Compare commits

..

No commits in common. "c10-beta" and "c8" have entirely different histories.
c10-beta ... c8

13 changed files with 736 additions and 827 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
kmod-31.tar.xz
SOURCES/kmod-25.tar.xz

1
.kmod.metadata Normal file
View File

@ -0,0 +1 @@
761ee76bc31f5db10d470dad607a5f9d68acef68 SOURCES/kmod-25.tar.xz

View File

@ -1,44 +0,0 @@
From 5c22362b6b97af9c6b7587f0c3450001e9893115 Mon Sep 17 00:00:00 2001
From: Eugene Syromiatnikov <esyr@redhat.com>
Date: Tue, 13 Aug 2024 16:17:27 +0200
Subject: [PATCH] libkmod: avoid undefined behaviour in
libkmod-builtin.c:get_string
Static analysis has reported a potential UB:
kmod-31/libkmod/libkmod-builtin.c:125: use_invalid: Using "nullp", which points to an out-of-scope variable "buf".
# 123| size_t linesz = 0;
# 124|
# 125|-> while (!nullp) {
# 126| char buf[BUFSIZ];
# 127| ssize_t sz;
It seems to be indeed an UB, as nullp is getting assined an address
inside object buf, which has a lifetime of the while loop body,
and is not available outside of it (specifically, in the while
condition, where nullp is checked for NULL). Fix it by putting
buf definition in the outer block.
---
libkmod/libkmod-builtin.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c
index fd0f549..40a7d61 100644
--- a/libkmod/libkmod-builtin.c
+++ b/libkmod/libkmod-builtin.c
@@ -105,11 +105,11 @@ static off_t get_string(struct kmod_builtin_iter *iter, off_t offset,
char **line, size_t *size)
{
int sv_errno;
+ char buf[BUFSIZ];
char *nullp = NULL;
size_t linesz = 0;
while (!nullp) {
- char buf[BUFSIZ];
ssize_t sz;
size_t partsz;
--
2.13.6

View File

@ -0,0 +1,33 @@
From c2996b5fa880e81f63c25e80a4157b2239e32c5d Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Mon, 10 Dec 2018 22:29:32 +0100
Subject: [PATCH 1/2] depmod: prevent module dependency files missing during
depmod invocation
depmod deletes the module dependency files before moving the temporary
files in their place. This results in user seeing no dependency files
while they are updated. Remove the unlink call. The rename call should
suffice to move the new file in place and unlink the old one. It should
also do both atomically so there is no window when no dependency file
exists.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
tools/depmod.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/tools/depmod.c b/tools/depmod.c
index 989d9077926c..18c0d61b2db3 100644
--- a/tools/depmod.c
+++ b/tools/depmod.c
@@ -2451,7 +2451,6 @@ static int depmod_output(struct depmod *depmod, FILE *out)
break;
}
- unlinkat(dfd, itr->name, 0);
if (renameat(dfd, tmp, dfd, itr->name) != 0) {
err = -errno;
CRIT("renameat(%s, %s, %s, %s): %m\n",
--
2.33.0

View File

@ -0,0 +1,62 @@
From a06bacf500d56b72b5f9b121ebf7f6af9e3df185 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Mon, 17 Dec 2018 23:46:28 +0100
Subject: [PATCH 2/2] depmod: prevent module dependency files corruption due to
parallel invocation.
Depmod does not use unique filename for temporary files. There is no
guarantee the user does not attempt to run mutiple depmod processes in
parallel. If that happens a temporary file might be created by
depmod(1st), truncated by depmod(2nd), and renamed to final name by
depmod(1st) resulting in corrupted file seen by user.
Due to missing mkstempat() this is more complex than it should be.
Adding PID and timestamp to the filename should be reasonably reliable.
Adding O_EXCL as mkstemp does fails creating the file rather than
corrupting existing file.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
tools/depmod.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tools/depmod.c b/tools/depmod.c
index 18c0d61b2db3..0f7e33ccfd59 100644
--- a/tools/depmod.c
+++ b/tools/depmod.c
@@ -29,6 +29,7 @@
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
+#include <sys/time.h>
#include <sys/utsname.h>
#include <shared/array.h>
@@ -2398,6 +2399,9 @@ static int depmod_output(struct depmod *depmod, FILE *out)
};
const char *dname = depmod->cfg->dirname;
int dfd, err = 0;
+ struct timeval tv;
+
+ gettimeofday(&tv, NULL);
if (out != NULL)
dfd = -1;
@@ -2416,11 +2420,12 @@ static int depmod_output(struct depmod *depmod, FILE *out)
int r, ferr;
if (fp == NULL) {
- int flags = O_CREAT | O_TRUNC | O_WRONLY;
+ int flags = O_CREAT | O_EXCL | O_WRONLY;
int mode = 0644;
int fd;
- snprintf(tmp, sizeof(tmp), "%s.tmp", itr->name);
+ snprintf(tmp, sizeof(tmp), "%s.%i.%li.%li", itr->name, getpid(),
+ tv.tv_usec, tv.tv_sec);
fd = openat(dfd, tmp, flags, mode);
if (fd < 0) {
ERR("openat(%s, %s, %o, %o): %m\n",
--
2.33.0

View File

@ -0,0 +1,328 @@
From 391b4714b495183baefa9cb10ac8e1600c166a59 Mon Sep 17 00:00:00 2001
From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Date: Fri, 1 Feb 2019 22:20:02 +0200
Subject: [PATCH] libkmod-signature: implement pkcs7 parsing with openssl
The patch adds data fetching from the PKCS#7 certificate using
openssl library (which is used by scripts/sign-file.c in the linux
kernel to sign modules).
In general the certificate can contain many signatures, but since
kmod (modinfo) supports only one signature at the moment, only first
one is taken.
With the current sign-file.c certificate doesn't contain signer
key's fingerprint, so "serial number" is used for the key id.
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
---
Makefile.am | 4 +-
configure.ac | 11 ++
libkmod/libkmod-internal.h | 3 +
libkmod/libkmod-module.c | 3 +
libkmod/libkmod-signature.c | 197 +++++++++++++++++++++++++++++++++++-
5 files changed, 213 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 1ab1db585316..de1026f8bd46 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -35,6 +35,8 @@ SED_PROCESS = \
-e 's,@liblzma_LIBS\@,${liblzma_LIBS},g' \
-e 's,@zlib_CFLAGS\@,${zlib_CFLAGS},g' \
-e 's,@zlib_LIBS\@,${zlib_LIBS},g' \
+ -e 's,@openssl_CFLAGS\@,${openssl_CFLAGS},g' \
+ -e 's,@openssl_LIBS\@,${openssl_LIBS},g' \
< $< > $@ || rm $@
%.pc: %.pc.in Makefile
@@ -87,7 +89,7 @@ libkmod_libkmod_la_DEPENDENCIES = \
${top_srcdir}/libkmod/libkmod.sym
libkmod_libkmod_la_LIBADD = \
shared/libshared.la \
- ${liblzma_LIBS} ${zlib_LIBS}
+ ${liblzma_LIBS} ${zlib_LIBS} ${openssl_LIBS}
noinst_LTLIBRARIES += libkmod/libkmod-internal.la
libkmod_libkmod_internal_la_SOURCES = $(libkmod_libkmod_la_SOURCES)
diff --git a/configure.ac b/configure.ac
index fbc7391b2d1b..2e33380a0cc2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -106,6 +106,17 @@ AS_IF([test "x$with_zlib" != "xno"], [
])
CC_FEATURE_APPEND([with_features], [with_zlib], [ZLIB])
+AC_ARG_WITH([openssl],
+ AS_HELP_STRING([--with-openssl], [handle PKCS7 signatures @<:@default=disabled@:>@]),
+ [], [with_openssl=no])
+AS_IF([test "x$with_openssl" != "xno"], [
+ PKG_CHECK_MODULES([openssl], [openssl])
+ AC_DEFINE([ENABLE_OPENSSL], [1], [Enable openssl for modinfo.])
+], [
+ AC_MSG_NOTICE([openssl support not requested])
+])
+CC_FEATURE_APPEND([with_features], [with_openssl], [OPENSSL])
+
AC_ARG_WITH([bashcompletiondir],
AS_HELP_STRING([--with-bashcompletiondir=DIR], [Bash completions directory]),
[],
diff --git a/libkmod/libkmod-internal.h b/libkmod/libkmod-internal.h
index 346579c71aab..a65ddd156f18 100644
--- a/libkmod/libkmod-internal.h
+++ b/libkmod/libkmod-internal.h
@@ -188,5 +188,8 @@ struct kmod_signature_info {
const char *algo, *hash_algo, *id_type;
const char *sig;
size_t sig_len;
+ void (*free)(void *);
+ void *private;
};
bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signature_info *sig_info) _must_check_ __attribute__((nonnull(1, 2)));
+void kmod_module_signature_info_free(struct kmod_signature_info *sig_info) __attribute__((nonnull));
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
index 889f26479a98..bffe715cdef4 100644
--- a/libkmod/libkmod-module.c
+++ b/libkmod/libkmod-module.c
@@ -2357,6 +2357,9 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
ret = count;
list_error:
+ /* aux structures freed in normal case also */
+ kmod_module_signature_info_free(&sig_info);
+
if (ret < 0) {
kmod_module_info_free_list(*list);
*list = NULL;
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index 429ffbd8a957..48d0145a7552 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -19,6 +19,10 @@
#include <endian.h>
#include <inttypes.h>
+#ifdef ENABLE_OPENSSL
+#include <openssl/cms.h>
+#include <openssl/ssl.h>
+#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -115,15 +119,194 @@ static bool fill_default(const char *mem, off_t size,
return true;
}
-static bool fill_unknown(const char *mem, off_t size,
- const struct module_signature *modsig, size_t sig_len,
- struct kmod_signature_info *sig_info)
+#ifdef ENABLE_OPENSSL
+
+struct pkcs7_private {
+ CMS_ContentInfo *cms;
+ unsigned char *key_id;
+ BIGNUM *sno;
+};
+
+static void pkcs7_free(void *s)
+{
+ struct kmod_signature_info *si = s;
+ struct pkcs7_private *pvt = si->private;
+
+ CMS_ContentInfo_free(pvt->cms);
+ BN_free(pvt->sno);
+ free(pvt->key_id);
+ free(pvt);
+ si->private = NULL;
+}
+
+static int obj_to_hash_algo(const ASN1_OBJECT *o)
+{
+ int nid;
+
+ nid = OBJ_obj2nid(o);
+ switch (nid) {
+ case NID_md4:
+ return PKEY_HASH_MD4;
+ case NID_md5:
+ return PKEY_HASH_MD5;
+ case NID_sha1:
+ return PKEY_HASH_SHA1;
+ case NID_ripemd160:
+ return PKEY_HASH_RIPE_MD_160;
+ case NID_sha256:
+ return PKEY_HASH_SHA256;
+ case NID_sha384:
+ return PKEY_HASH_SHA384;
+ case NID_sha512:
+ return PKEY_HASH_SHA512;
+ case NID_sha224:
+ return PKEY_HASH_SHA224;
+ default:
+ return -1;
+ }
+ return -1;
+}
+
+static const char *x509_name_to_str(X509_NAME *name)
+{
+ int i;
+ X509_NAME_ENTRY *e;
+ ASN1_STRING *d;
+ ASN1_OBJECT *o;
+ int nid = -1;
+ const char *str;
+
+ for (i = 0; i < X509_NAME_entry_count(name); i++) {
+ e = X509_NAME_get_entry(name, i);
+ o = X509_NAME_ENTRY_get_object(e);
+ nid = OBJ_obj2nid(o);
+ if (nid == NID_commonName)
+ break;
+ }
+ if (nid == -1)
+ return NULL;
+
+ d = X509_NAME_ENTRY_get_data(e);
+ str = (const char *)ASN1_STRING_get0_data(d);
+
+ return str;
+}
+
+static bool fill_pkcs7(const char *mem, off_t size,
+ const struct module_signature *modsig, size_t sig_len,
+ struct kmod_signature_info *sig_info)
+{
+ const char *pkcs7_raw;
+ CMS_ContentInfo *cms;
+ STACK_OF(CMS_SignerInfo) *sis;
+ CMS_SignerInfo *si;
+ int rc;
+ ASN1_OCTET_STRING *key_id;
+ X509_NAME *issuer;
+ ASN1_INTEGER *sno;
+ ASN1_OCTET_STRING *sig;
+ BIGNUM *sno_bn;
+ X509_ALGOR *dig_alg;
+ X509_ALGOR *sig_alg;
+ const ASN1_OBJECT *o;
+ BIO *in;
+ int len;
+ unsigned char *key_id_str;
+ struct pkcs7_private *pvt;
+ const char *issuer_str;
+
+ size -= sig_len;
+ pkcs7_raw = mem + size;
+
+ in = BIO_new_mem_buf(pkcs7_raw, sig_len);
+
+ cms = d2i_CMS_bio(in, NULL);
+ if (cms == NULL) {
+ BIO_free(in);
+ return false;
+ }
+
+ BIO_free(in);
+
+ sis = CMS_get0_SignerInfos(cms);
+ if (sis == NULL)
+ goto err;
+
+ si = sk_CMS_SignerInfo_value(sis, 0);
+ if (si == NULL)
+ goto err;
+
+ rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
+ if (rc == 0)
+ goto err;
+
+ sig = CMS_SignerInfo_get0_signature(si);
+ if (sig == NULL)
+ goto err;
+
+ CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
+
+ sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
+ sig_info->sig_len = ASN1_STRING_length(sig);
+
+ sno_bn = ASN1_INTEGER_to_BN(sno, NULL);
+ if (sno_bn == NULL)
+ goto err;
+
+ len = BN_num_bytes(sno_bn);
+ key_id_str = malloc(len);
+ if (key_id_str == NULL)
+ goto err2;
+ BN_bn2bin(sno_bn, key_id_str);
+
+ sig_info->key_id = (const char *)key_id_str;
+ sig_info->key_id_len = len;
+
+ issuer_str = x509_name_to_str(issuer);
+ if (issuer_str != NULL) {
+ sig_info->signer = issuer_str;
+ sig_info->signer_len = strlen(issuer_str);
+ }
+
+ X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
+
+ sig_info->hash_algo = pkey_hash_algo[obj_to_hash_algo(o)];
+ sig_info->id_type = pkey_id_type[modsig->id_type];
+
+ pvt = malloc(sizeof(*pvt));
+ if (pvt == NULL)
+ goto err3;
+
+ pvt->cms = cms;
+ pvt->key_id = key_id_str;
+ pvt->sno = sno_bn;
+ sig_info->private = pvt;
+
+ sig_info->free = pkcs7_free;
+
+ return true;
+err3:
+ free(key_id_str);
+err2:
+ BN_free(sno_bn);
+err:
+ CMS_ContentInfo_free(cms);
+ return false;
+}
+
+#else /* ENABLE OPENSSL */
+
+static bool fill_pkcs7(const char *mem, off_t size,
+ const struct module_signature *modsig, size_t sig_len,
+ struct kmod_signature_info *sig_info)
{
sig_info->hash_algo = "unknown";
sig_info->id_type = pkey_id_type[modsig->id_type];
return true;
}
+#endif /* ENABLE OPENSSL */
+
#define SIG_MAGIC "~Module signature appended~\n"
/*
@@ -167,8 +350,14 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
switch (modsig->id_type) {
case PKEY_ID_PKCS7:
- return fill_unknown(mem, size, modsig, sig_len, sig_info);
+ return fill_pkcs7(mem, size, modsig, sig_len, sig_info);
default:
return fill_default(mem, size, modsig, sig_len, sig_info);
}
}
+
+void kmod_module_signature_info_free(struct kmod_signature_info *sig_info)
+{
+ if (sig_info->free)
+ sig_info->free(sig_info);
+}
--
2.20.1

View File

@ -0,0 +1,83 @@
From 52a0ba82e1ad180f9f91920db70a758fac49466a Mon Sep 17 00:00:00 2001
From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Date: Thu, 31 Oct 2019 20:12:53 +0200
Subject: [PATCH] modprobe: ignore builtin module on recursive removing
If there are built-in dependencies and any of them is built-in in
the kernel, modprobe -r fails with
modprobe: FATAL: Module module_name is builtin.
It makes sense to ignore such dependencies for the case when
removing is called for non-top level module.
Example: cifs module, it declares bunch of softdeps and the first
one fails on some kernel configs:
modprobe: FATAL: Module gcm is builtin.
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
---
tools/modprobe.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/tools/modprobe.c b/tools/modprobe.c
index a9e2331567af..44cd15c2bf57 100644
--- a/tools/modprobe.c
+++ b/tools/modprobe.c
@@ -353,7 +353,8 @@ static int rmmod_do_remove_module(struct kmod_module *mod)
return err;
}
-static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies);
+static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies,
+ bool ignore_builtin);
static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
{
@@ -361,7 +362,7 @@ static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
kmod_list_foreach_reverse(l, list) {
struct kmod_module *m = kmod_module_get_module(l);
- int r = rmmod_do_module(m, false);
+ int r = rmmod_do_module(m, false, true);
kmod_module_unref(m);
if (r < 0 && stop_on_errors)
@@ -371,7 +372,8 @@ static int rmmod_do_deps_list(struct kmod_list *list, bool stop_on_errors)
return 0;
}
-static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies)
+static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies,
+ bool ignore_builtin)
{
const char *modname = kmod_module_get_name(mod);
struct kmod_list *pre = NULL, *post = NULL;
@@ -401,8 +403,12 @@ static int rmmod_do_module(struct kmod_module *mod, bool do_dependencies)
}
goto error;
} else if (state == KMOD_MODULE_BUILTIN) {
- LOG("Module %s is builtin.\n", modname);
- err = -ENOENT;
+ if (ignore_builtin) {
+ err = 0;
+ } else {
+ LOG("Module %s is builtin.\n", modname);
+ err = -ENOENT;
+ }
goto error;
}
}
@@ -462,7 +468,7 @@ static int rmmod(struct kmod_ctx *ctx, const char *alias)
kmod_list_foreach(l, list) {
struct kmod_module *mod = kmod_module_get_module(l);
- err = rmmod_do_module(mod, true);
+ err = rmmod_do_module(mod, true, false);
kmod_module_unref(mod);
if (err < 0)
break;
--
2.24.0

View File

@ -0,0 +1,116 @@
From a11057201ed326a9e65e757202da960735e45799 Mon Sep 17 00:00:00 2001
From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Date: Fri, 16 Nov 2018 10:56:34 +0200
Subject: [PATCH] signature: do not report wrong data for pkc#7 signature
when PKC#7 signing method is used the old structure doesn't contain
any useful data, but the data are encoded in the certificate.
The info getting/showing code is not aware of that at the moment and
since 0 is a valid constant, shows, for example, wrong "md4" for the
hash algo.
The patch splits the 2 mothods of gethering the info and reports
"unknown" for the algo.
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
---
libkmod/libkmod-module.c | 2 +-
libkmod/libkmod-signature.c | 56 +++++++++++++++++++++++++------------
2 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
index ee420f4ec2bf..889f26479a98 100644
--- a/libkmod/libkmod-module.c
+++ b/libkmod/libkmod-module.c
@@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
struct kmod_elf *elf;
char **strings;
int i, count, ret = -ENOMEM;
- struct kmod_signature_info sig_info;
+ struct kmod_signature_info sig_info = {};
if (mod == NULL || list == NULL)
return -ENOENT;
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index 1f3e26dea203..429ffbd8a957 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -92,6 +92,38 @@ struct module_signature {
uint32_t sig_len; /* Length of signature data (big endian) */
};
+static bool fill_default(const char *mem, off_t size,
+ const struct module_signature *modsig, size_t sig_len,
+ struct kmod_signature_info *sig_info)
+{
+ size -= sig_len;
+ sig_info->sig = mem + size;
+ sig_info->sig_len = sig_len;
+
+ size -= modsig->key_id_len;
+ sig_info->key_id = mem + size;
+ sig_info->key_id_len = modsig->key_id_len;
+
+ size -= modsig->signer_len;
+ sig_info->signer = mem + size;
+ sig_info->signer_len = modsig->signer_len;
+
+ sig_info->algo = pkey_algo[modsig->algo];
+ sig_info->hash_algo = pkey_hash_algo[modsig->hash];
+ sig_info->id_type = pkey_id_type[modsig->id_type];
+
+ return true;
+}
+
+static bool fill_unknown(const char *mem, off_t size,
+ const struct module_signature *modsig, size_t sig_len,
+ struct kmod_signature_info *sig_info)
+{
+ sig_info->hash_algo = "unknown";
+ sig_info->id_type = pkey_id_type[modsig->id_type];
+ return true;
+}
+
#define SIG_MAGIC "~Module signature appended~\n"
/*
@@ -112,7 +144,6 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
const struct module_signature *modsig;
size_t sig_len;
-
size = kmod_file_get_size(file);
mem = kmod_file_get_contents(file);
if (size < (off_t)strlen(SIG_MAGIC))
@@ -134,21 +165,10 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len))
return false;
- size -= sig_len;
- sig_info->sig = mem + size;
- sig_info->sig_len = sig_len;
-
- size -= modsig->key_id_len;
- sig_info->key_id = mem + size;
- sig_info->key_id_len = modsig->key_id_len;
-
- size -= modsig->signer_len;
- sig_info->signer = mem + size;
- sig_info->signer_len = modsig->signer_len;
-
- sig_info->algo = pkey_algo[modsig->algo];
- sig_info->hash_algo = pkey_hash_algo[modsig->hash];
- sig_info->id_type = pkey_id_type[modsig->id_type];
-
- return true;
+ switch (modsig->id_type) {
+ case PKEY_ID_PKCS7:
+ return fill_unknown(mem, size, modsig, sig_len, sig_info);
+ default:
+ return fill_default(mem, size, modsig, sig_len, sig_info);
+ }
}
--
2.20.1

View File

@ -179,24 +179,24 @@ compare_initramfs_modules() {
mkdir "$tmpdir/new_initramfs"
decompress_initramfs "$old_initramfs" "$tmpdir/old_initramfs.img"
pushd "$tmpdir/old_initramfs" >/dev/null || exit
pushd "$tmpdir/old_initramfs" >/dev/null
cpio -i < "$tmpdir/old_initramfs.img" 2>/dev/null
rm "$tmpdir/old_initramfs.img"
n=0; for i in `list_module_files|sort`; do
old_initramfs_modules[n]="$i"
n=$((n+1))
done
popd >/dev/null || exit
popd >/dev/null
decompress_initramfs "$new_initramfs" "$tmpdir/new_initramfs.img"
pushd "$tmpdir/new_initramfs" >/dev/null || exit
pushd "$tmpdir/new_initramfs" >/dev/null
cpio -i < "$tmpdir/new_initramfs.img" 2>/dev/null
rm "$tmpdir/new_initramfs.img"
n=0; for i in `list_module_files|sort`; do
new_initramfs_modules[n]="$i"
n=$((n+1))
done
popd >/dev/null || exit
popd >/dev/null
# Compare the length and contents of the arrays
if [ "${#old_initramfs_modules[@]}" == "${#new_initramfs_modules[@]}" -a \
@ -620,6 +620,7 @@ update_modules_for_krel() {
if ! validate_weak_links $krel && [[ -z "$force_update" ]]; then
global_link_state_restore $krel
compatible_modules=()
fi
# add compatible to installed
@ -758,7 +759,6 @@ validate_weak_links() {
# to return to caller that original proposal is not valid
# here 0 is true, 1 is false, since it will be the return code
local is_configuration_valid=0
local cat_prog
tmp=$(mktemp -p $tmpdir)
compatible_modules=()
@ -767,12 +767,7 @@ validate_weak_links() {
local symvers_path=$(find_symvers_file "$krel")
[[ -n "$symvers_path" ]] || return
cat_prog="cat"
case "$symvers" in
*.gz) cat_prog="zcat" ;;
*.xz) cat_prog="xzcat" ;;
esac
"$cat_prog" "$symvers_path" > $tmpdir/symvers-$krel
zcat "$symvers_path" > $tmpdir/symvers-$krel
fi
while ((is_updates_changed)); do
@ -946,7 +941,7 @@ do_make_groups()
declare -a mods
while read i; do
read -a mods <<< "$i"
mods=($i)
echo "${mods[0]}" |grep -q "extra/" || continue
@ -998,7 +993,7 @@ filter_extra_absoluted()
# to speed up handling in general cases
echo "$i" |grep -q "extra/" || continue
read -a mods <<< "$i"
mods=($i)
for j in "${!mods[@]}"; do
mod="${mods[$j]}"
@ -1158,7 +1153,7 @@ while :; do
shift
done
if [ ! -x "$dracut" ]
if [ ! -x "$dracut" ] && [ -z "$no_initramfs" ]
then
echo "weak-modules: could not find dracut at $dracut"
exit 1

View File

@ -1,92 +1,30 @@
# Fedora does not support CONFIG_MODVERSIONS. Without kabi support
# weak-modules is useless at best, and can be actively harmful.
# Since RHEL *does* support this and offers kabi support,
# turn it on there by default.
%if 0%{?rhel}
%bcond_without weak_modules
%bcond_without dist_conf
%else
%bcond_with weak_modules
%bcond_with dist_conf
%endif
%bcond_without zlib
%bcond_without xz
%bcond_without zstd
Name: kmod
Version: 31
Release: 8%{?dist}
Version: 25
Release: 20%{?dist}
Summary: Linux kernel module management utilities
# https://docs.fedoraproject.org/en-US/legal/license-field/#_no_effective_license_analysis
# GPL-2.0-or-later:
# build-aux/compile
# build-aux/depcomp
# build-aux/ltmain.sh
# build-aux/ltmain.sh
# build-aux/missing
# build-aux/py-compile
# build-aux/test-driver
# m4/attributes.m4
# m4/features.m4
# tools
# GPL-3.0-or-later:
# build-aux/config.guess
# build-aux/config.sub
# build-aux/git-version-gen
# libkmod/docs/gtk-doc.make
# m4/gtk-doc.m4
# FSFUL:
# configure
# FSFULLRWD:
# aclocal.m4
# libkmod/docs/Makefile.in
# m4/libtool.m4
# m4/lt~obsolete.m4
# m4/ltoptions.m4
# m4/ltsugar.m4
# m4/ltversion.m4
# Makefile.in
# LGPL-2.1-only:
# libkmod/python/kmod/error.py
# libkmod/python/kmod/__init__.py
# libkmod/python/kmod/version.py
# libkmod/python/kmod/version.py.in
# LGPL-2.1-or-later:
# config.h.in (no explicit license, the one in COPYING is assumed)
# libkmod
# man (no explicit license, the one in COPYING is assumed)
# shared
# shell-completion/bash/kmod
# testsuite
# X11:
# build-aux/install-sh
License: GPL-2.0-or-later AND GPL-3.0-or-later AND FSFUL AND FSFULLRWD AND LGPL-2.1-only AND LGPL-2.1-or-later AND X11
URL: https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git
Group: System Environment/Kernel
License: GPLv2+
URL: http://git.kernel.org/?p=utils/kernel/kmod/kmod.git;a=summary
Source0: https://www.kernel.org/pub/linux/utils/kernel/kmod/%{name}-%{version}.tar.xz
Source1: weak-modules
Source2: depmod.conf.dist
Patch1: kmod-tip.patch
# v33~1 "libkmod: avoid undefined behaviour in libkmod-builtin.c:get_string"
Patch2: 0001-libkmod-avoid-undefined-behaviour-in-libkmod-builtin.patch
Exclusiveos: Linux
BuildRequires: gcc
Patch01: kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch
Patch02: kmod-libkmod-signature-implement-pkcs7-parsing-with-opens.patch
Patch03: kmod-modprobe-ignore-builtin-module-on-recursive-removing.patch
Patch04: 0001-depmod-prevent-module-dependency-files-missing-durin.patch
Patch05: 0002-depmod-prevent-module-dependency-files-corruption-du.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: chrpath
%if %{with zlib}
BuildRequires: zlib-devel
%endif
%if %{with xz}
BuildRequires: xz-devel
%endif
BuildRequires: libxslt docbook-style-xsl
BuildRequires: libxslt
BuildRequires: openssl-devel
BuildRequires: make automake
%if %{with zstd}
BuildRequires: libzstd-devel
%endif
# Remove it as soon as no need for Patch02 anymore (Makefile.am updated)
BuildRequires: automake autoconf libtool
Provides: module-init-tools = 4.0-1
Obsoletes: module-init-tools < 4.0-1
@ -100,6 +38,8 @@ examples of loaded and unloaded modules.
%package libs
Summary: Libraries to handle kernel module loading and unloading
License: LGPLv2+
Group: System Environment/Libraries
%description libs
The kmod-libs package provides runtime libraries for any application that
@ -107,6 +47,7 @@ wishes to load or unload Linux kernel modules from the running system.
%package devel
Summary: Header files for kmod development
Group: Development/Libraries
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description devel
@ -114,33 +55,30 @@ The kmod-devel package provides header files used for development of
applications that wish to load or unload Linux kernel modules.
%prep
%autosetup -p1
%setup -q
%patch01 -p1
%patch02 -p1
%patch03 -p1
%patch04 -p1
%patch05 -p1
%build
export V=1
aclocal
autoreconf --install --symlink
%configure \
--with-openssl \
%if %{with zlib}
--with-zlib \
%endif
%if %{with xz}
--with-xz \
%endif
%if %{with zstd}
--with-zstd \
%endif
--enable-debug
%{make_build} V=1
--with-openssl
make %{?_smp_mflags}
%install
%{make_install}
pushd $RPM_BUILD_ROOT%{_mandir}/man5
make install DESTDIR=$RPM_BUILD_ROOT
pushd $RPM_BUILD_ROOT/%{_mandir}/man5
ln -s modprobe.d.5.gz modprobe.conf.5.gz
popd
find %{buildroot} -type f -name "*.la" -delete
rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
ln -sf ../bin/kmod $RPM_BUILD_ROOT%{_sbindir}/modprobe
ln -sf ../bin/kmod $RPM_BUILD_ROOT%{_sbindir}/modinfo
@ -153,15 +91,16 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/modprobe.d
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d
mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/modprobe.d
%if %{with weak_modules}
install -pm 755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/weak-modules
%endif
%if %{with dist_conf}
mkdir -p $RPM_BUILD_ROOT/sbin
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/weak-modules
install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf
%endif
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/depmod.d
%dir %{_sysconfdir}/modprobe.d
%dir %{_prefix}/lib/modprobe.d
@ -172,143 +111,101 @@ install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/depmod.d/dist.conf
%{_sbindir}/rmmod
%{_sbindir}/lsmod
%{_sbindir}/depmod
%if %{with weak_modules}
%{_sbindir}/weak-modules
%endif
%{_datadir}/bash-completion/
%if %{with dist_conf}
%{_sysconfdir}/depmod.d/dist.conf
%endif
%attr(0644,root,root) %{_mandir}/man5/mod*.d*.5*
%attr(0644,root,root) %{_mandir}/man5/depmod.d.5*
%{_mandir}/man5/modprobe.conf.5*
%attr(0644,root,root) %{_mandir}/man5/*.5*
%attr(0644,root,root) %{_mandir}/man8/*.8*
%doc NEWS README.md TODO
%doc NEWS README TODO
%files libs
%{!?_licensedir:%global license %%doc}
%license COPYING
%{_libdir}/libkmod.so.*
%files devel
%{_includedir}/libkmod.h
%{_libdir}/pkgconfig/kmod.pc
%{_libdir}/pkgconfig/libkmod.pc
%{_libdir}/libkmod.so
%changelog
* Thu Aug 15 2024 Eugene Syromiatnikov <esyr@redhat.com> - 31-8
- Fix issues discovered by static analysis
- Resolves: RHEL-44931
* Mon Aug 12 2024 Eugene Syromiatnikov <esyr@redhat.com> - 31-7
- weak-modules: use either zcat or xzcat based on symvers file extension
- Resolves: RHEL-39388
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 31-6
- Bump release for June 2024 mass rebuild
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 31-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 31-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Dec 01 2023 Eugene Syromiatnikov <esyr@redhat.com> - 31-3
- migrated to SPDX license
* Thu Nov 09 2023 Josh Boyer <jwboyer@fedoraproject.org> - 31-2
- Add upstream patches to enable SHA3 support
- New upstream v31
- Resolves: rhbz#2241394
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 30-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue May 09 2023 Eugene Syromiatnikov <esyr@redhat.com> - 30-5
* Wed Oct 11 2023 Eugene Syromiatnikov <esyr@redhat.com> - 25-20
- Add symvers.xz support to weak-modules
- Resolves: RHEL-8903
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 30-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Nov 29 2021 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-19
- depmod: fix parallel execution issues
Resolves: rhbz#2026938
* Sat Dec 17 2022 Florian Weimer <fweimer@redhat.com> - 30-3
- Port configure script to C99
* Fri Apr 16 2021 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-18
- weak-modules: do not require dracut wneh using --no-initramfs
Resolves: rhbz#1935416
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 30-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Dec 18 2020 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-17
- weak-modules: reset compatible_modules if configuration is not valid
Resolves: rhbz#1907855
* Mon Jul 4 2022 Yauheni Kaliuta <ykaliuta@redhat.com> - 30-1
- New upstream v30
- Resolves: rhbz#2102796
* Mon Dec 9 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-16
- weak-modules: update_modules_for_krel: always finish sandbox
- weak-modules: groupping: use dependencies of extra/ provider
Resolves: rhbz#1778889
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 29-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Dec 9 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-15
- weak-modules: reverse checking order for add-kernel
Resolves: rhbz#1755196
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 29-6
- Rebuilt with OpenSSL 3.0.0
* Mon Dec 2 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-14
- modprobe: do not fail on built-in modules
Resolves: rhbz#1767513
* Tue Aug 10 2021 Yauheni Kaliuta <ykaliuta@redhat.com> - 29-5
- kmod.spec: enable debug
- weak-modules: compare_initramfs_modules: exit on pushd/popd failures
- weak-modules: split modules into array with read -a
- Add default config file, /etc/depmod.d/dist.conf
* Tue Apr 16 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-13
- weak-modules: handle independent modules in one run
Resolves: rhbz#1695763
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 29-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Apr 2 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-12
- weak-modules: use asterisk for kernel version in sandbox
Resolves: rhbz#1689052
* Tue Jun 08 2021 Neal Gompa <ngompa13@gmail.com> - 29-3
- Fix conditional to only install weak-modules for RHEL
* Tue Feb 5 2019 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-11
- add PKCS7/openssl support.
Resolves: rhbz#1668459.
* Tue May 25 2021 Justin M. Forbes <jforbes@fedoraproject.org> - 29-2
- Rebuild for weak-modules drop in Fedora
* Tue Dec 11 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-10
- weak-modules: group modules on add-kernel
- weak-modules: do not make groups if there are no extra modules
Resolves: rhbz#1649211
* Mon May 24 2021 Justin M. Forbes <jforbes@fedoraproject.org>
- Remove weak-modules for Fedora as it causes problems.
* Tue Oct 2 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-9
- Rebuild with updated flags.
Resolves: rhbz#1630574.
* Fri May 14 2021 Josh Boyer <jwboyer@fedoraproject.org> - 29-1
- New upstream v29
- Resolves: rhbz#1962980
* Tue Sep 4 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-8
- weak-modules: fix initial state creation for dry-run
- weak-modules: check compatibility in a temporary directory
Resolves: rhbz#1622990.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 28-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Aug 28 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-7
- weak-modules: use is_kernel_installed wrapper in update_modules_for_krel.
- weak-modules: more abstract symvers search implementation.
- weak-modules: use additional paths for System.map file.
Resolves: rhbz#1621306.
* Thu Jan 07 2021 Josh Boyer <jwboyer@fedoraproject.org> - 28-1
- New upstream v28
- Enable zstd support
- Resolves: rhbz#1913949
* Thu Aug 09 2018 Eugene Syromiatnikov <esyr@redhat.com> - 25-6
- weak-modules: check also for /lib/modules/$krel/symvers.gz as a possible
symvers file path.
Resolves: rhbz#1614119.
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 27-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 30 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-5
- weak-modules: handle versions with + and other special regex symbols
- weak-modules: fix misleading message when cannot find dracut.
Resolves: rhbz#1609372.
* Wed Mar 25 2020 Yauheni Kaliuta <ykaliuta@fedoraproject.org> - 27-2
- add 0001-depmod-do-not-output-.bin-to-stdout.patch
Resolves: rhbz#1808430
* Fri Jul 27 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-4
- fix dracut path, /usr/bin/dracut
* Thu Feb 20 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 27-1
- New upstream v27
* Mon Jan 20 2020 Yauheni Kaliuta <ykaliuta@fedoraproject.org> - 26-5
- weak-modules: sync with RHEL
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 26-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Feb 25 2019 Yauheni Kaliuta <yauheni.kaliuta@redhat.com> - 26-3
- weak-modules: sync with RHEL
* Sun Feb 24 2019 Yauheni Kaliuta <ykaliuta@fedoraproject.org> - 26-2
- add PKCS7/openssl support (rhbz 1320921)
* Sun Feb 24 2019 Yauheni Kaliuta <ykaliuta@fedoraproject.org> - 26-1
- Update to version 26 (rhbz 1673749)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 25-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Oct 29 2018 James Antill <james.antill@redhat.com> - 25-4
- Remove ldconfig scriptlet, now done via. transfiletrigger in glibc (rhbz 1644063)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 25-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 25 2018 Yauheni Kaliuta <ykaliuta@redhat.com> - 25-3
- Add depmod.d/dist.conf.
- Update weak-modules to RHEL version.
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 25-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

View File

@ -1,561 +0,0 @@
From 1bb23d7f19d888fbdd96ae0fe929b7086713ef33 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 18 Jul 2023 14:01:52 +0200
Subject: [PATCH 1/6] configure: Detect openssl sm3 support
Older openssl versions do not support sm3. The code has an option to
disable the sm3 hash but the lack of openssl support is not detected
automatically.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Link: https://lore.kernel.org/r/b97e20faa07e9e31c6eaf96683011aa24e80760c.1689681454.git.msuchanek@suse.de
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---
configure.ac | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/configure.ac b/configure.ac
index 82a8532..e5bceea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,13 @@ AC_ARG_WITH([openssl],
AS_IF([test "x$with_openssl" != "xno"], [
PKG_CHECK_MODULES([libcrypto], [libcrypto >= 1.1.0], [LIBS="$LIBS $libcrypto_LIBS"])
AC_DEFINE([ENABLE_OPENSSL], [1], [Enable openssl for modinfo.])
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <openssl/ssl.h>
+ int nid = NID_sm3;]])], [
+ AC_MSG_NOTICE([openssl supports sm3])
+ ], [
+ AC_MSG_NOTICE([openssl sm3 support not detected])
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SM3"
+ ])
], [
AC_MSG_NOTICE([openssl support not requested])
])
--
2.41.0
From 4e7effbdc00307d0d1e83115e0d00cc75aae5cc6 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 18 Jul 2023 14:01:53 +0200
Subject: [PATCH 2/6] man/depmod.d: Fix incorrect /usr/lib search path
depmod searches /lib/depmod.d but the man page says /usr/lib/depmod.d is
searched. Align the documentation with the code.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Link: https://lore.kernel.org/r/9c5a6356b1a111eb6e17ddb110494b7f1d1b44c0.1689681454.git.msuchanek@suse.de
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---
man/depmod.d.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/man/depmod.d.xml b/man/depmod.d.xml
index 76548e9..8d3d821 100644
--- a/man/depmod.d.xml
+++ b/man/depmod.d.xml
@@ -39,7 +39,7 @@
</refnamediv>
<refsynopsisdiv>
- <para><filename>/usr/lib/depmod.d/*.conf</filename></para>
+ <para><filename>/lib/depmod.d/*.conf</filename></para>
<para><filename>/usr/local/lib/depmod.d/*.conf</filename></para>
<para><filename>/run/depmod.d/*.conf</filename></para>
<para><filename>/etc/depmod.d/*.conf</filename></para>
--
2.41.0
From 8463809f8a29b254b2cab2ce755641bc690f07c9 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 18 Jul 2023 14:01:54 +0200
Subject: [PATCH 3/6] libkmod, depmod: Load modprobe.d, depmod.d from
${prefix}/lib.
There is an ongoing effort to limit use of files outside of /usr (or
${prefix} on general). Currently all modprobe.d paths are hardcoded to
outside of $prefix. Teach kmod to load modprobe.d from ${prefix}/lib.
On some distributions /usr/lib and /lib are the same directory because
of a compatibility symlink, and it is possible to craft configuration
files with sideeffects that would behave differently when loaded twice.
However, the override semantic ensures that one 'overrides' the other,
and only one configuration file of the same name is loaded from any of
the search directories.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Link: https://lore.kernel.org/r/a290343ce32e2a3c25b134e4f27c13b26e06c9e0.1689681454.git.msuchanek@suse.de
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---
Makefile.am | 1 +
configure.ac | 5 +++++
libkmod/libkmod.c | 7 ++++---
man/Makefile.am | 9 +++++++--
man/depmod.d.xml | 1 +
man/modprobe.d.xml | 1 +
tools/depmod.c | 1 +
7 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 5b7abfe..e6630a3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -19,6 +19,7 @@ AM_CPPFLAGS = \
-include $(top_builddir)/config.h \
-I$(top_srcdir) \
-DSYSCONFDIR=\""$(sysconfdir)"\" \
+ -DDISTCONFDIR=\""$(distconfdir)"\" \
${zlib_CFLAGS}
AM_CFLAGS = $(OUR_CFLAGS)
diff --git a/configure.ac b/configure.ac
index e5bceea..fd88d1f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -79,6 +79,10 @@ AC_COMPILE_IFELSE(
# --with-
#####################################################################
+AC_ARG_WITH([distconfdir], AS_HELP_STRING([--with-distconfdir=DIR], [directory to search for distribution configuration files]),
+ [], [with_distconfdir='${prefix}/lib'])
+AC_SUBST([distconfdir], [$with_distconfdir])
+
AC_ARG_WITH([rootlibdir],
AS_HELP_STRING([--with-rootlibdir=DIR], [rootfs directory to install shared libraries]),
[], [with_rootlibdir=$libdir])
@@ -313,6 +317,7 @@ AC_MSG_RESULT([
prefix: ${prefix}
sysconfdir: ${sysconfdir}
+ distconfdir: ${distconfdir}
libdir: ${libdir}
rootlibdir: ${rootlibdir}
includedir: ${includedir}
diff --git a/libkmod/libkmod.c b/libkmod/libkmod.c
index 1b8773c..57fac1c 100644
--- a/libkmod/libkmod.c
+++ b/libkmod/libkmod.c
@@ -65,6 +65,7 @@ static const char *const default_config_paths[] = {
SYSCONFDIR "/modprobe.d",
"/run/modprobe.d",
"/usr/local/lib/modprobe.d",
+ DISTCONFDIR "/modprobe.d",
"/lib/modprobe.d",
NULL
};
@@ -272,9 +273,9 @@ static enum kmod_file_compression_type get_kernel_compression(struct kmod_ctx *c
* to load from user-defined configuration parameters such as
* alias, blacklists, commands (install, remove). If NULL
* defaults to /etc/modprobe.d, /run/modprobe.d,
- * /usr/local/lib/modprobe.d and /lib/modprobe.d. Give an empty
- * vector if configuration should not be read. This array must
- * be null terminated.
+ * /usr/local/lib/modprobe.d, DISTCONFDIR/modprobe.d, and
+ * /lib/modprobe.d. Give an empty vector if configuration should
+ * not be read. This array must be null terminated.
*
* Create kmod library context. This reads the kmod configuration
* and fills in the default values.
diff --git a/man/Makefile.am b/man/Makefile.am
index 11514d5..2fea8e4 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -17,9 +17,14 @@ EXTRA_DIST = $(MAN5:%.5=%.xml) $(MAN8:%.8=%.xml)
CLEANFILES = $(dist_man_MANS)
%.5 %.8: %.xml
- $(AM_V_XSLT)$(XSLT) \
+ $(AM_V_XSLT)if [ '$(distconfdir)' != '/lib' ] ; then \
+ sed -e 's|@DISTCONFDIR@|$(distconfdir)|g' $< ; \
+ else \
+ sed -e '/@DISTCONFDIR@/d' $< ; \
+ fi | \
+ $(XSLT) \
-o $@ \
--nonet \
--stringparam man.output.quietly 1 \
--param funcsynopsis.style "'ansi'" \
- http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl -
diff --git a/man/depmod.d.xml b/man/depmod.d.xml
index 8d3d821..f282a39 100644
--- a/man/depmod.d.xml
+++ b/man/depmod.d.xml
@@ -40,6 +40,7 @@
<refsynopsisdiv>
<para><filename>/lib/depmod.d/*.conf</filename></para>
+ <para><filename>@DISTCONFDIR@/depmod.d/*.conf</filename></para>
<para><filename>/usr/local/lib/depmod.d/*.conf</filename></para>
<para><filename>/run/depmod.d/*.conf</filename></para>
<para><filename>/etc/depmod.d/*.conf</filename></para>
diff --git a/man/modprobe.d.xml b/man/modprobe.d.xml
index 0ab3e91..2bf6537 100644
--- a/man/modprobe.d.xml
+++ b/man/modprobe.d.xml
@@ -41,6 +41,7 @@
<refsynopsisdiv>
<para><filename>/lib/modprobe.d/*.conf</filename></para>
+ <para><filename>@DISTCONFDIR@/modprobe.d/*.conf</filename></para>
<para><filename>/usr/local/lib/modprobe.d/*.conf</filename></para>
<para><filename>/run/modprobe.d/*.conf</filename></para>
<para><filename>/etc/modprobe.d/*.conf</filename></para>
diff --git a/tools/depmod.c b/tools/depmod.c
index 1d1d41d..630fef9 100644
--- a/tools/depmod.c
+++ b/tools/depmod.c
@@ -54,6 +54,7 @@ static const char *const default_cfg_paths[] = {
SYSCONFDIR "/depmod.d",
"/run/depmod.d",
"/usr/local/lib/depmod.d",
+ DISTCONFDIR "/depmod.d",
"/lib/depmod.d",
NULL
};
--
2.41.0
From ecef7c131618bbd9c559924ecae55764089db0dd Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 18 Jul 2023 14:01:55 +0200
Subject: [PATCH 4/6] kmod: Add pkgconfig file with kmod compile time
configuration
Show distconfdir (where system configuration files are searched/to be
installed), sysconfdir (where user configuration files are searched),
module compressions, and module signatures supported.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Link: https://lore.kernel.org/r/468b3f572d3b84f25bb53ec8fcb15ed4871914d4.1689681454.git.msuchanek@suse.de
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---
Makefile.am | 2 +-
configure.ac | 11 +++++++++++
tools/kmod.pc.in | 9 +++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 tools/kmod.pc.in
diff --git a/Makefile.am b/Makefile.am
index e6630a3..2a54c25 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -96,7 +96,7 @@ libkmod_libkmod_internal_la_DEPENDENCIES = $(libkmod_libkmod_la_DEPENDENCIES)
libkmod_libkmod_internal_la_LIBADD = $(libkmod_libkmod_la_LIBADD)
pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = libkmod/libkmod.pc
+pkgconfig_DATA = libkmod/libkmod.pc tools/kmod.pc
bashcompletiondir=@bashcompletiondir@
dist_bashcompletion_DATA = \
diff --git a/configure.ac b/configure.ac
index fd88d1f..7bf8d78 100644
--- a/configure.ac
+++ b/configure.ac
@@ -21,6 +21,9 @@ LT_INIT([disable-static pic-only])
AS_IF([test "x$enable_static" = "xyes"], [AC_MSG_ERROR([--enable-static is not supported by kmod])])
AS_IF([test "x$enable_largefile" = "xno"], [AC_MSG_ERROR([--disable-largefile is not supported by kmod])])
+module_compressions=""
+module_signatures="legacy"
+
#####################################################################
# Program checks and configurations
#####################################################################
@@ -94,6 +97,7 @@ AC_ARG_WITH([zstd],
AS_IF([test "x$with_zstd" != "xno"], [
PKG_CHECK_MODULES([libzstd], [libzstd >= 1.4.4], [LIBS="$LIBS $libzstd_LIBS"])
AC_DEFINE([ENABLE_ZSTD], [1], [Enable Zstandard for modules.])
+ module_compressions="zstd $module_compressions"
], [
AC_MSG_NOTICE([Zstandard support not requested])
])
@@ -105,6 +109,7 @@ AC_ARG_WITH([xz],
AS_IF([test "x$with_xz" != "xno"], [
PKG_CHECK_MODULES([liblzma], [liblzma >= 4.99], [LIBS="$LIBS $liblzma_LIBS"])
AC_DEFINE([ENABLE_XZ], [1], [Enable Xz for modules.])
+ module_compressions="xz $module_compressions"
], [
AC_MSG_NOTICE([Xz support not requested])
])
@@ -116,6 +121,7 @@ AC_ARG_WITH([zlib],
AS_IF([test "x$with_zlib" != "xno"], [
PKG_CHECK_MODULES([zlib], [zlib], [LIBS="$LIBS $zlib_LIBS"])
AC_DEFINE([ENABLE_ZLIB], [1], [Enable zlib for modules.])
+ module_compressions="gzip $module_compressions"
], [
AC_MSG_NOTICE([zlib support not requested])
])
@@ -134,6 +140,7 @@ AS_IF([test "x$with_openssl" != "xno"], [
AC_MSG_NOTICE([openssl sm3 support not detected])
CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SM3"
])
+ module_signatures="PKCS7 $module_signatures"
], [
AC_MSG_NOTICE([openssl support not requested])
])
@@ -298,6 +305,9 @@ AC_DEFINE_UNQUOTED(KMOD_FEATURES, ["$with_features"], [Features in this build])
# Generate files from *.in
#####################################################################
+AC_SUBST([module_compressions], $module_compressions)
+AC_SUBST([module_signatures], $module_signatures)
+
AC_CONFIG_FILES([
Makefile
man/Makefile
@@ -305,6 +315,7 @@ AC_CONFIG_FILES([
libkmod/docs/version.xml
libkmod/libkmod.pc
libkmod/python/kmod/version.py
+ tools/kmod.pc
])
diff --git a/tools/kmod.pc.in b/tools/kmod.pc.in
new file mode 100644
index 0000000..2595980
--- /dev/null
+++ b/tools/kmod.pc.in
@@ -0,0 +1,9 @@
+prefix=@prefix@
+sysconfdir=@sysconfdir@
+distconfdir=@distconfdir@
+module_compressions=@module_compressions@
+module_signatures=@module_signatures@
+
+Name: kmod
+Description: Tools to deal with kernel modules
+Version: @VERSION@
--
2.41.0
From 3af2f475b0b729f20279f2ce488cc9f727f0b763 Mon Sep 17 00:00:00 2001
From: Sam James <sam@gentoo.org>
Date: Sun, 5 Nov 2023 22:02:25 +0000
Subject: [PATCH 5/6] tools: depmod: fix -Walloc-size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC 14 introduces a new -Walloc-size included in -Wextra which gives:
```
tools/depmod.c:192:14: warning: allocation of insufficient size 1 for type struct index_node with size 1048 [-Walloc-size]
tools/depmod.c:255:11: warning: allocation of insufficient size 1 for type struct index_value with size 16 [-Walloc-size]
tools/depmod.c:286:35: warning: allocation of insufficient size 1 for type struct index_node with size 1048 [-Walloc-size]
tools/depmod.c:315:44: warning: allocation of insufficient size 1 for type struct index_node with size 1048 [-Walloc-size]
```
The calloc prototype is:
```
void *calloc(size_t nmemb, size_t size);
```
So, just swap the number of members and size arguments to match the prototype, as
we're initialising 1 struct of size `sizeof(struct ...)`. GCC then sees we're not
doing anything wrong.
Signed-off-by: Sam James <sam@gentoo.org>
---
tools/depmod.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/depmod.c b/tools/depmod.c
index 630fef9..ab8513b 100644
--- a/tools/depmod.c
+++ b/tools/depmod.c
@@ -190,7 +190,7 @@ static struct index_node *index_create(void)
{
struct index_node *node;
- node = NOFAIL(calloc(sizeof(struct index_node), 1));
+ node = NOFAIL(calloc(1, sizeof(struct index_node)));
node->prefix = NOFAIL(strdup(""));
node->first = INDEX_CHILDMAX;
@@ -253,7 +253,7 @@ static int index_add_value(struct index_value **values,
values = &(*values)->next;
len = strlen(value);
- v = NOFAIL(calloc(sizeof(struct index_value) + len + 1, 1));
+ v = NOFAIL(calloc(1, sizeof(struct index_value) + len + 1));
v->next = *values;
v->priority = priority;
memcpy(v->value, value, len + 1);
@@ -284,7 +284,7 @@ static int index_insert(struct index_node *node, const char *key,
struct index_node *n;
/* New child is copy of node with prefix[j+1..N] */
- n = NOFAIL(calloc(sizeof(struct index_node), 1));
+ n = NOFAIL(calloc(1, sizeof(struct index_node)));
memcpy(n, node, sizeof(struct index_node));
n->prefix = NOFAIL(strdup(&prefix[j+1]));
@@ -313,7 +313,7 @@ static int index_insert(struct index_node *node, const char *key,
node->first = ch;
if (ch > node->last)
node->last = ch;
- node->children[ch] = NOFAIL(calloc(sizeof(struct index_node), 1));
+ node->children[ch] = NOFAIL(calloc(1, sizeof(struct index_node)));
child = node->children[ch];
child->prefix = NOFAIL(strdup(&key[i+1]));
--
2.41.0
From 510c8b7f7455c6613dd1706e5e41ec7b09cf6703 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Date: Sun, 29 Oct 2023 03:03:19 +0200
Subject: [PATCH 6/6] libkmod: remove pkcs7 obj_to_hash_algo()
Switch to using OBJ_obj2txt() to calculate and print the pkcs7
signature hash name. This eliminates the need to duplicate libcrypto
NID to name mapping, detect SM3 openssl compile-time support, and
enables using any hashes that openssl and kernel know about. For
example SHA3 are being added for v6.7 and with this patch are
automatically supported.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Link: https://lore.kernel.org/r/20231029010319.157390-1-dimitri.ledkov@canonical.com
---
configure.ac | 7 -----
libkmod/libkmod-signature.c | 59 +++++++++++++------------------------
2 files changed, 20 insertions(+), 46 deletions(-)
diff --git a/configure.ac b/configure.ac
index 7bf8d78..a6b8fa0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -133,13 +133,6 @@ AC_ARG_WITH([openssl],
AS_IF([test "x$with_openssl" != "xno"], [
PKG_CHECK_MODULES([libcrypto], [libcrypto >= 1.1.0], [LIBS="$LIBS $libcrypto_LIBS"])
AC_DEFINE([ENABLE_OPENSSL], [1], [Enable openssl for modinfo.])
- AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <openssl/ssl.h>
- int nid = NID_sm3;]])], [
- AC_MSG_NOTICE([openssl supports sm3])
- ], [
- AC_MSG_NOTICE([openssl sm3 support not detected])
- CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_SM3"
- ])
module_signatures="PKCS7 $module_signatures"
], [
AC_MSG_NOTICE([openssl support not requested])
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index b749a81..80f6447 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -127,6 +127,7 @@ struct pkcs7_private {
PKCS7 *pkcs7;
unsigned char *key_id;
BIGNUM *sno;
+ char *hash_algo;
};
static void pkcs7_free(void *s)
@@ -137,42 +138,11 @@ static void pkcs7_free(void *s)
PKCS7_free(pvt->pkcs7);
BN_free(pvt->sno);
free(pvt->key_id);
+ free(pvt->hash_algo);
free(pvt);
si->private = NULL;
}
-static int obj_to_hash_algo(const ASN1_OBJECT *o)
-{
- int nid;
-
- nid = OBJ_obj2nid(o);
- switch (nid) {
- case NID_md4:
- return PKEY_HASH_MD4;
- case NID_md5:
- return PKEY_HASH_MD5;
- case NID_sha1:
- return PKEY_HASH_SHA1;
- case NID_ripemd160:
- return PKEY_HASH_RIPE_MD_160;
- case NID_sha256:
- return PKEY_HASH_SHA256;
- case NID_sha384:
- return PKEY_HASH_SHA384;
- case NID_sha512:
- return PKEY_HASH_SHA512;
- case NID_sha224:
- return PKEY_HASH_SHA224;
-# ifndef OPENSSL_NO_SM3
- case NID_sm3:
- return PKEY_HASH_SM3;
-# endif
- default:
- return -1;
- }
- return -1;
-}
-
static const char *x509_name_to_str(X509_NAME *name)
{
int i;
@@ -219,7 +189,8 @@ static bool fill_pkcs7(const char *mem, off_t size,
unsigned char *key_id_str;
struct pkcs7_private *pvt;
const char *issuer_str;
- int hash_algo;
+ char *hash_algo;
+ int hash_algo_len;
size -= sig_len;
pkcs7_raw = mem + size;
@@ -278,27 +249,37 @@ static bool fill_pkcs7(const char *mem, off_t size,
X509_ALGOR_get0(&o, NULL, NULL, dig_alg);
- hash_algo = obj_to_hash_algo(o);
- if (hash_algo < 0)
+ // Use OBJ_obj2txt to calculate string length
+ hash_algo_len = OBJ_obj2txt(NULL, 0, o, 0);
+ if (hash_algo_len < 0)
goto err3;
- sig_info->hash_algo = pkey_hash_algo[hash_algo];
- // hash algo has not been recognized
- if (sig_info->hash_algo == NULL)
+ hash_algo = malloc(hash_algo_len + 1);
+ if (hash_algo == NULL)
goto err3;
+ hash_algo_len = OBJ_obj2txt(hash_algo, hash_algo_len + 1, o, 0);
+ if (hash_algo_len < 0)
+ goto err4;
+
+ // Assign libcrypto hash algo string or number
+ sig_info->hash_algo = hash_algo;
+
sig_info->id_type = pkey_id_type[modsig->id_type];
pvt = malloc(sizeof(*pvt));
if (pvt == NULL)
- goto err3;
+ goto err4;
pvt->pkcs7 = pkcs7;
pvt->key_id = key_id_str;
pvt->sno = sno_bn;
+ pvt->hash_algo = hash_algo;
sig_info->private = pvt;
sig_info->free = pkcs7_free;
return true;
+err4:
+ free(hash_algo);
err3:
free(key_id_str);
err2:
--
2.41.0

View File

@ -1 +0,0 @@
SHA512 (kmod-31.tar.xz) = 05ca70381808bec5f262b94db625662c385408988178a35e4aaf4960ee0716dc0cbfc327160ea4b61098d0c2130ab1b5142ea8156bea8e06ded7f4d288b6d085