From acea7db37462e139e940ffa467ec72db8c1e84b0 Mon Sep 17 00:00:00 2001
From: Joe Bo Run
Date: Sat, 6 May 2023 03:34:28 +0300
Subject: [PATCH] upg memcached
---
 ...p_privileges-by-default-for-better-s.patch | 28 ++++++
 ...yscalls-tested-on-Linux-6.1-with-gli.patch | 99 +++++++++++++++++++
 memcached/PKGBUILD | 32 ++++--
 memcached/PKGBUILD-arch | 14 ++-
 memcached/deps | 1 +
 5 files changed, 161 insertions(+), 13 deletions(-)
 create mode 100644 memcached/0001-tests-enable-drop_privileges-by-default-for-better-s.patch
 create mode 100644 memcached/0002-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch
diff --git a/memcached/0001-tests-enable-drop_privileges-by-default-for-better-s.patch b/memcached/0001-tests-enable-drop_privileges-by-default-for-better-s.patch
new file mode 100644
index 0000000..ac69536
--- /dev/null
+++ b/memcached/0001-tests-enable-drop_privileges-by-default-for-better-s.patch
@@ -0,0 +1,28 @@
+From 5647bec11c166707eaf348830bc2f5da11d554c0 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Fri, 5 May 2023 18:13:57 +0200
+Subject: [PATCH] tests: enable drop_privileges by default for better seccomp
+ coverage
+
+---
+ t/lib/MemcachedTest.pm | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/t/lib/MemcachedTest.pm b/t/lib/MemcachedTest.pm
+index a9557e5..4a63913 100644
+--- a/t/lib/MemcachedTest.pm
++++ b/t/lib/MemcachedTest.pm
+@@ -298,7 +298,9 @@ sub new_memcached {
+ if ($< == 0) {
+ $args .= " -u root";
+ }
+- $args .= " -o relaxed_privileges";
++ if (supports_drop_priv()) {
++ $args .= " -o drop_privileges,relaxed_privileges";
++ }
+
+ my $udpport;
+ if ($args =~ /-l (\S+)/ || (($ssl_enabled || $unix_socket_disabled) && ($args !~ /-s (\S+)/))) {
+--
+2.40.1
+
diff --git a/memcached/0002-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch b/memcached/0002-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch
new file mode 100644
index 0000000..ee29962
--- /dev/null
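Review bot: The new `if (supports_drop_priv())` branch passes neither option when the check fails, whereas the removed line always passed `-o relaxed_privileges`; the nested hunk does not show whether `relaxed_privileges` is honoured on a build without `drop_privileges` support. If it is, add an else branch `$args .= " -o relaxed_privileges";` so the fallback keeps the previous behaviour; if it is only consulted inside the seccomp code, a one-line comment above the `if` saying so would save the next reader the check. Note that with `drop_privileges` now on by default, a missing syscall in the allowlist surfaces as a test failure rather than being masked, which is the intended effect. `new_memcached` continues outside the nested hunk.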
+++ b/memcached/0002-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch
@@ -0,0 +1,99 @@
+From 29f871dcab4d79a706a4af4c7a1989fd2a4c31e9 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Fri, 5 May 2023 18:10:23 +0200
+Subject: [PATCH] seccomp: extend syscalls tested on Linux 6.1 with glibc 2.37
+
+---
+ linux_priv.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/linux_priv.c b/linux_priv.c
+index 8d132c8..4bc0ce3 100644
+--- a/linux_priv.c
++++ b/linux_priv.c
+@@ -69,6 +69,9 @@ void drop_privileges(void) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);
++#ifdef __NR_futex_time64
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex_time64), 0);
++#endif
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_wait), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_pwait), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 0);
+@@ -77,6 +80,12 @@ void drop_privileges(void) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(writev), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat64), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstatat64), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0);
++#ifdef __NR_statx
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(statx), 0);
++#endif
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
+@@ -96,6 +105,7 @@ void drop_privileges(void) {
+
+ #ifdef MEMCACHED_DEBUG
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(readv), 0);
+@@ -103,7 +113,6 @@ void drop_privileges(void) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
+
+ if (settings.relaxed_privileges) {
+- rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mkdir), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0);
+ }
+@@ -139,6 +148,9 @@ void drop_worker_privileges(void) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0);
++#ifdef __NR_futex_time64
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex_time64), 0);
++#endif
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_wait), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_pwait), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 0);
+@@ -157,12 +169,21 @@ void drop_worker_privileges(void) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, SCMP_A1(SCMP_CMP_EQ, TIOCGWINSZ));
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msync), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday), 0);
+
+ // for spawning the LRU crawler
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clone), 0);
++#ifdef __NR_clone3
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clone3), 0);
++#endif
++#ifdef __NR_rseq
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rseq), 0);
++#endif
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(set_robust_list), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(madvise), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_nanosleep), 0);
+
+ // stat
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0);
+@@ -171,8 +192,10 @@ void drop_worker_privileges(void) {
+ if (settings.shutdown_command) {
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tgkill), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tkill), 0);
+- rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat64), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstatat64), 0);
++ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
+ rc |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(gettid), 0);
+ }
+--
+2.40.1
+
diff --git a/memcached/PKGBUILD b/memcached/PKGBUILD
index da74f39..19545bd 100644
--- a/memcached/PKGBUILD
+++ b/memcached/PKGBUILD
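Review bot: The `fstat64` and `fstatat64` rules are added unguarded in both `drop_privileges` and `drop_worker_privileges`, while the same patch wraps `futex_time64`, `statx`, `clone3` and `rseq` in `#ifdef __NR_*`; both are 32-bit-only syscalls, so on x86_64 libseccomp must resolve them to a pseudo number, and whether a non-strict `seccomp_rule_add` quietly skips or rejects such a rule depends on the libseccomp version — a rejection would land in the accumulated `rc` and, presumably, abort startup like any other rule failure. Guarding them as `#ifdef __NR_fstat64` / `#ifdef __NR_fstatat64` keeps the list self-documenting and removes the dependence on that tolerance. The path-taking `newfstatat`/`statx` rules widen the allowlist well beyond the fd-only `fstat` they sit next to; if they are needed solely because current glibc implements `fstat()` via `fstatat(fd, "", …, AT_EMPTY_PATH)`, an argument filter on the flags word (`SCMP_A3(SCMP_CMP_MASKED_EQ, AT_EMPTY_PATH, AT_EMPTY_PATH)` for newfstatat, `SCMP_A2` for statx) keeps the original fd-only scope, which is worth a comment either way. The `#endif` closing the `MEMCACHED_DEBUG` block that now contains the unconditional `openat` rule is outside the nested hunk, so whether `openat` also became allowed in non-debug builds cannot be confirmed from here; both seccomp functions extend beyond the hunks shown.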
@@ -6,16 +6,28 @@
 #-----------------------------------------| DESCRIPTION |---------------------------------------
 pkgname=memcached
-pkgver=1.6.18
+pkgver=1.6.19
 pkgrel=01
 pkgdesc='Distributed memory object caching system w/o systemd'
 url='https://memcached.org/'
-arch=('x86_64')
 depends=('glibc' 'libevent' 'libseccomp' 'libseccomp.so')
 optdepends=('perl: for memcached-tool usage')
 source=(https://www.memcached.org/files/${pkgname}-${pkgver}.tar.gz
 memcached.sysusers
- memcached.tmpfiles)
+ memcached.tmpfiles
+ 0001-tests-enable-drop_privileges-by-default-for-better-s.patch
+ 0002-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch)
+
+prepare() {
+ cd ${pkgname}-${pkgver}
+
+ patch -Np1 < ../0001-tests-enable-drop_privileges-by-default-for-better-s.patch
+ patch -Np1 < ../0002-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch
+# patch -Np1 < ../memcached.service.patch
+# sed -e 's/^##safer##//g' -i scripts/*.service
+
+}
+
 build() {
 cd ${pkgname}-${pkgver}
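Review bot: The two commented-out lines `# patch -Np1 < ../memcached.service.patch` and `# sed -e 's/^##safer##//g' -i scripts/*.service` inside the new prepare() are the systemd steps copied from PKGBUILD-arch's prepare(); in a package whose pkgdesc says `w/o systemd` they read as unfinished rather than deliberately disabled. Either delete them or replace them with a one-line comment such as `# service patch/sed from the Arch PKGBUILD intentionally omitted: no systemd here`. The two active `patch -Np1 < ../…` lines are fine as written, since makepkg checks the sha256sums of both patch files before prepare() runs, so the seccomp allowlist change only ever comes from the verified local files.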
@@ -42,14 +54,16 @@ package() {
 }
-#---- license gpg-key sha256sums ----
+#---- arch license gpg-key & sha256sums ----
+
+arch=(x86_64)
 license=('GPL')
-sha256sums=(cbdd6ab8810649ac5d92fcd0fcb0ca931d8a9dbd0ad8cc575b47222eedd64158 # memcached-1.6.18.tar.gz
+sha256sums=(2fd48b047146398b073a588e97917d9bc908ce51978580d8e0bedaa123b4c70d # memcached-1.6.19.tar.gz
 228c4f536f3c9f9eee4e11226ec8846a22d4ba46c2d3bf2811413efcc322609a # memcached.sysusers
- c4d0ae2218b99a276ff6e0084ae81e66add0ca9347e4bde70e9172db6e44002a) # memcached.tmpfiles
-
-## 2c9f6535c734e63ed29ade98e41797b05fb4a8cb5a752469659bdc6f39ae8039 memcached-1.6.18-01-x86_64.pkg.tar.lz
-
+ c4d0ae2218b99a276ff6e0084ae81e66add0ca9347e4bde70e9172db6e44002a # memcached.tmpfiles
+ 7bfe200e3bb1435e9f0bf73c2aa6a643cf11aa9d90e8ea127cff21a711e4ecb0 # 0001-tests-enable-drop_privileges-by-default-for-better-s.patch
+ 027a83492f8fa0d5a2a99c0826d8d29547898e137a8330e8c4ca51502b8ada1a) # 0002-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch
+## 86579141c0bb8a680121481a79984cef65209e39987202d36ee8b5cf3a7ce663 memcached-1.6.19-01-x86_64.pkg.tar.lz
diff --git a/memcached/PKGBUILD-arch b/memcached/PKGBUILD-arch
index 4417b54..e484104 100644
--- a/memcached/PKGBUILD-arch
+++ b/memcached/PKGBUILD-arch
@@ -3,7 +3,7 @@
 # Contributor: Michael Irwin <6d6469@gmail.com>
 pkgname=memcached
-pkgver=1.6.18
+pkgver=1.6.19
 pkgrel=1
 pkgdesc='Distributed memory object caching system'
 url='https://memcached.org/'
@@ -14,14 +14,20 @@ optdepends=('perl: for memcached-tool usage')
 source=(https://www.memcached.org/files/${pkgname}-${pkgver}.tar.gz
 memcached.service.patch
 memcached.tmpfiles
- memcached.sysusers)
-sha512sums=('85e5a5e7c901b02158ea20cc58f2e7e6ba4806c40a0105185140b31fa40f3ce0fc704f6f17ea4a425a9ff543f9d30092aadbb202ea4ca46476c151e65eac97e6'
+ memcached.sysusers
+ 0001-tests-enable-drop_privileges-by-default-for-better-s.patch
+ 0001-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch)
+sha512sums=('60d93065e0ef2b17e9da5370a497a4fbfc64c0af70e14fdfdab60c0c94c0b19e30da31d615e19565474c278141a4cb401c65fd79bd70947dd96a9fee81824a74'
 'dd21f49062054c601469f9abc9ee39a0f06c604e8805e7bc9bf2cfa65429962f93e7ac67764257c578fc15b1e75394956f350162c99b084c76a6e14d9331f31f'
 '960705ff74d25afed477e0b2a5872a3a4fb49ed3105a351f0d0224abc947778f9dbda81e80be94ab636da4a8411a9dd56a8fd4513e5b86a3096a14fa67f1548b'
- 'e6ddcab9a6fee024072b6363ef60aa176ed258369bf3a17d475f19b1f410ffd6195b9c5737dc5b1371e8974b44bdbdaa109927acaeb54fb40302a5d67d7c13a8')
+ 'e6ddcab9a6fee024072b6363ef60aa176ed258369bf3a17d475f19b1f410ffd6195b9c5737dc5b1371e8974b44bdbdaa109927acaeb54fb40302a5d67d7c13a8'
+ '5da2a4fb0cdaefe9527dec67e01d881161c49a1593f11ddccf28fb55cbc25fe841ea8eca8a50387e2fef5bc304f12a5c9af4909543eafc0f8865dea39f9e8355'
+ '8d2518507cf843202dc90c10f6fce3c3fc9b41c7aaf10ff0b862c31d30bbbec7de92f9be0327ea3e58e77e29ae2a12b2f47370502bbddc04324f394cfdd7d4a8')
 prepare() {
 cd ${pkgname}-${pkgver}
+ patch -Np1 < ../0001-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch
+ patch -Np1 < ../0001-tests-enable-drop_privileges-by-default-for-better-s.patch
 patch -Np1 < ../memcached.service.patch
 sed -e 's/^##safer##//g' -i scripts/*.service
 }
diff --git a/memcached/deps b/memcached/deps
index 5e80e1a..3ec5478 100644
--- a/memcached/deps
+++ b/memcached/deps
@@ -1,2 +1,3 @@
+
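Review bot: PKGBUILD-arch's new source entry and its prepare() line both name `0001-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch`, but the file this commit adds (and that PKGBUILD applies) is `0002-seccomp-extend-syscalls-tested-on-Linux-6.1-with-gli.patch`, so makepkg would stop at the source lookup for the missing file. If PKGBUILD-arch is meant to be buildable from this directory, change both references to the `0002-` name and confirm the trailing sha512 against the file actually shipped; if it is kept only as a copy of the upstream Arch PKGBUILD for comparison, a header comment saying so would explain why its names and hashes diverge. The two patches are applied in the opposite order from PKGBUILD, which is harmless since they touch different files.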