Diffstat (limited to 'pcr')
-rw-r--r--pcr/systemd-knock/PKGBUILD94
-rw-r--r--pcr/systemd-knock/systemd-hwdb.hook (renamed from pcr/systemd-knock/udev-hwdb.hook)4
-rw-r--r--pcr/systemd-knock/systemd-update.hook11
-rw-r--r--pcr/systemd-knock/systemd.install10
4 files changed, 77 insertions, 42 deletions
diff --git a/pcr/systemd-knock/PKGBUILD b/pcr/systemd-knock/PKGBUILD
index 590ff3bfb..fa4075fce 100644
--- a/pcr/systemd-knock/PKGBUILD
+++ b/pcr/systemd-knock/PKGBUILD
@@ -9,7 +9,7 @@ pkgbase=systemd-knock
pkgname=('systemd-knock' 'libsystemd-knock' 'systemd-knock-sysvcompat'
'libsystemd-knock-standalone' 'libudev-knock' 'nss-knock-myhostname' 'nss-knock-mymachines' 'nss-knock-resolve')
pkgver=232
-pkgrel=1
+pkgrel=2
arch=('i686' 'x86_64' 'armv7h')
url="https://www.github.com/systemd/systemd"
makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf'
@@ -29,9 +29,10 @@ source=("git://github.com/systemd/systemd.git#tag=v$pkgver"
'parabola.conf'
'loader.conf'
'systemd-user.pam'
+ 'systemd-hwdb.hook'
'systemd-sysusers.hook'
'systemd-tmpfiles.hook'
- 'udev-hwdb.hook'
+ 'systemd-update.hook'
'0001-disable-RestrictAddressFamilies-on-i686.patch'
'0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch'
'0001-nspawn-don-t-hide-bind-tmp-mounts.patch'
@@ -53,9 +54,10 @@ sha512sums=('SKIP'
'70b3f1d6aaa9cd4b6b34055a587554770c34194100b17b2ef3aaf4f16f68da0865f6b3ae443b3252d395e80efabd412b763259ffb76c902b60e23b6b522e3cc8'
'6c6f579644ea2ebb6b46ee274ab15110718b0de40def8c30173ba8480b045d403f2aedd15b50ad9b96453f4ad56920d1350ff76563755bb9a80b10fa7f64f1d9'
'b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19'
+ '2c1f765e7cefc50f07ad994634ea25d9396e6b9c0de46e58f18377e642a471517a0dbf5eb547070a38c6ecf84ec8e030f650a6cee010871cd7a466a32534adda'
'9d27d97f172a503f5b7044480a0b9ccc0c4ed5dbb2eb3b2b1aa929332c3bcfe38ef0c0310b6566f23b34f9c05b77035221164a7ab7677784c4a54664f12fca22'
'0f4efddd25256e09c42b953caeee4b93eb49ecc6eaebf02e616b4dcbfdac9860c3d8a3d1a106325b2ebc4dbc6e08ac46702abcb67a06737227ccb052aaa2a067'
- '888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862'
+ '10190fba9f39a8f4b620a0829e0ba8ed63bb4dbeca712966011ee7807880d01ab2abff1a80baafeb6674db70526a473fe585db8190e864f318fc4d6068552618'
'89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f'
'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219'
'68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35'
@@ -83,45 +85,60 @@ _backports=(
'3d4cf7de48a74726694abbaa09f9804b845ff3ba' # build-sys: check for lz4 in the old and new numbering scheme (#4717)
)
-#_validate_tag() {
-# local success fingerprint trusted status tag=v$pkgver
-#
-# parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1)
-#
-# if (( ! success )); then
-# error 'failed to validate tag %s\n' "$tag"
-# return 1
-# fi
-#
-# if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then
-# error 'unknown or untrusted public key: %s\n' "$fingerprint"
-# return 1
-# fi
-#
-# case $status in
-# 'expired')
-# warning 'the signature has expired'
-# ;;
-# 'expiredkey')
-# warning 'the key has expired'
-# ;;
-# esac
-#
-# return 0
-#}
+_validate_tag() {
+ local success fingerprint trusted status tag=v$pkgver
+
+ parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1)
+
+ if (( ! success )); then
+ error 'failed to validate tag %s\n' "$tag"
+ return 1
+ fi
+
+ if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then
+ error 'unknown or untrusted public key: %s\n' "$fingerprint"
+ return 1
+ fi
+
+ case $status in
+ 'expired')
+ warning 'the signature has expired'
+ ;;
+ 'expiredkey')
+ warning 'the key has expired'
+ ;;
+ esac
+
+ return 0
+}
prepare() {
cd "$_pkgbase"
-# _validate_tag || return
+ _validate_tag || return
if (( ${#_backports[*]} > 0 )); then
git cherry-pick -n "${_backports[@]}"
fi
- # apply FSDG, Knock and another patches
+ # https://github.com/systemd/systemd/issues/4789
+ patch -Np1 <../0001-nspawn-don-t-hide-bind-tmp-mounts.patch
+
+ # these patches aren't upstream, but they make v232 more useable.
+
+ # https://github.com/systemd/systemd/issues/4575
+ patch -Np1 <../0001-disable-RestrictAddressFamilies-on-i686.patch
+
+ # https://github.com/systemd/systemd/issues/4595
+ # https://github.com/systemd/systemd/issues/3826
+ patch -Np1 <../0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
+
+ # apply Knock patches
+ patch -Np1 -i "$srcdir"/0001-adds-TCP-Stealth-support-to-systemd-231.patch
+
+ # apply FSDG patches
local patchfile
- for patchfile in "$srcdir"/*.patch; do
+ for patchfile in "$srcdir"/????-FSDG-*.patch; do
patch -Np1 -i "$patchfile"
done
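Review bot: The key check at `if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then` accepts a tag signed by any key the build host's GnuPG keyring marks as trusted, even when its fingerprint is not in validpgpkeys, so whether the tag passes validation depends on local keyring state rather than on the PKGBUILD alone. If the intent is to pin the tag to the listed keys, the condition reduces to `if ! in_array "$fingerprint" "${validpgpkeys[@]}"; then`; otherwise a comment such as `# a key already trusted in the builder's keyring is accepted too` would make the accepted-key policy explicit. The patch invocations added to prepare() mix `patch -Np1 <../file` with `patch -Np1 -i "$srcdir"/file`; using the `-i "$srcdir"/...` form throughout would match the FSDG loop and not rely on the relative layout of the build directory. prepare() continues past the end of this hunk.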
@@ -142,21 +159,14 @@ build() {
CXXFLAGS+=" -fno-lto"
fi
- local enable_gnuefi=''
- if [ "$CARCH" != "armv7h" ]; then
- enable_gnuefi='--enable-gnuefi'
- fi
-
local configure_options=(
--libexecdir=/usr/lib
--localstatedir=/var
--sysconfdir=/etc
--enable-lz4
- $enable_gnuefi
--disable-audit
--disable-ima
- --enable-tcp-stealth
--with-sysvinit-path=
--with-sysvrcnd-path=
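Review bot: `--enable-tcp-stealth` is removed from configure_options while prepare() still applies 0001-adds-TCP-Stealth-support-to-systemd-231.patch; if that patch gates the feature behind a configure switch, the build now silently produces a systemd without the TCP Stealth support this package is named for. If the removal is deliberate (for instance because the patch no longer needs the switch), a comment on the array such as `# TCP Stealth is enabled by the Knock patch itself; no configure flag needed` would record that for the next maintainer. build() continues outside this hunk, and the gnuefi change in the following hunk is part of the same function.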
@@ -165,6 +175,9 @@ build() {
--with-dbuspolicydir=/usr/share/dbus-1/system.d
--without-kill-user-processes
)
+ if [ "$CARCH" != "armv7h" ]; then
+ configure_options+=(--enable-gnuefi)
+ fi
./configure "${configure_options[@]}"
@@ -270,9 +283,10 @@ package_systemd-knock() {
install -Dm644 "$srcdir/loader.conf" "$pkgdir"/usr/share/systemd/bootctl/loader.conf
install -Dm644 "$srcdir/splash-parabola.bmp" "$pkgdir"/usr/share/systemd/bootctl/splash-parabola.bmp
+ install -Dm644 "$srcdir/systemd-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-hwdb.hook"
install -Dm644 "$srcdir/systemd-sysusers.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-sysusers.hook"
install -Dm644 "$srcdir/systemd-tmpfiles.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-tmpfiles.hook"
- install -Dm644 "$srcdir/udev-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/udev-hwdb.hook"
+ install -Dm644 "$srcdir/systemd-update.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-update.hook"
# overwrite the systemd-user PAM configuration with our own
install -Dm644 systemd-user.pam "$pkgdir/etc/pam.d/systemd-user"
diff --git a/pcr/systemd-knock/udev-hwdb.hook b/pcr/systemd-knock/systemd-hwdb.hook
index 7bc055b4e..d7c987724 100644
--- a/pcr/systemd-knock/udev-hwdb.hook
+++ b/pcr/systemd-knock/systemd-hwdb.hook
@@ -6,6 +6,6 @@ Operation = Remove
Target = usr/lib/udev/hwdb.d/*
[Action]
-Description = Updating udev Hardware Database...
+Description = Updating udev hardware database...
When = PostTransaction
-Exec = /usr/bin/udevadm hwdb --update
+Exec = /usr/bin/systemd-hwdb --usr update
diff --git a/pcr/systemd-knock/systemd-update.hook b/pcr/systemd-knock/systemd-update.hook
new file mode 100644
index 000000000..3697fbd70
--- /dev/null
+++ b/pcr/systemd-knock/systemd-update.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Type = File
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Target = usr/
+
+[Action]
+Description = Arming ConditionNeedsUpdate...
+When = PostTransaction
+Exec = /usr/bin/touch -c /usr
diff --git a/pcr/systemd-knock/systemd.install b/pcr/systemd-knock/systemd.install
index b59de2008..f799c882d 100644
--- a/pcr/systemd-knock/systemd.install
+++ b/pcr/systemd-knock/systemd.install
@@ -36,6 +36,15 @@ _230_1_changes() {
echo ':: systemd-bootchart is no longer included with systemd'
}
+_232_8_changes() {
+ # paper over possible effects of CVE-2016-10156
+ local stamps=(/var/lib/systemd/timers/*.timer)
+
+ if [[ -f ${stamps[0]} ]]; then
+ chmod 0644 "${stamps[@]}"
+ fi
+}
+
post_install() {
systemd-machine-id-setup
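Review bot: `_232_8_changes` is named after a 232-8 release, but this package's pkgver/pkgrel in the same commit is 232-2, and the matching `232-8` entry is added to the upgrades array in the next hunk; if post_upgrade dispatches on `vercmp` against the previously installed version as the rest of the file suggests (its loop body is outside this hunk), the chmod will re-run on every upgrade until the package itself reaches 232-8. That is harmless because `chmod 0644` is idempotent, but naming the function after this package's own version, or a comment noting the mismatch, would avoid confusion. The comment `# paper over possible effects of CVE-2016-10156` could also say what is being repaired, e.g. `# CVE-2016-10156: timer stamp files may have been created world-writable; reset them to 0644`.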
@@ -68,6 +77,7 @@ post_upgrade() {
219-2
219-4
230-1
+ 232-8
)
for v in "${upgrades[@]}"; do