Revision bump: restore compatibility with hardened setups, wrt bug #519480, add optional debugfs support. Drop old revision

(Portage version: 2.2.12/cvs/Linux x86_64, signed Manifest commit with key 0x1F357D42)

3 files changed, 99 insertions, 8 deletions

diff --git a/net-firewall/ipt_netflow/ChangeLog b/net-firewall/ipt_netflow/ChangeLog
index 9281212db47d..03b9008cc699 100644
--- a/net-firewall/ipt_netflow/ChangeLog
+++ b/net-firewall/ipt_netflow/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-firewall/ipt_netflow
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipt_netflow/ChangeLog,v 1.15 2014/08/09 09:58:09 jer Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipt_netflow/ChangeLog,v 1.16 2014/08/19 07:21:25 pinkbyte Exp $
+
+*ipt_netflow-2.0-r1 (19 Aug 2014)
+
+  19 Aug 2014; Sergey Popov <pinkbyte@gentoo.org> -ipt_netflow-2.0.ebuild,
+  +ipt_netflow-2.0-r1.ebuild, +files/ipt_netflow-2.0-pax-const.patch:
+  Revision bump: restore compatibility with hardened setups, wrt bug #519480,
+  add optional debugfs support. Drop old revision
 
 *ipt_netflow-2.0 (09 Aug 2014)
 
diff --git a/net-firewall/ipt_netflow/files/ipt_netflow-2.0-pax-const.patch b/net-firewall/ipt_netflow/files/ipt_netflow-2.0-pax-const.patch
new file mode 100644
index 000000000000..8a1270109652
--- /dev/null
+++ b/net-firewall/ipt_netflow/files/ipt_netflow-2.0-pax-const.patch
@@ -0,0 +1,69 @@
+Patch by Jeremy Drake, https://bugs.gentoo.org/show_bug.cgi?id=466430
+
+Adds support for building with PaX hardened kernel
+
+Adapted to version 2.0 by Sergey Popov <pinkbyte@gentoo.org>
+
+--- ipt_NETFLOW.c.orig	2014-08-07 08:05:08.000000000 +0400
++++ ipt_NETFLOW.c	2014-08-18 11:10:08.000000000 +0400
+@@ -845,13 +845,13 @@
+ 			 void __user *buffer, size_t *lenp, loff_t *fpos)
+ {
+ 	void *orig = ctl->data;
++	ctl_table_no_const lctl = *ctl;
+ 	int ret, hsize;
+ 
+ 	if (write)
+-		ctl->data = &hsize;
+-	ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
++		lctl.data = &hsize;
++	ret = proc_dointvec(&lctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
+ 	if (write) {
+-		ctl->data = orig;
+ 		if (hsize < LOCK_COUNT)
+ 			return -EPERM;
+ 		return set_hashsize(hsize)?:ret;
+@@ -864,6 +864,7 @@
+ {
+ 	int ret;
+ 	struct ipt_netflow_sock *usock;
++	ctl_table_no_const lctl = *ctl;
+ 
+ 	mutex_lock(&sock_lock);
+ 	if (list_empty(&usock_list)) {
+@@ -875,8 +876,8 @@
+ 		sndbuf = usock->sock->sk->sk_sndbuf;
+ 	mutex_unlock(&sock_lock);
+ 
+-	ctl->data = &sndbuf;
+-	ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
++	lctl.data = &sndbuf;
++	ret = proc_dointvec(&lctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
+ 	if (!write)
+ 		return ret;
+ 	if (sndbuf < SOCK_MIN_SNDBUF)
+@@ -943,9 +944,10 @@
+ {
+ 	int ret;
+ 	int val = 0;
++	ctl_table_no_const lctl = *ctl;
+ 
+-	ctl->data = &val;
+-	ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
++	lctl.data = &val;
++	ret = proc_dointvec(&lctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
+ 
+ 	if (!write)
+ 		return ret;
+@@ -966,8 +968,9 @@
+ 	int ret;
+ 	int ver = protocol;
+ 
+-	ctl->data = &ver;
+-	ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
++	ctl_table_no_const lctl = *ctl;
++	lctl.data = &ver;
++	ret = proc_dointvec(&lctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
+ 
+ 	if (!write)
+ 		return ret;
diff --git a/net-firewall/ipt_netflow/ipt_netflow-2.0.ebuild b/net-firewall/ipt_netflow/ipt_netflow-2.0-r1.ebuild
index 0612b60c6c3c..d2ade4923940 100644
--- a/net-firewall/ipt_netflow/ipt_netflow-2.0.ebuild
+++ b/net-firewall/ipt_netflow/ipt_netflow-2.0-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipt_netflow/ipt_netflow-2.0.ebuild,v 1.1 2014/08/09 09:58:09 jer Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipt_netflow/ipt_netflow-2.0-r1.ebuild,v 1.1 2014/08/19 07:21:25 pinkbyte Exp $
 
 EAPI=5
 inherit eutils linux-info linux-mod multilib toolchain-funcs
@@ -13,7 +13,7 @@ LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~amd64 ~x86"
 
-IUSE="pax_kernel"
+IUSE="debug pax_kernel"
 
 RDEPEND="net-firewall/iptables"
 DEPEND="${RDEPEND}
@@ -22,14 +22,19 @@ DEPEND="${RDEPEND}
 "
 
 # set S before MODULE_NAMES
-S=${WORKDIR}/${PN/_/-}-${PV}
+S="${WORKDIR}/${PN/_/-}-${PV}"
 
 BUILD_TARGETS="all"
-CONFIG_CHECK="~IP_NF_IPTABLES"
 MODULE_NAMES="ipt_NETFLOW(ipt_netflow:${S})"
 
 IPT_LIB="/usr/$(get_libdir)/xtables"
 
+pkg_setup() {
+	local CONFIG_CHECK="~IP_NF_IPTABLES"
+	use debug && CONFIG_CHECK+=" ~DEBUG_FS"
+	linux-mod_pkg_setup
+}
+
 src_prepare() {
 	sed -i \
 		-e 's:make -C:$(MAKE) -C:g' \
@@ -38,22 +43,32 @@ src_prepare() {
 		Makefile.in || die
 
 	# bug #455984
-	epatch "${FILESDIR}"/${PN}-2.0-configure.patch
+	epatch "${FILESDIR}/${PN}-2.0-configure.patch"
+
+	# bugs #466430 and #519480
+	if use pax_kernel; then
+		epatch "${FILESDIR}/${PN}-2.0-pax-const.patch"
+	fi
 
 	epatch_user
 }
 
+do_conf() {
+	echo ./configure $*
+	./configure $* || die 'configure failed'
+}
+
 src_configure() {
 	local IPT_VERSION="$($(tc-getPKG_CONFIG) --modversion xtables)"
 	# econf can not be used, cause configure script fails when see unknown parameter
 	# ipt-src need to be defined, see bug #455984
-	./configure \
+	do_conf \
 		--ipt-lib="${IPT_LIB}" \
 		--ipt-src="/usr/" \
 		--ipt-ver="${IPT_VERSION}" \
 		--kdir="${KV_DIR}" \
 		--kver="${KV_FULL}" \
-	|| die 'configure failed'
+		$(use debug && echo '--enable-debugfs')
 }
 
 src_compile() {