From bb0e64dbce835816ac276e316fc6c71ad5036d8d Mon Sep 17 00:00:00 2001
From: Igor Gnatenko
Date: Tue, 11 Jun 2019 16:09:07 +0200
Subject: [PATCH] Backport pmatilai's patches for RPM 4.15 build fix

Signed-off-by: Igor Gnatenko
---
 ...le-rpmVerifyFile-removal-in-rpm-4.15.patch | 67 +++++++++++++
 ...VERIFY_-constants-instead-of-VERIFY_.patch | 99 +++++++++++++++++++
 ...Y_SIGNATURE-and-VERIFY_DIGEST-checks.patch | 56 +++++++++++
 openscap.spec | 14 ++-
 4 files changed, 231 insertions(+), 5 deletions(-)
 create mode 100644 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
 create mode 100644 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
 create mode 100644 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch

diff --git a/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch b/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
new file mode 100644
index 0000000..aa78a80
--- /dev/null
+++ b/0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch
@@ -0,0 +1,67 @@
+From e09334091d5678b666ea4e92d1a4b55838aa1a41 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Tue, 11 Jun 2019 16:12:55 +0300
+Subject: [PATCH 1/3] Handle rpmVerifyFile() removal in rpm >= 4.15
+
+Using rpmfiVerify() directly would be simpler but if upstream wants
+to preserve compatibility with older rpms...
+---
+ CMakeLists.txt | 1 +
+ src/OVAL/probes/unix/linux/rpm-helper.c | 12 ++++++++++++
+ src/OVAL/probes/unix/linux/rpm-helper.h | 5 +++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 720d8d8eb..058319599 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -132,6 +132,7 @@ if(RPM_FOUND)
+ check_library_exists("${RPM_LIBRARY}" headerFormat "" HAVE_HEADERFORMAT)
+ check_library_exists("${RPMIO_LIBRARY}" rpmFreeCrypto "" HAVE_RPMFREECRYPTO)
+ check_library_exists("${RPM_LIBRARY}" rpmFreeFilesystems "" HAVE_RPMFREEFILESYSTEMS)
++ check_library_exists("${RPM_LIBRARY}" rpmVerifyFile "" HAVE_RPMVERIFYFILE)
+ set(HAVE_RPMVERCMP 1)
+ endif()
+
+diff --git a/src/OVAL/probes/unix/linux/rpm-helper.c b/src/OVAL/probes/unix/linux/rpm-helper.c
+index bfb95c363..4d23cf202 100644
+--- a/src/OVAL/probes/unix/linux/rpm-helper.c
++++ b/src/OVAL/probes/unix/linux/rpm-helper.c
+@@ -32,6 +32,18 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data)
+ }
+ #endif
+
++#ifndef HAVE_RPMVERIFYFILE
++int rpmVerifyFile(const rpmts ts, const rpmfi fi,
++ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask)
++{
++ rpmVerifyAttrs vfy = rpmfiVerify(fi, omitMask);
++ if (res)
++ *res = vfy;
++
++ return (vfy & RPMVERIFY_LSTATFAIL) ? 1 : 0;
++}
++#endif
++
+ void rpmLibsPreload()
+ {
+ // Don't load rpmrc files. 
The are useless for us,
+diff --git a/src/OVAL/probes/unix/linux/rpm-helper.h b/src/OVAL/probes/unix/linux/rpm-helper.h
+index 4e9af8702..f879a5a5b 100644
+--- a/src/OVAL/probes/unix/linux/rpm-helper.h
++++ b/src/OVAL/probes/unix/linux/rpm-helper.h
+@@ -87,6 +87,11 @@ int rpmErrorCb (rpmlogRec rec, rpmlogCallbackData data);
+ #define DISABLE_PLUGINS(ts) rpmDefineMacro(NULL,"__plugindir \"\"", 0);
+ #endif
+
++#ifndef HAVE_RPMVERIFYFILE
++int rpmVerifyFile(const rpmts ts, const rpmfi fi,
++ rpmVerifyAttrs * res, rpmVerifyAttrs omitMask);
++#endif
++
+ /**
+ * Preload libraries required by rpm
+ * It destroy error callback!
+--
+2.22.0
+
diff --git a/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch b/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
new file mode 100644
index 0000000..4294235
--- /dev/null
+++ b/0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch
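Review bot: The `#ifndef HAVE_RPMVERIFYFILE` guard added to rpm-helper.c and rpm-helper.h only takes effect if the CMake result is exported into the generated config header, and this patch touches CMakeLists.txt, rpm-helper.c and rpm-helper.h but no config header template; if the neighbouring `HAVE_RPMFREECRYPTO` / `HAVE_RPMFREEFILESYSTEMS` checks are propagated through a `#cmakedefine` line elsewhere (not visible here), `HAVE_RPMVERIFYFILE` needs the same line, otherwise the shim is compiled on every rpm version and on rpm < 4.15 it silently interposes over librpm's own `rpmVerifyFile`. The shim also carries no comment saying what it is; I would put `/* rpm >= 4.15 removed rpmVerifyFile(); reproduce it via rpmfiVerify(). ts is accepted for signature compatibility but unused; non-zero means lstat() failed. */` above the definition and `(void)ts;` as its first statement to keep -Wunused-parameter quiet. Whether the removed librpm implementation used exactly this LSTATFAIL return convention cannot be confirmed from the hunk, so the comment should be checked against the 4.14 source before landing.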
@@ -0,0 +1,99 @@
+From 9db9474dd092a67e37af54a2eb898cea625a98cd Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Tue, 11 Jun 2019 16:12:56 +0300
+Subject: [PATCH 2/3] Refer to the RPMVERIFY_* constants instead of VERIFY_*
+ counterparts
+
+The RPMVERIFY_* values always refer to corresponding file verification
+attributes, which is what we're dealing with here. The VERIFY_*
+constants do not exist in all versions, and include things that
+do not make any sense at all for files anyway, such as VERIFY_DEPS
+and VERIFY_SCRIPT which are package-level operations and VERIFY_SIGNATURE
+and VERIFY_DIGEST which are not verify operations at all.
+---
+ src/OVAL/probes/unix/linux/rpmverify_probe.c | 21 ++++++----------
+ .../probes/unix/linux/rpmverifyfile_probe.c | 25 +++++++++----------
+ 2 files changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/src/OVAL/probes/unix/linux/rpmverify_probe.c b/src/OVAL/probes/unix/linux/rpmverify_probe.c
+index 07bd09d84..dbc9523ba 100644
+--- a/src/OVAL/probes/unix/linux/rpmverify_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverify_probe.c
+@@ -303,19 +303,14 @@ typedef struct {
+ } rpmverify_bhmap_t;
+
+ const rpmverify_bhmap_t rpmverify_bhmap[] = {
+- { "nodeps", (uint64_t)VERIFY_DEPS },
+- { "nodigest", (uint64_t)VERIFY_DIGEST },
+- { "nofiles", (uint64_t)VERIFY_FILES },
+- { "noscripts", (uint64_t)VERIFY_SCRIPT },
+- { "nosignature", (uint64_t)VERIFY_SIGNATURE },
+- { "nolinkto", (uint64_t)VERIFY_LINKTO },
+- { "nomd5", (uint64_t)VERIFY_MD5 },
+- { "nosize", (uint64_t)VERIFY_SIZE },
+- { "nouser", (uint64_t)VERIFY_USER },
+- { "nogroup", (uint64_t)VERIFY_GROUP },
+- { "nomtime", (uint64_t)VERIFY_MTIME },
+- { "nomode", (uint64_t)VERIFY_MODE },
+- { "nordev", (uint64_t)VERIFY_RDEV },
++ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
++ { "nomd5", (uint64_t)RPMVERIFY_MD5 },
++ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
++ { "nouser", (uint64_t)RPMVERIFY_USER },
++ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
++ { "nomtime", 
(uint64_t)RPMVERIFY_MTIME },
++ { "nomode", (uint64_t)RPMVERIFY_MODE },
++ { "nordev", (uint64_t)RPMVERIFY_RDEV },
+ { "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
+ { "noghostfiles", RPMVERIFY_SKIP_GHOST }
+ };
+diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+index d81728ebe..10fcdf8df 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+@@ -83,11 +83,10 @@ struct rpmverify_res {
+ * They all have the same value (1) - see 'rpm/rpmvf.h'.
+ */
+ #define RPMVERIFY_FILEDIGEST RPMVERIFY_MD5
+- #define VERIFY_FILEDIGEST VERIFY_MD5
+- /* VERIFY_CAPS is not supported in older rpmlib.
++ /* RPMVERIFY_CAPS is not supported in older rpmlib.
+ * We can set it to 0 because 0 is neutral to bit OR operation.
+ */
+- #define VERIFY_CAPS 0
++ #define RPMVERIFY_CAPS 0
+ #endif
+
+ #define RPMVERIFY_LOCK RPM_MUTEX_LOCK(&g_rpm->mutex)
+@@ -423,18 +422,18 @@ typedef struct {
+ } rpmverifyfile_bhmap_t;
+
+ const rpmverifyfile_bhmap_t rpmverifyfile_bhmap[] = {
+- { "nolinkto", (uint64_t)VERIFY_LINKTO },
+- { "nomd5", (uint64_t)VERIFY_MD5 }, // deprecated since OVAL 5.11.1
+- { "nosize", (uint64_t)VERIFY_SIZE },
+- { "nouser", (uint64_t)VERIFY_USER },
+- { "nogroup", (uint64_t)VERIFY_GROUP },
+- { "nomtime", (uint64_t)VERIFY_MTIME },
+- { "nomode", (uint64_t)VERIFY_MODE },
+- { "nordev", (uint64_t)VERIFY_RDEV },
++ { "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
++ { "nomd5", (uint64_t)RPMVERIFY_MD5 }, // deprecated since OVAL 5.11.1
++ { "nosize", (uint64_t)RPMVERIFY_FILESIZE },
++ { "nouser", (uint64_t)RPMVERIFY_USER },
++ { "nogroup", (uint64_t)RPMVERIFY_GROUP },
++ { "nomtime", (uint64_t)RPMVERIFY_MTIME },
++ { "nomode", (uint64_t)RPMVERIFY_MODE },
++ { "nordev", (uint64_t)RPMVERIFY_RDEV },
+ { "noconfigfiles", RPMVERIFY_SKIP_CONFIG },
+ { "noghostfiles", RPMVERIFY_SKIP_GHOST },
+- { "nofiledigest", (uint64_t)VERIFY_FILEDIGEST },
+- { "nocaps", 
(uint64_t)VERIFY_CAPS }
++ { "nofiledigest", (uint64_t)RPMVERIFY_FILEDIGEST },
++ { "nocaps", (uint64_t)RPMVERIFY_CAPS }
+ };
+
+ int rpmverifyfile_probe_main(probe_ctx *ctx, void *arg)
+--
+2.22.0
+
diff --git a/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch b/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
new file mode 100644
index 0000000..cc2be0a
--- /dev/null
+++ b/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch
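Review bot: The new `rpmverify_bhmap` in rpmverify_probe.c drops the `nodeps`, `nodigest`, `nofiles`, `noscripts` and `nosignature` entries altogether, so OVAL content whose rpmverify_object sets any of those behaviors (they are still part of the deprecated rpmverify schema, if I recall it correctly) now has no table entry; what the lookup loop does with an unknown behavior name is outside the hunk, so this is either a silently ignored attribute or a new probe error for previously working content. The hunk already uses the safe pattern for this case, `#define RPMVERIFY_CAPS 0` with the comment that 0 is neutral under bitwise OR, and the same trick would keep the five names accepted while making the patch's point that they do not apply to file verification. Note that the old `nofiles` mapping to `VERIFY_FILES` may have meant "skip file checks entirely" in the pre-patch probe; whether anything downstream still honours that bit cannot be seen here.

```c
const rpmverify_bhmap_t rpmverify_bhmap[] = {
	/* Package-level behaviors of the (deprecated) rpmverify_object: kept so
	 * content that sets them is still accepted, but mapped to 0 (neutral
	 * under bitwise OR) because they have no file-verification meaning. */
	{ "nodeps",      0 },
	{ "nodigest",    0 },
	{ "nofiles",     0 },
	{ "noscripts",   0 },
	{ "nosignature", 0 },
	{ "nolinkto", (uint64_t)RPMVERIFY_LINKTO },
	/* … unchanged: remaining RPMVERIFY_* entries … */
};
```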
@@ -0,0 +1,56 @@
+From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Tue, 11 Jun 2019 16:12:57 +0300
+Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks
+
+VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
+checks, these checks are performed internally by rpm and failure in
+either will cause the entire header failing to load. These flags allow
+disabling that verification, but this doesn't make sense for openscap
+and doesn't work this way in rpm >= 4.15 anyway.
+---
+ .../probes/unix/linux/rpmverifypackage_probe.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+index ed6c714d8..06059ae47 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+@@ -69,9 +69,7 @@ typedef struct {
+
+ const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
+ { "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},
+- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},
+ { "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},
+- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
+ };
+
+ struct rpmverify_res {
+@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
+ probe_item_ent_add(item, "dependency_check_passed", NULL, value);
+ SEXP_free(value);
+ }
+- if (res->vflags & VERIFY_DIGEST) {
+- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
+- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
+- probe_item_ent_add(item, "digest_check_passed", NULL, value);
+- SEXP_free(value);
+- }
+ if (res->vflags & VERIFY_SCRIPT) {
+ dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
+ value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? 
"1" : "0"), 1); + probe_item_ent_add(item, "verification_script_successful", NULL, value); + SEXP_free(value); + } +- if (res->vflags & VERIFY_SIGNATURE) { +- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE); +- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1); +- probe_item_ent_add(item, "signature_check_passed", NULL, value); +- SEXP_free(value); +- } + + return probe_item_collect(ctx, item) == 2 ? 1 : 0; + } +-- +2.22.0 + diff --git a/openscap.spec b/openscap.spec index 3f49b61..aef4bf3 100644 --- a/openscap.spec +++ b/openscap.spec @@ -6,6 +6,10 @@ Summary: Set of open source libraries enabling integration of the SCAP li License: LGPLv2+ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz +# https://github.com/OpenSCAP/openscap/pull/1352 +Patch0001: 0001-Handle-rpmVerifyFile-removal-in-rpm-4.15.patch +Patch0002: 0002-Refer-to-the-RPMVERIFY_-constants-instead-of-VERIFY_.patch +Patch0003: 0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch BuildRequires: cmake >= 2.6 BuildRequires: gcc BuildRequires: gcc-c++ @@ -109,7 +113,7 @@ BuildArch: noarch Tool for scanning Atomic containers. %prep -%setup -q +%autosetup -p1 mkdir build %build @@ -162,7 +166,7 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm %{_includedir}/openscap/sce_engine_api.h %files scanner -%{_mandir}/man8/oscap.8.gz +%{_mandir}/man8/oscap.8* %{_bindir}/oscap %{_bindir}/oscap-chroot %{_sysconfdir}/bash_completion.d @@ -170,8 +174,8 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm %files utils %doc docs/oscap-scan.cron %{_mandir}/man8/* -%exclude %{_mandir}/man8/oscap.8.gz -%exclude %{_mandir}/man8/oscap-docker.8.gz +%exclude %{_mandir}/man8/oscap.8* +%exclude %{_mandir}/man8/oscap-docker.8* %{_bindir}/* %exclude %{_bindir}/oscap %exclude %{_bindir}/oscap-docker 
@@ -182,7 +186,7 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %files containers
 %{_bindir}/oscap-docker
-%{_mandir}/man8/oscap-docker.8.gz
+%{_mandir}/man8/oscap-docker.8*
 %{python3_sitelib}/oscap_docker_python/*
 %changelog