From f5428733175d75ee42bfc2d8e2b6a7c1df823160 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Tue, 4 Feb 2025 14:46:16 +0100
Subject: [PATCH] - Use systemd-sysusers - Modifie the unit file to change file ownership - opencryptoki doesn't work in image mode Resolves: RHEL-77146
---
 opencryptoki-3.24.0-image-mode.patch | 11 ++++
 opencryptoki-3.24.0-tmpfiles-image-mode.patch | 10 ++++
 opencryptoki-ccatok.conf | 2 +
 opencryptoki-ep11tok.conf | 2 +
 opencryptoki-icatok.conf | 2 +
 opencryptoki-icsftok.conf | 1 +
 opencryptoki-swtok.conf | 3 +
 opencryptoki-tmpfiles.conf | 2 +
 opencryptoki-tpmtok.conf | 1 +
 opencryptoki.spec | 56 +++++++++++++++++--
 opencryptoki.sysusers | 3 +
 11 files changed, 88 insertions(+), 5 deletions(-)
 create mode 100644 opencryptoki-3.24.0-image-mode.patch
 create mode 100644 opencryptoki-3.24.0-tmpfiles-image-mode.patch
 create mode 100644 opencryptoki-ccatok.conf
 create mode 100644 opencryptoki-ep11tok.conf
 create mode 100644 opencryptoki-icatok.conf
 create mode 100644 opencryptoki-icsftok.conf
 create mode 100644 opencryptoki-swtok.conf
 create mode 100644 opencryptoki-tmpfiles.conf
 create mode 100644 opencryptoki-tpmtok.conf
 create mode 100644 opencryptoki.sysusers
diff --git a/opencryptoki-3.24.0-image-mode.patch b/opencryptoki-3.24.0-image-mode.patch
new file mode 100644
index 0000000..4308399
--- /dev/null
+++ b/opencryptoki-3.24.0-image-mode.patch
@@ -0,0 +1,11 @@
+diff -up opencryptoki-3.24.0/misc/pkcsslotd.service.in.me opencryptoki-3.24.0/misc/pkcsslotd.service.in
+--- opencryptoki-3.24.0/misc/pkcsslotd.service.in.me 2025-02-02 16:38:29.381579155 +0100
++++ opencryptoki-3.24.0/misc/pkcsslotd.service.in 2025-02-02 17:06:30.048042047 +0100
+@@ -9,6 +9,7 @@ Type=forking
+ PIDFile=/run/opencryptoki/pkcsslotd.pid
+ ExecStart=@sbindir@/pkcsslotd
+ 
++ExecStartPre=+-/bin/sh -c "/bin/chown -f -h root:pkcs11 /etc/opencryptoki/{strength.conf,p11sak_defined_attrs.conf}"
+ # Uncomment the following line to allow pkcsslotd to increase the receive buffer
+ # size of the UDEV monitor's netlink socket via udev_monitor_set_receive_buffer_size():
+ # AmbientCapabilities=CAP_NET_ADMIN
diff --git a/opencryptoki-3.24.0-tmpfiles-image-mode.patch b/opencryptoki-3.24.0-tmpfiles-image-mode.patch
new file mode 100644
index 0000000..d824b93
--- /dev/null
+++ b/opencryptoki-3.24.0-tmpfiles-image-mode.patch
@@ -0,0 +1,10 @@
+diff -up opencryptoki-3.24.0/misc/tmpfiles.conf.in.me opencryptoki-3.24.0/misc/tmpfiles.conf.in
+--- opencryptoki-3.24.0/misc/tmpfiles.conf.in.me 2025-02-03 13:46:33.012573050 +0100
++++ opencryptoki-3.24.0/misc/tmpfiles.conf.in 2025-02-03 13:55:59.344093340 +0100
+@@ -1,5 +1,6 @@
+ # path mode uid gid age
+ D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ -
+ d @localstatedir@/lib/opencryptoki 0770 root @pkcs_group@ -
++D @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
+ d @logdir@ 0770 root @pkcs_group@ -
+ D @lockdir@ 0770 root @pkcs_group@ -
diff --git a/opencryptoki-ccatok.conf b/opencryptoki-ccatok.conf
new file mode 100644
index 0000000..3528fc7
--- /dev/null
+++ b/opencryptoki-ccatok.conf
@@ -0,0 +1,2 @@
+D /var/lib/opencryptoki/ccatok 770 root pkcs11 -
+D /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -
diff --git a/opencryptoki-ep11tok.conf b/opencryptoki-ep11tok.conf
new file mode 100644
index 0000000..687059b
--- /dev/null
+++ b/opencryptoki-ep11tok.conf
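Review bot: The added `ExecStartPre` line depends on bash brace expansion (`{strength.conf,p11sak_defined_attrs.conf}`) even though it invokes `/bin/sh`, and the `-` exit-status prefix combined with `chown -f` means any failure, including a literal unexpanded path under a POSIX sh, is never reported while pkcsslotd still starts with the old ownership in place. Since `+` already runs the command with full privileges, the shell is unnecessary; spell the two paths out directly: `ExecStartPre=+-/bin/chown -f -h root:pkcs11 /etc/opencryptoki/strength.conf /etc/opencryptoki/p11sak_defined_attrs.conf`. Alternatively, `z` lines in the `misc/tmpfiles.conf.in` this same commit patches would fix the ownership at boot without touching the unit. Note the group is hard-coded as `pkcs11` here while the upstream templates use `@pkcs_group@`, and the `[Service]` section this line belongs to starts outside the hunk.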
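Review bot: The new `HSM_MK_CHANGE` entry uses type `D` while the neighbouring persistent `@localstatedir@/lib/opencryptoki` line deliberately uses `d`; under tmpfiles.d(5), `D` makes `systemd-tmpfiles --remove` (which systemd-tmpfiles-setup.service runs at every boot) empty the directory, so any master-key-change state kept there would be discarded on reboot. Unless that purge is intended, use `d @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 0770 root @pkcs_group@ -`, which also matches the `0770` mode spelling of the adjacent lines. The same `D` versus `d` question applies to every per-token .conf file this commit adds under /var/lib/opencryptoki.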
@@ -0,0 +1,2 @@
+D /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
+D /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -
diff --git a/opencryptoki-icatok.conf b/opencryptoki-icatok.conf
new file mode 100644
index 0000000..f3ca4a4
--- /dev/null
+++ b/opencryptoki-icatok.conf
@@ -0,0 +1,2 @@
+D /var/lib/opencryptoki/lite 770 root pkcs11 -
+D /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -
diff --git a/opencryptoki-icsftok.conf b/opencryptoki-icsftok.conf
new file mode 100644
index 0000000..1786dd8
--- /dev/null
+++ b/opencryptoki-icsftok.conf
@@ -0,0 +1 @@
+D /var/lib/opencryptoki/icsf 770 root pkcs11 -
diff --git a/opencryptoki-swtok.conf b/opencryptoki-swtok.conf
new file mode 100644
index 0000000..6d994d3
--- /dev/null
+++ b/opencryptoki-swtok.conf
@@ -0,0 +1,3 @@
+# path mode uid gid age
+D /var/lib/opencryptoki/swtok 770 root pkcs11 -
+D /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -
diff --git a/opencryptoki-tmpfiles.conf b/opencryptoki-tmpfiles.conf
new file mode 100644
index 0000000..0ffe422
--- /dev/null
+++ b/opencryptoki-tmpfiles.conf
@@ -0,0 +1,2 @@
+d /run/opencryptoki 0710 pkcsslotd pkcs11 -
+
diff --git a/opencryptoki-tpmtok.conf b/opencryptoki-tpmtok.conf
new file mode 100644
index 0000000..f5cfc0f
--- /dev/null
+++ b/opencryptoki-tpmtok.conf
@@ -0,0 +1 @@
+D /var/lib/opencryptoki/tpm 770 root pkcs11 -
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 23e5458..7679f8b 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
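Review bot: Both swtok lines use type `D`, which per tmpfiles.d(5) lets `systemd-tmpfiles --remove` (run by systemd-tmpfiles-setup.service at boot) delete the directory contents; for `/var/lib/opencryptoki/swtok/TOK_OBJ`, which the spec's `%dir %attr(770,root,pkcs11)` entries treat as persistent token state, that would empty the token store on every reboot. The matching type for a directory that must only be created is `d`: `d /var/lib/opencryptoki/swtok 0770 root pkcs11 -` and `d /var/lib/opencryptoki/swtok/TOK_OBJ 0770 root pkcs11 -`. The ccatok, ep11tok, icatok, icsftok and tpmtok files added alongside have the same problem.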
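Review bot: `opencryptoki-tmpfiles.conf` is created but never referenced: the spec hunks declare Source2 through Source8 for the sysusers file and the six per-token files, and no `install` line or `%files` entry names this one, so it is dead in this commit. If it were wired in it would also duplicate the upstream `D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ -` entry that `misc/tmpfiles.conf.in` already installs, with a different type (`d`) and mode (`0710`). Either drop the file, or add it as a Source and make its entry identical to the upstream one; the trailing empty `+` line should go either way.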
@@ -1,17 +1,30 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.24.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: CPL-1.0
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1: opencryptoki.module
+Source2: opencryptoki.sysusers
+# split tmpfiles for image mode
+Source3: opencryptoki-ccatok.conf
+Source4: opencryptoki-icatok.conf
+Source5: opencryptoki-swtok.conf
+Source6: opencryptoki-tpmtok.conf
+Source7: opencryptoki-ep11tok.conf
+Source8: opencryptoki-icsftok.conf
+
 # fix install problem in buildroot
 Patch1: opencryptoki-3.24.0-p11sak.patch
+# change file ownership for image mode
+Patch2: opencryptoki-3.24.0-image-mode.patch
+Patch3: opencryptoki-3.24.0-tmpfiles-image-mode.patch
+
 # upstream patches
-Patch2: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
-Patch3: opencryptoki-3.24.0-resource-leaks.patch
+Patch100: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
+Patch101: opencryptoki-3.24.0-resource-leaks.patch
 Requires(pre): coreutils
 Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
@@ -27,6 +40,8 @@ BuildRequires: libcap-devel
 BuildRequires: expect
 BuildRequires: make
 BuildRequires: systemd-rpm-macros
+%{?sysusers_requires_compat}
+
 %ifarch s390 s390x
 BuildRequires: libica-devel >= 3.3
 # for /usr/include/libudev.h
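Review bot: `%{?sysusers_requires_compat}` is added to the main package preamble, but the scriptlet that needs it, `%sysusers_create_compat %{SOURCE2}` in `%pre libs` later in this diff, runs from the libs subpackage, so the `Requires(pre)` the macro presumably expands to is attached to the wrong package and libs can be installed without the tool its %pre needs. Move the line under the `%package libs` section (outside this hunk) next to that subpackage's other dependencies. The `%{_sysusersdir}/%{name}.conf` entry is likewise listed in the `%files` section that carries `PKCS11_API.so`, which looks like libs, so all of the sysusers handling should be consistently scoped to that subpackage.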
@@ -205,6 +220,24 @@ configured with Enterprise PKCS#11 (EP11) firmware.
 %make_install CHGRP=/bin/true
+# Install sysusers.d configuration
+install -p -D -m 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+# Install tmpfiles.d config
+%ifarch s390 s390x
+install -p -D -m 0644 %{SOURCE4} %{SOURCE7} %{buildroot}%{_tmpfilesdir}/
+%endif
+
+%ifarch s390 s390x x86_64 ppc64le
+install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/
+%endif
+
+%if 0%{?tmptok}
+install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/
+%endif
+
+install -p -D -m 0644 %{SOURCE5} %{SOURCE8} %{buildroot}%{_tmpfilesdir}/
+
 %pre
 # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
 # backup config file. bz#2044179
@@ -215,8 +248,7 @@ if test $1 -gt 1 && test -f %{cfile} ; then
 fi
 %pre libs
-getent group pkcs11 >/dev/null || groupadd -r pkcs11
-getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
+%sysusers_create_compat %{SOURCE2}
 exit 0
 %post
@@ -233,6 +265,7 @@ if test $1 -eq 1; then
 %tmpfiles_create %{name}.conf
 fi
+
 %preun
 %systemd_preun pkcsslotd.service
@@ -293,6 +326,7 @@ fi
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
 %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
+%{_sysusersdir}/%{name}.conf
 %files devel
 %{_includedir}/%{name}/
@@ -303,6 +337,7 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
+%{_tmpfilesdir}/%{name}-swtok.conf
 %if 0%{?tmptok}
 %files tpmtok
@@ -310,6 +345,7 @@ fi
 %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
 %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
+%{_tmpfilesdir}/%{name}-tpmtok.conf
 %endif
 %files icsftok
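Review bot: The two multi-source lines, `install -p -D -m 0644 %{SOURCE4} %{SOURCE7} %{buildroot}%{_tmpfilesdir}/` and the `%{SOURCE5} %{SOURCE8}` one, pair `-D` with several sources and a trailing-slash destination, which relies on coreutils treating that slash as a target directory to create. The documented form for installing several files into a directory that `-D` should create is `-t`: `install -p -D -m 0644 -t %{buildroot}%{_tmpfilesdir} %{SOURCE4} %{SOURCE7}`, and the same shape for the SOURCE5/SOURCE8 line. The single-source lines can stay as they are.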
@@ -319,6 +355,7 @@ fi
 %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
 %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
+%{_tmpfilesdir}/%{name}-icsftok.conf
 %ifarch s390 s390x
 %files icatok
@@ -326,6 +363,7 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
+%{_tmpfilesdir}/%{name}-icatok.conf
 %endif
 %ifarch s390 s390x x86_64 ppc64le
@@ -338,6 +376,7 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
+%{_tmpfilesdir}/%{name}-ccatok.conf
 %endif
 %ifarch s390 s390x
@@ -353,10 +392,17 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
+%{_tmpfilesdir}/%{name}-ep11tok.conf
 %endif
 %changelog
+* Sun Feb 02 2025 Than Ngo - 3.24.0-5
+- Use systemd-sysusers
+- Modifie the unit file to change file ownership
+- opencryptoki doesn't work in image mode
+ Resolves: RHEL-77146
+
 * Tue Nov 26 2024 Than Ngo - 3.24.0-4
 - Disable ccatok on aarch64 and i686
 Related: RHEL-58996
diff --git a/opencryptoki.sysusers b/opencryptoki.sysusers
new file mode 100644
index 0000000..0803919
--- /dev/null
+++ b/opencryptoki.sysusers
@@ -0,0 +1,3 @@
+u pkcsslotd - "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin
+g pkcs11 - -
+m pkcsslotd pkcs11
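Review bot: The `u pkcsslotd - ...` line leaves the ID field as `-`, so systemd-sysusers (and `%sysusers_create_compat`) creates a dedicated `pkcsslotd` group as the user's primary group, whereas the `useradd -r -g pkcs11` this commit removes from `%pre libs` made `pkcs11` the primary group; the `m pkcsslotd pkcs11` line only adds it as a supplementary group. Unless pkcsslotd sets the group explicitly, anything it creates at runtime would then carry group `pkcsslotd` instead of `pkcs11`, the group every tmpfiles entry in this commit grants access to, and an extra system group appears on every host. sysusers.d(5) accepts `uid:gid` in the ID field with the group given by name as long as its `g` line comes first, so declare the group first and reference it: `g pkcs11 - -` then `u pkcsslotd -:pkcs11 "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin`, after which the `m` line is redundant.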