From 793e3450e3cd1862784f32de34170ae8f643b4f9 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 10 Mar 2017 11:55:51 -0500
Subject: [PATCH] Backport patch for running in koji

---
 ...use-unshare-net-in-nspawn-by-default.patch | 78 +++++++++++++++++++
 ...-always-include-the-packages-entries.patch | 68 ++++++++++++++++
 rpm-ostree.spec                               |  9 ++-
 3 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100644 0001-bwrap-Don-t-use-unshare-net-in-nspawn-by-default.patch
 create mode 100644 0001-status-always-include-the-packages-entries.patch

diff --git a/0001-bwrap-Don-t-use-unshare-net-in-nspawn-by-default.patch b/0001-bwrap-Don-t-use-unshare-net-in-nspawn-by-default.patch
new file mode 100644
index 0000000..1bd9571
--- /dev/null
+++ b/0001-bwrap-Don-t-use-unshare-net-in-nspawn-by-default.patch
@@ -0,0 +1,78 @@
+From 6a7a3af76e1c1c91b449dd5358170ba9df09622c Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Fri, 10 Mar 2017 09:48:03 -0500
+Subject: [PATCH] bwrap: Don't use --unshare-net in nspawn by default
+
+This will fix rpm-ostree-in-mock-in-koji. The drawback is minor: post scripts
+will have network access. But we're going to be testing the no-network case in
+our Docker-based builds, so that's fine.
+---
+ scripts/bwrap-script-shell.sh |  6 +++++-
+ src/libpriv/rpmostree-bwrap.c | 20 +++++++++++++++++++-
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/bwrap-script-shell.sh b/scripts/bwrap-script-shell.sh
+index 98cadb6..e368869 100755
+--- a/scripts/bwrap-script-shell.sh
++++ b/scripts/bwrap-script-shell.sh
+@@ -6,9 +6,13 @@ shift
+ cd ${rootfs}
+ # ⚠⚠⚠ If you change this, also update src/libpriv/rpmostree-scripts.c ⚠⚠⚠
+ BWRAP_ARGV="--dev /dev --proc /proc --dir /tmp --chdir / \
+-     --unshare-pid --unshare-net --unshare-uts \
++     --unshare-pid --unshare-uts \
+      --unshare-ipc --unshare-cgroup-try \
+ "
++if ! test "${container:-}" = "systemd-nspawn"; then
++    BWRAP_ARGV="$BWRAP_ARGV --unshare-net"
++fi
++
+ for src in /sys/{block,bus,class,dev}; do
+     BWRAP_ARGV="$BWRAP_ARGV --ro-bind $src $src"
+ done
+diff --git a/src/libpriv/rpmostree-bwrap.c b/src/libpriv/rpmostree-bwrap.c
+index 9d40059..5258439 100644
+--- a/src/libpriv/rpmostree-bwrap.c
++++ b/src/libpriv/rpmostree-bwrap.c
+@@ -177,6 +177,22 @@ setup_rofiles_usr (RpmOstreeBwrap *bwrap,
+   return ret;
+ }
+ 
++/* nspawn by default doesn't give us CAP_NET_ADMIN; see
++ * https://pagure.io/releng/issue/6602#comment-71214
++ * https://pagure.io/koji/pull-request/344#comment-21060
++ *
++ * Theoretically we should do capable(CAP_NET_ADMIN)
++ * but that's a lot of ugly code, and the only known
++ * place we hit this right now is nspawn.  Plus
++ * we want to use userns down the line anyways where
++ * we'll regain CAP_NET_ADMIN.
++ */
++static gboolean
++running_in_nspawn (void)
++{
++  return g_strcmp0 (getenv ("container"), "systemd-nspawn") == 0;
++}
++
+ RpmOstreeBwrap *
+ rpmostree_bwrap_new (int rootfs_fd,
+                      RpmOstreeBwrapMutability mutable,
+@@ -209,12 +225,14 @@ rpmostree_bwrap_new (int rootfs_fd,
+                                       * but it may need some mapping work.
+                                       */
+                                      "--unshare-pid",
+-                                     "--unshare-net",
+                                      "--unshare-uts",
+                                      "--unshare-ipc",
+                                      "--unshare-cgroup-try",
+                                      NULL);
+ 
++  if (!running_in_nspawn ())
++    rpmostree_bwrap_append_bwrap_argv (ret, "--unshare-net", NULL);
++
+   for (guint i = 0; i < G_N_ELEMENTS (usr_links); i++)
+     {
+       const char *subdir = usr_links[i];
+-- 
+2.9.3
+
diff --git a/0001-status-always-include-the-packages-entries.patch b/0001-status-always-include-the-packages-entries.patch
new file mode 100644
index 0000000..cde7dab
--- /dev/null
+++ b/0001-status-always-include-the-packages-entries.patch
@@ -0,0 +1,68 @@
+From 49cbdb739ab372b57ea025a8eed8aaf80a8e634b Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jlebon@redhat.com>
+Date: Thu, 9 Mar 2017 16:39:03 -0500
+Subject: [PATCH] status: always include the packages entries
+
+Pull #646 introduced a subtle regression: we went from always including
+a "packages" entry to only including it if there are packages present.
+Albeit it's easy to guard against, though to be nice, let's make it
+easier for consumers by always including it.
+
+Reported-by: Micah Abbott <miabbott@redhat.com>
+
+Closes: #670
+Approved by: cgwalters
+---
+ src/daemon/rpmostreed-deployment-utils.c | 15 +++++++++------
+ tests/vmcheck/test-layering-basic.sh     |  6 ++++++
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/src/daemon/rpmostreed-deployment-utils.c b/src/daemon/rpmostreed-deployment-utils.c
+index 42a990a..6961a0d 100644
+--- a/src/daemon/rpmostreed-deployment-utils.c
++++ b/src/daemon/rpmostreed-deployment-utils.c
+@@ -236,15 +236,18 @@ rpmostreed_deployment_generate_variant (OstreeDeployment *deployment,
+     }
+ 
+   g_variant_dict_insert (&dict, "origin", "s", refspec);
+-  if (g_hash_table_size (rpmostree_origin_get_packages (origin)) > 0)
+-    {
+-      g_autofree char **pkgs =
+-        (char**)g_hash_table_get_keys_as_array (rpmostree_origin_get_packages (origin), NULL);
+-      g_variant_dict_insert (&dict, "requested-packages", "^as", pkgs);
+-    }
++
++  g_autofree char **requested_pkgs =
++    (char**)g_hash_table_get_keys_as_array (rpmostree_origin_get_packages (origin), NULL);
++  g_variant_dict_insert (&dict, "requested-packages", "^as", requested_pkgs);
+ 
+   if (is_layered && g_strv_length (layered_pkgs) > 0)
+     g_variant_dict_insert (&dict, "packages", "^as", layered_pkgs);
++  else
++    {
++      const char *const p[] = { NULL };
++      g_variant_dict_insert (&dict, "packages", "^as", p);
++    }
+ 
+   if (sigs != NULL)
+     g_variant_dict_insert_value (&dict, "signatures", sigs);
+diff --git a/tests/vmcheck/test-layering-basic.sh b/tests/vmcheck/test-layering-basic.sh
+index 79e9562..ce10201 100755
+--- a/tests/vmcheck/test-layering-basic.sh
++++ b/tests/vmcheck/test-layering-basic.sh
+@@ -37,6 +37,12 @@ vm_assert_status_jq \
+   '.deployments[0]["base-checksum"]|not' \
+   '.deployments[0]["pending-base-checksum"]|not'
+ 
++# make sure that package-related entries are always present,
++# even when they're empty
++vm_assert_status_jq \
++  '.deployments[0]["packages"]' \
++  '.deployments[0]["requested-packages"]'
++
+ # Be sure an unprivileged user exists
+ vm_cmd getent passwd bin
+ if vm_cmd "runuser -u bin rpm-ostree pkg-add foo-1.0"; then
+-- 
+2.9.3
+
diff --git a/rpm-ostree.spec b/rpm-ostree.spec
index b456564..1a5a6ec 100644
--- a/rpm-ostree.spec
+++ b/rpm-ostree.spec
@@ -1,12 +1,16 @@
 Summary: Hybrid image/package system
 Name: rpm-ostree
 Version: 2017.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 #VCS: https://github.com/cgwalters/rpm-ostree
 # This tarball is generated via "make -f Makefile.dist-packaging dist-snapshot"
 Source0: rpm-ostree-%{version}.tar.xz
 License: LGPLv2+
 URL: https://github.com/projectatomic/rpm-ostree
+
+Patch0: 0001-bwrap-Don-t-use-unshare-net-in-nspawn-by-default.patch
+Patch1: 0001-status-always-include-the-packages-entries.patch
+
 # We always run autogen.sh
 BuildRequires: autoconf automake libtool git
 # For docs
@@ -129,6 +133,9 @@ python autofiles.py > files.devel \
 %files devel -f files.devel
 
 %changelog
+* Fri Mar 10 2017 Colin Walters <walters@verbum.org> - 2017.3-2
+- Backport patch for running in koji
+
 * Mon Mar 06 2017 Colin Walters <walters@verbum.org> - 2017.3-1
 - New upstream version
   Fixes: CVE-2017-2623