kcgi: fix seccomp sandbox

srcpkgs/kcgi/patches/sandbox-musl.patch

@@ -1,22 +0,0 @@
---- sandbox-seccomp-filter.c.orig
-+++ sandbox-seccomp-filter.c
-@@ -106,7 +106,9 @@
- 	SC_ALLOW(recvmsg),
- #endif
- 	SC_ALLOW(read),
-+	SC_ALLOW(readv),
- 	SC_ALLOW(write),
-+	SC_ALLOW(writev),
- 	SC_ALLOW(close),
- #ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
- 	SC_ALLOW(shutdown),
-@@ -158,7 +160,9 @@
- 	SC_ALLOW(time),
- #endif
- 	SC_ALLOW(read),
-+	SC_ALLOW(readv),
- 	SC_ALLOW(write),
-+	SC_ALLOW(writev),
- 	SC_ALLOW(close),
- #ifdef __NR_fcntl64 /* only noted on arm */
- 	SC_ALLOW(fcntl64),

srcpkgs/kcgi/patches/sandbox.patch

@@ -0,0 +1,73 @@
+--- sandbox-seccomp-filter.c.orig
++++ sandbox-seccomp-filter.c
+@@ -85,7 +85,9 @@
+ 	/* Load the syscall number for checking. */
+ 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+ 		offsetof(struct seccomp_data, nr)),
++#ifdef __NR_open /* not defined on AARCH64 */
+ 	SC_DENY(open, EACCES),
++#endif
+ 	SC_ALLOW(getpid),
+ 	SC_ALLOW(gettimeofday),
+ 	SC_ALLOW(clock_gettime),
+@@ -106,18 +108,24 @@
+ 	SC_ALLOW(recvmsg),
+ #endif
+ 	SC_ALLOW(read),
++	SC_ALLOW(readv),
+ 	SC_ALLOW(write),
++	SC_ALLOW(writev),
+ 	SC_ALLOW(close),
+ #ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+ 	SC_ALLOW(shutdown),
+ #endif
+ 	SC_ALLOW(brk),
++#ifdef __NR_poll /* not defined on AARCH64 */
+ 	SC_ALLOW(poll),
++#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(_newselect),
+ #else
++#ifdef __NR_select /* not defined on AARCH64 */
+ 	SC_ALLOW(select),
+ #endif
++#endif
+ 	SC_ALLOW(madvise),
+ #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+ 	SC_ALLOW(mmap2),
+@@ -150,7 +158,9 @@
+ 	/* Load the syscall number for checking. */
+ 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
+ 		offsetof(struct seccomp_data, nr)),
++#ifdef __NR_open /* not defined on AARCH64 */
+ 	SC_DENY(open, EACCES),
++#endif
+ 	SC_ALLOW(getpid),
+ 	SC_ALLOW(gettimeofday),
+ 	SC_ALLOW(clock_gettime),
+@@ -158,7 +168,9 @@
+ 	SC_ALLOW(time),
+ #endif
+ 	SC_ALLOW(read),
++	SC_ALLOW(readv),
+ 	SC_ALLOW(write),
++	SC_ALLOW(writev),
+ 	SC_ALLOW(close),
+ #ifdef __NR_fcntl64 /* only noted on arm */
+ 	SC_ALLOW(fcntl64),
+@@ -167,11 +179,15 @@
+ 	SC_ALLOW(shutdown),
+ #endif
+ 	SC_ALLOW(brk),
++#ifdef __NR_poll /* not defined on AARCH64 */
+ 	SC_ALLOW(poll),
++#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(_newselect),
+ #else
++#ifdef __NR_select /* not defined on AARCH64 */
+ 	SC_ALLOW(select),
++#endif
+ #endif
+ 	SC_ALLOW(madvise),
+ #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */

srcpkgs/kcgi/template

@@ -1,7 +1,7 @@
 # Template file for 'kcgi'
 pkgname=kcgi
 version=0.10.8
-revision=1
+revision=2
 build_style=configure
 configure_args="PREFIX=/usr MANDIR=/usr/share/man SBINDIR=/usr/bin"
 make_check_target="regress"
@@ -13,6 +13,20 @@ homepage="http://kristaps.bsd.lv/kcgi/"
 distfiles="http://kristaps.bsd.lv/kcgi/snapshots/kcgi-${version}.tgz"
 checksum=878c8134d48a3048ea0bc28315fe95698fb9c764023d9244610d7e481ef3734c
 
+post_configure() {
+	local suffix
+	case "${XBPS_TARGET_MACHINE}" in
+	i686*) suffix="X86" ;;
+	x86_64*) suffix="X86_64" ;;
+	arm*) suffix="ARM" ;;
+	aarch64*) suffix="AARCH64" ;;
+	esac
+	echo "suffix $suffix <<<<<" >&2
+	[ -z "$suffix" ] \
+		&& sed -i "/AUDIT_ARCH_X86_64/d" config.h \
+		|| sed -i "s/AUDIT_ARCH_X86_64/AUDIT_ARCH_${suffix}/" config.h
+}
+
 post_install() {
 	sed -n '2,16p' kcgi.c > LICENSE
 	vlicense LICENSE