Merge pull request #2501 from flatcar/krnowak/move-sssd

Update SSSD, move to portage-stable

Author: krnowak

.github/workflows/portage-stable-packages-list

@@ -252,7 +252,6 @@ dev-libs/libltdl
 dev-libs/libmspack
 dev-libs/libnl
 dev-libs/libp11
-dev-libs/libpcre
 dev-libs/libpcre2
 dev-libs/libpipeline
 dev-libs/libpwquality
@@ -502,6 +501,7 @@ net-dialup/lrzsz
 net-dialup/minicom
 
 net-dns/bind
+net-dns/bind-tools
 net-dns/c-ares
 net-dns/dnsmasq
 net-dns/libidn2
@@ -512,7 +512,6 @@ net-firewall/ipset
 net-fs/cifs-utils
 
 net-libs/gnutls
-net-libs/http-parser
 net-libs/libmicrohttpd
 net-libs/libmnl
 net-libs/libnetfilter_conntrack
@@ -614,6 +613,8 @@ sys-apps/util-linux
 sys-apps/which
 sys-apps/zram-generator
 
+sys-auth/sssd
+
 sys-block/open-iscsi
 sys-block/open-isns
 sys-block/parted

changelog/security/2024-12-03-sssd-update.md

@@ -0,0 +1 @@
+- sssd ([CVE-2023-3758](https://nvd.nist.gov/vuln/detail/CVE-2023-3758))

changelog/updates/2024-12-03-sssd-update.md

@@ -0,0 +1 @@
+- sssd ([2.9.5](https://sssd.io/release-notes/sssd-2.9.5.html) (includes [2.9.4](https://sssd.io/release-notes/sssd-2.9.4.html), [2.9.3](https://sssd.io/release-notes/sssd-2.9.3.html), [2.9.2](https://sssd.io/release-notes/sssd-2.9.2.html), [2.9.1](https://sssd.io/release-notes/sssd-2.9.1.html), [2.9.0](https://sssd.io/release-notes/sssd-2.9.0.html), [2.8.0](https://sssd.io/release-notes/sssd-2.8.0.html), [2.7.0](https://sssd.io/release-notes/sssd-2.7.0.html), [2.6.0](https://sssd.io/release-notes/sssd-2.6.0.html), [2.5.0](https://sssd.io/release-notes/sssd-2.5.0.html), [2.4.0](https://sssd.io/release-notes/sssd-2.4.0.html))

sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-auth/sssd

@@ -1 +1,15 @@
-export ac_cv_member_struct_ldap_conncb_lc_arg=no
+# `--enable-sss-default-nss-plugin` enables nss lookup with sss
+# plugin, even if sssd is not running.
+export EXTRA_ECONF="--enable-sss-default-nss-plugin"
+
+# We haven't switched to having pam config in /etc, so move the files
+# to /usr.
+cros_post_src_install_move_pamd() {
+	mkdir -p "${ED}/usr/share/"
+	mv "${ED}/etc/pam.d" "${ED}/usr/share/pam.d"
+}
+
+# This is to make sure that some sssd config is always in place.
+cros_post_src_set_initial_config() {
+	cp -a "${ED}"/etc/sssd/sssd{-example,}.conf
+}

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/sssd/0001-Assume-that-callbacks-are-not-broken-in-OpenLDAP-whe.patch

@@ -0,0 +1,34 @@
+From a559550c8e2d162735ff8a43de6dc59af71cf3df Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <[email protected]>
+Date: Tue, 3 Dec 2024 19:05:44 +0100
+Subject: [PATCH] Assume that callbacks are not broken in OpenLDAP when
+ cross-compiling
+
+If we do cross-compiling against a known broken version of OpenLDAP,
+we can do `export ac_cv_member_struct_ldap_conncb_lc_arg=no` before
+running configure. This is rather unlikely now, as the test was done
+to detect a bug that was fixed 16 years ago.
+
+This allows the project to be configured successfully when
+cross-compiling, without disabling connection callbacks.
+---
+ src/external/ldap.m4 | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/external/ldap.m4 b/src/external/ldap.m4
+index f42023cd4..09e44fc7b 100644
+--- a/src/external/ldap.m4
++++ b/src/external/ldap.m4
+@@ -80,7 +80,8 @@ AC_CHECK_MEMBERS([struct ldap_conncb.lc_arg],
+                    [AC_DEFINE([HAVE_LDAP_CONNCB], [1],
+                      [Define if LDAP connection callbacks are available])],
+                    [AC_MSG_WARN([Found broken callback implementation])],
+-                   [])],
++                   [AC_DEFINE([HAVE_LDAP_CONNCB], [1],
++                     [Define if LDAP connection callbacks are available])])],
+                  [], [[#include <ldap.h>]])
+ 
+ AC_CHECK_TYPE([LDAPDerefRes],
+-- 
+2.34.1
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/sssd/README.md

@@ -0,0 +1,3 @@
+The `0001-Assume-that-callbacks-are-not-broken-in-OpenLDAP-whe.patch` allows
+the project to be cross-compiled without disabling LDAP connection
+callbacks. It is being upstreamed.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/oem-aci/parent

@@ -1,6 +1,3 @@
 # Only ship microcode currently distributed by Intel
 # See https://bugs.gentoo.org/654638#c11 by iucode-tool maintainer
 sys-firmware/intel-microcode vanilla
-
-# Enable gssapi only for amd64, to avoid build errors in arm64.
-net-dns/bind                 gssapi

sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use

@@ -104,6 +104,7 @@
 # Keep versions on both arches in sync.
 =sys-apps/kexec-tools-2.0.28 ~arm64
 =sys-apps/zram-generator-1.1.2-r1 ~arm64
+=sys-auth/sssd-2.9.5 ~arm64
 =sys-boot/mokutil-0.7.2 **
 
 # Enable ipvsadm for arm64.

sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/generic/oem-aci/parent

@@ -51,8 +51,8 @@ sys-fs/squashfs-tools xz lz4 lzma lzo zstd
 # make the kernel version discoverable via the traditional gentoo symlink
 sys-kernel/coreos-sources symlink
 
-# set build options for ssdp
-net-nds/openldap minimal sasl
+# set build options for sssd
+net-nds/openldap minimal sasl experimental
 sys-libs/glibc nscd
 
 # disable database build because otherwise it tries to generate a database in /etc
@@ -100,7 +100,8 @@ sys-apps/kmod lzma
 app-portage/portage-utils -qmanifest
 
 # Disable unnecessary regedit in samba to minimize the package size.
-net-fs/samba -regedit
+# winbind needed by sssd
+net-fs/samba -regedit winbind
 
 # Drop extra dependencies
 sys-libs/ldb -lmdb -python
@@ -160,3 +161,7 @@ sys-fs/zfs minimal -rootfs
 # Do not tinker with /boot partition at installation time.
 sys-firmware/intel-microcode -initramfs
 sys-fs/zfs-kmod -initramfs
+
+# For sys-auth/sssd
+net-dns/bind       gssapi
+net-dns/bind-tools gssapi

sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use

@@ -31,6 +31,3 @@ x11-libs/pixman static-libs
 
 # Get latest EDK2 firmware for Secure Boot on arm64.
 app-emulation/qemu -pin-upstream-blobs
-
-# Enable gssapi for SDK
-net-dns/bind                 gssapi