Auto sync2gitlab import of rtkit-0.11-19.el8.src.rpm
This commit is contained in:
parent
ef4b50ba1c
commit
587c3f3e8b
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
/rtkit-0.11.tar.xz
|
48
0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
Normal file
48
0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Walters <walters@verbum.org>
|
||||
Date: Thu, 22 Aug 2013 16:05:22 -0400
|
||||
Subject: [PATCH] [SECURITY] Pass uid of caller to polkit
|
||||
|
||||
Otherwise, we force polkit to look up the uid itself in /proc, which
|
||||
is racy if they execve() a setuid binary.
|
||||
---
|
||||
rtkit-daemon.c | 11 ++++++++++-
|
||||
1 files changed, 10 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/rtkit-daemon.c b/rtkit-daemon.c
|
||||
index 2ebe673..3ecc1f7 100644
|
||||
--- a/rtkit-daemon.c
|
||||
+++ b/rtkit-daemon.c
|
||||
@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
|
||||
DBusMessage *m = NULL, *r = NULL;
|
||||
const char *unix_process = "unix-process";
|
||||
const char *pid = "pid";
|
||||
+ const char *uid = "uid";
|
||||
const char *start_time = "start-time";
|
||||
const char *cancel_id = "";
|
||||
uint32_t flags = 0;
|
||||
uint32_t pid_u32 = p->pid;
|
||||
- uint64_t start_time_u64 = p->starttime;
|
||||
+ uint32_t uid_u32 = (uint32_t)u->uid;
|
||||
DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
|
||||
+ uint64_t start_time_u64 = p->starttime;
|
||||
int ret;
|
||||
dbus_bool_t authorized = FALSE;
|
||||
|
||||
@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
|
||||
assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
|
||||
assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
|
||||
|
||||
+ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
|
||||
+ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
|
||||
+ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
|
||||
+ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
|
||||
+ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
|
||||
+ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
|
||||
+
|
||||
assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
|
||||
assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
|
||||
|
||||
--
|
||||
1.7.1
|
||||
|
13
format-security.patch
Normal file
13
format-security.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff -ruN rtkit-0.11.orig/Makefile.am rtkit-0.11/Makefile.am
|
||||
--- rtkit-0.11.orig/Makefile.am 2017-05-12 12:56:52.245623657 -0400
|
||||
+++ rtkit-0.11/Makefile.am 2017-05-12 13:24:27.206304970 -0400
|
||||
@@ -18,6 +18,8 @@
|
||||
AM_CFLAGS = $(WARNINGFLAGS) $(PTHREAD_CFLAGS)
|
||||
AM_LDFLAGS = $(GCLDFLAGS)
|
||||
|
||||
+CFLAGS += -Wno-error=format-security
|
||||
+
|
||||
ACLOCAL_AMFLAGS = -I m4
|
||||
|
||||
policykitdir = $(datadir)/polkit-1/actions/
|
||||
Binary files rtkit-0.11.orig/.Makefile.am.swp and rtkit-0.11/.Makefile.am.swp differ
|
14
rtkit-controlgroup.patch
Normal file
14
rtkit-controlgroup.patch
Normal file
@ -0,0 +1,14 @@
|
||||
diff --git rtkit-0.11/rtkit-daemon.service.in~ rtkit-0.11/rtkit-daemon.service.in
|
||||
index 3dfefa6..d0dc786 100644
|
||||
--- rtkit-0.11/rtkit-daemon.service.in~
|
||||
+++ rtkit-0.11/rtkit-daemon.service.in
|
||||
@@ -27,9 +27,5 @@ CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SYS_CH
|
||||
PrivateTmp=yes
|
||||
PrivateNetwork=yes
|
||||
|
||||
-# Work around the fact that the Linux currently doesn't assign any RT
|
||||
-# budget to CPU control groups that have none configured explicitly
|
||||
-ControlGroup=cpu:/
|
||||
-
|
||||
[Install]
|
||||
WantedBy=graphical.target
|
12
rtkit-mq_getattr.patch
Normal file
12
rtkit-mq_getattr.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 5a77363..45721a5 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -112,6 +112,7 @@ CC="$PTHREAD_CC"
|
||||
|
||||
AC_SEARCH_LIBS([sched_setscheduler], [rt])
|
||||
AC_SEARCH_LIBS([clock_gettime], [rt])
|
||||
+AC_SEARCH_LIBS([mq_getattr], [rt])
|
||||
AC_SEARCH_LIBS([cap_init], [cap])
|
||||
|
||||
PKG_CHECK_MODULES(DBUS, dbus-1)
|
188
rtkit.spec
Normal file
188
rtkit.spec
Normal file
@ -0,0 +1,188 @@
|
||||
%global _hardened_build 1
|
||||
|
||||
Name: rtkit
|
||||
Version: 0.11
|
||||
Release: 19%{?dist}
|
||||
Summary: Realtime Policy and Watchdog Daemon
|
||||
Group: System Environment/Base
|
||||
# The daemon itself is GPLv3+, the reference implementation for the client BSD
|
||||
License: GPLv3+ and BSD
|
||||
URL: http://git.0pointer.net/rtkit.git/
|
||||
Requires: dbus
|
||||
Requires: polkit
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
BuildRequires: dbus-devel >= 1.2
|
||||
BuildRequires: libcap-devel
|
||||
BuildRequires: polkit-devel
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: systemd
|
||||
Source0: http://0pointer.de/public/%{name}-%{version}.tar.xz
|
||||
Patch1: rtkit-mq_getattr.patch
|
||||
Patch2: 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
|
||||
Patch3: rtkit-controlgroup.patch
|
||||
|
||||
# Temporarily disable -Werror=format-security since it breaks the build
|
||||
Patch4: format-security.patch
|
||||
|
||||
%description
|
||||
RealtimeKit is a D-Bus system service that changes the
|
||||
scheduling policy of user processes/threads to SCHED_RR (i.e. realtime
|
||||
scheduling mode) on request. It is intended to be used as a secure
|
||||
mechanism to allow real-time scheduling to be used by normal user
|
||||
processes.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
|
||||
%build
|
||||
autoreconf -fvi
|
||||
%configure --with-systemdsystemunitdir=/usr/lib/systemd/system
|
||||
make V=1 %{?_smp_mflags}
|
||||
./rtkit-daemon --introspect > org.freedesktop.RealtimeKit1.xml
|
||||
|
||||
%install
|
||||
%make_install
|
||||
install -Dm0644 org.freedesktop.RealtimeKit1.xml %{buildroot}%{_datadir}/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml
|
||||
|
||||
%pre
|
||||
getent group rtkit >/dev/null 2>&1 || groupadd \
|
||||
-r \
|
||||
-g 172 \
|
||||
rtkit
|
||||
getent passwd rtkit >/dev/null 2>&1 || useradd \
|
||||
-r -l \
|
||||
-u 172 \
|
||||
-g rtkit \
|
||||
-d /proc \
|
||||
-s /sbin/nologin \
|
||||
-c "RealtimeKit" \
|
||||
rtkit
|
||||
:;
|
||||
|
||||
%post
|
||||
%systemd_post rtkit-daemon.service
|
||||
dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig >/dev/null 2>&1 || :
|
||||
|
||||
%preun
|
||||
%systemd_preun rtkit-daemon.service
|
||||
|
||||
%postun
|
||||
%systemd_postun
|
||||
|
||||
%files
|
||||
%doc README GPL LICENSE rtkit.c rtkit.h
|
||||
%attr(0755,root,root) %{_sbindir}/rtkitctl
|
||||
%attr(0755,root,root) %{_libexecdir}/rtkit-daemon
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.RealtimeKit1.service
|
||||
%{_datadir}/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.RealtimeKit1.policy
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf
|
||||
%{_prefix}/lib/systemd/system/rtkit-daemon.service
|
||||
%{_mandir}/man8/*
|
||||
|
||||
%changelog
|
||||
* Thu Jan 17 2019 Michal Sekletár <msekleta@redhat.com> - 0.11-19
|
||||
- add systemd to BuildRequires (#1654656)
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.11-18
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.11-17
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.11-16
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Fri May 12 2017 Stephen Gallagher <sgallagh@redhat.com> - 0.11-15
|
||||
- Temporarily disable -Werror=format-security to unbreak the build
|
||||
- Build with verbose command-line visible in the logs
|
||||
- Resolves: rhbz#1424270
|
||||
|
||||
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.11-14
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11-13
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Wed Nov 4 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.11-12
|
||||
- Make dbus interface file non-executable (#1245938)
|
||||
|
||||
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-11
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Sat Nov 16 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.11-8
|
||||
- Use a simpler patch for -lrt.
|
||||
- Remove ControlGroup setting from the service file
|
||||
Resolves: #1010534
|
||||
- Turn on hardening flags
|
||||
Resolves: #996735, #1008399
|
||||
|
||||
* Mon Sep 23 2013 Colin Walters <walters@verbum.org> - 0.11-7
|
||||
- CVE-2013-4326
|
||||
Resolves: #1009543
|
||||
|
||||
* Thu Aug 22 2013 Colin Walters <walters@verbum.org> - 0.11-6
|
||||
- Add patch to make this build again
|
||||
|
||||
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||
|
||||
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
||||
|
||||
* Fri Sep 14 2012 Lennart Poettering <lpoetter@redhat.com> - 0.11-3
|
||||
- Make use of the new systemd macros
|
||||
|
||||
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||
|
||||
* Tue May 15 2012 Lennart Poettering <lpoetter@redhat.com> - 0.11-1
|
||||
- New upstream release
|
||||
|
||||
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
||||
|
||||
* Thu Feb 17 2011 Lennart Poettering <lpoetter@redhat.com> - 0.10-1
|
||||
- new upstream release
|
||||
|
||||
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||
|
||||
* Wed Aug 4 2010 Lennart Poettering <lpoetter@redhat.com> - 0.9-2
|
||||
- Convert systemd-install to systemctl
|
||||
|
||||
* Tue Jul 13 2010 Lennart Poettering <lpoetter@redhat.com> - 0.9-1
|
||||
- New upstream release
|
||||
|
||||
* Tue Jun 29 2010 Lennart Poettering <lpoetter@redhat.com> - 0.8-1
|
||||
- New upstream release
|
||||
|
||||
* Fri Dec 18 2009 Lennart Poettering <lpoetter@redhat.com> - 0.5-1
|
||||
- New release
|
||||
- By default don't demote unknown threads
|
||||
- Make messages less cute
|
||||
- Fixes 530582
|
||||
|
||||
* Wed Aug 5 2009 Lennart Poettering <lpoetter@redhat.com> - 0.4-1
|
||||
- New release
|
||||
|
||||
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||
|
||||
* Thu Jul 2 2009 Lennart Poettering <lpoetter@redhat.com> - 0.3-1
|
||||
- New release
|
||||
|
||||
* Wed Jun 17 2009 Lennart Poettering <lpoetter@redhat.com> - 0.2-1
|
||||
- Initial packaging
|
Loading…
Reference in New Issue
Block a user