diff options
Diffstat (limited to 'pcr')
-rw-r--r-- | pcr/systemd-knock/PKGBUILD | 94 | ||||
-rw-r--r-- | pcr/systemd-knock/systemd-hwdb.hook (renamed from pcr/systemd-knock/udev-hwdb.hook) | 4 | ||||
-rw-r--r-- | pcr/systemd-knock/systemd-update.hook | 11 | ||||
-rw-r--r-- | pcr/systemd-knock/systemd.install | 10 |
4 files changed, 77 insertions, 42 deletions
diff --git a/pcr/systemd-knock/PKGBUILD b/pcr/systemd-knock/PKGBUILD index 590ff3bfb..fa4075fce 100644 --- a/pcr/systemd-knock/PKGBUILD +++ b/pcr/systemd-knock/PKGBUILD @@ -9,7 +9,7 @@ pkgbase=systemd-knock pkgname=('systemd-knock' 'libsystemd-knock' 'systemd-knock-sysvcompat' 'libsystemd-knock-standalone' 'libudev-knock' 'nss-knock-myhostname' 'nss-knock-mymachines' 'nss-knock-resolve') pkgver=232 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64' 'armv7h') url="https://www.github.com/systemd/systemd" makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf' @@ -29,9 +29,10 @@ source=("git://github.com/systemd/systemd.git#tag=v$pkgver" 'parabola.conf' 'loader.conf' 'systemd-user.pam' + 'systemd-hwdb.hook' 'systemd-sysusers.hook' 'systemd-tmpfiles.hook' - 'udev-hwdb.hook' + 'systemd-update.hook' '0001-disable-RestrictAddressFamilies-on-i686.patch' '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch' '0001-nspawn-don-t-hide-bind-tmp-mounts.patch' @@ -53,9 +54,10 @@ sha512sums=('SKIP' '70b3f1d6aaa9cd4b6b34055a587554770c34194100b17b2ef3aaf4f16f68da0865f6b3ae443b3252d395e80efabd412b763259ffb76c902b60e23b6b522e3cc8' '6c6f579644ea2ebb6b46ee274ab15110718b0de40def8c30173ba8480b045d403f2aedd15b50ad9b96453f4ad56920d1350ff76563755bb9a80b10fa7f64f1d9' 'b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19' + '2c1f765e7cefc50f07ad994634ea25d9396e6b9c0de46e58f18377e642a471517a0dbf5eb547070a38c6ecf84ec8e030f650a6cee010871cd7a466a32534adda' '9d27d97f172a503f5b7044480a0b9ccc0c4ed5dbb2eb3b2b1aa929332c3bcfe38ef0c0310b6566f23b34f9c05b77035221164a7ab7677784c4a54664f12fca22' '0f4efddd25256e09c42b953caeee4b93eb49ecc6eaebf02e616b4dcbfdac9860c3d8a3d1a106325b2ebc4dbc6e08ac46702abcb67a06737227ccb052aaa2a067' - '888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862' + '10190fba9f39a8f4b620a0829e0ba8ed63bb4dbeca712966011ee7807880d01ab2abff1a80baafeb6674db70526a473fe585db8190e864f318fc4d6068552618' '89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f' 'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219' '68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35' @@ -83,45 +85,60 @@ _backports=( '3d4cf7de48a74726694abbaa09f9804b845ff3ba' # build-sys: check for lz4 in the old and new numbering scheme (#4717) ) -#_validate_tag() { -# local success fingerprint trusted status tag=v$pkgver -# -# parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1) -# -# if (( ! success )); then -# error 'failed to validate tag %s\n' "$tag" -# return 1 -# fi -# -# if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then -# error 'unknown or untrusted public key: %s\n' "$fingerprint" -# return 1 -# fi -# -# case $status in -# 'expired') -# warning 'the signature has expired' -# ;; -# 'expiredkey') -# warning 'the key has expired' -# ;; -# esac -# -# return 0 -#} +_validate_tag() { + local success fingerprint trusted status tag=v$pkgver + + parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1) + + if (( ! success )); then + error 'failed to validate tag %s\n' "$tag" + return 1 + fi + + if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then + error 'unknown or untrusted public key: %s\n' "$fingerprint" + return 1 + fi + + case $status in + 'expired') + warning 'the signature has expired' + ;; + 'expiredkey') + warning 'the key has expired' + ;; + esac + + return 0 +} prepare() { cd "$_pkgbase" -# _validate_tag || return + _validate_tag || return if (( ${#_backports[*]} > 0 )); then git cherry-pick -n "${_backports[@]}" fi - # apply FSDG, Knock and another patches + # https://github.com/systemd/systemd/issues/4789 + patch -Np1 <../0001-nspawn-don-t-hide-bind-tmp-mounts.patch + + # these patches aren't upstream, but they make v232 more useable. + + # https://github.com/systemd/systemd/issues/4575 + patch -Np1 <../0001-disable-RestrictAddressFamilies-on-i686.patch + + # https://github.com/systemd/systemd/issues/4595 + # https://github.com/systemd/systemd/issues/3826 + patch -Np1 <../0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch + + # apply Knock patches + patch -Np1 -i "$srcdir"/0001-adds-TCP-Stealth-support-to-systemd-231.patch + + # apply FSDG patches local patchfile - for patchfile in "$srcdir"/*.patch; do + for patchfile in "$srcdir"/????-FSDG-*.patch; do patch -Np1 -i "$patchfile" done @@ -142,21 +159,14 @@ build() { CXXFLAGS+=" -fno-lto" fi - local enable_gnuefi='' - if [ "$CARCH" != "armv7h" ]; then - enable_gnuefi='--enable-gnuefi' - fi - local configure_options=( --libexecdir=/usr/lib --localstatedir=/var --sysconfdir=/etc --enable-lz4 - $enable_gnuefi --disable-audit --disable-ima - --enable-tcp-stealth --with-sysvinit-path= --with-sysvrcnd-path= @@ -165,6 +175,9 @@ build() { --with-dbuspolicydir=/usr/share/dbus-1/system.d --without-kill-user-processes ) + if [ "$CARCH" != "armv7h" ]; then + configure_options+=(--enable-gnuefi) + fi ./configure "${configure_options[@]}" @@ -270,9 +283,10 @@ package_systemd-knock() { install -Dm644 "$srcdir/loader.conf" "$pkgdir"/usr/share/systemd/bootctl/loader.conf install -Dm644 "$srcdir/splash-parabola.bmp" "$pkgdir"/usr/share/systemd/bootctl/splash-parabola.bmp + install -Dm644 "$srcdir/systemd-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-hwdb.hook" install -Dm644 "$srcdir/systemd-sysusers.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-sysusers.hook" install -Dm644 "$srcdir/systemd-tmpfiles.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-tmpfiles.hook" - install -Dm644 "$srcdir/udev-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/udev-hwdb.hook" + install -Dm644 "$srcdir/systemd-update.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-update.hook" # overwrite the systemd-user PAM configuration with our own install -Dm644 systemd-user.pam "$pkgdir/etc/pam.d/systemd-user" diff --git a/pcr/systemd-knock/udev-hwdb.hook b/pcr/systemd-knock/systemd-hwdb.hook index 7bc055b4e..d7c987724 100644 --- a/pcr/systemd-knock/udev-hwdb.hook +++ b/pcr/systemd-knock/systemd-hwdb.hook @@ -6,6 +6,6 @@ Operation = Remove Target = usr/lib/udev/hwdb.d/* [Action] -Description = Updating udev Hardware Database... +Description = Updating udev hardware database... When = PostTransaction -Exec = /usr/bin/udevadm hwdb --update +Exec = /usr/bin/systemd-hwdb --usr update diff --git a/pcr/systemd-knock/systemd-update.hook b/pcr/systemd-knock/systemd-update.hook new file mode 100644 index 000000000..3697fbd70 --- /dev/null +++ b/pcr/systemd-knock/systemd-update.hook @@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Operation = Remove +Target = usr/ + +[Action] +Description = Arming ConditionNeedsUpdate... +When = PostTransaction +Exec = /usr/bin/touch -c /usr diff --git a/pcr/systemd-knock/systemd.install b/pcr/systemd-knock/systemd.install index b59de2008..f799c882d 100644 --- a/pcr/systemd-knock/systemd.install +++ b/pcr/systemd-knock/systemd.install @@ -36,6 +36,15 @@ _230_1_changes() { echo ':: systemd-bootchart is no longer included with systemd' } +_232_8_changes() { + # paper over possible effects of CVE-2016-10156 + local stamps=(/var/lib/systemd/timers/*.timer) + + if [[ -f ${stamps[0]} ]]; then + chmod 0644 "${stamps[@]}" + fi +} + post_install() { systemd-machine-id-setup @@ -68,6 +77,7 @@ post_upgrade() { 219-2 219-4 230-1 + 232-8 ) for v in "${upgrades[@]}"; do |