Update to the upstream v6.15 @ 172bf0e3

Allow rngd process to drop privileges with "-D user:group"
Fix an error building with jitterentropy-3.4.0
Add a requirement for selinux-policy of a certain version
Fix a build failure on ppc64
Small edits in test scripts

Resolves: rhbz#2075977

Signed-off-by: Vladis Dronov <vdronov@redhat.com>

.gitignore

@@ -1 +1 @@
-/rng-tools-6.14.tar.gz
+/rng-tools-6.15.tar.gz

3-rt-fix-jent-define.patch

@@ -0,0 +1,14 @@
+--- configure.ac	2022-03-24 13:14:11.000000000 +0100
++++ configure.ac.new	2022-03-24 15:58:56.187367770 +0100
+@@ -95,7 +95,10 @@ AS_IF(
+ 				[AM_CONDITIONAL([JITTER], [true])
+ 				AC_DEFINE([HAVE_JITTER],1,[Enable JITTER])
+ 				AC_CHECK_LIB(jitterentropy, jent_notime_settick,
+-				[AC_DEFINE([HAVE_JITTER_NOTIME],1,[Enable JITTER_NOTIME])],
++				[
++					AC_DEFINE([HAVE_JITTER_NOTIME],1,[Enable JITTER_NOTIME])
++					AC_DEFINE([JENT_CONF_ENABLE_INTERNAL_TIMER],1,[Enable JENT_CONF_ENABLE_INTERNAL_TIMER])
++				],
+ 				[],-lpthread)],
+ 				AC_MSG_NOTICE([No Jitterentropy library found]),-lpthread)
+ 	], [AC_MSG_NOTICE([Disabling JITTER entropy source])]

60-hwrng.rules

@@ -1 +0,0 @@
-SUBSYSTEM=="misc", KERNEL=="hw_random", GROUP="rngd", MODE="0640"

rng-tools.spec

@@ -11,20 +11,15 @@
 
 Summary:        Random number generator related utilities
 Name:           rng-tools
-Version:        6.14
-Release:        2.git.b2b7934e%{?dist}
+Version:        6.15
+Release:        1%{?dist}
 License:        GPLv2+
 URL:            https://github.com/nhorman/rng-tools
 Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:        rngd.service
-Source2:        rngd-wake-threshold.service
-Source3:        60-hwrng.rules
-Source4:        rngd.sysconfig
+Source2:        rngd.sysconfig
 
-Patch0: 1-rt-revert-build-randstat.patch
-Patch1: 2-rt-comment-out-have-aesni.patch
-
-BuildRequires: gcc make
+BuildRequires: gcc make binutils
 BuildRequires: gettext
 BuildRequires: systemd systemd-rpm-macros
 BuildRequires: autoconf automake
@@ -32,6 +27,7 @@ BuildRequires: libgcrypt-devel libcurl-devel
 BuildRequires: libxml2-devel openssl-devel
 BuildRequires: jitterentropy-devel
 BuildRequires: jansson-devel
+BuildRequires: libcap-devel
 %if %{with rtlsdr}
 BuildRequires: rtl-sdr-devel
 %endif
@@ -42,7 +38,11 @@ BuildRequires: libp11-devel
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
-Requires: jansson openssl
+Requires: selinux-policy >= 34.1.31-2
+
+Patch0: 1-rt-revert-build-randstat.patch
+Patch1: 2-rt-comment-out-have-aesni.patch
+Patch2: 3-rt-fix-jent-define.patch
 
 %description
 This is a random number generator daemon and its tools. It monitors
@@ -61,31 +61,27 @@ TPM, jitter) and supplies entropy from them to a kernel entropy pool.
 %endif
 
 ./autogen.sh
+# a dirty hack so libdarn_impl_a_CFLAGS overrides common CFLAGS
+sed -i -e 's/$(libdarn_impl_a_CFLAGS) $(CFLAGS)/$(CFLAGS) $(libdarn_impl_a_CFLAGS)/' Makefile.in
 %configure %{?_without_pkcs11} %{?_without_rtlsdr}
 %make_build
 
 %install
 %make_install
 
-# install systemd unit file and udev rules
+# install systemd unit file
 install -Dt %{buildroot}%{_unitdir} -m0644 %{SOURCE1}
-install -Dt %{buildroot}%{_unitdir} -m0644 %{SOURCE2}
-install -Dt %{buildroot}%{_udevrulesdir} -m0644 %{SOURCE3}
 # install sysconfig file
-install -D %{SOURCE4} -m0644 %{buildroot}%{_sysconfdir}/sysconfig/rngd
-
-%pre
-getent passwd rngd >/dev/null || useradd -r -M -d %{_localstatedir}/lib/rngd -s /sbin/nologin -c "Random Number Generator Daemon" rngd
+install -D %{SOURCE2} -m0644 %{buildroot}%{_sysconfdir}/sysconfig/rngd
 
 %post
-%systemd_post rngd.service rngd-wake-threshold.service
-/usr/bin/systemctl start rngd-wake-threshold.service || :
+%systemd_post rngd.service
 
 %preun
-%systemd_preun rngd.service rngd-wake-threshold.service
+%systemd_preun rngd.service
 
 %postun
-%systemd_postun_with_restart rngd.service rngd-wake-threshold.service
+%systemd_postun_with_restart rngd.service
 
 %files
 %{!?_licensedir:%global license %%doc}
@@ -95,12 +91,18 @@ getent passwd rngd >/dev/null || useradd -r -M -d %{_localstatedir}/lib/rngd -s
 %{_sbindir}/rngd
 %{_mandir}/man1/rngtest.1.*
 %{_mandir}/man8/rngd.8.*
-%attr(0644,root,root)   %{_unitdir}/rngd.service
-%attr(0644,root,root)   %{_unitdir}/rngd-wake-threshold.service
-%attr(0644,root,root)   %{_udevrulesdir}/60-hwrng.rules
-%config(noreplace) %attr(0644,root,root)   %{_sysconfdir}/sysconfig/rngd
+%attr(0644,root,root)    %{_unitdir}/rngd.service
+%config(noreplace) %attr(0644,root,root)    %{_sysconfdir}/sysconfig/rngd
 
 %changelog
+* Sat Apr 16 2022 Vladis Dronov <vdronov@redhat.com> - 6.15-1
+- Update to the upstream v6.15 @ 172bf0e3 (bz 2075977)
+- Allow rngd process to drop privileges with "-D user:group"
+- Fix an error building with jitterentropy-3.4.0
+- Add a requirement for selinux-policy of a certain version
+- Fix a build failure on ppc64
+- Small edits in test scripts
+
 * Tue Nov 23 2021 Vladis Dronov <vdronov@redhat.com> - 6.14-2.git.b2b7934e
 - Update to the upstream v6.14 @ b2b7934e (bz 2015566)
 - Add a config file for storing rngd options

rngd-wake-threshold.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=Hardware RNG Entropy Gatherer Wake threshold service
-ConditionVirtualization=!container
-Before=rngd.service
-
-[Service]
-CapabilityBoundingSet=CAP_SYS_ADMIN
-AmbientCapabilities=CAP_SYS_ADMIN
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/sh -c "PSIZE=$(cat /proc/sys/kernel/random/poolsize); let THRESH=$PSIZE*3/4; echo $THRESH>/proc/sys/kernel/random/write_wakeup_threshold; udevadm trigger --sysname-match=hw_random --settle"
-
-[Install]
-WantedBy=sysinit.target

rngd.service

@@ -1,15 +1,9 @@
 [Unit]
 Description=Hardware RNG Entropy Gatherer Daemon
 ConditionVirtualization=!container
-Requires=rngd-wake-threshold.service
 
 # The "-f" option is required for the systemd service rngd to work with Type=simple
 [Service]
-User=rngd
-Group=rngd
-CapabilityBoundingSet=CAP_SYS_ADMIN
-AmbientCapabilities=CAP_SYS_ADMIN
-TimeoutStartSec=60s
 Type=simple
 EnvironmentFile=/etc/sysconfig/rngd
 ExecStart=/usr/sbin/rngd -f $RNGD_ARGS

rngd.sysconfig

@@ -1,3 +1,3 @@
 # Optional arguments passed to rngd. See rngd(8) and
 # https://bugzilla.redhat.com/show_bug.cgi?id=1252175#c21
-RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist"
+RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon"

sources

@@ -1 +1 @@
-SHA512 (rng-tools-6.14.tar.gz) = fce5c43d8a21a0d120a1f50b2b8c1efe7cbef02f7da863539749d51450992bb30c2cec96a4913ca20a608ce137a44e262471ac7f560eb8f3e9228a29b2d38fb1
+SHA512 (rng-tools-6.15.tar.gz) = 8c3bfb7ae83ef8fbf8e7f028a40e5405f96a2135617347c3cc52f62119f951972b07ea5f1a5f094ebf6c3db35f49d6384a96720cda874115c19934f440592641

tests/selftest/runtest.sh

@@ -31,7 +31,7 @@
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="rng-tools"
-PACKAGES="rng-tools automake autoconf libsysfs-devel libxml2 libxml2-devel openssl-devel libcurl-devel"
+PACKAGES="rng-tools gcc make binutils gettext automake autoconf jitterentropy-devel jansson-devel libcap-devel libxml2 libxml2-devel openssl-devel libcurl-devel libgcrypt-devel"
 UPSTREAMPKG="rng-tools-*"
 BUILDLOG=`mktemp`
 TESTLOG=`mktemp`
@@ -43,8 +43,8 @@ TESTDIR="$TOPDIR/BUILD/$UPSTREAMPKG/"
 
 rlJournalStart
     rlPhaseStartSetup
-    	for PKG in $PACKAGES; do
-	        rlAssertRpm $PKG
+	for PKG in $PACKAGES; do
+		rlAssertRpm $PKG
 	done
     rlPhaseEnd
 
@@ -57,20 +57,20 @@ rlJournalStart
 	echo "+ Buildlog:"
 	tail -n 100 $BUILDLOG
 	rlRun "pushd ."
- 	rlRun "cd $TESTDIR"
-	rlRun "make check &> $TESTLOG"   
+	rlRun "cd $TESTDIR"
+	rlRun "make check &> $TESTLOG"
 	if [ $? -eq 0 ]
 	then
 		rlPass "Selftest Passed"
 	else
 		rlFail "Selftest Failed"
 	fi
-        rlFileSubmit $TESTLOG
+	rlFileSubmit $TESTLOG
     rlPhaseEnd
 
     rlPhaseStartCleanup
-    	rlRun "popd"
-	rlRun "rm -rf $PACKAGE*.src.rpm" 0 "Removing source rpm"    
+	rlRun "popd"
+	rlRun "rm -rf $PACKAGE*.src.rpm" 0 "Removing source rpm"
     rlPhaseEnd
 rlJournalPrintText
 rlJournalEnd

tests/tests.yml

@@ -8,7 +8,9 @@
     tests:
     - selftest
     required_packages:
-        - libsysfs-devel
+        - jitterentropy-devel
+        - jansson-devel
+        - libcap-devel
         - libxml2
         - libxml2-devel
         - openssl-devel