From c8a2ccfe39d649a0858f310cd0f1eeb466666ac8 Mon Sep 17 00:00:00 2001 From: Miroslav Rezanina Date: Tue, 9 Apr 2024 05:58:46 +0200 Subject: [PATCH] * Tue Apr 09 2024 Miroslav Rezanina - 1.38.0-1 - Rebase to 1.38.0 - Added selinux subpackage - resolves: RHEL-31884 --- ...itialization-from-incompatible-point.patch | 44 --- ...work-documentation-for-dir-parameter.patch | 58 ---- ...when-referencing-dir-option-from-dir.patch | 28 -- ...ework-documentation-of-dir-parameter.patch | 108 ------ ...arkup-for-linking-to-other-man-pages.patch | 29 -- ...call-nbdkit_error-twice-on-error-pat.patch | 30 -- ...ggest-alternate-partition-sectorsize.patch | 52 --- nbdkit.fc | 3 + nbdkit.if | 207 ++++++++++++ nbdkit.spec | 313 ++++++++++++++++-- nbdkit.te | 100 ++++++ sources | 4 +- 12 files changed, 591 insertions(+), 385 deletions(-) delete mode 100644 0001-configure-Fix-initialization-from-incompatible-point.patch delete mode 100644 0002-file-Rework-documentation-for-dir-parameter.patch delete mode 100644 0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch delete mode 100644 0004-file-Further-rework-documentation-of-dir-parameter.patch delete mode 100644 0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch delete mode 100644 0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch delete mode 100644 0007-partition-Suggest-alternate-partition-sectorsize.patch create mode 100644 nbdkit.fc create mode 100644 nbdkit.if create mode 100644 nbdkit.te diff --git a/0001-configure-Fix-initialization-from-incompatible-point.patch b/0001-configure-Fix-initialization-from-incompatible-point.patch deleted file mode 100644 index 77863d5..0000000 --- a/0001-configure-Fix-initialization-from-incompatible-point.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From ac87babe2d1652e3f37715efe9f29ad6f16eb9df Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Mon, 4 Dec 2023 10:23:29 +0000 -Subject: [PATCH] configure: Fix initialization from incompatible pointer type - -With GCC 14: - - configure:20816: checking if environ is declared in header files - configure:20833: gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grec -ord-gcc-switches -pipe -Wall -Werror=format-security --Werror=implicit-function-declaration -Werror=implicit-int --Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS --specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong --specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic --fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection --fno-omit-frame-pointer -mno-omit-leaf-frame-pointer conftest.c >&5 - conftest.c: In function 'test': - conftest.c:62:22: error: initialization of 'const char **' from incompatible p -ointer type 'char **' - 62 | const char **env = environ; - | ^~~~~~~ - -Thanks: Florian Weimer -(cherry picked from commit 32a9ee6650654469cd591a3ae26842c54f898392) ---- - configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 3b12e357..beab4674 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -335,7 +335,7 @@ AC_LANG_SOURCE([[ - static int - test (void) - { -- const char **env = environ; -+ char **env = environ; - return env ? 1 : 0; // this just forces env to be used - } - ]]) --- -2.39.3 - diff --git a/0002-file-Rework-documentation-for-dir-parameter.patch b/0002-file-Rework-documentation-for-dir-parameter.patch deleted file mode 100644 index c368250..0000000 --- a/0002-file-Rework-documentation-for-dir-parameter.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 054798ca11b9f0b71fbad302edf66b52519f5aa2 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Thu, 14 Dec 2023 17:47:10 +0000 -Subject: [PATCH] file: Rework documentation for dir= parameter - -The existing documentation tended towards jargon and lacked examples. - -(cherry picked from commit 7cbd49ced6414e49fcf4ff1a967929a2b83ab44e) ---- - plugins/file/nbdkit-file-plugin.pod | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - -diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod -index 857ad21e..e47eae97 100644 ---- a/plugins/file/nbdkit-file-plugin.pod -+++ b/plugins/file/nbdkit-file-plugin.pod -@@ -64,13 +64,23 @@ symbolic links. Other special files in the directory (such as - subdirectories, pipes, or Unix sockets) are ignored. - - When this mode is used, the file to be served is chosen by the export --name passed by the client, where the client can request a list of --available exports using NBD_OPT_LIST. A client that requests the --default export (C<"">) will be rejected. However, you can use --L to adjust what export names the client --sees or uses as a default. For security, when using directory mode, -+name passed by the client. For security, when using directory mode, - this plugin will not accept export names containing slash (C). - -+To list exports, use L I<--list> option, for example: -+ -+ nbdinfo --list nbd://localhost -+ -+An NBD client can request a list of available exports using -+C. -+ -+A client that requests the default export (C<"">) will be rejected. -+However, you can use L to adjust what -+export names the client sees, and which one the client uses as a -+default. For example to make F be the default export: -+ -+ nbdkit file dir=/dir --filter=exportname default-export=file -+ - =item BFILE_DESCRIPTOR - - (nbdkit E 1.34, not Windows) -@@ -262,7 +272,8 @@ L, - L, - L, - L, --L. -+L, -+L. - - =head1 AUTHORS - --- -2.39.3 - 
diff --git a/0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch b/0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch deleted file mode 100644 index 56610e5..0000000 --- a/0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 596f97316e65c151741e6ee42893023f6e945c01 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Sat, 16 Dec 2023 18:08:37 +0000 -Subject: [PATCH] file: Fix markup when referencing dir= option from dirfd= - docs - -Fixes: commit dd28b005430d020ccd1825437937c317332d3007 -(cherry picked from commit 5b8c9c49cc352e9b0fba4dde9e0f57c53c9c2457) ---- - plugins/file/nbdkit-file-plugin.pod | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod -index e47eae97..5feb8ea9 100644 ---- a/plugins/file/nbdkit-file-plugin.pod -+++ b/plugins/file/nbdkit-file-plugin.pod -@@ -85,7 +85,7 @@ default. For example to make F be the default export: - - (nbdkit E 1.34, not Windows) - --This is like the I option, but instead of specifying the -+This is like the C option, but instead of specifying the - directory by name, the parent process should open the directory and - pass this file descriptor by inheritance to nbdkit. - --- -2.39.3 - diff --git a/0004-file-Further-rework-documentation-of-dir-parameter.patch b/0004-file-Further-rework-documentation-of-dir-parameter.patch deleted file mode 100644 index 88fc6e8..0000000 --- a/0004-file-Further-rework-documentation-of-dir-parameter.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From 0d080223a8567a5ef673deb6ac49152fd67dd1b7 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Sat, 16 Dec 2023 18:03:13 +0000 -Subject: [PATCH] file: Further rework documentation of dir= parameter - -Move the documentation to a new section, allowing us to expand on this -topic. This also makes the HTML documentation linkable. - -Updates: commit 7cbd49ced6414e49fcf4ff1a967929a2b83ab44e -(cherry picked from commit 74621ec608d0edd76c2d8de140e7d1d5626c8251) ---- - plugins/file/nbdkit-file-plugin.pod | 66 +++++++++++++++++++++-------- - 1 file changed, 49 insertions(+), 17 deletions(-) - -diff --git a/plugins/file/nbdkit-file-plugin.pod b/plugins/file/nbdkit-file-plugin.pod -index 5feb8ea9..de8fbeba 100644 ---- a/plugins/file/nbdkit-file-plugin.pod -+++ b/plugins/file/nbdkit-file-plugin.pod -@@ -63,23 +63,7 @@ directory named C, including those found by following - symbolic links. Other special files in the directory (such as - subdirectories, pipes, or Unix sockets) are ignored. - --When this mode is used, the file to be served is chosen by the export --name passed by the client. For security, when using directory mode, --this plugin will not accept export names containing slash (C). -- --To list exports, use L I<--list> option, for example: -- -- nbdinfo --list nbd://localhost -- --An NBD client can request a list of available exports using --C. -- --A client that requests the default export (C<"">) will be rejected. --However, you can use L to adjust what --export names the client sees, and which one the client uses as a --default. For example to make F be the default export: -- -- nbdkit file dir=/dir --filter=exportname default-export=file -+See L below. - - =item BFILE_DESCRIPTOR - -@@ -89,6 +73,8 @@ This is like the C option, but instead of specifying the - directory by name, the parent process should open the directory and - pass this file descriptor by inheritance to nbdkit. - -+See L below. 
-+ - =item B - - =item B -@@ -140,6 +126,52 @@ L (or C) you can serve all regular -+files and block devices located directly inside the directory named -+C, including those found by following symbolic links. -+Other special files in the directory (such as subdirectories, pipes, -+or Unix sockets) are ignored. -+ -+When this mode is used, the file to be served is chosen by the export -+name passed by the client. For security, when using directory mode, -+this plugin will not accept export names containing slash (C). -+ -+For example: -+ -+ $ ls -l /var/tmp/exports -+ total 0 -+ -rw-r--r--. 1 rjones rjones 1048576 Dec 14 15:34 disk1 -+ -rw-r--r--. 1 rjones rjones 2097152 Dec 14 15:34 disk2 -+ lrwxrwxrwx. 1 rjones rjones 9 Dec 14 15:35 sda1 -> /dev/sda1 -+ $ nbdkit file dir=/var/tmp/exports -+ -+will serve three exports called C<"disk1">, C<"disk2"> and C<"sda1">. -+The first two are regular files and the last is a block device. You -+can add or remove files or symbolic links from the directory while -+nbdkit is running. -+ -+To list exports, use L I<--list> option, for example: -+ -+ $ nbdinfo --list nbd://localhost -+ protocol: newstyle-fixed without TLS, using structured packets -+ export="disk1": -+ export-size: 1048576 (1M) -+ uri: nbd://localhost:10809/disk1 -+ [etc] -+ -+An NBD client can request a list of available exports using -+C. For libnbd clients see nbd_opt_list(3). -+ -+A client that requests the default export (C<"">) will be rejected. -+However, you can use L to adjust the -+default export as well as other transformations of export names. For -+example to make F be the default export: -+ -+ nbdkit file dir=/var/tmp/exports \ -+ --filter=exportname default-export=disk1 -+ - =head2 Optimizing for random or sequential access - - If you know in advance that the NBD client will access the file --- -2.39.3 - 
diff --git a/0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch b/0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch deleted file mode 100644 index 3c2c4f2..0000000 --- a/0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch +++ /dev/null @@ -1,29 +0,0 @@ -From c155987ee521c2d6a163d2814dc869ec1e89fd90 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Sat, 16 Dec 2023 18:32:50 +0000 -Subject: [PATCH] exportname: Fix markup for linking to other man pages - -Fixes: commit 7623b2cc45078cca88fdd2d96c70c7f82a0db49d -(cherry picked from commit 6104f55f3851f3b82dc69f7e78c32e9c7a93dbc9) ---- - filters/exportname/nbdkit-exportname-filter.pod | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/filters/exportname/nbdkit-exportname-filter.pod b/filters/exportname/nbdkit-exportname-filter.pod -index 1d69f7d4..f95a37be 100644 ---- a/filters/exportname/nbdkit-exportname-filter.pod -+++ b/filters/exportname/nbdkit-exportname-filter.pod -@@ -10,8 +10,8 @@ nbdkit-exportname-filter - adjust export names between client and plugin - - =head1 DESCRIPTION - --Some plugins (such as C and filters (such as --C are able to serve different content based on -+Some plugins (such as L and filters (such as -+L are able to serve different content based on - the export name requested by the client. The NBD protocol allows a - server to advertise the set of export names it is serving. However, - the list advertised (or absent) from the plugin may not always match --- -2.39.3 - diff --git a/0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch b/0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch deleted file mode 100644 index 9127c68..0000000 --- a/0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From b8eb91e9102a2ae6cb96b0f2ffdb96b724cbb1b7 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Wed, 20 Dec 2023 10:38:27 +0000 -Subject: [PATCH] partition: Don't call nbdkit_error twice on error path - -Fixes: commit 7b9301a4c569456a4f96784229a2cd48e8957662 -(cherry picked from commit 036b178a4affd00b8bbdb6cb140e81b62f57a374) ---- - filters/partition/partition-gpt.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/filters/partition/partition-gpt.c b/filters/partition/partition-gpt.c -index 80acddb4..930e2081 100644 ---- a/filters/partition/partition-gpt.c -+++ b/filters/partition/partition-gpt.c -@@ -92,10 +92,8 @@ find_gpt_partition (nbdkit_next *next, - int err; - - if (get_gpt_header (header_bytes, -- &nr_partition_entries, &size_partition_entry) == -1) { -- nbdkit_error ("cannot support non-standard GPT header"); -+ &nr_partition_entries, &size_partition_entry) == -1) - return -1; -- } - - if (partnum > nr_partition_entries) { - nbdkit_error ("GPT partition number out of range"); --- -2.39.3 - diff --git a/0007-partition-Suggest-alternate-partition-sectorsize.patch b/0007-partition-Suggest-alternate-partition-sectorsize.patch deleted file mode 100644 index 4b8a01c..0000000 --- a/0007-partition-Suggest-alternate-partition-sectorsize.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 3b168aa842dc80a6d95b2c1ccb52a8ef664e7aba Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Wed, 20 Dec 2023 10:34:10 +0000 -Subject: [PATCH] partition: Suggest alternate partition-sectorsize - -When we reach this error it means that we have failed to detect the -"EFI PART" signature (indicating GPT) and we've fallen back to parsing -MBR, but in doing so we have discovered a GPT protective MBR which -should only happen for GPT. A possible cause for missing the -signature was because we have the wrong sector size. - -Therefore check for the current sector size (which should be either -512 or 4096) and suggest that the user sets the other sector size. - -Also avoids the case where the user already set partition-sectorsize=4k -and we were suggesting that they set it again. - -Reported-by: Ming Xie -Fixes: commit 7b9301a4c569456a4f96784229a2cd48e8957662 -Fixes: https://issues.redhat.com/browse/RHEL-19815 -(cherry picked from commit cd761c9bf770b23f678fd82f0d1c8d4cce2ed1b5) ---- - filters/partition/partition-mbr.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/filters/partition/partition-mbr.c b/filters/partition/partition-mbr.c -index 3927c31f..6a81addb 100644 ---- a/filters/partition/partition-mbr.c -+++ b/filters/partition/partition-mbr.c -@@ -87,9 +87,16 @@ find_mbr_partition (nbdkit_next *next, - !is_extended (partition.part_type_byte) && - partnum == i+1) { - if (partition.part_type_byte == 0xEE) { -- nbdkit_error ("rejecting GPT protective entry from MBR, " -- "if the underlying storage uses 4K sectors " -- "try using partition-sectorsize=4k"); -+ if (sector_size == 512) -+ nbdkit_error ("rejecting GPT protective entry from MBR, " -+ "if the underlying storage uses 4K sectors " -+ "try using partition-sectorsize=4k"); -+ else if (sector_size == 4096) -+ nbdkit_error ("rejecting GPT protective entry from MBR, " -+ "if the underlying storage uses 512 byte sectors " -+ "try using 
partition-sectorsize=512"); -+ else -+ nbdkit_error ("rejecting GPT protective entry from MBR"); - return -1; - } - *offset_r = partition.start_sector * (int64_t) sector_size; --- -2.39.3 - diff --git a/nbdkit.fc b/nbdkit.fc new file mode 100644 index 0000000..4877736 --- /dev/null +++ b/nbdkit.fc @@ -0,0 +1,3 @@ +/usr/sbin/nbdkit -- gen_context(system_u:object_r:nbdkit_exec_t,s0) + +/usr/lib/systemd/system/nbdkit.* gen_context(system_u:object_r:nbdkit_unit_file_t,s0) diff --git a/nbdkit.if b/nbdkit.if new file mode 100644 index 0000000..315fead --- /dev/null +++ b/nbdkit.if 
@@ -0,0 +1,207 @@
+## policy for nbdkit
+
+########################################
+##
+## Execute nbdkit_exec_t in the nbdkit domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nbdkit_domtrans',`
+ gen_require(`
+ type nbdkit_t, nbdkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
+')
+
+######################################
+##
+## Execute nbdkit in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nbdkit_exec',`
+ gen_require(`
+ type nbdkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, nbdkit_exec_t)
+')
+
+########################################
+##
+## Execute nbdkit in the nbdkit domain, and
+## allow the specified role the nbdkit domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the nbdkit domain.
+##
+##
+#
+interface(`nbdkit_run',`
+ gen_require(`
+ type nbdkit_t;
+ attribute_role nbdkit_roles;
+ ')
+
+ nbdkit_domtrans($1)
+ roleattribute $2 nbdkit_roles;
+')
+
+########################################
+##
+## Role access for nbdkit
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`nbdkit_role',`
+ gen_require(`
+ type nbdkit_t;
+ attribute_role nbdkit_roles;
+ ')
+
+ roleattribute $1 nbdkit_roles;
+
+ nbdkit_domtrans($2)
+
+ ps_process_pattern($2, nbdkit_t)
+ allow $2 nbdkit_t:process { signull signal sigkill };
+')
+
+########################################
+##
+## Allow attempts to connect to nbdkit
+## with a unix stream socket.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nbdkit_stream_connect',`
+ gen_require(`
+ type nbdkit_t;
+ ')
+
+ allow $1 nbdkit_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Allow nbdkit_exec_t to be an entrypoint
+## of the specified domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`nbdkit_entrypoint',`
+ gen_require(`
+ type nbdkit_exec_t;
+ ')
+ allow $1 nbdkit_exec_t:file entrypoint;
+')
+
+# ----------------------------------------------------------------------
+# RWMJ: See:
+# https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
+# Remove this when virt.if gets updated.
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+########################################
+##
+## Read and write to svirt_image dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+ifndef(`virt_rw_svirt_image_dirs',`
+ interface(`virt_rw_svirt_image_dirs',`
+ gen_require(`
+ type svirt_image_t;
+ ')
+
+ allow $1 svirt_image_t:dir rw_dir_perms;
+ ')
+')
+
+########################################
+##
+## Create svirt_image sock_files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+ifndef(`virt_create_svirt_image_sock_files',`
+ interface(`virt_create_svirt_image_sock_files',`
+ gen_require(`
+ type svirt_image_t;
+ ')
+
+ allow $1 svirt_image_t:sock_file create_sock_file_perms;
+ ')
+')
+
+########################################
+##
+## Read and write virtlogd pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+ifndef(`virtlogd_rw_pipes',`
+ interface(`virtlogd_rw_pipes',`
+ gen_require(`
+ type virtlogd_t;
+ ')
+
+ allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
+ ')
+')
diff --git a/nbdkit.spec b/nbdkit.spec
index c12553a..46c82ed 100644
--- a/nbdkit.spec
+++ b/nbdkit.spec
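Review bot: In nbdkit.if, the parameter description of `nbdkit_stream_connect` reads "Domain to not audit." although the interface body is the grant `allow $1 nbdkit_t:unix_stream_socket connectto;`, so the interface documentation describes a dontaudit rule that is not there. The description should match the other access-granting interfaces in this file, `## Domain allowed access.`, and the summary would read more accurately as `## Connect to nbdkit over a unix stream socket.` than "Allow attempts to connect". Anyone reviewing which domains are permitted to reach the nbdkit socket will read this text first, so it should say that access is granted.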
@@ -22,8 +22,20 @@ %global have_ocaml 1 %endif +# libblkio was broken on i686: https://bugzilla.redhat.com/2229372 +# but somehow "fixed itself", keep an eye on it. %global have_blkio 1 +# Enable mingw subpackage on Fedora only. +%if 0%{?fedora} +%global have_mingw 1 +%endif + +# Enable nbdkit-selinux package. +%global with_selinux 1 +%global modulename nbdkit +%global selinuxtype targeted + # Architectures where we run the complete test suite including # the libguestfs tests. # @@ -36,25 +48,14 @@ # it as a bug and add it to this list. %global broken_test_arches NONE -%if 0%{?rhel} == 7 -# On RHEL 7, nothing in the virt stack is shipped on aarch64 and -# libguestfs was not shipped on POWER (fixed in 7.5). We could in -# theory make all of this work by having lots more conditionals, but -# for now limit this package to x86_64 on RHEL. -ExclusiveArch: x86_64 -%endif - # If we should verify tarball signature with GPGv2. %global verify_tarball_signature 1 -# If there are patches which touch autotools files, set this to 1. -%global patches_touch_autotools 1 - # The source directory. -%global source_directory 1.36-stable +%global source_directory 1.38-stable Name: nbdkit -Version: 1.36.2 +Version: 1.38.0 Release: 1%{?dist} Summary: NBD server 
@@ -79,25 +80,23 @@ Source3: copy-patches.sh # Patches come from the upstream repository: # https://gitlab.com/nbdkit/nbdkit/-/commits/rhel-9.4/ -# Patches. -Patch0001: 0001-configure-Fix-initialization-from-incompatible-point.patch -Patch0002: 0002-file-Rework-documentation-for-dir-parameter.patch -Patch0003: 0003-file-Fix-markup-when-referencing-dir-option-from-dir.patch -Patch0004: 0004-file-Further-rework-documentation-of-dir-parameter.patch -Patch0005: 0005-exportname-Fix-markup-for-linking-to-other-man-pages.patch -Patch0006: 0006-partition-Don-t-call-nbdkit_error-twice-on-error-pat.patch -Patch0007: 0007-partition-Suggest-alternate-partition-sectorsize.patch - # For automatic RPM Provides generation. # See: https://rpm-software-management.github.io/rpm/manual/dependency_generators.html Source4: nbdkit.attr Source5: nbdkit-find-provides -BuildRequires: make -%if 0%{patches_touch_autotools} -BuildRequires: autoconf, automake, libtool -%endif +# For nbdkit-selinux package: +Source6: %{modulename}.te +Source7: %{modulename}.if +Source8: %{modulename}.fc +# For applying the patches: +BuildRequires: git + +# For rebuilding autoconf cruft: +BuildRequires: autoconf, automake, libtool + +BuildRequires: make BuildRequires: gcc, gcc-c++ BuildRequires: %{_bindir}/pod2man BuildRequires: gnutls-devel 
@@ -173,12 +172,38 @@ BuildRequires: %{_bindir}/stat # itself, but it's a simple noarch package so easy to install. BuildRequires: nbdkit-srpm-macros >= 1.30.0 +%if 0%{?have_mingw} +BuildRequires: mingw32-filesystem +BuildRequires: mingw64-filesystem +BuildRequires: mingw32-gcc +BuildRequires: mingw64-gcc +BuildRequires: mingw32-gcc-c++ +BuildRequires: mingw64-gcc-c++ +BuildRequires: mingw32-dlfcn +BuildRequires: mingw64-dlfcn +BuildRequires: mingw32-gnutls +BuildRequires: mingw64-gnutls +BuildRequires: mingw32-winpthreads +BuildRequires: mingw64-winpthreads +BuildRequires: mingw32-xz +BuildRequires: mingw64-xz +BuildRequires: mingw32-zlib +BuildRequires: mingw64-zlib +%endif + # nbdkit is a metapackage pulling the server and a useful subset # of the plugins and filters. Requires: nbdkit-server%{?_isa} = %{version}-%{release} Requires: nbdkit-basic-plugins%{?_isa} = %{version}-%{release} Requires: nbdkit-basic-filters%{?_isa} = %{version}-%{release} +%if 0%{?with_selinux} +# This ensures that the nbdkit-selinux package and all its +# dependencies are not pulled into containers and other systems that +# do not use SELinux. +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif + %description NBD is a protocol for accessing block devices (hard disks and 
@@ -324,6 +349,22 @@ Requires: %{name}-server%{?_isa} = %{version}-%{release} This package contains cURL (HTTP/FTP) support for %{name}. +%if !0%{?rhel} +# In theory this is noarch, but because plugins are placed in _libdir +# which varies across architectures, RPM does not allow this. +%package gcs-plugin +Summary: Gooogle Cloud Storage plugin %{name} +Requires: %{name}-python-plugin%{?_isa} = %{version}-%{release} +Requires: %{name}-server%{?_isa} = %{version}-%{release} +# XXX Should not need to add this. +Requires: python3-google-cloud-storage + +%description gcs-plugin +This package lets you open disk images stored in Google +Cloud Storage using %{name}. +%endif + + %if !0%{?rhel} && 0%{?have_libguestfs} %package guestfs-plugin Summary: libguestfs plugin for %{name} @@ -441,7 +482,8 @@ This package lets you write Ruby plugins for %{name}. # which varies across architectures, RPM does not allow this. %package S3-plugin Summary: Amazon S3 and Ceph plugin for %{name} -Requires: %{name}-python-plugin >= 1.22 +Requires: %{name}-python-plugin%{?_isa} = %{version}-%{release} +Requires: %{name}-server%{?_isa} = %{version}-%{release} # XXX Should not need to add this. Requires: python3-boto3 @@ -582,6 +624,8 @@ nbdkit-rate-filter Limit bandwidth by connection or server. nbdkit-readahead-filter Prefetch data when reading sequentially. +nbdkit-readonly-filter Switch a plugin between read-only and writable. + nbdkit-retry-filter Reopen connection on error. nbdkit-retry-request-filter Retry single requests on error. 
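Review bot: The `Summary:` of the new gcs-plugin subpackage misspells the vendor name and drops the preposition; it should read `Summary: Google Cloud Storage plugin for %{name}`, matching the S3 subpackage's `Summary: Amazon S3 and Ceph plugin for %{name}` in the next hunk. The summary is the text shown by package search, so the typo makes the subpackage harder to find.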
@@ -671,17 +715,70 @@ Install this package if you want intelligent bash tab-completion for %{name}. +%if 0%{?with_selinux} +%package selinux +Summary: %{name} SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post):selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +%{nbdkit} SELinux policy module. +%endif + + +%if 0%{?have_mingw} +%package -n mingw32-%{name} +Summary: nbdkit binary, plugins, filters, development files for Windows +BuildArch: noarch +Requires: mingw32-filesystem +Requires: pkgconfig + +%description -n mingw32-%{name} +NBD is a protocol for accessing block devices (hard disks and +disk-like things) over the network. + +nbdkit is a toolkit for creating NBD servers. + +This package contains the nbdkit binary, plugins, filters and +development kit for 32 bit versions of Windows. + + +%package -n mingw64-%{name} +Summary: nbdkit binary, plugins, filters, development files for Windows +BuildArch: noarch +Requires: mingw64-filesystem +Requires: pkgconfig + +%description -n mingw64-%{name} +NBD is a protocol for accessing block devices (hard disks and +disk-like things) over the network. + +nbdkit is a toolkit for creating NBD servers. + +This package contains the nbdkit binary, plugins, filters and +development kit for 64 bit versions of Windows. + + +%{?mingw_debug_package} +%endif + + %prep %if 0%{verify_tarball_signature} %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %endif -%autosetup -p1 -%if 0%{patches_touch_autotools} +%autosetup -p1 -S git autoreconf -i -%endif %build +mkdir build_native +pushd build_native +%global _configure ../configure + # Golang bindings are not enabled in the build since they don't # need to be. Most people would use them by copying the upstream # package into their vendor/ directory. 
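Review bot: `%description selinux` expands `%{nbdkit}`, a macro that none of the visible spec hunks define (they add `modulename` and `selinuxtype` only), so the description would presumably be emitted with the literal text `%{nbdkit}`; the line should be `%{name} SELinux policy module.`. Because nbdkit.te in this same patch declares `permissive nbdkit_t;`, the description is also the natural place to tell administrators that the domain is shipped permissive, meaning denials are logged but not enforced. A second line such as `The nbdkit_t domain is currently permissive.` would keep anyone from assuming that installing this subpackage confines nbdkit.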
@@ -761,8 +858,64 @@ grep '^PYTHON_VERSION = 3' Makefile %make_build +%if 0%{?with_selinux} +# SELinux policy (originally from selinux-policy-contrib) +# this policy module will override the production module +mkdir selinux +cp -p %{SOURCE6} selinux/ +cp -p %{SOURCE7} selinux/ +cp -p %{SOURCE8} selinux/ + +make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp +bzip2 -9 %{modulename}.pp +%endif + +popd + +%if 0%{?have_mingw} +# MC=no is a temporary hack until this bug is fixed in binutils: +# https://sourceware.org/bugzilla/show_bug.cgi?id=31283 +%mingw_configure \ + MC=no \ + --disable-static \ + --enable-shared \ + --with-extra='%{name}-%{version}-%{release}' \ + --with-tls-priority=@NBDKIT,SYSTEM \ + --disable-golang \ + --disable-libguestfs-tests \ + --disable-linuxdisk \ + --disable-lua \ + --disable-ocaml \ + --disable-perl \ + --disable-python \ + --disable-ruby \ + --disable-rust \ + --disable-tcl \ + --disable-torrent \ + --disable-valgrind \ + --disable-vddk \ + --without-bash-completions \ + --without-curl \ + --without-ext2 \ + --with-gnutls \ + --without-iso \ + --without-libblkio \ + --without-libguestfs \ + --without-libnbd \ + --without-libvirt \ + --with-liblzma \ + --without-manpages \ + --without-selinux \ + --without-ssh \ + --with-zlib \ + %{nil} + +%mingw_make %{?_smp_mflags} +%endif + %install +pushd build_native %make_install # Delete libtool crap. @@ -778,8 +931,10 @@ for f in cc cdi ; do rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin.so rm -f $RPM_BUILD_ROOT%{_mandir}/man?/nbdkit-$f-plugin.* done -rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-S3-plugin -rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-S3-plugin.1* +for f in gcs S3 ; do + rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/nbdkit-$f-plugin + rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-$f-plugin.1* +done rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/filters/nbdkit-qcow2dec-filter.so rm -f $RPM_BUILD_ROOT%{_mandir}/man1/nbdkit-qcow2dec-filter.1* %endif 
@@ -789,9 +944,34 @@ mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/ install -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/ install -m 0755 %{SOURCE5} $RPM_BUILD_ROOT%{_rpmconfigdir}/ +%if 0%{?with_selinux} +install -D -m 0644 %{modulename}.pp.bz2 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +install -D -p -m 0644 selinux/%{modulename}.if $RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/%{modulename}.if +%endif +popd + +%if 0%{?have_mingw} +%mingw_make_install + +# Remove .la files +rm -f $RPM_BUILD_ROOT%{mingw32_libdir}/*.la +rm -f $RPM_BUILD_ROOT%{mingw64_libdir}/*.la + +# The .def files aren't interesting for other binaries +rm -f $RPM_BUILD_ROOT%{mingw32_bindir}/*.def +rm -f $RPM_BUILD_ROOT%{mingw64_bindir}/*.def + +# Remove man pages which duplicate stuff in Fedora already. +rm -rf $RPM_BUILD_ROOT%{mingw32_mandir} +rm -rf $RPM_BUILD_ROOT%{mingw64_mandir} + +%mingw_debug_install_post +%endif + %check %ifnarch %{broken_test_arches} +pushd build_native function skip_test () { for f in "$@"; do @@ -836,6 +1016,7 @@ export LIBGUESTFS_TRACE=1 cat tests/test-suite.log exit 1 } +popd %endif @@ -844,6 +1025,26 @@ export LIBGUESTFS_TRACE=1 %endif +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} +# if with_selinux +%endif + + %files # metapackage so empty 
@@ -949,6 +1150,15 @@ export LIBGUESTFS_TRACE=1 %{_mandir}/man1/nbdkit-curl-plugin.1* +%if !0%{?rhel} +%files gcs-plugin +%doc README.md +%license LICENSE +%{_libdir}/%{name}/plugins/nbdkit-gcs-plugin +%{_mandir}/man1/nbdkit-gcs-plugin.1* +%endif + + %if !0%{?rhel} && 0%{?have_libguestfs} %files guestfs-plugin %doc README.md @@ -1125,6 +1335,7 @@ export LIBGUESTFS_TRACE=1 %endif %{_libdir}/%{name}/filters/nbdkit-rate-filter.so %{_libdir}/%{name}/filters/nbdkit-readahead-filter.so +%{_libdir}/%{name}/filters/nbdkit-readonly-filter.so %{_libdir}/%{name}/filters/nbdkit-retry-filter.so %{_libdir}/%{name}/filters/nbdkit-retry-request-filter.so %{_libdir}/%{name}/filters/nbdkit-scan-filter.so @@ -1165,6 +1376,7 @@ export LIBGUESTFS_TRACE=1 %endif %{_mandir}/man1/nbdkit-rate-filter.1* %{_mandir}/man1/nbdkit-readahead-filter.1* +%{_mandir}/man1/nbdkit-readonly-filter.1* %{_mandir}/man1/nbdkit-retry-filter.1* %{_mandir}/man1/nbdkit-retry-request-filter.1* %{_mandir}/man1/nbdkit-scan-filter.1* @@ -1216,7 +1428,7 @@ export LIBGUESTFS_TRACE=1 # Include the source of the example plugins in the documentation. %doc plugins/example*/*.c %if !0%{?rhel} -%doc plugins/example4/nbdkit-example4-plugin +%doc build_native/plugins/example4/nbdkit-example4-plugin %doc plugins/lua/example.lua %endif %if !0%{?rhel} && 0%{?have_ocaml} 
@@ -1256,8 +1468,41 @@ export LIBGUESTFS_TRACE=1 %{_datadir}/bash-completion/completions/nbdkit +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{modulename}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%endif + + +%if 0%{?have_mingw} +%files -n mingw32-%{name} +%license LICENSE +%{mingw32_sbindir}/nbdkit.exe +%{mingw32_libdir}/%{name}/ +%{mingw32_libdir}/libnbdkit.a +%{mingw32_libdir}/pkgconfig/%{name}.pc +%{mingw32_includedir}/*.h + + +%files -n mingw64-%{name} +%license LICENSE +%{mingw64_sbindir}/nbdkit.exe +%{mingw64_libdir}/%{name}/ +%{mingw64_libdir}/libnbdkit.a +%{mingw64_libdir}/pkgconfig/%{name}.pc +%{mingw64_includedir}/*.h +%endif + + %changelog -* Tue Dec 20 2023 Richard W.M. Jones - 1.36.2-1 +* Tue Apr 09 2024 Miroslav Rezanina - 1.38.0-1 +- Rebase to 1.38.0 +- Added selinux subpackage +- resolves: RHEL-31884 + +* Wed Dec 20 2023 Richard W.M. Jones - 1.36.2-1 - Rebase to 1.36.2 resolves: RHEL-14475 - partition: Suggest alternate partition-sectorsize diff --git a/nbdkit.te b/nbdkit.te new file mode 100644 index 0000000..dbc518e --- /dev/null +++ b/nbdkit.te 
@@ -0,0 +1,100 @@
+policy_module(nbdkit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+ type unconfined_t;
+')
+
+type nbdkit_t;
+type nbdkit_exec_t;
+application_domain(nbdkit_t, nbdkit_exec_t)
+mcs_constrained(nbdkit_t)
+role system_r types nbdkit_t;
+
+type nbdkit_home_t;
+userdom_user_home_content(nbdkit_home_t)
+
+type nbdkit_tmp_t;
+files_tmp_file(nbdkit_tmp_t)
+
+type nbdkit_unit_file_t;
+systemd_unit_file(nbdkit_unit_file_t)
+
+permissive nbdkit_t;
+
+########################################
+#
+# nbdkit local policy
+#
+allow nbdkit_t self:capability { setgid setuid };
+allow nbdkit_t self:fifo_file rw_fifo_file_perms;
+allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
+allow nbdkit_t self:process { fork setsockcreate signal_perms };
+allow nbdkit_t self:tcp_socket create_stream_socket_perms;
+allow nbdkit_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
+
+manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
+
+corenet_tcp_connect_http_port(nbdkit_t)
+corenet_tcp_connect_ssh_port(nbdkit_t)
+corenet_tcp_connect_tftp_port(nbdkit_t)
+corenet_tcp_bind_generic_port(nbdkit_t)
+corenet_tcp_bind_generic_node(nbdkit_t)
+
+domain_use_interactive_fds(nbdkit_t)
+
+files_read_etc_files(nbdkit_t)
+
+init_abstract_socket_activation(nbdkit_t)
+init_ioctl_stream_sockets(nbdkit_t)
+init_rw_stream_sockets(nbdkit_t)
+
+optional_policy(`
+ auth_use_nsswitch(nbdkit_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(nbdkit_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(nbdkit_t)
+ miscfiles_read_generic_certs(nbdkit_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(nbdkit_t)
+ sysnet_read_config(nbdkit_t)
+')
+
+optional_policy(`
+ userdom_read_user_home_content_files(nbdkit_t)
+ userdom_use_inherited_user_ptys(nbdkit_t)
+')
+
+optional_policy(`
+ virt_create_svirt_image_sock_files(nbdkit_t)
+ virt_read_qemu_pid_files(nbdkit_t)
+ virtlogd_rw_pipes(nbdkit_t)
+ virt_rw_svirt_image(nbdkit_t)
+ virt_rw_svirt_image_dirs(nbdkit_t)
+ virt_search_lib(nbdkit_t)
+ virt_stream_connect_svirt(nbdkit_t)
+')
+
+
+# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to
+# nbdkit_t when libvirtd was started manually from the commandline (i.e. in
+# unconfined_t), but we don't want this transition to happen automatically
+# when starting directly from the shell. I'm not sure how to achieve this...
+#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)
diff --git a/sources b/sources
index 50adcc8..3b095a3 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (nbdkit-1.36.2.tar.gz) = a776808c6e7ab488b109e993fed5a6174e6fc35f894dace74b18cef9f8e0f640fb90bd4fd74183fc025da1f607c8907ee438369146bfbb2a48f6753748b9cf04
-SHA512 (nbdkit-1.36.2.tar.gz.sig) = 04ef71b3fae7bf126333a8f02f6498db0b615057c942071502606b45ae5da1eafb15378a444a5388e3a3da67768687d4c151c259f9bd23ba583554cd54c054db
+SHA512 (nbdkit-1.38.0.tar.gz) = 7817ab29f2c4821237ac9114e820186b6fcbe5658fb702ecd41941fc70ffd060294c3d71fbcb37176f4609d3e25996ea71e20ea58d0aee2c8bf6b4b30254d074
+SHA512 (nbdkit-1.38.0.tar.gz.sig) = e81960962737f57c586bbf4dea9b2f7f208bb7258919ddd808006d4d14582ebd8e6b7d0e9f64ed48176c74c8c6ec00f042060be6a91ac0d8db20a1d936a53b42
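Review bot: `permissive nbdkit_t;` at the end of the Declarations section of nbdkit.te leaves the nbdkit_t domain unenforced, so the allow rules and interface calls in the local policy section only shape what is logged as AVC denials and block nothing. If this is a deliberate bring-up stage, a comment on that line would keep the selinux subpackage from being read as confinement, for example `# Permissive while AVCs are collected; remove before relying on this domain for confinement`. Separately, the `gen_require` of `unconfined_t` appears to be used only by the commented-out `nbdkit_domtrans` line at the end of the file, so it may add a dependency on that type being defined for no current rule; consider commenting it out together with that line.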