From 8cc927a2356f1f579f26c9d14130dae5d1be898e Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 9 Dec 2025 12:50:24 +0100
Subject: [PATCH] Rebase to latest upstream version

Resolves: RHEL-2518
Resolves: RHEL-5044
Resolves: RHEL-5050
Resolves: RHEL-16141
Resolves: RHEL-44580
Resolves: RHEL-56353
Resolves: RHEL-78631
Resolves: RHEL-73686
---
 .gitignore | 1 +
 ...r-issues-found-by-static-code-scanne.patch | 198 --------------
 ...rb5-add-adcli_krb5_get_error_message.patch | 226 ------------------
 adcli.spec | 80 ++++++-
 sources | 2 +-
 5 files changed, 74 insertions(+), 433 deletions(-)
 delete mode 100644 0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
 delete mode 100644 0002-krb5-add-adcli_krb5_get_error_message.patch

diff --git a/.gitignore b/.gitignore
index 440751f..e6fcc1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@
 /adcli-0.9.0.tar.gz
 /adcli-0.9.1.tar.gz
 /adcli-0.9.2.tar.gz
+/adcli-0.9.3.1.tar.gz
diff --git a/0001-Various-fixes-for-issues-found-by-static-code-scanne.patch b/0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
deleted file mode 100644
index 1f71f80..0000000
--- a/0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
+++ /dev/null
@@ -1,198 +0,0 @@ -From fab13daeaf23cc4a26b10cfe0c3d7ac469a9da76 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 5 Nov 2024 14:22:47 +0100 -Subject: [PATCH 1/2] Various fixes for issues found by static code scanners - ---- - library/adconn.c | 17 ++++++++++++----- - library/adenroll.c | 4 ++-- - library/adutil.c | 2 +- - library/seq.c | 13 +++++++++---- - library/seq.h | 3 ++- - tools/tools.c | 24 +++++++++++++++++------- - 6 files changed, 43 insertions(+), 20 deletions(-) - -diff --git a/library/adconn.c b/library/adconn.c -index 087225d..e668b8d 100644 ---- a/library/adconn.c -+++ b/library/adconn.c -@@ -402,9 +402,9 @@ clear_krb5_conf_snippet (adcli_conn *conn) - static adcli_result - setup_krb5_conf_snippet (adcli_conn *conn) - { -- char *filename; -- char *snippet; -- char *controller; -+ char *filename = NULL; -+ char *snippet = NULL; -+ char *controller = NULL; - int errn; - int ret; - int fd; -@@ -429,7 +429,10 @@ setup_krb5_conf_snippet (adcli_conn *conn) - controller = strdup (conn->domain_controller); - } - -- return_unexpected_if_fail (controller != NULL); -+ if (controller == NULL) { -+ free (filename); -+ return_unexpected_if_reached (); -+ } - - if (asprintf (&snippet, "[realms]\n" - " %s = {\n" -@@ -442,8 +445,11 @@ setup_krb5_conf_snippet (adcli_conn *conn) - " %s = %s\n", - conn->domain_realm, controller, controller, controller, - conn->canonical_host, conn->domain_realm, -- conn->domain_controller, conn->domain_realm) < 0) -+ conn->domain_controller, conn->domain_realm) < 0) { -+ free (controller); -+ free (filename); - return_unexpected_if_reached (); -+ } - - old_mask = umask (0177); - fd = mkstemp (filename); -@@ -451,6 +457,7 @@ setup_krb5_conf_snippet (adcli_conn *conn) - if (fd < 0) { - _adcli_warn ("Couldn't create krb5.conf snippet file in: %s: %s", - conn->krb5_conf_dir, strerror (errno)); -+ free (filename); - - } else { - conn->krb5_conf_snippet = filename; -diff --git a/library/adenroll.c b/library/adenroll.c -index 
b6558ed..e978f46 100644 ---- a/library/adenroll.c -+++ b/library/adenroll.c -@@ -2340,9 +2340,9 @@ update_keytab_for_principals (adcli_enroll *enroll, - - for (i = 0; enroll->keytab_principals[i] != 0; i++) { - if (krb5_unparse_name (k5, enroll->keytab_principals[i], &name) != 0) -- name = ""; -+ name = NULL; - res = add_principal_to_keytab (enroll, k5, enroll->keytab_principals[i], -- name, &which_salt, flags); -+ name != NULL ? name : "", &which_salt, flags); - krb5_free_unparsed_name (k5, name); - - if (res != ADCLI_SUCCESS) -diff --git a/library/adutil.c b/library/adutil.c -index 36822e2..a112ad8 100644 ---- a/library/adutil.c -+++ b/library/adutil.c -@@ -169,7 +169,7 @@ _adcli_strv_dup (char **strv) - return NULL; - - count = seq_count (strv); -- return seq_dup (strv, &count, (seq_copy)strdup); -+ return seq_dup (strv, &count, (seq_copy)strdup, (seq_destroy)free); - } - - char * -diff --git a/library/seq.c b/library/seq.c -index 8e7475d..5410918 100644 ---- a/library/seq.c -+++ b/library/seq.c -@@ -299,7 +299,8 @@ seq_lookup (seq_voidp sequence, - void * - seq_dup (seq_voidp sequence, - int *length, -- seq_copy copy) -+ seq_copy copy, -+ seq_destroy destroy) - { - void **seq = sequence; - void **copied; -@@ -308,6 +309,7 @@ seq_dup (seq_voidp sequence, - int at; - - assert (length != NULL); -+ assert ( (copy != NULL && destroy != NULL) || (copy == NULL && destroy == NULL) ); - - len = *length; - alloc = alloc_size (len + 1); -@@ -321,7 +323,10 @@ seq_dup (seq_voidp sequence, - copied[at] = seq[at]; - } else { - copied[at] = copy (seq[at]); -- bail_on_null (copied[at]); -+ if (copied[at] == NULL) { -+ destroy (copied); -+ return NULL; -+ } - } - } - -@@ -707,7 +712,7 @@ test_dup (void) - seq = seq_insert (seq, &len, "3", (seq_compar)strcmp, NULL); - seq = seq_insert (seq, &len, "1", (seq_compar)strcmp, NULL); - -- dup = seq_dup (seq, &len, NULL); -+ dup = seq_dup (seq, &len, NULL, NULL); - assert (dup != NULL); - - assert_str_eq (dup[0], "1"); -@@ -734,7 +739,7 
@@ test_dup_deep (void) - seq = seq_insert (seq, &len, "3", (seq_compar)strcmp, NULL); - seq = seq_insert (seq, &len, "1", (seq_compar)strcmp, NULL); - -- dup = seq_dup (seq, &len, (seq_copy)strdup); -+ dup = seq_dup (seq, &len, (seq_copy)strdup, (seq_destroy)free); - assert (dup != NULL); - - assert_str_eq (dup[0], "1"); -diff --git a/library/seq.h b/library/seq.h -index 5d48848..3fec747 100644 ---- a/library/seq.h -+++ b/library/seq.h -@@ -89,7 +89,8 @@ int seq_count (seq_voidp seq); - - seq_voidp seq_dup (seq_voidp seq, - int *length, -- seq_copy copy); -+ seq_copy copy, -+ seq_destroy destroy); - - void seq_free (seq_voidp seq, - seq_destroy destroy); -diff --git a/tools/tools.c b/tools/tools.c -index 7e382ae..444485c 100644 ---- a/tools/tools.c -+++ b/tools/tools.c -@@ -399,14 +399,24 @@ setup_krb5_conf_directory (adcli_conn *conn) - warnx ("couldn't create temporary directory in: %s: %s", - parent, strerror (errn)); - } else { -- if (asprintf (&filename, "%s/krb5.conf", directory) < 0 || -- asprintf (&snippets, "%s/krb5.d", directory) < 0 || -- asprintf (&contents, "includedir %s\n%s%s\n", snippets, -- krb5_conf ? "include " : "", -- krb5_conf ? krb5_conf : "") < 0) { -+ if (asprintf (&filename, "%s/krb5.conf", directory) < 0) { -+ warnx ("unexpected: out of memory"); -+ failed = 1; -+ } -+ if (!failed && asprintf (&snippets, "%s/krb5.d", directory) < 0) { -+ free (filename); -+ filename = NULL; -+ warnx ("unexpected: out of memory"); -+ failed = 1; -+ } -+ if (!failed && asprintf (&contents, "includedir %s\n%s%s\n", snippets, -+ krb5_conf ? "include " : "", -+ krb5_conf ? krb5_conf : "") < 0) { -+ free (snippets); -+ snippets = NULL; -+ free (filename); -+ filename = NULL; - warnx ("unexpected: out of memory"); -- filename = NULL; /* content is undefined */ -- snippets = NULL; /* content is undefined */ - contents = NULL; /* content is undefined */ - failed = 1; - } --- -2.48.1 - 
diff --git a/0002-krb5-add-adcli_krb5_get_error_message.patch b/0002-krb5-add-adcli_krb5_get_error_message.patch deleted file mode 100644 index 1369d12..0000000 --- a/0002-krb5-add-adcli_krb5_get_error_message.patch +++ /dev/null 
@@ -1,226 +0,0 @@ -From d3db46e8b03f0f2db0df01466b597fde588a06bf Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 5 Nov 2024 19:00:54 +0100 -Subject: [PATCH 2/2] krb5: add adcli_krb5_get_error_message() - -The krb5_get_error_message() call returns an error message in an -allocated string which must be freed. This makes it hard to simply use -krb5_get_error_message() in a printf() argument list. -adcli_krb5_get_error_message() used a static memory area to make the -usage more easy. ---- - library/adconn.c | 10 +++++----- - library/adenroll.c | 18 +++++++++--------- - library/adentry.c | 2 +- - library/adkrb5.c | 22 +++++++++++++++++++--- - library/adprivate.h | 2 ++ - 5 files changed, 36 insertions(+), 18 deletions(-) - -diff --git a/library/adconn.c b/library/adconn.c -index e668b8d..2c94af9 100644 ---- a/library/adconn.c -+++ b/library/adconn.c -@@ -367,20 +367,20 @@ handle_kinit_krb5_code (adcli_conn *conn, - code == KRB5_PREAUTH_FAILED) { - if (type == ADCLI_LOGIN_COMPUTER_ACCOUNT) { - _adcli_err ("Couldn't authenticate as machine account: %s: %s", -- name, krb5_get_error_message (conn->k5, code)); -+ name, adcli_krb5_get_error_message (conn->k5, code)); - } else { - _adcli_err ("Couldn't authenticate as: %s: %s", -- name, krb5_get_error_message (conn->k5, code)); -+ name, adcli_krb5_get_error_message (conn->k5, code)); - } - return ADCLI_ERR_CREDENTIALS; - - } else { - if (type == ADCLI_LOGIN_COMPUTER_ACCOUNT) { - _adcli_err ("Couldn't get kerberos ticket for machine account: %s: %s", -- name, krb5_get_error_message (conn->k5, code)); -+ name, adcli_krb5_get_error_message (conn->k5, code)); - } else { - _adcli_err ("Couldn't get kerberos ticket for: %s: %s", -- name, krb5_get_error_message (conn->k5, code)); -+ name, adcli_krb5_get_error_message (conn->k5, code)); - } - return ADCLI_ERR_DIRECTORY; - } -@@ -726,7 +726,7 @@ prep_kerberos_and_kinit (adcli_conn *conn) - - if (code != 0) { - _adcli_err ("Couldn't open kerberos credential cache: %s: %s", -- 
conn->login_ccache_name, krb5_get_error_message (NULL, code)); -+ conn->login_ccache_name, adcli_krb5_get_error_message (NULL, code)); - return ADCLI_ERR_CONFIG; - } - } -diff --git a/library/adenroll.c b/library/adenroll.c -index e978f46..c854c9e 100644 ---- a/library/adenroll.c -+++ b/library/adenroll.c -@@ -549,7 +549,7 @@ ensure_keytab_principals (adcli_result res, - if (code != 0) { - _adcli_err ("Couldn't parse kerberos user principal: %s: %s", - enroll->user_principal, -- krb5_get_error_message (k5, code)); -+ adcli_krb5_get_error_message (k5, code)); - return ADCLI_ERR_CONFIG; - } - } -@@ -1523,7 +1523,7 @@ set_password_with_user_creds (adcli_enroll *enroll) - if (code != 0) { - _adcli_err ("Couldn't set password for %s account: %s: %s", - s_or_c (enroll), -- enroll->computer_sam, krb5_get_error_message (k5, code)); -+ enroll->computer_sam, adcli_krb5_get_error_message (k5, code)); - /* TODO: Parse out these values */ - res = ADCLI_ERR_DIRECTORY; - -@@ -1584,7 +1584,7 @@ set_password_with_computer_creds (adcli_enroll *enroll) - if (code != 0) { - _adcli_err ("Couldn't get change password ticket for %s account: %s: %s", - s_or_c (enroll), -- enroll->computer_sam, krb5_get_error_message (k5, code)); -+ enroll->computer_sam, adcli_krb5_get_error_message (k5, code)); - return ADCLI_ERR_DIRECTORY; - } - -@@ -1596,7 +1596,7 @@ set_password_with_computer_creds (adcli_enroll *enroll) - if (code != 0) { - _adcli_err ("Couldn't change password for %s account: %s: %s", - s_or_c (enroll), -- enroll->computer_sam, krb5_get_error_message (k5, code)); -+ enroll->computer_sam, adcli_krb5_get_error_message (k5, code)); - /* TODO: Parse out these values */ - res = ADCLI_ERR_DIRECTORY; - -@@ -2113,7 +2113,7 @@ load_host_keytab (adcli_enroll *enroll) - code = _adcli_krb5_keytab_enumerate (k5, keytab, load_keytab_entry, enroll); - if (code != 0) { - _adcli_err ("Couldn't enumerate keytab: %s: %s", -- enroll->keytab_name, krb5_get_error_message (k5, code)); -+ 
enroll->keytab_name, adcli_krb5_get_error_message (k5, code)); - res = ADCLI_ERR_FAIL; - } - krb5_kt_close (k5, keytab); -@@ -2225,7 +2225,7 @@ remove_principal_from_keytab (adcli_enroll *enroll, - - if (code != 0) { - _adcli_err ("Couldn't update keytab: %s: %s", -- enroll->keytab_name, krb5_get_error_message (k5, code)); -+ enroll->keytab_name, adcli_krb5_get_error_message (k5, code)); - return ADCLI_ERR_FAIL; - } - -@@ -2257,7 +2257,7 @@ add_principal_to_keytab (adcli_enroll *enroll, - - if (code != 0) { - _adcli_err ("Couldn't update keytab: %s: %s", -- enroll->keytab_name, krb5_get_error_message (k5, code)); -+ enroll->keytab_name, adcli_krb5_get_error_message (k5, code)); - return ADCLI_ERR_FAIL; - } - -@@ -2296,7 +2296,7 @@ add_principal_to_keytab (adcli_enroll *enroll, - enctypes, salts, which_salt); - if (code != 0) { - _adcli_warn ("Couldn't authenticate with keytab while discovering which salt to use: %s: %s", -- principal_name, krb5_get_error_message (k5, code)); -+ principal_name, adcli_krb5_get_error_message (k5, code)); - *which_salt = DEFAULT_SALT; - } else { - assert (*which_salt >= 0); -@@ -2313,7 +2313,7 @@ add_principal_to_keytab (adcli_enroll *enroll, - - if (code != 0) { - _adcli_err ("Couldn't add keytab entries: %s: %s", -- enroll->keytab_name, krb5_get_error_message (k5, code)); -+ enroll->keytab_name, adcli_krb5_get_error_message (k5, code)); - return ADCLI_ERR_FAIL; - } - -diff --git a/library/adentry.c b/library/adentry.c -index 0d9b9af..38ec7ca 100644 ---- a/library/adentry.c -+++ b/library/adentry.c -@@ -515,7 +515,7 @@ adcli_entry_set_passwd (adcli_entry *entry, const char *user_pwd) - if (code != 0) { - _adcli_err ("Couldn't set password for %s account: %s: %s", - entry->object_class, -- entry->sam_name, krb5_get_error_message (k5, code)); -+ entry->sam_name, adcli_krb5_get_error_message (k5, code)); - /* TODO: Parse out these values */ - res = ADCLI_ERR_DIRECTORY; - -diff --git a/library/adkrb5.c b/library/adkrb5.c -index 
be3ede5..7a9ee8f 100644 ---- a/library/adkrb5.c -+++ b/library/adkrb5.c -@@ -33,6 +33,7 @@ - #include - #include - #include -+#include - - krb5_error_code - _adcli_krb5_build_principal (krb5_context k5, -@@ -174,7 +175,7 @@ _adcli_krb5_init_context (krb5_context *k5) - - } else if (code != 0) { - _adcli_err ("Failed to create kerberos context: %s", -- krb5_get_error_message (NULL, code)); -+ adcli_krb5_get_error_message (NULL, code)); - return ADCLI_ERR_UNEXPECTED; - } - -@@ -192,7 +193,7 @@ _adcli_krb5_open_keytab (krb5_context k5, - code = krb5_kt_resolve (k5, keytab_name, keytab); - if (code != 0) { - _adcli_err ("Failed to open keytab: %s: %s", -- keytab_name, krb5_get_error_message (k5, code)); -+ keytab_name, adcli_krb5_get_error_message (k5, code)); - return ADCLI_ERR_FAIL; - } - -@@ -200,7 +201,7 @@ _adcli_krb5_open_keytab (krb5_context k5, - code = krb5_kt_default (k5, keytab); - if (code != 0) { - _adcli_err ("Failed to open default keytab: %s", -- krb5_get_error_message (k5, code)); -+ adcli_krb5_get_error_message (k5, code)); - return ADCLI_ERR_FAIL; - } - } -@@ -570,3 +571,18 @@ _adcli_krb5_format_enctypes (krb5_enctype *enctypes) - - return value; - } -+ -+const char *adcli_krb5_get_error_message (krb5_context ctx, krb5_error_code code) -+{ -+ static char out[4096]; -+ const char *tmp; -+ size_t len; -+ -+ tmp = krb5_get_error_message (ctx, code); -+ len = strlen (tmp); -+ memcpy (out, tmp, MIN (sizeof (out), len)); -+ out[sizeof(out) - 1] = '\0'; -+ krb5_free_error_message (ctx, tmp); -+ -+ return out; -+} -diff --git a/library/adprivate.h b/library/adprivate.h -index bf0381c..cca58f9 100644 ---- a/library/adprivate.h -+++ b/library/adprivate.h -@@ -323,4 +323,6 @@ adcli_result _adcli_call_external_program (const char *binary, - uint8_t **stdout_data, - size_t *stdout_data_len); - -+const char *adcli_krb5_get_error_message (krb5_context ctx, -+ krb5_error_code code); - #endif /* ADPRIVATE_H_ */ --- -2.48.1 - 
diff --git a/adcli.spec b/adcli.spec
index 9ffa3ee..ef4db0b 100644
--- a/adcli.spec
+++ b/adcli.spec
@@ -1,14 +1,14 @@
+%global with_selinux 1
+%global selinuxtype targeted
+%global modulename adcli
+
 Name: adcli
-Version: 0.9.2
-Release: 9%{?dist}
+Version: 0.9.3.1
+Release: 1%{?dist}
 Summary: Active Directory enrollment
 License: LGPL-2.1-or-later
 URL: https://gitlab.freedesktop.org/realmd/adcli
-Source0: https://gitlab.freedesktop.org/realmd/adcli/uploads/ea560656ac921b3fe0d455976aaae9be/adcli-%{version}.tar.gz
-
-# fixes for issues found by static analyser
-Patch1: 0001-Various-fixes-for-issues-found-by-static-code-scanne.patch
-Patch2: 0002-krb5-add-adcli_krb5_get_error_message.patch
+Source0: https://gitlab.freedesktop.org/-/project/1196/uploads/5a1c55410c0965835b81fbd28d820d46/adcli-%{version}.tar.gz
 
 BuildRequires: gcc
 BuildRequires: intltool pkgconfig
@@ -19,6 +19,13 @@ BuildRequires: openldap-devel
 BuildRequires: libxslt
 BuildRequires: xmlto
 BuildRequires: make
+BuildRequires: libnetapi-devel
+
+# Build dependencies for SELinux policy
+%if %{with selinux}
+BuildRequires: libselinux-devel
+BuildRequires: selinux-policy-devel
+%endif
 
 Requires: cyrus-sasl-gssapi
 Conflicts: adcli-doc < %{version}-%{release}
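Review bot: Patch1 and Patch2 are removed from the spec in the first hunk together with the version bump, but nothing in this diff shows that the 0.9.3.1 tarball carries what they fixed — the freed `filename`/`controller` error paths in setup_krb5_conf_snippet, the `seq_dup` destroy callback and the static-buffer `adcli_krb5_get_error_message()` wrapper are visible only in the deleted patch files. Presumably upstream merged them, but if not, the leak fixes and the krb5 error-message handling shipped for RHEL-45146 regress silently with this rebase. Confirm against the new source and make it traceable in the changelog entry, e.g. `- Drop patches that are included in upstream 0.9.3.1`.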
@@ -27,10 +34,31 @@ Conflicts: adcli-doc < %{version}-%{release}
 # the adcli tool itself is to be used by callers
 Obsoletes: adcli-devel < 0.5
 
+%if %{with selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not
+# pulled into containers and other systems that do not use SELinux. The
+# policy defines types and file contexts for client and server.
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %description
 adcli is a tool for joining an Active Directory domain using standard
 LDAP and Kerberos calls.
 
+%if %{with selinux}
+# SELinux subpackage
+%package selinux
+Summary: The adcli SELinux policy
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module for adcli to make sure generated Kerberos keytab
+files have the right SELinux context.
+%endif
+
 %define _hardened_build 1
 
 %prep
@@ -54,13 +82,32 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 
 %ldconfig_scriptlets
 
+%if %{with selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%endif
+
 %files
 %{_sbindir}/adcli
 %doc AUTHORS COPYING ChangeLog NEWS README
 %doc %{_mandir}/*/*
 
 %package doc
-Summary: adcli documentation
+Summary: The adcli documentation package
 BuildArch: noarch
 Conflicts: adcli < %{version}-%{release}
 
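Review bot: The three-line comment above `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` in the `@@ -27,10` hunk reads as packaging-template text rather than a description of this package: "types and file contexts for client and server" does not match the `%description selinux` added further down, which says the module exists to label the Kerberos keytab files adcli generates, and `it’s` should be `its`. Suggest replacing the last two comment lines with `# pulled into containers and other systems that do not use SELinux. The` / `# policy defines the file contexts for the keytab files adcli generates.` so both descriptions agree. The `%pre`/`%post`/`%postun`/`%posttrans` scriptlets in the `@@ -54,13` hunk follow the usual independent-policy layout, including the `$1 -eq 0` guard on uninstall, and raise nothing.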
@@ -72,7 +119,24 @@ documentation.
 
 %files doc
 %doc %{_datadir}/doc/adcli/*
+%if %{with selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
 %changelog
+* Tue Dec 09 2025 Sumit Bose - 0.9.3.1-1
+- Rebase to latest upstream version
+  Resolves: RHEL-2518
+  Resolves: RHEL-5044
+  Resolves: RHEL-5050
+  Resolves: RHEL-16141
+  Resolves: RHEL-44580
+  Resolves: RHEL-56353
+  Resolves: RHEL-78631
+  Resolves: RHEL-73686
+
 * Thu Feb 13 2025 Sumit Bose - 0.9.2-9
 - Fixes for RHEL SAST Automation
   Resolves: RHEL-45146
diff --git a/sources b/sources
index 1dd0180..aa241fa 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (adcli-0.9.2.tar.gz) = 0953ffb940b9abdf6277731b3fa14656b9af5686902f1b8c44389c2537e6c33db5b5272061964cf60fd6a7831e581c5362bff89d0adddc9b17059ed3a30e3971
+SHA512 (adcli-0.9.3.1.tar.gz) = 3f501173b5344b38f33a3f65faec9e894da81b44b37bb161da103d8a29459d8807dfe566a5dd0a8c7eec466567b6cca4331c81dd70158b5478a61b03be37355d