rpms/osbuild
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import osbuild-27.2-1.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-05-18 02:45:30 -04:00 committed by Andrew Lukoshko
parent 4fb9ed8b5d
commit 83e4dab508
5 changed files with 74 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/osbuild-18.tar.gz SOURCES/osbuild-27.2.tar.gz

2
.osbuild.metadata
View File

@ -1 +1 @@
9bf4e1ce90639dcefba530df762de397f8e39bd6 SOURCES/osbuild-18.tar.gz 781efd5f4d96e25059c002a7e998429b9d682d03 SOURCES/osbuild-27.2.tar.gz

53
SOURCES/no-floats-in-sources.patch
View File

@ -1,53 +0,0 @@
From 7b0db90c76c6b0de6a4d481e63450e8f0d1a1d9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?= <obudai@redhat.com>
Date: Thu, 25 Jun 2020 09:56:30 +0200
Subject: [PATCH] sources/files: do not pass floats to --max-time
curl uses strtod from the C standard library to convert the --max-time's value
from string to double. However, this is what strtod expects:
nonempty sequence of decimal digits optionally containing decimal-point
character (as determined by the current C locale)
Yeah, unfortunately, the decimal-point character is determined by the current
C locale. For example, Czech and German locale uses a comma as the
decimal-point character.
For reasons I don't fully understand, Python thinks it's running on en_US
locale, even though LC_NUMERIC is set to cs_CZ, so it uses a full stop as the
decimal-point character when converting float to string. However, as written
before, curl fails to parse this because it expects comma.
The fix I chose is simple: Use math.ceil, so only an integer can be passed to
curl. Why ceil? Because --max-time == 0 sounds fishy. math.ceil should return
an integer (and it does in Python 3.8) but the documentation is not 100% clear
on this topic, so let's be paranoid and also convert it to int after the
ceiling.
---
sources/org.osbuild.files | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sources/org.osbuild.files b/sources/org.osbuild.files
index 42ff6ca..13ce9b8 100755
--- a/sources/org.osbuild.files
+++ b/sources/org.osbuild.files
@@ -17,6 +17,7 @@ import concurrent.futures
import glob
import itertools
import json
+import math
import os
import subprocess
import sys
@@ -102,7 +103,7 @@ def fetch(url, checksum, directory):
curl_command = [
"curl",
"--silent",
- "--max-time", f"{300 - elapsed_time}",
+ "--max-time", f"{int(math.ceil(300 - elapsed_time))}",
"--connect-timeout", "60",
"--fail",
"--location",
--
2.26.2

82
SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch
View File

@ -1,82 +0,0 @@
From 3c556c3386ffc2e4f722d90a723d9e97e9b72a66 Mon Sep 17 00:00:00 2001
From: Christian Kellner <christian@kellner.me>
Date: Sun, 9 Aug 2020 13:09:06 +0200
Subject: [PATCH] selinux: allow nnp and nosuid transitions
Allow osbuild_t to no_new_privs (nnp) and nosuid domain transition
into setfiles_mac_t and install_t. nnp is a inheritable per-thread
flag (PR_SET_NO_NEW_PRIVS, see prctl(2)), whereby a promise is made
by execve(2) to not grant any new privileges that could not have
been done without the execv call. This is on contrast to what can
be done via SELinux rules, i.e. in our case `setfiles_mac_t` and
`install_t` can set arbitrary SELinux labels, but `osbuild_t`
itself can not; but `osbuild_t` enables the transitioning of
`setfiles_mac_t` for the `setfiles` binary via execve(2) from a
process with `osbuild_t`. Related, the nosuid mount flag, prevents
the suid, sgid bits to be interpreted and thus are in the same
spirit as nnp, i.e. no new privs during execve(2).
Thus SELinux domain transitions stand in contrast with nnp and
nosuid transitions, and have therefore been de-coupled. See also
the corresponding kernel patch at [1] for more information.
bubblewrap (bwrap) in contrast to `systemd-nspawn` always sets the
nnp flag, as well as the nosuid option for all bind-mounts. Since
we no use bwrap to contain processes we need to allow the nnp and
nosuid transitions from `osbuild_t` to `setfiles_mac_t` and
`install_t`.
[1] https://patchwork.kernel.org/patch/9841441/
---
selinux/osbuild.if | 19 +++++++++++++++++++
selinux/osbuild.te | 2 ++
2 files changed, 21 insertions(+)
diff --git a/selinux/osbuild.if b/selinux/osbuild.if
index 815c691..48d099f 100644
--- a/selinux/osbuild.if
+++ b/selinux/osbuild.if
@@ -93,3 +93,22 @@ interface(`osbuild_role',`
ps_process_pattern($2, osbuild_t)
allow $2 osbuild_t:process { signull signal sigkill };
')
+
+########################################
+## <summary>
+## osbuild nnp / nosuid transitions to domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be allowed to transition into.
+## </summary>
+## </param>
+#
+interface(`osbuild_nnp_nosuid_trans',`
+ gen_require(`
+ type osbuild_t;
+ class process2 { nnp_transition nosuid_transition };
+ ')
+
+ allow osbuild_t $1:process2 {nnp_transition nosuid_transition};
+')
diff --git a/selinux/osbuild.te b/selinux/osbuild.te
index 1a5f98d..e4a0c7d 100644
--- a/selinux/osbuild.te
+++ b/selinux/osbuild.te
@@ -31,6 +31,7 @@ unconfined_domain(osbuild_t)
# execute setfiles in the setfiles_mac domain
# when in the osbuild_t domain
seutil_domtrans_setfiles_mac(osbuild_t)
+osbuild_nnp_nosuid_trans(setfiles_mac_t)
# Allow sysadm and unconfined to run osbuild
optional_policy(`
@@ -63,4 +64,5 @@ optional_policy(`
# allow transitioning to install_t (for ostree)
optional_policy(`
anaconda_domtrans_install(osbuild_t)
+ osbuild_nnp_nosuid_trans(install_t)
')
--
2.26.2

84
SPECS/osbuild.spec
View File

@ -1,7 +1,7 @@
%global forgeurl https://github.com/osbuild/osbuild %global forgeurl https://github.com/osbuild/osbuild
%global selinuxtype targeted %global selinuxtype targeted
Version: 18 Version: 27.2
%forgemeta %forgemeta
@ -9,14 +9,12 @@ Version: 18
%global pkgdir %{_prefix}/lib/%{pypi_name} %global pkgdir %{_prefix}/lib/%{pypi_name}
Name: %{pypi_name} Name: %{pypi_name}
Release: 3%{?dist} Release: 1%{?dist}
License: ASL 2.0 License: ASL 2.0
URL: %{forgeurl} URL: %{forgeurl}
Source0: %{forgesource} Source0: %{forgesource}
Patch0: no-floats-in-sources.patch
Patch1: selinux-allow-nnp-and-nosuid-transitions.patch
BuildArch: noarch BuildArch: noarch
Summary: A build system for OS images Summary: A build system for OS images
@ -25,6 +23,7 @@ BuildRequires: python3-devel
BuildRequires: python3-docutils BuildRequires: python3-docutils
Requires: bash Requires: bash
Requires: bubblewrap
Requires: coreutils Requires: coreutils
Requires: curl Requires: curl
Requires: dnf Requires: dnf
@ -33,20 +32,34 @@ Requires: glibc
Requires: policycoreutils Requires: policycoreutils
Requires: qemu-img Requires: qemu-img
Requires: systemd Requires: systemd
Requires: systemd-container
Requires: tar Requires: tar
Requires: util-linux Requires: util-linux
Requires: python3-%{pypi_name} = %{version}-%{release} Requires: python3-%{pypi_name} = %{version}-%{release}
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
# Turn off dependency generators for assemblers, runners and stages. # Turn off dependency generators for runners. The reason is that runners are
# They run in a container, so there's no reason to generate dependencies # tailored to the platform, e.g. on RHEL they are using platform-python. We
# from them. As of 2020-03-25 this filters out python3.6 dependency generated # don't want to pick up those dependencies on other platform.
# by rhel runner. %global __requires_exclude_from ^%{pkgdir}/(runners)/.*$
%global __requires_exclude_from ^%{pkgdir}/(assemblers|runners|stages)/.*$
# Turn off shebang mangling on RHEL. brp-mangle-shebangs (from package
# redhat-rpm-config) is run on all executables in a package after the `install`
# section runs. The below macro turns this behavior off for:
# - runners, because they already have the correct shebang for the platform
# they're meant for, and
# - stages and assemblers, because they are run within osbuild build roots,
# which are not required to contain the same OS as the host and might thus
# have a different notion of "platform-python".
# RHEL NB: Since assemblers and stages are not excluded from the dependency
# generator, this also means that an additional dependency on /usr/bin/python3
# will be added. This is intended and needed, so that in the host build root
# /usr/bin/python3 is present so stages and assemblers can be run.
%global __brp_mangle_shebangs_exclude_from ^%{pkgdir}/(assemblers|runners|stages)/.*$
%{?python_enable_dependency_generator} %{?python_enable_dependency_generator}
%description %description
A build system for OS images A build system for OS images
@ -81,8 +94,6 @@ containers it uses to build OS artifacts.
%prep %prep
%forgesetup %forgesetup
%patch0 -p1
%patch1 -p1
%build %build
%py3_build %py3_build
@ -110,6 +121,9 @@ install -p -m 0755 $(find runners -type f -or -type l) %{buildroot}%{pkgdir}/run
mkdir -p %{buildroot}%{pkgdir}/sources mkdir -p %{buildroot}%{pkgdir}/sources
install -p -m 0755 $(find sources -type f) %{buildroot}%{pkgdir}/sources install -p -m 0755 $(find sources -type f) %{buildroot}%{pkgdir}/sources
mkdir -p %{buildroot}%{pkgdir}/inputs
install -p -m 0755 $(find inputs -type f) %{buildroot}%{pkgdir}/inputs
# mount point for bind mounting the osbuild library # mount point for bind mounting the osbuild library
mkdir -p %{buildroot}%{pkgdir}/osbuild mkdir -p %{buildroot}%{pkgdir}/osbuild
@ -176,6 +190,52 @@ fi
%changelog %changelog
* Thu Apr 8 2021 Christian Kellner <ckellner@redhat.com> - 27.2-1
- Upstream release 27.2.
- Support for explicitly selecting the qcow2 version.
* Thu Apr 1 2021 Achilleas Koutsou <akoutsou@redhat.com> - 27.1-1
- Upstream release 27.1
- Bug fixes related to OCI archive generation.
* Tue Mar 16 2021 Christian Kellner <ckellner@redhat.com> - 27-1
- Upstream release 27
- Various bug fixes related to the new container and installer
stages introdcued in version 25 and 26.
* Fri Feb 19 2021 Christian Kellner <ckellner@redhat.com> - 26-1
- Upstream release 26
- Includes the necessary stages to build boot isos.
* Fri Feb 12 2021 Christian Kellner <ckellner@redhat.com> - 25-1
- Upstream 25 release
- First tech preview of the new manifest format. Includes
various new stages and inputs to be able to build ostree
commits contained in a oci archive.
* Thu Jan 28 2021 Christian Kellner <ckellner@redhat.com> - 24-1
- Upstream 24 release
- Include new `Input` modules.
* Mon Nov 23 2020 Christian Kellner <ckellner@redhat.com> - 23-3
- only disable the dep. generator for runners, remove explicity
python3 requirement again. The dependency should be picked up
via the dependency generator now.
* Fri Nov 13 2020 Christian Kellner <ckellner@redhat.com> - 23-2
- Explicilty require python3. See the comment above the Requires
for an explanation why this is needed.
* Fri Oct 23 2020 Christian Kellner <ckellner@redhat.com> - 23-1
- Upstream release 23
- Do not mangle shebangs for assemblers, runners & stages.
* Wed Oct 14 2020 Christian Kellner <ckellner@redhat.com> - 22-1
- Upstream release 22
- Remove all patches since they are all in osbuild-22.
- bubblewrap replaced systemd-nspawn for sandboxing; change the
requirements accordingly.
* Thu Aug 13 2020 Christian Kellner <ckellner@redhat.com> - 18-3 * Thu Aug 13 2020 Christian Kellner <ckellner@redhat.com> - 18-3
- Add patch to allow nnp and nosuid domain transitions - Add patch to allow nnp and nosuid domain transitions
https://github.com/osbuild/osbuild/pull/495 https://github.com/osbuild/osbuild/pull/495