diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1ff5f31 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/rtkit-0.11.tar.xz diff --git a/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch b/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch new file mode 100644 index 0000000..92e54b9 --- /dev/null +++ b/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch @@ -0,0 +1,48 @@ +From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Thu, 22 Aug 2013 16:05:22 -0400 +Subject: [PATCH] [SECURITY] Pass uid of caller to polkit + +Otherwise, we force polkit to look up the uid itself in /proc, which +is racy if they execve() a setuid binary. +--- + rtkit-daemon.c | 11 ++++++++++- + 1 files changed, 10 insertions(+), 1 deletions(-) + +diff --git a/rtkit-daemon.c b/rtkit-daemon.c +index 2ebe673..3ecc1f7 100644 +--- a/rtkit-daemon.c ++++ b/rtkit-daemon.c +@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process + DBusMessage *m = NULL, *r = NULL; + const char *unix_process = "unix-process"; + const char *pid = "pid"; ++ const char *uid = "uid"; + const char *start_time = "start-time"; + const char *cancel_id = ""; + uint32_t flags = 0; + uint32_t pid_u32 = p->pid; +- uint64_t start_time_u64 = p->starttime; ++ uint32_t uid_u32 = (uint32_t)u->uid; + DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant; ++ uint64_t start_time_u64 = p->starttime; + int ret; + dbus_bool_t authorized = FALSE; + +@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process + assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant)); + assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict)); + ++ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict)); ++ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid)); ++ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant)); ++ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32)); ++ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant)); ++ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict)); ++ + assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array)); + assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct)); + +-- +1.7.1 + diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/format-security.patch b/format-security.patch new file mode 100644 index 0000000..994bebf --- /dev/null +++ b/format-security.patch @@ -0,0 +1,13 @@ +diff -ruN rtkit-0.11.orig/Makefile.am rtkit-0.11/Makefile.am +--- rtkit-0.11.orig/Makefile.am 2017-05-12 12:56:52.245623657 -0400 ++++ rtkit-0.11/Makefile.am 2017-05-12 13:24:27.206304970 -0400 +@@ -18,6 +18,8 @@ + AM_CFLAGS = $(WARNINGFLAGS) $(PTHREAD_CFLAGS) + AM_LDFLAGS = $(GCLDFLAGS) + ++CFLAGS += -Wno-error=format-security ++ + ACLOCAL_AMFLAGS = -I m4 + + policykitdir = $(datadir)/polkit-1/actions/ +Binary files rtkit-0.11.orig/.Makefile.am.swp and rtkit-0.11/.Makefile.am.swp differ diff --git a/rtkit-controlgroup.patch b/rtkit-controlgroup.patch new file mode 100644 index 0000000..7a36dee --- /dev/null +++ b/rtkit-controlgroup.patch @@ -0,0 +1,14 @@ +diff --git rtkit-0.11/rtkit-daemon.service.in~ rtkit-0.11/rtkit-daemon.service.in +index 3dfefa6..d0dc786 100644 +--- rtkit-0.11/rtkit-daemon.service.in~ ++++ rtkit-0.11/rtkit-daemon.service.in +@@ -27,9 +27,5 @@ CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SYS_CH + PrivateTmp=yes + PrivateNetwork=yes + +-# Work around the fact that the Linux currently doesn't assign any RT +-# budget to CPU control groups that have none configured explicitly +-ControlGroup=cpu:/ +- + [Install] + WantedBy=graphical.target diff --git a/rtkit-mq_getattr.patch b/rtkit-mq_getattr.patch new file mode 100644 index 0000000..2cb63c7 --- /dev/null +++ b/rtkit-mq_getattr.patch @@ -0,0 +1,12 @@ +diff --git a/configure.ac b/configure.ac +index 5a77363..45721a5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -112,6 +112,7 @@ CC="$PTHREAD_CC" + + AC_SEARCH_LIBS([sched_setscheduler], [rt]) + AC_SEARCH_LIBS([clock_gettime], [rt]) ++AC_SEARCH_LIBS([mq_getattr], [rt]) + AC_SEARCH_LIBS([cap_init], [cap]) + + PKG_CHECK_MODULES(DBUS, dbus-1) diff --git a/rtkit.spec b/rtkit.spec new file mode 100644 index 0000000..15032ba --- /dev/null +++ b/rtkit.spec @@ -0,0 +1,188 @@ +%global _hardened_build 1 + +Name: rtkit +Version: 0.11 +Release: 19%{?dist} +Summary: Realtime Policy and Watchdog Daemon +Group: System Environment/Base +# The daemon itself is GPLv3+, the reference implementation for the client BSD +License: GPLv3+ and BSD +URL: http://git.0pointer.net/rtkit.git/ +Requires: dbus +Requires: polkit +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +BuildRequires: dbus-devel >= 1.2 +BuildRequires: libcap-devel +BuildRequires: polkit-devel +BuildRequires: autoconf automake libtool +BuildRequires: systemd +Source0: http://0pointer.de/public/%{name}-%{version}.tar.xz +Patch1: rtkit-mq_getattr.patch +Patch2: 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch +Patch3: rtkit-controlgroup.patch + +# Temporarily disable -Werror=format-security since it breaks the build +Patch4: format-security.patch + +%description +RealtimeKit is a D-Bus system service that changes the +scheduling policy of user processes/threads to SCHED_RR (i.e. realtime +scheduling mode) on request. It is intended to be used as a secure +mechanism to allow real-time scheduling to be used by normal user +processes. + +%prep +%setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 + +%build +autoreconf -fvi +%configure --with-systemdsystemunitdir=/usr/lib/systemd/system +make V=1 %{?_smp_mflags} +./rtkit-daemon --introspect > org.freedesktop.RealtimeKit1.xml + +%install +%make_install +install -Dm0644 org.freedesktop.RealtimeKit1.xml %{buildroot}%{_datadir}/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml + +%pre +getent group rtkit >/dev/null 2>&1 || groupadd \ + -r \ + -g 172 \ + rtkit +getent passwd rtkit >/dev/null 2>&1 || useradd \ + -r -l \ + -u 172 \ + -g rtkit \ + -d /proc \ + -s /sbin/nologin \ + -c "RealtimeKit" \ + rtkit +:; + +%post +%systemd_post rtkit-daemon.service +dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig >/dev/null 2>&1 || : + +%preun +%systemd_preun rtkit-daemon.service + +%postun +%systemd_postun + +%files +%doc README GPL LICENSE rtkit.c rtkit.h +%attr(0755,root,root) %{_sbindir}/rtkitctl +%attr(0755,root,root) %{_libexecdir}/rtkit-daemon +%{_datadir}/dbus-1/system-services/org.freedesktop.RealtimeKit1.service +%{_datadir}/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml +%{_datadir}/polkit-1/actions/org.freedesktop.RealtimeKit1.policy +%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf +%{_prefix}/lib/systemd/system/rtkit-daemon.service +%{_mandir}/man8/* + +%changelog +* Thu Jan 17 2019 Michal Sekletár - 0.11-19 +- add systemd to BuildRequires (#1654656) + +* Fri Feb 09 2018 Fedora Release Engineering - 0.11-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 0.11-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.11-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri May 12 2017 Stephen Gallagher - 0.11-15 +- Temporarily disable -Werror=format-security to unbreak the build +- Build with verbose command-line visible in the logs +- Resolves: rhbz#1424270 + +* Sat Feb 11 2017 Fedora Release Engineering - 0.11-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 0.11-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Nov 4 2015 Zbigniew Jędrzejewski-Szmek - 0.11-12 +- Make dbus interface file non-executable (#1245938) + +* Thu Jun 18 2015 Fedora Release Engineering - 0.11-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Aug 18 2014 Fedora Release Engineering - 0.11-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 0.11-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Nov 16 2013 Zbigniew Jędrzejewski-Szmek - 0.11-8 +- Use a simpler patch for -lrt. +- Remove ControlGroup setting from the service file + Resolves: #1010534 +- Turn on hardening flags + Resolves: #996735, #1008399 + +* Mon Sep 23 2013 Colin Walters - 0.11-7 +- CVE-2013-4326 + Resolves: #1009543 + +* Thu Aug 22 2013 Colin Walters - 0.11-6 +- Add patch to make this build again + +* Sun Aug 04 2013 Fedora Release Engineering - 0.11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 0.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Sep 14 2012 Lennart Poettering - 0.11-3 +- Make use of the new systemd macros + +* Sat Jul 21 2012 Fedora Release Engineering - 0.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue May 15 2012 Lennart Poettering - 0.11-1 +- New upstream release + +* Sat Jan 14 2012 Fedora Release Engineering - 0.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Feb 17 2011 Lennart Poettering - 0.10-1 +- new upstream release + +* Wed Feb 09 2011 Fedora Release Engineering - 0.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Aug 4 2010 Lennart Poettering - 0.9-2 +- Convert systemd-install to systemctl + +* Tue Jul 13 2010 Lennart Poettering - 0.9-1 +- New upstream release + +* Tue Jun 29 2010 Lennart Poettering - 0.8-1 +- New upstream release + +* Fri Dec 18 2009 Lennart Poettering - 0.5-1 +- New release +- By default don't demote unknown threads +- Make messages less cute +- Fixes 530582 + +* Wed Aug 5 2009 Lennart Poettering - 0.4-1 +- New release + +* Sun Jul 26 2009 Fedora Release Engineering - 0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 2 2009 Lennart Poettering - 0.3-1 +- New release + +* Wed Jun 17 2009 Lennart Poettering - 0.2-1 +- Initial packaging diff --git a/sources b/sources new file mode 100644 index 0000000..08ba29c --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (rtkit-0.11.tar.xz) = 4641af965dc64c0f498ae469fbee1ceb337204fa7d778fbbb41f2b5c5e88947e633c7e9ad037274fdd778c3c097a4a1dbb0b2add287d74eccbcd2d357cb2da22