add missing /var/lib/opencryptoki/HSM_MK_CHANGE

disable unsupported sandbox options and add /run to ReadWritePaths to exclude /run directory from being made read-only on rhel8 Related: #2159697
2023-05-17 13:41:18 +02:00 · 2023-05-17 13:41:18 +02:00 · 25187255f5
commit 25187255f5
parent 9e22d31c4b
2 changed files with 39 additions and 2 deletions
--- a/opencryptoki-3.21-sandboxing.patch
+++ b/opencryptoki-3.21-sandboxing.patch
@ -0,0 +1,27 @@
 diff -up opencryptoki-3.21.0/misc/pkcsslotd.service.in.me opencryptoki-3.21.0/misc/pkcsslotd.service.in
 --- opencryptoki-3.21.0/misc/pkcsslotd.service.in.me	2023-05-16 20:50:08.128841932 +0200
 +++ opencryptoki-3.21.0/misc/pkcsslotd.service.in	2023-05-16 21:19:35.208570589 +0200
@@ -22,17 +22,17 @@ PrivateUsers=no
 PrivateNetwork=no
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 IPAddressDeny=any
 -ProtectClock=yes
 +#ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 -ProtectKernelLogs=yes
 +#ProtectKernelLogs=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 -ProtectHostname=yes
 -ProtectProc=default
 +#ProtectHostname=yes
 +#ProtectProc=default
 ProtectSystem=strict
 -ReadWritePaths=@localstatedir@
 -ProcSubset=all
 +ReadWritePaths=@localstatedir@ /run
 +#ProcSubset=all
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.21.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@ -12,6 +12,9 @@ Patch0: opencryptoki-3.11.0-group.patch
 Patch1: opencryptoki-3.11.0-lockdir.patch
 # add missing p11sak_defined_attrs.conf
 Patch2: opencryptoki-3.21.0-p11sak.patch
 # comment some unsupported sandbox options and add /run to ReadWritePaths to exclude
 # /run directory from being made read-only on rhel8
 Patch3: opencryptoki-3.21-sandboxing.patch
 # upstream patches
@ -294,10 +297,10 @@ fi
 %{_libdir}/opencryptoki/methods
 %{_libdir}/pkcs11/methods
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/HSM_MK_CHANGE
 %ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
 %ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
 %dir %attr(710,pkcsslotd,pkcs11) /run/%{name}
 %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
 %files libs
 %license LICENSE
@ -313,6 +316,7 @@ fi
 %{_libdir}/pkcs11/libopencryptoki.so
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
 %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
 %files devel
 %{_includedir}/%{name}/
@ -371,6 +375,12 @@ fi
 %changelog
 * Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
 - add missing /var/lib/opencryptoki/HSM_MK_CHANGE
 - disable unsupported sandbox options and add /run to ReadWritePaths to exclude
  /run directory from being made read-only on rhel8
 Related: #2159697
 * Mon May 15 2023 Than Ngo <than@redhat.com> - 3.21.0-1
 - Resolves: #1984865, ep11 and cca: support concurrent HSM master key changes
 - Resolves: #2110500, ep11 token: PKCS #11 3.0 - support AES_XTS