Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -1,23 +0,0 @@
|
||||
From 3fff129472d353a189a8f0c7bc768534e4c09d16 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Wed, 7 May 2025 17:54:41 +0200
|
||||
Subject: [PATCH] ci: fix differential shellcheck
|
||||
|
||||
---
|
||||
.github/workflows/differential-shellcheck.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
|
||||
index 55273b3d..098bd8f7 100644
|
||||
--- a/.github/workflows/differential-shellcheck.yml
|
||||
+++ b/.github/workflows/differential-shellcheck.yml
|
||||
@@ -5,7 +5,7 @@ on:
|
||||
|
||||
jobs:
|
||||
test:
|
||||
- runs-on: ubuntu-20.04
|
||||
+ runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Repository checkout
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
From b61af7e8c89d2b9625fd7e6285168231c0cf2d03 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Mon, 19 Aug 2024 09:41:27 +0200
|
||||
Subject: [PATCH] feat(fips): include fips module unconditionally
|
||||
|
||||
rhel-only
|
||||
|
||||
Resolves: RHEL-53355
|
||||
---
|
||||
modules.d/01fips/module-setup.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
|
||||
index 71bea53a..66eac19f 100755
|
||||
--- a/modules.d/01fips/module-setup.sh
|
||||
+++ b/modules.d/01fips/module-setup.sh
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
# called by dracut
|
||||
check() {
|
||||
- return 255
|
||||
+ return 0
|
||||
}
|
||||
|
||||
# called by dracut
|
||||
|
||||
@ -1,33 +0,0 @@
|
||||
From 4cbaead393233e6967bd804d57cbd0d73b992431 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Thu, 6 Mar 2025 14:30:26 +0100
|
||||
Subject: [PATCH] fix(rescue): create hmac file for rescue kernel
|
||||
|
||||
Resolves: RHEL-53364
|
||||
---
|
||||
51-dracut-rescue.install | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/51-dracut-rescue.install b/51-dracut-rescue.install
|
||||
index 47eb8e7d..e50468dd 100755
|
||||
--- a/51-dracut-rescue.install
|
||||
+++ b/51-dracut-rescue.install
|
||||
@@ -89,6 +89,17 @@ case "$COMMAND" in
|
||||
echo "Can't copy '$KERNEL_IMAGE to '$BOOT_DIR_ABS/$KERNEL'!" >&2
|
||||
fi
|
||||
|
||||
+ HMAC=".${KERNEL}.hmac"
|
||||
+
|
||||
+ KERNEL_DIR="${KERNEL_IMAGE%/*}"
|
||||
+ KERNEL_FILE="${KERNEL_IMAGE##*/}"
|
||||
+
|
||||
+ HMAC_FILE="${KERNEL_DIR}/.${KERNEL_FILE}.hmac"
|
||||
+
|
||||
+ if ! sed -E "s/([0-9a-f]+)(\s+).*$/\1\2${KERNEL}/" "$HMAC_FILE" > "$BOOT_DIR_ABS/$HMAC"; then
|
||||
+ echo "Can't create '$BOOT_DIR_ABS/$HMAC' from '$HMAC_FILE'!" >&2
|
||||
+ fi
|
||||
+
|
||||
if [[ ! -f "$BOOT_DIR_ABS/$INITRD" ]]; then
|
||||
dracut -f --no-hostonly -a "rescue" "$BOOT_DIR_ABS/$INITRD" "$KERNEL_VERSION"
|
||||
((ret+=$?))
|
||||
|
||||
@ -1,24 +0,0 @@
|
||||
From c81062cf34a1a652d68b45fc876d93a4ed5c9ada Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Sun, 28 Jan 2024 18:06:15 +0100
|
||||
Subject: [PATCH] fix(spec): own 50-network-legacy.conf
|
||||
|
||||
Without %config, to have the file removed with the package as well.
|
||||
|
||||
Resolves: RHEL-5673
|
||||
---
|
||||
dracut.spec | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/dracut.spec b/dracut.spec
|
||||
index a417f780..5215985a 100644
|
||||
--- a/dracut.spec
|
||||
+++ b/dracut.spec
|
||||
@@ -446,6 +446,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
|
||||
%{dracutlibdir}/modules.d/95znet
|
||||
%endif
|
||||
%{dracutlibdir}/modules.d/99uefi-lib
|
||||
+%attr(0644,root,root) %ghost %{_sysconfdir}/dracut.conf.d/50-network-legacy.conf
|
||||
|
||||
%files caps
|
||||
%{dracutlibdir}/modules.d/02caps
|
||||
@ -1,53 +0,0 @@
|
||||
From 6654f9b7ca5dc00012cd7c4aa6dcf24611adab41 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Marzinski <bmarzins@redhat.com>
|
||||
Date: Thu, 24 Apr 2025 17:51:01 -0400
|
||||
Subject: [PATCH] fix(multipath): disable user_friendly_names with mpathconf
|
||||
|
||||
If dracut is creating /etc/multipath.conf by calling mpathconf in either
|
||||
multipathd-configure.service or multipathd.sh, there is a chance that
|
||||
the multipath config in the real root differs. Specifically, it might
|
||||
have chosen different user_friendly_names for the devices. When the
|
||||
systems switches to the real root, multipath may not be able to switch
|
||||
the devices to their configured names because those might already be
|
||||
in use. To avoid this, call mpathconf with "--user_friendly_names n"
|
||||
to create a multipath.conf with user_friendly_names disabled. If all
|
||||
devices use WWID names, it is always possible for multipath to rename
|
||||
them later.
|
||||
|
||||
Fixes b8a92b715 ("multipath: add automatic configuration for multipath")
|
||||
|
||||
(cherry picked from commit f36f2869859eb5f9613a94a28dfaf31505e645cc)
|
||||
|
||||
Resolves: RHEL-91319
|
||||
---
|
||||
modules.d/90multipath/multipathd-configure.service | 2 +-
|
||||
modules.d/90multipath/multipathd.sh | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/modules.d/90multipath/multipathd-configure.service b/modules.d/90multipath/multipathd-configure.service
|
||||
index de690615..6dedd9b9 100644
|
||||
--- a/modules.d/90multipath/multipathd-configure.service
|
||||
+++ b/modules.d/90multipath/multipathd-configure.service
|
||||
@@ -13,7 +13,7 @@ ConditionPathExists=!/etc/multipath.conf
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStartPre=-/usr/bin/mkdir -p /etc/multipath/multipath.conf.d
|
||||
-ExecStart=/usr/sbin/mpathconf --enable
|
||||
+ExecStart=/usr/sbin/mpathconf --enable --user_friendly_names n
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
||||
diff --git a/modules.d/90multipath/multipathd.sh b/modules.d/90multipath/multipathd.sh
|
||||
index b0183ffe..fc8f79f3 100755
|
||||
--- a/modules.d/90multipath/multipathd.sh
|
||||
+++ b/modules.d/90multipath/multipathd.sh
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
if [ "$(getarg rd.multipath)" = "default" ] && [ ! -e /etc/multipath.conf ]; then
|
||||
mkdir -p /etc/multipath/multipath.conf.d
|
||||
- mpathconf --enable
|
||||
+ mpathconf --enable --user_friendly_names n
|
||||
fi
|
||||
|
||||
if getargbool 1 rd.multipath -d -n rd_NO_MULTIPATH && [ -e /etc/multipath.conf ]; then
|
||||
|
||||
@ -1,65 +0,0 @@
|
||||
From 4c9d4c3f773619a7730927f0e2e5ac0f7f53692f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?=E2=80=9CMasahiro?= <mmatsuya@redhat.com>
|
||||
Date: Fri, 3 Feb 2023 12:08:26 +0900
|
||||
Subject: [PATCH] fix(url-lib.sh): nfs_already_mounted() with trailing slash in
|
||||
nfs path
|
||||
|
||||
nfs_already_mounted() doesn't work when the installation ISO and kickstart file on a same NFS share are specified with inst.repo and inst.ks boot parameter as below.
|
||||
|
||||
inst.repo=nfs:192.168.1.1:/home/data/rhel9.iso inst.ks=nfs:192.168.1.1:/home/data/ks.cfg
|
||||
|
||||
NOTE: /home/data is configured for nfs share on 192.168.1.1
|
||||
|
||||
One problem is a file (not a directory) was passed into nfs_already_mounted().
|
||||
nfs_already_mounted() is the function to judge if the given directory is already mounted.
|
||||
So, filepath should be passed in nfs_fetch_url().
|
||||
|
||||
The other problem is about the trailing slash in the nfs path in /proc/mounts.
|
||||
|
||||
The /proc/mounts has an entry after nfs mount of inst.repo.
|
||||
|
||||
192.168.1.1:/data/ /run/install/isodir nfs ro,relatime,<snip>
|
||||
|
||||
In this case, nfs_already_mounted() returns "/run/install/isodir//home/data/ks.cfg" wrongly. The following is from the log.
|
||||
|
||||
[ 14.556279] localhost.localdomain dracut-initqueue[1282]: ///lib/url-lib.sh@156(nfs_fetch_url): nfs_already_mounted 192.168.122.1 /home/data/ks.cfg
|
||||
[ 14.556279] localhost.localdomain dracut-initqueue[1282]: ///lib/url-lib.sh@137(nfs_already_mounted): local server=192.168.122.1 path=/home/data/ks.cfg s= p=
|
||||
...
|
||||
[ 14.654966] localhost.localdomain dracut-initqueue[1282]: ///lib/url-lib.sh@140(nfs_already_mounted): '[' 192.168.122.1 = 192.168.122.1 ']'
|
||||
[ 14.654966] localhost.localdomain dracut-initqueue[1282]: ///lib/url-lib.sh@141(nfs_already_mounted): '[' /home/data/ks.cfg = /home/data/ ']'
|
||||
[ 14.654966] localhost.localdomain dracut-initqueue[1282]: ///lib/url-lib.sh@143(nfs_already_mounted): str_starts /home/data/ks.cfg /home/data/
|
||||
[ 14.654966] localhost.localdomain dracut-initqueue[1282]: ///lib/dracut-lib.sh@51(str_starts): '[' ks.cfg '!=' /home/data/ks.cfg ']'
|
||||
[ 14.654966] localhost.localdomain dracut-initqueue[1282]: ///lib/url-lib.sh@144(nfs_already_mounted): echo /run/install/isodir//home/data/ks.cfg
|
||||
...
|
||||
[ 14.658069] localhost.localdomain dracut-initqueue[934]: //lib/url-lib.sh@156(nfs_fetch_url): mntdir=/run/install/isodir//home/data/ks.cfg
|
||||
|
||||
This function doesn't expect the trailiing slash of the nfs path in /proc/mounts, so it should be removed before processing it.
|
||||
|
||||
(cherry picked from commit b731369c5fe7f9247337fe08017638a38f36cfca)
|
||||
|
||||
Resolves: RHEL-108623
|
||||
---
|
||||
modules.d/45url-lib/url-lib.sh | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules.d/45url-lib/url-lib.sh b/modules.d/45url-lib/url-lib.sh
|
||||
index 56d0d683..e7c0d563 100755
|
||||
--- a/modules.d/45url-lib/url-lib.sh
|
||||
+++ b/modules.d/45url-lib/url-lib.sh
|
||||
@@ -122,6 +122,7 @@ nfs_already_mounted() {
|
||||
local server="$1" path="$2" localdir="" s="" p=""
|
||||
cat /proc/mounts | while read src mnt rest || [ -n "$src" ]; do
|
||||
splitsep ":" "$src" s p
|
||||
+ p=${p%/}
|
||||
if [ "$server" = "$s" ]; then
|
||||
if [ "$path" = "$p" ]; then
|
||||
echo $mnt
|
||||
@@ -138,7 +139,7 @@ nfs_fetch_url() {
|
||||
local filepath="${path%/*}" filename="${path##*/}" mntdir=""
|
||||
|
||||
# skip mount if server:/filepath is already mounted
|
||||
- mntdir=$(nfs_already_mounted "$server" "$path")
|
||||
+ mntdir=$(nfs_already_mounted "$server" "$filepath")
|
||||
if [ -z "$mntdir" ]; then
|
||||
local mntdir="$(mkuniqdir /run nfs_mnt)"
|
||||
mount_nfs "$nfs:$server:$filepath${options:+:$options}" "$mntdir"
|
||||
@ -1,166 +0,0 @@
|
||||
From ae15f5f15dfed1a6fbd4c5a014a5e32e4649067c Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Thu, 23 Apr 2026 17:20:04 +0200
|
||||
Subject: [PATCH] fix(network-legacy): replace `echo` writes with `printf` to
|
||||
prevent injection via DHCP
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
DHCP-provided variables (hostname, gateway) were written with echo into
|
||||
files later sourced as shell by net-lib.sh — allowing command injection
|
||||
from a rogue DHCP server.
|
||||
|
||||
Use printf with explicit variable escaping `%q` for sourced files:
|
||||
- .hostname files (DHCP hostname, sourced at net-lib.sh:131)
|
||||
- .gw files (DHCP routers, sourced at net-lib.sh:140)
|
||||
- do_static gateway and hostname (kernel cmdline ip= parameter)
|
||||
|
||||
Plain text config files (.resolv.conf) are left as echo — they are
|
||||
read by awk, not sourced as shell, so %q escaping would be incorrect.
|
||||
|
||||
(cherry picked from commit 7243b11f71f17d08a6b60024dfab8e3ddf338458)
|
||||
|
||||
Resolves: RHEL-170847
|
||||
---
|
||||
modules.d/35network-legacy/dhclient-script.sh | 28 ++++++++++++++++++---------
|
||||
modules.d/35network-legacy/ifup.sh | 25 ++++++++++++++----------
|
||||
2 files changed, 34 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/modules.d/35network-legacy/dhclient-script.sh b/modules.d/35network-legacy/dhclient-script.sh
|
||||
index 44633b30..a6463c3c 100755
|
||||
--- a/modules.d/35network-legacy/dhclient-script.sh
|
||||
+++ b/modules.d/35network-legacy/dhclient-script.sh
|
||||
@@ -46,23 +46,25 @@ setup_interface() {
|
||||
if [ -n "$gw" ] ; then
|
||||
if [ "$mask" = "255.255.255.255" ] ; then
|
||||
# point-to-point connection => set explicit route to gateway
|
||||
- echo ip route add $gw dev $netif > /tmp/net.$netif.gw
|
||||
+ printf 'ip route add %q dev %q\n' "$gw" "$netif" > /tmp/net."$netif".gw
|
||||
fi
|
||||
|
||||
echo "$gw" | {
|
||||
IFS=' ' read -r main_gw other_gw
|
||||
- echo ip route replace default via $main_gw dev $netif >> /tmp/net.$netif.gw
|
||||
+ printf 'ip route replace default via %q dev %q\n' "$main_gw" "$netif" >> /tmp/net."$netif".gw
|
||||
if [ -n "$other_gw" ] ; then
|
||||
for g in $other_gw; do
|
||||
- echo ip route add default via $g dev $netif >> /tmp/net.$netif.gw
|
||||
+ printf 'ip route add default via %q dev %q\n' "$g" "$netif" >> /tmp/net."$netif".gw
|
||||
done
|
||||
fi
|
||||
}
|
||||
fi
|
||||
|
||||
if getargbool 1 rd.peerdns; then
|
||||
- [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf
|
||||
- if [ -n "$namesrv" ] ; then
|
||||
+ if [ -n "${search}${domain}" ]; then
|
||||
+ echo "search $search $domain" > /tmp/net."$netif".resolv.conf
|
||||
+ fi
|
||||
+ if [ -n "$namesrv" ]; then
|
||||
for s in $namesrv; do
|
||||
echo nameserver $s
|
||||
done
|
||||
@@ -70,7 +72,10 @@ setup_interface() {
|
||||
fi
|
||||
# Note: hostname can be fqdn OR short hostname, so chop off any
|
||||
# trailing domain name and explicity add any domain if set.
|
||||
- [ -n "$hostname" ] && echo "echo ${hostname%.$domain}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net.$netif.hostname
|
||||
+ if [ -n "$hostname" ]; then
|
||||
+ safe_hostname=$(printf '%s' "${hostname%."$domain"}${domain:+.$domain}")
|
||||
+ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname
|
||||
+ fi
|
||||
}
|
||||
|
||||
setup_interface6() {
|
||||
@@ -91,8 +96,10 @@ setup_interface6() {
|
||||
${preferred_lft:+preferred_lft ${preferred_lft}}
|
||||
|
||||
if getargbool 1 rd.peerdns; then
|
||||
- [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf
|
||||
- if [ -n "$namesrv" ] ; then
|
||||
+ if [ -n "${search}${domain}" ]; then
|
||||
+ echo "search $search $domain" > /tmp/net."$netif".resolv.conf
|
||||
+ fi
|
||||
+ if [ -n "$namesrv" ]; then
|
||||
for s in $namesrv; do
|
||||
echo nameserver $s
|
||||
done
|
||||
@@ -101,7 +108,10 @@ setup_interface6() {
|
||||
|
||||
# Note: hostname can be fqdn OR short hostname, so chop off any
|
||||
# trailing domain name and explicity add any domain if set.
|
||||
- [ -n "$hostname" ] && echo "echo ${hostname%.$domain}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net.$netif.hostname
|
||||
+ if [ -n "$hostname" ]; then
|
||||
+ safe_hostname=$(printf '%s' "${hostname%."$domain"}${domain:+.$domain}")
|
||||
+ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname
|
||||
+ fi
|
||||
}
|
||||
|
||||
parse_option_121() {
|
||||
diff --git a/modules.d/35network-legacy/ifup.sh b/modules.d/35network-legacy/ifup.sh
|
||||
index 0e9a6928..3d4aadee 100755
|
||||
--- a/modules.d/35network-legacy/ifup.sh
|
||||
+++ b/modules.d/35network-legacy/ifup.sh
|
||||
@@ -88,10 +88,11 @@ do_ipv6auto() {
|
||||
linkup $netif
|
||||
wait_for_ipv6_auto $netif
|
||||
ret=$?
|
||||
-
|
||||
- [ -n "$hostname" ] && echo "echo $hostname > /proc/sys/kernel/hostname" > /tmp/net.$netif.hostname
|
||||
-
|
||||
- return $ret
|
||||
+ if [ -n "$hostname" ]; then
|
||||
+ safe_hostname=$(printf '%s' "${hostname}")
|
||||
+ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname
|
||||
+ fi
|
||||
+ return "$ret"
|
||||
}
|
||||
|
||||
# Handle static ip configuration
|
||||
@@ -142,8 +143,12 @@ do_static() {
|
||||
ip addr add $ip/$mask ${srv:+peer $srv} brd + dev $netif
|
||||
fi
|
||||
|
||||
- [ -n "$gw" ] && echo ip route replace default via $gw dev $netif > /tmp/net.$netif.gw
|
||||
- [ -n "$hostname" ] && echo "echo $hostname > /proc/sys/kernel/hostname" > /tmp/net.$netif.hostname
|
||||
+ [ -n "$gw" ] && printf "ip route replace default via %q dev %q\n" "$gw" "$netif" > "/tmp/net.${netif}.gw"
|
||||
+
|
||||
+ if [ -n "$hostname" ]; then
|
||||
+ safe_hostname=$(printf '%s' "${hostname}")
|
||||
+ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname
|
||||
+ fi
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -366,8 +371,8 @@ fi
|
||||
[ -n "$2" -a "$2" = "-m" ] && [ -z "$netroot" ] && manualup="$2"
|
||||
|
||||
if [ -n "$manualup" ]; then
|
||||
- >/tmp/net.$netif.manualup
|
||||
- rm -f /tmp/net.${netif}.did-setup
|
||||
+ : > "/tmp/net.${netif}.manualup"
|
||||
+ rm -f "/tmp/net.${netif}.did-setup"
|
||||
else
|
||||
[ -e /tmp/net.${netif}.did-setup ] && exit 0
|
||||
[ -z "$DO_VLAN" ] && \
|
||||
@@ -425,7 +430,7 @@ for p in $(getargs ip=); do
|
||||
# Store config for later use
|
||||
for i in ip srv gw mask hostname macaddr mtu dns1 dns2; do
|
||||
eval '[ "$'$i'" ] && echo '$i'="$'$i'"'
|
||||
- done > /tmp/net.$netif.override
|
||||
+ done > "/tmp/net.${netif}.override"
|
||||
|
||||
for autoopt in $(str_replace "$autoconf" "," " "); do
|
||||
case $autoopt in
|
||||
@@ -447,7 +452,7 @@ for p in $(getargs ip=); do
|
||||
# setup nameserver
|
||||
for s in "$dns1" "$dns2" $(getargs nameserver); do
|
||||
[ -n "$s" ] || continue
|
||||
- echo nameserver $s >> /tmp/net.$netif.resolv.conf
|
||||
+ echo "nameserver $s" >> "/tmp/net.${netif}.resolv.conf"
|
||||
done
|
||||
|
||||
if [ $ret -eq 0 ]; then
|
||||
|
||||
@ -1,107 +0,0 @@
|
||||
From 28a91383a6fadd3120ea58c00106fe5af4708a1d Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Wed, 29 Apr 2026 04:46:15 +0200
|
||||
Subject: [PATCH] fix(iscsi): replace `echo` writes with `printf` to prevent
|
||||
variable injection
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Use printf with explicit variable escaping `%q` for shell scripts:
|
||||
- mount-lun.sh hookdir script (iscsi_lun variable)
|
||||
- udev rule (iscsi_lun sanitized via tr -d '"')
|
||||
- initiatorname.iscsi (sourced as shell at iscsiroot.sh:161-163)
|
||||
|
||||
Note: initiatorname.iscsi is also read by iscsid as plain text (no
|
||||
shell unquoting). For valid IQNs ([a-z0-9.:_-]), %q is a no-op, so
|
||||
iscsid sees the value unchanged. For malicious values with special
|
||||
characters, %q would produce shell escaping that iscsid reads
|
||||
literally — breaking the connection rather than allowing injection.
|
||||
|
||||
(cherry picked from commit e61fe6afe015744baebfd96411015ae360c1af08)
|
||||
|
||||
Related: RHEL-170847
|
||||
---
|
||||
modules.d/95iscsi/iscsiroot.sh | 16 ++++++++--------
|
||||
modules.d/95iscsi/parse-iscsiroot.sh | 4 ++--
|
||||
2 files changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/modules.d/95iscsi/iscsiroot.sh b/modules.d/95iscsi/iscsiroot.sh
|
||||
index 029060e0..4485e3f9 100755
|
||||
--- a/modules.d/95iscsi/iscsiroot.sh
|
||||
+++ b/modules.d/95iscsi/iscsiroot.sh
|
||||
@@ -132,12 +132,12 @@ handle_netroot()
|
||||
fsopts=${fsopts:+$fsopts,}${iscsirw}
|
||||
|
||||
if [ -z "$iscsi_initiator" ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then
|
||||
- iscsi_initiator=$(while read line || [ -n "$line" ]; do echo $line;done < /sys/firmware/ibft/initiator/initiator-name)
|
||||
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
+ iscsi_initiator=$(while read -r line || [ -n "$line" ]; do echo "$line"; done < /sys/firmware/ibft/initiator/initiator-name)
|
||||
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
rm -f /etc/iscsi/initiatorname.iscsi
|
||||
mkdir -p /etc/iscsi
|
||||
ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
|
||||
- > /tmp/iscsi_set_initiator
|
||||
+ : > /tmp/iscsi_set_initiator
|
||||
if [ -n "$DRACUT_SYSTEMD" ]; then
|
||||
systemctl try-restart iscsid
|
||||
# FIXME: iscsid is not yet ready, when the service is :-/
|
||||
@@ -154,7 +154,7 @@ handle_netroot()
|
||||
|
||||
if [ -z "$iscsi_initiator" ]; then
|
||||
iscsi_initiator=$(iscsi-iname)
|
||||
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
rm -f /etc/iscsi/initiatorname.iscsi
|
||||
mkdir -p /etc/iscsi
|
||||
ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
|
||||
@@ -179,7 +179,7 @@ handle_netroot()
|
||||
iscsi_lun=0
|
||||
fi
|
||||
|
||||
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
ln -fs /run/initiatorname.iscsi /dev/.initiatorname.iscsi
|
||||
if ! [ -e /etc/iscsi/initiatorname.iscsi ]; then
|
||||
mkdir -p /etc/iscsi
|
||||
@@ -200,14 +200,14 @@ handle_netroot()
|
||||
|
||||
if [ "$root" = "dhcp" ] || [ "$netroot" = "dhcp" ]; then
|
||||
# if root is not specified try to mount the whole iSCSI LUN
|
||||
- printf 'SYMLINK=="disk/by-path/*-iscsi-*-%s", SYMLINK+="root"\n' "$iscsi_lun" >> /etc/udev/rules.d/99-iscsi-root.rules
|
||||
+ printf 'SYMLINK=="disk/by-path/*-iscsi-*-%s", SYMLINK+="root"\n' "$(printf '%s' "$iscsi_lun" | tr -d '"')" >> /etc/udev/rules.d/99-iscsi-root.rules
|
||||
udevadm control --reload
|
||||
write_fs_tab /dev/root
|
||||
wait_for_dev -n /dev/root
|
||||
|
||||
# install mount script
|
||||
- [ -z "$DRACUT_SYSTEMD" ] && \
|
||||
- echo "iscsi_lun=$iscsi_lun . /bin/mount-lun.sh " > $hookdir/mount/01-$$-iscsi.sh
|
||||
+ [ -z "$DRACUT_SYSTEMD" ] \
|
||||
+ && printf 'iscsi_lun=%q . /bin/mount-lun.sh\n' "$iscsi_lun" > "$hookdir"/mount/01-$$-iscsi.sh
|
||||
fi
|
||||
|
||||
targets=$(iscsiadm -m discovery -t st -p $iscsi_target_ip:${iscsi_target_port:+$iscsi_target_port} | sed 's/^.*iqn/iqn/')
|
||||
diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh
|
||||
index 8d6e3e8c..1a26041d 100755
|
||||
--- a/modules.d/95iscsi/parse-iscsiroot.sh
|
||||
+++ b/modules.d/95iscsi/parse-iscsiroot.sh
|
||||
@@ -105,7 +105,7 @@ fi
|
||||
|
||||
if arg=$(getarg rd.iscsi.initiator -d iscsi_initiator=) && [ -n "$arg" ] && ! [ -f /run/initiatorname.iscsi ] ; then
|
||||
iscsi_initiator=$arg
|
||||
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
ln -fs /run/initiatorname.iscsi /dev/.initiatorname.iscsi
|
||||
rm -f /etc/iscsi/initiatorname.iscsi
|
||||
mkdir -p /etc/iscsi
|
||||
@@ -121,7 +121,7 @@ fi
|
||||
if [ -z $iscsi_initiator ] && [ -f /sys/firmware/ibft/initiator/initiator-name ] && ! [ -f /tmp/iscsi_set_initiator ]; then
|
||||
iscsi_initiator=$(while read line || [ -n "$line" ]; do echo $line;done < /sys/firmware/ibft/initiator/initiator-name)
|
||||
if [ -n "$iscsi_initiator" ]; then
|
||||
- echo "InitiatorName=$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
+ printf 'InitiatorName=%q\n' "$iscsi_initiator" > /run/initiatorname.iscsi
|
||||
rm -f /etc/iscsi/initiatorname.iscsi
|
||||
mkdir -p /etc/iscsi
|
||||
ln -fs /run/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
|
||||
|
||||
@ -1,50 +0,0 @@
|
||||
From 4107f122969044e3e6f2e976cf8294dd9d91a1ee Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Tue, 12 May 2026 03:25:20 +0200
|
||||
Subject: [PATCH] fix(network): warn on suspicious shell metacharacters in
|
||||
hostname file
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
setup_net() sources /tmp/net.$netif.hostname as shell, which is written
|
||||
by dhclient-script.sh or ifup.sh. Add a defensive check that warns if
|
||||
the file contains shell metacharacters ($, `, ;, &, |, () that should
|
||||
never appear in a legitimate hostname, indicating possible DHCP-based
|
||||
command injection attempts.
|
||||
|
||||
The file is still sourced for compatibility — the writer-side fix
|
||||
(printf '%q') already prevents execution of injected content.
|
||||
|
||||
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
||||
|
||||
Related: RHEL-170847
|
||||
---
|
||||
modules.d/40network/net-lib.sh | 13 ++++++++++---
|
||||
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
|
||||
index 128d6343..bbfb0a9f 100755
|
||||
--- a/modules.d/40network/net-lib.sh
|
||||
+++ b/modules.d/40network/net-lib.sh
|
||||
@@ -117,9 +117,16 @@ setup_net() {
|
||||
[ -e "/tmp/net.ifaces" ] && read IFACES < /tmp/net.ifaces
|
||||
[ -z "$IFACES" ] && IFACES="$netif"
|
||||
# run the scripts written by ifup
|
||||
- [ -e /tmp/net.$netif.hostname ] && . /tmp/net.$netif.hostname
|
||||
- [ -e /tmp/net.$netif.override ] && . /tmp/net.$netif.override
|
||||
- [ -e /tmp/dhclient.$netif.dhcpopts ] && . /tmp/dhclient.$netif.dhcpopts
|
||||
+ if [ -e /tmp/net."$netif".hostname ]; then
|
||||
+ if grep -qE '[$`;&|(]' /tmp/net."$netif".hostname 2>/dev/null; then
|
||||
+ warn "setup_net $netif: /tmp/net.$netif.hostname contains suspicious shell metacharacters"
|
||||
+ fi
|
||||
+ # shellcheck disable=SC1090
|
||||
+ . /tmp/net."$netif".hostname
|
||||
+ fi
|
||||
+ [ -e /tmp/net."$netif".override ] && . /tmp/net."$netif".override
|
||||
+ [ -e /tmp/dhclient."$netif".dhcpopts ] && . /tmp/dhclient."$netif".dhcpopts
|
||||
+
|
||||
# set up resolv.conf
|
||||
[ -e /tmp/net.$netif.resolv.conf ] && \
|
||||
awk '!array[$0]++' /tmp/net.$netif.resolv.conf > /etc/resolv.conf
|
||||
|
||||
@ -1,72 +0,0 @@
|
||||
From eaf700abda3eb7a1f7eecd6b8f374adc4bfe6349 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Tue, 12 May 2026 03:27:22 +0200
|
||||
Subject: [PATCH] fix(base): escape arguments in initqueue hook script
|
||||
generation
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
initqueue.sh writes arguments directly into generated hook scripts
|
||||
via `echo "$exe" "$@"`. These scripts are later sourced by
|
||||
dracut-initqueue.sh, so shell metacharacters in arguments (e.g.
|
||||
DHCP-derived $netroot passed from parse-iscsiroot.sh) execute as
|
||||
root in initramfs.
|
||||
|
||||
Replace `echo` with `printf '%q'` to shell-escape all arguments
|
||||
before writing them into the hook script, preventing command
|
||||
injection via DHCP-controlled netroot values.
|
||||
|
||||
Remove the fragile embedded single-quote wrapping ("'$var'") from
|
||||
parse-iscsiroot.sh call sites (lines 90, 102) — those relied on
|
||||
echo writing quotes verbatim for the shell to strip when sourcing.
|
||||
With printf '%q', initqueue now handles escaping centrally, so the
|
||||
manual wrapping is no longer needed and would cause literal quote
|
||||
characters to leak into iscsiroot arguments.
|
||||
|
||||
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
||||
|
||||
Related: RHEL-170847
|
||||
---
|
||||
modules.d/95iscsi/parse-iscsiroot.sh | 6 +++---
|
||||
modules.d/99base/initqueue.sh | 3 ++-
|
||||
2 files changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/modules.d/95iscsi/parse-iscsiroot.sh b/modules.d/95iscsi/parse-iscsiroot.sh
|
||||
index 1a26041d..241f1bdd 100755
|
||||
--- a/modules.d/95iscsi/parse-iscsiroot.sh
|
||||
+++ b/modules.d/95iscsi/parse-iscsiroot.sh
|
||||
@@ -87,7 +87,7 @@ if [ -n "$iscsi_firmware" ]; then
|
||||
echo "${DRACUT_SYSTEMD+systemctl is-active initrd-root-device.target || }[ -f '/tmp/iscsistarted-firmware' ]" > $hookdir/initqueue/finished/iscsi_started.sh
|
||||
initqueue --unique --online /sbin/iscsiroot online "iscsi:" "$NEWROOT"
|
||||
initqueue --unique --onetime --timeout /sbin/iscsiroot timeout "iscsi:" "$NEWROOT"
|
||||
- initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "'$NEWROOT'"
|
||||
+ initqueue --unique --onetime --settled /sbin/iscsiroot online "iscsi:" "$NEWROOT"
|
||||
fi
|
||||
|
||||
# ISCSI actually supported?
|
||||
@@ -98,8 +98,8 @@ fi
|
||||
modprobe --all -b -q qla4xxx cxgb3i cxgb4i bnx2i be2iscsi
|
||||
|
||||
if [ -n "$netroot" ] && [ "$root" != "/dev/root" ] && [ "$root" != "dhcp" ]; then
|
||||
- if ! getargbool 1 rd.neednet >/dev/null || ! getarg "ip="; then
|
||||
- initqueue --unique --onetime --settled /sbin/iscsiroot dummy "'$netroot'" "'$NEWROOT'"
|
||||
+ if ! getargbool 1 rd.neednet > /dev/null || ! getarg "ip="; then
|
||||
+ initqueue --unique --onetime --settled /sbin/iscsiroot dummy "$netroot" "$NEWROOT"
|
||||
fi
|
||||
fi
|
||||
|
||||
diff --git a/modules.d/99base/initqueue.sh b/modules.d/99base/initqueue.sh
|
||||
index c3016383..184414ab 100755
|
||||
--- a/modules.d/99base/initqueue.sh
|
||||
+++ b/modules.d/99base/initqueue.sh
|
||||
@@ -52,7 +52,8 @@ fi
|
||||
{
|
||||
[ -n "$onetime" ] && echo '[ -e "$job" ] && rm -f -- "$job"'
|
||||
[ -n "$env" ] && echo "$env"
|
||||
- echo "$exe" "$@"
|
||||
+ printf '%q ' "$exe" "$@"
|
||||
+ printf '\n'
|
||||
} > "/tmp/$$-${job}.sh"
|
||||
|
||||
mv -f "/tmp/$$-${job}.sh" "$hookdir/initqueue${qname}/${job}.sh"
|
||||
@ -1,43 +0,0 @@
|
||||
From 632d574019b8c89b4d09492518525ec9c524338e Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Valena <pvalena@redhat.com>
|
||||
Date: Fri, 29 May 2026 17:53:37 +0200
|
||||
Subject: [PATCH] fix(network-manager): escape DHCP lease values in dhcpopts
|
||||
generation
|
||||
|
||||
The sed-based substitution in nm-run.sh writes DHCP-controlled values
|
||||
from NetworkManager device state files directly into shell variable
|
||||
assignments without any escaping. The generated dhcpopts file is later
|
||||
sourced as shell, allowing a rogue DHCP server to inject arbitrary
|
||||
commands via crafted root-path, next-server, or dhcp-bootfile values.
|
||||
|
||||
Replace the sed pipeline with a while/read loop using printf '%q' to
|
||||
shell-escape all values before writing them into the dhcpopts file.
|
||||
This is consistent with how later dracut versions (rhel-9+) handle the
|
||||
same data via kf_parse() with printf '%q'.
|
||||
|
||||
Related: RHEL-170847
|
||||
|
||||
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
||||
---
|
||||
modules.d/35network-manager/nm-run.sh | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules.d/35network-manager/nm-run.sh b/modules.d/35network-manager/nm-run.sh
|
||||
index 94c19545..0a92afb6 100755
|
||||
--- a/modules.d/35network-manager/nm-run.sh
|
||||
+++ b/modules.d/35network-manager/nm-run.sh
|
||||
@@ -22,7 +22,13 @@ do
|
||||
state=/run/NetworkManager/devices/$(cat $_i/ifindex)
|
||||
grep -q connection-uuid= $state 2>/dev/null || continue
|
||||
ifname=${_i##*/}
|
||||
- sed -n 's/root-path/new_root_path/p;s/next-server/new_next_server/p;s/dhcp-bootfile/filename/p' <$state >/tmp/dhclient.$ifname.dhcpopts
|
||||
+ while IFS='=' read -r key val; do
|
||||
+ case "$key" in
|
||||
+ root-path) printf 'new_root_path=%q\n' "$val" ;;
|
||||
+ next-server) printf 'new_next_server=%q\n' "$val" ;;
|
||||
+ dhcp-bootfile) printf 'filename=%q\n' "$val" ;;
|
||||
+ esac
|
||||
+ done < "$state" > /tmp/dhclient."$ifname".dhcpopts
|
||||
source_hook initqueue/online $ifname
|
||||
/sbin/netroot $ifname
|
||||
done
|
||||
@ -5,7 +5,7 @@
|
||||
# strip the automatically generated dep here and instead co-own the
|
||||
# directory.
|
||||
%global __requires_exclude pkg-config
|
||||
%define dist_free_release 244.git20260529
|
||||
%define dist_free_release 233.git20240115
|
||||
|
||||
Name: dracut
|
||||
Version: 049
|
||||
@ -260,17 +260,6 @@ Patch229: 0229.patch
|
||||
Patch230: 0230.patch
|
||||
Patch231: 0231.patch
|
||||
Patch232: 0232.patch
|
||||
Patch233: 0233.patch
|
||||
Patch234: 0234.patch
|
||||
Patch235: 0235.patch
|
||||
Patch236: 0236.patch
|
||||
Patch237: 0237.patch
|
||||
Patch238: 0238.patch
|
||||
Patch239: 0239.patch
|
||||
Patch240: 0240.patch
|
||||
Patch241: 0241.patch
|
||||
Patch242: 0242.patch
|
||||
Patch243: 0243.patch
|
||||
|
||||
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
|
||||
|
||||
@ -690,7 +679,6 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
|
||||
%{dracutlibdir}/modules.d/95znet
|
||||
%endif
|
||||
%{dracutlibdir}/modules.d/99uefi-lib
|
||||
%attr(0644,root,root) %ghost %{_sysconfdir}/dracut.conf.d/50-network-legacy.conf
|
||||
|
||||
%files caps
|
||||
%{dracutlibdir}/modules.d/02caps
|
||||
@ -727,24 +715,6 @@ echo '# Since rhel-8.3 dracut moved to use NetworkManager
|
||||
add_dracutmodules+=" network-legacy "' > /etc/dracut.conf.d/50-network-legacy.conf
|
||||
|
||||
%changelog
|
||||
* Fri May 29 2026 Pavel Valena <pvalena@redhat.com> - 049-244.git20260529
|
||||
- fix(network-manager): escape DHCP lease values in dhcpopts
|
||||
- fix(network-legacy): replace `echo` writes with `printf` to
|
||||
- fix(iscsi): replace `echo` writes with `printf` to prevent
|
||||
- fix(network): warn on suspicious shell metacharacters in
|
||||
- fix(base): escape arguments in initqueue hook script
|
||||
|
||||
* Thu Nov 27 2025 Pavel Valena <pvalena@redhat.com> - 049-239.git20251127
|
||||
- fix(multipath): disable user_friendly_names with mpathconf
|
||||
- fix(url-lib.sh): nfs_already_mounted() with trailing slash in
|
||||
|
||||
* Wed Jun 04 2025 Pavel Valena <pvalena@redhat.com> - 049-237.git20250603
|
||||
- fix(rescue): create hmac file for rescue kernel
|
||||
- fix(spec): drop %config from 50-network-legacy.conf
|
||||
|
||||
* Tue Apr 15 2025 Pavel Valena <pvalena@redhat.com> - 049-234.git20240115
|
||||
- spec: own 50-network-legacy.conf
|
||||
|
||||
* Mon Jan 15 2024 Pavel Valena <pvalena@redhat.com> - 049-233.git20240115
|
||||
- fix(dracut.sh): remove microcode check based on
|
||||
- fix(qeth_rules): check the existence of
|
||||
|
||||
Loading…
Reference in New Issue
Block a user