Compare commits

..

No commits in common. "a8-beta-multiple-keys" and "c8" have entirely different histories.

4 changed files with 101 additions and 260 deletions

View File

@ -0,0 +1,93 @@
From 8eac75556d0f53f3ba6cd12d2545bc8dbebb11f4 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Tue, 4 Jun 2024 06:57:19 -0400
Subject: [PATCH] repo: Don't try to perform labeling if SELinux is disabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The default for container execution is that `/sys/fs/selinux`
is not mounted, and the libselinux library function `is_selinux_enabled`
should be used to dynamically check if the system should attempt to perform SELinux labeling.
This is how it's done by rpm, ostree, and systemd for example.
But this code unconditionally tries to label if it finds a policy,
which breaks in an obscure corner case
when executed inside a container that includes policy files (e.g.
fedora/rhel-bootc) but when we're not using overlayfs for the backend
(with BUILDAH_BACKEND=vfs).
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
libdnf/repo/Repo.cpp | 50 +++++++++++++++++++++++---------------------
1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/libdnf/repo/Repo.cpp b/libdnf/repo/Repo.cpp
index 68b82ccc..4f646f8c 100644
--- a/libdnf/repo/Repo.cpp
+++ b/libdnf/repo/Repo.cpp
@@ -676,34 +676,36 @@ static int create_temporary_directory(char *name_template) {
int old_default_context_was_retrieved= 0;
struct selabel_handle *labeling_handle = NULL;
- /* A purpose of this piece of code is to deal with applications whose
- * security policy overrides a file context for temporary files but don't
- * know that libdnf executes GnuPG which expects a default file context. */
- if (0 == getfscreatecon(&old_default_context)) {
- old_default_context_was_retrieved = 1;
- } else {
- logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
- }
+ if (is_selinux_enabled()) {
+ /* A purpose of this piece of code is to deal with applications whose
+ * security policy overrides a file context for temporary files but don't
+ * know that libdnf executes GnuPG which expects a default file context. */
+ if (0 == getfscreatecon(&old_default_context)) {
+ old_default_context_was_retrieved = 1;
+ } else {
+ logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
+ }
- labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- if (NULL == labeling_handle) {
- logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
- strerror(errno)));
- } else {
- if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
- /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
- * that value should be really defined in default file context
- * SELinux policy. Only log that the policy is incpomplete. */
- logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
- name_template));
+ labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (NULL == labeling_handle) {
+ logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
+ strerror(errno)));
} else {
- if (setfscreatecon(new_default_context)) {
- logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
- new_default_context));
+ if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
+ /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
+ * that value should be really defined in default file context
+ * SELinux policy. Only log that the policy is incpomplete. */
+ logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
+ name_template));
+ } else {
+ if (setfscreatecon(new_default_context)) {
+ logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
+ new_default_context));
+ }
+ freecon(new_default_context);
}
- freecon(new_default_context);
+ selabel_close(labeling_handle);
}
- selabel_close(labeling_handle);
}
#endif
--
2.45.2

View File

@ -1,23 +0,0 @@
diff -aruN libdnf-0.63.0/docs/hawkey/conf.py libdnf-0.63.0_alma/docs/hawkey/conf.py
--- libdnf-0.63.0/docs/hawkey/conf.py 2021-05-18 17:07:23.000000000 +0300
+++ libdnf-0.63.0_alma/docs/hawkey/conf.py 2021-12-30 11:03:39.179244600 +0300
@@ -260,6 +260,6 @@
rst_prolog = """
.. default-domain:: py
.. _libsolv: https://github.com/openSUSE/libsolv
-.. _bugzilla: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=hawkey
+.. _bugzilla: https://bugs.almalinux.org/
"""
diff -aruN libdnf-0.63.0/libdnf/conf/Const.hpp libdnf-0.63.0_alma/libdnf/conf/Const.hpp
--- libdnf-0.63.0/libdnf/conf/Const.hpp 2021-05-18 17:07:23.000000000 +0300
+++ libdnf-0.63.0_alma/libdnf/conf/Const.hpp 2021-12-30 11:03:47.004789800 +0300
@@ -41,7 +41,7 @@
"installonlypkg(vm)",
"multiversion(kernel)"};
-constexpr const char * BUGTRACKER="https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=dnf";
+constexpr const char * BUGTRACKER="https://bugs.almalinux.org/";
}

View File

@ -1,228 +0,0 @@
From 5b87a29c78fe7b3fce8ac167a1a650449d25f54c Mon Sep 17 00:00:00 2001
From: Dmitriy Popov <dpopov@cloudlinux.com>
Date: Wed, 1 May 2024 23:16:47 +0300
Subject: [PATCH] dnf-keyring-support-multiple-keys
Since it is known from the bug (and practically proven) that "rpm --import"
is capable of supporting multiple containers in one file, unlike the internal
implementation, due to the need to globally rewrite the structure of parameters.
https://github.com/rpm-software-management/rpm/pull/2242
"This does not affect rpmkeys --import because it explicitly checks
for multiple PGPTAG_PUBLIC_KEY packets and imports them separately"
The patch implies the logic of the cli rpmcliImportPubkeys
in dnf_keyring_add_public_key, except that instead of direct import,
it continues to expand the keyring as before, and then imports it,
making this change atomic.
Signed-off-by: Dmitriy Popov <dpopov@cloudlinux.com>
---
libdnf/dnf-keyring.cpp | 167 +++++++++++++++++++++++------------------
1 file changed, 96 insertions(+), 71 deletions(-)
diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
index 62a6248..f4afd35 100644
--- a/libdnf/dnf-keyring.cpp
+++ b/libdnf/dnf-keyring.cpp
@@ -62,13 +62,16 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
gboolean ret = TRUE;
int rc;
gsize len;
- pgpArmor armor;
pgpDig dig = NULL;
rpmPubkey pubkey = NULL;
rpmPubkey *subkeys = NULL;
int nsubkeys = 0;
uint8_t *pkt = NULL;
g_autofree gchar *data = NULL;
+ char const * const pgpmark = "-----BEGIN PGP ";
+ size_t marklen = strlen(pgpmark);
+ int keyno = 1;
+ char *start = NULL;
/* ignore symlinks and directories */
if (!g_file_test(filename, G_FILE_TEST_IS_REGULAR))
@@ -81,79 +84,99 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
if (!ret)
goto out;
- /* rip off the ASCII armor and parse it */
- armor = pgpParsePkts(data, &pkt, &len);
- if (armor < 0) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "failed to parse PKI file %s",
- filename);
- goto out;
- }
-
- /* make sure it's something we can add to rpm */
- if (armor != PGPARMOR_PUBKEY) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "PKI file %s is not a public key",
- filename);
- goto out;
- }
+ start = strstr(data, pgpmark);
- /* test each one */
- pubkey = rpmPubkeyNew(pkt, len);
- if (pubkey == NULL) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "failed to parse public key for %s",
- filename);
- goto out;
- }
-
- /* does the key exist in the keyring */
- dig = rpmPubkeyDig(pubkey);
- rc = rpmKeyringLookup(keyring, dig);
- if (rc == RPMRC_OK) {
- ret = TRUE;
- g_debug("%s is already present", filename);
- goto out;
- }
+ do {
+ uint8_t *pkt = NULL;
+ uint8_t *pkti = NULL;
+ size_t pktlen = 0;
+ size_t certlen;
+
+ /* Read pgp packet. */
+ if (pgpParsePkts(start, &pkt, &pktlen) == PGPARMOR_PUBKEY) {
+ pkti = pkt;
+
+ /* Iterate over certificates in pkt */
+ while (pktlen > 0) {
+ if (pgpPubKeyCertLen(pkti, pktlen, &certlen)) {
+ g_debug("%s: key %d import failed.\n", filename, keyno);
+ break;
+ }
+
+ /* test each one */
+ pubkey = rpmPubkeyNew(pkti, certlen);
+ if (pubkey == NULL) {
+ ret = FALSE;
+ g_set_error(error,
+ DNF_ERROR,
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
+ "failed to parse public key for %s",
+ filename);
+ goto out;
+ }
+
+ /* add to in-memory keyring */
+ rc = rpmKeyringAddKey(keyring, pubkey);
+ if (rc == 1) {
+ ret = TRUE;
+ g_debug("%s is already added", filename);
+ goto out;
+ } else if (rc < 0) {
+ ret = FALSE;
+ g_set_error(error,
+ DNF_ERROR,
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
+ "failed to add public key %s to rpmdb",
+ filename);
+ goto out;
+ }
+
+ subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
+ for (int i = 0; i < nsubkeys; i++) {
+ rpmPubkey subkey = subkeys[i];
+ if (rpmKeyringAddKey(keyring, subkey) < 0) {
+ ret = FALSE;
+ g_set_error(error,
+ DNF_ERROR,
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
+ "failed to add subkeys for %s to rpmdb",
+ filename);
+ goto out;
+ }
+ }
+
+ pkti += certlen;
+ pktlen -= certlen;
+ }
+ } else {
+ g_debug("%s: key %d not an armored public key.\n", filename, keyno);
+ }
- /* add to rpmdb automatically, without a prompt */
- rc = rpmKeyringAddKey(keyring, pubkey);
- if (rc == 1) {
- ret = TRUE;
- g_debug("%s is already added", filename);
- goto out;
- } else if (rc < 0) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "failed to add public key %s to rpmdb",
- filename);
- goto out;
- }
+ /* See if there are more keys in the buffer */
+ if (start && start + marklen < data + len) {
+ start = strstr(start + marklen, pgpmark);
+ } else {
+ start = NULL;
+ }
- subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
- for (int i = 0; i < nsubkeys; i++) {
- rpmPubkey subkey = subkeys[i];
- if (rpmKeyringAddKey(keyring, subkey) < 0) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "failed to add subkeys for %s to rpmdb",
- filename);
- goto out;
+ keyno++;
+ if (pkt != NULL)
+ free(pkt); /* yes, free() */
+ pkt = NULL;
+ if (pubkey != NULL)
+ rpmPubkeyFree(pubkey);
+ pubkey = NULL;
+ if (subkeys != NULL) {
+ for (int i = 0; i < nsubkeys; i++) {
+ if (subkeys[i] != NULL) {
+ rpmPubkeyFree (subkeys[i]);
+ subkeys[i] = NULL;
+ }
+ }
+ free (subkeys);
+ subkeys = NULL;
}
- }
+ } while (start != NULL);
/* success */
g_debug("added missing public key %s to rpmdb", filename);
@@ -165,7 +188,9 @@ out:
rpmPubkeyFree(pubkey);
if (subkeys != NULL) {
for (int i = 0; i < nsubkeys; i++) {
- rpmPubkeyFree(subkeys[i]);
+ if (subkeys[i] != NULL) {
+ rpmPubkeyFree (subkeys[i]);
+ }
}
free(subkeys);
}
--
2.34.1

View File

@ -58,7 +58,7 @@
Name: libdnf Name: libdnf
Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version} Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
Release: 19%{?dist}.alma.2 Release: 20%{?dist}
Summary: Library providing simplified C and Python API to libsolv Summary: Library providing simplified C and Python API to libsolv
License: LGPLv2+ License: LGPLv2+
URL: https://github.com/rpm-software-management/libdnf URL: https://github.com/rpm-software-management/libdnf
@ -112,10 +112,8 @@ Patch46: 0046-Update-translations-RHEL-8.9.patch
Patch47: 0047-filterAdvisory-installed_solvables-sort-RhBug2212838.patch Patch47: 0047-filterAdvisory-installed_solvables-sort-RhBug2212838.patch
Patch48: 0048-Avoid-reinstal-installonly-packages-marked-for-ERASE.patch Patch48: 0048-Avoid-reinstal-installonly-packages-marked-for-ERASE.patch
Patch49: 0049-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch Patch49: 0049-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
Patch50: 0050-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch
# Almalinux patches
Patch10001: almalinux_bugtracker.patch
Patch10002: dnf-keyring-support-multiple-keys.patch
BuildRequires: cmake BuildRequires: cmake
BuildRequires: gcc BuildRequires: gcc
@ -365,20 +363,20 @@ popd
%endif %endif
%changelog %changelog
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma.2 * Mon Jun 24 2024 Petr Pisar <ppisar@redhat.com> - 0.63.0-20
- Add patch to fix issue with multiple keys in dnf-keyring - Do not set a default SELinux creation context if SELinux appears to be
disabled (RHEL-43231)
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma
- AlmaLinux changes
* Wed Oct 18 2023 Petr Pisar <ppisar@redhat.com> - 0.63.0-19 * Wed Oct 18 2023 Petr Pisar <ppisar@redhat.com> - 0.63.0-19
- Set default SELinux labels on GnuPG directories (RHEL-6421) - Set default SELinux labels on GnuPG directories (RHEL-6421)
* Fri Oct 13 2023 Jaroslav Rohel <jrohel@redhat.com> - 0.63.0-18 * Fri Oct 13 2023 Jaroslav Rohel <jrohel@redhat.com> - 0.63.0-18
- filterAdvisory: match installed_solvables sort with lower_bound (RhBug:2212838, RHEL-1244) - filterAdvisory: match installed_solvables sort with lower_bound (RhBug:2212838, RHEL-1244)
- Avoid reinstalling installonly packages marked for ERASE (RhBug:2163474, RHEL-1253) - Avoid reinstalling installonly packages marked for ERASE (RhBug:2163474, RHEL-1253)
* Fri Sep 08 2023 Marek Blaha <mblaha@redhat.com> - 0.63.0-17 * Fri Sep 08 2023 Marek Blaha <mblaha@redhat.com> - 0.63.0-17
- Update translations - Update translations
* Wed May 31 2023 Nicola Sella <nsella@redhat.com> - 0.63-0-16 * Wed May 31 2023 Nicola Sella <nsella@redhat.com> - 0.63-0-16
- Support "proxy=_none_" in main config (RhBug:2155713) - Support "proxy=_none_" in main config (RhBug:2155713)
@ -390,6 +388,7 @@ popd
* Wed Oct 26 2022 Nicola Sella <nsella@redhat.com> - 0.63.0-13 * Wed Oct 26 2022 Nicola Sella <nsella@redhat.com> - 0.63.0-13
- Allow change of arch during security updates with noarch (RhBug:2124483) - Allow change of arch during security updates with noarch (RhBug:2124483)
* Tue Sep 13 2022 Lukas Hrazky <lhrazky@redhat.com> - 0.63.0-12 * Tue Sep 13 2022 Lukas Hrazky <lhrazky@redhat.com> - 0.63.0-12
- Fix listing a repository without cpeid (RhBug:2066334) - Fix listing a repository without cpeid (RhBug:2066334)