-rw-r--r-- | main/memcached/APKBUILD | 34 | ||||
-rw-r--r-- | main/memcached/memcached.seccomp-musl.patch | 109 |
2 files changed, 133 insertions, 10 deletions
diff --git a/main/memcached/APKBUILD b/main/memcached/APKBUILD
index cc500b5fdc..69fa064cce 100644
--- a/main/memcached/APKBUILD
+++ b/main/memcached/APKBUILD
@@ -1,29 +1,41 @@
 # Contributor: Jeff Bilyk <jbilyk@alpinelinux.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=memcached
-pkgver=1.5.5
-pkgrel=1
+pkgver=1.5.6
+pkgrel=0
 pkgdesc="Distributed memory object caching system"
 url="http://memcached.org/"
 arch="all"
 license="BSD"
-makedepends="cyrus-sasl-dev libevent-dev libseccomp-dev linux-headers"
+depends_dev="${pkgname}=${pkgver}-r${pkgrel}"
+makedepends="$depends_dev cyrus-sasl-dev libevent-dev libseccomp-dev linux-headers"
 install="$pkgname.pre-install"
 subpackages="$pkgname-dev $pkgname-doc"
-source="http://www.memcached.org/files/${pkgname}-${pkgver}.tar.gz
+source="https://www.memcached.org/files/${pkgname}-${pkgver}.tar.gz
+ $pkgname.seccomp-musl.patch
  $pkgname.confd
  $pkgname.initd"
-builddir="${srcdir}/${pkgname}-${pkgver}"
+builddir="$srcdir/$pkgname-$pkgver"
 
 build() {
+ # extstore is broken on 32-bit
+ # https://github.com/memcached/memcached/issues/319
+ local _extstore='--enable-extstore'
+ case "$CARCH" in
+ (x86)
+ _extstore=''
+ ;;
+ esac
+
  cd "$builddir"
  ./configure \
- --build=$CBUILD \
- --host=$CHOST \
+ --build="$CBUILD" \
+ --host="$CHOST" \
  --prefix=/usr \
  --enable-sasl \
  --enable-sasl-pwdb \
- --enable-seccomp
+ --enable-seccomp \
+ $_extstore
  make
 }
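Review bot: The `case "$CARCH"` in build() only clears `_extstore` for x86, while the comment directly above it says extstore is broken on 32-bit in general; if this APKBUILD is also built for armhf or any other 32-bit target, that arch still gets `--enable-extstore`. Either match every 32-bit arch the package is built for, e.g. `(x86|armhf)`, or narrow the comment to x86 if the linked upstream issue turns out to be x86-specific. build() starts and ends inside this hunk.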
@@ -41,9 +53,11 @@ package() {
  "$pkgdir/etc/conf.d/$pkgname"
 }
 
-sha1sums="29cb75cc234dbaceed6e89db029af8363706f0fe memcached-1.5.4.tar.gz
+sha1sums="ca35929e74b132c2495a6957cfdc80556337fb90 memcached-1.5.6.tar.gz
+76e40b4e2a7c5198e78c8c7ce9b21d18f902399a memcached.seccomp-musl.patch
 a9c12a750a354c8d33849d106e285ddba150b6d2 memcached.confd
 4092666ae58207034e0de40d25b15c6b6cd31b5f memcached.initd"
-sha512sums="38883600398b5d9378bb57508ed94b80ed2c4ef0e2610e328a60bcb79268f85c67c99159993040b36eac964138822862fa78f62c649560abc4818233b1b2f3d0 memcached-1.5.5.tar.gz
+sha512sums="b8bb3b69358a476c6f11f42e89565dd0261cba3f1eaa6b0999dba7c2cb2d7c5e9ca24dedc6b7fd46ec78e40e52d66fe4694ebafd6bbd4557d25d66757d9024a4 memcached-1.5.6.tar.gz
+a84c0a22cf722b88462635cfec77892b3cff58dec880e89706c1797b56d5b924ad26e57db25e563d35d466d760b3c48ea9818cfc97269997e1ed701a2db3d0f4 memcached.seccomp-musl.patch
 31bd788433b8021ed332f86d291e7f03222ae234520e52ba673b581d5da2adf5656e8f73e8b985df73258dea9b2a1b8ef36195163fe47a92fda59825deedfed4 memcached.confd
 9615769b14175a25b50c9871b48c0635b5397ebe45231b43ee29a603eceb7b16bfc5ac744017b89b19082209c09597b3038a03ed0d5d9b45c60454d5b2717a55 memcached.initd"
diff --git a/main/memcached/memcached.seccomp-musl.patch b/main/memcached/memcached.seccomp-musl.patch
new file mode 100644
index 0000000000..914ac7754c
--- /dev/null
+++ b/main/memcached/memcached.seccomp-musl.patch
@@ -0,0 +1,109 @@
+From 35bc9e35d960f96d7fc099ba49fc9a365f9700f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stanis=C5=82aw=20Pitucha?= <viraptor@gmail.com>
+Date: Wed, 28 Feb 2018 22:18:29 +1100
+Subject: [PATCH] Support seccomp on musl
+X-Patch-URL: https://patch-diff.githubusercontent.com/raw/memcached/memcached/pull/349.patch
+
+Musl-based distributions like Alpine didn't work with seccomp profile
+enabled. This was due to musl using different syscalls than glibc under
+the cover.
+
+- writev/readv and epoll_pwait have been allowed
+- specific ioctl has been allowed to enableprinting the error/exit
+ message
+- brk has been allowed at runtime
+- worker writes to stderr have been allowed (this was also broken on
+ glibc)
+---
+ linux_priv.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/linux_priv.c b/linux_priv.c
+index 04155dd60..f1ea406af 100644
+--- a/linux_priv.c
++++ b/linux_priv.c
+@@ -2,6 +2,7 @@
+ #include <seccomp.h>
+ #include <errno.h>
+ #include <stdlib.h>
++#include <sys/ioctl.h>
+ #include "memcached.h"
+ 
+ // In the future when the system is more tested this could be switched
+@@ -16,21 +17,27 @@ void drop_privileges(void) {
+ 
+ int rc = 0;
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_wait), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_pwait), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_EQ, TIOCGWINSZ));
+ 
+ #ifdef MEMCACHED_DEBUG
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(readv), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
+@@ -57,10 +64,13 @@ void drop_worker_privileges(void) {
+ 
+ int rc = 0;
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_wait), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_pwait), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(readv), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+@@ -70,6 +80,8 @@ void drop_worker_privileges(void) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_EQ, TIOCGWINSZ));
+ 
+ // for spawning the LRU crawler
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clone), 0);
+@@ -83,9 +95,9 @@ void drop_worker_privileges(void) {
+ 
+ if (settings.shutdown_command) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tgkill), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tkill), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
+- rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettid), 0);
+ }
+@@ -95,8 +107,14 @@ void drop_worker_privileges(void) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 0);
+ } else {
++ // stdout
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, 1));
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 1, SCMP_A0(SCMP_CMP_EQ, 1));
++ // stderr
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, 2));
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 1, SCMP_A0(SCMP_CMP_EQ, 2));
+ }
+ 
+ if (rc != 0) {
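Review bot: The embedded patch's commit message does not account for two of the allow-list widenings its linux_priv.c hunks make: `rt_sigprocmask` becomes unconditionally allowed in both drop_privileges() and drop_worker_privileges() (the `@@ -83,9 +95,9 @@` hunk also removes it from the `settings.shutdown_command`-only block), and `tkill` is added beside `tgkill`. Since this allow-list is the sandbox boundary, each new syscall should be named with the musl code path that requires it, so that a later reader can tell a deliberate widening from an accidental one; a bullet such as `- rt_sigprocmask and tkill allowed unconditionally (needed by musl outside the shutdown path)` would close the gap, with the exact reason confirmed by the patch author. The `ioctl` rules are correctly narrowed to the request value via `SCMP_A1(SCMP_CMP_EQ, TIOCGWINSZ)`, and the fd-1/fd-2 `writev` rules mirror the existing `write` ones, so those need no extra justification. drop_worker_privileges() continues outside these hunks, so the effect on the rest of its policy cannot be checked here.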