* Tue Apr 09 2024 Miroslav Rezanina <mrezanin@redhat.com> - 1.38.0-1

- Rebase to 1.38.0
- Added selinux subpackage
- resolves: RHEL-31884
This commit is contained in:
Miroslav Rezanina 2024-04-09 05:58:46 +02:00
parent 8ae077769e
commit c8a2ccfe39
12 changed files with 591 additions and 385 deletions

View File

@ -1,44 +0,0 @@
From ac87babe2d1652e3f37715efe9f29ad6f16eb9df Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 4 Dec 2023 10:23:29 +0000
Subject: [PATCH] configure: Fix initialization from incompatible pointer type
With GCC 14:
configure:20816: checking if environ is declared in header files
configure:20833: gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grec
ord-gcc-switches -pipe -Wall -Werror=format-security
-Werror=implicit-function-declaration -Werror=implicit-int
-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-fno-omit-frame-pointer -mno-omit-leaf-frame-pointer conftest.c >&5
conftest.c: In function 'test':
conftest.c:62:22: error: initialization of 'const char **' from incompatible p
ointer type 'char **'
62 | const char **env = environ;
| ^~~~~~~
Thanks: Florian Weimer
(cherry picked from commit 32a9ee6650654469cd591a3ae26842c54f898392)
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 3b12e357..beab4674 100644
--- a/configure.ac
+++ b/configure.ac
@@ -335,7 +335,7 @@ AC_LANG_SOURCE([[
static int
test (void)
{
- const char **env = environ;
+ char **env = environ;
return env ? 1 : 0; // this just forces env to be used
}
]])
--
2.39.3

View File

@ -1,58 +0,0 @@
From 054798ca11b9f0b71fbad302edf66b52519f5aa2 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 14 Dec 2023 17:47:10 +0000
Subject: [PATCH] file: Rework documentation for dir= parameter
The existing documentation tended towards jargon and lacked examples.
(cherry picked from commit 7cbd49ced6414e49fcf4ff1a967929a2b83ab44e)
---
plugins/file/nbdkit-file-plugin.pod | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
index 857ad21e..e47eae97 100644
--- a/plugins/file/nbdkit-file-plugin.pod
+++ b/plugins/file/nbdkit-file-plugin.pod
@@ -64,13 +64,23 @@ symbolic links. Other special files in the directory (such as
subdirectories, pipes, or Unix sockets) are ignored.
When this mode is used, the file to be served is chosen by the export
-name passed by the client, where the client can request a list of
-available exports using NBD_OPT_LIST. A client that requests the
-default export (C<"">) will be rejected. However, you can use
-L<nbdkit-exportname-filter(1)> to adjust what export names the client
-sees or uses as a default. For security, when using directory mode,
+name passed by the client. For security, when using directory mode,
this plugin will not accept export names containing slash (C</>).
+To list exports, use L<nbdinfo(1)> I<--list> option, for example:
+
+ nbdinfo --list nbd://localhost
+
+An NBD client can request a list of available exports using
+C<NBD_OPT_LIST>.
+
+A client that requests the default export (C<"">) will be rejected.
+However, you can use L<nbdkit-exportname-filter(1)> to adjust what
+export names the client sees, and which one the client uses as a
+default. For example to make F</dir/file> be the default export:
+
+ nbdkit file dir=/dir --filter=exportname default-export=file
+
=item B<dirfd=>FILE_DESCRIPTOR
(nbdkit E<ge> 1.34, not Windows)
@@ -262,7 +272,8 @@ L<nbdkit-tmpdisk-plugin(1)>,
L<nbdkit-exportname-filter(1)>,
L<nbdkit-fua-filter(1)>,
L<nbdkit-luks-filter(1)>,
-L<nbdkit-noextents-filter(1)>.
+L<nbdkit-noextents-filter(1)>,
+L<nbdinfo(1)>.
=head1 AUTHORS
--
2.39.3

View File

@ -1,28 +0,0 @@
From 596f97316e65c151741e6ee42893023f6e945c01 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Sat, 16 Dec 2023 18:08:37 +0000
Subject: [PATCH] file: Fix markup when referencing dir= option from dirfd=
docs
Fixes: commit dd28b005430d020ccd1825437937c317332d3007
(cherry picked from commit 5b8c9c49cc352e9b0fba4dde9e0f57c53c9c2457)
---
plugins/file/nbdkit-file-plugin.pod | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
index e47eae97..5feb8ea9 100644
--- a/plugins/file/nbdkit-file-plugin.pod
+++ b/plugins/file/nbdkit-file-plugin.pod
@@ -85,7 +85,7 @@ default. For example to make F</dir/file> be the default export:
(nbdkit E<ge> 1.34, not Windows)
-This is like the I<dir> option, but instead of specifying the
+This is like the C<dir=> option, but instead of specifying the
directory by name, the parent process should open the directory and
pass this file descriptor by inheritance to nbdkit.
--
2.39.3

View File

@ -1,108 +0,0 @@
From 0d080223a8567a5ef673deb6ac49152fd67dd1b7 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Sat, 16 Dec 2023 18:03:13 +0000
Subject: [PATCH] file: Further rework documentation of dir= parameter
Move the documentation to a new section, allowing us to expand on this
topic. This also makes the HTML documentation linkable.
Updates: commit 7cbd49ced6414e49fcf4ff1a967929a2b83ab44e
(cherry picked from commit 74621ec608d0edd76c2d8de140e7d1d5626c8251)
---
plugins/file/nbdkit-file-plugin.pod | 66 +++++++++++++++++++++--------
1 file changed, 49 insertions(+), 17 deletions(-)
diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod
index 5feb8ea9..de8fbeba 100644
--- a/plugins/file/nbdkit-file-plugin.pod
+++ b/plugins/file/nbdkit-file-plugin.pod
@@ -63,23 +63,7 @@ directory named C<DIRECTORY>, including those found by following
symbolic links. Other special files in the directory (such as
subdirectories, pipes, or Unix sockets) are ignored.
-When this mode is used, the file to be served is chosen by the export
-name passed by the client. For security, when using directory mode,
-this plugin will not accept export names containing slash (C</>).
-
-To list exports, use L<nbdinfo(1)> I<--list> option, for example:
-
- nbdinfo --list nbd://localhost
-
-An NBD client can request a list of available exports using
-C<NBD_OPT_LIST>.
-
-A client that requests the default export (C<"">) will be rejected.
-However, you can use L<nbdkit-exportname-filter(1)> to adjust what
-export names the client sees, and which one the client uses as a
-default. For example to make F</dir/file> be the default export:
-
- nbdkit file dir=/dir --filter=exportname default-export=file
+See L</Serving multiple files and block devices> below.
=item B<dirfd=>FILE_DESCRIPTOR
@@ -89,6 +73,8 @@ This is like the C<dir=> option, but instead of specifying the
directory by name, the parent process should open the directory and
pass this file descriptor by inheritance to nbdkit.
+See L</Serving multiple files and block devices> below.
+
=item B<fadvise=normal>
=item B<fadvise=random>
@@ -140,6 +126,52 @@ L<https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file#win32-devi
=head1 NOTES
+=head2 Serving multiple files and block devices
+
+Using C<dir=DIRECTORY> (or C<dirfd=DIRFD>) you can serve all regular
+files and block devices located directly inside the directory named
+C<DIRECTORY>, including those found by following symbolic links.
+Other special files in the directory (such as subdirectories, pipes,
+or Unix sockets) are ignored.
+
+When this mode is used, the file to be served is chosen by the export
+name passed by the client. For security, when using directory mode,
+this plugin will not accept export names containing slash (C</>).
+
+For example:
+
+ $ ls -l /var/tmp/exports
+ total 0
+ -rw-r--r--. 1 rjones rjones 1048576 Dec 14 15:34 disk1
+ -rw-r--r--. 1 rjones rjones 2097152 Dec 14 15:34 disk2
+ lrwxrwxrwx. 1 rjones rjones 9 Dec 14 15:35 sda1 -> /dev/sda1
+ $ nbdkit file dir=/var/tmp/exports
+
+will serve three exports called C<"disk1">, C<"disk2"> and C<"sda1">.
+The first two are regular files and the last is a block device. You
+can add or remove files or symbolic links from the directory while
+nbdkit is running.
+
+To list exports, use L<nbdinfo(1)> I<--list> option, for example:
+
+ $ nbdinfo --list nbd://localhost
+ protocol: newstyle-fixed without TLS, using structured packets
+ export="disk1":
+ export-size: 1048576 (1M)
+ uri: nbd://localhost:10809/disk1
+ [etc]
+
+An NBD client can request a list of available exports using
+C<NBD_OPT_LIST>. For libnbd clients see nbd_opt_list(3).
+
+A client that requests the default export (C<"">) will be rejected.
+However, you can use L<nbdkit-exportname-filter(1)> to adjust the
+default export as well as other transformations of export names. For
+example to make F</var/tmp/exports/disk1> be the default export:
+
+ nbdkit file dir=/var/tmp/exports \
+ --filter=exportname default-export=disk1
+
=head2 Optimizing for random or sequential access
If you know in advance that the NBD client will access the file
--
2.39.3

View File

@ -1,29 +0,0 @@
From c155987ee521c2d6a163d2814dc869ec1e89fd90 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Sat, 16 Dec 2023 18:32:50 +0000
Subject: [PATCH] exportname: Fix markup for linking to other man pages
Fixes: commit 7623b2cc45078cca88fdd2d96c70c7f82a0db49d
(cherry picked from commit 6104f55f3851f3b82dc69f7e78c32e9c7a93dbc9)
---
filters/exportname/nbdkit-exportname-filter.pod | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/filters/exportname/nbdkit-exportname-filter.pod b/filters/exportname/nbdkit-exportname-filter.pod
index 1d69f7d4..f95a37be 100644
--- a/filters/exportname/nbdkit-exportname-filter.pod
+++ b/filters/exportname/nbdkit-exportname-filter.pod
@@ -10,8 +10,8 @@ nbdkit-exportname-filter - adjust export names between client and plugin
=head1 DESCRIPTION
-Some plugins (such as C<nbdkit-file-plugin(1)> and filters (such as
-C<nbdkit-ext2-filter(1)> are able to serve different content based on
+Some plugins (such as L<nbdkit-file-plugin(1)> and filters (such as
+L<nbdkit-ext2-filter(1)> are able to serve different content based on
the export name requested by the client. The NBD protocol allows a
server to advertise the set of export names it is serving. However,
the list advertised (or absent) from the plugin may not always match
--
2.39.3

View File

@ -1,30 +0,0 @@
From b8eb91e9102a2ae6cb96b0f2ffdb96b724cbb1b7 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Wed, 20 Dec 2023 10:38:27 +0000
Subject: [PATCH] partition: Don't call nbdkit_error twice on error path
Fixes: commit 7b9301a4c569456a4f96784229a2cd48e8957662
(cherry picked from commit 036b178a4affd00b8bbdb6cb140e81b62f57a374)
---
filters/partition/partition-gpt.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/filters/partition/partition-gpt.c b/filters/partition/partition-gpt.c
index 80acddb4..930e2081 100644
--- a/filters/partition/partition-gpt.c
+++ b/filters/partition/partition-gpt.c
@@ -92,10 +92,8 @@ find_gpt_partition (nbdkit_next *next,
int err;
if (get_gpt_header (header_bytes,
- &nr_partition_entries, &size_partition_entry) == -1) {
- nbdkit_error ("cannot support non-standard GPT header");
+ &nr_partition_entries, &size_partition_entry) == -1)
return -1;
- }
if (partnum > nr_partition_entries) {
nbdkit_error ("GPT partition number out of range");
--
2.39.3

View File

@ -1,52 +0,0 @@
From 3b168aa842dc80a6d95b2c1ccb52a8ef664e7aba Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Wed, 20 Dec 2023 10:34:10 +0000
Subject: [PATCH] partition: Suggest alternate partition-sectorsize
When we reach this error it means that we have failed to detect the
"EFI PART" signature (indicating GPT) and we've fallen back to parsing
MBR, but in doing so we have discovered a GPT protective MBR which
should only happen for GPT. A possible cause for missing the
signature was because we have the wrong sector size.
Therefore check for the current sector size (which should be either
512 or 4096) and suggest that the user sets the other sector size.
Also avoids the case where the user already set partition-sectorsize=4k
and we were suggesting that they set it again.
Reported-by: Ming Xie
Fixes: commit 7b9301a4c569456a4f96784229a2cd48e8957662
Fixes: https://issues.redhat.com/browse/RHEL-19815
(cherry picked from commit cd761c9bf770b23f678fd82f0d1c8d4cce2ed1b5)
---
filters/partition/partition-mbr.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/filters/partition/partition-mbr.c b/filters/partition/partition-mbr.c
index 3927c31f..6a81addb 100644
--- a/filters/partition/partition-mbr.c
+++ b/filters/partition/partition-mbr.c
@@ -87,9 +87,16 @@ find_mbr_partition (nbdkit_next *next,
!is_extended (partition.part_type_byte) &&
partnum == i+1) {
if (partition.part_type_byte == 0xEE) {
- nbdkit_error ("rejecting GPT protective entry from MBR, "
- "if the underlying storage uses 4K sectors "
- "try using partition-sectorsize=4k");
+ if (sector_size == 512)
+ nbdkit_error ("rejecting GPT protective entry from MBR, "
+ "if the underlying storage uses 4K sectors "
+ "try using partition-sectorsize=4k");
+ else if (sector_size == 4096)
+ nbdkit_error ("rejecting GPT protective entry from MBR, "
+ "if the underlying storage uses 512 byte sectors "
+ "try using partition-sectorsize=512");
+ else
+ nbdkit_error ("rejecting GPT protective entry from MBR");
return -1;
}
*offset_r = partition.start_sector * (int64_t) sector_size;
--
2.39.3

3
nbdkit.fc Normal file
View File

@ -0,0 +1,3 @@
/usr/sbin/nbdkit -- gen_context(system_u:object_r:nbdkit_exec_t,s0)
/usr/lib/systemd/system/nbdkit.* gen_context(system_u:object_r:nbdkit_unit_file_t,s0)

207
nbdkit.if Normal file
View File

@ -0,0 +1,207 @@
## <summary>policy for nbdkit</summary>
########################################
## <summary>
## Execute nbdkit_exec_t in the nbdkit domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`nbdkit_domtrans',`
gen_require(`
type nbdkit_t, nbdkit_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
')
######################################
## <summary>
## Execute nbdkit in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nbdkit_exec',`
gen_require(`
type nbdkit_exec_t;
')
corecmd_search_bin($1)
can_exec($1, nbdkit_exec_t)
')
########################################
## <summary>
## Execute nbdkit in the nbdkit domain, and
## allow the specified role the nbdkit domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the nbdkit domain.
## </summary>
## </param>
#
interface(`nbdkit_run',`
gen_require(`
type nbdkit_t;
attribute_role nbdkit_roles;
')
nbdkit_domtrans($1)
roleattribute $2 nbdkit_roles;
')
########################################
## <summary>
## Role access for nbdkit
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`nbdkit_role',`
gen_require(`
type nbdkit_t;
attribute_role nbdkit_roles;
')
roleattribute $1 nbdkit_roles;
nbdkit_domtrans($2)
ps_process_pattern($2, nbdkit_t)
allow $2 nbdkit_t:process { signull signal sigkill };
')
########################################
## <summary>
## Allow attempts to connect to nbdkit
## with a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`nbdkit_stream_connect',`
gen_require(`
type nbdkit_t;
')
allow $1 nbdkit_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Allow nbdkit_exec_t to be an entrypoint
## of the specified domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`nbdkit_entrypoint',`
gen_require(`
type nbdkit_exec_t;
')
allow $1 nbdkit_exec_t:file entrypoint;
')
# ----------------------------------------------------------------------
# RWMJ: See:
# https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
# Remove this when virt.if gets updated.
########################################
#
# Interface compatibility blocks
#
# The following definitions ensure compatibility with distribution policy
# versions that do not contain given interfaces (epel, or older Fedora
# releases).
# Each block tests for existence of given interface and defines it if needed.
#
########################################
## <summary>
## Read and write to svirt_image dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`virt_rw_svirt_image_dirs',`
interface(`virt_rw_svirt_image_dirs',`
gen_require(`
type svirt_image_t;
')
allow $1 svirt_image_t:dir rw_dir_perms;
')
')
########################################
## <summary>
## Create svirt_image sock_files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`virt_create_svirt_image_sock_files',`
interface(`virt_create_svirt_image_sock_files',`
gen_require(`
type svirt_image_t;
')
allow $1 svirt_image_t:sock_file create_sock_file_perms;
')
')
########################################
## <summary>
## Read and write virtlogd pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`virtlogd_rw_pipes',`
interface(`virtlogd_rw_pipes',`
gen_require(`
type virtlogd_t;
')
allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
')
')

View File

@ -22,8 +22,20 @@
%global have_ocaml 1
%endif
# libblkio was broken on i686: https://bugzilla.redhat.com/2229372
# but somehow "fixed itself", keep an eye on it.
%global have_blkio 1
# Enable mingw subpackage on Fedora only.
%if 0%{?fedora}
%global have_mingw 1
%endif
# Enable nbdkit-selinux package.
%global with_selinux 1
%global modulename nbdkit
%global selinuxtype targeted
# Architectures where we run the complete test suite including
# the libguestfs tests.
#
@ -36,25 +48,14 @@
# it as a bug and add it to this list.
%global broken_test_arches NONE
%if 0%{?rhel} == 7
# On RHEL 7, nothing in the virt stack is shipped on aarch64 and
# libguestfs was not shipped on POWER (fixed in 7.5). We could in
# theory make all of this work by having lots more conditionals, but
# for now limit this package to x86_64 on RHEL.
ExclusiveArch: x86_64
%endif
# If we should verify tarball signature with GPGv2.
%global verify_tarball_signature 1
# If there are patches which touch autotools files, set this to 1.
%global patches_touch_autotools 1
# The source directory.
%global source_directory 1.36-stable
%global source_directory 1.38-stable
Name: nbdkit
Version: 1.36.2
Version: 1.38.0
Release: 1%{?dist}
Summary: NBD server
@ -79,25 +80,23 @@ Source3: copy-patches.sh
# Patches come from the upstream repository:
# https://gitlab.com/nbdkit/nbdkit/-/commits/rhel-9.4/
# Patches.
Patch0001: 0001-configure-Fix-initialization-from-incompatible-point.patch
Patch0002: 0002-file-Rework-documentation-for-dir-parameter.patch
Patch0003: 0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch
Patch0004: 0004-file-Further-rework-documentation-of-dir-parameter.patch
Patch0005: 0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch
Patch0006: 0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch
Patch0007: 0007-partition-Suggest-alternate-partition-sectorsize.patch
# For automatic RPM Provides generation.
# See: https://rpm-software-management.github.io/rpm/manual/dependency_generators.html
Source4: nbdkit.attr
Source5: nbdkit-find-provides
BuildRequires: make
%if 0%{patches_touch_autotools}
BuildRequires: autoconf, automake, libtool
%endif
# For nbdkit-selinux package:
Source6: %{modulename}.te
Source7: %{modulename}.if
Source8: %{modulename}.fc
# For applying the patches:
BuildRequires: git
# For rebuilding autoconf cruft:
BuildRequires: autoconf, automake, libtool
BuildRequires: make
BuildRequires: gcc, gcc-c++
BuildRequires: %{_bindir}/pod2man
BuildRequires: gnutls-devel
@ -173,12 +172,38 @@ BuildRequires: %{_bindir}/stat
# itself, but it's a simple noarch package so easy to install.
BuildRequires: nbdkit-srpm-macros >= 1.30.0
%if 0%{?have_mingw}
BuildRequires: mingw32-filesystem
BuildRequires: mingw64-filesystem
BuildRequires: mingw32-gcc
BuildRequires: mingw64-gcc
BuildRequires: mingw32-gcc-c++
BuildRequires: mingw64-gcc-c++
BuildRequires: mingw32-dlfcn
BuildRequires: mingw64-dlfcn
BuildRequires: mingw32-gnutls
BuildRequires: mingw64-gnutls
BuildRequires: mingw32-winpthreads
BuildRequires: mingw64-winpthreads
BuildRequires: mingw32-xz
BuildRequires: mingw64-xz
BuildRequires: mingw32-zlib
BuildRequires: mingw64-zlib
%endif
# nbdkit is a metapackage pulling the server and a useful subset
# of the plugins and filters.
Requires: nbdkit-server%{?_isa} = %{version}-%{release}
Requires: nbdkit-basic-plugins%{?_isa} = %{version}-%{release}
Requires: nbdkit-basic-filters%{?_isa} = %{version}-%{release}
%if 0%{?with_selinux}
# This ensures that the nbdkit-selinux package and all its
# dependencies are not pulled into containers and other systems that
# do not use SELinux.
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
%description
NBD is a protocol for accessing block devices (hard disks and
@ -324,6 +349,22 @@ Requires: %{name}-server%{?_isa} = %{version}-%{release}
This package contains cURL (HTTP/FTP) support for %{name}.
%if !0%{?rhel}
# In theory this is noarch, but because plugins are placed in _libdir
# which varies across architectures, RPM does not allow this.
%package gcs-plugin
Summary: Gooogle Cloud Storage plugin %{name}
Requires: %{name}-python-plugin%{?_isa} = %{version}-%{release}
Requires: %{name}-server%{?_isa} = %{version}-%{release}
# XXX Should not need to add this.
Requires: python3-google-cloud-storage
%description gcs-plugin
This package lets you open disk images stored in Google
Cloud Storage using %{name}.
%endif
%if !0%{?rhel} && 0%{?have_libguestfs}
%package guestfs-plugin
Summary: libguestfs plugin for %{name}
@ -441,7 +482,8 @@ This package lets you write Ruby plugins for %{name}.
# which varies across architectures, RPM does not allow this.
%package S3-plugin
Summary: Amazon S3 and Ceph plugin for %{name}
Requires: %{name}-python-plugin >= 1.22
Requires: %{name}-python-plugin%{?_isa} = %{version}-%{release}
Requires: %{name}-server%{?_isa} = %{version}-%{release}
# XXX Should not need to add this.
Requires: python3-boto3
@ -582,6 +624,8 @@ nbdkit-rate-filter Limit bandwidth by connection or server.
nbdkit-readahead-filter Prefetch data when reading sequentially.
nbdkit-readonly-filter Switch a plugin between read-only and writable.
nbdkit-retry-filter Reopen connection on error.
nbdkit-retry-request-filter Retry single requests on error.
@ -671,17 +715,70 @@ Install this package if you want intelligent bash tab-completion
for %{name}.
%if 0%{?with_selinux}
%package selinux
Summary: %{name} SELinux policy
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post):selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
%{nbdkit} SELinux policy module.
%endif
%if 0%{?have_mingw}
%package -n mingw32-%{name}
Summary: nbdkit binary, plugins, filters, development files for Windows
BuildArch: noarch
Requires: mingw32-filesystem
Requires: pkgconfig
%description -n mingw32-%{name}
NBD is a protocol for accessing block devices (hard disks and
disk-like things) over the network.
nbdkit is a toolkit for creating NBD servers.
This package contains the nbdkit binary, plugins, filters and
development kit for 32 bit versions of Windows.
%package -n mingw64-%{name}
Summary: nbdkit binary, plugins, filters, development files for Windows
BuildArch: noarch
Requires: mingw64-filesystem
Requires: pkgconfig
%description -n mingw64-%{name}
NBD is a protocol for accessing block devices (hard disks and
disk-like things) over the network.
nbdkit is a toolkit for creating NBD servers.
This package contains the nbdkit binary, plugins, filters and
development kit for 64 bit versions of Windows.
%{?mingw_debug_package}
%endif
%prep
%if 0%{verify_tarball_signature}
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%endif
%autosetup -p1
%if 0%{patches_touch_autotools}
%autosetup -p1 -S git
autoreconf -i
%endif
%build
mkdir build_native
pushd build_native
%global _configure ../configure
# Golang bindings are not enabled in the build since they don't
# need to be. Most people would use them by copying the upstream
# package into their vendor/ directory.
@ -761,8 +858,64 @@ grep '^PYTHON_VERSION = 3' Makefile
%make_build
%if 0%{?with_selinux}
# SELinux policy (originally from selinux-policy-contrib)
# this policy module will override the production module
mkdir selinux
cp -p %{SOURCE6} selinux/
cp -p %{SOURCE7} selinux/
cp -p %{SOURCE8} selinux/
make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
bzip2 -9 %{modulename}.pp
%endif
popd
%if 0%{?have_mingw}
# MC=no is a temporary hack until this bug is fixed in binutils:
# https://sourceware.org/bugzilla/show_bug.cgi?id=31283
%mingw_configure \
MC=no \
--disable-static \
--enable-shared \
--with-extra='%{name}-%{version}-%{release}' \
--with-tls-priority=@NBDKIT,SYSTEM \
--disable-golang \
--disable-libguestfs-tests \
--disable-linuxdisk \
--disable-lua \
--disable-ocaml \
--disable-perl \
--disable-python \
--disable-ruby \
--disable-rust \
--disable-tcl \
--disable-torrent \
--disable-valgrind \
--disable-vddk \
--without-bash-completions \
--without-curl \
--without-ext2 \
--with-gnutls \
--without-iso \
--without-libblkio \
--without-libguestfs \
--without-libnbd \
--without-libvirt \
--with-liblzma \
--without-manpages \
--without-selinux \
--without-ssh \
--with-zlib \
%{nil}
%mingw_make %{?_smp_mflags}
%endif
%install
pushd build_native
%make_install
# Delete libtool crap.
@ -778,8 +931,10 @@ for f in cc cdi ; do
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin.so
rm -f $RPM_BUILD_ROOT%{_mandir}/man?/nbdkit-$f-plugin.*
done
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-S3-plugin
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-S3-plugin.1*
for f in gcs S3 ; do
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-$f-plugin.1*
done
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/filters/nbdkit-qcow2dec-filter.so
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-qcow2dec-filter.1*
%endif
@ -789,9 +944,34 @@ mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/
install -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/
install -m 0755 %{SOURCE5} $RPM_BUILD_ROOT%{_rpmconfigdir}/
%if 0%{?with_selinux}
install -D -m 0644 %{modulename}.pp.bz2 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
install -D -p -m 0644 selinux/%{modulename}.if $RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
%endif
popd
%if 0%{?have_mingw}
%mingw_make_install
# Remove .la files
rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la
# The .def files aren't interesting for other binaries
rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def
rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def
# Remove man pages which duplicate stuff in Fedora already.
rm -rf $RPM_BUILD_ROOT%{mingw32_mandir}
rm -rf $RPM_BUILD_ROOT%{mingw64_mandir}
%mingw_debug_install_post
%endif
%check
%ifnarch %{broken_test_arches}
pushd build_native
function skip_test ()
{
for f in "$@"; do
@ -836,6 +1016,7 @@ export LIBGUESTFS_TRACE=1
cat tests/test-suite.log
exit 1
}
popd
%endif
@ -844,6 +1025,26 @@ export LIBGUESTFS_TRACE=1
%endif
%if 0%{?with_selinux}
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
# if with_selinux
%endif
%files
# metapackage so empty
@ -949,6 +1150,15 @@ export LIBGUESTFS_TRACE=1
%{_mandir}/man1/nbdkit-curl-plugin.1*
%if !0%{?rhel}
%files gcs-plugin
%doc README.md
%license LICENSE
%{_libdir}/%{name}/plugins/nbdkit-gcs-plugin
%{_mandir}/man1/nbdkit-gcs-plugin.1*
%endif
%if !0%{?rhel} && 0%{?have_libguestfs}
%files guestfs-plugin
%doc README.md
@ -1125,6 +1335,7 @@ export LIBGUESTFS_TRACE=1
%endif
%{_libdir}/%{name}/filters/nbdkit-rate-filter.so
%{_libdir}/%{name}/filters/nbdkit-readahead-filter.so
%{_libdir}/%{name}/filters/nbdkit-readonly-filter.so
%{_libdir}/%{name}/filters/nbdkit-retry-filter.so
%{_libdir}/%{name}/filters/nbdkit-retry-request-filter.so
%{_libdir}/%{name}/filters/nbdkit-scan-filter.so
@ -1165,6 +1376,7 @@ export LIBGUESTFS_TRACE=1
%endif
%{_mandir}/man1/nbdkit-rate-filter.1*
%{_mandir}/man1/nbdkit-readahead-filter.1*
%{_mandir}/man1/nbdkit-readonly-filter.1*
%{_mandir}/man1/nbdkit-retry-filter.1*
%{_mandir}/man1/nbdkit-retry-request-filter.1*
%{_mandir}/man1/nbdkit-scan-filter.1*
@ -1216,7 +1428,7 @@ export LIBGUESTFS_TRACE=1
# Include the source of the example plugins in the documentation.
%doc plugins/example*/*.c
%if !0%{?rhel}
%doc plugins/example4/nbdkit-example4-plugin
%doc build_native/plugins/example4/nbdkit-example4-plugin
%doc plugins/lua/example.lua
%endif
%if !0%{?rhel} && 0%{?have_ocaml}
@ -1256,8 +1468,41 @@ export LIBGUESTFS_TRACE=1
%{_datadir}/bash-completion/completions/nbdkit
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%endif
%if 0%{?have_mingw}
%files -n mingw32-%{name}
%license LICENSE
%{mingw32_sbindir}/nbdkit.exe
%{mingw32_libdir}/%{name}/
%{mingw32_libdir}/libnbdkit.a
%{mingw32_libdir}/pkgconfig/%{name}.pc
%{mingw32_includedir}/*.h
%files -n mingw64-%{name}
%license LICENSE
%{mingw64_sbindir}/nbdkit.exe
%{mingw64_libdir}/%{name}/
%{mingw64_libdir}/libnbdkit.a
%{mingw64_libdir}/pkgconfig/%{name}.pc
%{mingw64_includedir}/*.h
%endif
%changelog
* Tue Dec 20 2023 Richard W.M. Jones <rjones@redhat.com> - 1.36.2-1
* Tue Apr 09 2024 Miroslav Rezanina <mrezanin@redhat.com> - 1.38.0-1
- Rebase to 1.38.0
- Added selinux subpackage
- resolves: RHEL-31884
* Wed Dec 20 2023 Richard W.M. Jones <rjones@redhat.com> - 1.36.2-1
- Rebase to 1.36.2
resolves: RHEL-14475
- partition: Suggest alternate partition-sectorsize

100
nbdkit.te Normal file
View File

@ -0,0 +1,100 @@
policy_module(nbdkit, 1.0.0)
########################################
#
# Declarations
#
gen_require(`
type unconfined_t;
')
type nbdkit_t;
type nbdkit_exec_t;
application_domain(nbdkit_t, nbdkit_exec_t)
mcs_constrained(nbdkit_t)
role system_r types nbdkit_t;
type nbdkit_home_t;
userdom_user_home_content(nbdkit_home_t)
type nbdkit_tmp_t;
files_tmp_file(nbdkit_tmp_t)
type nbdkit_unit_file_t;
systemd_unit_file(nbdkit_unit_file_t)
permissive nbdkit_t;
########################################
#
# nbdkit local policy
#
allow nbdkit_t self:capability { setgid setuid };
allow nbdkit_t self:fifo_file rw_fifo_file_perms;
allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
allow nbdkit_t self:process { fork setsockcreate signal_perms };
allow nbdkit_t self:tcp_socket create_stream_socket_perms;
allow nbdkit_t self:udp_socket create_socket_perms;
manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
corenet_tcp_connect_http_port(nbdkit_t)
corenet_tcp_connect_ssh_port(nbdkit_t)
corenet_tcp_connect_tftp_port(nbdkit_t)
corenet_tcp_bind_generic_port(nbdkit_t)
corenet_tcp_bind_generic_node(nbdkit_t)
domain_use_interactive_fds(nbdkit_t)
files_read_etc_files(nbdkit_t)
init_abstract_socket_activation(nbdkit_t)
init_ioctl_stream_sockets(nbdkit_t)
init_rw_stream_sockets(nbdkit_t)
optional_policy(`
auth_use_nsswitch(nbdkit_t)
')
optional_policy(`
logging_send_syslog_msg(nbdkit_t)
')
optional_policy(`
miscfiles_read_localization(nbdkit_t)
miscfiles_read_generic_certs(nbdkit_t)
')
optional_policy(`
sysnet_dns_name_resolve(nbdkit_t)
sysnet_read_config(nbdkit_t)
')
optional_policy(`
userdom_read_user_home_content_files(nbdkit_t)
userdom_use_inherited_user_ptys(nbdkit_t)
')
optional_policy(`
virt_create_svirt_image_sock_files(nbdkit_t)
virt_read_qemu_pid_files(nbdkit_t)
virtlogd_rw_pipes(nbdkit_t)
virt_rw_svirt_image(nbdkit_t)
virt_rw_svirt_image_dirs(nbdkit_t)
virt_search_lib(nbdkit_t)
virt_stream_connect_svirt(nbdkit_t)
')
# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to
# nbdkit_t when libvirtd was started manually from the commandline (i.e. in
# unconfined_t), but we don't want this transition to happen automatically
# when starting directly from the shell. I'm not sure how to achieve this...
#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)

View File

@ -1,2 +1,2 @@
SHA512 (nbdkit-1.36.2.tar.gz) = a776808c6e7ab488b109e993fed5a6174e6fc35f894dace74b18cef9f8e0f640fb90bd4fd74183fc025da1f607c8907ee438369146bfbb2a48f6753748b9cf04
SHA512 (nbdkit-1.36.2.tar.gz.sig) = 04ef71b3fae7bf126333a8f02f6498db0b615057c942071502606b45ae5da1eafb15378a444a5388e3a3da67768687d4c151c259f9bd23ba583554cd54c054db
SHA512 (nbdkit-1.38.0.tar.gz) = 7817ab29f2c4821237ac9114e820186b6fcbe5658fb702ecd41941fc70ffd060294c3d71fbcb37176f4609d3e25996ea71e20ea58d0aee2c8bf6b4b30254d074
SHA512 (nbdkit-1.38.0.tar.gz.sig) = e81960962737f57c586bbf4dea9b2f7f208bb7258919ddd808006d4d14582ebd8e6b7d0e9f64ed48176c74c8c6ec00f042060be6a91ac0d8db20a1d936a53b42