import rpm-4.14.3-13.el8
This commit is contained in:
parent
11d32a30b4
commit
4e08ed886d
44
SOURCES/0001-Add-limits-to-autopatch-macro.patch
Normal file
44
SOURCES/0001-Add-limits-to-autopatch-macro.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
From f00bb5be9caa62220c6aeaf3f7264840d5c089e3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Tue, 5 Feb 2019 18:15:47 +0100
|
||||||
|
Subject: [PATCH] Add limits to autopatch macro
|
||||||
|
|
||||||
|
Limits allow to apply only range of patches with given parameters.
|
||||||
|
Useful if something needs to be done between patch sets. Allows applying
|
||||||
|
of patches with different -pX parameter in one spec file.
|
||||||
|
|
||||||
|
Resolves: #626
|
||||||
|
Co-authored-by: Florian Festi <ffesti@redhat.com>
|
||||||
|
---
|
||||||
|
macros.in | 12 ++++++++++--
|
||||||
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/macros.in b/macros.in
|
||||||
|
index 7b5b63020..912ad5997 100644
|
||||||
|
--- a/macros.in
|
||||||
|
+++ b/macros.in
|
||||||
|
@@ -1265,11 +1265,19 @@ else\
|
||||||
|
end}
|
||||||
|
|
||||||
|
# Automatically apply all patches
|
||||||
|
-%autopatch(vp:)\
|
||||||
|
+# -m<min> Apply patches with number >= min only
|
||||||
|
+# -M<max> Apply patches with number <= max only
|
||||||
|
+%autopatch(vp:m:M:)\
|
||||||
|
%{lua:\
|
||||||
|
local options = rpm.expand("%{!-v:-q} %{-p:-p%{-p*}} ")\
|
||||||
|
+local low_limit = tonumber(rpm.expand("%{-m:%{-m*}}"))\
|
||||||
|
+local high_limit = tonumber(rpm.expand("%{-M:%{-M*}}"))\
|
||||||
|
for i, p in ipairs(patches) do\
|
||||||
|
- print(rpm.expand("%apply_patch -m %{basename:"..p.."} "..options..p.." "..i.."\\n"))\
|
||||||
|
+ local inum = patch_nums[i]\
|
||||||
|
+ if ((not low_limit or inum>=low_limit) and (not high_limit or inum<=high_limit)) \
|
||||||
|
+ then\
|
||||||
|
+ print(rpm.expand("%apply_patch -m %{basename:"..p.."} "..options..p.." "..i.."\\n")) \
|
||||||
|
+ end\
|
||||||
|
end}
|
||||||
|
|
||||||
|
# One macro to (optionally) do it all.
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
32
SOURCES/0001-Always-close-libelf-handle-1313.patch
Normal file
32
SOURCES/0001-Always-close-libelf-handle-1313.patch
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
From 38c03ddb18e86c84d89af695f72442d8365eb64e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florian Festi <ffesti@redhat.com>
|
||||||
|
Date: Tue, 21 Jul 2020 10:45:20 +0200
|
||||||
|
Subject: [PATCH] Always close libelf handle (#1313)
|
||||||
|
|
||||||
|
Otherwise executables that are not proper elf files are leaking libelf
|
||||||
|
handles. This results in file being left open (mmap'ed) and fails the
|
||||||
|
build on NFS as those files can't be deleted properly there.
|
||||||
|
|
||||||
|
Resolves: rhbz#1840728
|
||||||
|
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1840728
|
||||||
|
---
|
||||||
|
build/files.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/build/files.c b/build/files.c
|
||||||
|
index f675306f7..62489c07c 100644
|
||||||
|
--- a/build/files.c
|
||||||
|
+++ b/build/files.c
|
||||||
|
@@ -1935,8 +1935,8 @@ static int generateBuildIDs(FileList fl, ARGV_t *files)
|
||||||
|
if (terminate)
|
||||||
|
rc = 1;
|
||||||
|
}
|
||||||
|
- elf_end (elf);
|
||||||
|
}
|
||||||
|
+ elf_end (elf);
|
||||||
|
close (fd);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,102 @@
|
|||||||
|
From 60066aba510b3ff4a7db092021aae71948e3f8be Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Thu, 4 Jun 2020 11:18:01 +0300
|
||||||
|
Subject: [PATCH] Fix python ts.addErase() not raising exception on not-found
|
||||||
|
packages
|
||||||
|
|
||||||
|
The code would only raise an exception if TransactionSetCore.addErase()
|
||||||
|
returned an error, but the catch is that with many kinds of argument
|
||||||
|
types we'd silently skip the whole addition because no headers were found.
|
||||||
|
This looks to be a regression introduced some eleven years ago in
|
||||||
|
commit 9b20c706a4f93266450fae2f94007343b2e8fd9e.
|
||||||
|
|
||||||
|
As a special case, a match iterator argument will not raise an exception
|
||||||
|
if it doesn't actually match anything.
|
||||||
|
|
||||||
|
Fixes: #1214
|
||||||
|
---
|
||||||
|
python/rpm/transaction.py | 26 +++++++++++++++-----------
|
||||||
|
tests/rpmpython.at | 22 ++++++++++++++++++++++
|
||||||
|
2 files changed, 37 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/python/rpm/transaction.py b/python/rpm/transaction.py
|
||||||
|
index 7c4a551d3..3c9ddb207 100644
|
||||||
|
--- a/python/rpm/transaction.py
|
||||||
|
+++ b/python/rpm/transaction.py
|
||||||
|
@@ -91,14 +91,22 @@ class TransactionSet(TransactionSetCore):
|
||||||
|
|
||||||
|
def addErase(self, item):
|
||||||
|
hdrs = []
|
||||||
|
- if isinstance(item, rpm.hdr):
|
||||||
|
- hdrs = [item]
|
||||||
|
- elif isinstance(item, rpm.mi):
|
||||||
|
+ # match iterators are passed on as-is
|
||||||
|
+ if isinstance(item, rpm.mi):
|
||||||
|
hdrs = item
|
||||||
|
- elif isinstance(item, int):
|
||||||
|
- hdrs = self.dbMatch(rpm.RPMDBI_PACKAGES, item)
|
||||||
|
- elif isinstance(item, _string_types):
|
||||||
|
- hdrs = self.dbMatch(rpm.RPMDBI_LABEL, item)
|
||||||
|
+ elif isinstance(item, rpm.hdr):
|
||||||
|
+ hdrs.append(item)
|
||||||
|
+ elif isinstance(item, (int, _string_types)):
|
||||||
|
+ if isinstance(item, int):
|
||||||
|
+ dbi = rpm.RPMDBI_PACKAGES
|
||||||
|
+ else:
|
||||||
|
+ dbi = rpm.RPMDBI_LABEL
|
||||||
|
+
|
||||||
|
+ for h in self.dbMatch(dbi, item):
|
||||||
|
+ hdrs.append(h)
|
||||||
|
+
|
||||||
|
+ if not hdrs:
|
||||||
|
+ raise rpm.error("package not installed")
|
||||||
|
else:
|
||||||
|
raise TypeError("invalid type %s" % type(item))
|
||||||
|
|
||||||
|
@@ -106,10 +114,6 @@ class TransactionSet(TransactionSetCore):
|
||||||
|
if not TransactionSetCore.addErase(self, h):
|
||||||
|
raise rpm.error("package not installed")
|
||||||
|
|
||||||
|
- # garbage collection should take care but just in case...
|
||||||
|
- if isinstance(hdrs, rpm.mi):
|
||||||
|
- del hdrs
|
||||||
|
-
|
||||||
|
def run(self, callback, data):
|
||||||
|
rc = TransactionSetCore.run(self, callback, data, self._probFilter)
|
||||||
|
|
||||||
|
diff --git a/tests/rpmpython.at b/tests/rpmpython.at
|
||||||
|
index 3a7c251f1..de39c8417 100644
|
||||||
|
--- a/tests/rpmpython.at
|
||||||
|
+++ b/tests/rpmpython.at
|
||||||
|
@@ -201,6 +201,28 @@ for e in ts:
|
||||||
|
[foo-1.0-1.noarch]
|
||||||
|
)
|
||||||
|
|
||||||
|
+RPMPY_TEST([add erasure to transaction],[
|
||||||
|
+ts = rpm.ts()
|
||||||
|
+for i in ['foo', 1234]:
|
||||||
|
+ myprint('addErase %s' % i)
|
||||||
|
+ try:
|
||||||
|
+ ts.addErase(i)
|
||||||
|
+ except rpm.error as err:
|
||||||
|
+ myprint(err)
|
||||||
|
+myprint('addErase mi')
|
||||||
|
+mi = ts.dbMatch('name', 'foo')
|
||||||
|
+try:
|
||||||
|
+ ts.addErase(mi)
|
||||||
|
+except rpm.error as err:
|
||||||
|
+ myprint(err)
|
||||||
|
+],
|
||||||
|
+[addErase foo
|
||||||
|
+package not installed
|
||||||
|
+addErase 1234
|
||||||
|
+package not installed
|
||||||
|
+addErase mi]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
RPMPY_TEST([add bogus package to transaction 1],[
|
||||||
|
ts = rpm.ts()
|
||||||
|
h = rpm.hdr()
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,63 @@
|
|||||||
|
From 9ad4b813483f8cf6c641f56387248b33b6dfc570 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Wed, 20 Feb 2019 15:28:30 +0200
|
||||||
|
Subject: [PATCH] Introduce patch_nums and source_nums Lua variables in spec
|
||||||
|
context
|
||||||
|
|
||||||
|
The pre-existing patches and sources variables only contains patch and
|
||||||
|
source filenames, but for some purposes we need access to the associated
|
||||||
|
patch/source number too. We could use the number as the table key, but
|
||||||
|
that would make the table unsorted. That we could handle in our own
|
||||||
|
macros, but would break compatibility for anybody doing custom stuff
|
||||||
|
with these. So it seems best to just add parallel arrays sharing the
|
||||||
|
same array indexes so that both values are as easily accessible,
|
||||||
|
depending on the need.
|
||||||
|
|
||||||
|
Inspired by Pascal "Pixel" Rigaux's similar patch in Mageia, which differs
|
||||||
|
in that the number-arrays are indexed by the filename and is unordered.
|
||||||
|
Compared to patches/sources this seemed against principle of least
|
||||||
|
surprise, and is slightly more cumbersome int the case we want the number
|
||||||
|
directly, such as in PR #626. The variable names differ so there
|
||||||
|
is no incompatibility to that downstream patch introduced.
|
||||||
|
---
|
||||||
|
build/parsePreamble.c | 9 +++++++++
|
||||||
|
build/spec.c | 3 ++-
|
||||||
|
2 files changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/build/parsePreamble.c b/build/parsePreamble.c
|
||||||
|
index 812c41f9f..9520bac4b 100644
|
||||||
|
--- a/build/parsePreamble.c
|
||||||
|
+++ b/build/parsePreamble.c
|
||||||
|
@@ -322,6 +322,15 @@ static int addSource(rpmSpec spec, Package pkg, const char *field, rpmTagVal tag
|
||||||
|
rpmluaSetVar(lua, var);
|
||||||
|
rpmluavFree(var);
|
||||||
|
rpmluaPop(lua);
|
||||||
|
+
|
||||||
|
+ what = (flag & RPMBUILD_ISPATCH) ? "patch_nums" : "source_nums";
|
||||||
|
+ rpmluaPushTable(lua, what);
|
||||||
|
+ var = rpmluavNew();
|
||||||
|
+ rpmluavSetListMode(var, 1);
|
||||||
|
+ rpmluavSetValueNum(var, p->num);
|
||||||
|
+ rpmluaSetVar(lua, var);
|
||||||
|
+ rpmluavFree(var);
|
||||||
|
+ rpmluaPop(lua);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
free(body);
|
||||||
|
diff --git a/build/spec.c b/build/spec.c
|
||||||
|
index 80eaca611..55095c6ce 100644
|
||||||
|
--- a/build/spec.c
|
||||||
|
+++ b/build/spec.c
|
||||||
|
@@ -305,7 +305,8 @@ rpmSpec newSpec(void)
|
||||||
|
#ifdef WITH_LUA
|
||||||
|
/* make sure patches and sources tables always exist */
|
||||||
|
rpmlua lua = NULL; /* global state */
|
||||||
|
- const char * luavars[] = { "patches", "sources", NULL, };
|
||||||
|
+ const char * luavars[] = { "patches", "sources",
|
||||||
|
+ "patch_nums", "source_nums", NULL, };
|
||||||
|
for (const char **vp = luavars; vp && *vp; vp++) {
|
||||||
|
rpmluaDelVar(lua, *vp);
|
||||||
|
rpmluaPushTable(lua, *vp);
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
37
SOURCES/0001-Unblock-signals-in-forked-scriptlets.patch
Normal file
37
SOURCES/0001-Unblock-signals-in-forked-scriptlets.patch
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
From cb6aa82dbc10d554f8d234e934ae7c77e39a3ce2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Tue, 12 Jan 2021 13:35:23 +0200
|
||||||
|
Subject: [PATCH] Unblock signals in forked scriptlets
|
||||||
|
|
||||||
|
Since commit c5f82d3f6223ebd0c5cc0a07ea60393ae7284929 we've blocked
|
||||||
|
most signals during transactions, which makes sense to rpm itself but
|
||||||
|
the signal mask is inherited to childs and carried even across exec(),
|
||||||
|
so all scriptlets are executing with those signals blocked as well.
|
||||||
|
Which in turn does not make sense, the scriptlets could run stuff that
|
||||||
|
actually depends on signal delivery (such as SIGALARM in RhBug:1913765).
|
||||||
|
|
||||||
|
Unblock all signals for forked scriptlet execution (Lua scriptlets are
|
||||||
|
totally different as they execute in-process for now)
|
||||||
|
---
|
||||||
|
lib/rpmscript.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/rpmscript.c b/lib/rpmscript.c
|
||||||
|
index 2ae3378f7..c69d29554 100644
|
||||||
|
--- a/lib/rpmscript.c
|
||||||
|
+++ b/lib/rpmscript.c
|
||||||
|
@@ -152,6 +152,11 @@ static void doScriptExec(ARGV_const_t argv, ARGV_const_t prefixes,
|
||||||
|
FD_t scriptFd, FD_t out)
|
||||||
|
{
|
||||||
|
int xx;
|
||||||
|
+ sigset_t set;
|
||||||
|
+
|
||||||
|
+ /* Unmask all signals, the scripts may need them */
|
||||||
|
+ sigfillset(&set);
|
||||||
|
+ sigprocmask(SIG_UNBLOCK, &set, NULL);
|
||||||
|
|
||||||
|
/* SIGPIPE is ignored in rpm, reset to default for the scriptlet */
|
||||||
|
(void) signal(SIGPIPE, SIG_DFL);
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -0,0 +1,38 @@
|
|||||||
|
From 9cbc1fe444b048c3f7cf5ea09ab650d1c146d54a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Wed, 20 Feb 2019 14:49:19 +0200
|
||||||
|
Subject: [PATCH] When doing the same thing more than once, use a loop...
|
||||||
|
|
||||||
|
No functional changes but this'll simplify the next commit quite a bit.
|
||||||
|
---
|
||||||
|
build/spec.c | 12 +++++-------
|
||||||
|
1 file changed, 5 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/build/spec.c b/build/spec.c
|
||||||
|
index e414e4102..80eaca611 100644
|
||||||
|
--- a/build/spec.c
|
||||||
|
+++ b/build/spec.c
|
||||||
|
@@ -303,15 +303,13 @@ rpmSpec newSpec(void)
|
||||||
|
spec->pool = rpmstrPoolCreate();
|
||||||
|
|
||||||
|
#ifdef WITH_LUA
|
||||||
|
- {
|
||||||
|
/* make sure patches and sources tables always exist */
|
||||||
|
rpmlua lua = NULL; /* global state */
|
||||||
|
- rpmluaDelVar(lua, "patches");
|
||||||
|
- rpmluaDelVar(lua, "sources");
|
||||||
|
- rpmluaPushTable(lua, "patches");
|
||||||
|
- rpmluaPushTable(lua, "sources");
|
||||||
|
- rpmluaPop(lua);
|
||||||
|
- rpmluaPop(lua);
|
||||||
|
+ const char * luavars[] = { "patches", "sources", NULL, };
|
||||||
|
+ for (const char **vp = luavars; vp && *vp; vp++) {
|
||||||
|
+ rpmluaDelVar(lua, *vp);
|
||||||
|
+ rpmluaPushTable(lua, *vp);
|
||||||
|
+ rpmluaPop(lua);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
return spec;
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,44 @@
|
|||||||
|
From 8fefd2bd21b30996ad0748eab6baadf915610642 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Thu, 13 Aug 2020 13:29:10 +0300
|
||||||
|
Subject: [PATCH] Work around buggy signature region preventing resigning
|
||||||
|
(RhBug:1851508)
|
||||||
|
|
||||||
|
Various proprietary packages in the wild have subtly malformed data
|
||||||
|
in the signature header, in particular wrt the immutable region size,
|
||||||
|
presumably from using some in-house/3rd party signing tools which do
|
||||||
|
not understand the immutable region business at all. This can prevent
|
||||||
|
resigning and signature deletion on such packages due to the more
|
||||||
|
thorough checking that rpmsign does.
|
||||||
|
|
||||||
|
As the old wisdom goes, be liberal in what you accept... we can easily
|
||||||
|
work around the crud by just taking a fresh copy of the contents that
|
||||||
|
are legit as such (otherwise the package would be uninstallable).
|
||||||
|
|
||||||
|
|
||||||
|
Adjusted for 4.14.3
|
||||||
|
|
||||||
|
--- rpm-4.14.3/sign/rpmgensig.c.orig 2020-10-29 16:00:38.785229048 +0100
|
||||||
|
+++ rpm-4.14.3/sign/rpmgensig.c 2020-10-29 16:08:55.997791345 +0100
|
||||||
|
@@ -401,12 +401,19 @@
|
||||||
|
|
||||||
|
if (headerGet(*hdrp, tag, utd, HEADERGET_DEFAULT)) {
|
||||||
|
oh = headerCopyLoad(utd->data);
|
||||||
|
- nh = headerCopy(oh);
|
||||||
|
- headerFree(oh);
|
||||||
|
rpmtdFreeData(utd);
|
||||||
|
+ } else {
|
||||||
|
+ /* XXX should we warn if the immutable region is corrupt/missing? */
|
||||||
|
+ oh = headerLink(*hdrp);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (oh) {
|
||||||
|
+ /* Perform a copy to eliminate crud from buggy signing tools etc */
|
||||||
|
+ nh = headerCopy(oh);
|
||||||
|
headerFree(*hdrp);
|
||||||
|
*hdrp = headerLink(nh);
|
||||||
|
headerFree(nh);
|
||||||
|
+ headerFree(oh);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,14 @@
|
|||||||
|
diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip
|
||||||
|
--- rpm-4.14.3/scripts/brp-strip.orig 2021-02-09 14:43:35.393940550 +0100
|
||||||
|
+++ rpm-4.14.3/scripts/brp-strip 2021-02-09 14:43:49.459222054 +0100
|
||||||
|
@@ -12,9 +12,8 @@ Darwin*) exit 0 ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# Strip ELF binaries
|
||||||
|
-for f in `find "$RPM_BUILD_ROOT" -type f \( -perm -0100 -or -perm -0010 -or -perm -0001 \) -exec file {} \; | \
|
||||||
|
+for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \
|
||||||
|
grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug" | \
|
||||||
|
- grep -v ' shared object,' | \
|
||||||
|
sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped.*/\1/p'`; do
|
||||||
|
$STRIP -g "$f" || :
|
||||||
|
done
|
378
SOURCES/rpm-4.14.3-add-fapolicyd-rpm-plugin.patch
Normal file
378
SOURCES/rpm-4.14.3-add-fapolicyd-rpm-plugin.patch
Normal file
@ -0,0 +1,378 @@
|
|||||||
|
From c33faabc2d09b9ad8c80b941b6114c1e4c2be80f Mon Sep 17 00:00:00 2001
|
||||||
|
Message-Id: <c33faabc2d09b9ad8c80b941b6114c1e4c2be80f.1612252390.git.pmatilai@redhat.com>
|
||||||
|
From: Radovan Sroka <rsroka@redhat.com>
|
||||||
|
Date: Tue, 27 Oct 2020 16:18:04 +0100
|
||||||
|
Subject: [PATCH] Added fapolicyd rpm plugin
|
||||||
|
|
||||||
|
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
||||||
|
to decide file access rights. Applications that are known via a reputation
|
||||||
|
source are allowed access while unknown applications are not.
|
||||||
|
|
||||||
|
The rpm plugin allows us to use rpm database as a source of trust.
|
||||||
|
We used dnf plugin since the beggining but it only provides notification
|
||||||
|
when transaction ends. With "integrity checking" requirement we need
|
||||||
|
a continual addition of files which are installed during the system
|
||||||
|
update. With fapolicyd rpm plugin we can allow using of recently
|
||||||
|
added/updated files in scriptlets during rpm transaction.
|
||||||
|
|
||||||
|
The fapolicyd plugin gathers metadata of currently installed files.
|
||||||
|
It sends the information about files and about ongoing rpm transaction
|
||||||
|
to the fapolicyd daemon. The information is written to Linux pipe which
|
||||||
|
is placed in /var/run/fapolicyd/fapolicyd.fifo.
|
||||||
|
|
||||||
|
The data format is "%s %lu %64s\n". [path, size, sha256]
|
||||||
|
|
||||||
|
The fapolicyd rpm plugin can be enabled with "--with-fapolicyd"
|
||||||
|
configure option.
|
||||||
|
|
||||||
|
Related PRs:
|
||||||
|
https://github.com/linux-application-whitelisting/fapolicyd/pull/105
|
||||||
|
https://github.com/linux-application-whitelisting/fapolicyd/pull/106
|
||||||
|
|
||||||
|
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||||
|
(cherry picked from commit 39595ccee321497dc3b08c7cab8a10304345429c)
|
||||||
|
|
||||||
|
Backported from commit 39595ccee321497dc3b08c7cab8a10304345429c
|
||||||
|
---
|
||||||
|
Makefile.am | 1 +
|
||||||
|
configure.ac | 8 ++
|
||||||
|
doc/Makefile.am | 2 +-
|
||||||
|
doc/rpm-plugin-fapolicyd.8 | 21 +++++
|
||||||
|
macros.in | 1 +
|
||||||
|
plugins/Makefile.am | 6 ++
|
||||||
|
plugins/fapolicyd.c | 189 +++++++++++++++++++++++++++++++++++++
|
||||||
|
7 files changed, 227 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 doc/rpm-plugin-fapolicyd.8
|
||||||
|
create mode 100644 plugins/fapolicyd.c
|
||||||
|
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index 1f20f05b7..8e92f0cde 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -16,6 +16,7 @@ DISTCHECK_CONFIGURE_FLAGS = \
|
||||||
|
--with-selinux \
|
||||||
|
--with-imaevm \
|
||||||
|
--with-crypto=openssl \
|
||||||
|
+ --with-fapolicyd \
|
||||||
|
--disable-dependency-tracking
|
||||||
|
|
||||||
|
include $(top_srcdir)/rpm.am
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 3fcb3ff20..3d0e9ef91 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -983,6 +983,14 @@ AS_IF([test "$enable_inhibit_plugin" = yes],[
|
||||||
|
])
|
||||||
|
AM_CONDITIONAL(ENABLE_INHIBIT_PLUGIN,[test "$enable_inhibit_plugin" = yes])
|
||||||
|
|
||||||
|
+#=================
|
||||||
|
+# Check for fapolicyd support
|
||||||
|
+AC_ARG_WITH(fapolicyd,
|
||||||
|
+AS_HELP_STRING([--with-fapolicyd],[build with File Access Policy Daemon support]),
|
||||||
|
+with_fapolicyd=$withval,
|
||||||
|
+with_fapolicyd=auto)
|
||||||
|
+AM_CONDITIONAL(FAPOLICYD,[test "$with_fapolicyd" = yes])
|
||||||
|
+
|
||||||
|
with_dbus=no
|
||||||
|
AS_IF([test "$enable_plugins" != no],[
|
||||||
|
AS_IF([test "$enable_inhibit_plugin" != no],[
|
||||||
|
diff --git a/doc/Makefile.am b/doc/Makefile.am
|
||||||
|
index d2f520d64..535ad3ec3 100644
|
||||||
|
--- a/doc/Makefile.am
|
||||||
|
+++ b/doc/Makefile.am
|
||||||
|
@@ -9,7 +9,7 @@ EXTRA_DIST += $(man_man1_DATA)
|
||||||
|
man_man8dir = $(mandir)/man8
|
||||||
|
man_man8_DATA = rpm.8 rpm-misc.8 rpmbuild.8 rpmdeps.8 rpmgraph.8 rpm2cpio.8
|
||||||
|
man_man8_DATA += rpmdb.8 rpmkeys.8 rpmsign.8 rpmspec.8
|
||||||
|
-man_man8_DATA += rpm-plugin-systemd-inhibit.8
|
||||||
|
+man_man8_DATA += rpm-plugin-systemd-inhibit.8 rpm-plugin-fapolicyd.8
|
||||||
|
EXTRA_DIST += $(man_man8_DATA)
|
||||||
|
|
||||||
|
man_fr_man8dir = $(mandir)/fr/man8
|
||||||
|
diff --git a/doc/rpm-plugin-fapolicyd.8 b/doc/rpm-plugin-fapolicyd.8
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..fe7a8c78e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/doc/rpm-plugin-fapolicyd.8
|
||||||
|
@@ -0,0 +1,21 @@
|
||||||
|
+'\" t
|
||||||
|
+.TH "RPM-FAPOLICYD" "8" "28 Jan 2021" "Red Hat, Inc."
|
||||||
|
+.SH NAME
|
||||||
|
+rpm-plugin-fapolicyd \- Fapolicyd plugin for the RPM Package Manager
|
||||||
|
+
|
||||||
|
+.SH Description
|
||||||
|
+
|
||||||
|
+The plugin gathers metadata of currently installed files. It sends the
|
||||||
|
+information about files and about ongoing rpm transaction to the fapolicyd daemon.
|
||||||
|
+The information is written to Linux pipe which is placed in
|
||||||
|
+/var/run/fapolicyd/fapolicyd.fifo.
|
||||||
|
+
|
||||||
|
+.SH Configuration
|
||||||
|
+
|
||||||
|
+There are currently no options for this plugin in particular. See
|
||||||
|
+.BR rpm-plugins (8)
|
||||||
|
+on how to control plugins in general.
|
||||||
|
+
|
||||||
|
+.SH SEE ALSO
|
||||||
|
+.IR fapolicyd (8)
|
||||||
|
+.IR rpm-plugins (8)
|
||||||
|
diff --git a/macros.in b/macros.in
|
||||||
|
index a6069ee4d..2fbda64cc 100644
|
||||||
|
--- a/macros.in
|
||||||
|
+++ b/macros.in
|
||||||
|
@@ -1173,6 +1173,7 @@ package or when debugging this package.\
|
||||||
|
%__transaction_selinux %{__plugindir}/selinux.so
|
||||||
|
%__transaction_syslog %{__plugindir}/syslog.so
|
||||||
|
%__transaction_ima %{__plugindir}/ima.so
|
||||||
|
+%__transaction_fapolicyd %{__plugindir}/fapolicyd.so
|
||||||
|
%__transaction_prioreset %{__plugindir}/prioreset.so
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
|
||||||
|
index ab4eee34f..cbfb81e19 100644
|
||||||
|
--- a/plugins/Makefile.am
|
||||||
|
+++ b/plugins/Makefile.am
|
||||||
|
@@ -42,3 +42,9 @@ ima_la_sources = ima.c
|
||||||
|
ima_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
|
||||||
|
plugins_LTLIBRARIES += ima.la
|
||||||
|
endif
|
||||||
|
+
|
||||||
|
+if FAPOLICYD
|
||||||
|
+fapolicyd_la_sources = fapolicyd.c
|
||||||
|
+fapolicyd_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
|
||||||
|
+plugins_LTLIBRARIES += fapolicyd.la
|
||||||
|
+endif
|
||||||
|
diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..50f50155c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/plugins/fapolicyd.c
|
||||||
|
@@ -0,0 +1,189 @@
|
||||||
|
+#include "system.h"
|
||||||
|
+
|
||||||
|
+#include <rpm/rpmts.h>
|
||||||
|
+#include <rpm/rpmlog.h>
|
||||||
|
+#include "lib/rpmplugin.h"
|
||||||
|
+
|
||||||
|
+#include <fcntl.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <sys/stat.h>
|
||||||
|
+
|
||||||
|
+struct fapolicyd_data {
|
||||||
|
+ int fd;
|
||||||
|
+ long changed_files;
|
||||||
|
+ const char * fifo_path;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static struct fapolicyd_data fapolicyd_state = {
|
||||||
|
+ .fd = -1,
|
||||||
|
+ .changed_files = 0,
|
||||||
|
+ .fifo_path = "/run/fapolicyd/fapolicyd.fifo",
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static rpmRC open_fifo(struct fapolicyd_data* state)
|
||||||
|
+{
|
||||||
|
+ int fd = -1;
|
||||||
|
+ struct stat s;
|
||||||
|
+
|
||||||
|
+ fd = open(state->fifo_path, O_RDWR);
|
||||||
|
+ if (fd == -1) {
|
||||||
|
+ rpmlog(RPMLOG_DEBUG, "Open: %s -> %s\n", state->fifo_path, strerror(errno));
|
||||||
|
+ goto bad;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (stat(state->fifo_path, &s) == -1) {
|
||||||
|
+ rpmlog(RPMLOG_DEBUG, "Stat: %s -> %s\n", state->fifo_path, strerror(errno));
|
||||||
|
+ goto bad;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!S_ISFIFO(s.st_mode)) {
|
||||||
|
+ rpmlog(RPMLOG_DEBUG, "File: %s exists but it is not a pipe!\n", state->fifo_path);
|
||||||
|
+ goto bad;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* keep only file's permition bits */
|
||||||
|
+ mode_t mode = s.st_mode & ~S_IFMT;
|
||||||
|
+
|
||||||
|
+ /* we require pipe to have 0660 permission */
|
||||||
|
+ if (mode != 0660) {
|
||||||
|
+ rpmlog(RPMLOG_ERR, "File: %s has %o instead of 0660 \n",
|
||||||
|
+ state->fifo_path,
|
||||||
|
+ mode );
|
||||||
|
+ goto bad;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ state->fd = fd;
|
||||||
|
+ /* considering success */
|
||||||
|
+ return RPMRC_OK;
|
||||||
|
+
|
||||||
|
+ bad:
|
||||||
|
+ if (fd > 0)
|
||||||
|
+ close(fd);
|
||||||
|
+ return RPMRC_FAIL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static rpmRC write_fifo(struct fapolicyd_data* state, const char * str)
|
||||||
|
+{
|
||||||
|
+ ssize_t len = strlen(str);
|
||||||
|
+ ssize_t written = 0;
|
||||||
|
+ ssize_t n = 0;
|
||||||
|
+
|
||||||
|
+ while (written < len) {
|
||||||
|
+ if ((n = write(state->fd, str + written, len - written)) < 0) {
|
||||||
|
+ if (errno == EINTR || errno == EAGAIN)
|
||||||
|
+ continue;
|
||||||
|
+ rpmlog(RPMLOG_DEBUG, "Write: %s -> %s\n", state->fifo_path, strerror(errno));
|
||||||
|
+ goto bad;
|
||||||
|
+ }
|
||||||
|
+ written += n;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return RPMRC_OK;
|
||||||
|
+
|
||||||
|
+ bad:
|
||||||
|
+ return RPMRC_FAIL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static rpmRC fapolicyd_init(rpmPlugin plugin, rpmts ts)
|
||||||
|
+{
|
||||||
|
+ if (rpmtsFlags(ts) & (RPMTRANS_FLAG_TEST|RPMTRANS_FLAG_BUILD_PROBS))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!rstreq(rpmtsRootDir(ts), "/"))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ (void) open_fifo(&fapolicyd_state);
|
||||||
|
+
|
||||||
|
+ end:
|
||||||
|
+ return RPMRC_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void fapolicyd_cleanup(rpmPlugin plugin)
|
||||||
|
+{
|
||||||
|
+ if (fapolicyd_state.fd > 0)
|
||||||
|
+ (void) close(fapolicyd_state.fd);
|
||||||
|
+
|
||||||
|
+ fapolicyd_state.fd = -1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static rpmRC fapolicyd_tsm_post(rpmPlugin plugin, rpmts ts, int res)
|
||||||
|
+{
|
||||||
|
+ if (rpmtsFlags(ts) & (RPMTRANS_FLAG_TEST|RPMTRANS_FLAG_BUILD_PROBS))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ /* we are ready */
|
||||||
|
+ if (fapolicyd_state.fd > 0) {
|
||||||
|
+ /* send a signal that transaction is over */
|
||||||
|
+ (void) write_fifo(&fapolicyd_state, "1\n");
|
||||||
|
+ /* flush cache */
|
||||||
|
+ (void) write_fifo(&fapolicyd_state, "2\n");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ end:
|
||||||
|
+ return RPMRC_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name,
|
||||||
|
+ int type)
|
||||||
|
+{
|
||||||
|
+ if (fapolicyd_state.fd == -1)
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (fapolicyd_state.changed_files > 0) {
|
||||||
|
+ /* send signal to flush cache */
|
||||||
|
+ (void) write_fifo(&fapolicyd_state, "2\n");
|
||||||
|
+
|
||||||
|
+ /* optimize flushing */
|
||||||
|
+ /* flush only when there was an actual change */
|
||||||
|
+ fapolicyd_state.changed_files = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ end:
|
||||||
|
+ return RPMRC_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
||||||
|
+ const char *path, const char *dest,
|
||||||
|
+ mode_t file_mode, rpmFsmOp op)
|
||||||
|
+{
|
||||||
|
+ /* not ready */
|
||||||
|
+ if (fapolicyd_state.fd == -1)
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ rpmFileAction action = XFO_ACTION(op);
|
||||||
|
+
|
||||||
|
+ /* Ignore skipped files and unowned directories */
|
||||||
|
+ if (XFA_SKIPPING(action) || (op & FAF_UNOWNED)) {
|
||||||
|
+ rpmlog(RPMLOG_DEBUG, "fapolicyd skipping early: path %s dest %s\n",
|
||||||
|
+ path, dest);
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!S_ISREG(rpmfiFMode(fi))) {
|
||||||
|
+ rpmlog(RPMLOG_DEBUG, "fapolicyd skipping non regular: path %s dest %s\n",
|
||||||
|
+ path, dest);
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ fapolicyd_state.changed_files++;
|
||||||
|
+
|
||||||
|
+ char buffer[4096];
|
||||||
|
+
|
||||||
|
+ rpm_loff_t size = rpmfiFSize(fi);
|
||||||
|
+ char * sha = rpmfiFDigestHex(fi, NULL);
|
||||||
|
+
|
||||||
|
+ snprintf(buffer, 4096, "%s %lu %64s\n", dest, size, sha);
|
||||||
|
+ (void) write_fifo(&fapolicyd_state, buffer);
|
||||||
|
+
|
||||||
|
+ end:
|
||||||
|
+ return RPMRC_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+struct rpmPluginHooks_s fapolicyd_hooks = {
|
||||||
|
+ .init = fapolicyd_init,
|
||||||
|
+ .cleanup = fapolicyd_cleanup,
|
||||||
|
+ .scriptlet_pre = fapolicyd_scriptlet_pre,
|
||||||
|
+ .tsm_post = fapolicyd_tsm_post,
|
||||||
|
+ .fsm_file_prepare = fapolicyd_fsm_file_prepare,
|
||||||
|
+};
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
commit c66cee32e74ce1e507c031605e3d7b2c1391a52c
|
||||||
|
Author: Radovan Sroka <rsroka@redhat.com>
|
||||||
|
Date: Wed Feb 10 17:04:55 2021 +0100
|
||||||
|
|
||||||
|
Fixed issues find by coverity
|
||||||
|
|
||||||
|
- enhance the check for the file descriptor fd because 0 is also a valid
|
||||||
|
descriptor
|
||||||
|
|
||||||
|
- added free() for sha so it doesn't leak memory for every file that is
|
||||||
|
processed
|
||||||
|
|
||||||
|
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||||
|
|
||||||
|
diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c
|
||||||
|
index 50f50155c..48f65ae11 100644
|
||||||
|
--- a/plugins/fapolicyd.c
|
||||||
|
+++ b/plugins/fapolicyd.c
|
||||||
|
@@ -58,7 +58,7 @@ static rpmRC open_fifo(struct fapolicyd_data* state)
|
||||||
|
return RPMRC_OK;
|
||||||
|
|
||||||
|
bad:
|
||||||
|
- if (fd > 0)
|
||||||
|
+ if (fd >= 0)
|
||||||
|
close(fd);
|
||||||
|
return RPMRC_FAIL;
|
||||||
|
}
|
||||||
|
@@ -176,6 +176,8 @@ static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
||||||
|
snprintf(buffer, 4096, "%s %lu %64s\n", dest, size, sha);
|
||||||
|
(void) write_fifo(&fapolicyd_state, buffer);
|
||||||
|
|
||||||
|
+ free(sha);
|
||||||
|
+
|
||||||
|
end:
|
||||||
|
return RPMRC_OK;
|
||||||
|
}
|
@ -0,0 +1,12 @@
|
|||||||
|
diff -up rpm-4.14.3/lib/header.c.orig rpm-4.14.3/lib/header.c
|
||||||
|
--- rpm-4.14.3/lib/header.c.orig 2020-04-28 14:50:11.816399041 +0200
|
||||||
|
+++ rpm-4.14.3/lib/header.c 2021-02-03 16:47:23.567245743 +0100
|
||||||
|
@@ -1910,7 +1910,7 @@ rpmRC hdrblobRead(FD_t fd, int magic, in
|
||||||
|
|
||||||
|
if (regionTag == RPMTAG_HEADERSIGNATURES) {
|
||||||
|
il_max = 32;
|
||||||
|
- dl_max = 8192;
|
||||||
|
+ dl_max = 64 * 1024 * 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
memset(block, 0, sizeof(block));
|
@ -0,0 +1,101 @@
|
|||||||
|
diff -up rpm-4.14.3/lib/rpmscript.c.orig rpm-4.14.3/lib/rpmscript.c
|
||||||
|
--- rpm-4.14.3/lib/rpmscript.c.orig 2021-02-08 14:07:44.527197946 +0100
|
||||||
|
+++ rpm-4.14.3/lib/rpmscript.c 2021-02-08 14:09:05.732749080 +0100
|
||||||
|
@@ -46,27 +46,27 @@ struct scriptInfo_s {
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct scriptInfo_s scriptInfo[] = {
|
||||||
|
- { RPMSCRIPT_PREIN, "%prein", 0,
|
||||||
|
+ { RPMSCRIPT_PREIN, "prein", 0,
|
||||||
|
RPMTAG_PREIN, RPMTAG_PREINPROG, RPMTAG_PREINFLAGS },
|
||||||
|
- { RPMSCRIPT_PREUN, "%preun", 0,
|
||||||
|
+ { RPMSCRIPT_PREUN, "preun", 0,
|
||||||
|
RPMTAG_PREUN, RPMTAG_PREUNPROG, RPMTAG_PREUNFLAGS },
|
||||||
|
- { RPMSCRIPT_POSTIN, "%post", 0,
|
||||||
|
+ { RPMSCRIPT_POSTIN, "post", 0,
|
||||||
|
RPMTAG_POSTIN, RPMTAG_POSTINPROG, RPMTAG_POSTINFLAGS },
|
||||||
|
- { RPMSCRIPT_POSTUN, "%postun", 0,
|
||||||
|
+ { RPMSCRIPT_POSTUN, "postun", 0,
|
||||||
|
RPMTAG_POSTUN, RPMTAG_POSTUNPROG, RPMTAG_POSTUNFLAGS },
|
||||||
|
- { RPMSCRIPT_PRETRANS, "%pretrans", 0,
|
||||||
|
+ { RPMSCRIPT_PRETRANS, "pretrans", 0,
|
||||||
|
RPMTAG_PRETRANS, RPMTAG_PRETRANSPROG, RPMTAG_PRETRANSFLAGS },
|
||||||
|
- { RPMSCRIPT_POSTTRANS, "%posttrans", 0,
|
||||||
|
+ { RPMSCRIPT_POSTTRANS, "posttrans", 0,
|
||||||
|
RPMTAG_POSTTRANS, RPMTAG_POSTTRANSPROG, RPMTAG_POSTTRANSFLAGS },
|
||||||
|
- { RPMSCRIPT_TRIGGERPREIN, "%triggerprein", RPMSENSE_TRIGGERPREIN,
|
||||||
|
+ { RPMSCRIPT_TRIGGERPREIN, "triggerprein", RPMSENSE_TRIGGERPREIN,
|
||||||
|
RPMTAG_TRIGGERPREIN, 0, 0 },
|
||||||
|
- { RPMSCRIPT_TRIGGERUN, "%triggerun", RPMSENSE_TRIGGERUN,
|
||||||
|
+ { RPMSCRIPT_TRIGGERUN, "triggerun", RPMSENSE_TRIGGERUN,
|
||||||
|
RPMTAG_TRIGGERUN, 0, 0 },
|
||||||
|
- { RPMSCRIPT_TRIGGERIN, "%triggerin", RPMSENSE_TRIGGERIN,
|
||||||
|
+ { RPMSCRIPT_TRIGGERIN, "triggerin", RPMSENSE_TRIGGERIN,
|
||||||
|
RPMTAG_TRIGGERIN, 0, 0 },
|
||||||
|
- { RPMSCRIPT_TRIGGERPOSTUN, "%triggerpostun", RPMSENSE_TRIGGERPOSTUN,
|
||||||
|
+ { RPMSCRIPT_TRIGGERPOSTUN, "triggerpostun", RPMSENSE_TRIGGERPOSTUN,
|
||||||
|
RPMTAG_TRIGGERPOSTUN, 0, 0 },
|
||||||
|
- { RPMSCRIPT_VERIFY, "%verify", 0,
|
||||||
|
+ { RPMSCRIPT_VERIFY, "verify", 0,
|
||||||
|
RPMTAG_VERIFYSCRIPT, RPMTAG_VERIFYSCRIPTPROG, RPMTAG_VERIFYSCRIPTFLAGS},
|
||||||
|
{ 0, "unknown", 0,
|
||||||
|
RPMTAG_NOT_FOUND, RPMTAG_NOT_FOUND, RPMTAG_NOT_FOUND }
|
||||||
|
@@ -457,7 +457,7 @@ static const char * tag2sln(rpmTagVal ta
|
||||||
|
}
|
||||||
|
|
||||||
|
static rpmScript rpmScriptNew(Header h, rpmTagVal tag, const char *body,
|
||||||
|
- rpmscriptFlags flags)
|
||||||
|
+ rpmscriptFlags flags, const char *prefix)
|
||||||
|
{
|
||||||
|
char *nevra = headerGetAsString(h, RPMTAG_NEVRA);
|
||||||
|
rpmScript script = xcalloc(1, sizeof(*script));
|
||||||
|
@@ -465,7 +465,7 @@ static rpmScript rpmScriptNew(Header h,
|
||||||
|
script->type = getScriptType(tag);
|
||||||
|
script->flags = flags;
|
||||||
|
script->body = (body != NULL) ? xstrdup(body) : NULL;
|
||||||
|
- rasprintf(&script->descr, "%s(%s)", tag2sln(tag), nevra);
|
||||||
|
+ rasprintf(&script->descr, "%%%s%s(%s)", prefix, tag2sln(tag), nevra);
|
||||||
|
|
||||||
|
/* macros need to be expanded before possible queryformat */
|
||||||
|
if (script->body && (script->flags & RPMSCRIPT_FLAG_EXPAND)) {
|
||||||
|
@@ -556,6 +556,7 @@ rpmScript rpmScriptFromTriggerTag(Header
|
||||||
|
rpmScript script = NULL;
|
||||||
|
struct rpmtd_s tscripts, tprogs, tflags;
|
||||||
|
headerGetFlags hgflags = HEADERGET_MINMEM;
|
||||||
|
+ const char *prefix = "";
|
||||||
|
|
||||||
|
switch (tm) {
|
||||||
|
case RPMSCRIPT_NORMALTRIGGER:
|
||||||
|
@@ -567,11 +568,13 @@ rpmScript rpmScriptFromTriggerTag(Header
|
||||||
|
headerGet(h, RPMTAG_FILETRIGGERSCRIPTS, &tscripts, hgflags);
|
||||||
|
headerGet(h, RPMTAG_FILETRIGGERSCRIPTPROG, &tprogs, hgflags);
|
||||||
|
headerGet(h, RPMTAG_FILETRIGGERSCRIPTFLAGS, &tflags, hgflags);
|
||||||
|
+ prefix = "file";
|
||||||
|
break;
|
||||||
|
case RPMSCRIPT_TRANSFILETRIGGER:
|
||||||
|
headerGet(h, RPMTAG_TRANSFILETRIGGERSCRIPTS, &tscripts, hgflags);
|
||||||
|
headerGet(h, RPMTAG_TRANSFILETRIGGERSCRIPTPROG, &tprogs, hgflags);
|
||||||
|
headerGet(h, RPMTAG_TRANSFILETRIGGERSCRIPTFLAGS, &tflags, hgflags);
|
||||||
|
+ prefix = "transfile";
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -582,7 +585,8 @@ rpmScript rpmScriptFromTriggerTag(Header
|
||||||
|
if (rpmtdSetIndex(&tflags, ix) >= 0)
|
||||||
|
sflags = rpmtdGetNumber(&tflags);
|
||||||
|
|
||||||
|
- script = rpmScriptNew(h, triggerTag, rpmtdGetString(&tscripts), sflags);
|
||||||
|
+ script = rpmScriptNew(h, triggerTag,
|
||||||
|
+ rpmtdGetString(&tscripts), sflags, prefix);
|
||||||
|
|
||||||
|
/* hack up a hge-style NULL-terminated array */
|
||||||
|
script->args = xmalloc(2 * sizeof(*script->args) + strlen(prog) + 1);
|
||||||
|
@@ -608,7 +612,7 @@ rpmScript rpmScriptFromTag(Header h, rpm
|
||||||
|
|
||||||
|
script = rpmScriptNew(h, scriptTag,
|
||||||
|
headerGetString(h, scriptTag),
|
||||||
|
- headerGetNumber(h, getFlagTag(scriptTag)));
|
||||||
|
+ headerGetNumber(h, getFlagTag(scriptTag)), "");
|
||||||
|
|
||||||
|
if (headerGet(h, progTag, &prog, (HEADERGET_ALLOC|HEADERGET_ARGV))) {
|
||||||
|
script->args = prog.data;
|
@ -30,7 +30,7 @@
|
|||||||
|
|
||||||
%global rpmver 4.14.3
|
%global rpmver 4.14.3
|
||||||
#global snapver rc2
|
#global snapver rc2
|
||||||
%global rel 4
|
%global rel 13
|
||||||
|
|
||||||
%global srcver %{version}%{?snapver:-%{snapver}}
|
%global srcver %{version}%{?snapver:-%{snapver}}
|
||||||
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
|
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
|
||||||
@ -92,6 +92,17 @@ Patch140: 0001-Fix-resource-leaks-on-zstd-open-error-paths.patch
|
|||||||
# XXX should be before 0001-Pass-RPM_BUILD_NCPUS-to-build-scripts.patch
|
# XXX should be before 0001-Pass-RPM_BUILD_NCPUS-to-build-scripts.patch
|
||||||
Patch141: 0001-Isolate-_smp_build_ncpus-and-use-it-for-_smp_mflags.patch
|
Patch141: 0001-Isolate-_smp_build_ncpus-and-use-it-for-_smp_mflags.patch
|
||||||
Patch142: rpm-4.14.3-GPG-Switch-back-to-pipe-7-for-signing.patch
|
Patch142: rpm-4.14.3-GPG-Switch-back-to-pipe-7-for-signing.patch
|
||||||
|
Patch143: 0001-Work-around-buggy-signature-region-preventing-resign.patch
|
||||||
|
Patch144: 0001-Fix-python-ts.addErase-not-raising-exception-on-not-.patch
|
||||||
|
Patch145: 0001-Always-close-libelf-handle-1313.patch
|
||||||
|
Patch146: 0001-When-doing-the-same-thing-more-than-once-use-a-loop.patch
|
||||||
|
Patch147: 0001-Introduce-patch_nums-and-source_nums-Lua-variables-i.patch
|
||||||
|
Patch148: 0001-Add-limits-to-autopatch-macro.patch
|
||||||
|
Patch149: rpm-4.14.3-bump-up-the-limit-of-signature-header-to-64MB.patch
|
||||||
|
Patch150: rpm-4.14.3-add-fapolicyd-rpm-plugin.patch
|
||||||
|
Patch151: 0001-Unblock-signals-in-forked-scriptlets.patch
|
||||||
|
Patch152: rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch
|
||||||
|
Patch153: rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch
|
||||||
|
|
||||||
# Python 3 string API sanity
|
# Python 3 string API sanity
|
||||||
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
|
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
|
||||||
@ -390,6 +401,15 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
|
|||||||
Useful on legacy SysV init systems if you run rpm transactions with
|
Useful on legacy SysV init systems if you run rpm transactions with
|
||||||
nice/ionice priorities. Should not be used on systemd systems.
|
nice/ionice priorities. Should not be used on systemd systems.
|
||||||
|
|
||||||
|
%package plugin-fapolicyd
|
||||||
|
Summary: Rpm plugin for fapolicyd functionality
|
||||||
|
Requires: rpm-libs%{_isa} = %{version}-%{release}
|
||||||
|
Provides: fapolicyd-plugin
|
||||||
|
Obsoletes: fapolicyd-dnf-plugin
|
||||||
|
|
||||||
|
%description plugin-fapolicyd
|
||||||
|
%{summary}.
|
||||||
|
|
||||||
%endif # with plugins
|
%endif # with plugins
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
@ -434,9 +454,11 @@ done;
|
|||||||
--with-cap \
|
--with-cap \
|
||||||
--with-acl \
|
--with-acl \
|
||||||
%{?with_ndb: --enable-ndb} \
|
%{?with_ndb: --enable-ndb} \
|
||||||
|
%{!?with_libarchive: --without-archive} \
|
||||||
%{?with_libimaevm: --with-imaevm} \
|
%{?with_libimaevm: --with-imaevm} \
|
||||||
%{?with_zstd: --enable-zstd} \
|
%{?with_zstd: --enable-zstd} \
|
||||||
%{?with_lmdb: --enable-lmdb} \
|
%{?with_lmdb: --enable-lmdb} \
|
||||||
|
--with-fapolicyd \
|
||||||
--enable-python \
|
--enable-python \
|
||||||
--with-crypto=openssl \
|
--with-crypto=openssl \
|
||||||
PYTHON=python3
|
PYTHON=python3
|
||||||
@ -531,7 +553,9 @@ make check || cat tests/rpmtests.log
|
|||||||
%attr(0644, root, root) %verify(not md5 size mtime) %ghost %config(missingok,noreplace) /var/lib/rpm/*
|
%attr(0644, root, root) %verify(not md5 size mtime) %ghost %config(missingok,noreplace) /var/lib/rpm/*
|
||||||
|
|
||||||
%{_bindir}/rpm
|
%{_bindir}/rpm
|
||||||
|
%if %{with libarchive}
|
||||||
%{_bindir}/rpm2archive
|
%{_bindir}/rpm2archive
|
||||||
|
%endif
|
||||||
%{_bindir}/rpm2cpio
|
%{_bindir}/rpm2cpio
|
||||||
%{_bindir}/rpmdb
|
%{_bindir}/rpmdb
|
||||||
%{_bindir}/rpmkeys
|
%{_bindir}/rpmkeys
|
||||||
@ -591,6 +615,10 @@ make check || cat tests/rpmtests.log
|
|||||||
|
|
||||||
%files plugin-prioreset
|
%files plugin-prioreset
|
||||||
%{_libdir}/rpm-plugins/prioreset.so
|
%{_libdir}/rpm-plugins/prioreset.so
|
||||||
|
|
||||||
|
%files plugin-fapolicyd
|
||||||
|
%{_libdir}/rpm-plugins/fapolicyd.so
|
||||||
|
%{_mandir}/man8/rpm-plugin-fapolicyd.8*
|
||||||
%endif # with plugins
|
%endif # with plugins
|
||||||
|
|
||||||
%files build-libs
|
%files build-libs
|
||||||
@ -653,6 +681,31 @@ make check || cat tests/rpmtests.log
|
|||||||
%doc doc/librpm/html/*
|
%doc doc/librpm/html/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 12 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-13
|
||||||
|
- Fix minor issues found by COVSCAN in fapolicyd plugin
|
||||||
|
- Actually honor libarchive bcond at configure time (#1902887)
|
||||||
|
|
||||||
|
* Tue Feb 09 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-12
|
||||||
|
- Bump up the limit of signature header to 64MB (#1918777)
|
||||||
|
- Add fapolicyd plugin (#1923167)
|
||||||
|
- Unblock signals in forked scriptlets (#1913765)
|
||||||
|
- Fix ambiguous diagnostics output on file triggers (#1883338)
|
||||||
|
- Ensure ELF files get stripped when debuginfo is disabled (#1634084)
|
||||||
|
|
||||||
|
* Sun Jan 10 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-10
|
||||||
|
- Rebuild for libimaevm soname bump, now for real (#1896046)
|
||||||
|
|
||||||
|
* Thu Jan 07 2021 Florian Festi <ffesti@redhat.com> - 4.14.3-8
|
||||||
|
- Add limits to autopatch macro (#1834931)
|
||||||
|
|
||||||
|
* Thu Dec 03 2020 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-6
|
||||||
|
- Rebuild for libimaevm soname bump (#1896046)
|
||||||
|
|
||||||
|
* Fri Oct 30 2020 Florian Festi <ffesti@redhat.com> - 4.14.3-5
|
||||||
|
- Don't error out when replacing an invalid signature (#1874062)
|
||||||
|
- Raise an expection when erasing a package fails in Python (#1872623)
|
||||||
|
- Fix builds on NFS filesystems (#1840728)
|
||||||
|
|
||||||
* Fri Jun 26 2020 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-4
|
* Fri Jun 26 2020 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-4
|
||||||
- Fix hang when signing with expired key (#1746353)
|
- Fix hang when signing with expired key (#1746353)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user