On Sun, Jan 19, 2025 at 07:31:55PM +0000, Andrew Bower wrote: > You can find my proposed change as the head commit here: > > <https://salsa.debian.org/abower/runit/-/commits/xchpst-compat>
The salsa commit is on top of some other changes to fix the CI pipeline. I attach a patch purely against the current next branch.
From fbaf010f4e2b4044a97f124d6cd340e569c91c27 Mon Sep 17 00:00:00 2001 From: Andrew Bower <and...@bower.uk> Date: Sat, 4 Jan 2025 23:06:52 +0000 Subject: [PATCH] Add fake xchpst executable and man page for compat Install /usr/bin/xchpst and a corresponding man page to allow runscripts to invoke the extended chpst tool (xchpst) but falling back to chpst with compatible options when xchpst is not available. The paths will be diverted away by the xchpst package when installed. Closes: #1093545 --- debian/contrib/xchpst | 26 +++++++++++++++++++++ debian/contrib/xchpst.8 | 52 +++++++++++++++++++++++++++++++++++++++++ debian/copyright | 4 ++++ debian/runit.install | 2 ++ debian/runit.manpages | 2 +- 5 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 debian/contrib/xchpst create mode 100755 debian/contrib/xchpst.8 diff --git a/debian/contrib/xchpst b/debian/contrib/xchpst new file mode 100644 index 0000000..7ac6e2c --- /dev/null +++ b/debian/contrib/xchpst @@ -0,0 +1,26 @@ +#!/bin/sh +# +# Copyright: 2025 Andrew Bower <and...@bower.uk> +# License: BSD-3-Clause +# +# Fake xchpst that strips the extended options and passes everything after +# the first -@ or -- to classic chpst for use when xchpst is not available. +# +# To take advantage of xchpst compat in a runscript put all the extended +# options before a '-@' separator option and all classic chpst options +# after it. If no classic options are required then it is sufficient to use +# '--' as the separator before the target command. + +# Consume extended arguments +while [ $# -gt 0 -a "$1" != "-@" -a "$1" != "--" ] +do + shift +done + +# Consume -@ but not -- +if [ "$1" = "-@" ] +then + shift; +fi + +exec chpst "$@" diff --git a/debian/contrib/xchpst.8 b/debian/contrib/xchpst.8 new file mode 100755 index 0000000..f4a97aa --- /dev/null +++ b/debian/contrib/xchpst.8 @@ -0,0 +1,52 @@ +.Dd January 4, 2025. +.Dt xchpst 8 +.Os +.Sh NAME +.Nm xchpst.fake +.Nd fake xchpst that passes compatible arguments to chpst +.Sh SYNOPSIS +.Nm +.Op Ar XCHPST-OPTIONS +.Fl @ +.Op Ar CHPST-OPTIONS +.Op Fl - +.Op Ar COMMAND ... +.Sh DESCRIPTION +.Pp +The +.Nm +script strips all options preceding the +.Fl @ +separator +and passes the remainder of the arguments to +.Xr chpst 8 . +.Pp +The purpose of this script is to allow runscripts to take advantage of +.Nm xchpst Ns 's +advanced hardening features when the 'xchpst' package is installed and +fall back to only the classical +.Nm chpst +features otherwise, without having to have conditionality in the +runscripts which might reduce their readability. +.Pp +To be useful, +.Nm +should be installed as +.Pa /usr/bin/xchpst . +.Sh EXIT STATUS +The exit status is the return code from +.Nm chpst +or the target command. +.Sh EXAMPLES +The following command, +.Dl exec xchpst --cap-bs-keep CAP_SYS_TIME -@ -p 4 -- myntpd -D +in the absence of the real +.Nm xchpst +tool, is equivalent to: +.Dl exec chpst -p 4 -- myntpd -D +.Sh AUTHORS +.An -nosplit +.An Andrew Bower Aq Mt and...@bower.uk +.Sh BUGS +Please raise bug reports with: +.Dl reportbug runit diff --git a/debian/copyright b/debian/copyright index 23784cd..2bd3b6a 100644 --- a/debian/copyright +++ b/debian/copyright @@ -40,6 +40,10 @@ Files: debian/contrib/i-s-h/invoke-rc.d-*.in Copyright: 2000,2001 Henrique de Moraes Holschuh <h...@debian.org> License: GPL-2+ +Files: debian/contrib/xchpst* +Copyright: 2025 Andrew Bower <and...@bower.uk> +License: BSD-3-clause + License: BSD-3-clause Redistribution and use in source and binary forms, with or without modification, diff --git a/debian/runit.install b/debian/runit.install index 2a5a09c..227de01 100644 --- a/debian/runit.install +++ b/debian/runit.install @@ -36,3 +36,5 @@ debian/contrib/lib/async-timeout /usr/lib/runit debian/contrib/lib/finish-default /usr/lib/runit debian/contrib/lib/finish-exec /usr/lib/runit debian/contrib/lib/run_sysv_scripts /usr/lib/runit + +debian/contrib/xchpst /usr/bin diff --git a/debian/runit.manpages b/debian/runit.manpages index adb29bc..29aac5f 100644 --- a/debian/runit.manpages +++ b/debian/runit.manpages @@ -13,4 +13,4 @@ debian/contrib/update-service.8 debian/contrib/mk-runscript.8 debian/contrib/cpsv.8 debian/contrib/man/* - +debian/contrib/xchpst.8 -- 2.47.1
signature.asc
Description: PGP signature
