diff --git a/.gitignore b/.gitignore
index 717dc58..2137911 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,4 @@
 /libblockdev-3.1.0.tar.gz
 /smart-tests.tar.gz
 /libblockdev-3.2.0.tar.gz
+/libblockdev-3.4.0.tar.gz
diff --git a/0001-nvme_Avoid_element-type_g-i_annotations.patch b/0001-nvme_Avoid_element-type_g-i_annotations.patch
deleted file mode 100644
index 60efeeb..0000000
--- a/0001-nvme_Avoid_element-type_g-i_annotations.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 6cce09cff6567caf992dfe37a6e78192117ac040 Mon Sep 17 00:00:00 2001
-From: Tomas Bzatek
-Date: Wed, 6 Nov 2024 15:15:10 +0100
-Subject: [PATCH] nvme: Avoid element-type g-i annotations
-
-For some reason this is causing more harm and seems to work fine
-when absent.
----
- src/lib/plugin_apis/nvme.api | 4 ++--
- src/plugins/nvme/nvme.h | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/plugin_apis/nvme.api b/src/lib/plugin_apis/nvme.api
-index 2f17e0c96..604eaf9b1 100644
---- a/src/lib/plugin_apis/nvme.api
-+++ b/src/lib/plugin_apis/nvme.api
-@@ -364,7 +364,7 @@ GType bd_nvme_namespace_info_get_type ();
- * @features: features and capabilities present for this namespace, see #BDNVMENamespaceFeature.
- * @format_progress_remaining: The percentage value remaining of a format operation in progress.
- * @write_protected: %TRUE if the namespace is currently write protected and all write access to the namespace shall fail.
-- * @lba_formats: (array zero-terminated=1) (element-type BDNVMELBAFormat): A list of supported LBA Formats.
-+ * @lba_formats: (array zero-terminated=1): A list of supported LBA Formats.
- * @current_lba_format: A LBA Format currently used for the namespace. Contains zeroes in case of
- * an invalid or no supported LBA Format reported.
- */
-@@ -800,7 +800,7 @@ GType bd_nvme_self_test_log_get_type ();
- * BDNVMESelfTestLog:
- * @current_operation: Current running device self-test operation. There's no corresponding record in @entries for a device self-test operation that is in progress.
- * @current_operation_completion: Percentage of the currently running device self-test operation. Only valid when @current_operation is other than #BD_NVME_SELF_TEST_ACTION_NOT_RUNNING.
-- * @entries: (array zero-terminated=1) (element-type BDNVMESelfTestLogEntry): Self-test log entries for the last 20 operations, sorted from newest (first element) to oldest.
-+ * @entries: (array zero-terminated=1): Self-test log entries for the last 20 operations, sorted from newest (first element) to oldest.
- */
- typedef struct BDNVMESelfTestLog {
- BDNVMESelfTestAction current_operation;
-diff --git a/src/plugins/nvme/nvme.h b/src/plugins/nvme/nvme.h
-index ba5304167..e073a6542 100644
---- a/src/plugins/nvme/nvme.h
-+++ b/src/plugins/nvme/nvme.h
-@@ -234,7 +234,7 @@ typedef enum {
- * @features: features and capabilities present for this namespace, see #BDNVMENamespaceFeature.
- * @format_progress_remaining: The percentage value remaining of a format operation in progress.
- * @write_protected: %TRUE if the namespace is currently write protected and all write access to the namespace shall fail.
-- * @lba_formats: (array zero-terminated=1) (element-type BDNVMELBAFormat): A list of supported LBA Formats.
-+ * @lba_formats: (array zero-terminated=1): A list of supported LBA Formats.
- * @current_lba_format: A LBA Format currently used for the namespace. Contains zeroes in case of
- * an invalid or no supported LBA Format reported.
- */
-@@ -442,7 +442,7 @@ typedef struct BDNVMESelfTestLogEntry {
- * BDNVMESelfTestLog:
- * @current_operation: Current running device self-test operation. There's no corresponding record in @entries for a device self-test operation that is in progress.
- * @current_operation_completion: Percentage of the currently running device self-test operation. Only valid when @current_operation is other than #BD_NVME_SELF_TEST_ACTION_NOT_RUNNING.
-- * @entries: (array zero-terminated=1) (element-type BDNVMESelfTestLogEntry): Self-test log entries for the last 20 operations, sorted from newest (first element) to oldest.
-+ * @entries: (array zero-terminated=1): Self-test log entries for the last 20 operations, sorted from newest (first element) to oldest.
- */
- typedef struct BDNVMESelfTestLog {
- BDNVMESelfTestAction current_operation;
diff --git a/0002-crypto-Add-a-function-to-set-persistent-flags-for-LU.patch b/0002-crypto-Add-a-function-to-set-persistent-flags-for-LU.patch
deleted file mode 100644
index 5ec1159..0000000
--- a/0002-crypto-Add-a-function-to-set-persistent-flags-for-LU.patch
+++ /dev/null
@@ -1,229 +0,0 @@
-From 370a280837875413f6cdce255ee61912f6eec40f Mon Sep 17 00:00:00 2001
-From: Vojtech Trefny
-Date: Thu, 6 Mar 2025 14:41:16 +0100
-Subject: [PATCH] crypto: Add a function to set persistent flags for LUKS
-
-This will be used to set the allow-discards flag on LUKS devices
-during installation by Blivet.
----
- configure.ac | 2 +
- src/lib/plugin_apis/crypto.api | 24 +++++++++++
- src/plugins/crypto.c | 76 ++++++++++++++++++++++++++++++++++
- src/plugins/crypto.h | 11 +++++
- tests/crypto_test.py | 29 +++++++++++++
- 5 files changed, 142 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 0089bb7f..43f395a8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -206,6 +206,8 @@ AS_IF([test "x$with_crypto" != "xno"],
- [AC_DEFINE([LIBCRYPTSETUP_26])], [])
- AS_IF([$PKG_CONFIG --atleast-version=2.7.0 libcryptsetup],
- [AC_DEFINE([LIBCRYPTSETUP_27])], [])
-+ AS_IF([$PKG_CONFIG --atleast-version=2.8.0 libcryptsetup],
-+ [AC_DEFINE([LIBCRYPTSETUP_28])], [])
- AC_CHECK_HEADER([linux/sed-opal.h],
- [AC_DEFINE([HAVE_LINUX_OPAL])], [])
- AS_IF([test "x$with_escrow" != "xno"],
-diff --git a/src/lib/plugin_apis/crypto.api b/src/lib/plugin_apis/crypto.api
-index cbd41d68..cab6cba7 100644
---- a/src/lib/plugin_apis/crypto.api
-+++ b/src/lib/plugin_apis/crypto.api
-@@ -380,6 +380,16 @@ typedef enum {
- BD_CRYPTO_LUKS_HW_ENCRYPTION_OPAL_HW_AND_SW,
- } BDCryptoLUKSHWEncryptionType;
-
-+typedef enum {
-+ BD_CRYPTO_LUKS_ACTIVATE_ALLOW_DISCARDS = 1 << 0,
-+ BD_CRYPTO_LUKS_ACTIVATE_SAME_CPU_CRYPT = 1 << 1,
-+ BD_CRYPTO_LUKS_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS = 1 << 2,
-+ BD_CRYPTO_LUKS_ACTIVATE_NO_JOURNAL = 1 << 3,
-+ BD_CRYPTO_LUKS_ACTIVATE_NO_READ_WORKQUEUE = 1 << 4,
-+ BD_CRYPTO_LUKS_ACTIVATE_NO_WRITE_WORKQUEUE = 1 << 5,
-+ BD_CRYPTO_LUKS_ACTIVATE_HIGH_PRIORITY = 1 << 6,
-+} BDCryptoLUKSPersistentFlags;
-+
- /**
- * BDCryptoLUKSInfo:
- * @version: LUKS version
-@@ -1111,6 +1121,20 @@ gboolean bd_crypto_luks_set_uuid (const gchar *device, const gchar *uuid, GError
- */
- gboolean bd_crypto_luks_convert (const gchar *device, BDCryptoLUKSVersion target_version, GError **error);
-
-+/**
-+ * bd_crypto_luks_set_persistent_flags:
-+ * @device: a LUKS device to set the persistent flags on
-+ * @flags: flags to set
-+ * @error: (out) (optional): place to store error (if any)
-+ *
-+ * Note: This function is valid only for LUKS2.
-+ *
-+ * Returns: whether the given @flags were successfully set or not
-+ *
-+ * Tech category: %BD_CRYPTO_TECH_LUKS-%BD_CRYPTO_TECH_MODE_MODIFY
-+ */
-+gboolean bd_crypto_luks_set_persistent_flags (const gchar *device, BDCryptoLUKSPersistentFlags flags, GError **error);
-+
- /**
- * bd_crypto_luks_info:
- * @device: a device to get information about
-diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
-index 5dc904a0..aea403bf 100644
---- a/src/plugins/crypto.c
-+++ b/src/plugins/crypto.c
-@@ -2289,6 +2289,82 @@ gboolean bd_crypto_luks_convert (const gchar *device, BDCryptoLUKSVersion target
- return TRUE;
- }
-
-+/**
-+ * bd_crypto_luks_set_persistent_flags:
-+ * @device: a LUKS device to set the persistent flags on
-+ * @flags: flags to set
-+ * @error: (out) (optional): place to store error (if any)
-+ *
-+ * Note: This function is valid only for LUKS2.
-+ *
-+ * Returns: whether the given @flags were successfully set or not
-+ *
-+ * Tech category: %BD_CRYPTO_TECH_LUKS-%BD_CRYPTO_TECH_MODE_MODIFY
-+ */
-+gboolean bd_crypto_luks_set_persistent_flags (const gchar *device, BDCryptoLUKSPersistentFlags flags, GError **error) {
-+ struct crypt_device *cd = NULL;
-+ gint ret = 0;
-+ guint32 crypt_flags = 0;
-+
-+ ret = crypt_init (&cd, device);
-+ if (ret != 0) {
-+ g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
-+ "Failed to initialize device: %s", strerror_l (-ret, c_locale));
-+ return FALSE;
-+ }
-+
-+ ret = crypt_load (cd, CRYPT_LUKS, NULL);
-+ if (ret != 0) {
-+ g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
-+ "Failed to load device: %s", strerror_l (-ret, c_locale));
-+ crypt_free (cd);
-+ return FALSE;
-+ }
-+
-+ if (g_strcmp0 (crypt_get_type (cd), CRYPT_LUKS2) != 0) {
-+ g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
-+ "Persistent flags can be set only on LUKS v2");
-+ crypt_free (cd);
-+ return FALSE;
-+ }
-+
-+ if (flags & BD_CRYPTO_LUKS_ACTIVATE_ALLOW_DISCARDS)
-+ crypt_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
-+ if (flags & BD_CRYPTO_LUKS_ACTIVATE_SAME_CPU_CRYPT)
-+ crypt_flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT;
-+ if (flags & BD_CRYPTO_LUKS_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)
-+ crypt_flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
-+ if (flags & BD_CRYPTO_LUKS_ACTIVATE_NO_JOURNAL)
-+ crypt_flags |= CRYPT_ACTIVATE_NO_JOURNAL;
-+ if (flags & BD_CRYPTO_LUKS_ACTIVATE_NO_READ_WORKQUEUE)
-+ crypt_flags |= CRYPT_ACTIVATE_NO_READ_WORKQUEUE;
-+ if (flags & BD_CRYPTO_LUKS_ACTIVATE_NO_WRITE_WORKQUEUE)
-+ crypt_flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE;
-+ if (flags & BD_CRYPTO_LUKS_ACTIVATE_HIGH_PRIORITY) {
-+#ifdef LIBCRYPTSETUP_28
-+ crypt_flags |= CRYPT_ACTIVATE_HIGH_PRIORITY;
-+#else
-+ g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
-+ "Libcryptsetup 2.8 or newer is needed for 'high priority' flag support");
-+ crypt_free (cd);
-+ return FALSE;
-+#endif
-+ }
-+
-+
-+ ret = crypt_persistent_flags_set (cd, CRYPT_FLAGS_ACTIVATION, crypt_flags);
-+ if (ret != 0) {
-+ g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
-+ "Failed to set flags: %s", strerror_l (-ret, c_locale));
-+ crypt_free (cd);
-+ return FALSE;
-+ }
-+
-+ crypt_free (cd);
-+
-+ return TRUE;
-+}
-+
- static gint synced_close (gint fd) {
- gint ret = 0;
- ret = fsync (fd);
-diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
-index 2ac0788e..82f5b157 100644
---- a/src/plugins/crypto.h
-+++ b/src/plugins/crypto.h
-@@ -162,6 +162,16 @@ typedef enum {
- BD_CRYPTO_LUKS_HW_ENCRYPTION_OPAL_HW_AND_SW,
- } BDCryptoLUKSHWEncryptionType;
-
-+typedef enum {
-+ BD_CRYPTO_LUKS_ACTIVATE_ALLOW_DISCARDS = 1 << 0,
-+ BD_CRYPTO_LUKS_ACTIVATE_SAME_CPU_CRYPT = 1 << 1,
-+ BD_CRYPTO_LUKS_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS = 1 << 2,
-+ BD_CRYPTO_LUKS_ACTIVATE_NO_JOURNAL = 1 << 3,
-+ BD_CRYPTO_LUKS_ACTIVATE_NO_READ_WORKQUEUE = 1 << 4,
-+ BD_CRYPTO_LUKS_ACTIVATE_NO_WRITE_WORKQUEUE = 1 << 5,
-+ BD_CRYPTO_LUKS_ACTIVATE_HIGH_PRIORITY = 1 << 6,
-+} BDCryptoLUKSPersistentFlags;
-+
- /**
- * BDCryptoLUKSInfo:
- * @version: LUKS version
-@@ -293,6 +303,7 @@ gboolean bd_crypto_luks_header_restore (const gchar *device, const gchar *backup
- gboolean bd_crypto_luks_set_label (const gchar *device, const gchar *label, const gchar *subsystem, GError **error);
- gboolean bd_crypto_luks_set_uuid (const gchar *device, const gchar *uuid, GError **error);
- gboolean bd_crypto_luks_convert (const gchar *device, BDCryptoLUKSVersion target_version, GError **error);
-+gboolean bd_crypto_luks_set_persistent_flags (const gchar *device, BDCryptoLUKSPersistentFlags flags, GError **error);
-
- BDCryptoLUKSInfo* bd_crypto_luks_info (const gchar *device, GError **error);
- BDCryptoBITLKInfo* bd_crypto_bitlk_info (const gchar *device, GError **error);
-diff --git a/tests/crypto_test.py b/tests/crypto_test.py
-index 616ad1ea..2cc443ea 100644
---- a/tests/crypto_test.py
-+++ b/tests/crypto_test.py
-@@ -1152,6 +1152,35 @@ class CryptoTestSetUuid(CryptoTestCase):
- self.assertNotEqual(info.uuid, self.test_uuid)
-
-
-+class CryptoTestSetPersistentFlags(CryptoTestCase):
-+
-+ @tag_test(TestTags.SLOW, TestTags.CORE)
-+ def test_luks_set_persistent_flags(self):
-+ """Verify that we can set flags on a LUKS device"""
-+
-+ self._luks_format(self.loop_dev, PASSWD)
-+
-+ with self.assertRaisesRegex(GLib.GError, "Persistent flags can be set only on LUKS v2"):
-+ BlockDev.crypto_luks_set_persistent_flags(self.loop_dev,
-+ BlockDev.CryptoLUKSPersistentFlags.ALLOW_DISCARDS)
-+
-+ @tag_test(TestTags.SLOW, TestTags.CORE)
-+ def test_luks_set_persistent_flags(self):
-+ """Verify that we can set flags on a LUKS 2 device"""
-+
-+ self._luks2_format(self.loop_dev, PASSWD)
-+
-+ succ = BlockDev.crypto_luks_set_persistent_flags(self.loop_dev,
-+ BlockDev.CryptoLUKSPersistentFlags.ALLOW_DISCARDS)
-+ self.assertTrue(succ)
-+
-+ _ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
-+ m = re.search(r"Flags:\s*(\S+)\s*", out)
-+ if not m or len(m.groups()) != 1:
-+ self.fail("Failed to get label information from:\n%s %s" % (out, err))
-+ self.assertEqual(m.group(1), "allow-discards")
-+
-+
- class CryptoTestConvert(CryptoTestCase):
-
- @tag_test(TestTags.SLOW, TestTags.CORE)
---
-2.48.1
-
diff --git a/0003-Don-t-allow-suid-and-dev-set-on-fs-resize.patch b/0003-Don-t-allow-suid-and-dev-set-on-fs-resize.patch
deleted file mode 100644
index d2fd952..0000000
--- a/0003-Don-t-allow-suid-and-dev-set-on-fs-resize.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 9d1465a9093dd9929ab4c57f6c83df362699820d Mon Sep 17 00:00:00 2001
-From: Thomas Blume
-Date: Fri, 16 May 2025 14:27:10 +0200
-Subject: [PATCH] Don't allow suid and dev set on fs resize
-
-Fixes: CVE-2025-6019
----
- src/plugins/fs/generic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/plugins/fs/generic.c b/src/plugins/fs/generic.c
-index 2b2180aa..60f7d75e 100644
---- a/src/plugins/fs/generic.c
-+++ b/src/plugins/fs/generic.c
-@@ -661,7 +661,7 @@ static gchar* fs_mount (const gchar *device, gchar *fstype, gboolean read_only,
- "Failed to create temporary directory for mounting '%s'.", device);
- return NULL;
- }
-- ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "ro" : NULL, NULL, &l_error);
-+ ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "nosuid,nodev,ro" : "nosuid,nodev", NULL, &l_error);
- if (!ret) {
- g_propagate_prefixed_error (error, l_error, "Failed to mount '%s': ", device);
- g_rmdir (mountpoint);
---
-2.49.0
-
diff --git a/libblockdev.spec b/libblockdev.spec
index 90da5db..b8cd4c7 100644
--- a/libblockdev.spec
+++ b/libblockdev.spec
@@ -85,15 +85,12 @@
 %define configure_opts %{?python3_copts} %{?lvm_dbus_copts} %{?btrfs_copts} %{?crypto_copts} %{?dm_copts} %{?loop_copts} %{?lvm_copts} %{?lvm_dbus_copts} %{?mdraid_copts} %{?mpath_copts} %{?swap_copts} %{?part_copts} %{?fs_copts} %{?nvdimm_copts} %{?tools_copts} %{?gi_copts} %{?nvme_copts} %{?smart_copts} %{?smartmontools_copts}
 Name: libblockdev
-Version: 3.2.0
-Release: 5%{?dist}
+Version: 3.4.0
+Release: 1%{?dist}
 Summary: A library for low-level manipulation with block devices
 License: LGPL-2.1-or-later
 URL: https://github.com/storaged-project/libblockdev
 Source0: https://github.com/storaged-project/libblockdev/releases/download/%{version}/%{name}-%{version}.tar.gz
-Patch0: 0001-nvme_Avoid_element-type_g-i_annotations.patch
-Patch1: 0002-crypto-Add-a-function-to-set-persistent-flags-for-LU.patch
-Patch2: 0003-Don-t-allow-suid-and-dev-set-on-fs-resize.patch
 BuildRequires: make
 BuildRequires: glib2-devel
@@ -949,6 +946,10 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}
 %files plugins-all
 %changelog
+* Thu Sep 25 2025 Vojtech Trefny - 3.4.0-1
+- Update to 3.4.0
+ Resolves: RHEL-114971
+
 * Mon Jun 23 2025 Vojtech Trefny - 3.2.0-5
 - Don't allow suid and dev set on fs resize
 Resolves: RHEL-96031
diff --git a/sources b/sources
index e7efae0..85a77e7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libblockdev-3.2.0.tar.gz) = 02a56f566a768a4f4bc68e3e40c80a080cb5ced58675dfae7986f55aea57f887425ebab19d9c2659887d489f08ace082aca0cf97ed3d95e266fb83a236a2f66c
+SHA512 (libblockdev-3.4.0.tar.gz) = d722ee1f41b76158b41f57ea4062adaba274c5ffdd88fa40b0b605a8557e68ba095e6a6649b8f6efeff9ad814532b5b19aa541a1688ef4b34ea23078d946c1d3
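Review bot: The new `%changelog` entry in libblockdev.spec (`- Update to 3.4.0`) does not record that this rebase drops `Patch2: 0003-Don-t-allow-suid-and-dev-set-on-fs-resize.patch`, the downstream fix for CVE-2025-6019, together with `Patch0` and `Patch1`. The deleted patch made `fs_mount` in `src/plugins/fs/generic.c` pass `nosuid,nodev` to `bd_fs_mount`. Nothing on this page shows that the 3.4.0 tarball carries that change, so the removal presumably relies on upstream having merged it. That is worth confirming against the new source before the build ships. I would add a changelog line such as `- Drop downstream patches merged upstream (includes the CVE-2025-6019 fix)` so a later package audit does not read the missing patch as a regression.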