Compare commits
No commits in common. "c9s-rebase-2.1.6" and "c8" have entirely different histories.
c9s-rebase
...
c8
@ -1 +0,0 @@
|
||||
1
|
||||
125
.gitignore
vendored
125
.gitignore
vendored
@ -1,115 +1,10 @@
|
||||
/fwupd-0.1.0.tar.xz
|
||||
/fwupd-0.1.1.tar.xz
|
||||
/fwupd-0.1.2.tar.xz
|
||||
/fwupd-0.1.3.tar.xz
|
||||
/fwupd-0.1.4.tar.xz
|
||||
/fwupd-0.1.5.tar.xz
|
||||
/fwupd-0.1.6.tar.xz
|
||||
/fwupd-0.5.0.tar.xz
|
||||
/fwupd-0.5.1.tar.xz
|
||||
/fwupd-0.5.2.tar.xz
|
||||
/fwupd-0.5.3.tar.xz
|
||||
/fwupd-0.5.4.tar.xz
|
||||
/fwupd-0.6.0.tar.xz
|
||||
/fwupd-0.6.1.tar.xz
|
||||
/fwupd-0.6.2.tar.xz
|
||||
/fwupd-0.6.3.tar.xz
|
||||
/fwupd-0.7.0.tar.xz
|
||||
/fwupd-0.7.1.tar.xz
|
||||
/fwupd-0.7.2.tar.xz
|
||||
/fwupd-0.7.3.tar.xz
|
||||
/fwupd-0.7.4.tar.xz
|
||||
/fwupd-0.7.5.tar.xz
|
||||
/fwupd-0.8.0.tar.xz
|
||||
/fwupd-0.8.1.tar.xz
|
||||
/fwupd-0.8.2.tar.xz
|
||||
/fwupd-0.9.2.tar.xz
|
||||
/fwupd-0.9.3.tar.xz
|
||||
/fwupd-0.9.4.tar.xz
|
||||
/fwupd-0.9.5.tar.xz
|
||||
/fwupd-0.9.6.tar.xz
|
||||
/fwupd-0.9.7.tar.xz
|
||||
/fwupd-1.0.0.tar.xz
|
||||
/fwupd-1.0.1.tar.xz
|
||||
/fwupd-1.0.2.tar.xz
|
||||
/fwupd-1.0.3.tar.xz
|
||||
/fwupd-1.0.4.tar.xz
|
||||
/fwupd-1.0.5.tar.xz
|
||||
/fwupd-1.0.6.tar.xz
|
||||
/fwupd-1.0.7.tar.xz
|
||||
/fwupd-1.0.8.tar.xz
|
||||
/fwupd-1.1.0.tar.xz
|
||||
/fwupd-1.1.1.tar.xz
|
||||
/fwupd-1.1.2.tar.xz
|
||||
/fwupd-1.1.3.tar.xz
|
||||
/fwupd-1.2.0.tar.xz
|
||||
/fwupd-1.2.1.tar.xz
|
||||
/fwupd-1.2.2.tar.xz
|
||||
/fwupd-1.2.3.tar.xz
|
||||
/fwupd-1.2.4.tar.xz
|
||||
/fwupd-1.2.5.tar.xz
|
||||
/fwupd-1.2.6.tar.xz
|
||||
/fwupd-1.2.7.tar.xz
|
||||
/fwupd-1.2.8.tar.xz
|
||||
/fwupd-1.2.9.tar.xz
|
||||
/fwupd-1.2.10.tar.xz
|
||||
/fwupd-1.3.2.tar.xz
|
||||
/fwupd-1.3.3.tar.xz
|
||||
/fwupd-1.3.4.tar.xz
|
||||
/fwupd-1.3.5.tar.xz
|
||||
/fwupd-1.3.6.tar.xz
|
||||
/fwupd-1.3.7.tar.xz
|
||||
/fwupd-1.3.8.tar.xz
|
||||
/fwupd-1.3.9.tar.xz
|
||||
/fwupd-1.4.0.tar.xz
|
||||
/fwupd-1.4.1.tar.xz
|
||||
/fwupd-1.4.2.tar.xz
|
||||
/fwupd-1.4.3.tar.xz
|
||||
/fwupd-1.4.4.tar.xz
|
||||
/fwupd-1.4.5.tar.xz
|
||||
/fwupd-1.4.6.tar.xz
|
||||
/fwupd-1.5.0.tar.xz
|
||||
/fwupd-1.5.1.tar.xz
|
||||
/fwupd-1.5.2.tar.xz
|
||||
/fwupd-1.5.3.tar.xz
|
||||
/fwupd-1.5.4.tar.xz
|
||||
/fwupd-1.5.5.tar.xz
|
||||
/fwupd-1.5.9.tar.xz
|
||||
/DBXUpdate-20100307-x64.cab
|
||||
/DBXUpdate-20140413-x64.cab
|
||||
/DBXUpdate-20160809-x64.cab
|
||||
/DBXUpdate-20200729-aa64.cab
|
||||
/DBXUpdate-20200729-ia32.cab
|
||||
/DBXUpdate-20200729-x64.cab
|
||||
/fwupd-1.7.1.tar.xz
|
||||
/fwupd-efi-1.1.tar.xz
|
||||
/fwupd-1.7.4.tar.xz
|
||||
/fwupd-1.7.9.tar.xz
|
||||
/fwupd-efi-1.3.tar.xz
|
||||
/DBXUpdate-20210429-x64.cab
|
||||
/DBXUpdate-20220812-aa64.cab
|
||||
/DBXUpdate-20220812-ia32.cab
|
||||
/DBXUpdate-20220812-x64.cab
|
||||
/fwupd-1.7.10.tar.xz
|
||||
/fwupd-efi-1.3.tar.xz
|
||||
/fwupd-efi-1.4.tar.xz
|
||||
/fwupd-1.8.10.tar.xz
|
||||
/fwupd-1.8.16.tar.xz
|
||||
/DBXUpdate-20230509-aa64.cab
|
||||
/DBXUpdate-20230509-ia32.cab
|
||||
/DBXUpdate-20230509-x64.cab
|
||||
/fwupd-1.9.10.tar.xz
|
||||
/fwupd-1.9.11.tar.xz
|
||||
/fwupd-1.9.12.tar.xz
|
||||
/fwupd-1.9.13.tar.xz
|
||||
/fwupd-1.9.26.tar.xz
|
||||
/fwupd-1.9.29.tar.xz
|
||||
/DBXUpdate-20241101-x64.cab
|
||||
/fwupd-1.9.31.tar.xz
|
||||
/DBXUpdate-20250507-legacy-x64.cab
|
||||
/fwupd-2.0.19.tar.xz
|
||||
/40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6-DBXUpdate-20250507-x64.cab
|
||||
/1.7.tar.gz
|
||||
/fwupd-2.1.6.tar.xz
|
||||
/fwupd-efi-1.8.tar.gz
|
||||
/9edea8bc287bf9bf4659856b28cf421f330eb2f658c163eab0a03512a98c0e78-DBXUpdate-20260402-x64.cab
|
||||
SOURCES/DBXUpdate-20100307-x64.cab
|
||||
SOURCES/DBXUpdate-20140413-x64.cab
|
||||
SOURCES/DBXUpdate-20160809-x64.cab
|
||||
SOURCES/DBXUpdate-20200729-aa64.cab
|
||||
SOURCES/DBXUpdate-20200729-ia32.cab
|
||||
SOURCES/DBXUpdate-20200729-x64.cab
|
||||
SOURCES/almalinuxsecurebootca0.cer
|
||||
SOURCES/fwupd-1.7.8.tar.xz
|
||||
SOURCES/fwupd-efi-1.3.tar.xz
|
||||
SOURCES/libjcat-0.1.9.tar.xz
|
||||
|
||||
@ -1,209 +0,0 @@
|
||||
From 2ed98c7c2e0ac77b9967933af51615385f7e471d Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Thu, 2 Jul 2026 14:47:33 +0100
|
||||
Subject: [PATCH] Fix the seal self tests when building on a tmpfs
|
||||
|
||||
When fwupd is exploded onto a tmpfs the assumption of 'is a local file *not* a
|
||||
memfd' breaks. When fwupd is built using rpmbuild we do not control the
|
||||
buildroot filesystem, so make the 'is a sealed fd required' check more explicit.
|
||||
---
|
||||
src/fu-dbus-daemon.c | 3 +
|
||||
src/fu-engine.c | 6 ++
|
||||
src/fu-unix-seekable-input-stream-test.c | 17 +++++-
|
||||
src/fu-unix-seekable-input-stream.c | 70 ++++++++++++++++--------
|
||||
src/fu-unix-seekable-input-stream.h | 2 +
|
||||
5 files changed, 73 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/fu-dbus-daemon.c b/src/fu-dbus-daemon.c
|
||||
index 72cc36fad..de8aa9a26 100644
|
||||
--- a/src/fu-dbus-daemon.c
|
||||
+++ b/src/fu-dbus-daemon.c
|
||||
@@ -1158,6 +1158,9 @@ fu_dbus_daemon_invocation_get_input_stream(GDBusMethodInvocation *invocation, GE
|
||||
stream = fu_unix_seekable_input_stream_new(g_steal_fd(&fd), TRUE, error);
|
||||
if (stream == NULL)
|
||||
return NULL;
|
||||
+ if (!fu_unix_seekable_input_stream_require_seal(FU_UNIX_SEEKABLE_INPUT_STREAM(stream),
|
||||
+ error))
|
||||
+ return NULL;
|
||||
return g_steal_pointer(&stream);
|
||||
#else
|
||||
g_set_error_literal(error, FWUPD_ERROR, FWUPD_ERROR_INTERNAL, "unsupported feature");
|
||||
diff --git a/src/fu-engine.c b/src/fu-engine.c
|
||||
index 9eaed95ab..5820ea891 100644
|
||||
--- a/src/fu-engine.c
|
||||
+++ b/src/fu-engine.c
|
||||
@@ -5069,9 +5069,15 @@ fu_engine_update_metadata(FuEngine *self,
|
||||
stream_fd = fu_unix_seekable_input_stream_new(fd, TRUE, error);
|
||||
if (stream_fd == NULL)
|
||||
return FALSE;
|
||||
+ if (!fu_unix_seekable_input_stream_require_seal(FU_UNIX_SEEKABLE_INPUT_STREAM(stream_fd),
|
||||
+ error))
|
||||
+ return FALSE;
|
||||
stream_sig = fu_unix_seekable_input_stream_new(fd_sig, TRUE, error);
|
||||
if (stream_sig == NULL)
|
||||
return FALSE;
|
||||
+ if (!fu_unix_seekable_input_stream_require_seal(FU_UNIX_SEEKABLE_INPUT_STREAM(stream_sig),
|
||||
+ error))
|
||||
+ return FALSE;
|
||||
|
||||
/* read the entire file into memory */
|
||||
bytes_raw =
|
||||
diff --git a/src/fu-unix-seekable-input-stream-test.c b/src/fu-unix-seekable-input-stream-test.c
|
||||
index d65b70add..3b5e8d8ec 100644
|
||||
--- a/src/fu-unix-seekable-input-stream-test.c
|
||||
+++ b/src/fu-unix-seekable-input-stream-test.c
|
||||
@@ -84,6 +84,7 @@ static void
|
||||
fu_unix_seekable_input_stream_sealed_memfd_func(void)
|
||||
{
|
||||
#if defined(HAVE_GIO_UNIX) && defined(HAVE_MEMFD_CREATE)
|
||||
+ gboolean ret;
|
||||
g_autofd gint fd = -1;
|
||||
g_autoptr(GError) error = NULL;
|
||||
g_autoptr(GInputStream) stream = NULL;
|
||||
@@ -93,11 +94,18 @@ fu_unix_seekable_input_stream_sealed_memfd_func(void)
|
||||
g_assert_cmpint(fd, >=, 0);
|
||||
g_assert_cmpint(write(fd, data, sizeof(data)), ==, sizeof(data));
|
||||
g_assert_cmpint(lseek(fd, 0, SEEK_SET), ==, 0);
|
||||
- g_assert_cmpint(fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW), ==, 0);
|
||||
+ g_assert_cmpint(
|
||||
+ fcntl(fd, F_ADD_SEALS, F_SEAL_SEAL | F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW),
|
||||
+ ==,
|
||||
+ 0);
|
||||
|
||||
stream = fu_unix_seekable_input_stream_new(g_steal_fd(&fd), TRUE, &error);
|
||||
g_assert_no_error(error);
|
||||
g_assert_nonnull(stream);
|
||||
+ ret = fu_unix_seekable_input_stream_require_seal(FU_UNIX_SEEKABLE_INPUT_STREAM(stream),
|
||||
+ &error);
|
||||
+ g_assert_no_error(error);
|
||||
+ g_assert_true(ret);
|
||||
#else
|
||||
g_test_skip("No gio-unix-2.0 or memfd_create support, skipping");
|
||||
#endif
|
||||
@@ -107,6 +115,7 @@ static void
|
||||
fu_unix_seekable_input_stream_unsealed_memfd_func(void)
|
||||
{
|
||||
#if defined(HAVE_GIO_UNIX) && defined(HAVE_MEMFD_CREATE)
|
||||
+ gboolean ret;
|
||||
g_autofd gint fd = -1;
|
||||
g_autoptr(GError) error = NULL;
|
||||
g_autoptr(GInputStream) stream = NULL;
|
||||
@@ -118,8 +127,12 @@ fu_unix_seekable_input_stream_unsealed_memfd_func(void)
|
||||
g_assert_cmpint(lseek(fd, 0, SEEK_SET), ==, 0);
|
||||
|
||||
stream = fu_unix_seekable_input_stream_new(g_steal_fd(&fd), TRUE, &error);
|
||||
+ g_assert_no_error(error);
|
||||
+ g_assert_nonnull(stream);
|
||||
+ ret = fu_unix_seekable_input_stream_require_seal(FU_UNIX_SEEKABLE_INPUT_STREAM(stream),
|
||||
+ &error);
|
||||
g_assert_error(error, FWUPD_ERROR, FWUPD_ERROR_INVALID_FILE);
|
||||
- g_assert_null(stream);
|
||||
+ g_assert_false(ret);
|
||||
#else
|
||||
g_test_skip("No gio-unix-2.0 or memfd_create support, skipping");
|
||||
#endif
|
||||
diff --git a/src/fu-unix-seekable-input-stream.c b/src/fu-unix-seekable-input-stream.c
|
||||
index 4955c366c..591173812 100644
|
||||
--- a/src/fu-unix-seekable-input-stream.c
|
||||
+++ b/src/fu-unix-seekable-input-stream.c
|
||||
@@ -116,25 +116,6 @@ fu_unix_seekable_input_stream_seekable_iface_init(GSeekableIface *iface)
|
||||
iface->truncate_fn = fu_unix_seekable_input_stream_truncate;
|
||||
}
|
||||
|
||||
-static gboolean
|
||||
-fu_unix_seekable_input_stream_verify_sealed(gint fd, GError **error)
|
||||
-{
|
||||
-#ifdef HAVE_MEMFD_CREATE
|
||||
- gint seals = fcntl(fd, F_GET_SEALS);
|
||||
- if (seals >= 0 && (seals & (F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW)) !=
|
||||
- (F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW)) {
|
||||
- g_set_error(error,
|
||||
- FWUPD_ERROR,
|
||||
- FWUPD_ERROR_INVALID_FILE,
|
||||
- "fd is missing required seals, got 0x%x",
|
||||
- (guint)seals);
|
||||
- return FALSE;
|
||||
- }
|
||||
-#endif
|
||||
- /* success */
|
||||
- return TRUE;
|
||||
-}
|
||||
-
|
||||
/**
|
||||
* fu_unix_seekable_input_stream_new:
|
||||
* @fd: a UNIX file descriptor
|
||||
@@ -177,14 +158,57 @@ fu_unix_seekable_input_stream_new(gint fd, gboolean close_fd, GError **error)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- /* if the fd supports sealing (i.e. is a memfd) then require immutability */
|
||||
- if (!fu_unix_seekable_input_stream_verify_sealed(fd, error))
|
||||
- return NULL;
|
||||
-
|
||||
/* success */
|
||||
return g_steal_pointer(&stream);
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * fu_unix_seekable_input_stream_require_seal:
|
||||
+ * @stream: a #FuUnixSeekableInputStream
|
||||
+ * @error: (nullable): optional return location for an error
|
||||
+ *
|
||||
+ * Enforces that the file descriptor backing this stream is a memfd with the required seals set.
|
||||
+ *
|
||||
+ * Returns: %TRUE if sealed
|
||||
+ *
|
||||
+ * Since: 2.1.7
|
||||
+ **/
|
||||
+gboolean
|
||||
+fu_unix_seekable_input_stream_require_seal(FuUnixSeekableInputStream *stream, GError **error)
|
||||
+{
|
||||
+#ifdef HAVE_MEMFD_CREATE
|
||||
+ gint fd;
|
||||
+ gint seals;
|
||||
+
|
||||
+ g_return_val_if_fail(FU_IS_UNIX_SEEKABLE_INPUT_STREAM(stream), FALSE);
|
||||
+ g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
|
||||
+
|
||||
+ fd = g_unix_input_stream_get_fd(G_UNIX_INPUT_STREAM(stream));
|
||||
+ seals = fcntl(fd, F_GET_SEALS);
|
||||
+ if (seals < 0) {
|
||||
+ /* not supported on this fd */
|
||||
+ return TRUE;
|
||||
+ }
|
||||
+ if ((seals & F_SEAL_SEAL) == 0) {
|
||||
+ g_set_error_literal(error, FWUPD_ERROR, FWUPD_ERROR_INVALID_FILE, "fd not sealed");
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ if ((seals & F_SEAL_WRITE) == 0) {
|
||||
+ g_set_error_literal(error, FWUPD_ERROR, FWUPD_ERROR_INVALID_FILE, "no WRITE seal");
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ if ((seals & F_SEAL_SHRINK) == 0) {
|
||||
+ g_set_error_literal(error, FWUPD_ERROR, FWUPD_ERROR_INVALID_FILE, "no SHRINK seal");
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ if ((seals & F_SEAL_GROW) == 0) {
|
||||
+ g_set_error_literal(error, FWUPD_ERROR, FWUPD_ERROR_INVALID_FILE, "no GROW seal");
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+#endif
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
fu_unix_seekable_input_stream_class_init(FuUnixSeekableInputStreamClass *klass)
|
||||
{
|
||||
diff --git a/src/fu-unix-seekable-input-stream.h b/src/fu-unix-seekable-input-stream.h
|
||||
index 5f0a0656a..6d7b2acde 100644
|
||||
--- a/src/fu-unix-seekable-input-stream.h
|
||||
+++ b/src/fu-unix-seekable-input-stream.h
|
||||
@@ -18,3 +18,5 @@ G_DECLARE_FINAL_TYPE(FuUnixSeekableInputStream,
|
||||
|
||||
GInputStream *
|
||||
fu_unix_seekable_input_stream_new(gint fd, gboolean close_fd, GError **error);
|
||||
+gboolean
|
||||
+fu_unix_seekable_input_stream_require_seal(FuUnixSeekableInputStream *stream, GError **error);
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -1,45 +0,0 @@
|
||||
From 856cde012b6ee114b8ce44e090651adbc6c6ddf8 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Mon, 12 Jan 2026 12:07:40 +0000
|
||||
Subject: [PATCH] Revert "Require gnu-efi 3.0.18 or later"
|
||||
|
||||
This reverts commit 26c6ec5c1e7765fb5dc6a4df511ab21ee6c6e67a.
|
||||
---
|
||||
efi/meson.build | 6 ++++++
|
||||
meson.build | 3 ++-
|
||||
2 files changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/efi/meson.build b/efi/meson.build
|
||||
index a034bc2..af4bfa3 100644
|
||||
--- a/efi/meson.build
|
||||
+++ b/efi/meson.build
|
||||
@@ -45,6 +45,12 @@ if efi_libdir == ''
|
||||
endif
|
||||
endif
|
||||
|
||||
+have_gnu_efi = gnu_efi_path_arch != '' and efi_libdir != ''
|
||||
+
|
||||
+if not have_gnu_efi and not gnuefi.found()
|
||||
+ error('gnu-efi headers were not found')
|
||||
+endif
|
||||
+
|
||||
# The name we need to look for on this arch and OS: elf_x86_64_fbsd_efi.lds
|
||||
lds_os = ''
|
||||
if host_cpu == 'x86_64' and host_machine.system() == 'freebsd'
|
||||
diff --git a/meson.build b/meson.build
|
||||
index d632aaa..7052105 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -13,7 +13,8 @@ cc_ld = find_program(cc.get_linker_id())
|
||||
objcopy = find_program('objcopy')
|
||||
objcopy_version = run_command(objcopy, '--version', check: true).stdout().split('\n')[0].split(' ')[-1]
|
||||
|
||||
-gnuefi = dependency('gnu-efi', version: '>= 3.0.18')
|
||||
+# pkgconfig introduced in 3.0.18, allows compiling against older
|
||||
+gnuefi = dependency('gnu-efi', required: false)
|
||||
prefix = get_option('prefix')
|
||||
libdir = join_paths(prefix, get_option('libdir'))
|
||||
libexecdir = join_paths(prefix, get_option('libexecdir'))
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -1,42 +0,0 @@
|
||||
From f7352aa9e2157a5ed88d10278ef420a78c8a52f8 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Thu, 2 Jul 2026 16:16:28 +0100
|
||||
Subject: [PATCH] Seal memfds for compatibility with newer fwupd daemons
|
||||
|
||||
---
|
||||
libfwupd/fwupd-common.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libfwupd/fwupd-common.c b/libfwupd/fwupd-common.c
|
||||
index 3220c40a7..862210c8a 100644
|
||||
--- a/libfwupd/fwupd-common.c
|
||||
+++ b/libfwupd/fwupd-common.c
|
||||
@@ -1054,7 +1054,7 @@ fwupd_unix_input_stream_from_bytes(GBytes *bytes, GError **error)
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_MEMFD_CREATE
|
||||
- fd = memfd_create("fwupd", MFD_CLOEXEC);
|
||||
+ fd = memfd_create("fwupd", MFD_CLOEXEC | MFD_ALLOW_SEALING);
|
||||
#else
|
||||
/* emulate in-memory file by an unlinked temporary file */
|
||||
fd = g_mkstemp(tmp_file);
|
||||
@@ -1098,6 +1098,16 @@ fwupd_unix_input_stream_from_bytes(GBytes *bytes, GError **error)
|
||||
g_strerror(errno));
|
||||
return NULL;
|
||||
}
|
||||
+#ifdef HAVE_MEMFD_CREATE
|
||||
+ if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_SEAL) < 0) {
|
||||
+ g_set_error(error,
|
||||
+ FWUPD_ERROR,
|
||||
+ FWUPD_ERROR_INVALID_FILE,
|
||||
+ "failed to seal memfd: %s",
|
||||
+ strerror(errno));
|
||||
+ return NULL;
|
||||
+ }
|
||||
+#endif
|
||||
return G_UNIX_INPUT_STREAM(g_unix_input_stream_new(fd, TRUE));
|
||||
}
|
||||
|
||||
--
|
||||
2.54.0
|
||||
|
||||
29
SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
Normal file
29
SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Tue, 22 Aug 2023 10:05:27 +0100
|
||||
Subject: [PATCH] Use /usr/libexec/platform-python for RHEL
|
||||
|
||||
---
|
||||
meson.build | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/meson.build b/meson.build
|
||||
index bb406d616..ac90c8ee6 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes',
|
||||
endif
|
||||
|
||||
bashcomp = dependency('bash-completion', required: false)
|
||||
-if host_machine.system() != 'freebsd'
|
||||
- python3 = find_program('python3')
|
||||
-else
|
||||
- python3 = find_program('python3.8', 'python3', 'python3.9')
|
||||
-endif
|
||||
+python3 = find_program('/usr/libexec/platform-python')
|
||||
|
||||
if get_option('gnutls')
|
||||
gnutls = dependency('gnutls', version : '>= 3.6.0')
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -0,0 +1,28 @@
|
||||
From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Tue, 20 Sep 2022 08:06:12 +0100
|
||||
Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install
|
||||
time
|
||||
|
||||
Although typically we set the password using fu_plugin_set_secure_config_value()
|
||||
or something like Ansible or Puppet -- the user could just edit the file with
|
||||
vim and we still want the permissions set correctly.
|
||||
---
|
||||
plugins/redfish/meson.build | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
|
||||
index 34ba4b7f6..7b19574de 100644
|
||||
--- a/plugins/redfish/meson.build
|
||||
+++ b/plugins/redfish/meson.build
|
||||
@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish',
|
||||
|
||||
install_data(['redfish.conf'],
|
||||
install_dir: join_paths(sysconfdir, 'fwupd'),
|
||||
+ install_mode: 'rw-r-----',
|
||||
)
|
||||
|
||||
if get_option('tests')
|
||||
--
|
||||
2.39.1
|
||||
|
||||
@ -0,0 +1,47 @@
|
||||
From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Tue, 20 Sep 2022 09:13:52 +0100
|
||||
Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's
|
||||
going to work
|
||||
|
||||
Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI
|
||||
implementations are not specification compliant and do entirely the wrong thing.
|
||||
---
|
||||
plugins/redfish/fu-plugin-redfish.c | 8 ++++++++
|
||||
plugins/redfish/redfish.quirk | 2 +-
|
||||
2 files changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c
|
||||
index deb0fe742..3972d4b4b 100644
|
||||
--- a/plugins/redfish/fu-plugin-redfish.c
|
||||
+++ b/plugins/redfish/fu-plugin-redfish.c
|
||||
@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error)
|
||||
#ifdef HAVE_LINUX_IPMI_H
|
||||
/* we got neither a type 42 entry or config value, lets try IPMI */
|
||||
if (fu_redfish_backend_get_username(data->backend) == NULL) {
|
||||
+ if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) {
|
||||
+ g_set_error_literal(error,
|
||||
+ FWUPD_ERROR,
|
||||
+ FWUPD_ERROR_NOT_SUPPORTED,
|
||||
+ "no username and password specified, "
|
||||
+ "and no vendor quirk for 'ipmi-create-user'");
|
||||
+ return FALSE;
|
||||
+ }
|
||||
if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) {
|
||||
g_debug("attempting to create user using IPMI");
|
||||
if (!fu_redfish_plugin_ipmi_create_user(plugin, error))
|
||||
diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk
|
||||
index b12439926..5e9722fda 100644
|
||||
--- a/plugins/redfish/redfish.quirk
|
||||
+++ b/plugins/redfish/redfish.quirk
|
||||
@@ -1,6 +1,6 @@
|
||||
# Lenovo ThinkSystem
|
||||
[42f00735-c9ab-5374-bd63-a5deee5881e0]
|
||||
-Flags = wildcard-targets,reset-required
|
||||
+Flags = wildcard-targets,reset-required,ipmi-create-user
|
||||
|
||||
[REDFISH\VENDOR_Lenovo&ID_BMC-Backup]
|
||||
ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary
|
||||
--
|
||||
2.39.1
|
||||
|
||||
@ -0,0 +1,141 @@
|
||||
From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Hughes <richard@hughsie.com>
|
||||
Date: Wed, 21 Sep 2022 14:56:10 +0100
|
||||
Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by
|
||||
users
|
||||
|
||||
When the redfish plugin automatically creates an OPERATOR user account on the
|
||||
BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it
|
||||
is chmod'ed to 0660 before writing the file with g_key_file_save_to_file().
|
||||
|
||||
Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with
|
||||
the keyfile string data.
|
||||
I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being
|
||||
used to copy permissions, but alas not.
|
||||
|
||||
GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666,
|
||||
which undoes the previous chmod().
|
||||
|
||||
Use g_file_set_contents_full() with the correct mode for newer GLib versions,
|
||||
and provide a fallback with the same semantics for older versions.
|
||||
---
|
||||
contrib/fwupd.spec.in | 3 ++
|
||||
libfwupdplugin/fu-plugin.c | 65 +++++++++++++++++++++++++++++------
|
||||
libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++
|
||||
3 files changed, 114 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in
|
||||
index a50e30a9c..0854fcf4f 100644
|
||||
--- a/contrib/fwupd.spec.in
|
||||
+++ b/contrib/fwupd.spec.in
|
||||
@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do
|
||||
fi
|
||||
done
|
||||
|
||||
+# ensure this is private
|
||||
+chmod 0660 /etc/fwupd/redfish.conf
|
||||
+
|
||||
%preun
|
||||
%systemd_preun fwupd.service
|
||||
|
||||
diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c
|
||||
index 18042a028..04951de85 100644
|
||||
--- a/libfwupdplugin/fu-plugin.c
|
||||
+++ b/libfwupdplugin/fu-plugin.c
|
||||
@@ -9,6 +9,7 @@
|
||||
#include "config.h"
|
||||
|
||||
#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
#include <fwupd.h>
|
||||
#include <glib/gstdio.h>
|
||||
#include <gmodule.h>
|
||||
@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
|
||||
return g_key_file_save_to_file(keyfile, conf_path, error);
|
||||
}
|
||||
|
||||
+#if !GLIB_CHECK_VERSION(2, 66, 0)
|
||||
+
|
||||
+#define G_FILE_SET_CONTENTS_CONSISTENT 0
|
||||
+typedef guint GFileSetContentsFlags;
|
||||
+static gboolean
|
||||
+g_file_set_contents_full(const gchar *filename,
|
||||
+ const gchar *contents,
|
||||
+ gssize length,
|
||||
+ GFileSetContentsFlags flags,
|
||||
+ int mode,
|
||||
+ GError **error)
|
||||
+{
|
||||
+ gint fd;
|
||||
+ gssize wrote;
|
||||
+
|
||||
+ if (length < 0)
|
||||
+ length = strlen(contents);
|
||||
+ fd = g_open(filename, O_CREAT, mode);
|
||||
+ if (fd <= 0) {
|
||||
+ g_set_error(error,
|
||||
+ G_IO_ERROR,
|
||||
+ G_IO_ERROR_FAILED,
|
||||
+ "could not open %s file",
|
||||
+ filename);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ wrote = write(fd, contents, length);
|
||||
+ if (wrote != length) {
|
||||
+ g_set_error(error,
|
||||
+ G_IO_ERROR,
|
||||
+ G_IO_ERROR_FAILED,
|
||||
+ "did not write %s file",
|
||||
+ filename);
|
||||
+ g_close(fd, NULL);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ return g_close(fd, error);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/**
|
||||
* fu_plugin_set_secure_config_value:
|
||||
* @self: a #FuPlugin
|
||||
@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
|
||||
GError **error)
|
||||
{
|
||||
g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
|
||||
- gint ret;
|
||||
+ g_autofree gchar *data = NULL;
|
||||
+ g_autoptr(GKeyFile) keyfile = g_key_file_new();
|
||||
|
||||
g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
|
||||
g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
|
||||
@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
|
||||
g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
|
||||
return FALSE;
|
||||
}
|
||||
- ret = g_chmod(conf_path, 0660);
|
||||
- if (ret == -1) {
|
||||
- g_set_error(error,
|
||||
- FWUPD_ERROR,
|
||||
- FWUPD_ERROR_INTERNAL,
|
||||
- "failed to set permissions on %s",
|
||||
- conf_path);
|
||||
+ if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error))
|
||||
return FALSE;
|
||||
- }
|
||||
-
|
||||
- return fu_plugin_set_config_value(self, key, value, error);
|
||||
+ g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value);
|
||||
+ data = g_key_file_to_data(keyfile, NULL, error);
|
||||
+ if (data == NULL)
|
||||
+ return FALSE;
|
||||
+ return g_file_set_contents_full(conf_path,
|
||||
+ data,
|
||||
+ -1,
|
||||
+ G_FILE_SET_CONTENTS_CONSISTENT,
|
||||
+ 0660,
|
||||
+ error);
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.39.1
|
||||
|
||||
1124
SPECS/fwupd.spec
Normal file
1124
SPECS/fwupd.spec
Normal file
File diff suppressed because it is too large
Load Diff
1598
fwupd.spec
1598
fwupd.spec
File diff suppressed because it is too large
Load Diff
@ -1,6 +0,0 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.hardware-fwupd.tier0.functional}
|
||||
5
main.fmf
5
main.fmf
@ -1,5 +0,0 @@
|
||||
plan:
|
||||
import:
|
||||
url: https://gitlab.cee.redhat.com/desktopqe/fwupd.git
|
||||
name: /plan/gate
|
||||
ref: rhel-9
|
||||
4
sources
4
sources
@ -1,4 +0,0 @@
|
||||
SHA512 (fwupd-2.1.6.tar.xz) = ac6400017df913b96f0df2616ffe92d4eeb4bf97d2c33fa1fe6ed8f5aba86438418d56db0b1e54a9977cb729b35c23c2010d778ef37486d0ed7058640e9c35d0
|
||||
SHA512 (fwupd-efi-1.8.tar.gz) = bd361eb60397850af025228ea9f4efbf289f8e1c2612f240ae4c5ffee8caea15c31aa0748c06e57b28a7f38b8c2708147a228d8a99077798f4435436f12e092e
|
||||
SHA512 (fwupd-1.9.31.tar.xz) = ce9cd5129d0bcbedade6ba11f661fd3350445557d3116f479a8628376e9e8d6a933e6d2632ac3576d47ad9dbf0eafd54480d2765be86f776e8f04f689287ec80
|
||||
SHA512 (9edea8bc287bf9bf4659856b28cf421f330eb2f658c163eab0a03512a98c0e78-DBXUpdate-20260402-x64.cab) = 7fff3d5757b6ca5392ae21b7eab06d216d8eb3ccf24f68399679c402d21c842b7d9b0f716071b3f1163325f216926d3941fe494ca784ef257c466477525af76f
|
||||
Loading…
Reference in New Issue
Block a user