From 102c73f31a112f445bf439ab806beaf035d982e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
Date: Mon, 20 Jan 2014 18:27:04 +0100
Subject: [PATCH] - include token specific directories (#1013017, #1045775, #1054442) - fix pkcsconf crash for non-root users (#10054661) - the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
---
 opencryptoki-3.0-bz1054661.patch | 59 ++++++++++++++++++++++++++++++++
 opencryptoki.spec | 43 +++++++++++++++++++----
 2 files changed, 95 insertions(+), 7 deletions(-)
 create mode 100644 opencryptoki-3.0-bz1054661.patch
diff --git a/opencryptoki-3.0-bz1054661.patch b/opencryptoki-3.0-bz1054661.patch
new file mode 100644
index 0000000..99e12b5
--- /dev/null
+++ b/opencryptoki-3.0-bz1054661.patch
@@ -0,0 +1,59 @@
+From 95064291fe13d4ed98e195946d931fe779f8a48f Mon Sep 17 00:00:00 2001
+From: Joy Latten
+Date: Fri, 17 Jan 2014 10:33:19 -0600
+Subject: [PATCH] Problem: A regular user in pkcs11 group cannot issue pkcsconf
+ -t. When shm_open() creates shared memory object, it honors umask of the
+ caller. This patch ensures the shared memory has expected permissions when it
+ is created.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Joy Latten
+Signed-off-by: Dan Horák
+---
+ usr/lib/pkcs11/common/shared_memory.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/usr/lib/pkcs11/common/shared_memory.c b/usr/lib/pkcs11/common/shared_memory.c
+index a8710c5..bf0411d 100644
+--- a/usr/lib/pkcs11/common/shared_memory.c
++++ b/usr/lib/pkcs11/common/shared_memory.c
+@@ -161,12 +161,29 @@ sm_open(const char *sm_name, int mode, void **p_addr, size_t len, int force)
+ goto done;
+ }
+
+- fd = shm_open(name, O_RDWR | O_CREAT, mode);
++ /* try and open first... */
++ fd = shm_open(name, O_RDWR, mode);
+ if (fd < 0) {
+- rc = -errno;
+- SYS_ERROR(errno, "Failed to open shared memory \"%s\".\n",
+- name);
+- goto done;
++ /* maybe it needs to be created ... */
++ fd = shm_open(name, O_RDWR | O_CREAT, mode);
++ if (fd < 0) {
++ rc = -errno;
++ SYS_ERROR(errno,
++ "Failed to open shared memory \"%s\".\n",
++ name);
++ goto done;
++ } else {
++ /* umask may have altered permissions if we created
++ * the shared memory in above call, so set proper
++ * permissions just in case.
++ */
++ if (fchmod(fd, mode) == -1) {
++ rc = -errno;
++ SYS_ERROR(errno, "fchmod(%s): %s\n",
++ name, strerror(errno));
++ goto done;
++ }
++ }
+ }
+
+ /*
+--
+1.8.1.4
+
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 5ef28c6..eb2d29f 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
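Review bot: In the embedded shared_memory.c hunk, the fallback `shm_open(name, O_RDWR | O_CREAT, mode)` has no `O_EXCL`, so the `else` branch cannot tell whether this process created the object or opened one that another process created between the two calls. In the second case `fchmod(fd, mode)` runs on an object the caller may not own, and for an unprivileged caller it would fail with EPERM and turn a successful open into an error. The first open's failure is also not checked for `ENOENT`, so any other error (EACCES, for example) falls through to the create attempt. Creating with `O_CREAT | O_EXCL`, calling fchmod only on that path, and retrying a plain open on `EEXIST` closes both gaps. On the fchmod error path `fd` is still open when control reaches `done`; sm_open starts and ends outside the hunk, so whether `done` closes it cannot be seen here.

```c
	/* try and open first... */
	fd = shm_open(name, O_RDWR, mode);
	if (fd < 0 && errno == ENOENT) {
		/* create exclusively, so fchmod() only ever runs on an
		 * object this process created and therefore owns
		 */
		fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, mode);
		if (fd >= 0) {
			/* … unchanged: fchmod(fd, mode) and its error path … */
		} else if (errno == EEXIST) {
			/* another process created it in between; use theirs */
			fd = shm_open(name, O_RDWR, mode);
		}
	}
	if (fd < 0) {
		/* … unchanged: rc = -errno; SYS_ERROR(...); goto done; … */
	}
```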
@@ -3,7 +3,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 Version: 3.0 -Release: 7%{?dist} +Release: 8%{?dist} License: CPL Group: System Environment/Base URL: http://sourceforge.net/projects/opencryptoki @@ -19,12 +19,14 @@ Patch1: %{name}-3.0-pkcsconf-man.patch Patch2: %{name}-3.0-unit.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1001729 # http://sourceforge.net/p/opencryptoki/opencryptoki/ci/b50eb39e3cf8ccfdb735fbddfcdae10bdb70e1c4/ -Patch3: opencryptoki-3.0-opencryptoki-man.patch +Patch3: %{name}-3.0-opencryptoki-man.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1033284 # post-3.0 upstream fixes -Patch4: opencryptoki-3.0-bz1033284.patch +Patch4: %{name}-3.0-bz1033284.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1037228 -Patch5: opencryptoki-3.0-format.patch +Patch5: %{name}-3.0-format.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1054661 +Patch6: %{name}-3.0-bz1054661.patch Requires(pre): shadow-utils coreutils sed BuildRequires: openssl-devel BuildRequires: trousers-devel @@ -170,10 +172,23 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the %patch3 -p1 -b .opencryptoki-man %patch4 -p1 -b .bz1033284 %patch5 -p1 -b .format +%patch6 -p1 -b .bz1054661 # Upstream tarball has unnecessary executable perms set on the sources find . -name '*.[ch]' -print0 | xargs -0 chmod -x +# append token specific subdirs to tmpfiles.d config +token_subdirs="icsf swtok tpm" +%ifarch s390 s390x +token_subdirs="$token_subdirs lite cca" +%endif + +cp -p %{SOURCE1} %{name}-tmpfiles.conf +for d in $token_subdirs +do + echo "D /var/lock/opencryptoki/$d 0770 root pkcs11 -" >> %{name}-tmpfiles.conf +done + %build ./bootstrap.sh 
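Review bot: In the `%prep` hunk (`@@ -170,10 +172,23 @@`) the s390 lock-directory list is `lite cca`, while the state directory added to `%files ccatok` in the last hunk of this patch is `%{_sharedstatedir}/%{name}/ccatok/`. If the CCA token takes its lock under `ccatok`, tmpfiles.d would create an unused `cca` directory and the one the token needs would be missing after a reboot, so the name should be confirmed against the token's lock path. If it is `ccatok`, the line becomes `token_subdirs="$token_subdirs lite ccatok"`. A comment above the list such as `# names must match each token's lock directory under /var/lock/opencryptoki` would record the coupling.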
@@ -197,7 +212,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la # systemd must create /var/lock/opencryptoki mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d -install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf +install -m 0644 %{name}-tmpfiles.conf $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf %post libs -p /sbin/ldconfig @@ -218,7 +233,7 @@ install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf %postun ccatok -p /sbin/ldconfig %endif -%pre +%pre libs getent group pkcs11 >/dev/null || groupadd -r pkcs11 exit 0 @@ -250,6 +265,7 @@ exit 0 %{_libdir}/pkcs11/methods %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name} %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name} +%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/* %files libs %doc LICENSE @@ -258,7 +274,7 @@ exit 0 # needs them in the main package, because: # pkcs11_startup looks for opencryptoki/stdll/*.so, and # documentation suggests that programs should dlopen "PKCS11_API.so". -%dir %{_libdir}/opencryptoki +%dir %{_libdir}/opencryptoki/ %{_libdir}/opencryptoki/libopencryptoki.* %{_libdir}/opencryptoki/PKCS11_API.so %dir %{_libdir}/opencryptoki/stdll @@ -273,11 +289,14 @@ exit 0 %files swtok %{_libdir}/opencryptoki/stdll/libpkcs11_sw.* %{_libdir}/opencryptoki/stdll/PKCS11_SW.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ %files tpmtok %doc doc/README.tpm_stdll %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ %files icsftok %doc doc/README.icsf_stdll 
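Review bot: The scriptlet renamed to `%pre libs` (`@@ -218,7 +233,7 @@`) runs `getent` and `groupadd`, but the only `Requires(pre): shadow-utils coreutils sed` visible in this patch sits in the main package preamble. The libs preamble is outside the shown hunks, so unless it declares its own dependency nothing orders shadow-utils before the libs scriptlet; `Requires(pre): shadow-utils` under `%package libs` would cover it. Because the scriptlet ends in `exit 0`, a failed `groupadd` is silent, and the `%attr(770,root,pkcs11)` directories added in the `%files` hunks would then presumably not get the intended group ownership.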
@@ -285,21 +304,31 @@ exit 0 %{_mandir}/man1/pkcsicsf.1* %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.* %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/ %ifarch s390 s390x %files icatok %{_libdir}/opencryptoki/stdll/libpkcs11_ica.* %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ %files ccatok %doc doc/README-IBM_CCA_users %doc doc/README.cca_stdll %{_libdir}/opencryptoki/stdll/libpkcs11_cca.* %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/ %endif %changelog +* Mon Jan 20 2014 Dan Horák - 3.0-8 +- include token specific directories (#1013017, #1045775, #1054442) +- fix pkcsconf crash for non-root users (#10054661) +- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed + * Tue Dec 03 2013 Dan Horák - 3.0-7 - fix build with -Werror=format-security (#1037228)