openssh: Change privsep directory to /var/lib/sshd

The old one /var/empty/sshd violated our FHS

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

samba: Drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

unbound: Do not create /var/run

This violates our FHS specs.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

tcl: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

sssd: Use /var/lib/sss and drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

squid: Drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

snort: Set correct permissions of helper script

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

spectre-meltdown-checker: Install binary with correct permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

python3-pygobject3: Fix header file permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

python3-cairo: Fix header permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ppp: Fix binary permissions and drop deprecated dirs in /var

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

plymouth: Drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-WWW-Curl: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-WWW-Curl: Enable testsuite

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-XML-Parser: Fix library permissions

* Also enable the testsuite
* Drop old fragment from QA

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-XML-Parser: Set correct perl dependencies

Do not longer use perl-core/perl-devel as build
dependencies.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-TermReadkey: Enable testsuite

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-TermReadkey: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-SGMLSpm: Drop unneccessary perl script

We do not need this and it violates our FHS specs.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Parse-Yapp: Fix library and binary permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Net-SSLeay: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-libintl-perl: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-IO-AIO: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-HTML-Tagset: Add proper perl build dependencies

Do not longer depend on perl-core or perl-devel.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-HTML-Parser: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-GSSAPI: Fix library permissions

* Also enable the testsuite

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-FCGI: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-DBI: Fix library and binary permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Digest-SHA1: Enable testsuite

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Digest-SHA1: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Crypt-OpenSSL-X509: Enable testsuite

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Crypt-OpenSSL-X509: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-Coro: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl-BDB: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

libvirt: Fix binary permissions and drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

pciutils: Install header files with correct permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

bash: Set correct permissions for /root and binaries

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

openssh: Fix permissions for sshd-keygen

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

openldap: Do not ship /run/openldap anymore

This violetes our FHS specs

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

nettle: Fix library permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

net-snmp: Do not create /var/run anymore

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

netpbm: Drop unneeded pkgconfig_template file

Anyway it was located at an invalid place.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

mdadm: Use systemd tmpfile

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

lvm2: Do not ship /run and it's content

This violetes our FHS specs

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

lm-sensors: Proper use compiler and linker flags during build time

Those flags are required during build time and not during installation.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

lldpd: Do not create /run/lldpd

This violates our FHS specs.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

kea: Drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

krb5: Change /var/kerberos to /var/lib/kerberos

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

libdb: Fix binary and header file permissions

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

iptraf-ng: Proper use our compiler and linker flags

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

iptraf-ng: Do not longer create /var/lock

This folder violetes our FHS specs.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

intel-microcode: Set correct permissions for dirs and files

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

gettext: The config.rpath script needs to be executeable

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dma: Update to 0.13

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

chrpath: Install documentation to the correct place

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dhcpcd: Fix permissions of dhcpcd binary

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

cyrus-sasl: Use /run instead of /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

cups: Fix file permissions in /usr/include and drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

sudo: Use systemd tmpfiles mechanism

Use the tmpfiles mechanism from systemd to proper
recreate the /run/sudo directory.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

bird: Drop /var/run

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

git: Hook examples should not be executeable

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

gettext: Drop unneccessary stuff

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

sgml-common: Drop HTML documentation

We do not need this on our systems - anyway it
has been installed in a wrong directory.

Also replaced all hardcoded path values.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

docbook-xsl: Fix file and directory permissions

The violated our FHS standards.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

docbook-utils: Drop HTML documentation

We do not need this on our systems - Anyway it has been
installed to a wrong place by default.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

docbook-dtds: Install files not executeable

This is not required and vilates our FSH standards.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

qemu: Drop unused firmware files and /var/run

* Drop firmware files for platforms we do not support.
* Drop /var/run directory which violetes the FSH.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl: Fix library permissions

They did not fit the FSH and our own specs.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

util-linux: Do no create /run/uuidd

The folder will be created by systemd and violates the FSH.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

systemd: Do not create /run/log/journal

This will be done by the corresponding tmpfiles configuration
and violetes the FHS.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

setup: Do not create /run/motd.d folder

This folder will be created from systemd by the corresponding
tmpfiles script and fails our FHS checks.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

dwz: New package

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xxhash: New package

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Make this package confirm to FHS/Hardening

This patch changes many things about glibc in one go. Sorry.

We move glibc out of /lib so that we no longer install any files where
they should not be according to our FHS.

We also enable SSP-all and ensure that everything is properly hardened.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Disable building NSCD

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libvirt: Fix compiling virt-shell-login with GCC 12

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

graphviz: Proper harden some binaries

Use some additional compiler flags, to proper
harden them.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

jsoncpp: Disable building object failes

We do not need those and they fail the hardening check.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libunwind: Update to 1.6.2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Use our LDFLAGS for gcc plugins

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libdb: Do not strip during build time

We need the debug symbols for our hardening checks and anyway
will strip them later for the debuginfo packages.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cups: Enable building debug symbols during build time

We need those for our hardening checks and to create the related debuginfo
packages.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ncurses: Avoid stripping the symbols from binaries

Do not strip any symbols from the binaries during build time.
We need those for our hardening checks and will do the stripping for
the debuginfo packages afterwards.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

mc: Proper harden consaver binary

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

mc: Patch/Drop python 2 based helper scripts

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnl: Drop package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

iw: Link agains libnl3

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

iproute2: Does not longer depend on libnl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libpcap: Does not longer depend on libnl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libvirt: Does not longer depend on libnl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libcap: Fix hardening

* Add CFLAGS to workaround a compiler bug with
  affects SSP in some cases.

* Add patch to proper use our CFLAGS

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

e2fsprogs: Fix hardening

Add CFLAGS to workaround a compiler bug with
affects SSP in some cases.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bzip2: Respect CFLAGS and LDFLAGS

Add two patches to proper use our CFLAGS and LDFLAGS.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

avahi: Compile with -fstack-protector-all

We have to use the configure flag to disable the
stack-protector to avoid overwriting our own stack protector
flags.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl: Force perl to build with -fstack-protector-all

Forcing perl to build with -fstack-protector-all and not with
-fstack-protector-strong.

More details could be found here:
https://git.ipfire.org/?p=pakfire.git;a=commit;h=f1153a857affb461de71d0c7e62cbf39de0c802b

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

perl: Fix broken dependency for perl-core meta package

The perl-DynaLoader package has been moved back into main perl
package.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

krb5: Proper harden some binaries

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

krb5: Use macro logic to build the package

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vim: Do not strip binaries during install

We need the symbols for our hardening checks. They anyway will be
stripped afterwards and packed into the debuginfo packages.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nfs-utils: Do not strip binary during installation

We need the symbols for our hardening checks. The files anyway
will be stripped afterwards and those symbols will be packed into
the debuginfo packages.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>