add missing /var/lib/opencryptoki/HSM_MK_CHANGE

disable unsupported sandbox options and add /run to ReadWritePaths to exclude /run directory from being made read-only on rhel8 Related: #2159697
2023-05-17 13:41:18 +02:00 · 2023-05-17 13:41:18 +02:00 · 25187255f5
commit 25187255f5
parent 9e22d31c4b
2 changed files with 39 additions and 2 deletions
--- a/opencryptoki-3.21-sandboxing.patch
+++ b/opencryptoki-3.21-sandboxing.patch
@ -0,0 +1,27 @@
+diff -up opencryptoki-3.21.0/misc/pkcsslotd.service.in.me opencryptoki-3.21.0/misc/pkcsslotd.service.in
+--- opencryptoki-3.21.0/misc/pkcsslotd.service.in.me	2023-05-16 20:50:08.128841932 +0200
+++ opencryptoki-3.21.0/misc/pkcsslotd.service.in	2023-05-16 21:19:35.208570589 +0200
+@@ -22,17 +22,17 @@ PrivateUsers=no
+ PrivateNetwork=no
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ IPAddressDeny=any
+-ProtectClock=yes
+#ProtectClock=yes
+ ProtectKernelTunables=yes
+ ProtectKernelModules=yes
+-ProtectKernelLogs=yes
+#ProtectKernelLogs=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+-ProtectHostname=yes
+-ProtectProc=default
+#ProtectHostname=yes
+#ProtectProc=default
+ ProtectSystem=strict
+-ReadWritePaths=@localstatedir@
+-ProcSubset=all
+ReadWritePaths=@localstatedir@ /run
+#ProcSubset=all
+ MemoryDenyWriteExecute=yes
+ RestrictRealtime=yes
+ RestrictNamespaces=yes
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.21.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@ -12,6 +12,9 @@ Patch0: opencryptoki-3.11.0-group.patch
 Patch1: opencryptoki-3.11.0-lockdir.patch
 # add missing p11sak_defined_attrs.conf
 Patch2: opencryptoki-3.21.0-p11sak.patch
+# comment some unsupported sandbox options and add /run to ReadWritePaths to exclude
+# /run directory from being made read-only on rhel8
+Patch3: opencryptoki-3.21-sandboxing.patch

 # upstream patches

@ -294,10 +297,10 @@ fi
 %{_libdir}/opencryptoki/methods
 %{_libdir}/pkcs11/methods
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/HSM_MK_CHANGE
 %ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
 %ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
 %dir %attr(710,pkcsslotd,pkcs11) /run/%{name}
-%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki

 %files libs
 %license LICENSE
@ -313,6 +316,7 @@ fi
 %{_libdir}/pkcs11/libopencryptoki.so
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
+%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki

 %files devel
 %{_includedir}/%{name}/
@ -371,6 +375,12 @@ fi


 %changelog
+* Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
+- add missing /var/lib/opencryptoki/HSM_MK_CHANGE
+- disable unsupported sandbox options and add /run to ReadWritePaths to exclude
+  /run directory from being made read-only on rhel8
+Related: #2159697
+
 * Mon May 15 2023 Than Ngo <than@redhat.com> - 3.21.0-1
 - Resolves: #1984865, ep11 and cca: support concurrent HSM master key changes
 - Resolves: #2110500, ep11 token: PKCS #11 3.0 - support AES_XTS