2 files changed, 33 insertions, 0 deletions
diff --git a/app/CMakeLists.txt b/app/CMakeLists.txt
index 6511df1..1962fbf 100644
--- a/app/CMakeLists.txt
+++ b/app/CMakeLists.txt
@@ -56,6 +56,8 @@ ExternalProject_Add(tinc
  DEPENDS           lzo libressl
  URL               https://github.com/gsliepen/tinc/archive/f5223937e62e1cc5e9b3d322490dd3af8d666750.tar.gz
  URL_HASH          SHA256=3fe923e8fbb1e0192986039e91d6945ffbbe326ee8c2c0a13bacf80e87dad4a9
+  # TODO: remove patch once merged in upstream (https://github.com/gsliepen/tinc/pull/251)
+  PATCH_COMMAND     patch -p1 < ${PROJECT_SOURCE_DIR}/src/main/c/0001-tincctl-restrict-umask-argument-for-FORTIFY.patch
  CONFIGURE_COMMAND autoreconf -fsi <SOURCE_DIR> &&
                    <SOURCE_DIR>/configure ${xCONFIG}
                      --with-openssl=${CMAKE_CURRENT_BINARY_DIR}/usr/local
diff --git a/app/src/main/c/0001-tincctl-restrict-umask-argument-for-FORTIFY.patch b/app/src/main/c/0001-tincctl-restrict-umask-argument-for-FORTIFY.patch
new file mode 100644
index 0000000..85ab949
--- /dev/null
+++ b/app/src/main/c/0001-tincctl-restrict-umask-argument-for-FORTIFY.patch
@@ -0,0 +1,31 @@
+From b6498e6402d9681743b697c1c9f0760448b3be54 Mon Sep 17 00:00:00 2001
+From: pacien <pacien.trangirard@pacien.net>
+Date: Wed, 9 Sep 2020 01:24:28 +0200
+Subject: [PATCH] tincctl: restrict umask argument for FORTIFY
+`umask(mode)` calls that do not verify `(mode & 0777) == mode` are
+rejected when the libc FORTIFY checks are enabled [1].
+The unrestricted `~perms` was indeed making this assertion fail.
+[1]: https://android.googlesource.com/platform/bionic/+/refs/tags/android-11.0.0_r3/libc/bionic/fortify.cpp#404
+---
+ src/tincctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/tincctl.c b/src/tincctl.c
+index 08f30189..11c1a96c 100644
+--- a/src/tincctl.c
+++ b/src/tincctl.c
+@@ -237,7 +237,7 @@ static bool parse_options(int argc, char **argv) {
+ FILE *fopenmask(const char *filename, const char *mode, mode_t perms) {
+        mode_t mask = umask(0);
+        perms &= ~mask;
+-       umask(~perms);
+       umask(~perms & 0777);
+        FILE *f = fopen(filename, mode);
+ 
+        if(!f) {
+-- 
+2.25.4

diff --git a/app/CMakeLists.txt b/app/CMakeLists.txt index 6511df1..1962fbf 100644 --- a/app/CMakeLists.txt +++ b/app/CMakeLists.txt
@@ -56,6 +56,8 @@ ExternalProject_Add(tinc
56	DEPENDS lzo libressl	56	DEPENDS lzo libressl
57	URL https://github.com/gsliepen/tinc/archive/f5223937e62e1cc5e9b3d322490dd3af8d666750.tar.gz	57	URL https://github.com/gsliepen/tinc/archive/f5223937e62e1cc5e9b3d322490dd3af8d666750.tar.gz
58	URL_HASH SHA256=3fe923e8fbb1e0192986039e91d6945ffbbe326ee8c2c0a13bacf80e87dad4a9	58	URL_HASH SHA256=3fe923e8fbb1e0192986039e91d6945ffbbe326ee8c2c0a13bacf80e87dad4a9
		59	# TODO: remove patch once merged in upstream (https://github.com/gsliepen/tinc/pull/251)
		60	PATCH_COMMAND patch -p1 < ${PROJECT_SOURCE_DIR}/src/main/c/0001-tincctl-restrict-umask-argument-for-FORTIFY.patch
59	CONFIGURE_COMMAND autoreconf -fsi <SOURCE_DIR> &&	61	CONFIGURE_COMMAND autoreconf -fsi <SOURCE_DIR> &&
60	<SOURCE_DIR>/configure ${xCONFIG}	62	<SOURCE_DIR>/configure ${xCONFIG}
61	--with-openssl=${CMAKE_CURRENT_BINARY_DIR}/usr/local	63	--with-openssl=${CMAKE_CURRENT_BINARY_DIR}/usr/local


diff --git a/app/src/main/c/0001-tincctl-restrict-umask-argument-for-FORTIFY.patch b/app/src/main/c/0001-tincctl-restrict-umask-argument-for-FORTIFY.patch new file mode 100644 index 0000000..85ab949 --- /dev/null +++ b/app/src/main/c/0001-tincctl-restrict-umask-argument-for-FORTIFY.patch
@@ -0,0 +1,31 @@
		1	From b6498e6402d9681743b697c1c9f0760448b3be54 Mon Sep 17 00:00:00 2001
		2	From: pacien <pacien.trangirard@pacien.net>
		3	Date: Wed, 9 Sep 2020 01:24:28 +0200
		4	Subject: [PATCH] tincctl: restrict umask argument for FORTIFY
		5
		6	`umask(mode)` calls that do not verify `(mode & 0777) == mode` are
		7	rejected when the libc FORTIFY checks are enabled [1].
		8
		9	The unrestricted `~perms` was indeed making this assertion fail.
		10
		11	[1]: https://android.googlesource.com/platform/bionic/+/refs/tags/android-11.0.0_r3/libc/bionic/fortify.cpp#404
		12	---
		13	src/tincctl.c \| 2 +-
		14	1 file changed, 1 insertion(+), 1 deletion(-)
		15
		16	diff --git a/src/tincctl.c b/src/tincctl.c
		17	index 08f30189..11c1a96c 100644
		18	--- a/src/tincctl.c
		19	+++ b/src/tincctl.c
		20	@@ -237,7 +237,7 @@ static bool parse_options(int argc, char **argv) {
		21	FILE fopenmask(const char filename, const char *mode, mode_t perms) {
		22	mode_t mask = umask(0);
		23	perms &= ~mask;
		24	- umask(~perms);
		25	+ umask(~perms & 0777);
		26	FILE *f = fopen(filename, mode);
		27
		28	if(!f) {
		29	--
		30	2.25.4
		31