9b72846a43a45ba9a8749e581cef34d1915836833b51b7919dfbf4e275b7d55fec4dea7b23df
806b8f23f823a9471846d12fa6b55690b95eedb4c613b82aefaba7ffef23f83e17552befd891a487864f72ef24e395d8611738933f684a85eb4c336cb20994f8 group
7cc3c23062c730ec7a1d7850423d9901047005520da5b347b7b24e5f33a9c9a9129b430557f7f41e565f143624b7f3c47e3f6e4a6a446e75f0ea245c03d70880 inittab
06d12a7b9ca14fe17e412d0f24814620b67d035ae859be7906cbf4782dd69e359a6a555dafb98060b7fb7e4714aaa676c88d9017cded36e6d8398e23369bb290 passwd
-b14920eae431d1f15b066e264a94f804540c5dcbf91caef034019d95456c975c0c054672e53369082682dd9454a034f26bd45b312adfc0ab68a0311d97b037ac profile
-eadc83e47fcc354ab83fd109bee452bda170886fb684e67faf615930c11480919505f4af60c685b124efc54af0ded9522663132f911eac6622144f8b4c8be695 protocols-6.2
-adfae0d2f569c2a2f413b7e27683a007fc8ca689b8c3349672fe0dcb6208c192ede4402eff09c604b7e7b4fd9d8df93b875efa5bdaa6c14ff1d8022a7caad5cd services-6.2
+a15252a5eb90983775f63e54d37242f4c76c5c358ad6d8c1622c7da35f1b8a722249e7375a07e9f08fbb25318bd1eb033d3927aed82c3f5e9b854ad550dad2ce profile
+3a00083bcdf5a9e884c9d07877d52311e3d99e79cbee656e236ba06e08ba0dddb7ba76494fdc9dd1a826c48e197a790a69e6bb458e9df64832d6b5e904e9fd15 protocols-6.4
+47b0f3ee73af2d259bd206a026204be0ea25531a895a0b035a904b38fe5407bc3dd2beab7f8fcb3d760587e6159702ebdb9cbc4f508942befdf7f10c10c87888 services-6.4
"
diff --git a/aports/base-layout/profile b/aports/base-layout/profile
index fd7506b..e62587b 100644
--- a/aports/base-layout/profile
+++ b/aports/base-layout/profile
@@ -22,20 +22,18 @@ export PATH
export PAGER=less
umask 022
-# set up fallback default PS1
-: "${HOSTNAME:=$(hostname)}"
-PS1='${HOSTNAME%%.*}:$PWD'
-[ "$(id -u)" = "0" ] && PS1="${PS1}# "
-[ "$(id -u)" = "0" ] || PS1="${PS1}\$ "
-
# use nicer PS1 for bash and busybox ash
-[ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ] && PS1='\h:\w\$ '
-
+if [ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ]; then
+ PS1='\h:\w\$ '
# use nicer PS1 for zsh
-[ -n "$ZSH_VERSION" ] && PS1='%m:%~%# '
-
-# export PS1 as before
-export PS1
+elif [ -n "$ZSH_VERSION" ]; then
+ PS1='%m:%~%# '
+# set up fallback default PS1
+else
+ : "${HOSTNAME:=$(hostname)}"
+ PS1='${HOSTNAME%%.*}:$PWD'
+ [ "$(id -u)" -eq 0 ] && PS1="${PS1}# " || PS1="${PS1}\$ "
+fi
for script in /etc/profile.d/*.sh ; do
if [ -r "$script" ] ; then
diff --git a/aports/broadcom-wl/APKBUILD b/aports/broadcom-wl/APKBUILD
index ae7cd74..4e19807 100644
--- a/aports/broadcom-wl/APKBUILD
+++ b/aports/broadcom-wl/APKBUILD
@@ -2,7 +2,7 @@
pkgname=broadcom-wl
pkgver=6.30.223.271
-pkgrel=5
+pkgrel=6
pkgdesc='Broadcom 802.11 Linux STA wireless driver'
arch="x86_64"
url='https://www.broadcom.com/support/download-search/?pf=Wireless+LAN+Infrastructure'
diff --git a/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch b/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch
index 083b8a8..1ce06f8 100644
--- a/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch
+++ b/aports/busybox/0001-avoid-redefined-warnings-when-building-with-utmps.patch
@@ -1,6 +1,6 @@
-From 770825e4730fadc0b7fc5a0f154eb368a37564a0 Mon Sep 17 00:00:00 2001
+From 711de34e8fa42bd9ec704cc922db937edada84d8 Mon Sep 17 00:00:00 2001
From: Laurent Bercot <ska-devel@skarnet.org>
-Date: Wed, 20 Jul 2022 10:39:22 +0200
+Date: Fri, 22 Jul 2022 01:35:14 +0200
Subject: [PATCH] Avoid redefined warnings when buiding with utmps
Do not use _PATH_UTMP or _PATH_WTMP, and do not touch
@@ -13,7 +13,7 @@ the files directly.
4 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/include/libbb.h b/include/libbb.h
-index abbc9ac59..9710e804c 100644
+index abbc9ac59..405108b17 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -107,14 +107,12 @@
@@ -21,7 +21,7 @@ index abbc9ac59..9710e804c 100644
# else
# if !defined(__FreeBSD__)
-# include <utmp.h>
-+# include <utmps/utmps.h>
++# include <utmpx.h>
+# define _CORRECT_PATH_UTMPX "/run/utmps/utmp"
+# define _CORRECT_PATH_WTMP "/var/log/wtmp"
# else
diff --git a/aports/busybox/0001-sed-check-errors-writing-file-with-sed-i.patch b/aports/busybox/0001-sed-check-errors-writing-file-with-sed-i.patch
new file mode 100644
index 0000000..90a5115
--- /dev/null
+++ b/aports/busybox/0001-sed-check-errors-writing-file-with-sed-i.patch
@@ -0,0 +1,66 @@
+From b99395ebf70eadb248da0ecf913eea0236eceea1 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@atmark-techno.com>
+Date: Wed, 16 Nov 2022 11:52:29 +0900
+Subject: [PATCH] sed: check errors writing file with sed -i
+
+sed would currently not error if write failed when modifying a file.
+
+This can be reproduced with the following 'script':
+$ sudo mount -t tmpfs tmpfs -o size=1M /tmp/m
+$ sudo chmod 777 /tmp/m
+$ echo foo > /tmp/m/foo
+$ dd if=/dev/zero of=/tmp/m/fill bs=4k
+dd: error writing '/tmp/m/fill': No space left on device
+256+0 records in
+255+0 records out
+1044480 bytes (1.0 MB, 1020 KiB) copied, 0.00234567 s, 445 MB/s
+$ busybox sed -i -e 's/.*/bar/' /tmp/m/foo
+$ echo $?
+0
+$ cat /tmp/m/foo
+<empty>
+
+new behaviour:
+$ echo foo > /tmp/m/foo
+$ ./busybox sed -i -e 's/.*/bar/' /tmp/m/foo
+sed: write error
+$ echo $?
+4
+$ cat /tmp/m/foo
+foo
+
+function old new delta
+sed_main 754 801 +47
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 1/0 up/down: 47/0) Total: 47 bytes
+ text data bss dec hex filename
+ 66957 2398 1552 70907 114fb busybox_old
+ 67004 2398 1552 70954 1152a busybox_unstripped
+
+Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+---
+Upstream patch:
+http://lists.busybox.net/pipermail/busybox/2022-November/089967.html
+
+ editors/sed.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/editors/sed.c b/editors/sed.c
+index 32a4b61f6d4c..be709eef3a9c 100644
+--- a/editors/sed.c
++++ b/editors/sed.c
+@@ -1639,6 +1639,11 @@ int sed_main(int argc UNUSED_PARAM, char **argv)
+ fchown(nonstdoutfd, statbuf.st_uid, statbuf.st_gid);
+
+ process_files();
++ fflush(G.nonstdout);
++ if (ferror(G.nonstdout)) {
++ xfunc_error_retval = 4; /* It's what gnu sed exits with... */
++ bb_simple_error_msg_and_die(bb_msg_write_error);
++ }
+ fclose(G.nonstdout);
+ G.nonstdout = stdout;
+
+--
+2.35.1
+
diff --git a/aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch b/aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch
index 964db5df..2ca4bcd 100644
--- a/aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch
+++ b/aports/busybox/0004-app-location-for-cpio-vi-and-lspci.patch
@@ -1,4 +1,4 @@
-From 3f44fe588d0d68ff5897928b65c0749505937d8d Mon Sep 17 00:00:00 2001
+From 97d4a0ffc6f58813fd91e5728d474b984f29b9a6 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Tue, 27 Dec 2016 20:46:59 +0100
Subject: [PATCH] app location for cpio, vi and lspci
@@ -11,12 +11,12 @@ Adjust location to where alpine linux installs them
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/archival/cpio.c b/archival/cpio.c
-index d84f6937d..29e7d396a 100644
+index 7149782d7..ee80efd9f 100644
--- a/archival/cpio.c
+++ b/archival/cpio.c
-@@ -39,7 +39,7 @@
+@@ -53,7 +53,7 @@
//config: help
- //config: Passthrough mode. Rarely used.
+ //config: Optionally renumber inodes when creating archives.
-//applet:IF_CPIO(APPLET(cpio, BB_DIR_BIN, BB_SUID_DROP))
+//applet:IF_CPIO(APPLET(cpio, BB_DIR_USR_BIN, BB_SUID_DROP))
@@ -24,7 +24,7 @@ index d84f6937d..29e7d396a 100644
//kbuild:lib-$(CONFIG_CPIO) += cpio.o
diff --git a/editors/vi.c b/editors/vi.c
-index 3e1bd0820..774da291f 100644
+index 3dbe5b471..b29c16098 100644
--- a/editors/vi.c
+++ b/editors/vi.c
@@ -176,7 +176,7 @@
diff --git a/aports/busybox/0018-ash-fix-ifs-cleanup-on-error-paths.patch b/aports/busybox/0018-ash-fix-ifs-cleanup-on-error-paths.patch
new file mode 100644
index 0000000..c09bc84
--- /dev/null
+++ b/aports/busybox/0018-ash-fix-ifs-cleanup-on-error-paths.patch
@@ -0,0 +1,91 @@
+From 1c5455284234e894dfb6086bf7f3e9a6d5d9611f Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 2 Aug 2022 11:13:44 +0200
+Subject: [PATCH] ash: fix ifs cleanup on error paths
+
+Patch by Alex Gorinson <algore3698@gmail.com>
+
+function old new delta
+evalvar 477 495 +18
+varvalue 603 618 +15
+subevalvar 1557 1572 +15
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 3/0 up/down: 48/0) Total: 48 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/ash.c | 2 ++
+ shell/ash_test/ash-heredoc/heredoc_and_cmd.right | 2 ++
+ shell/ash_test/ash-heredoc/heredoc_and_cmd.tests | 8 ++++++++
+ shell/hush_test/hush-heredoc/heredoc_and_cmd.right | 2 ++
+ shell/hush_test/hush-heredoc/heredoc_and_cmd.tests | 8 ++++++++
+ 5 files changed, 22 insertions(+)
+ create mode 100644 shell/ash_test/ash-heredoc/heredoc_and_cmd.right
+ create mode 100755 shell/ash_test/ash-heredoc/heredoc_and_cmd.tests
+ create mode 100644 shell/hush_test/hush-heredoc/heredoc_and_cmd.right
+ create mode 100755 shell/hush_test/hush-heredoc/heredoc_and_cmd.tests
+
+diff --git a/shell/ash.c b/shell/ash.c
+index d29de37b7..c731a333b 100644
+--- a/shell/ash.c
++++ b/shell/ash.c
+@@ -7028,6 +7028,7 @@ varunset(const char *end, const char *var, const char *umsg, int varflags)
+ msg = umsg;
+ }
+ }
++ ifsfree();
+ ash_msg_and_raise_error("%.*s: %s%s", (int)(end - var - 1), var, msg, tail);
+ }
+
+@@ -7453,6 +7454,7 @@ varvalue(char *name, int varflags, int flags, int quoted)
+ if (discard)
+ return -1;
+
++ ifsfree();
+ raise_error_syntax("bad substitution");
+ }
+
+diff --git a/shell/ash_test/ash-heredoc/heredoc_and_cmd.right b/shell/ash_test/ash-heredoc/heredoc_and_cmd.right
+new file mode 100644
+index 000000000..25ae70561
+--- /dev/null
++++ b/shell/ash_test/ash-heredoc/heredoc_and_cmd.right
+@@ -0,0 +1,2 @@
++./heredoc_and_cmd.tests: line 4: D: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++Y
+diff --git a/shell/ash_test/ash-heredoc/heredoc_and_cmd.tests b/shell/ash_test/ash-heredoc/heredoc_and_cmd.tests
+new file mode 100755
+index 000000000..197542de7
+--- /dev/null
++++ b/shell/ash_test/ash-heredoc/heredoc_and_cmd.tests
+@@ -0,0 +1,8 @@
++# The bug was only happening with <<REDIR;CMD form below:
++M='AAAAAAAAAAAAAAAAA'
++fff(){
++date <<000; echo Y
++${D?$M$M$M$M$M$M}
++000
++}
++fff
+diff --git a/shell/hush_test/hush-heredoc/heredoc_and_cmd.right b/shell/hush_test/hush-heredoc/heredoc_and_cmd.right
+new file mode 100644
+index 000000000..5c19a0621
+--- /dev/null
++++ b/shell/hush_test/hush-heredoc/heredoc_and_cmd.right
+@@ -0,0 +1,2 @@
++hush: D: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++Y
+diff --git a/shell/hush_test/hush-heredoc/heredoc_and_cmd.tests b/shell/hush_test/hush-heredoc/heredoc_and_cmd.tests
+new file mode 100755
+index 000000000..197542de7
+--- /dev/null
++++ b/shell/hush_test/hush-heredoc/heredoc_and_cmd.tests
+@@ -0,0 +1,8 @@
++# The bug was only happening with <<REDIR;CMD form below:
++M='AAAAAAAAAAAAAAAAA'
++fff(){
++date <<000; echo Y
++${D?$M$M$M$M$M$M}
++000
++}
++fff
diff --git a/aports/busybox/APKBUILD b/aports/busybox/APKBUILD
index 18e2308..112c885 100644
--- a/aports/busybox/APKBUILD
+++ b/aports/busybox/APKBUILD
@@ -1,13 +1,13 @@
# Maintainer: Gabor Pali <pali.gabor@gmail.com>
pkgname=busybox
pkgver=1.35.0
-pkgrel=2 # base: 17, -initscripts: 4.2-r0
+pkgrel=3 # base: 29
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url="https://busybox.net/"
arch="all"
license="GPL-2.0-only"
makedepends_build="perl"
-makedepends_host="linux-headers openssl-dev"
+makedepends_host="linux-headers openssl-dev>3"
# Only build with UTMPS support if we are not bootstrapping.
# skalibs-static is needed for utmps-static
[ -z "$BOOTSTRAP" ] && makedepends_host="$makedepends_host utmps-dev utmps-static skalibs-static"
@@ -17,6 +17,14 @@ provides="/bin/sh"
install=
subpackages=
options="!check"
+
+_openrc_files="acpid.initd
+ crond.confd crond.initd
+ defaults.initd
+ syslog.confd syslog.initd
+ udhcpd.confd udhcpd.initd"
+_mdev_openrc_files="mdev.initd"
+
source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
0001-nologin-Install-applet-to-sbin-instead-of-usr-sbin.patch
0001-adduser-default-to-sbin-nologin-as-shell-for-system-.patch
@@ -37,34 +45,29 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch
0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch
0017-ash-Fix-use-after-free-on-idx-variable.patch
+ 0018-ash-fix-ifs-cleanup-on-error-paths.patch
+
0001-ash-add-built-in-BB_ASH_VERSION-variable.patch
+
0001-pgrep-add-support-for-matching-against-UID-and-RUID.patch
+
0001-avoid-redefined-warnings-when-building-with-utmps.patch
+
0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
0002-nslookup-sanitize-all-printed-strings-with-printable.patch
0001-modinfo-add-k-option-for-kernel-version.patch
CVE-2022-30065.patch
+ 0001-sed-check-errors-writing-file-with-sed-i.patch
acpid.logrotate
config
default.script
-
- acpid.initd
- crond.initd
- mdev.initd
- syslog.initd
- udhcpd.initd
- defaults.initd
-
- crond.confd
- syslog.confd
- udhcpd.confd
- mdev.conf
- persistent-storage
- "
+ $_openrc_files
+ $_mdev_openrc_files
+"
# secfixes:
-# 1.35.0-r15:
+# 1.35.0-r17:
# - CVE-2022-30065
# 1.35.0-r7:
# - ALPINE-13661
@@ -108,6 +111,12 @@ prepare() {
}
build() {
+ local _extra_cflags= _extra_libs=
+ if [ -z "$BOOTSTRAP" ] ; then
+ _extra_cflags="$(pkg-config --cflags --static utmps)"
+ _extra_libs="$(pkg-config --libs --static utmps)"
+ fi
+
cd "$srcdir"/build
echo "COPIED CONFIG to $(pwd)/.config"
cp "$srcdir"/config .config
@@ -115,16 +124,25 @@ build() {
-e "s/CONFIG_EXTRA_COMPAT=y/CONFIG_EXTRA_COMPAT=n/" \
.config
make -C "$builddir" O="$PWD" silentoldconfig
- make
+ make CONFIG_EXTRA_CFLAGS="$_extra_cflags" CONFIG_EXTRA_LDLIBS="$_extra_libs"
}
package() {
- local i
+ local file
- cd "$srcdir"/build
mkdir -p "$pkgdir"/usr/sbin "$pkgdir"/usr/bin "$pkgdir"/tmp \
- "$pkgdir"/var/cache/misc "$pkgdir"/bin "$pkgdir"/sbin
+ "$pkgdir"/var/cache/misc "$pkgdir"/bin "$pkgdir"/sbin \
+ "$pkgdir"/etc/conf.d "$pkgdir"/etc/init.d
chmod 1777 "$pkgdir"/tmp
+ cd "$srcdir"
+ for file in *.confd; do
+ install -D -m 0644 ${file} "$pkgdir"/etc/conf.d/${file%%\.confd}
+ done
+ for file in *.initd; do
+ install -D -m 0755 ${file} "$pkgdir"/etc/init.d/${file%%\.initd}
+ done
+
+ cd "$srcdir"/build
install -m755 busybox "$pkgdir"/bin/busybox
for target in $("$pkgdir"/bin/busybox --list-full | sort); do
@@ -162,27 +180,12 @@ EOF
install -Dm755 "$srcdir"/default.script \
"$pkgdir"/usr/share/udhcpc/default.script
- # deploy init scripts
cd "$srcdir"
- mkdir -p "$pkgdir"/etc/conf.d "$pkgdir"/etc/init.d "$pkgdir"/lib/mdev\
- "$pkgdir"/etc/acpi/PWRF
- for i in *.initd; do
- install -m755 "$srcdir"/$i "$pkgdir"/etc/init.d/${i%.*} || return 1
- done
- for i in *.confd; do
- install -m644 "$srcdir"/$i "$pkgdir"/etc/conf.d/${i%.*} || return 1
- done
- install -m644 mdev.conf "$pkgdir"/etc
- install -m755 persistent-storage \
- "$pkgdir"/lib/mdev/
-
+ mkdir -p "$pkgdir"/etc/acpi/PWRF
# poweroff script for acpid
- cat >"$pkgdir"/etc/acpi/PWRF/00000080 <<EOF
-#!/bin/sh
-poweroff
-EOF
- chmod +x "$pkgdir"/etc/acpi/PWRF/00000080
+ { echo '#!/bin/sh'; echo poweroff ; } > "$pkgdir"/etc/acpi/PWRF/00000080
+ chmod 0755 "$pkgdir"/etc/acpi/PWRF/00000080
}
sha512sums="
@@ -193,7 +196,7 @@ a2787a3ecaf6746dadef62166e8ee6ecaa166147e5ad8b917c5838536057c875bab5f9cf40c3e05e
0cac9b944928500293e366b42e03211d4159d05b622da60664825e5ee87c9bf6d5a8ea5e794584713f7464efb4cdc431e02f439c717b7e62b1864a228bc8cbac 0001-modutils-check-ELF-header-before-calling-finit_module.patch
d8694293edc8cd55cecafeb902f03c01af318e13966f399365cf792b840793891ac086bb67ef83e7a5a2e01b246497a6c6511cb6a856834f6672dee4bca76896 0002-fsck-resolve-LABEL-.-UUID-.-spec-to-device.patch
8c34dd5ce9a6e84279fa6494cbae0b254778976f341af1d0ccc2a3afb405fb22d374e9623ea83d1500da77c7463db2ed5218d2c9f49350a21114bd0bb17fd87d 0003-ash-exec-busybox.static.patch
-a8fc2ccced4054f5eff6ea00389906a543a1716202b19ab71fda1de0e6860c8377ed3c306ffb9efabe9fb16779a306da6770b871229f6bd1d725a84fdaa03fef 0004-app-location-for-cpio-vi-and-lspci.patch
+f9745497abd4d04621f089c62d9f2104c30d54f342125f597292253f2974d385c5f4a46e7d87a5d1b641b11b34ba5221183dd5dad1e3bbe74a787fb8d6a994b7 0004-app-location-for-cpio-vi-and-lspci.patch
f12916e70f7cc1ef4f6d85d09b9a496a52a494e6318029fdce9a9c812ab5c7b2a046c33b66834127bf809f243c91a53c3c5e27efca026a96fe6b03421de26e60 0005-udhcpc-set-default-discover-retries-to-5.patch
89215c328a46afc686c458a133dd88dcda817586df60eb041a694715e73dc78a297fc0f9a92e8ee7d0a39ce7f6053a6b8e38f3ee078ff90ed13fac2608510105 0006-ping-make-ping-work-without-root-privileges.patch
7873b98c676a92faea61511d50c1efac1220354d20afd53de19e2c8f1472559cb333b9dd4e0d6432616d8c5f59885f1503c448c86a912e8031c9bfed628c2db1 0007-fbsplash-support-console-switching.patch
@@ -206,25 +209,25 @@ ecbe5c890d966f09280c7eb534109f785c68e292765f17ed7ff62fcc61d20f61443c4155add0a1eb
0040800382a6e3adcc6a8094b821488c7e297fc80304afba23a4fca43b7b26ac699378dfbd930ebbf9985336b3e431301f7ca93e2d041a071902a48740d263ef 0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch
4c95dc4bf6aff9018bfb52b400f6d8375a1d22493b44ea516cb12dba6556f12797a3cba55768d2e59ff57c0f3247ec1ff95edb8f17561f3d37ec18d83ca47eb0 0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch
ccdf098fb15eaa316708181469a1193d6eec7067131e7b7645e0219bf03cfd07f4f79e8f62c1e560f6146dcc38186a29bdee08aaa39f290e11d020b8f07d2f65 0017-ash-Fix-use-after-free-on-idx-variable.patch
+3abdbd25f1f0daa24b0aabe92880c28dc2d3b59eb29fad357dfaf2b78bb895466bbf4495e2185370d9219d65b22e65e525769e369e50fb1fdfd71b5229a4f429 0018-ash-fix-ifs-cleanup-on-error-paths.patch
6d100fe44da2b97c2cbdda253d0504b487212d195144d9315cddbe8c51d18fae3745701923b170b40e35f54b592f94f02cadbffd9cb716661c12a7f1da022763 0001-ash-add-built-in-BB_ASH_VERSION-variable.patch
e33dbc27d77c4636f4852d5d5216ef60a9a4343484e4559e391c13c813bf65c782b889914eff2e1f038d74cf02cb0d23824ebbb1044b5f8c86260d5a1bbc4e4d 0001-pgrep-add-support-for-matching-against-UID-and-RUID.patch
-b4b8195390da70c96503e66e18420b8aea5754f64300082632fcaccd4ebe86cb771d6d4b912f5162e0538e6f756a9377689ad9a138f683cd729c3f54770304bf 0001-avoid-redefined-warnings-when-building-with-utmps.patch
+7608fbb9deddc9268ba53bc5b762a00fa16744d595f6f8a2f5a857339e754ea0c3da084a1e48269c8281553e9171d2bb29b8530fbe85e6a934f97c3cfcdbe31b 0001-avoid-redefined-warnings-when-building-with-utmps.patch
b52050678e79e4da856956906d07fcb620cbf35f2ef6b5a8ee3b8d244ea63b4b98eef505451184d5b4937740d91eef154ed748c30d329ac485be51b37626f251 0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
ead4ad65d270d8659e1898fa16f76b6cbcf567d8aba238eacccda3764edb4362240d9359d6389873bedc126d405f805fc6dfce653a7181618ebcc67c94bd08d2 0002-nslookup-sanitize-all-printed-strings-with-printable.patch
4f6ddd59d6096943f617b0938fca428114190b8b37732d6783faab291451a2c30c452ed39299db22d1d9679d007022f87d43e93b38a4f6ced64a8659e9233773 0001-modinfo-add-k-option-for-kernel-version.patch
22e2fa8f7a6105fd9990f93b71c235980fd4eab62269939a0e3a920fe517ee4f913c6bd0148a554b67fe01d1660bf0fd76a80e9dcac290b4b8b2c304ef6080a9 CVE-2022-30065.patch
+d1a2fcbf9de623531953e7ad869e41e896aa79a0917983e6f0d20ddf7393e11220dda8be93c796b7abbf34006d8f03e871a6ab293988267df5aadb74cbd8aeb1 0001-sed-check-errors-writing-file-with-sed-i.patch
aa93095e20de88730f526c6f463cef711b290b9582cdbd8c1ba2bd290019150cbeaa7007c2e15f0362d5b9315dd63f60511878f0ea05e893f4fdfb4a54af3fb1 acpid.logrotate
0b92eafab0722a6c9cc4880e3be4976de9713e1e1c715c6c727a948cbd68268fce01ce308291834f70d0cf3328f7c8a44cbdb5b7c70d90f91b15efcb5b90acb3 config
e063599f412df919b75584fee9501925418ef21689232792e9d61178f4e34a65c3cff8a3b1b4cf3e5be61efea2065cc303db35c53ec07b361d3a65e888247544 default.script
dd548670114a92404b8e35fb915fdbe5994498b05b0a418583271c3dd72fb7800950e42c095c902a014eb198c046b8a346d43dccd8e7a158048ae33767c572ed acpid.initd
+34c6f3197064bb91619b899b28a201bd4d920b18bded3845440b2cb36dc6f16cabf447c96878349b16e46c30184cbe48bac00a01c5f7cf1be038c0b7136064c5 crond.confd
c9d0fb0f8cc27d661d3b4e58c56eb598ca368890576e18ffffd42efdf68ba35537656be9be319b2e2818aa0152d3ca8611bece2433512fbfcd4eed7988765549 crond.initd
-1aed59fb048f0636ee8a095a089a20554a20eda84c70485a894ae60b0f97b792b7ce8e832557457258f59a2750735c4a25e247364ccf1180e9652b292a5f9e8d mdev.initd
-acfd45bda4526ab551a30faec1742ad1569aa85e0d315959c3e3a3d6a693f94c74efeb57a00b8791524651e8a61d3f7ea3e3e08a4b0291ec46309f594ee8124c syslog.initd
-1d4574ec7cc6d7e9952bb50b4fcb10a910868688da03a25aede492835313c686247bde1faa17f50243d61a93bfc1d8fa54cf821d7be908581e365b0f1b6a5588 udhcpd.initd
23ef7f32447f239b617d5ae221b024c7b47ca4faa9a27f80a4a6a473fd148cb4339a728fee3bb55ce67d531a141ec07c66dca533138652058d3a6a936b68d3c7 defaults.initd
-34c6f3197064bb91619b899b28a201bd4d920b18bded3845440b2cb36dc6f16cabf447c96878349b16e46c30184cbe48bac00a01c5f7cf1be038c0b7136064c5 crond.confd
bf8173ee33a5d2b61cbdbc1b070e599a17a21e5433a0d8aa9beef71e4ac831304076af8e7e58dc594cdee61562329793afdc57af91e5496bf5fffb9b734a3d9c syslog.confd
+acfd45bda4526ab551a30faec1742ad1569aa85e0d315959c3e3a3d6a693f94c74efeb57a00b8791524651e8a61d3f7ea3e3e08a4b0291ec46309f594ee8124c syslog.initd
2947b23728d3ad6839f660fee11fc4c86d0d1a3fc450ceff85480932b0699e7b7293eb7258cf0e957542ed3c7a4416376ebb284992e6682aede61f48069b1043 udhcpd.confd
-634fa067629febcdd8ba9516fbaafddd5be2d38ac37bff9eccfacce0fcf3b259426c12ff967b179bd93b2962401a4a2f15709d32da0623bd078688b8611817cd mdev.conf
-2873ec2ba41fe96b010b14fe3fc87d347b71eb6079c12e05ac72eac6c7f146e25096c0b29b2b9d69cbe6840e16dbf4a93ee81132de9fac497e41ab5e8bce2243 persistent-storage
+1d4574ec7cc6d7e9952bb50b4fcb10a910868688da03a25aede492835313c686247bde1faa17f50243d61a93bfc1d8fa54cf821d7be908581e365b0f1b6a5588 udhcpd.initd
+6ce0b2a8fe69cc7ea657c5b9076aba51c8f0beeaafa4a887d8673bcc9f9cf8ee40f4b07d2d901ec7a1a1e4f29c150c496559559e803595d0bd487dec56b530a2 mdev.initd
"
diff --git a/aports/busybox/CVE-2022-30065.patch b/aports/busybox/CVE-2022-30065.patch
new file mode 100644
index 0000000..4a9cd67
--- /dev/null
+++ b/aports/busybox/CVE-2022-30065.patch
@@ -0,0 +1,63 @@
+From 3c284dcb726ff6599d3b87fb366fb04411cf5595 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Fri, 17 Jun 2022 09:52:11 +0000
+Subject: [PATCH 1/2] awk: fix use after free (CVE-2022-30065)
+
+fixes https://bugs.busybox.net/show_bug.cgi?id=14781
+
+Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
+---
+ editors/awk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 079d0bde5..728ee8685 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -3128,6 +3128,9 @@ static var *evaluate(node *op, var *res)
+
+ case XC( OC_MOVE ):
+ debug_printf_eval("MOVE\n");
++ /* make sure that we never return a temp var */
++ if (L.v == TMPVAR0)
++ L.v = res;
+ /* if source is a temporary string, jusk relink it to dest */
+ if (R.v == TMPVAR1
+ && !(R.v->type & VF_NUMBER)
+--
+2.36.1
+
+
+From 30c8f8e69230ef27f116a2c10ca2e4a6cc343dad Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Thu, 16 Jun 2022 21:54:48 +0200
+Subject: [PATCH 2/2] awk: add tests for CVE-2022-30065
+
+Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
+---
+ testsuite/awk.tests | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/testsuite/awk.tests b/testsuite/awk.tests
+index 93e25d8c1..6c3a03c37 100755
+--- a/testsuite/awk.tests
++++ b/testsuite/awk.tests
+@@ -479,4 +479,15 @@ testing 'awk backslash+newline eaten with no trace' \
+ "Hello world\n" \
+ '' ''
+
++testing 'awk use-after-free (CVE-2022-30065)' \
++ "awk '\$3i\$3in\$9=\$r||\$9=i6/6-9f'" \
++ "" \
++ "" \
++ ""
++
++testing 'awk assign while test' \
++ "awk '\$1==\$1=\"foo\" {print \$1}'" \
++ "foo\n" \
++ "" \
++ "foo"
+ exit $FAILCOUNT
+--
+2.36.1
+
diff --git a/aports/busybox/defaults.initd b/aports/busybox/defaults.initd
new file mode 100644
index 0000000..a92a942
--- /dev/null
+++ b/aports/busybox/defaults.initd
@@ -0,0 +1,12 @@
+#!/sbin/openrc-run
+
+description="Sets service-specific defaults."
+
+start() {
+ ebegin "Setting defaults"
+ . /etc/udhcpc/udhcpc.conf
+ if [ ! -s "$UDHCPD_CONF" ] ; then
+ sed 's|%%DNS%%||' < "$UDHCPD_CONF_TEMPLATE" > "$UDHCPD_CONF"
+ fi
+ eend $?
+}
diff --git a/aports/busybox/mdev.conf b/aports/busybox/mdev.conf
deleted file mode 100644
index 903786f..0000000
--- a/aports/busybox/mdev.conf
+++ /dev/null
@@ -1,134 +0,0 @@
-#
-# This is a sample mdev.conf.
-#
-
-# Devices:
-# Syntax: %s %d:%d %s
-# devices user:group mode
-
-$MODALIAS=.* root:root 0660 @modprobe -q -b "$MODALIAS"
-
-# null does already exist; therefore ownership has to be changed with command
-null root:root 0666 @chmod 666 $MDEV
-zero root:root 0666
-grsec root:root 0660
-full root:root 0666
-
-random root:root 0666
-urandom root:root 0444
-hwrandom root:root 0660
-
-console root:tty 0600
-
-# load frambuffer console when first frambuffer is found
-fb0 root:video 0660 @modprobe -q -b fbcon
-vchiq root:video 0660
-
-fd0 root:floppy 0660
-kmem root:root 0640
-mem root:root 0640
-port root:root 0640
-ptmx root:tty 0666
-
-# Kernel-based Virtual Machine.
-kvm root:kvm 660
-
-# ram.*
-ram([0-9]*) root:disk 0660 >rd/%1
-loop([0-9]+) root:disk 0660 >loop/%1
-
-# persistent storage
-dasd.* root:disk 0660 */lib/mdev/persistent-storage
-mmcblk.* root:disk 0660 */lib/mdev/persistent-storage
-nbd.* root:disk 0660 */lib/mdev/persistent-storage
-nvme.* root:disk 0660 */lib/mdev/persistent-storage
-sd[a-z].* root:disk 0660 */lib/mdev/persistent-storage
-sr[0-9]+ root:cdrom 0660 */lib/mdev/persistent-storage
-vd[a-z].* root:disk 0660 */lib/mdev/persistent-storage
-xvd[a-z].* root:disk 0660 */lib/mdev/persistent-storage
-
-md[0-9] root:disk 0660
-
-tty root:tty 0666
-tty[0-9] root:root 0600
-tty[0-9][0-9] root:tty 0660
-ttyS[0-9]* root:uucp 0660
-pty.* root:tty 0660
-vcs[0-9]* root:tty 0660
-vcsa[0-9]* root:tty 0660
-
-# rpi bluetooth
-#ttyAMA0 root:tty 660 @btattach -B /dev/$MDEV -P bcm -S 115200 -N &
-
-ttyACM[0-9] root:dialout 0660 @ln -sf $MDEV modem
-ttyUSB[0-9] root:dialout 0660 @ln -sf $MDEV modem
-ttyLTM[0-9] root:dialout 0660 @ln -sf $MDEV modem
-ttySHSF[0-9] root:dialout 0660 @ln -sf $MDEV modem
-slamr root:dialout 0660 @ln -sf $MDEV slamr0
-slusb root:dialout 0660 @ln -sf $MDEV slusb0
-fuse root:root 0666
-
-# dri device
-dri/.* root:video 0660
-card[0-9] root:video 0660 =dri/
-
-# alsa sound devices and audio stuff
-pcm.* root:audio 0660 =snd/
-control.* root:audio 0660 =snd/
-midi.* root:audio 0660 =snd/
-seq root:audio 0660 =snd/
-timer root:audio 0660 =snd/
-
-adsp root:audio 0660 >sound/
-audio root:audio 0660 >sound/
-dsp root:audio 0660 >sound/
-mixer root:audio 0660 >sound/
-sequencer.* root:audio 0660 >sound/
-
-SUBSYSTEM=sound;.* root:audio 0660
-
-# virtio-ports
-SUBSYSTEM=virtio-ports;vport.* root:root 0600 @mkdir -p virtio-ports; ln -sf ../$MDEV virtio-ports/$(cat /sys/class/virtio-ports/$MDEV/name)
-
-# misc stuff
-agpgart root:root 0660 >misc/
-psaux root:root 0660 >misc/
-rtc root:root 0664 >misc/
-
-# input stuff
-event[0-9]+ root:input 0640 =input/
-mice root:input 0640 =input/
-mouse[0-9] root:input 0640 =input/
-js[0-9] root:input 0640 =input/
-ts[0-9] root:input 0600 =input/
-
-# v4l stuff
-vbi[0-9] root:video 0660 >v4l/
-video[0-9]+ root:video 0660 >v4l/
-
-# dvb stuff
-dvb.* root:video 0660 */lib/mdev/dvbdev
-
-# load drivers for usb devices
-usb[0-9]+ root:root 0660 */lib/mdev/usbdev
-
-# net devices
-# 666 is fine: https://www.kernel.org/doc/Documentation/networking/tuntap.txt
-net/tun[0-9]* root:netdev 0666
-net/tap[0-9]* root:netdev 0666
-
-# zaptel devices
-zap(.*) root:dialout 0660 =zap/%1
-dahdi!(.*) root:dialout 0660 =dahdi/%1
-dahdi/(.*) root:dialout 0660 =dahdi/%1
-
-# raid controllers
-cciss!(.*) root:disk 0660 =cciss/%1
-cciss/(.*) root:disk 0660 =cciss/%1
-ida!(.*) root:disk 0660 =ida/%1
-ida/(.*) root:disk 0660 =ida/%1
-rd!(.*) root:disk 0660 =rd/%1
-rd/(.*) root:disk 0660 =rd/%1
-
-# fallback for any!device -> any/device
-(.*)!(.*) root:root 0660 =%1/%2
diff --git a/aports/busybox/mdev.initd b/aports/busybox/mdev.initd
index 9dbb994..630d837 100644
--- a/aports/busybox/mdev.initd
+++ b/aports/busybox/mdev.initd
@@ -1,39 +1,40 @@
#!/sbin/openrc-run
+description="the mdev device manager"
+
depend() {
provide dev
need sysfs dev-mount
before checkfs fsck
- keyword -vserver -lxc
+ keyword -containers -vserver -lxc
}
-start() {
- # check if udev is specified on cmd line
- if get_bootparam "udev"; then
- ewarn "Skipping mdev as udev requested in kernel cmdline"
- return 0
- fi
-
+_start_service () {
ebegin "Starting busybox mdev"
mkdir -p /dev
-
- # use mdev for hotplug
echo "/sbin/mdev" > /proc/sys/kernel/hotplug
-
+ eend $?
+}
+
+_start_coldplug () {
+ ebegin "Scanning hardware for mdev"
# mdev -s will not create /dev/usb[1-9] devices with recent kernels
- # so we trigger hotplug events for usb for now
+ # so we manually trigger events for usb
for i in $(find /sys/devices -name 'usb[0-9]*'); do
[ -e $i/uevent ] && echo add > $i/uevent
done
-
- # create devices
+ # trigger the rest of the coldplug
mdev -s
eend $?
}
+start() {
+ _start_service
+ _start_coldplug
+}
+
stop() {
ebegin "Stopping busybox mdev"
- echo "" > /proc/sys/kernel/hotplug
+ echo > /proc/sys/kernel/hotplug
eend
}
-
diff --git a/aports/busybox/persistent-storage b/aports/busybox/persistent-storage
deleted file mode 100644
index 4b821bc..0000000
--- a/aports/busybox/persistent-storage
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/bin/sh
-
-symlink_action() {
- case "$ACTION" in
- add) ln -sf "$1" "$2";;
- remove) rm -f "$2";;
- esac
-}
-
-: ${SYSFS:=/sys}
-
-# cdrom symlink
-case "$MDEV" in
- sr*|xvd*)
- caps="$(cat $SYSFS/block/$MDEV/capability 2>/dev/null)"
- if [ $(( 0x${caps:-0} & 8 )) -gt 0 ]; then
- symlink_action $MDEV cdrom
- fi
-esac
-
-# by-id symlinks
-mkdir -p disk/by-id
-
-partition=$(cat $SYSFS/class/block/$MDEV/partition 2>/dev/null)
-case "$partition" in
- [0-9]*) partsuffix="-part$partition";;
-esac
-
-wwid=$(cat $SYSFS/class/block/$MDEV/wwid 2>/dev/null)
-: ${wwid:=$(cat $SYSFS/class/block/$MDEV/device/wwid 2>/dev/null)}
-
-if [ -n "$wwid" ]; then
- case "$MDEV" in
- nvme*) symlink_action ../../$MDEV disk/by-id/nvme-${wwid}${partsuffix};;
- esac
- case "$wwid" in
- naa.*) symlink_action ../../$MDEV disk/by-id/wwn-0x${wwid#naa.};;
- esac
-fi
-
-serial=$(sed -E -e 's/^\s+//' -e 's/\s+$//' -e 's/ /_/g' \
- $SYSFS/class/block/$MDEV/device/serial 2>/dev/null)
-
-model=$(sed -E -e 's/^\s+//' -e 's/\s+$//' -e 's/ /_/g' \
- $SYSFS/class/block/$MDEV/device/model 2>/dev/null)
-
-if [ -n "$serial" ] && [ -n "$model" ]; then
- case "$MDEV" in
- nvme*) symlink_action ../../$MDEV disk/by-id/nvme-${model}_${serial}${partsuffix};;
- esac
-fi
-
-# virtio-blk
-if [ -n "$serial" ]; then
- case "$MDEV" in
- vd*) symlink_action ../../$MDEV disk/by-id/virtio-${serial}${partsuffix};;
- esac
-fi
-
-# by-uuid, by-partuuid
-eval $(blkid /dev/$MDEV | cut -d: -f2-)
-if [ -n "$UUID" ]; then
- mkdir -p disk/by-uuid
- symlink_action ../../$MDEV disk/by-uuid/$UUID
-fi
-if [ -n "$PARTUUID" ]; then
- mkdir -p disk/by-partuuid
- symlink_action ../../$MDEV disk/by-partuuid/$PARTUUID
-fi
-
-# backwards compatibility with /dev/usbdisk for /dev/sd*
-if [ "${MDEV#sd}" != "$MDEV" ]; then
- sysdev=$(readlink $SYSFS/class/block/$MDEV)
- case "$sysdev" in
- *usb[0-9]*)
- # require vfat for devices without partition
- if ! [ -e $SYSFS/block/$MDEV ] || [ TYPE="vfat" ]; then
- symlink_action $MDEV usbdisk
- fi
- ;;
- esac
-fi
-
diff --git a/aports/busybox/udhcpd.confd b/aports/busybox/udhcpd.confd
new file mode 100644
index 0000000..69aaec3
--- /dev/null
+++ b/aports/busybox/udhcpd.confd
@@ -0,0 +1 @@
+UDHCPD_OPTS="-S /tmp/udhcpd.conf"
diff --git a/aports/hostapd/0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch b/aports/hostapd/0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch
new file mode 100644
index 0000000..97d6e04
--- /dev/null
+++ b/aports/hostapd/0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch
@@ -0,0 +1,30 @@
+From 6ff8bda992463a8c0dc34ee18820ca56cf9cccc0 Mon Sep 17 00:00:00 2001
+From: Yegor Yefremov <yegorslists@googlemail.com>
+Date: Wed, 30 Mar 2022 10:11:16 +0200
+Subject: [PATCH] hostapd: Add the missing CONFIG_SAE option to the defconfig
+
+CONFIG_SAE was added to wpa_supplicant's defconfig but wasn't
+added to the hostapd's defconfig file.
+
+Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
+---
+ hostapd/defconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hostapd/defconfig b/hostapd/defconfig
+index 6b50b6c59..611f96ffa 100644
+--- a/hostapd/defconfig
++++ b/hostapd/defconfig
+@@ -161,6 +161,9 @@ CONFIG_IPV6=y
+ # final IEEE 802.11ax version.
+ #CONFIG_IEEE80211AX=y
+
++# Simultaneous Authentication of Equals (SAE), WPA3-Personal
++#CONFIG_SAE=y
++
+ # Remove debugging code that is printing out debug messages to stdout.
+ # This can be used to reduce the size of the hostapd considerably if debugging
+ # code is not needed.
+--
+2.30.2
+
diff --git a/aports/hostapd/APKBUILD b/aports/hostapd/APKBUILD
index 12d4224..3e767b9 100644
--- a/aports/hostapd/APKBUILD
+++ b/aports/hostapd/APKBUILD
@@ -1,18 +1,20 @@
# Maintainer: Gabor Pali <pali.gabor@gmail.com>
pkgname=hostapd
pkgver=2.10
-pkgrel=1 # base: 1
+pkgrel=2 # base: 5
pkgdesc="daemon for wireless software access points"
url="https://w1.fi/hostapd/"
arch="all"
license="BSD-3-Clause"
-makedepends="openssl1.1-compat-dev libnl3-dev linux-headers"
+makedepends="openssl-dev>3 libnl3-dev linux-headers"
subpackages=
source="https://w1.fi/releases/hostapd-$pkgver.tar.gz
$pkgname.initd
$pkgname.confd
+ 0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch
"
options="!check" #no testsuite
+patch_args="-p2"
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
@@ -40,46 +42,51 @@ builddir="$srcdir"/$pkgname-$pkgver/hostapd
# - CVE-2017-13088
prepare() {
- cd "$builddir"
+ default_prepare
+
sed -i -e "s:/etc/hostapd:/etc/hostapd/hostapd:g" \
hostapd.conf
# toolchain setup
- sed \
- -e '/^#CONFIG_DRIVER_NL80211=y/s/^#//' \
- -e '/^#CONFIG_RADIUS_SERVER=y/s/^#//' \
- -e '/^#CONFIG_DRIVER_WIRED=y/s/^#//' \
- -e '/^#CONFIG_DRIVER_NONE=y/s/^#//' \
- -e '/^#CONFIG_IEEE80211N=y/s/^#//' \
- -e '/^#CONFIG_IEEE80211R=y/s/^#//' \
- -e '/^#CONFIG_IEEE80211AC=y/s/^#//' \
- -e '/^#CONFIG_IEEE80211AX=y/s/^#//' \
- -e '/^#CONFIG_FULL_DYNAMIC_VLAN=y/s/^#//' \
- -e '/^#CONFIG_LIBNL32=y/s/^#//' \
- -e '/^#CONFIG_ACS=y/s/^#//' \
- -e '/^#CONFIG_WEP=y/s/^#//' \
- defconfig >> .config
- echo "CC ?= ${CC:-gcc}" >> .config
- echo "CFLAGS += -I/usr/include/libnl3" >> .config
- echo "LIBS += -L/usr/lib" >> .config
+ {
+ sed \
+ -e '/^#CONFIG_DRIVER_NL80211=y/s/^#//' \
+ -e '/^#CONFIG_RADIUS_SERVER=y/s/^#//' \
+ -e '/^#CONFIG_DRIVER_WIRED=y/s/^#//' \
+ -e '/^#CONFIG_DRIVER_NONE=y/s/^#//' \
+ -e '/^#CONFIG_IEEE80211N=y/s/^#//' \
+ -e '/^#CONFIG_IEEE80211R=y/s/^#//' \
+ -e '/^#CONFIG_IEEE80211AC=y/s/^#//' \
+ -e '/^#CONFIG_IEEE80211AX=y/s/^#//' \
+ -e '/^#CONFIG_FULL_DYNAMIC_VLAN=y/s/^#//' \
+ -e '/^#CONFIG_LIBNL32=y/s/^#//' \
+ -e '/^#CONFIG_ACS=y/s/^#//' \
+ -e '/^#CONFIG_WEP=y/s/^#//' \
+ defconfig
+
+ echo "CC ?= ${CC:-gcc}"
+ echo "CFLAGS += -I/usr/include/libnl3"
+ echo "LIBS += -L/usr/lib"
+ } >> .config
}
build() {
- cd "$builddir"
+ export CFLAGS="$CFLAGS -flto=auto"
+
make
}
package() {
- cd "$builddir"
-
- install -Dm755 hostapd "$pkgdir"/usr/sbin/hostapd \
- && install -Dm755 "$srcdir"/hostapd.initd \
- "$pkgdir"/etc/init.d/hostapd \
- && install -Dm644 "$srcdir"/hostapd.confd \
- "$pkgdir"/etc/conf.d/hostapd
+ install -Dm755 hostapd \
+ -t "$pkgdir"/usr/sbin/
+ install -Dm755 "$srcdir"/hostapd.initd \
+ "$pkgdir"/etc/init.d/hostapd
+ install -Dm644 "$srcdir"/hostapd.confd \
+ "$pkgdir"/etc/conf.d/hostapd
}
sha512sums="
243baa82d621f859d2507d8d5beb0ebda15a75548a62451dc9bca42717dcc8607adac49b354919a41d8257d16d07ac7268203a79750db0cfb34b51f80ff1ce8f hostapd-2.10.tar.gz
-b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
-0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd
+adeca34c6254ac6fccd84e6f08f8c394225e1b89e2c8771b46da5c85fe3fdabc568628530c39da3ab30b72e98891b07bbdb63f74217e79d6afb9796715d822f1 hostapd.initd
+95a80f5ceafd70da3d11207e591300d0e4f03d48724147cf3572420b177d50687524b715fe2001d826020e8b28959fa8c7b8334a5cbbfeec7c82d1db9a0b333a hostapd.confd
+7cde99c431f1cf746473ae53c3009735c2a718e7038c3bc1629fc45ca85a191d799e975960da96e3cf14a56389ba06eee78453a9dd457941d6af758b730cbd05 0001-hostapd-Add-the-missing-CONFIG_SAE-option-to-the-def.patch
"
diff --git a/aports/hostapd/hostapd.confd b/aports/hostapd/hostapd.confd
index 6038115..2260629 100644
--- a/aports/hostapd/hostapd.confd
+++ b/aports/hostapd/hostapd.confd
@@ -1,5 +1,4 @@
-# Space separated list of configuration files
-CONFIGS="/etc/hostapd/hostapd.conf"
-
-# Extra options to pass to hostapd, see hostapd(8)
-OPTIONS=""
+cfgfile="/etc/hostapd/hostapd.conf"
+command_args=""
+# Uncomment to run with process supervisor.
+# supervisor="supervise-daemon"
diff --git a/aports/hostapd/hostapd.initd b/aports/hostapd/hostapd.initd
index 7813fd1..a7b6033 100644
--- a/aports/hostapd/hostapd.initd
+++ b/aports/hostapd/hostapd.initd
@@ -1,46 +1,34 @@
#!/sbin/openrc-run
-# Copyright 1999-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-wireless/hostapd/files/hostapd-0.6.9-init.d,v 1.2 2009/05/17 10:18:18 gurligebis Exp $
+
+name="hostapd"
+description="User space daemon for access point and authentication servers"
extra_started_commands="reload"
+# $CONFIGS and $OPTIONS are deprecated since Alpine v3.17.
+# NOTE: cfgfile can contain more than one file path in this case.
+: ${cfgfile:=${CONFIGS:-"/etc/hostapd/hostapd.conf"}}
+
+command="/usr/sbin/hostapd"
+command_args="${command_args:-$OPTIONS} $cfgfile"
+command_background="yes"
+pidfile="/run/$RC_SVCNAME.pid"
+
+required_files="$cfgfile"
+
depend() {
need net
after firewall
use logger
}
-checkconfig() {
- local file
-
- for file in ${CONFIGS}; do
- if [ ! -r "${file}" ]; then
- eerror "hostapd configuration file (${CONFIG}) not found"
- return 1
- fi
- done
-}
-
-start() {
- checkconfig || return 1
-
- ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --exec /usr/sbin/hostapd \
- -- -B ${OPTIONS} ${CONFIGS}
- eend $?
-}
-
-stop() {
- ebegin "Stopping ${SVCNAME}"
- start-stop-daemon --stop --exec /usr/sbin/hostapd
- eend $?
-}
-
reload() {
- checkconfig || return 1
+ ebegin "Reloading $name configuration"
- ebegin "Reloading ${SVCNAME} configuration"
- kill -HUP $(pidof /usr/sbin/hostapd) > /dev/null 2>&1
+ if [ "$supervisor" ]; then
+ $supervisor "$RC_SVCNAME" --signal HUP
+ else
+ start-stop-daemon --signal HUP --pidfile "$pidfile"
+ fi
eend $?
}
diff --git a/aports/iptables/APKBUILD b/aports/iptables/APKBUILD
index 4dc6dc6..f6ed3cc 100644
--- a/aports/iptables/APKBUILD
+++ b/aports/iptables/APKBUILD
@@ -2,7 +2,7 @@
pkgname=iptables
pkgver=1.8.8
-pkgrel=0 # base: 1
+pkgrel=0 # base: 2
pkgdesc="Linux kernel firewall, NAT and packet mangling tools"
url="https://www.netfilter.org/projects/iptables/index.html"
arch="all"
diff --git a/aports/linux-lts/APKBUILD b/aports/linux-lts/APKBUILD
index 1884f92..cdcdcd5 100644
--- a/aports/linux-lts/APKBUILD
+++ b/aports/linux-lts/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Gabor Pali <pali.gabor@gmail.com>
pkgname=linux-lts
-pkgver=5.15.68
+pkgver=5.15.85
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -162,7 +162,7 @@ _dev() {
sha512sums="
d25ad40b5bcd6a4c6042fd0fd84e196e7a58024734c3e9a484fd0d5d54a0c1d87db8a3c784eff55e43b6f021709dc685eb0efa18d2aec327e4f88a79f405705a linux-5.15.tar.xz
-d88b8df06cc3aa02b94071fbcd980c85709235e6776031c06324db961e421554998a3242db0efe65bc989b63e8933b42137392bb11b7b5c4e9e851e64959bf9a config-lts.x86_64
+94cda531cdfc6337a19cde9888a2fde07b478756ddbd78039bde93e74e1677b2272995119b6f037f5b7a39305a41483d12b89933fce61f120c5f864b5d92d74c config-lts.x86_64
65504e60731f7254079caa997cd44585f8b9608aa66e0879e677872f89b91aa77b67f28617eddef7fe9932a73a5942466c12c733432405ee7e42944daadef6d4 0001-mt76-mt7921-add-support-for-PCIe-ID-0x0608.patch
-2c499cd943c2e018fea2d2e776e058e5e7ad6ab97ecc657df271d05ad4e1364c79d4c32d487d0039e7e37079858ccda3a0541f8d24f9e78f60071158e2794ef4 patch-5.15.68.xz
+aa7d75ab949a266495391728a93096e30d0579ec490ee97b3a5f7cb4ef4268c17fbc3ba337a289e14c3bebc7e7be4dc7656abe86abc3cb8d691e2d5f21a480b5 patch-5.15.85.xz
"
diff --git a/aports/linux-lts/config-lts.x86_64 b/aports/linux-lts/config-lts.x86_64
index 009d779..352db0c 100644
--- a/aports/linux-lts/config-lts.x86_64
+++ b/aports/linux-lts/config-lts.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.68 Kernel Configuration
+# Linux/x86_64 5.15.85 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (Alpine 10.3.1_git20211027) 10.3.1 20211027"
CONFIG_CC_IS_GCC=y
@@ -382,7 +382,10 @@ CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
# Power management and ACPI options
#
# CONFIG_SUSPEND is not set
-# CONFIG_PM is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_PM_CLK=y
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
CONFIG_ARCH_SUPPORTS_ACPI=y
CONFIG_ACPI=y
CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
@@ -609,6 +612,7 @@ CONFIG_EFI_PARTITION=y
CONFIG_BLK_MQ_PCI=y
CONFIG_BLK_MQ_VIRTIO=y
+CONFIG_BLK_PM=y
#
# IO Schedulers
@@ -745,6 +749,7 @@ CONFIG_SYN_COOKIES=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
+CONFIG_INET_TABLE_PERTURB_ORDER=16
CONFIG_INET_TUNNEL=y
# CONFIG_INET_DIAG is not set
CONFIG_TCP_CONG_ADVANCED=y
@@ -1081,6 +1086,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
# CONFIG_PCIEASPM_PERFORMANCE is not set
+CONFIG_PCIE_PME=y
# CONFIG_PCIE_PTM is not set
CONFIG_PCI_MSI=y
CONFIG_PCI_MSI_IRQ_DOMAIN=y
@@ -1442,6 +1448,7 @@ CONFIG_ATH9K_PCI=y
# CONFIG_ATH9K_AHB is not set
# CONFIG_ATH9K_DEBUGFS is not set
# CONFIG_ATH9K_DYNACK is not set
+# CONFIG_ATH9K_WOW is not set
CONFIG_ATH9K_RFKILL=y
# CONFIG_ATH9K_CHANNEL_CONTEXT is not set
CONFIG_ATH9K_PCOEM=y
@@ -2884,6 +2891,8 @@ CONFIG_SYMBOLIC_ERRNAME=y
CONFIG_DEBUG_BUGVERBOSE=y
# end of printk and dmesg options
+CONFIG_AS_HAS_NON_CONST_LEB128=y
+
#
# Compile-time checks and compiler options
#
diff --git a/aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch b/aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch
index 3d41060..c2b4f02 100644
--- a/aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch
+++ b/aports/openrc/0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch
@@ -1,14 +1,19 @@
-From 78245081fe109ed7777b79ba9c99890d56c21272 Mon Sep 17 00:00:00 2001
+From 908f77d4f1930c1ac0be036d3d2e10ff15f84fbf Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Wed, 1 Feb 2017 04:04:52 +0000
Subject: [PATCH] call /sbin/mkmntdirs in localmount OpenRC service
---
- init.d/localmount.in | 2 ++
- 1 file changed, 2 insertions(+)
+ init.d/localmount.in | 2 ++
+ src/meson.build | 1 +
+ src/mkmntdirs/meson.build | 5 +++
+ src/mkmntdirs/mkmntdirs.c | 67 +++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 75 insertions(+)
+ create mode 100644 src/mkmntdirs/meson.build
+ create mode 100644 src/mkmntdirs/mkmntdirs.c
diff --git a/init.d/localmount.in b/init.d/localmount.in
-index c571504a..14189396 100644
+index 8a66eb8d..19693b6b 100644
--- a/init.d/localmount.in
+++ b/init.d/localmount.in
@@ -21,6 +21,8 @@ depend()
@@ -20,6 +25,102 @@ index c571504a..14189396 100644
# Mount local filesystems in /etc/fstab.
# The types variable must start with no, and must be a type
local critical= types="noproc" x= no_netdev= rc=
+diff --git a/src/meson.build b/src/meson.build
+index 76f6d8a1..0f640eec 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -12,6 +12,7 @@ subdir('is_newer_than')
+ subdir('is_older_than')
+ subdir('kill_all')
+ subdir('mark_service')
++subdir('mkmntdirs')
+ subdir('mountinfo')
+ subdir('on_ac_power')
+ subdir('openrc')
+diff --git a/src/mkmntdirs/meson.build b/src/mkmntdirs/meson.build
+new file mode 100644
+index 00000000..20f9762d
+--- /dev/null
++++ b/src/mkmntdirs/meson.build
+@@ -0,0 +1,5 @@
++executable('mkmntdirs',
++ ['mkmntdirs.c'],
++ c_args : cc_branding_flags,
++ install: true,
++ install_dir: sbindir)
+diff --git a/src/mkmntdirs/mkmntdirs.c b/src/mkmntdirs/mkmntdirs.c
+new file mode 100644
+index 00000000..eaeae732
+--- /dev/null
++++ b/src/mkmntdirs/mkmntdirs.c
+@@ -0,0 +1,67 @@
++/*
++ * Create mount directories in fstab
++ *
++ * Copyright(c) 2008 Natanael Copa <natanael.copa@gmail.com>
++ * May be distributed under the terms of GPL-2
++ *
++ * usage: mkmntdirs [fstab]
++ *
++ */
++
++#include <sys/stat.h>
++#include <sys/types.h>
++
++#include <err.h>
++#include <mntent.h>
++#include <stdio.h>
++#include <string.h>
++
++
++#ifdef DEBUG
++#define mkdir_recursive(p) puts((p))
++#else
++static void mkdir_recursive(char *path)
++{
++ char *s = path;
++ while (1) {
++ int c = '\0';
++ while (*s) {
++ if (*s == '/') {
++ do {
++ ++s;
++ } while (*s == '/');
++ c = *s; /* Save the current char */
++ *s = '\0'; /* and replace it with nul. */
++ break;
++ }
++ ++s;
++ }
++ mkdir(path, 0755);
++ if (c == '\0')
++ return;
++ *s = c;
++ }
++}
++#endif
++
++int main(int argc, const char *argv[])
++{
++ const char *filename = "/etc/fstab";
++ FILE *f;
++ struct mntent *ent;
++ if (argc == 2)
++ filename = argv[1];
++
++ f = setmntent(filename, "r");
++ if (f == NULL)
++ err(1, "%s", filename);
++
++ while ((ent = getmntent(f)) != NULL) {
++ if (strcmp(ent->mnt_dir, "none") != 0)
++ mkdir_recursive(ent->mnt_dir);
++ }
++
++ endmntent(f);
++ return 0;
++}
++
--
-2.33.1
+2.37.1
diff --git a/aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch b/aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch
index 546ccb7..265a51e 100644
--- a/aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch
+++ b/aports/openrc/0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch
@@ -21,8 +21,8 @@ Fixes issue #54.
diff --git a/src/rc/rc.c b/src/rc/rc.c
index ef46925d..82786074 100644
---- a/src/rc/rc.c
-+++ b/src/rc/rc.c
+--- a/src/openrc/rc.c
++++ b/src/openrc/rc.c
@@ -729,6 +729,7 @@ int main(int argc, char **argv)
const char *bootlevel = NULL;
char *newlevel = NULL;
diff --git a/aports/openrc/0009-dont-overwrite-empty-supervise_daemon_args.patch b/aports/openrc/0009-dont-overwrite-empty-supervise_daemon_args.patch
new file mode 100644
index 0000000..4716d06
--- /dev/null
+++ b/aports/openrc/0009-dont-overwrite-empty-supervise_daemon_args.patch
@@ -0,0 +1,40 @@
+Patch-Source: https://github.com/OpenRC/openrc/pull/558
+--
+From a2f1d65f1646e5f539e986f22964cf078ba58fce Mon Sep 17 00:00:00 2001
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Sun, 6 Nov 2022 02:14:26 +0100
+Subject: [PATCH] supervise-daemon: don't overwrite empty supervise_daemon_args
+
+If supervise_daemon_args is not set *or empty*, it defaults to
+`start_stop_daemon_args`. This is bad because supervise-daemon doesn't
+accept the same options as `start-stop-daemon`. So if we set e.g.
+`start_stop_daemon_args="--wait 50"`, but not `supervise_daemon_args`,
+and the user adds `supervisor=supervise-daemon` to the corresponding
+/etc/conf.d/<service> file, the service will fail to start due to
+unrecognized option "wait".
+
+It would be best to remove this fallback, but that might break some
+existing scripts that depend on it. So this commit just changes it to
+use `start_stop_daemon_args` as the default for `supervise_daemon_args`
+only if `supervise_daemon_args` is not set at all, but not if it's
+empty.
+
+This at least simplifies workarounds; we can just add
+`supervise_daemon_args="$supervise_daemon_args"` to init scripts.
+---
+ sh/supervise-daemon.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sh/supervise-daemon.sh b/sh/supervise-daemon.sh
+index 8d2d6faff..8eb98a17a 100644
+--- a/sh/supervise-daemon.sh
++++ b/sh/supervise-daemon.sh
+@@ -41,7 +41,7 @@ supervise_start()
+ ${no_new_privs:+--no_new_privs} \
+ ${command_user+--user} $command_user \
+ ${umask+--umask} $umask \
+- ${supervise_daemon_args:-${start_stop_daemon_args}} \
++ ${supervise_daemon_args-${start_stop_daemon_args}} \
+ $command \
+ -- $command_args $command_args_foreground
+ rc=$?
diff --git a/aports/openrc/0009-fix-bootmisc-mv-error.patch b/aports/openrc/0009-fix-bootmisc-mv-error.patch
deleted file mode 100644
index e87f9bb..0000000
--- a/aports/openrc/0009-fix-bootmisc-mv-error.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Dermot Bradley <dermot_bradley@yahoo.com>
-Date: Sat, 29 Jan 2022 19:28 +0000
-Subject: prevent a bootmisc trying to move a nonexistant file
-
-During boot if the "previous_dmesg" setting is enabled in
-/etc/conf.d/bootmisc then during the 1st boot of a machine the
-bootmisc init.d script will attempt to move a nonexistant dmesg
-file, so generating an error on the console.
-
-Modify the script to only move an existing file.
-
-Upstream has merged this as PR 496 so it will be in the next release.
-
----
-
-diff -aur a/init.d/bootmisc.in b/init.d/bootmisc.in
---- a/init.d/bootmisc.in
-+++ b/init.d/bootmisc.in
-@@ -226,7 +226,7 @@
- case "$RC_SYS" in
- VSERVER|OPENVZ|LXC|SYSTEMD-NSPAWN) ;;
- *)
-- if yesno ${previous_dmesg:-no}; then
-+ if yesno ${previous_dmesg:-no} && [ -e /var/log/dmesg ]; then
- mv /var/log/dmesg /var/log/dmesg.old
- fi
- dmesg > /var/log/dmesg
diff --git a/aports/openrc/0010-noexec-devfs.patch b/aports/openrc/0010-noexec-devfs.patch
deleted file mode 100644
index 9a8928c..0000000
--- a/aports/openrc/0010-noexec-devfs.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/init.d/devfs.in
-+++ b/init.d/devfs.in
-@@ -24,8 +24,9 @@ mount_dev()
- action=--mount
- conf_d_dir="${RC_SERVICE%/*/*}/conf.d"
- msg=Mounting
-- # Some devices require exec, Bug #92921
-- mountopts="exec,nosuid,mode=0755"
-+ # Some devices require exec, https://bugs.gentoo.org/92921
-+ # Users with such requirements can use an fstab entry for /dev
-+ mountopts="noexec,nosuid,mode=0755"
- if yesno ${skip_mount_dev:-no} ; then
- einfo "/dev will not be mounted due to user request"
- return 0
diff --git a/aports/openrc/APKBUILD b/aports/openrc/APKBUILD
index daff08b..c0289bd 100644
--- a/aports/openrc/APKBUILD
+++ b/aports/openrc/APKBUILD
@@ -1,18 +1,18 @@
# Maintainer: Gabor Pali <pali.gabor@gmail.com>
pkgname=openrc
-pkgver=0.44.10
+pkgver=0.45.2
pkgrel=0 # base: 7
pkgdesc="OpenRC manages the services, startup and shutdown of a host"
url="https://github.com/OpenRC/openrc"
arch="all"
license="BSD-2-Clause"
depends="ifupdown-any"
-makedepends="bsd-compat-headers linux-headers meson"
+makedepends_host="bsd-compat-headers libcap-dev linux-headers"
+makedepends_build="meson"
checkdepends=
subpackages=
install=
source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgver.tar.gz
-
0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch
0002-fsck-don-t-add-C0-to-busybox-fsck.patch
0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch
@@ -21,9 +21,12 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/OpenRC/openrc/archive/$pkgve
0006-Add-support-for-starting-services-in-a-specified-VRF.patch
0007-Clean-up-staticroute-config-remove-irrelevant-parts-.patch
0008-bootmisc-switch-wipe_tmp-setting-to-no-by-default.patch
- 0009-fix-bootmisc-mv-error.patch
- 0010-noexec-devfs.patch
- seedrng.patch
+ 0009-dont-overwrite-empty-supervise_daemon_args.patch
+ $pkgname-grep-3.8.patch::https://github.com/OpenRC/openrc/commit/9380347f042f7d294317f4420b648422817eb75a.patch
+
+ remount-root.patch
+ supervise-daemon-defaults.patch
+
openrc.logrotate
hostname.initd
hwdrivers.initd
@@ -46,8 +49,8 @@ prepare() {
# meson overrides this with the aports tag,
# we get there first :)
sed -i -e "s|@VCS_TAG@|$pkgver|" \
- src/common/version.h.in \
- src/common/version.in
+ src/shared/version.h.in \
+ src/shared/version.in
}
@@ -123,21 +126,22 @@ package() {
}
sha512sums="
-0e41f5268c6b8c325a6773511ca58c38ba52a1987aa47165794df8a99359bd1bfcb99d30e0d129b9242a2661663234f6f85c92c55c891dbb6c5b8a11d93edea4 openrc-0.44.10.tar.gz
-6085d127f7385eb86a00676a263c8613748fb0cbbf064bc908d346a1b368e226d8a3014e871d281f57d334a70ec1301269fe431e085f0e907b4f6ef8a99bf07f 0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch
+ca2958772240f6e5037e39db1ee62a81091a2efa654da967f68e03a721868c6c0a41d32a2bddf55c8eadbc9bf5837b710cc2e4564844a7fbc0e585366da4fdf9 openrc-0.45.2.tar.gz
+257861f5f0562e9b9a9fccebae474bd75c4bb51f005a2b8132fd551f061f65863de46c5bc4437f137b4a9d3ca741f9de9274bfa7b418eda70497ed4b5fd3056d 0001-call-sbin-mkmntdirs-in-localmount-OpenRC-service.patch
3f47b4f7e6c5b7fb53ff8a13470fbada67f7470e5eba71a683e6c022162c3905f560d561c3d61698e3fde367d6ae715edf76e99949f52a22a3bbf79debc33f64 0002-fsck-don-t-add-C0-to-busybox-fsck.patch
-61c72be18283108163bde4349616e55adb535bd34312ee09f90fcd85277ffe17dcef792bbf465877c0d8b1fec87a3836f714d8d849a9cf322902a89bc1256e13 0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch
+0bd69d9e8e9c321a5e67cf924be07b9dd0b58801143c18f74bebf442958fc878e46a65f07cc2842566a8c3434e788ef3ca0c90c607de6b10931f01324bfc1b11 0003-rc-pull-in-sysinit-and-boot-as-stacked-levels-when-n.patch
71a743bf969110a27259405ef4b4dc4fad608b8e49039fd6afb1b1486d0f1dfccc3ef5275410fa3d6d1554ccee59c5a3424be4f2919e14453ebb709282c588a7 0004-make-consolefont-service-compatible-with-busyboxs-se.patch
9e2ae6c8e189ceae0f3f2662d9504f796e9a6a987a26ee2e10add85746b6596eb04cc256dc532a39f711b4e1aa07f1d12a384ef45d23cab49878b887bf0a878c 0005-Support-early-loading-of-keymap-if-kbd-is-installed.patch
8bf00b82d7fc0eb1b529ec735009f91d277141ba7e5c04e23d10bbcf36eb453f0b31d48aec45e50b5be4c14f611acc4454933f3cefdf8beab07d851328223464 0006-Add-support-for-starting-services-in-a-specified-VRF.patch
431ac28808e684bea5511386bf5f06efe7f509f1dbe7e15ae6309563d813deae8f3edd872a0943ef8088e3cf778d7bc5ebd15a893dc4a08f4022b7a56bbafc63 0007-Clean-up-staticroute-config-remove-irrelevant-parts-.patch
475f4ea63b9b5d7eb9c623e96b6cc3d3072abcb7194d0045b84e0688836c8514fccfc68b0eae0b4bee60878cdea8042c3ce7e48406ee7a2f0e4a3e128a153468 0008-bootmisc-switch-wipe_tmp-setting-to-no-by-default.patch
-354b2df343ddf82aedba104039bbdb1dd5fdd9c4abac52f89e881341443b73fcf000ed9e8b88e9610f1c3218cb89722ff6a774e1ef2f7fe71fa6ff62b75f572b 0009-fix-bootmisc-mv-error.patch
-0535d7837ae0c695f25208199f4dec3a4031558366da346a8a1dd13c0fa2a044f14088b75eca37ce0f4a681e85c82b84aac3d65aac9176639e82b33a9355cb2a 0010-noexec-devfs.patch
-715af2188cf4d1ed42f75b31ad718f5c533ea6f8cfc3c5df0fd7fc4240cd342dc637b7edf358c5da1e77d700618adaa7927ddaeae60698dd9f130dd64d83d8d5 seedrng.patch
+7bdd5e97186fd9c9d17d3d9a19e16f8432e0abc27b067d2191c8038d3c32c5502ee0b5b6d539bc3550400cba63b6bccfcca05a7a3b95e352ea692b6a1be8000e 0009-dont-overwrite-empty-supervise_daemon_args.patch
+0a19a00af670e38742cea8e7f59a8ef329cc2fe7f57582ce8dcd0bfb90f7b5116cc0e64a6138f56c1c20c35354f835d1638bd14d6d2ebef2e5b4332a12ec8021 openrc-grep-3.8.patch
+5e60f2ea652349d716646ccf05b13a510e5797daafc5e491dd35cc3850c543a7e7499a70956f91f30702c524989386d6e08735d7ad9b7bda5ff0c2c249d52cf8 remount-root.patch
+1323a8476580f7b56a9cf1b24b26b10da76c5916cf23d7dab01f08a3261751341dfe01d1ed884df8e6ea17ff6a52021cc40fb3101e99b77d4ae7f3f61ee330e8 supervise-daemon-defaults.patch
12bb6354e808fbf47bbab963de55ee7901738b4a912659982c57ef2777fff9a670e867fcb8ec316a76b151032c92dc89a950d7d1d835ef53f753a8f3b41d2cec openrc.logrotate
493f27d588e64bb2bb542b32493ed05873f4724e8ad1751002982d7b4e07963cfb72f93603b2d678f305177cf9556d408a87b793744c6b7cd46cf9be4b744c02 hostname.initd
-c06eac7264f6cc6888563feeae5ca745aae538323077903de1b19102e4f16baa34c18b8c27af5dd5423e7670834e2261e9aa55f2b1ec8d8fdc2be105fe894d55 hwdrivers.initd
+787d783f91919c115809890f18d06d0812055f0aca42378e081d2cfbe2ff20a1db8d937b823ec4adbe0d380a6f02a2310dc74f6c3a2c36fd5d5371d51ad6d459 hwdrivers.initd
7113c930f7f5fb5b345b115db175f8e5837e3541b3e022d5cecf1b59067ed4b40b2adea2324a008035b97d653311217ac5cf961b4d0fc8b714a8b2505883cdc6 modules.initd
61857beb0ce1b462ff4bde595ee3808d12b1c51935e6a6bc263bf26a4adc99b434676277e270d82ed2886ceb9c82cb2a5604887bc25fef20bec223097c4d0ee4 modloop.initd
80e43ded522e2d48b876131c7c9997debd43f3790e0985801a8c1dd60bc6e09f625b35a127bf225eb45a65eec7808a50d1c08a5e8abceafc61726211e061e0a2 modloop.confd
diff --git a/aports/openrc/hwdrivers.initd b/aports/openrc/hwdrivers.initd
index 80184c9..c713990 100644
--- a/aports/openrc/hwdrivers.initd
+++ b/aports/openrc/hwdrivers.initd
@@ -16,10 +16,10 @@ start() {
fi
ebegin "Loading hardware drivers"
- find /sys -name modalias -type f -print0 | xargs -0 sort -u \
+ find /sys -name modalias -type f -print0 2> /dev/null | xargs -0 sort -u \
| xargs modprobe -b -a 2> /dev/null
# we run it twice so we detect all devices
- find /sys -name modalias -type f -print0 | xargs -0 sort -u \
+ find /sys -name modalias -type f -print0 2> /dev/null | xargs -0 sort -u \
| xargs modprobe -b -a 2> /dev/null
# check if framebuffer drivers got pulled in
diff --git a/aports/openrc/remount-root.patch b/aports/openrc/remount-root.patch
new file mode 100644
index 0000000..ae4f5b6
--- /dev/null
+++ b/aports/openrc/remount-root.patch
@@ -0,0 +1,42 @@
+From 489413c913af0708e9cfad987d6b3385d904e1ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net>
+Date: Mon, 20 Jun 2022 19:04:49 +0200
+Subject: [PATCH] init.d/root: also remount / with options provided in
+ /etc/fstab
+
+Without this commit, the root OpenRC service remounts all mounted
+filesystems (except /) with the options defined in /etc/fstab via
+fstabinfo. It is presently unclear to me why / was excluded from
+remounting in 497ff7ee41168d863971efb52e2ca6b42f765832 and unfortunately
+neither the commit nor the associated Bugzilla issue [1] provides
+further information on this.
+
+At Alpine, our initramfs does currently not remount / with all options
+defined in /etc/fstab [2]. As part of the discussion on the Alpine side
+of things we wondered why OpenRC does not remount / since this would be
+the easier solution for us. For this reason, this commit changes the
+behavior of the OpenRC root services accordingly to also remount / with
+the options defined in /etc/fstab.
+
+[1]: https://bugs.gentoo.org/401573
+[2]: https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/103
+This fixes #533.
+---
+ init.d/root.in | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/init.d/root.in b/init.d/root.in
+index 045bcd0f..2f7d82f2 100644
+--- a/init.d/root.in
++++ b/init.d/root.in
+@@ -49,9 +49,7 @@ start()
+ local mountpoint
+ for mountpoint in $(fstabinfo); do
+ case "${mountpoint}" in
+- /)
+- ;;
+- /*)
++ /*) # Don't remount swap etc.
+ mountinfo -q "${mountpoint}" && \
+ fstabinfo --remount "${mountpoint}"
+ ;;
diff --git a/aports/openrc/seedrng.patch b/aports/openrc/seedrng.patch
deleted file mode 100644
index ff61d81..0000000
--- a/aports/openrc/seedrng.patch
+++ /dev/null
@@ -1,640 +0,0 @@
-From 076c2552aeff88a27fe275dfaae61dedf4bb4bd5 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Thu, 24 Mar 2022 22:07:16 -0600
-Subject: [PATCH] Use seedrng for seeding the random number generator
-
-The RNG can't actually be seeded from a shell script, due to the
-reliance on ioctls. For this reason, the seedrng project provides a
-basic script meant to be copy and pasted into projects like OpenRC and
-tweaked as needed: https://git.zx2c4.com/seedrng/about/
-
-This commit imports it into OpenRC and wires up /etc/init.d/urandom to
-call it. It shouldn't be called by other things on the system, so it
-lives in rc_sbindir.
-
-Closes #506.
-Closes #507.
-
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
----
- AUTHORS | 1 +
- conf.d/urandom | 9 +-
- init.d/urandom.in | 41 ++--
- src/rc/Makefile | 6 +-
- src/rc/meson.build | 10 +-
- src/rc/seedrng.c | 453 +++++++++++++++++++++++++++++++++++++++++++++
- 6 files changed, 499 insertions(+), 21 deletions(-)
- create mode 100644 src/rc/seedrng.c
-
-diff --git a/AUTHORS b/AUTHORS
-index 0616d5175..ede0f471b 100644
---- a/AUTHORS
-+++ b/AUTHORS
-@@ -43,6 +43,7 @@ Ian Stakenvicius <axs@gentoo.org>
- Jakob Drexel <jake42@rommel.stw.uni-erlangen.de>
- James Le Cuirot <chewi@aura-online.co.uk>
- Jan Psota <jasiu@belsznica.pl>
-+Jason A. Donenfeld <Jason@zx2c4.com>
- Jason Zaman <jason@perfinion.com>
- Joe Harvell <jharvell@dogpad.net>
- Joe M <joe9mail@gmail.com>
-diff --git a/conf.d/urandom b/conf.d/urandom
-index f721a2491..744e4f702 100644
---- a/conf.d/urandom
-+++ b/conf.d/urandom
-@@ -2,4 +2,11 @@
- # (say for crypt swap), so you will need to customize this
- # behavior. If you have /var on a separate partition, then
- # make sure this path lives on your root device somewhere.
--urandom_seed="/var/lib/misc/random-seed"
-+seed_dir="/var/lib/seedrng"
-+lock_file="/var/run/seedrng.lock"
-+
-+# Set this to true if you do not want seed files to actually
-+# credit the RNG. Set this if you plan to replicate this
-+# file system image and do not have the wherewithal to first
-+# delete the contents of /var/lib/seedrng.
-+skip_credit="false"
-diff --git a/init.d/urandom.in b/init.d/urandom.in
-index 0d6ab66e0..cda431fdb 100644
---- a/init.d/urandom.in
-+++ b/init.d/urandom.in
-@@ -1,5 +1,5 @@
- #!@SBINDIR@/openrc-run
--# Copyright (c) 2007-2015 The OpenRC Authors.
-+# Copyright (c) 2007-2022 The OpenRC Authors.
- # See the Authors file at the top-level directory of this distribution and
- # https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
- #
-@@ -9,7 +9,10 @@
- # This file may not be copied, modified, propagated, or distributed
- # except according to the terms contained in the LICENSE file.
-
--: ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}}
-+export SEEDRNG_SEED_DIR="${seed_dir:-/var/lib/seedrng}"
-+export SEEDRNG_LOCK_FILE="${lock_file:-/var/run/seedrng.lock}"
-+export SEEDRNG_SKIP_CREDIT="${skip_credit:-false}"
-+: ${urandom_seed:=${SEEDRNG_SEED_DIR}/../misc/random-seed}
- description="Initializes the random number generator."
-
- depend()
-@@ -21,33 +24,35 @@ depend()
-
- save_seed()
- {
-- local psz=1
--
-- if [ -e /proc/sys/kernel/random/poolsize ]; then
-- : $(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 ))
-- fi
--
- ( # sub shell to prevent umask pollution
- umask 077
-- dd if=/dev/urandom of="$urandom_seed" count=${psz} 2>/dev/null
-+ dd if=/dev/urandom of="$urandom_seed" count=1 2>/dev/null
- )
- }
-
- start()
- {
-- [ -c /dev/urandom ] || return
-- if [ -f "$urandom_seed" ]; then
-- ebegin "Initializing random number generator"
-- cat "$urandom_seed" > /dev/urandom
-- eend $? "Error initializing random number generator"
-+ if [ "$RC_UNAME" = Linux ]; then
-+ seedrng
-+ else
-+ [ -c /dev/urandom ] || return
-+ if [ -f "$urandom_seed" ]; then
-+ ebegin "Initializing random number generator"
-+ cat "$urandom_seed" > /dev/urandom
-+ eend $? "Error initializing random number generator"
-+ fi
-+ rm -f "$urandom_seed" && save_seed
- fi
-- rm -f "$urandom_seed" && save_seed
- return 0
- }
-
- stop()
- {
-- ebegin "Saving random seed"
-- save_seed
-- eend $? "Failed to save random seed"
-+ if [ "$RC_UNAME" = Linux ]; then
-+ seedrng
-+ else
-+ ebegin "Saving random seed"
-+ save_seed
-+ eend $? "Failed to save random seed"
-+ fi
- }
-diff --git a/src/rc/Makefile b/src/rc/Makefile
-index fd796d920..62539f134 100644
---- a/src/rc/Makefile
-+++ b/src/rc/Makefile
-@@ -15,7 +15,7 @@ endif
-
- ifeq (${OS},Linux)
- SRCS+= kill_all.c openrc-init.c openrc-shutdown.c rc-sysvinit.c broadcast.c \
-- rc-wtmp.c
-+ rc-wtmp.c seedrng.c
- endif
-
- CLEANFILES= version.h rc-selinux.o
-@@ -47,6 +47,7 @@ RC_SBINPROGS= mark_service_starting mark_service_started \
-
- ifeq (${OS},Linux)
- RC_BINPROGS+= kill_all
-+RC_SBINPROGS+= seedrng
- SBINPROGS+= openrc-init openrc-shutdown
- endif
-
-@@ -180,3 +181,6 @@ shell_var: shell_var.o
-
- swclock: swclock.o _usage.o rc-misc.o
- ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD}
-+
-+seedrng: seedrng.o
-+ ${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS} ${CFLAGS} ${LDFLAGS} -o $@ $^ ${LDADD}
-diff --git a/src/rc/meson.build b/src/rc/meson.build
-index 8fdf3ac3b..b724c51f2 100644
---- a/src/rc/meson.build
-+++ b/src/rc/meson.build
-@@ -268,7 +268,15 @@ if os == 'Linux'
- link_with: [libeinfo,librc],
- install: true,
- install_dir: rc_bindir)
-- endif
-+
-+ executable('seedrng',
-+ ['seedrng.c'],
-+ c_args : cc_branding_flags,
-+ include_directories: [incdir, einfo_incdir, rc_incdir],
-+ link_with: [libeinfo, librc],
-+ install: true,
-+ install_dir: rc_sbindir)
-+endif
-
- executable('shell_var',
- ['shell_var.c'],
-diff --git a/src/rc/seedrng.c b/src/rc/seedrng.c
-new file mode 100644
-index 000000000..c1f941457
---- /dev/null
-+++ b/src/rc/seedrng.c
-@@ -0,0 +1,453 @@
-+/*
-+ * seedrng.c
-+ * Seed kernel RNG from seed file, based on code from:
-+ * https://git.zx2c4.com/seedrng/about/
-+ */
-+
-+/*
-+ * Copyright (c) 2022 The OpenRC Authors.
-+ * See the Authors file at the top-level directory of this distribution and
-+ * https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
-+ *
-+ * This file is part of OpenRC. It is subject to the license terms in
-+ * the LICENSE file found in the top-level directory of this
-+ * distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE
-+ * This file may not be copied, modified, propagated, or distributed
-+ * except according to the terms contained in the LICENSE file.
-+ */
-+
-+#include <linux/random.h>
-+#include <sys/random.h>
-+#include <sys/ioctl.h>
-+#include <sys/file.h>
-+#include <sys/stat.h>
-+#include <sys/types.h>
-+#include <fcntl.h>
-+#include <poll.h>
-+#include <unistd.h>
-+#include <time.h>
-+#include <errno.h>
-+#include <endian.h>
-+#include <stdbool.h>
-+#include <stdint.h>
-+#include <string.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+
-+#include "rc.h"
-+#include "einfo.h"
-+#include "helpers.h"
-+
-+#ifndef GRND_INSECURE
-+#define GRND_INSECURE 0x0004 /* Apparently some headers don't ship with this yet. */
-+#endif
-+
-+static const char *SEED_DIR;
-+static const char *LOCK_FILE;
-+static char *CREDITABLE_SEED;
-+static char *NON_CREDITABLE_SEED;
-+
-+enum blake2s_lengths {
-+ BLAKE2S_BLOCK_LEN = 64,
-+ BLAKE2S_HASH_LEN = 32,
-+ BLAKE2S_KEY_LEN = 32
-+};
-+
-+enum seedrng_lengths {
-+ MAX_SEED_LEN = 512,
-+ MIN_SEED_LEN = BLAKE2S_HASH_LEN
-+};
-+
-+struct blake2s_state {
-+ uint32_t h[8];
-+ uint32_t t[2];
-+ uint32_t f[2];
-+ uint8_t buf[BLAKE2S_BLOCK_LEN];
-+ unsigned int buflen;
-+ unsigned int outlen;
-+};
-+
-+#define le32_to_cpup(a) le32toh(*(a))
-+#define cpu_to_le32(a) htole32(a)
-+#ifndef ARRAY_SIZE
-+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
-+#endif
-+#ifndef DIV_ROUND_UP
-+#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
-+#endif
-+
-+static inline void cpu_to_le32_array(uint32_t *buf, unsigned int words)
-+{
-+ while (words--) {
-+ *buf = cpu_to_le32(*buf);
-+ ++buf;
-+ }
-+}
-+
-+static inline void le32_to_cpu_array(uint32_t *buf, unsigned int words)
-+{
-+ while (words--) {
-+ *buf = le32_to_cpup(buf);
-+ ++buf;
-+ }
-+}
-+
-+static inline uint32_t ror32(uint32_t word, unsigned int shift)
-+{
-+ return (word >> (shift & 31)) | (word << ((-shift) & 31));
-+}
-+
-+static const uint32_t blake2s_iv[8] = {
-+ 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
-+ 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
-+};
-+
-+static const uint8_t blake2s_sigma[10][16] = {
-+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
-+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
-+ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
-+ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
-+ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
-+ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
-+ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
-+ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
-+ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
-+ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
-+};
-+
-+static void blake2s_set_lastblock(struct blake2s_state *state)
-+{
-+ state->f[0] = -1;
-+}
-+
-+static void blake2s_increment_counter(struct blake2s_state *state, const uint32_t inc)
-+{
-+ state->t[0] += inc;
-+ state->t[1] += (state->t[0] < inc);
-+}
-+
-+static void blake2s_init_param(struct blake2s_state *state, const uint32_t param)
-+{
-+ int i;
-+
-+ memset(state, 0, sizeof(*state));
-+ for (i = 0; i < 8; ++i)
-+ state->h[i] = blake2s_iv[i];
-+ state->h[0] ^= param;
-+}
-+
-+static void blake2s_init(struct blake2s_state *state, const size_t outlen)
-+{
-+ blake2s_init_param(state, 0x01010000 | outlen);
-+ state->outlen = outlen;
-+}
-+
-+static void blake2s_compress(struct blake2s_state *state, const uint8_t *block, size_t nblocks, const uint32_t inc)
-+{
-+ uint32_t m[16];
-+ uint32_t v[16];
-+ int i;
-+
-+ while (nblocks > 0) {
-+ blake2s_increment_counter(state, inc);
-+ memcpy(m, block, BLAKE2S_BLOCK_LEN);
-+ le32_to_cpu_array(m, ARRAY_SIZE(m));
-+ memcpy(v, state->h, 32);
-+ v[ 8] = blake2s_iv[0];
-+ v[ 9] = blake2s_iv[1];
-+ v[10] = blake2s_iv[2];
-+ v[11] = blake2s_iv[3];
-+ v[12] = blake2s_iv[4] ^ state->t[0];
-+ v[13] = blake2s_iv[5] ^ state->t[1];
-+ v[14] = blake2s_iv[6] ^ state->f[0];
-+ v[15] = blake2s_iv[7] ^ state->f[1];
-+
-+#define G(r, i, a, b, c, d) do { \
-+ a += b + m[blake2s_sigma[r][2 * i + 0]]; \
-+ d = ror32(d ^ a, 16); \
-+ c += d; \
-+ b = ror32(b ^ c, 12); \
-+ a += b + m[blake2s_sigma[r][2 * i + 1]]; \
-+ d = ror32(d ^ a, 8); \
-+ c += d; \
-+ b = ror32(b ^ c, 7); \
-+} while (0)
-+
-+#define ROUND(r) do { \
-+ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
-+ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
-+ G(r, 2, v[2], v[ 6], v[10], v[14]); \
-+ G(r, 3, v[3], v[ 7], v[11], v[15]); \
-+ G(r, 4, v[0], v[ 5], v[10], v[15]); \
-+ G(r, 5, v[1], v[ 6], v[11], v[12]); \
-+ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
-+ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
-+} while (0)
-+ ROUND(0);
-+ ROUND(1);
-+ ROUND(2);
-+ ROUND(3);
-+ ROUND(4);
-+ ROUND(5);
-+ ROUND(6);
-+ ROUND(7);
-+ ROUND(8);
-+ ROUND(9);
-+
-+#undef G
-+#undef ROUND
-+
-+ for (i = 0; i < 8; ++i)
-+ state->h[i] ^= v[i] ^ v[i + 8];
-+
-+ block += BLAKE2S_BLOCK_LEN;
-+ --nblocks;
-+ }
-+}
-+
-+static void blake2s_update(struct blake2s_state *state, const void *inp, size_t inlen)
-+{
-+ const size_t fill = BLAKE2S_BLOCK_LEN - state->buflen;
-+ const uint8_t *in = inp;
-+
-+ if (!inlen)
-+ return;
-+ if (inlen > fill) {
-+ memcpy(state->buf + state->buflen, in, fill);
-+ blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_LEN);
-+ state->buflen = 0;
-+ in += fill;
-+ inlen -= fill;
-+ }
-+ if (inlen > BLAKE2S_BLOCK_LEN) {
-+ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_LEN);
-+ blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_LEN);
-+ in += BLAKE2S_BLOCK_LEN * (nblocks - 1);
-+ inlen -= BLAKE2S_BLOCK_LEN * (nblocks - 1);
-+ }
-+ memcpy(state->buf + state->buflen, in, inlen);
-+ state->buflen += inlen;
-+}
-+
-+static void blake2s_final(struct blake2s_state *state, uint8_t *out)
-+{
-+ blake2s_set_lastblock(state);
-+ memset(state->buf + state->buflen, 0, BLAKE2S_BLOCK_LEN - state->buflen);
-+ blake2s_compress(state, state->buf, 1, state->buflen);
-+ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
-+ memcpy(out, state->h, state->outlen);
-+}
-+
-+static size_t determine_optimal_seed_len(void)
-+{
-+ size_t ret = 0;
-+ char poolsize_str[11] = { 0 };
-+ int fd = open("/proc/sys/kernel/random/poolsize", O_RDONLY);
-+
-+ if (fd < 0 || read(fd, poolsize_str, sizeof(poolsize_str) - 1) < 0) {
-+ ewarn("Unable to determine pool size, falling back to %u bits: %s", MIN_SEED_LEN * 8, strerror(errno));
-+ ret = MIN_SEED_LEN;
-+ } else
-+ ret = DIV_ROUND_UP(strtoul(poolsize_str, NULL, 10), 8);
-+ if (fd >= 0)
-+ close(fd);
-+ if (ret < MIN_SEED_LEN)
-+ ret = MIN_SEED_LEN;
-+ else if (ret > MAX_SEED_LEN)
-+ ret = MAX_SEED_LEN;
-+ return ret;
-+}
-+
-+static int read_new_seed(uint8_t *seed, size_t len, bool *is_creditable)
-+{
-+ ssize_t ret;
-+ int urandom_fd;
-+
-+ *is_creditable = false;
-+ ret = getrandom(seed, len, GRND_NONBLOCK);
-+ if (ret == (ssize_t)len) {
-+ *is_creditable = true;
-+ return 0;
-+ }
-+ if (ret == -1 && errno == ENOSYS) {
-+ struct pollfd random_fd = {
-+ .fd = open("/dev/random", O_RDONLY),
-+ .events = POLLIN
-+ };
-+ if (random_fd.fd < 0)
-+ return -errno;
-+ *is_creditable = poll(&random_fd, 1, 0) == 1;
-+ close(random_fd.fd);
-+ } else if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len)
-+ return 0;
-+ urandom_fd = open("/dev/urandom", O_RDONLY);
-+ if (urandom_fd < 0)
-+ return -errno;
-+ ret = read(urandom_fd, seed, len);
-+ if (ret == (ssize_t)len)
-+ ret = 0;
-+ else
-+ ret = -errno ? -errno : -EIO;
-+ close(urandom_fd);
-+ return ret;
-+}
-+
-+static int seed_rng(uint8_t *seed, size_t len, bool credit)
-+{
-+ struct {
-+ int entropy_count;
-+ int buf_size;
-+ uint8_t buffer[MAX_SEED_LEN];
-+ } req = {
-+ .entropy_count = credit ? len * 8 : 0,
-+ .buf_size = len
-+ };
-+ int random_fd, ret;
-+
-+ if (len > sizeof(req.buffer))
-+ return -EFBIG;
-+ memcpy(req.buffer, seed, len);
-+
-+ random_fd = open("/dev/random", O_RDWR);
-+ if (random_fd < 0)
-+ return -errno;
-+ ret = ioctl(random_fd, RNDADDENTROPY, &req);
-+ if (ret)
-+ ret = -errno ? -errno : -EIO;
-+ close(random_fd);
-+ return ret;
-+}
-+
-+static int seed_from_file_if_exists(const char *filename, bool credit, struct blake2s_state *hash)
-+{
-+ uint8_t seed[MAX_SEED_LEN];
-+ ssize_t seed_len;
-+ int fd, dfd, ret = 0;
-+
-+ fd = open(filename, O_RDONLY);
-+ if (fd < 0 && errno == ENOENT)
-+ return 0;
-+ else if (fd < 0) {
-+ ret = -errno;
-+ eerror("Unable to open seed file: %s", strerror(errno));
-+ return ret;
-+ }
-+ dfd = open(SEED_DIR, O_DIRECTORY | O_RDONLY);
-+ if (dfd < 0) {
-+ ret = -errno;
-+ close(fd);
-+ eerror("Unable to open seed directory: %s", strerror(errno));
-+ return ret;
-+ }
-+ seed_len = read(fd, seed, sizeof(seed));
-+ if (seed_len < 0) {
-+ ret = -errno;
-+ eerror("Unable to read seed file: %s", strerror(errno));
-+ }
-+ close(fd);
-+ if (ret) {
-+ close(dfd);
-+ return ret;
-+ }
-+ if ((unlink(filename) < 0 || fsync(dfd) < 0) && seed_len) {
-+ ret = -errno;
-+ eerror("Unable to remove seed after reading, so not seeding: %s", strerror(errno));
-+ }
-+ close(dfd);
-+ if (ret)
-+ return ret;
-+ if (!seed_len)
-+ return 0;
-+
-+ blake2s_update(hash, &seed_len, sizeof(seed_len));
-+ blake2s_update(hash, seed, seed_len);
-+
-+ einfo("Seeding %zd bits %s crediting", seed_len * 8, credit ? "and" : "without");
-+ ret = seed_rng(seed, seed_len, credit);
-+ if (ret < 0)
-+ eerror("Unable to seed: %s", strerror(-ret));
-+ return ret;
-+}
-+
-+static void populate_global_paths(void)
-+{
-+ SEED_DIR = getenv("SEEDRNG_SEED_DIR");
-+ if (!SEED_DIR || !*SEED_DIR)
-+ SEED_DIR = "/var/lib/seedrng";
-+ LOCK_FILE = getenv("SEEDRNG_LOCK_FILE");
-+ if (!LOCK_FILE || !*LOCK_FILE)
-+ LOCK_FILE = "/var/run/seedrng.lock";
-+ xasprintf(&CREDITABLE_SEED, "%s/seed.credit", SEED_DIR);
-+ xasprintf(&NON_CREDITABLE_SEED, "%s/seed.no-credit", SEED_DIR);
-+}
-+
-+int main(int argc _unused, char *argv[] _unused)
-+{
-+ static const char seedrng_prefix[] = "SeedRNG v1 Old+New Prefix";
-+ static const char seedrng_failure[] = "SeedRNG v1 No New Seed Failure";
-+ int ret, fd, lock, program_ret = 0;
-+ uint8_t new_seed[MAX_SEED_LEN];
-+ size_t new_seed_len;
-+ bool new_seed_creditable;
-+ struct timespec realtime = { 0 }, boottime = { 0 };
-+ struct blake2s_state hash;
-+
-+ umask(0077);
-+ if (getuid())
-+ eerrorx("This rc helper program requires root");
-+
-+ populate_global_paths();
-+ blake2s_init(&hash, BLAKE2S_HASH_LEN);
-+ blake2s_update(&hash, seedrng_prefix, strlen(seedrng_prefix));
-+ clock_gettime(CLOCK_REALTIME, &realtime);
-+ clock_gettime(CLOCK_BOOTTIME, &boottime);
-+ blake2s_update(&hash, &realtime, sizeof(realtime));
-+ blake2s_update(&hash, &boottime, sizeof(boottime));
-+
-+ if (mkdir(SEED_DIR, 0700) < 0 && errno != EEXIST)
-+ eerrorx("Unable to create \"%s\" directory: %s", SEED_DIR, strerror(errno));
-+
-+ lock = open(LOCK_FILE, O_WRONLY | O_CREAT, 0000);
-+ if (lock < 0 || flock(lock, LOCK_EX) < 0)
-+ eerrorx("Unable to open lock file: %s", strerror(errno));
-+
-+ ret = seed_from_file_if_exists(NON_CREDITABLE_SEED, false, &hash);
-+ if (ret < 0)
-+ program_ret |= 1 << 1;
-+ ret = seed_from_file_if_exists(CREDITABLE_SEED, !rc_yesno(getenv("SEEDRNG_SKIP_CREDIT")), &hash);
-+ if (ret < 0)
-+ program_ret |= 1 << 2;
-+
-+ new_seed_len = determine_optimal_seed_len();
-+ ret = read_new_seed(new_seed, new_seed_len, &new_seed_creditable);
-+ if (ret < 0) {
-+ eerror("Unable to read new seed: %s", strerror(-ret));
-+ new_seed_len = BLAKE2S_HASH_LEN;
-+ strncpy((char *)new_seed, seedrng_failure, new_seed_len);
-+ program_ret |= 1 << 3;
-+ }
-+ blake2s_update(&hash, &new_seed_len, sizeof(new_seed_len));
-+ blake2s_update(&hash, new_seed, new_seed_len);
-+ blake2s_final(&hash, new_seed + new_seed_len - BLAKE2S_HASH_LEN);
-+
-+ einfo("Saving %zu bits of %s seed for next boot", new_seed_len * 8, new_seed_creditable ? "creditable" : "non-creditable");
-+ fd = open(NON_CREDITABLE_SEED, O_WRONLY | O_CREAT | O_TRUNC, 0400);
-+ if (fd < 0) {
-+ eerror("Unable to open seed file for writing: %s", strerror(errno));
-+ program_ret |= 1 << 4;
-+ goto out;
-+ }
-+ if (write(fd, new_seed, new_seed_len) != (ssize_t)new_seed_len || fsync(fd) < 0) {
-+ eerror("Unable to write seed file: %s", strerror(errno));
-+ program_ret |= 1 << 5;
-+ goto out;
-+ }
-+ if (new_seed_creditable && rename(NON_CREDITABLE_SEED, CREDITABLE_SEED) < 0) {
-+ ewarn("Unable to make new seed creditable: %s", strerror(errno));
-+ program_ret |= 1 << 6;
-+ }
-+out:
-+ close(fd);
-+ close(lock);
-+ return program_ret;
-+}
diff --git a/aports/openrc/supervise-daemon-defaults.patch b/aports/openrc/supervise-daemon-defaults.patch
new file mode 100644
index 0000000..53a70bb
--- /dev/null
+++ b/aports/openrc/supervise-daemon-defaults.patch
@@ -0,0 +1,31 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Wed, 16 Nov 2022 01:47:34 +0100
+Subject: [PATCH] Provide more reasonable defaults for supervise-daemon
+
+The vendor's default parameters for the supervise-daemon are unreasonable
+or even unusable for most of the services (empirically found), especially
+respawn_delay=0 (i.e. respawn crashed service immediately).
+
+--- a/etc/rc.conf
++++ b/etc/rc.conf
+@@ -315,3 +315,20 @@
+ # If this is set to no, we do not send sigkill to all processes in the
+ # cgroup.
+ #rc_send_sigkill="YES"
++
++##############################################################################
++# SUPERVISE DAEMON CONFIGURATION VARIABLES
++# These variables sets more reasonable defaults for supervise-daemon(8).
++# They may be overriden on a per service basis.
++
++# Wait this number of seconds before restarting a daemon after it crashes.
++respawn_delay=2
++
++# Sets the maximum number of times a daemon will be respawned during a respawn
++# period. If a daemon dies more than this number of times during a respawn
++# period, supervise-daemon(8) will give up trying to respawn it and exit.
++# 0 means unlimited.
++respawn_max=5
++
++# Sets the length in seconds of a respawn period.
++respawn_period=1800
diff --git a/aports/openrc/test-networking.sh b/aports/openrc/test-networking.sh
deleted file mode 100644
index 5e5f70b..0000000
--- a/aports/openrc/test-networking.sh
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/bin/sh
-
-# unit tests for find_ifaces and find_running_ifaces in networking.initd
-
-cfgfile=/tmp/openrc-test-network.$$
-sourcefile=$cfgfile.source
-sourcedir=$cfgfile.d
-ifstate=$cfgfile.state
-
-cat >$cfgfile<<EOF
-auto eth0
-iface eth0 inet dhcp
-
-source $sourcefile
-
-source-directory $sourcedir
-EOF
-
-cat >$sourcefile<<EOF
-auto eth1
-iface eth1 inet dhcp
-EOF
-
-mkdir -p $sourcedir
-cat >$sourcedir/a<<EOF
-auto eth2
-iface eth2 inet dhcp
-EOF
-
-cat >$ifstate<<EOF
-eth4=eth4 1
-EOF
-
-errors=0
-fail() {
- echo "$@"
- errors=$(( $errors + 1))
-}
-
-# test fallback, when ifquery does not exist
-ifquery=does-not-exist
-. ./networking.initd
-
-find_ifaces | grep -q -w eth0 || fail "Did not find eth0"
-find_ifaces | grep -q -E '(eth1|eth2)' && fail "Unexpectedly found eth1 or eth2"
-
-# test that ifquery finds source and source-directory
-unset ifquery
-. ./networking.initd
-for i in eth0 eth1 eth2; do
- find_ifaces | grep -q -w "$i" || fail "Did not find $i"
-done
-
-# test that ifquery picks up the running state file
-find_running_ifaces | grep -q -w "eth4" || fail "Did not detect eth4 running"
-
-
-# test /etc/init.d/net.eth5
-RC_SVCNAME=net.eth5
-. ./networking.initd
-find_ifaces | grep -q -w "eth5" || fail "Did not detect eth5"
-find_running_ifaces | grep -q -w "eth5" || fail "Did not detect eth5 running"
-
-rm -rf $cfgfile $sourcefile $sourcedir $ifstate
-exit $errors
diff --git a/aports/rtl8821ce/APKBUILD b/aports/rtl8821ce/APKBUILD
index 0b48b5f..e3028a7 100644
--- a/aports/rtl8821ce/APKBUILD
+++ b/aports/rtl8821ce/APKBUILD
@@ -2,7 +2,7 @@
pkgname='rtl8821ce'
pkgver=20220911
-pkgrel=0
+pkgrel=1
_gitrev='50c1b120b06a3b0805e23ca9a4dbd274d74bb305'
pkgdesc='Driver for Realtek 8821CE, an 802.11ac device'
arch="x86_64"
diff --git a/aports/wpa_supplicant/APKBUILD b/aports/wpa_supplicant/APKBUILD
index 5e7e18b..a9da28f 100644
--- a/aports/wpa_supplicant/APKBUILD
+++ b/aports/wpa_supplicant/APKBUILD
@@ -2,18 +2,20 @@
pkgname=wpa_supplicant
pkgver=2.10
-pkgrel=0 # base: 1
+pkgrel=1 # base: 4
pkgdesc="utility providing key negotiation for WPA wireless networks"
url="https://w1.fi/wpa_supplicant/"
arch="all"
options="!check" # has no tests
license="BSD-3-Clause"
subpackages=
-makedepends="linux-headers openssl1.1-compat-dev dbus-dev libnl3-dev pcsc-lite-dev"
+makedepends="linux-headers openssl-dev>3 dbus-dev libnl3-dev pcsc-lite-dev"
source="https://w1.fi/releases/wpa_supplicant-$pkgver.tar.gz
wpa_supplicant.initd
wpa_supplicant.confd
eloop.patch
+ unsafe-renegotiation-1.patch
+ unsafe-renegotiation-2.patch
no-tools.patch
config"
@@ -55,6 +57,7 @@ prepare() {
}
build() {
+ export CFLAGS="$CFLAGS -flto=auto"
cd "$builddir"/wpa_supplicant
make LIBDIR=/lib BINDIR=/sbin
}
@@ -75,6 +78,8 @@ sha512sums="
92c4cbaa9776a354275640c9411d2f547f4c0e00415af4ab30039f1a0be6a11082d49e2514905010f0abcc4a9276353276da9864e3d5f7264a0f0767c8cc9d78 wpa_supplicant.initd
c7e4041fe41743c5e63a07edc9234d0c44c4c0f193a180b27342b43f3be45fb87b42ee0f9e4a20614cf6ad58cf64d25f74d1e75e2e1d521c2f6d45cdc5737eae wpa_supplicant.confd
2be055dd1f7da5a3d8e79c2f2c0220ddd31df309452da18f290144d2112d6dbde0fc633bb2ad02c386a39d7785323acaf5f70e5969995a1e8303a094eb5fe232 eloop.patch
+9528735924faf876a7094de46760605e5e66e265187421a668be06dbf03d7b4db6b84cbad793fcd6bd614e3ba540f82f1f80660d75e8a6070eeb7e9abb54ed28 unsafe-renegotiation-1.patch
+a92ba3ed3f41022a8af9396d2b703ee47f78aa05c1fddb42919a7fe6a6fad71e3515c63457e97e252ae0a32c6c34d67ea6efe0278df1e141cf36e650237e5295 unsafe-renegotiation-2.patch
3278eff7118f9dc9e177adc3ed91cad562a8edde396af8619321ac8552a86e9c7de25212d5578ea17cbe4b6dc928d83cd6e9a7f0d41e07576656e6e9274107d6 no-tools.patch
-0e1af7084026c3b50b3a77636758f1ce3c1004e1e6d7eb71038e42c5c63866e2bbee3b0933b1131b80a6f2f6848983847a017ba2555a3162f0ccd3aa57fcf257 config
+021d7d192b2e8e6bc89457ce4c8ada7eb897b3c4e8202697da44bde4cab49c0424156569c7a04dc58cae26e0e83e5f56421946679629535d0a749cda31f890c5 config
"
diff --git a/aports/wpa_supplicant/CVE-2019-16275.patch b/aports/wpa_supplicant/CVE-2019-16275.patch
deleted file mode 100644
index d764a9d..0000000
--- a/aports/wpa_supplicant/CVE-2019-16275.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Thu, 29 Aug 2019 11:52:04 +0300
-Subject: [PATCH] AP: Silently ignore management frame from unexpected source
- address
-
-Do not process any received Management frames with unexpected/invalid SA
-so that we do not add any state for unexpected STA addresses or end up
-sending out frames to unexpected destination. This prevents unexpected
-sequences where an unprotected frame might end up causing the AP to send
-out a response to another device and that other device processing the
-unexpected response.
-
-In particular, this prevents some potential denial of service cases
-where the unexpected response frame from the AP might result in a
-connected station dropping its association.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/drv_callbacks.c | 13 +++++++++++++
- src/ap/ieee802_11.c | 12 ++++++++++++
- 2 files changed, 25 insertions(+)
-
-diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
-index 31587685fe3b..34ca379edc3d 100644
---- a/src/ap/drv_callbacks.c
-+++ b/src/ap/drv_callbacks.c
-@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
- "hostapd_notif_assoc: Skip event with no address");
- return -1;
- }
-+
-+ if (is_multicast_ether_addr(addr) ||
-+ is_zero_ether_addr(addr) ||
-+ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
-+ /* Do not process any frames with unexpected/invalid SA so that
-+ * we do not add any state for unexpected STA addresses or end
-+ * up sending out frames to unexpected destination. */
-+ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
-+ " in received indication - ignore this indication silently",
-+ __func__, MAC2STR(addr));
-+ return 0;
-+ }
-+
- random_add_randomness(addr, ETH_ALEN);
-
- hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index c85a28db44b7..e7065372e158 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
- fc = le_to_host16(mgmt->frame_control);
- stype = WLAN_FC_GET_STYPE(fc);
-
-+ if (is_multicast_ether_addr(mgmt->sa) ||
-+ is_zero_ether_addr(mgmt->sa) ||
-+ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
-+ /* Do not process any frames with unexpected/invalid SA so that
-+ * we do not add any state for unexpected STA addresses or end
-+ * up sending out frames to unexpected destination. */
-+ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
-+ " in received frame - ignore this frame silently",
-+ MAC2STR(mgmt->sa));
-+ return 0;
-+ }
-+
- if (stype == WLAN_FC_STYPE_BEACON) {
- handle_beacon(hapd, mgmt, len, fi);
- return 1;
---
-2.20.1
-
diff --git a/aports/wpa_supplicant/CVE-2021-0326.patch b/aports/wpa_supplicant/CVE-2021-0326.patch
deleted file mode 100644
index 2ad5f44..0000000
--- a/aports/wpa_supplicant/CVE-2021-0326.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Mon, 9 Nov 2020 11:43:12 +0200
-Subject: P2P: Fix copying of secondary device types for P2P group client
-
-Parsing and copying of WPS secondary device types list was verifying
-that the contents is not too long for the internal maximum in the case
-of WPS messages, but similar validation was missing from the case of P2P
-group information which encodes this information in a different
-attribute. This could result in writing beyond the memory area assigned
-for these entries and corrupting memory within an instance of struct
-p2p_device. This could result in invalid operations and unexpected
-behavior when trying to free pointers from that corrupted memory.
-
-Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
-Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
----
- src/p2p/p2p.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
-index 74b7b52..5cbfc21 100644
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
- dev->info.config_methods = cli->config_methods;
- os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
- dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
-+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
-+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
- os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
- dev->info.wps_sec_dev_type_list_len);
- }
---
-cgit v0.12
-
diff --git a/aports/wpa_supplicant/CVE-2021-27803.patch b/aports/wpa_supplicant/CVE-2021-27803.patch
deleted file mode 100644
index 1942bb3..0000000
--- a/aports/wpa_supplicant/CVE-2021-27803.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Tue, 8 Dec 2020 23:52:50 +0200
-Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
-
-p2p_add_device() may remove the oldest entry if there is no room in the
-peer table for a new peer. This would result in any pointer to that
-removed entry becoming stale. A corner case with an invalid PD Request
-frame could result in such a case ending up using (read+write) freed
-memory. This could only by triggered when the peer table has reached its
-maximum size and the PD Request frame is received from the P2P Device
-Address of the oldest remaining entry and the frame has incorrect P2P
-Device Address in the payload.
-
-Fix this by fetching the dev pointer again after having called
-p2p_add_device() so that the stale pointer cannot be used.
-
-Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
----
- src/p2p/p2p_pd.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
-index 3994ec03f86b..05fd593494ef 100644
---- a/src/p2p/p2p_pd.c
-+++ b/src/p2p/p2p_pd.c
-@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
- goto out;
- }
-
-+ dev = p2p_get_device(p2p, sa);
- if (!dev) {
-- dev = p2p_get_device(p2p, sa);
-- if (!dev) {
-- p2p_dbg(p2p,
-- "Provision Discovery device not found "
-- MACSTR, MAC2STR(sa));
-- goto out;
-- }
-+ p2p_dbg(p2p,
-+ "Provision Discovery device not found "
-+ MACSTR, MAC2STR(sa));
-+ goto out;
- }
- } else if (msg.wfd_subelems) {
- wpabuf_free(dev->info.wfd_subelems);
---
-2.25.1
-
diff --git a/aports/wpa_supplicant/config b/aports/wpa_supplicant/config
index ab425d0..12f711a 100644
--- a/aports/wpa_supplicant/config
+++ b/aports/wpa_supplicant/config
@@ -32,7 +32,7 @@
CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
-#CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
@@ -207,7 +207,7 @@ CONFIG_HT_OVERRIDES=y
CONFIG_VHT_OVERRIDES=y
# Development testing
-CONFIG_EAPOL_TEST=n
+#CONFIG_EAPOL_TEST=y
# Enable IPv6 support in eapol_test.
# See: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12429
@@ -486,7 +486,7 @@ CONFIG_DELAYED_MIC_ERROR_REPORT=y
# Should we attempt to use the getrandom(2) call that provides more reliable
# yet secure randomness source than /dev/random on Linux 3.17 and newer.
# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
-#CONFIG_GETRANDOM=y
+CONFIG_GETRANDOM=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
#CONFIG_IEEE80211N=y
@@ -503,10 +503,10 @@ CONFIG_DELAYED_MIC_ERROR_REPORT=y
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
-#CONFIG_INTERWORKING=y
+CONFIG_INTERWORKING=y
# Hotspot 2.0
-#CONFIG_HS20=y
+CONFIG_HS20=y
# Enable interface matching in wpa_supplicant
#CONFIG_MATCH_IFACE=y
@@ -527,7 +527,7 @@ CONFIG_AP=y
CONFIG_P2P=y
# Enable TDLS support
-#CONFIG_TDLS=y
+CONFIG_TDLS=y
# Wi-Fi Display
# This can be used to enable Wi-Fi Display extensions for P2P using an external
@@ -585,7 +585,7 @@ CONFIG_AUTOSCAN_PERIODIC=y
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
-#CONFIG_ACS=y
+CONFIG_ACS=y
# Support Multi Band Operation
#CONFIG_MBO=y
diff --git a/aports/wpa_supplicant/unsafe-renegotiation-1.patch b/aports/wpa_supplicant/unsafe-renegotiation-1.patch
new file mode 100644
index 0000000..0802a1b
--- /dev/null
+++ b/aports/wpa_supplicant/unsafe-renegotiation-1.patch
@@ -0,0 +1,103 @@
+Patch-Source: https://w1.fi/cgit/hostap/commit/?id=566ce69a8d0e64093309cbde80235aa522fbf84e
+From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Thu, 5 May 2022 00:07:44 +0300
+Subject: EAP peer: Workaround for servers that do not support safe TLS
+ renegotiation
+
+The TLS protocol design for renegotiation was identified to have a
+significant security flaw in 2009 and an extension to secure this design
+was published in 2010 (RFC 5746). However, some old RADIUS
+authentication servers without support for this are still used commonly.
+
+This is obviously not good from the security view point, but since there
+are cases where the user of a network service has no realistic means for
+getting the authentication server upgraded, TLS handshake may still need
+to be allowed to be able to use the network.
+
+OpenSSL 3.0 disabled the client side workaround by default and this
+resulted in issues connection to some networks with insecure
+authentication servers. With OpenSSL 3.0, the client is now enforcing
+security by refusing to authenticate with such servers. The pre-3.0
+behavior of ignoring this issue and leaving security to the server can
+now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
+This should be used only when having to connect to a network that has an
+insecure authentication server that cannot be upgraded.
+
+The old (pre-2010) TLS renegotiation mechanism might open security
+vulnerabilities if the authentication server were to allow TLS
+renegotiation to be initiated. While this is unlikely to cause real
+issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
+an authentication server that does not support RFC 5746 might result in
+a security vulnerability.
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+ src/crypto/tls.h | 1 +
+ src/crypto/tls_openssl.c | 5 +++++
+ src/eap_peer/eap_tls_common.c | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 5 +++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index ccaac94c9..7ea32ee4a 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -112,6 +112,7 @@ struct tls_config {
+ #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
+ #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
+ #define TLS_CONN_TEAP_ANON_DH BIT(17)
++#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
+
+ /**
+ * struct tls_connection_params - Parameters for TLS connection
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 388c6b0f4..0d23f44ad 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
+ SSL_clear_options(ssl, SSL_OP_NO_TICKET);
+ #endif /* SSL_OP_NO_TICKET */
+
++#ifdef SSL_OP_LEGACY_SERVER_CONNECT
++ if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
++ SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
++
+ #ifdef SSL_OP_NO_TLSv1
+ if (flags & TLS_CONN_DISABLE_TLSv1_0)
+ SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index 06c9b211e..6193b4bdb 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
+ params->flags |= TLS_CONN_SUITEB_NO_ECDH;
+ if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
+ params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
++ if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
++ params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
++ if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
++ params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
+ }
+
+
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index a1dc769c9..b5304a77e 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1370,6 +1370,11 @@ fast_reauth=1
+ # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
+ # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
+ # particular when using Suite B with RSA keys of >= 3K (3072) bits
++# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
++# not support safe renegotiation (RFC 5746); please note that this
++# workaround should be only when having to authenticate with an old
++# authentication server that cannot be updated to use secure TLS
++# implementation.
+ #
+ # Following certificate/private key fields are used in inner Phase2
+ # authentication when using EAP-TTLS or EAP-PEAP.
+--
+cgit v1.2.3-18-g5258
+
diff --git a/aports/wpa_supplicant/unsafe-renegotiation-2.patch b/aports/wpa_supplicant/unsafe-renegotiation-2.patch
new file mode 100644
index 0000000..2046637
--- /dev/null
+++ b/aports/wpa_supplicant/unsafe-renegotiation-2.patch
@@ -0,0 +1,105 @@
+Patch-Source: https://w1.fi/cgit/hostap/commit/?id=a561d12d24c2c8bb0f825d4a3a55a5e47e845853
+From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Wed, 4 May 2022 23:55:38 +0300
+Subject: EAP peer status notification for server not supporting RFC 5746
+
+Add a notification message to indicate reason for TLS handshake failure
+due to the server not supporting safe renegotiation (RFC 5746).
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+ src/ap/authsrv.c | 3 +++
+ src/crypto/tls.h | 3 ++-
+ src/crypto/tls_openssl.c | 15 +++++++++++++--
+ src/eap_peer/eap.c | 5 +++++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
+index 516c1da74..fd9c96fad 100644
+--- a/src/ap/authsrv.c
++++ b/src/ap/authsrv.c
+@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev,
+ wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
+ data->alert.description);
+ break;
++ case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++ /* Not applicable to TLS server */
++ break;
+ }
+ }
+ #endif /* EAP_TLS_FUNCS */
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 7ea32ee4a..7a2ee32df 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -22,7 +22,8 @@ enum tls_event {
+ TLS_CERT_CHAIN_SUCCESS,
+ TLS_CERT_CHAIN_FAILURE,
+ TLS_PEER_CERTIFICATE,
+- TLS_ALERT
++ TLS_ALERT,
++ TLS_UNSAFE_RENEGOTIATION_DISABLED,
+ };
+
+ /*
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 0d23f44ad..912471ba2 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
+ static struct wpabuf *
+ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ {
++ struct tls_context *context = conn->context;
+ int res;
+ struct wpabuf *out_data;
+
+@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
+ "write");
+ else {
++ unsigned long error = ERR_peek_last_error();
++
+ tls_show_errors(MSG_INFO, __func__, "SSL_connect");
++
++ if (context->event_cb &&
++ ERR_GET_LIB(error) == ERR_LIB_SSL &&
++ ERR_GET_REASON(error) ==
++ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
++ context->event_cb(
++ context->cb_ctx,
++ TLS_UNSAFE_RENEGOTIATION_DISABLED,
++ NULL);
++ }
+ conn->failed++;
+ if (!conn->server && !conn->client_hello_generated) {
+ /* The server would not understand TLS Alert
+@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
+ os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
+ conn->server_dh_prime_len < 3072) {
+- struct tls_context *context = conn->context;
+-
+ /*
+ * This should not be reached since earlier cert_cb should have
+ * terminated the handshake. Keep this check here for extra
+diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
+index 429b20d3a..729388f4f 100644
+--- a/src/eap_peer/eap.c
++++ b/src/eap_peer/eap.c
+@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
+ eap_notify_status(sm, "remote TLS alert",
+ data->alert.description);
+ break;
++ case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++ wpa_printf(MSG_INFO,
++ "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this");
++ eap_notify_status(sm, "unsafe server renegotiation", "failure");
++ break;
+ }
+
+ os_free(hash_hex);
+--
+cgit v1.2.3-18-g5258
+