diff --git a/srcpkgs/kcgi/patches/3f41e39c020d5b135e98fe025f259a5ac999129e.patch b/srcpkgs/kcgi/patches/3f41e39c020d5b135e98fe025f259a5ac999129e.patch
new file mode 100644
index 00000000000..81c6dcc9b0a
--- /dev/null
+++ b/srcpkgs/kcgi/patches/3f41e39c020d5b135e98fe025f259a5ac999129e.patch
@@ -0,0 +1,36 @@
+From 3f41e39c020d5b135e98fe025f259a5ac999129e Mon Sep 17 00:00:00 2001
+From: Duncan Overbruck
+Date: Mon, 20 Nov 2023 21:59:50 +0100
+Subject: [PATCH] allow some missing syscalls for i386 with glibc
+
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index a2e009d..46db374 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -102,6 +102,9 @@ static const struct sock_filter preauth_ctrl[] = {
+ #endif
+ #ifdef __NR_accept /* not defined for __i386__ (linux) */
+ SC_ALLOW(accept),
++#endif
++#ifdef __NR_socketcall /* used for accept on __i386__ (linux) */
++ SC_ALLOW(socketcall),
+ #endif
+ SC_ALLOW(fcntl),
+ #ifdef __NR_fcntl64 /* only noted on arm */
+@@ -190,6 +193,9 @@ static const struct sock_filter preauth_work[] = {
+ SC_ALLOW(fstat), /* for kutil_openlog logging */
+ #ifdef __NR_newfstatat
+ SC_ALLOW(newfstatat), /* for kutil_openlog logging */
++#endif
++#ifdef __NR_statx
++ SC_ALLOW(statx), /* for kutil_openlog logging */
+ #endif
+ SC_ALLOW(write),
+ SC_ALLOW(writev),
+--
+2.42.0
+
diff --git a/srcpkgs/kcgi/patches/ppc-sandbox.patch b/srcpkgs/kcgi/patches/ppc-sandbox.patch
deleted file mode 100644
index 6d90b927016..00000000000
--- a/srcpkgs/kcgi/patches/ppc-sandbox.patch
+++ /dev/null
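Review bot: `SC_ALLOW(socketcall)` in the first inner hunk (`preauth_ctrl[]`) admits every operation multiplexed through socketcall(2) on i386 (socket, connect, bind, sendto and the rest), although its comment says it is only needed for accept, so on that architecture the filter is considerably wider than on targets that define `__NR_accept`. seccomp exposes the sub-call number as the first syscall argument, so the rule could be narrowed to match `SYS_ACCEPT` (and `SYS_ACCEPT4` if glibc uses it) from `<linux/net.h>` and leave other sub-calls to the filter's default action; whether this file already has an argument-matching helper is not visible here, so that may need a small macro. At minimum the comment should state the real scope, e.g. `/* i386: accept goes via socketcall(2); this also permits every other socketcall op */`. The `statx` rule in `preauth_work[]` looks no broader than the `newfstatat` rule beside it, since both take a path. Both array bodies start and end outside the hunks.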
@@ -1,18 +0,0 @@
---- a/configure
-+++ b/configure
-@@ -444,6 +444,15 @@ if [ ${HAVE_SECCOMP_FILTER} -eq 1 ]; then
- arm*)
- echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM"
- ;;
-+ ppc64le)
-+ echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE"
-+ ;;
-+ ppc64)
-+ echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64"
-+ ;;
-+ ppc)
-+ echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC"
-+ ;;
- esac
- fi
-
diff --git a/srcpkgs/kcgi/patches/seccomp.patch b/srcpkgs/kcgi/patches/seccomp.patch
deleted file mode 100644
index 2cc0885bcd7..00000000000
--- a/srcpkgs/kcgi/patches/seccomp.patch
+++ /dev/null
@@ -1,85 +0,0 @@
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -89,7 +89,12 @@
- /* Load the syscall number for checking. */
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
- offsetof(struct seccomp_data, nr)),
-+#ifdef __NR_open
- SC_DENY(open, EACCES),
-+#endif
-+#ifdef __NR_openat
-+ SC_DENY(openat, EACCES),
-+#endif
- SC_ALLOW(getpid),
- SC_ALLOW(gettimeofday),
- SC_ALLOW(clock_gettime),
-@@ -121,12 +126,16 @@
- #ifdef __NR_ppoll
- SC_ALLOW(ppoll),
- #endif
-+#ifdef __NR_poll
- SC_ALLOW(poll),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(_newselect),
- #else
-+#ifdef __NR_select
- SC_ALLOW(select),
- #endif
-+#endif
- SC_ALLOW(madvise),
- #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
- SC_ALLOW(mmap2),
-@@ -159,7 +168,12 @@
- /* Load the syscall number for checking. */
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
- offsetof(struct seccomp_data, nr)),
-+#ifdef __NR_open
- SC_DENY(open, EACCES),
-+#endif
-+#ifdef __NR_openat
-+ SC_DENY(openat, EACCES),
-+#endif
- SC_ALLOW(getpid),
- #ifdef __NR_getrandom
- SC_ALLOW(getrandom),
-@@ -184,11 +198,15 @@
- #ifdef __NR_ppoll
- SC_ALLOW(ppoll),
- #endif
-+#ifdef __NR_poll
- SC_ALLOW(poll),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(_newselect),
- #else
-+#ifdef __NR_select
- SC_ALLOW(select),
-+#endif
- #endif
- SC_ALLOW(madvise),
- #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -122,6 +122,9 @@
- #ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
- SC_ALLOW(shutdown),
- #endif
-+#ifdef __NR_socketcall
-+ SC_ALLOW(socketcall),
-+#endif
- SC_ALLOW(brk),
- #ifdef __NR_ppoll
- SC_ALLOW(ppoll),
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -193,6 +193,9 @@
- #ifdef __NR_newfstatat
- SC_ALLOW(newfstatat), /* for kutil_openlog logging */
- #endif
-+#ifdef __NR_fstat64
-+ SC_ALLOW(fstat64), /* for kutil_openlog logging */
-+#endif
- SC_ALLOW(write),
- SC_ALLOW(writev),
- SC_ALLOW(close),
diff --git a/srcpkgs/kcgi/template b/srcpkgs/kcgi/template
index 7d7525e43ab..a01073b0560 100644
--- a/srcpkgs/kcgi/template
+++ b/srcpkgs/kcgi/template
@@ -1,6 +1,6 @@
 # Template file for 'kcgi'
 pkgname=kcgi
-version=0.13.0
+version=0.13.1
 revision=1
 build_style=configure
 configure_args="PREFIX=/usr MANDIR=/usr/share/man SBINDIR=/usr/bin"
@@ -15,7 +15,7 @@ license="ISC"
 homepage="http://kristaps.bsd.lv/kcgi/"
 changelog="https://kristaps.bsd.lv/kcgi/archive.html"
 distfiles="http://kristaps.bsd.lv/kcgi/snapshots/kcgi-${version}.tgz"
-checksum=d886e5700f5ec72b00cb668e9f06b7b3906b6ccdc5bab4c89e436d4cc4c0c7a1
+checksum=3246ee78a091b496f7040c5f29fb9e45a7aa2873f4d8d77a30b6437f07db4d49
 export CFLAGS="-DENABLE_SECCOMP_FILTER=1"