setup: Port sysctl hardening settings from IPFire 2.x

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

strongswan: Update to 5.9.11

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

ca-certificates: Update to 2023.09

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

qemu: update to 8.1.0

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

qemu: update 8.0.4

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nano: Update to 7.2

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nftables: Update to 1.0.8

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnftnl: Update to 1.2.6

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Unbound: Update to 1.18.0

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

psmisc: The project's homepage moved to Gitlab

However, its tarballs are still to be retrieved from SF.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: update to 6.5.3

and also enable CONFIG_INPUT_EVDEV to handle ACPI power
button.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

strace: Update to 6.5

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pakfire: Update to 0.9.29

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libbpf: New package

This is required by Pakfire.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pam: Update to 1.5.3

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

.gitignore: Ignore .pfm files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

fontconfig: Require libuuid at build time

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

systemd: Update to 254

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Mass rebuild for incorrectly packaged libtool archive files

Due to a pattern matching bug in Pakfire, those files have been
incorrectly packages instead of being deleted which results in build
errors when linking.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vim: Rebuild against new glibc

VIM immediately crashes and rebuilding it fixes the problem.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ethtool: Update to 6.5

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glib2: Bump release to rebuild after Pakfire bug

The fix interpreter function has corrupted some scripts which no longer
can be executed any more and therefore this package needs to be rebuilt.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

perl: Fix that the package can be installed

Perl packages require "perl(strict)" which was accidentially dropped
from the manual provides list. Furthermore, perl(Test) is a common
package that is needed for building modules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ca-certificates: Fix generating certificate store

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

p11-kit: Update to 0.25.0

This change also sets the path for p11-kit to search for certificates.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libtool: Rebuild package because of a Pakfire bug

Pakfire incorrectly changed the interpreter of the libtoolize script
which breaks it entirely.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Update to 2.38

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libpwquality: Require zlib

This package requires zlib to build.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

mpfr: Update to 4.2.1

The testsuite keeps failing for a couple of releases now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

patchelf: Disable the testsuite

It currently fails on ARM and I don't have the time to debug this now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cyrus-sasl: Make the devel package require its libraries

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

perl-File-HomeDir: Fix limiting to building only on noarch

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Change how we make packages "noarch"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libarchive: Update to 3.7.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

*: Change how we define build architectures

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gcc: Update to 12.3.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wget: Update to 1.12.4

Fixes: #13218 - wget 1.21.4 has been released
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Enable IBT on x86

This change has recently been made in IPFire 2 and is being backported
in this patch.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Disable the entire sound subsystem

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Update to Linux 6.4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Update to Linux 6.3

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Replace Python 2 interpreter by Python 3

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nghttp2: Replace Python 2 by Python 3

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libevent: Run event_rpcgen.py with Python 3

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Fix running the testsuite

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dbus-glib: Disable the testsuite

It requires dbus-run-session which we do not package any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gawk: Update to 5.2.2 and disable PMA tests

Those tests cannot be run as root, so we have to disable them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcpcd: Update to 10.0.1

The project has been moved to GitHub.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openssl: Make sure we perform a parallel build

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

systemd: Use sysusers mechanism inside the jail

Change the old user/group creation mechanism to use systemd's
sysusers mechanism instead.

This is a bit of a tricky part, because before systemd we do not have
this binary. So at first we have to push the sysusers files to the jails
sysusers directory and use the previous compiled and installed systemd-sysusers
binary in order to create the groups/users which are part of systemd
inside the jail.

After that, everything works quite normal when modifying the files or
direcotry owners.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

systemd: Build manpages again

This "optional" feature now has to be enabled.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

systemd: Move some basic tools into own package

The systemd-sysusers and systemd-tmpfiles tools
are used by various services and the build system in order
to install / build packages.

Moving this tools into an own package allows us to early access
them without requiremet to install the whole systemd package.

Anyway the systemd package requires those tools to proper get
installed and handle their own sysusers files.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Disable multilib support on X86_64

This requires a 32bit glibc to link against, which we do not have.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

unbound: Create missing directory for root anchor

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

whois: Change download location

Debian moved to a recent version of which and dropped
the source tarball from their server.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

systemd: Enable sysusers subsystem

This allows dynamically user and group creation based on
sysusers config files.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

systemd: Update to 253

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

glibc: Fix runtime linker path chaos

Some architectures have a specific path for their runtime linker
hardcoded and in order to avoid installing them into /lib or /lib64
instead of /usr/lib or /usr/lib64, we are adding artificial provides.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gcc: Harden this package

This is a major rewrite of this package which should probably be broken
down into several commits, but since GCC takes many hours to build, this
has now been mushed into one to keep us moving forward.

This patch re-introduces a full bootstrap of GCC.

We also build GCC with our own compiler flags and make it pass our
hardening checks which includes patching the build system to build GCC
itself as PIE.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Fix RUNPATH in gconv libraries

Those libraries uses a special RUNPATH called $ORIGIN which we
do not support in IPFire. So changing this to the directory where
the are installed.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

chrpath: Drop package

This package has seen no updates for a long time and has been
replaced by the similar and better supported patchelf.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

gettext: Switch to patchelf to remove the RPATH

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

libldb: Switch to patchelf to remove the RPATH

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

libdb: Switch to patchelf to remove the RPATH

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

net-snmp: Switch to patchelf to remove the RPATH

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

tcpdump: Switch to patchelf to remove the RPATH

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

patchelf: New package

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

filesystem: Make filesystem structure FHS compliant

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Proper build the helper binaries with our C and LDFLAGS

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

liboping: Re-enable setting capabilities

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

iputils: Re-enable setting capabilities

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

util-linux: Re-enable setting capabilities

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

nfs-utils: mount.nfs - Use capabilities instead of suid bit

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

shadow-utils: Use capabilites and remove more unused binaries

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

unbound: Use /run instead of /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

screen: Make screen FHS compliant

* Explicit use pam.
* Change socket dir to /run and add tmpfiles file.
* Only ship a simple screen binary without version
  fragments
* Remove SUID bit from binary

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

sudo: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

network: Add patch to fix logdir

Add upstream patch to proper set the location
to the logdir.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

openssh: Change privsep directory to /var/lib/sshd

The old one /var/empty/sshd violated our FHS

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

samba: Drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

unbound: Do not create /var/run

This violates our FHS specs.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

tcl: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

sssd: Use /var/lib/sss and drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

squid: Drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

snort: Set correct permissions of helper script

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

spectre-meltdown-checker: Install binary with correct permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

python3-pygobject3: Fix header file permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

python3-cairo: Fix header permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ppp: Fix binary permissions and drop deprecated dirs in /var

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

plymouth: Drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-WWW-Curl: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-WWW-Curl: Enable testsuite

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-XML-Parser: Fix library permissions

* Also enable the testsuite
* Drop old fragment from QA

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-XML-Parser: Set correct perl dependencies

Do not longer use perl-core/perl-devel as build
dependencies.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-TermReadkey: Enable testsuite

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-TermReadkey: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-SGMLSpm: Drop unneccessary perl script

We do not need this and it violates our FHS specs.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Parse-Yapp: Fix library and binary permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Net-SSLeay: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-libintl-perl: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>