Radix cross Linux

Index: Makefile
===================================================================
--- Makefile	(nonexistent)
+++ Makefile	(revision 5)
@@ -0,0 +1,58 @@
+
+COMPONENT_TARGETS = $(HARDWARE_NOARCH)
+
+
+include ../../../../build-system/constants.mk
+
+
+url          = $(DOWNLOAD_SERVER)/sources/packages/n/dhcpcd
+
+versions     = 9.4.1
+pkgname      = dhcpcd
+suffix       = tar.xz
+
+tarballs     = $(addsuffix .$(suffix), $(addprefix $(pkgname)-, $(versions)))
+sha1s        = $(addsuffix .sha1sum, $(tarballs))
+
+patches      = $(CURDIR)/patches/dhcpcd-9.4.1-conf.patch
+patches     += $(CURDIR)/patches/dhcpcd-9.4.1-getrandom.patch
+
+.NOTPARALLEL: $(patches)
+
+
+BUILD_TARGETS = $(tarballs) $(sha1s) $(patches)
+
+
+include ../../../../build-system/core.mk
+
+
+.PHONY: download_clean
+
+
+$(tarballs):
+	@echo -e "\n======= Downloading source tarballs =======" ; \
+	 for tarball in $(tarballs) ; do \
+	   echo "$(url)/$$tarball" | xargs -n 1 -P 100 wget $(WGET_OPTIONS) - & \
+	 done ; wait
+
+$(sha1s): $(tarballs)
+	@for sha in $@ ; do \
+	   echo -e "\n======= Downloading '$$sha' signature =======\n" ; \
+	   echo "$(url)/$$sha" | xargs -n 1 -P 100 wget $(WGET_OPTIONS) - & wait %1 ; \
+	   touch $$sha ; \
+	   echo -e "\n======= Check the '$$sha' sha1sum =======\n" ; \
+	   sha1sum --check $$sha ; ret="$$?" ; \
+	   if [ "$$ret" == "1" ]; then \
+	     echo -e "\n======= ERROR: Bad '$$sha' sha1sum =======\n" ; \
+	     exit 1 ; \
+	   fi ; \
+	 done
+
+$(patches): $(sha1s)
+	@echo -e "\n======= Create Patches =======\n" ; \
+	 ( cd create-9.4.1-conf-patch      ; ./create.patch.sh ) ; \
+	 ( cd create-9.4.1-getrandom-patch ; ./create.patch.sh ) ; \
+	 echo -e "\n"
+
+download_clean:
+	@rm -f $(tarballs) $(sha1s) $(patches)
Index: create-9.4.1-conf-patch/create.patch.sh
===================================================================
--- create-9.4.1-conf-patch/create.patch.sh	(nonexistent)
+++ create-9.4.1-conf-patch/create.patch.sh	(revision 5)
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+VERSION=9.4.1
+
+tar --files-from=file.list -xJvf ../dhcpcd-$VERSION.tar.xz
+mv dhcpcd-$VERSION dhcpcd-$VERSION-orig
+
+cp -rf ./dhcpcd-$VERSION-new ./dhcpcd-$VERSION
+
+diff --unified -Nr  dhcpcd-$VERSION-orig  dhcpcd-$VERSION > dhcpcd-$VERSION-conf.patch
+
+mv dhcpcd-$VERSION-conf.patch ../patches
+
+rm -rf ./dhcpcd-$VERSION
+rm -rf ./dhcpcd-$VERSION-orig

Property changes on: create-9.4.1-conf-patch/create.patch.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: create-9.4.1-conf-patch/dhcpcd-9.4.1-new/src/dhcpcd.conf
===================================================================
--- create-9.4.1-conf-patch/dhcpcd-9.4.1-new/src/dhcpcd.conf	(nonexistent)
+++ create-9.4.1-conf-patch/dhcpcd-9.4.1-new/src/dhcpcd.conf	(revision 5)
@@ -0,0 +1,56 @@
+# A sample configuration for dhcpcd.
+# See dhcpcd.conf(5) for details.
+
+# Allow users of this group to interact with dhcpcd via the control socket.
+#controlgroup wheel
+
+# Inform the DHCP server of our hostname for DDNS.
+# Use hostname_short:
+hostname_short
+
+# Use the hardware address of the interface for the Client ID.
+#clientid
+# or
+# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
+# Some non-RFC compliant DHCP servers do not reply with this set.
+# In this case, comment out duid and enable clientid above.
+duid
+
+# Persist interface configuration when dhcpcd exits.
+persistent
+
+# vendorclassid is set to blank to avoid sending the default of
+# dhcpcd-<version>:<os>:<machine>:<platform>
+vendorclassid
+
+# A list of options to request from the DHCP server.
+option domain_name_servers, domain_name, domain_search
+option classless_static_routes
+# Respect the network MTU. This is applied to DHCP routes.
+option interface_mtu
+
+# Request a hostname from the network
+option host_name
+
+# Most distributions have NTP support.
+# Request ntp server by default:
+option ntp_servers
+
+# Rapid commit support.
+# Safe to enable by default because it requires the equivalent option set
+# on the server to actually work.
+option rapid_commit
+
+# A ServerID is required by RFC2131.
+require dhcp_server_identifier
+
+# Generate SLAAC address using the Hardware Address of the interface
+#slaac hwaddr
+# OR generate Stable Private IPv6 Addresses based from the DUID
+slaac private
+
+# Local Link configuration
+noipv4ll
+
+# Don't invoke wpa_supplicant by default
+nohook wpa_supplicant
Index: create-9.4.1-conf-patch/dhcpcd-9.4.1-new/src
===================================================================
--- create-9.4.1-conf-patch/dhcpcd-9.4.1-new/src	(nonexistent)
+++ create-9.4.1-conf-patch/dhcpcd-9.4.1-new/src	(revision 5)

Property changes on: create-9.4.1-conf-patch/dhcpcd-9.4.1-new/src
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: create-9.4.1-conf-patch/dhcpcd-9.4.1-new
===================================================================
--- create-9.4.1-conf-patch/dhcpcd-9.4.1-new	(nonexistent)
+++ create-9.4.1-conf-patch/dhcpcd-9.4.1-new	(revision 5)

Property changes on: create-9.4.1-conf-patch/dhcpcd-9.4.1-new
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: create-9.4.1-conf-patch/file.list
===================================================================
--- create-9.4.1-conf-patch/file.list	(nonexistent)
+++ create-9.4.1-conf-patch/file.list	(revision 5)
@@ -0,0 +1 @@
+dhcpcd-9.4.1/src/dhcpcd.conf
Index: create-9.4.1-conf-patch
===================================================================
--- create-9.4.1-conf-patch	(nonexistent)
+++ create-9.4.1-conf-patch	(revision 5)

Property changes on: create-9.4.1-conf-patch
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: create-9.4.1-getrandom-patch/create.patch.sh
===================================================================
--- create-9.4.1-getrandom-patch/create.patch.sh	(nonexistent)
+++ create-9.4.1-getrandom-patch/create.patch.sh	(revision 5)
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+VERSION=9.4.1
+
+tar --files-from=file.list -xJvf ../dhcpcd-$VERSION.tar.xz
+mv dhcpcd-$VERSION dhcpcd-$VERSION-orig
+
+cp -rf ./dhcpcd-$VERSION-new ./dhcpcd-$VERSION
+
+diff --unified -Nr  dhcpcd-$VERSION-orig  dhcpcd-$VERSION > dhcpcd-$VERSION-getrandom.patch
+
+mv dhcpcd-$VERSION-getrandom.patch ../patches
+
+rm -rf ./dhcpcd-$VERSION
+rm -rf ./dhcpcd-$VERSION-orig

Property changes on: create-9.4.1-getrandom-patch/create.patch.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new/src/privsep-linux.c
===================================================================
--- create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new/src/privsep-linux.c	(nonexistent)
+++ create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new/src/privsep-linux.c	(revision 5)
@@ -0,0 +1,458 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*
+ * Privilege Separation for dhcpcd, Linux driver
+ * Copyright (c) 2006-2021 Roy Marples <roy@marples.name>
+ * All rights reserved
+
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <sys/termios.h>	/* For TCGETS */
+
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/net.h>
+#include <linux/seccomp.h>
+#include <linux/sockios.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "common.h"
+#include "if.h"
+#include "logerr.h"
+#include "privsep.h"
+
+/*
+ * Set this to debug SECCOMP.
+ * Then run dhcpcd with strace -f and strace will even translate
+ * the failing syscall into the __NR_name define we need to use below.
+ * DO NOT ENABLE THIS FOR PRODUCTION BUILDS!
+ */
+//#define SECCOMP_FILTER_DEBUG
+
+static ssize_t
+ps_root_dosendnetlink(int protocol, struct msghdr *msg)
+{
+	struct sockaddr_nl snl = { .nl_family = AF_NETLINK };
+	int s;
+	unsigned char buf[16 * 1024];
+	struct iovec riov = {
+		.iov_base = buf,
+		.iov_len = sizeof(buf),
+	};
+	ssize_t retval;
+
+	if ((s = if_linksocket(&snl, protocol, 0)) == -1)
+		return -1;
+
+	if (sendmsg(s, msg, 0) == -1) {
+		retval = -1;
+		goto out;
+	}
+
+	retval = if_getnetlink(NULL, &riov, s, 0, NULL, NULL);
+out:
+	close(s);
+	return retval;
+}
+
+ssize_t
+ps_root_os(struct ps_msghdr *psm, struct msghdr *msg,
+    __unused void **rdata, __unused size_t *rlen)
+{
+
+	switch (psm->ps_cmd) {
+	case PS_ROUTE:
+		return ps_root_dosendnetlink((int)psm->ps_flags, msg);
+	default:
+		errno = ENOTSUP;
+		return -1;
+	}
+}
+
+ssize_t
+ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg)
+{
+
+	if (ps_sendmsg(ctx, ctx->ps_root_fd, PS_ROUTE,
+	    (unsigned long)protocol, msg) == -1)
+		return -1;
+	return ps_root_readerror(ctx, NULL, 0);
+}
+
+#if (BYTE_ORDER == LITTLE_ENDIAN)
+# define SECCOMP_ARG_LO	0
+# define SECCOMP_ARG_HI	sizeof(uint32_t)
+#elif (BYTE_ORDER == BIG_ENDIAN)
+# define SECCOMP_ARG_LO	sizeof(uint32_t)
+# define SECCOMP_ARG_HI	0
+#else
+# error "Uknown endian"
+#endif
+
+#define SECCOMP_ALLOW(_nr)						    \
+	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 1),		    \
+	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW)
+
+#define SECCOMP_ALLOW_ARG(_nr, _arg, _val)				    \
+	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (_nr), 0, 6),		    \
+	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,				    \
+	    offsetof(struct seccomp_data, args[(_arg)]) + SECCOMP_ARG_LO),  \
+	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,				    \
+	    ((_val) & 0xffffffff), 0, 3),				    \
+	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,				    \
+	    offsetof(struct seccomp_data, args[(_arg)]) + SECCOMP_ARG_HI),  \
+	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K,				    \
+	    (((uint32_t)((uint64_t)(_val) >> 32)) & 0xffffffff), 0, 1),	    \
+	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),			\
+	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,				\
+		offsetof(struct seccomp_data, nr))
+
+#ifdef SECCOMP_FILTER_DEBUG
+#define SECCOMP_FILTER_FAIL	SECCOMP_RET_TRAP
+#else
+#define SECCOMP_FILTER_FAIL	SECCOMP_RET_KILL
+#endif
+
+/* I personally find this quite nutty.
+ * Why can a system header not define a default for this? */
+#if defined(__i386__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
+#elif defined(__x86_64__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
+#elif defined(__arc__)
+#  if defined(__A7__)
+#    if (BYTE_ORDER == LITTLE_ENDIAN)
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
+#    else
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
+#    endif
+#  elif defined(__HS__)
+#    if (BYTE_ORDER == LITTLE_ENDIAN)
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
+#    else
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
+#    endif
+#  else
+#    error "Platform does not support seccomp filter yet"
+#  endif
+#elif defined(__arm__)
+#  ifndef EM_ARM
+#    define EM_ARM 40
+#  endif
+#  if (BYTE_ORDER == LITTLE_ENDIAN)
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
+#  else
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARMEB
+#  endif
+#elif defined(__aarch64__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
+#elif defined(__alpha__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ALPHA
+#elif defined(__hppa__)
+#  if defined(__LP64__)
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC64
+#  else
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PARISC
+#  endif
+#elif defined(__ia64__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_IA64
+#elif defined(__microblaze__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MICROBLAZE
+#elif defined(__m68k__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_M68K
+#elif defined(__mips__)
+#  if defined(__MIPSEL__)
+#    if defined(__LP64__)
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
+#    else
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
+#    endif
+#  elif defined(__LP64__)
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
+#  else
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
+#  endif
+#elif defined(__nds32__)
+#  if (BYTE_ORDER == LITTLE_ENDIAN)
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32
+#else
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NDS32BE
+#endif
+#elif defined(__nios2__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_NIOS2
+#elif defined(__or1k__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC
+#elif defined(__powerpc64__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
+#elif defined(__powerpc__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
+#elif defined(__riscv)
+#  if defined(__LP64__)
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV64
+#  else
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_RISCV32
+#  endif
+#elif defined(__s390x__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
+#elif defined(__s390__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390
+#elif defined(__sh__)
+#  if defined(__LP64__)
+#    if (BYTE_ORDER == LITTLE_ENDIAN)
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL64
+#    else
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH64
+#    endif
+#  else
+#    if (BYTE_ORDER == LITTLE_ENDIAN)
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SHEL
+#    else
+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SH
+#    endif
+#  endif
+#elif defined(__sparc__)
+#  if defined(__arch64__)
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC64
+#  else
+#    define SECCOMP_AUDIT_ARCH AUDIT_ARCH_SPARC
+#  endif
+#elif defined(__xtensa__)
+#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_XTENSA
+#else
+#  error "Platform does not support seccomp filter yet"
+#endif
+
+static struct sock_filter ps_seccomp_filter[] = {
+	/* Check syscall arch */
+	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,
+	    offsetof(struct seccomp_data, arch)),
+	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
+	BPF_STMT(BPF_RET + BPF_K, SECCOMP_FILTER_FAIL),
+	/* Allow syscalls */
+	BPF_STMT(BPF_LD + BPF_W + BPF_ABS,
+		offsetof(struct seccomp_data, nr)),
+#ifdef __NR_accept
+	SECCOMP_ALLOW(__NR_accept),
+#endif
+#ifdef __NR_brk
+	SECCOMP_ALLOW(__NR_brk),
+#endif
+#ifdef __NR_clock_gettime
+	SECCOMP_ALLOW(__NR_clock_gettime),
+#endif
+#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+	SECCOMP_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
+#endif
+#ifdef __NR_clock_gettime64
+	SECCOMP_ALLOW(__NR_clock_gettime64),
+#endif
+#ifdef __NR_close
+	SECCOMP_ALLOW(__NR_close),
+#endif
+#ifdef __NR_exit_group
+	SECCOMP_ALLOW(__NR_exit_group),
+#endif
+#ifdef __NR_fcntl
+	SECCOMP_ALLOW(__NR_fcntl),
+#endif
+#ifdef __NR_fcntl64
+	SECCOMP_ALLOW(__NR_fcntl64),
+#endif
+#ifdef __NR_fstat
+	SECCOMP_ALLOW(__NR_fstat),
+#endif
+#ifdef __NR_fstat64
+	SECCOMP_ALLOW(__NR_fstat64),
+#endif
+#ifdef __NR_gettimeofday
+	SECCOMP_ALLOW(__NR_gettimeofday),
+#endif
+#ifdef __NR_getpid
+	SECCOMP_ALLOW(__NR_getpid),
+#endif
+#ifdef __NR_getsockopt
+	/* For route socket overflow */
+	SECCOMP_ALLOW_ARG(__NR_getsockopt, 1, SOL_SOCKET),
+	SECCOMP_ALLOW_ARG(__NR_getsockopt, 2, SO_RCVBUF),
+#endif
+#ifdef __NR_ioctl
+	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFFLAGS),
+	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFHWADDR),
+	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFINDEX),
+	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFMTU),
+	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, SIOCGIFVLAN),
+	/* printf over serial terminal requires this */
+	SECCOMP_ALLOW_ARG(__NR_ioctl, 1, TCGETS),
+	/* SECCOMP BPF is newer than nl80211 so we don't need SIOCGIWESSID
+	 * which lives in the impossible to include linux/wireless.h header */
+#endif
+#ifdef __NR_mmap
+	SECCOMP_ALLOW(__NR_mmap),
+#endif
+#ifdef __NR_munmap
+	SECCOMP_ALLOW(__NR_munmap),
+#endif
+#ifdef __NR_nanosleep
+	SECCOMP_ALLOW(__NR_nanosleep),	/* XXX should use ppoll instead */
+#endif
+#ifdef __NR_ppoll
+	SECCOMP_ALLOW(__NR_ppoll),
+#endif
+#ifdef __NR_ppoll_time64
+	SECCOMP_ALLOW(__NR_ppoll_time64),
+#endif
+#ifdef __NR_read
+	SECCOMP_ALLOW(__NR_read),
+#endif
+#ifdef __NR_readv
+	SECCOMP_ALLOW(__NR_readv),
+#endif
+#ifdef __NR_recv
+	SECCOMP_ALLOW(__NR_recv),
+#endif
+#ifdef __NR_recvfrom
+	SECCOMP_ALLOW(__NR_recvfrom),
+#endif
+#ifdef __NR_recvmsg
+	SECCOMP_ALLOW(__NR_recvmsg),
+#endif
+#ifdef __NR_rt_sigreturn
+	SECCOMP_ALLOW(__NR_rt_sigreturn),
+#endif
+#ifdef __NR_send
+	SECCOMP_ALLOW(__NR_send),
+#endif
+#ifdef __NR_sendmsg
+	SECCOMP_ALLOW(__NR_sendmsg),
+#endif
+#ifdef __NR_sendto
+	SECCOMP_ALLOW(__NR_sendto),
+#endif
+#ifdef __NR_socketcall
+	/* i386 needs this and demonstrates why SECCOMP
+	 * is poor compared to OpenBSD pledge(2) and FreeBSD capsicum(4)
+	 * as this is soooo tied to the kernel API which changes per arch
+	 * and likely libc as well. */
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_ACCEPT4),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_LISTEN),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT),	/* overflow */
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECV),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVFROM),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_RECVMSG),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SEND),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDMSG),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SENDTO),
+	SECCOMP_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+#endif
+#ifdef __NR_shutdown
+	SECCOMP_ALLOW(__NR_shutdown),
+#endif
+#ifdef __NR_time
+	SECCOMP_ALLOW(__NR_time),
+#endif
+#ifdef __NR_wait4
+	SECCOMP_ALLOW(__NR_wait4),
+#endif
+#ifdef __NR_waitpid
+	SECCOMP_ALLOW(__NR_waitpid),
+#endif
+#ifdef __NR_write
+	SECCOMP_ALLOW(__NR_write),
+#endif
+#ifdef __NR_writev
+	SECCOMP_ALLOW(__NR_writev),
+#endif
+#ifdef __NR_uname
+	SECCOMP_ALLOW(__NR_uname),
+#endif
+#ifdef __NR_getrandom
+	SECCOMP_ALLOW(__NR_getrandom),
+#endif
+
+	/* Deny everything else */
+	BPF_STMT(BPF_RET + BPF_K, SECCOMP_FILTER_FAIL),
+};
+
+static struct sock_fprog ps_seccomp_prog = {
+	.len = (unsigned short)__arraycount(ps_seccomp_filter),
+	.filter = ps_seccomp_filter,
+};
+
+#ifdef SECCOMP_FILTER_DEBUG
+static void
+ps_seccomp_violation(__unused int signum, siginfo_t *si, __unused void *context)
+{
+
+	logerrx("%s: unexpected syscall %d (arch=0x%x)",
+	    __func__, si->si_syscall, si->si_arch);
+	_exit(EXIT_FAILURE);
+}
+
+static int
+ps_seccomp_debug(void)
+{
+	struct sigaction sa = {
+		.sa_flags = SA_SIGINFO,
+		.sa_sigaction = &ps_seccomp_violation,
+	};
+	sigset_t mask;
+
+	/* Install a signal handler to catch any issues with our filter. */
+	sigemptyset(&mask);
+	sigaddset(&mask, SIGSYS);
+	if (sigaction(SIGSYS, &sa, NULL) == -1 ||
+	    sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
+		return -1;
+
+	return 0;
+}
+#endif
+
+int
+ps_seccomp_enter(void)
+{
+
+#ifdef SECCOMP_FILTER_DEBUG
+	ps_seccomp_debug();
+#endif
+
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
+	    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &ps_seccomp_prog) == -1)
+	{
+		if (errno == EINVAL)
+			errno = ENOSYS;
+		return -1;
+	}
+	return 0;
+}
Index: create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new/src
===================================================================
--- create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new/src	(nonexistent)
+++ create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new/src	(revision 5)

Property changes on: create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new/src
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new
===================================================================
--- create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new	(nonexistent)
+++ create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new	(revision 5)

Property changes on: create-9.4.1-getrandom-patch/dhcpcd-9.4.1-new
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: create-9.4.1-getrandom-patch/file.list
===================================================================
--- create-9.4.1-getrandom-patch/file.list	(nonexistent)
+++ create-9.4.1-getrandom-patch/file.list	(revision 5)
@@ -0,0 +1 @@
+dhcpcd-9.4.1/src/privsep-linux.c
Index: create-9.4.1-getrandom-patch
===================================================================
--- create-9.4.1-getrandom-patch	(nonexistent)
+++ create-9.4.1-getrandom-patch	(revision 5)

Property changes on: create-9.4.1-getrandom-patch
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: patches/README
===================================================================
--- patches/README	(nonexistent)
+++ patches/README	(revision 5)
@@ -0,0 +1,6 @@
+
+/* begin *
+
+   TODO: Leave some comment here.
+
+ * end */
Index: patches
===================================================================
--- patches	(nonexistent)
+++ patches	(revision 5)

Property changes on: patches
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: .
===================================================================
--- .	(nonexistent)
+++ .	(revision 5)

Property changes on: .
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~