From 964fc9b75c69848c04ed2738df9a733205d5d23b Mon Sep 17 00:00:00 2001 From: André Fabian Silva Delgado Date: Tue, 31 Jan 2017 23:19:11 -0300 Subject: systemd-knock-232-2: add hook for ConditionNeedsUpdate and update hwdb hook --- pcr/systemd-knock/PKGBUILD | 94 ++++++++++++++++++++--------------- pcr/systemd-knock/systemd-hwdb.hook | 11 ++++ pcr/systemd-knock/systemd-update.hook | 11 ++++ pcr/systemd-knock/systemd.install | 10 ++++ pcr/systemd-knock/udev-hwdb.hook | 11 ---- 5 files changed, 86 insertions(+), 51 deletions(-) create mode 100644 pcr/systemd-knock/systemd-hwdb.hook create mode 100644 pcr/systemd-knock/systemd-update.hook delete mode 100644 pcr/systemd-knock/udev-hwdb.hook (limited to 'pcr/systemd-knock') diff --git a/pcr/systemd-knock/PKGBUILD b/pcr/systemd-knock/PKGBUILD index 590ff3bfb..fa4075fce 100644 --- a/pcr/systemd-knock/PKGBUILD +++ b/pcr/systemd-knock/PKGBUILD @@ -9,7 +9,7 @@ pkgbase=systemd-knock pkgname=('systemd-knock' 'libsystemd-knock' 'systemd-knock-sysvcompat' 'libsystemd-knock-standalone' 'libudev-knock' 'nss-knock-myhostname' 'nss-knock-mymachines' 'nss-knock-resolve') pkgver=232 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64' 'armv7h') url="https://www.github.com/systemd/systemd" makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf' @@ -29,9 +29,10 @@ source=("git://github.com/systemd/systemd.git#tag=v$pkgver" 'parabola.conf' 'loader.conf' 'systemd-user.pam' + 'systemd-hwdb.hook' 'systemd-sysusers.hook' 'systemd-tmpfiles.hook' - 'udev-hwdb.hook' + 'systemd-update.hook' '0001-disable-RestrictAddressFamilies-on-i686.patch' '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch' '0001-nspawn-don-t-hide-bind-tmp-mounts.patch' 
@@ -53,9 +54,10 @@ sha512sums=('SKIP' '70b3f1d6aaa9cd4b6b34055a587554770c34194100b17b2ef3aaf4f16f68da0865f6b3ae443b3252d395e80efabd412b763259ffb76c902b60e23b6b522e3cc8' '6c6f579644ea2ebb6b46ee274ab15110718b0de40def8c30173ba8480b045d403f2aedd15b50ad9b96453f4ad56920d1350ff76563755bb9a80b10fa7f64f1d9' 'b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19' + '2c1f765e7cefc50f07ad994634ea25d9396e6b9c0de46e58f18377e642a471517a0dbf5eb547070a38c6ecf84ec8e030f650a6cee010871cd7a466a32534adda' '9d27d97f172a503f5b7044480a0b9ccc0c4ed5dbb2eb3b2b1aa929332c3bcfe38ef0c0310b6566f23b34f9c05b77035221164a7ab7677784c4a54664f12fca22' '0f4efddd25256e09c42b953caeee4b93eb49ecc6eaebf02e616b4dcbfdac9860c3d8a3d1a106325b2ebc4dbc6e08ac46702abcb67a06737227ccb052aaa2a067' - '888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862' + '10190fba9f39a8f4b620a0829e0ba8ed63bb4dbeca712966011ee7807880d01ab2abff1a80baafeb6674db70526a473fe585db8190e864f318fc4d6068552618' '89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f' 'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219' '68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35' 
@@ -83,45 +85,60 @@ _backports=( '3d4cf7de48a74726694abbaa09f9804b845ff3ba' # build-sys: check for lz4 in the old and new numbering scheme (#4717) ) -#_validate_tag() { -# local success fingerprint trusted status tag=v$pkgver -# -# parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1) -# -# if (( ! success )); then -# error 'failed to validate tag %s\n' "$tag" -# return 1 -# fi -# -# if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then -# error 'unknown or untrusted public key: %s\n' "$fingerprint" -# return 1 -# fi -# -# case $status in -# 'expired') -# warning 'the signature has expired' -# ;; -# 'expiredkey') -# warning 'the key has expired' -# ;; -# esac -# -# return 0 -#} +_validate_tag() { + local success fingerprint trusted status tag=v$pkgver + + parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1) + + if (( ! success )); then + error 'failed to validate tag %s\n' "$tag" + return 1 + fi + + if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then + error 'unknown or untrusted public key: %s\n' "$fingerprint" + return 1 + fi + + case $status in + 'expired') + warning 'the signature has expired' + ;; + 'expiredkey') + warning 'the key has expired' + ;; + esac + + return 0 +} prepare() { cd "$_pkgbase" -# _validate_tag || return + _validate_tag || return if (( ${#_backports[*]} > 0 )); then git cherry-pick -n "${_backports[@]}" fi - # apply FSDG, Knock and another patches + # https://github.com/systemd/systemd/issues/4789 + patch -Np1 <../0001-nspawn-don-t-hide-bind-tmp-mounts.patch + + # these patches aren't upstream, but they make v232 more useable. 
+ + # https://github.com/systemd/systemd/issues/4575 + patch -Np1 <../0001-disable-RestrictAddressFamilies-on-i686.patch + + # https://github.com/systemd/systemd/issues/4595 + # https://github.com/systemd/systemd/issues/3826 + patch -Np1 <../0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch + + # apply Knock patches + patch -Np1 -i "$srcdir"/0001-adds-TCP-Stealth-support-to-systemd-231.patch + + # apply FSDG patches local patchfile - for patchfile in "$srcdir"/*.patch; do + for patchfile in "$srcdir"/????-FSDG-*.patch; do patch -Np1 -i "$patchfile" done @@ -142,21 +159,14 @@ build() { CXXFLAGS+=" -fno-lto" fi - local enable_gnuefi='' - if [ "$CARCH" != "armv7h" ]; then - enable_gnuefi='--enable-gnuefi' - fi - local configure_options=( --libexecdir=/usr/lib --localstatedir=/var --sysconfdir=/etc --enable-lz4 - $enable_gnuefi --disable-audit --disable-ima - --enable-tcp-stealth --with-sysvinit-path= --with-sysvrcnd-path= @@ -165,6 +175,9 @@ build() { --with-dbuspolicydir=/usr/share/dbus-1/system.d --without-kill-user-processes ) + if [ "$CARCH" != "armv7h" ]; then + configure_options+=(--enable-gnuefi) + fi ./configure "${configure_options[@]}" 
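Review bot: `_validate_tag` is now the only integrity check on the `SKIP`-summed git source, yet it still accepts a tag whose signing key is not in validpgpkeys whenever gpg reports that key as `trusted` (the `&& (( ! trusted ))` clause), and an `expired`/`expiredkey` status merely warns. If the goal is to pin upstream's release key, drop the escape hatch: `if ! in_array "$fingerprint" "${validpgpkeys[@]}"; then`, and put a comment on the `case` saying why expiry is tolerated, e.g. `# expired keys still validate: old tags keep their signatures after upstream rotates keys`. validpgpkeys is declared above this hunk, so I cannot confirm it is populated; if it is empty, `in_array` never matches and only the trust path remains. The new explicit patch lines also mix `patch -Np1 <../…` with `patch -Np1 -i "$srcdir"/…`; one form would be easier to audit. prepare() continues past the end of this hunk.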
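Review bot: `--enable-tcp-stealth` is no longer passed to configure: it is removed together with the `$enable_gnuefi` cleanup, and nothing in the visible hunks re-adds it, so unless it is set somewhere outside this hunk the Knock patch applied in prepare() is compiled out and the package stops delivering its distinguishing feature. The commit message only mentions hooks, which suggests this is an accidental casualty of syncing against the upstream Arch PKGBUILD rather than a deliberate change. If it is deliberate, a comment next to the array such as `# --enable-tcp-stealth intentionally omitted: <reason>` would keep the next sync from silently flipping it back; otherwise restore the line `--enable-tcp-stealth` inside configure_options. build() continues past the end of this hunk.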
@@ -270,9 +283,10 @@ package_systemd-knock() { install -Dm644 "$srcdir/loader.conf" "$pkgdir"/usr/share/systemd/bootctl/loader.conf install -Dm644 "$srcdir/splash-parabola.bmp" "$pkgdir"/usr/share/systemd/bootctl/splash-parabola.bmp + install -Dm644 "$srcdir/systemd-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-hwdb.hook" install -Dm644 "$srcdir/systemd-sysusers.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-sysusers.hook" install -Dm644 "$srcdir/systemd-tmpfiles.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-tmpfiles.hook" - install -Dm644 "$srcdir/udev-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/udev-hwdb.hook" + install -Dm644 "$srcdir/systemd-update.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-update.hook" # overwrite the systemd-user PAM configuration with our own install -Dm644 systemd-user.pam "$pkgdir/etc/pam.d/systemd-user" diff --git a/pcr/systemd-knock/systemd-hwdb.hook b/pcr/systemd-knock/systemd-hwdb.hook new file mode 100644 index 000000000..d7c987724 --- /dev/null +++ b/pcr/systemd-knock/systemd-hwdb.hook @@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Operation = Remove +Target = usr/lib/udev/hwdb.d/* + +[Action] +Description = Updating udev hardware database... +When = PostTransaction +Exec = /usr/bin/systemd-hwdb --usr update diff --git a/pcr/systemd-knock/systemd-update.hook b/pcr/systemd-knock/systemd-update.hook new file mode 100644 index 000000000..3697fbd70 --- /dev/null +++ b/pcr/systemd-knock/systemd-update.hook @@ -0,0 +1,11 @@ +[Trigger] +Type = File +Operation = Install +Operation = Upgrade +Operation = Remove +Target = usr/ + +[Action] +Description = Arming ConditionNeedsUpdate... +When = PostTransaction +Exec = /usr/bin/touch -c /usr diff --git a/pcr/systemd-knock/systemd.install b/pcr/systemd-knock/systemd.install index b59de2008..f799c882d 100644 --- a/pcr/systemd-knock/systemd.install +++ b/pcr/systemd-knock/systemd.install 
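Review bot: switching the Exec to `systemd-hwdb --usr update` changes where the compiled database lands, while the hook it replaces (`udevadm hwdb --update`, see the deletion further down) wrote `/etc/udev/hwdb.bin`; if I remember the lookup order correctly, a leftover `/etc/udev/hwdb.bin` is consulted before `/usr/lib/udev/hwdb.bin`, so hosts upgrading from the old hook may keep using the stale database until something deletes the old file. This hunk cannot fix that on its own, but a one-time removal in the install script's upgrade path (something like `rm -f /etc/udev/hwdb.bin` guarded by the version check) would close the gap. A short header comment in the hook would also help the next reader: `# Regenerates /usr/lib/udev/hwdb.bin (--usr); a stale /etc/udev/hwdb.bin would shadow it` — assuming the hook parser accepts `#` comment lines, which I believe pacman's ini reader does.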
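Review bot: `Target = usr/` works only because every package that installs under /usr also owns the `usr/` directory entry, and `touch -c /usr` then bumps the mtime that ConditionNeedsUpdate= compares against /etc/.updated and /var/.updated; none of that is stated anywhere, so the hook reads as a mysterious no-op. `-c` is the right choice (nothing is created if /usr is somehow absent), but a header comment would make the mechanism explicit, e.g. `# Bumps /usr's mtime so units with ConditionNeedsUpdate= fire on next boot; relies on every package owning usr/`. I am assuming pacman's hook parser tolerates `#` comment lines, which is my recollection of its ini reader but not something this diff demonstrates.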
@@ -36,6 +36,15 @@ _230_1_changes() { echo ':: systemd-bootchart is no longer included with systemd' } +_232_8_changes() { + # paper over possible effects of CVE-2016-10156 + local stamps=(/var/lib/systemd/timers/*.timer) + + if [[ -f ${stamps[0]} ]]; then + chmod 0644 "${stamps[@]}" + fi +} + post_install() { systemd-machine-id-setup @@ -68,6 +77,7 @@ post_upgrade() { 219-2 219-4 230-1 + 232-8 ) for v in "${upgrades[@]}"; do diff --git a/pcr/systemd-knock/udev-hwdb.hook b/pcr/systemd-knock/udev-hwdb.hook deleted file mode 100644 index 7bc055b4e..000000000 --- a/pcr/systemd-knock/udev-hwdb.hook +++ /dev/null @@ -1,11 +0,0 @@ -[Trigger] -Type = File -Operation = Install -Operation = Upgrade -Operation = Remove -Target = usr/lib/udev/hwdb.d/* - -[Action] -Description = Updating udev Hardware Database... -When = PostTransaction -Exec = /usr/bin/udevadm hwdb --update -- cgit v1.2.3
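Review bot: `_232_8_changes` and the matching `232-8` entry appear to be copied from the Arch package, where the CVE-2016-10156 cleanup shipped in pkgrel 8, but this package is at 232-2; assuming the loop in post_upgrade (its body is outside the hunk) runs each entry greater than the old version `$2`, the chmod will be re-run on every upgrade until systemd-knock itself reaches 232-8, which is harmless because `chmod 0644` is idempotent, but the name misstates when the fix arrived. Renaming to `_232_2_changes` and listing `232-2` would run the migration exactly once for users coming from 232-1. The `[[ -f ${stamps[0]} ]]` guard correctly handles the unmatched-glob case where the pattern stays literal, and since the mode is absolute it also clears any setuid/setgid bits rather than only world-write; the comment could say so: `# absolute 0644 also strips any suid/sgid bits, not just o+w`.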