From 745a84bf1ea8c6933a06d30ff842e593c577f5a5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Wed, 3 Nov 2021 13:42:18 -0400
Subject: [PATCH] import rtkit-0.11-28.el9
---
.gitignore | 1 +
.rtkit.metadata | 1 +
SOURCES/0001-Fix-borked-error-check.patch | 22 +
...ECURITY-Pass-uid-of-caller-to-polkit.patch | 48 +
.../0001-systemd-update-sd-daemon.-ch.patch | 306 ++++++
...Remove-bundled-copy-of-sd-daemon.-ch.patch | 870 ++++++++++++++++++
SOURCES/format-security.patch | 13 +
SOURCES/rtkit-controlgroup.patch | 14 +
SOURCES/rtkit-mq_getattr.patch | 12 +
SPECS/rtkit.spec | 218 +++++
10 files changed, 1505 insertions(+)
create mode 100644 .gitignore
create mode 100644 .rtkit.metadata
create mode 100644 SOURCES/0001-Fix-borked-error-check.patch
create mode 100644 SOURCES/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
create mode 100644 SOURCES/0001-systemd-update-sd-daemon.-ch.patch
create mode 100644 SOURCES/0002-Remove-bundled-copy-of-sd-daemon.-ch.patch
create mode 100644 SOURCES/format-security.patch
create mode 100644 SOURCES/rtkit-controlgroup.patch
create mode 100644 SOURCES/rtkit-mq_getattr.patch
create mode 100644 SPECS/rtkit.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a072f6a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/rtkit-0.11.tar.xz
diff --git a/.rtkit.metadata b/.rtkit.metadata
new file mode 100644
index 0000000..2ac1650
--- /dev/null
+++ b/.rtkit.metadata
@@ -0,0 +1 @@
+dc4bcaa898ef3cadb6fff35dcce752bc9f64e435 SOURCES/rtkit-0.11.tar.xz
diff --git a/SOURCES/0001-Fix-borked-error-check.patch b/SOURCES/0001-Fix-borked-error-check.patch
new file mode 100644
index 0000000..46b759f
--- /dev/null
+++ b/SOURCES/0001-Fix-borked-error-check.patch
@@ -0,0 +1,22 @@
+From ef090ee5a913f2c68e0fbed2600bfe38dfe55029 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Sun, 24 Jan 2021 21:12:22 +0100
+Subject: [PATCH 1/2] Fix borked error check
+
+---
+ rtkit-daemon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rtkit-daemon.c b/rtkit-daemon.c
+index 3ecc1f7840..a15e84f8f5 100644
+--- a/rtkit-daemon.c
++++ b/rtkit-daemon.c
+@@ -1463,7 +1463,7 @@ static DBusHandlerResult dbus_handler(DBusConnection *c, DBusMessage *m, void *u
+ if (strcmp(interface, "org.freedesktop.RealtimeKit1") == 0) {
+ assert_se(r = dbus_message_new_method_return(m));
+
+- if (!handle_dbus_prop_get(property, r) < 0) {
++ if (handle_dbus_prop_get(property, r) < 0) {
+ dbus_message_unref(r);
+ assert_se(r = dbus_message_new_error_printf(
+ m,
diff --git a/SOURCES/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch b/SOURCES/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
new file mode 100644
index 0000000..92e54b9
--- /dev/null
+++ b/SOURCES/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
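Review bot: The carried patch has an empty commit body, so nothing in the packaging history records what the old test did: `!handle_dbus_prop_get(property, r) < 0` negates first and then compares a 0/1 value with zero, which is never true, so the error reply built in this branch was unreachable. A sentence in the patch header would make that auditable, for example `The stray negation made the check always false, so a failing property lookup was never reported as an error.` GCC and Clang report this pattern under `-Wlogical-not-parentheses`, and it is worth confirming the build enables it so the same slip is caught elsewhere in rtkit-daemon.c. dbus_handler starts and ends outside the hunk, so what the caller received on the old path is not visible here.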
@@ -0,0 +1,48 @@
+From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001
+From: Colin Walters
+Date: Thu, 22 Aug 2013 16:05:22 -0400
+Subject: [PATCH] [SECURITY] Pass uid of caller to polkit
+
+Otherwise, we force polkit to look up the uid itself in /proc, which
+is racy if they execve() a setuid binary.
+---
+ rtkit-daemon.c | 11 ++++++++++-
+ 1 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/rtkit-daemon.c b/rtkit-daemon.c
+index 2ebe673..3ecc1f7 100644
+--- a/rtkit-daemon.c
++++ b/rtkit-daemon.c
+@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+ DBusMessage *m = NULL, *r = NULL;
+ const char *unix_process = "unix-process";
+ const char *pid = "pid";
++ const char *uid = "uid";
+ const char *start_time = "start-time";
+ const char *cancel_id = "";
+ uint32_t flags = 0;
+ uint32_t pid_u32 = p->pid;
+- uint64_t start_time_u64 = p->starttime;
++ uint32_t uid_u32 = (uint32_t)u->uid;
+ DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
++ uint64_t start_time_u64 = p->starttime;
+ int ret;
+ dbus_bool_t authorized = FALSE;
+
+@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
+
++ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
++ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
++ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
++ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
++ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
++ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++
+ assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
+ assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
+
+--
+1.7.1
+
diff --git a/SOURCES/0001-systemd-update-sd-daemon.-ch.patch b/SOURCES/0001-systemd-update-sd-daemon.-ch.patch
new file mode 100644
index 0000000..41195ed
--- /dev/null
+++ b/SOURCES/0001-systemd-update-sd-daemon.-ch.patch
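Review bot: The new `uint32_t uid_u32 = (uint32_t)u->uid;` closes the race named in the commit message only if `u->uid` comes from the bus connection's authenticated credentials, and the hunk does not show where `struct rtkit_user` is filled in, so that needs confirming at the call site. If that uid were itself read from /proc for `p->pid`, the execve()-of-a-setuid-binary window would simply move from polkit into rtkit. A comment at the declaration would pin the requirement, for example `/* must be the bus-authenticated caller uid, never one re-read from /proc/<pid> */`. verify_polkit begins before and continues after both inner hunks, so the handling of the authorization reply is outside this view.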
@@ -0,0 +1,306 @@ +From 8c902327f91616af5e87fd2a6d4b7ea38bb3aa32 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 26 Sep 2013 21:53:49 +0200 +Subject: [PATCH] systemd: update sd-daemon.[ch] + +--- + sd-daemon.c | 100 +++++++++++++++++++++++----------------------------- + sd-daemon.h | 14 ++++---- + 2 files changed, 52 insertions(+), 62 deletions(-) + +diff --git a/sd-daemon.c b/sd-daemon.c +index 763e079b4e..485b301023 100644 +--- a/sd-daemon.c ++++ b/sd-daemon.c +@@ -25,18 +25,14 @@ + ***/ + + #ifndef _GNU_SOURCE +-#define _GNU_SOURCE ++# define _GNU_SOURCE + #endif + + #include + #include + #include + #include +-#ifdef __BIONIC__ +-#include +-#else +-#include +-#endif ++#include + #include + #include + #include +@@ -47,22 +43,22 @@ + #include + #include + +-#if defined(__linux__) +-#include ++#if defined(__linux__) && !defined(SD_DAEMON_DISABLE_MQ) ++# include + #endif + + #include "sd-daemon.h" + + #if (__GNUC__ >= 4) +-#ifdef SD_EXPORT_SYMBOLS ++# ifdef SD_EXPORT_SYMBOLS + /* Export symbols */ +-#define _sd_export_ __attribute__ ((visibility("default"))) +-#else ++# define _sd_export_ __attribute__ ((visibility("default"))) ++# else + /* Don't export the symbols */ +-#define _sd_export_ __attribute__ ((visibility("hidden"))) +-#endif ++# define _sd_export_ __attribute__ ((visibility("hidden"))) ++# endif + #else +-#define _sd_export_ ++# define _sd_export_ + #endif + + _sd_export_ int sd_listen_fds(int unset_environment) { +@@ -75,7 +71,8 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + char *p = NULL; + unsigned long l; + +- if (!(e = getenv("LISTEN_PID"))) { ++ e = getenv("LISTEN_PID"); ++ if (!e) { + r = 0; + goto finish; + } +@@ -83,12 +80,12 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + errno = 0; + l = strtoul(e, &p, 10); + +- if (errno != 0) { ++ if (errno > 0) { + r = -errno; + goto finish; + } + +- if (!p || *p || l <= 0) { ++ if (!p || p == e || *p || l <= 0) { + r = -EINVAL; + goto finish; + } +@@ -99,7 +96,8 @@ 
_sd_export_ int sd_listen_fds(int unset_environment) { + goto finish; + } + +- if (!(e = getenv("LISTEN_FDS"))) { ++ e = getenv("LISTEN_FDS"); ++ if (!e) { + r = 0; + goto finish; + } +@@ -107,12 +105,12 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + errno = 0; + l = strtoul(e, &p, 10); + +- if (errno != 0) { ++ if (errno > 0) { + r = -errno; + goto finish; + } + +- if (!p || *p) { ++ if (!p || p == e || *p) { + r = -EINVAL; + goto finish; + } +@@ -120,7 +118,8 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + (int) l; fd ++) { + int flags; + +- if ((flags = fcntl(fd, F_GETFD)) < 0) { ++ flags = fcntl(fd, F_GETFD); ++ if (flags < 0) { + r = -errno; + goto finish; + } +@@ -152,7 +151,6 @@ _sd_export_ int sd_is_fifo(int fd, const char *path) { + if (fd < 0) + return -EINVAL; + +- memset(&st_fd, 0, sizeof(st_fd)); + if (fstat(fd, &st_fd) < 0) + return -errno; + +@@ -162,7 +160,6 @@ _sd_export_ int sd_is_fifo(int fd, const char *path) { + if (path) { + struct stat st_path; + +- memset(&st_path, 0, sizeof(st_path)); + if (stat(path, &st_path) < 0) { + + if (errno == ENOENT || errno == ENOTDIR) +@@ -272,15 +269,13 @@ _sd_export_ int sd_is_socket(int fd, int family, int type, int listening) { + if (family < 0) + return -EINVAL; + +- if ((r = sd_is_socket_internal(fd, type, listening)) <= 0) ++ r = sd_is_socket_internal(fd, type, listening); ++ if (r <= 0) + return r; + + if (family > 0) { +- union sockaddr_union sockaddr; +- socklen_t l; +- +- memset(&sockaddr, 0, sizeof(sockaddr)); +- l = sizeof(sockaddr); ++ union sockaddr_union sockaddr = {}; ++ socklen_t l = sizeof(sockaddr); + + if (getsockname(fd, &sockaddr.sa, &l) < 0) + return -errno; +@@ -295,19 +290,17 @@ _sd_export_ int sd_is_socket(int fd, int family, int type, int listening) { + } + + _sd_export_ int sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port) { +- union sockaddr_union sockaddr; +- socklen_t l; 
++ union sockaddr_union sockaddr = {}; ++ socklen_t l = sizeof(sockaddr); + int r; + + if (family != 0 && family != AF_INET && family != AF_INET6) + return -EINVAL; + +- if ((r = sd_is_socket_internal(fd, type, listening)) <= 0) ++ r = sd_is_socket_internal(fd, type, listening); ++ if (r <= 0) + return r; + +- memset(&sockaddr, 0, sizeof(sockaddr)); +- l = sizeof(sockaddr); +- + if (getsockname(fd, &sockaddr.sa, &l) < 0) + return -errno; + +@@ -340,16 +333,14 @@ _sd_export_ int sd_is_socket_inet(int fd, int family, int type, int listening, u + } + + _sd_export_ int sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length) { +- union sockaddr_union sockaddr; +- socklen_t l; ++ union sockaddr_union sockaddr = {}; ++ socklen_t l = sizeof(sockaddr); + int r; + +- if ((r = sd_is_socket_internal(fd, type, listening)) <= 0) ++ r = sd_is_socket_internal(fd, type, listening); ++ if (r <= 0) + return r; + +- memset(&sockaddr, 0, sizeof(sockaddr)); +- l = sizeof(sockaddr); +- + if (getsockname(fd, &sockaddr.sa, &l) < 0) + return -errno; + +@@ -360,10 +351,10 @@ _sd_export_ int sd_is_socket_unix(int fd, int type, int listening, const char *p + return 0; + + if (path) { +- if (length <= 0) ++ if (length == 0) + length = strlen(path); + +- if (length <= 0) ++ if (length == 0) + /* Unnamed socket */ + return l == offsetof(struct sockaddr_un, sun_path); + +@@ -383,7 +374,7 @@ _sd_export_ int sd_is_socket_unix(int fd, int type, int listening, const char *p + } + + _sd_export_ int sd_is_mq(int fd, const char *path) { +-#if !defined(__linux__) ++#if !defined(__linux__) || defined(SD_DAEMON_DISABLE_MQ) + return 0; + #else + struct mq_attr attr; +@@ -434,7 +425,8 @@ _sd_export_ int sd_notify(int unset_environment, const char *state) { + goto finish; + } + +- if (!(e = getenv("NOTIFY_SOCKET"))) ++ e = getenv("NOTIFY_SOCKET"); ++ if (!e) + return 0; + + /* Must be an abstract socket, or an absolute path */ +@@ -443,7 +435,8 @@ _sd_export_ int sd_notify(int 
unset_environment, const char *state) { + goto finish; + } + +- if ((fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0) { ++ fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0); ++ if (fd < 0) { + r = -errno; + goto finish; + } +@@ -513,18 +506,15 @@ _sd_export_ int sd_booted(void) { + #if defined(DISABLE_SYSTEMD) || !defined(__linux__) + return 0; + #else ++ struct stat st; + +- struct stat a, b; ++ /* We test whether the runtime unit file directory has been ++ * created. This takes place in mount-setup.c, so is ++ * guaranteed to happen very early during boot. */ + +- /* We simply test whether the systemd cgroup hierarchy is +- * mounted */ +- +- if (lstat("/sys/fs/cgroup", &a) < 0) +- return 0; +- +- if (lstat("/sys/fs/cgroup/systemd", &b) < 0) ++ if (lstat("/run/systemd/system/", &st) < 0) + return 0; + +- return a.st_dev != b.st_dev; ++ return !!S_ISDIR(st.st_mode); + #endif + } +diff --git a/sd-daemon.h b/sd-daemon.h +index fe51159ee6..daa3f4c857 100644 +--- a/sd-daemon.h ++++ b/sd-daemon.h +@@ -59,20 +59,20 @@ extern "C" { + You may find an up-to-date version of these source files online: + + http://cgit.freedesktop.org/systemd/systemd/plain/src/systemd/sd-daemon.h +- http://cgit.freedesktop.org/systemd/systemd/plain/src/sd-daemon.c ++ http://cgit.freedesktop.org/systemd/systemd/plain/src/libsystemd-daemon/sd-daemon.c + + This should compile on non-Linux systems, too, but with the + exception of the sd_is_xxx() calls all functions will become NOPs. + +- See sd-daemon(7) for more information. ++ See sd-daemon(3) for more information. + */ + + #ifndef _sd_printf_attr_ +-#if __GNUC__ >= 4 +-#define _sd_printf_attr_(a,b) __attribute__ ((format (printf, a, b))) +-#else +-#define _sd_printf_attr_(a,b) +-#endif ++# if __GNUC__ >= 4 ++# define _sd_printf_attr_(a,b) __attribute__ ((format (printf, a, b))) ++# else ++# define _sd_printf_attr_(a,b) ++# endif + #endif + + /* 
diff --git a/SOURCES/0002-Remove-bundled-copy-of-sd-daemon.-ch.patch b/SOURCES/0002-Remove-bundled-copy-of-sd-daemon.-ch.patch new file mode 100644 index 0000000..31e5a50 --- /dev/null +++ b/SOURCES/0002-Remove-bundled-copy-of-sd-daemon.-ch.patch 
@@ -0,0 +1,870 @@ +From f5c88312c3fc5b7dc944eb36c2b8c62a44b78798 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 24 Jan 2021 21:19:51 +0100 +Subject: [PATCH 2/2] Remove bundled copy of sd-daemon.[ch] + +Let's just use the system version. +--- + Makefile.am | 10 +- + rtkit-daemon.c | 2 +- + sd-daemon.c | 520 ------------------------------------------------- + sd-daemon.h | 282 --------------------------- + 4 files changed, 4 insertions(+), 810 deletions(-) + delete mode 100644 sd-daemon.c + delete mode 100644 sd-daemon.h + +diff --git a/Makefile.am b/Makefile.am +index febc35535d..2217a80b3c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -56,10 +56,10 @@ systemdsystemunit_DATA = \ + endif + + rtkit_daemon_SOURCES = \ +- rtkit-daemon.c rtkit.h \ +- sd-daemon.c sd-daemon.h ++ rtkit-daemon.c rtkit.h + rtkit_daemon_LDADD = \ +- $(DBUS_LIBS) ++ $(DBUS_LIBS) \ ++ -lsystemd + rtkit_daemon_CFLAGS = \ + $(AM_CFLAGS) \ + $(DBUS_CFLAGS) +@@ -93,7 +93,3 @@ EXTRA_DIST += \ + + DISTCHECK_CONFIGURE_FLAGS = \ + --with-systemdsystemunitdir=$$dc_install_base/$(systemdsystemunitdir) +- +-update-systemd: +- curl http://cgit.freedesktop.org/systemd/systemd/plain/src/libsystemd-daemon/sd-daemon.c > sd-daemon.c +- curl http://cgit.freedesktop.org/systemd/systemd/plain/src/systemd/sd-daemon.h > sd-daemon.h +diff --git a/rtkit-daemon.c b/rtkit-daemon.c +index a15e84f8f5..fdff7f63dc 100644 +--- a/rtkit-daemon.c ++++ b/rtkit-daemon.c +@@ -50,9 +50,9 @@ + #include + #include + #include ++#include + + #include "rtkit.h" +-#include "sd-daemon.h" + + #ifndef __linux__ + #error "This stuff only works on Linux!" 
+diff --git a/sd-daemon.c b/sd-daemon.c +deleted file mode 100644 +index 485b301023..0000000000 +--- a/sd-daemon.c ++++ /dev/null +@@ -1,520 +0,0 @@ +-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +- +-/*** +- Copyright 2010 Lennart Poettering +- +- Permission is hereby granted, free of charge, to any person +- obtaining a copy of this software and associated documentation files +- (the "Software"), to deal in the Software without restriction, +- including without limitation the rights to use, copy, modify, merge, +- publish, distribute, sublicense, and/or sell copies of the Software, +- and to permit persons to whom the Software is furnished to do so, +- subject to the following conditions: +- +- The above copyright notice and this permission notice shall be +- included in all copies or substantial portions of the Software. +- +- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +- NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS +- BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN +- ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +- CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +- SOFTWARE. 
+-***/ +- +-#ifndef _GNU_SOURCE +-# define _GNU_SOURCE +-#endif +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#if defined(__linux__) && !defined(SD_DAEMON_DISABLE_MQ) +-# include +-#endif +- +-#include "sd-daemon.h" +- +-#if (__GNUC__ >= 4) +-# ifdef SD_EXPORT_SYMBOLS +-/* Export symbols */ +-# define _sd_export_ __attribute__ ((visibility("default"))) +-# else +-/* Don't export the symbols */ +-# define _sd_export_ __attribute__ ((visibility("hidden"))) +-# endif +-#else +-# define _sd_export_ +-#endif +- +-_sd_export_ int sd_listen_fds(int unset_environment) { +- +-#if defined(DISABLE_SYSTEMD) || !defined(__linux__) +- return 0; +-#else +- int r, fd; +- const char *e; +- char *p = NULL; +- unsigned long l; +- +- e = getenv("LISTEN_PID"); +- if (!e) { +- r = 0; +- goto finish; +- } +- +- errno = 0; +- l = strtoul(e, &p, 10); +- +- if (errno > 0) { +- r = -errno; +- goto finish; +- } +- +- if (!p || p == e || *p || l <= 0) { +- r = -EINVAL; +- goto finish; +- } +- +- /* Is this for us? 
*/ +- if (getpid() != (pid_t) l) { +- r = 0; +- goto finish; +- } +- +- e = getenv("LISTEN_FDS"); +- if (!e) { +- r = 0; +- goto finish; +- } +- +- errno = 0; +- l = strtoul(e, &p, 10); +- +- if (errno > 0) { +- r = -errno; +- goto finish; +- } +- +- if (!p || p == e || *p) { +- r = -EINVAL; +- goto finish; +- } +- +- for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + (int) l; fd ++) { +- int flags; +- +- flags = fcntl(fd, F_GETFD); +- if (flags < 0) { +- r = -errno; +- goto finish; +- } +- +- if (flags & FD_CLOEXEC) +- continue; +- +- if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) { +- r = -errno; +- goto finish; +- } +- } +- +- r = (int) l; +- +-finish: +- if (unset_environment) { +- unsetenv("LISTEN_PID"); +- unsetenv("LISTEN_FDS"); +- } +- +- return r; +-#endif +-} +- +-_sd_export_ int sd_is_fifo(int fd, const char *path) { +- struct stat st_fd; +- +- if (fd < 0) +- return -EINVAL; +- +- if (fstat(fd, &st_fd) < 0) +- return -errno; +- +- if (!S_ISFIFO(st_fd.st_mode)) +- return 0; +- +- if (path) { +- struct stat st_path; +- +- if (stat(path, &st_path) < 0) { +- +- if (errno == ENOENT || errno == ENOTDIR) +- return 0; +- +- return -errno; +- } +- +- return +- st_path.st_dev == st_fd.st_dev && +- st_path.st_ino == st_fd.st_ino; +- } +- +- return 1; +-} +- +-_sd_export_ int sd_is_special(int fd, const char *path) { +- struct stat st_fd; +- +- if (fd < 0) +- return -EINVAL; +- +- if (fstat(fd, &st_fd) < 0) +- return -errno; +- +- if (!S_ISREG(st_fd.st_mode) && !S_ISCHR(st_fd.st_mode)) +- return 0; +- +- if (path) { +- struct stat st_path; +- +- if (stat(path, &st_path) < 0) { +- +- if (errno == ENOENT || errno == ENOTDIR) +- return 0; +- +- return -errno; +- } +- +- if (S_ISREG(st_fd.st_mode) && S_ISREG(st_path.st_mode)) +- return +- st_path.st_dev == st_fd.st_dev && +- st_path.st_ino == st_fd.st_ino; +- else if (S_ISCHR(st_fd.st_mode) && S_ISCHR(st_path.st_mode)) +- return st_path.st_rdev == st_fd.st_rdev; +- else +- return 0; +- } +- +- return 1; +-} +- 
+-static int sd_is_socket_internal(int fd, int type, int listening) { +- struct stat st_fd; +- +- if (fd < 0 || type < 0) +- return -EINVAL; +- +- if (fstat(fd, &st_fd) < 0) +- return -errno; +- +- if (!S_ISSOCK(st_fd.st_mode)) +- return 0; +- +- if (type != 0) { +- int other_type = 0; +- socklen_t l = sizeof(other_type); +- +- if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &other_type, &l) < 0) +- return -errno; +- +- if (l != sizeof(other_type)) +- return -EINVAL; +- +- if (other_type != type) +- return 0; +- } +- +- if (listening >= 0) { +- int accepting = 0; +- socklen_t l = sizeof(accepting); +- +- if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &l) < 0) +- return -errno; +- +- if (l != sizeof(accepting)) +- return -EINVAL; +- +- if (!accepting != !listening) +- return 0; +- } +- +- return 1; +-} +- +-union sockaddr_union { +- struct sockaddr sa; +- struct sockaddr_in in4; +- struct sockaddr_in6 in6; +- struct sockaddr_un un; +- struct sockaddr_storage storage; +-}; +- +-_sd_export_ int sd_is_socket(int fd, int family, int type, int listening) { +- int r; +- +- if (family < 0) +- return -EINVAL; +- +- r = sd_is_socket_internal(fd, type, listening); +- if (r <= 0) +- return r; +- +- if (family > 0) { +- union sockaddr_union sockaddr = {}; +- socklen_t l = sizeof(sockaddr); +- +- if (getsockname(fd, &sockaddr.sa, &l) < 0) +- return -errno; +- +- if (l < sizeof(sa_family_t)) +- return -EINVAL; +- +- return sockaddr.sa.sa_family == family; +- } +- +- return 1; +-} +- +-_sd_export_ int sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port) { +- union sockaddr_union sockaddr = {}; +- socklen_t l = sizeof(sockaddr); +- int r; +- +- if (family != 0 && family != AF_INET && family != AF_INET6) +- return -EINVAL; +- +- r = sd_is_socket_internal(fd, type, listening); +- if (r <= 0) +- return r; +- +- if (getsockname(fd, &sockaddr.sa, &l) < 0) +- return -errno; +- +- if (l < sizeof(sa_family_t)) +- return -EINVAL; +- +- if (sockaddr.sa.sa_family 
!= AF_INET && +- sockaddr.sa.sa_family != AF_INET6) +- return 0; +- +- if (family > 0) +- if (sockaddr.sa.sa_family != family) +- return 0; +- +- if (port > 0) { +- if (sockaddr.sa.sa_family == AF_INET) { +- if (l < sizeof(struct sockaddr_in)) +- return -EINVAL; +- +- return htons(port) == sockaddr.in4.sin_port; +- } else { +- if (l < sizeof(struct sockaddr_in6)) +- return -EINVAL; +- +- return htons(port) == sockaddr.in6.sin6_port; +- } +- } +- +- return 1; +-} +- +-_sd_export_ int sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length) { +- union sockaddr_union sockaddr = {}; +- socklen_t l = sizeof(sockaddr); +- int r; +- +- r = sd_is_socket_internal(fd, type, listening); +- if (r <= 0) +- return r; +- +- if (getsockname(fd, &sockaddr.sa, &l) < 0) +- return -errno; +- +- if (l < sizeof(sa_family_t)) +- return -EINVAL; +- +- if (sockaddr.sa.sa_family != AF_UNIX) +- return 0; +- +- if (path) { +- if (length == 0) +- length = strlen(path); +- +- if (length == 0) +- /* Unnamed socket */ +- return l == offsetof(struct sockaddr_un, sun_path); +- +- if (path[0]) +- /* Normal path socket */ +- return +- (l >= offsetof(struct sockaddr_un, sun_path) + length + 1) && +- memcmp(path, sockaddr.un.sun_path, length+1) == 0; +- else +- /* Abstract namespace socket */ +- return +- (l == offsetof(struct sockaddr_un, sun_path) + length) && +- memcmp(path, sockaddr.un.sun_path, length) == 0; +- } +- +- return 1; +-} +- +-_sd_export_ int sd_is_mq(int fd, const char *path) { +-#if !defined(__linux__) || defined(SD_DAEMON_DISABLE_MQ) +- return 0; +-#else +- struct mq_attr attr; +- +- if (fd < 0) +- return -EINVAL; +- +- if (mq_getattr(fd, &attr) < 0) +- return -errno; +- +- if (path) { +- char fpath[PATH_MAX]; +- struct stat a, b; +- +- if (path[0] != '/') +- return -EINVAL; +- +- if (fstat(fd, &a) < 0) +- return -errno; +- +- strncpy(stpcpy(fpath, "/dev/mqueue"), path, sizeof(fpath) - 12); +- fpath[sizeof(fpath)-1] = 0; +- +- if (stat(fpath, &b) < 0) +- 
return -errno; +- +- if (a.st_dev != b.st_dev || +- a.st_ino != b.st_ino) +- return 0; +- } +- +- return 1; +-#endif +-} +- +-_sd_export_ int sd_notify(int unset_environment, const char *state) { +-#if defined(DISABLE_SYSTEMD) || !defined(__linux__) || !defined(SOCK_CLOEXEC) +- return 0; +-#else +- int fd = -1, r; +- struct msghdr msghdr; +- struct iovec iovec; +- union sockaddr_union sockaddr; +- const char *e; +- +- if (!state) { +- r = -EINVAL; +- goto finish; +- } +- +- e = getenv("NOTIFY_SOCKET"); +- if (!e) +- return 0; +- +- /* Must be an abstract socket, or an absolute path */ +- if ((e[0] != '@' && e[0] != '/') || e[1] == 0) { +- r = -EINVAL; +- goto finish; +- } +- +- fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0); +- if (fd < 0) { +- r = -errno; +- goto finish; +- } +- +- memset(&sockaddr, 0, sizeof(sockaddr)); +- sockaddr.sa.sa_family = AF_UNIX; +- strncpy(sockaddr.un.sun_path, e, sizeof(sockaddr.un.sun_path)); +- +- if (sockaddr.un.sun_path[0] == '@') +- sockaddr.un.sun_path[0] = 0; +- +- memset(&iovec, 0, sizeof(iovec)); +- iovec.iov_base = (char*) state; +- iovec.iov_len = strlen(state); +- +- memset(&msghdr, 0, sizeof(msghdr)); +- msghdr.msg_name = &sockaddr; +- msghdr.msg_namelen = offsetof(struct sockaddr_un, sun_path) + strlen(e); +- +- if (msghdr.msg_namelen > sizeof(struct sockaddr_un)) +- msghdr.msg_namelen = sizeof(struct sockaddr_un); +- +- msghdr.msg_iov = &iovec; +- msghdr.msg_iovlen = 1; +- +- if (sendmsg(fd, &msghdr, MSG_NOSIGNAL) < 0) { +- r = -errno; +- goto finish; +- } +- +- r = 1; +- +-finish: +- if (unset_environment) +- unsetenv("NOTIFY_SOCKET"); +- +- if (fd >= 0) +- close(fd); +- +- return r; +-#endif +-} +- +-_sd_export_ int sd_notifyf(int unset_environment, const char *format, ...) 
{ +-#if defined(DISABLE_SYSTEMD) || !defined(__linux__) +- return 0; +-#else +- va_list ap; +- char *p = NULL; +- int r; +- +- va_start(ap, format); +- r = vasprintf(&p, format, ap); +- va_end(ap); +- +- if (r < 0 || !p) +- return -ENOMEM; +- +- r = sd_notify(unset_environment, p); +- free(p); +- +- return r; +-#endif +-} +- +-_sd_export_ int sd_booted(void) { +-#if defined(DISABLE_SYSTEMD) || !defined(__linux__) +- return 0; +-#else +- struct stat st; +- +- /* We test whether the runtime unit file directory has been +- * created. This takes place in mount-setup.c, so is +- * guaranteed to happen very early during boot. */ +- +- if (lstat("/run/systemd/system/", &st) < 0) +- return 0; +- +- return !!S_ISDIR(st.st_mode); +-#endif +-} +diff --git a/sd-daemon.h b/sd-daemon.h +deleted file mode 100644 +index daa3f4c857..0000000000 +--- a/sd-daemon.h ++++ /dev/null +@@ -1,282 +0,0 @@ +-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ +- +-#ifndef foosddaemonhfoo +-#define foosddaemonhfoo +- +-/*** +- Copyright 2010 Lennart Poettering +- +- Permission is hereby granted, free of charge, to any person +- obtaining a copy of this software and associated documentation files +- (the "Software"), to deal in the Software without restriction, +- including without limitation the rights to use, copy, modify, merge, +- publish, distribute, sublicense, and/or sell copies of the Software, +- and to permit persons to whom the Software is furnished to do so, +- subject to the following conditions: +- +- The above copyright notice and this permission notice shall be +- included in all copies or substantial portions of the Software. +- +- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +- NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS +- BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN +- ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +- CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +- SOFTWARE. +-***/ +- +-#include +-#include +- +-#ifdef __cplusplus +-extern "C" { +-#endif +- +-/* +- Reference implementation of a few systemd related interfaces for +- writing daemons. These interfaces are trivial to implement. To +- simplify porting we provide this reference implementation. +- Applications are welcome to reimplement the algorithms described +- here if they do not want to include these two source files. +- +- The following functionality is provided: +- +- - Support for logging with log levels on stderr +- - File descriptor passing for socket-based activation +- - Daemon startup and status notification +- - Detection of systemd boots +- +- You may compile this with -DDISABLE_SYSTEMD to disable systemd +- support. This makes all those calls NOPs that are directly related to +- systemd (i.e. only sd_is_xxx() will stay useful). +- +- Since this is drop-in code we don't want any of our symbols to be +- exported in any case. Hence we declare hidden visibility for all of +- them. +- +- You may find an up-to-date version of these source files online: +- +- http://cgit.freedesktop.org/systemd/systemd/plain/src/systemd/sd-daemon.h +- http://cgit.freedesktop.org/systemd/systemd/plain/src/libsystemd-daemon/sd-daemon.c +- +- This should compile on non-Linux systems, too, but with the +- exception of the sd_is_xxx() calls all functions will become NOPs. +- +- See sd-daemon(3) for more information. 
+-*/ +- +-#ifndef _sd_printf_attr_ +-# if __GNUC__ >= 4 +-# define _sd_printf_attr_(a,b) __attribute__ ((format (printf, a, b))) +-# else +-# define _sd_printf_attr_(a,b) +-# endif +-#endif +- +-/* +- Log levels for usage on stderr: +- +- fprintf(stderr, SD_NOTICE "Hello World!\n"); +- +- This is similar to printk() usage in the kernel. +-*/ +-#define SD_EMERG "<0>" /* system is unusable */ +-#define SD_ALERT "<1>" /* action must be taken immediately */ +-#define SD_CRIT "<2>" /* critical conditions */ +-#define SD_ERR "<3>" /* error conditions */ +-#define SD_WARNING "<4>" /* warning conditions */ +-#define SD_NOTICE "<5>" /* normal but significant condition */ +-#define SD_INFO "<6>" /* informational */ +-#define SD_DEBUG "<7>" /* debug-level messages */ +- +-/* The first passed file descriptor is fd 3 */ +-#define SD_LISTEN_FDS_START 3 +- +-/* +- Returns how many file descriptors have been passed, or a negative +- errno code on failure. Optionally, removes the $LISTEN_FDS and +- $LISTEN_PID file descriptors from the environment (recommended, but +- problematic in threaded environments). If r is the return value of +- this function you'll find the file descriptors passed as fds +- SD_LISTEN_FDS_START to SD_LISTEN_FDS_START+r-1. Returns a negative +- errno style error code on failure. This function call ensures that +- the FD_CLOEXEC flag is set for the passed file descriptors, to make +- sure they are not passed on to child processes. If FD_CLOEXEC shall +- not be set, the caller needs to unset it after this call for all file +- descriptors that are used. +- +- See sd_listen_fds(3) for more information. +-*/ +-int sd_listen_fds(int unset_environment); +- +-/* +- Helper call for identifying a passed file descriptor. Returns 1 if +- the file descriptor is a FIFO in the file system stored under the +- specified path, 0 otherwise. If path is NULL a path name check will +- not be done and the call only verifies if the file descriptor +- refers to a FIFO. 
Returns a negative errno style error code on +- failure. +- +- See sd_is_fifo(3) for more information. +-*/ +-int sd_is_fifo(int fd, const char *path); +- +-/* +- Helper call for identifying a passed file descriptor. Returns 1 if +- the file descriptor is a special character device on the file +- system stored under the specified path, 0 otherwise. +- If path is NULL a path name check will not be done and the call +- only verifies if the file descriptor refers to a special character. +- Returns a negative errno style error code on failure. +- +- See sd_is_special(3) for more information. +-*/ +-int sd_is_special(int fd, const char *path); +- +-/* +- Helper call for identifying a passed file descriptor. Returns 1 if +- the file descriptor is a socket of the specified family (AF_INET, +- ...) and type (SOCK_DGRAM, SOCK_STREAM, ...), 0 otherwise. If +- family is 0 a socket family check will not be done. If type is 0 a +- socket type check will not be done and the call only verifies if +- the file descriptor refers to a socket. If listening is > 0 it is +- verified that the socket is in listening mode. (i.e. listen() has +- been called) If listening is == 0 it is verified that the socket is +- not in listening mode. If listening is < 0 no listening mode check +- is done. Returns a negative errno style error code on failure. +- +- See sd_is_socket(3) for more information. +-*/ +-int sd_is_socket(int fd, int family, int type, int listening); +- +-/* +- Helper call for identifying a passed file descriptor. Returns 1 if +- the file descriptor is an Internet socket, of the specified family +- (either AF_INET or AF_INET6) and the specified type (SOCK_DGRAM, +- SOCK_STREAM, ...), 0 otherwise. If version is 0 a protocol version +- check is not done. If type is 0 a socket type check will not be +- done. If port is 0 a socket port check will not be done. The +- listening flag is used the same way as in sd_is_socket(). Returns a +- negative errno style error code on failure. 
+-
+- See sd_is_socket_inet(3) for more information.
+-*/
+-int sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port);
+-
+-/*
+- Helper call for identifying a passed file descriptor. Returns 1 if
+- the file descriptor is an AF_UNIX socket of the specified type
+- (SOCK_DGRAM, SOCK_STREAM, ...) and path, 0 otherwise. If type is 0
+- a socket type check will not be done. If path is NULL a socket path
+- check will not be done. For normal AF_UNIX sockets set length to
+- 0. For abstract namespace sockets set length to the length of the
+- socket name (including the initial 0 byte), and pass the full
+- socket path in path (including the initial 0 byte). The listening
+- flag is used the same way as in sd_is_socket(). Returns a negative
+- errno style error code on failure.
+-
+- See sd_is_socket_unix(3) for more information.
+-*/
+-int sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length);
+-
+-/*
+- Helper call for identifying a passed file descriptor. Returns 1 if
+- the file descriptor is a POSIX Message Queue of the specified name,
+- 0 otherwise. If path is NULL a message queue name check is not
+- done. Returns a negative errno style error code on failure.
+-*/
+-int sd_is_mq(int fd, const char *path);
+-
+-/*
+- Informs systemd about changed daemon state. This takes a number of
+- newline separated environment-style variable assignments in a
+- string. The following variables are known:
+-
+- READY=1 Tells systemd that daemon startup is finished (only
+- relevant for services of Type=notify). The passed
+- argument is a boolean "1" or "0". Since there is
+- little value in signaling non-readiness the only
+- value daemons should send is "READY=1".
+-
+- STATUS=... Passes a single-line status string back to systemd
+- that describes the daemon state. This is free-from
+- and can be used for various purposes: general state
+- feedback, fsck-like programs could pass completion
+- percentages and failing programs could pass a human
+- readable error message. Example: "STATUS=Completed
+- 66% of file system check..."
+-
+- ERRNO=... If a daemon fails, the errno-style error code,
+- formatted as string. Example: "ERRNO=2" for ENOENT.
+-
+- BUSERROR=... If a daemon fails, the D-Bus error-style error
+- code. Example: "BUSERROR=org.freedesktop.DBus.Error.TimedOut"
+-
+- MAINPID=... The main pid of a daemon, in case systemd did not
+- fork off the process itself. Example: "MAINPID=4711"
+-
+- WATCHDOG=1 Tells systemd to update the watchdog timestamp.
+- Services using this feature should do this in
+- regular intervals. A watchdog framework can use the
+- timestamps to detect failed services.
+-
+- Daemons can choose to send additional variables. However, it is
+- recommended to prefix variable names not listed above with X_.
+-
+- Returns a negative errno-style error code on failure. Returns > 0
+- if systemd could be notified, 0 if it couldn't possibly because
+- systemd is not running.
+-
+- Example: When a daemon finished starting up, it could issue this
+- call to notify systemd about it:
+-
+- sd_notify(0, "READY=1");
+-
+- See sd_notifyf() for more complete examples.
+-
+- See sd_notify(3) for more information.
+-*/
+-int sd_notify(int unset_environment, const char *state);
+-
+-/*
+- Similar to sd_notify() but takes a format string.
+-
+- Example 1: A daemon could send the following after initialization:
+-
+- sd_notifyf(0, "READY=1\n"
+- "STATUS=Processing requests...\n"
+- "MAINPID=%lu",
+- (unsigned long) getpid());
+-
+- Example 2: A daemon could send the following shortly before
+- exiting, on failure:
+-
+- sd_notifyf(0, "STATUS=Failed to start up: %s\n"
+- "ERRNO=%i",
+- strerror(errno),
+- errno);
+-
+- See sd_notifyf(3) for more information.
+-*/
+-int sd_notifyf(int unset_environment, const char *format, ...) _sd_printf_attr_(2,3);
+-
+-/*
+- Returns > 0 if the system was booted with systemd. Returns < 0 on
+- error. Returns 0 if the system was not booted with systemd. Note
+- that all of the functions above handle non-systemd boots just
+- fine. You should NOT protect them with a call to this function. Also
+- note that this function checks whether the system, not the user
+- session is controlled by systemd. However the functions above work
+- for both user and system services.
+-
+- See sd_booted(3) for more information.
+-*/
+-int sd_booted(void);
+-
+-#ifdef __cplusplus
+-}
+-#endif
+-
+-#endif
diff --git a/SOURCES/format-security.patch b/SOURCES/format-security.patch
new file mode 100644
index 0000000..994bebf
--- /dev/null
+++ b/SOURCES/format-security.patch
@@ -0,0 +1,13 @@
+diff -ruN rtkit-0.11.orig/Makefile.am rtkit-0.11/Makefile.am
+--- rtkit-0.11.orig/Makefile.am 2017-05-12 12:56:52.245623657 -0400
++++ rtkit-0.11/Makefile.am 2017-05-12 13:24:27.206304970 -0400
+@@ -18,6 +18,8 @@
+ AM_CFLAGS = $(WARNINGFLAGS) $(PTHREAD_CFLAGS)
+ AM_LDFLAGS = $(GCLDFLAGS)
+
++CFLAGS += -Wno-error=format-security
++
+ ACLOCAL_AMFLAGS = -I m4
+
+ policykitdir = $(datadir)/polkit-1/actions/
+Binary files rtkit-0.11.orig/.Makefile.am.swp and rtkit-0.11/.Makefile.am.swp differ
diff --git a/SOURCES/rtkit-controlgroup.patch b/SOURCES/rtkit-controlgroup.patch
new file mode 100644
index 0000000..7a36dee
--- /dev/null
+++ b/SOURCES/rtkit-controlgroup.patch
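Review bot: The `CFLAGS += -Wno-error=format-security` line added to Makefile.am in SOURCES/format-security.patch downgrades the format-string check to a warning for every object in the build rather than fixing the call that trips it, and the spec on this page still applies it as Patch4 under a comment that says "Temporarily" although its changelog dates the workaround to May 2017. For a D-Bus system service that runs with a capability set, I would drop the patch and pass the offending message through a literal format (`"%s", msg`) at the flagged call site, which is not visible in this hunk. The trailing `Binary files … .Makefile.am.swp … differ` line also shows the patch was generated over a tree holding an editor swap file, so it is worth regenerating cleanly.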
@@ -0,0 +1,14 @@
+diff --git rtkit-0.11/rtkit-daemon.service.in~ rtkit-0.11/rtkit-daemon.service.in
+index 3dfefa6..d0dc786 100644
+--- rtkit-0.11/rtkit-daemon.service.in~
++++ rtkit-0.11/rtkit-daemon.service.in
+@@ -27,9 +27,5 @@ CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SYS_CH
+ PrivateTmp=yes
+ PrivateNetwork=yes
+
+-# Work around the fact that the Linux currently doesn't assign any RT
+-# budget to CPU control groups that have none configured explicitly
+-ControlGroup=cpu:/
+-
+ [Install]
+ WantedBy=graphical.target
diff --git a/SOURCES/rtkit-mq_getattr.patch b/SOURCES/rtkit-mq_getattr.patch
new file mode 100644
index 0000000..2cb63c7
--- /dev/null
+++ b/SOURCES/rtkit-mq_getattr.patch
@@ -0,0 +1,12 @@
+diff --git a/configure.ac b/configure.ac
+index 5a77363..45721a5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -112,6 +112,7 @@ CC="$PTHREAD_CC"
+
+ AC_SEARCH_LIBS([sched_setscheduler], [rt])
+ AC_SEARCH_LIBS([clock_gettime], [rt])
++AC_SEARCH_LIBS([mq_getattr], [rt])
+ AC_SEARCH_LIBS([cap_init], [cap])
+
+ PKG_CHECK_MODULES(DBUS, dbus-1)
diff --git a/SPECS/rtkit.spec b/SPECS/rtkit.spec
new file mode 100644
index 0000000..6971b31
--- /dev/null
+++ b/SPECS/rtkit.spec
@@ -0,0 +1,218 @@
+Name: rtkit
+Version: 0.11
+Release: 28%{?dist}
+Summary: Realtime Policy and Watchdog Daemon
+# The daemon itself is GPLv3+, the reference implementation for the client BSD
+License: GPLv3+ and BSD
+URL: http://git.0pointer.net/rtkit.git/
+Requires: dbus
+Requires: polkit
+BuildRequires: make
+BuildRequires: systemd-devel
+BuildRequires: dbus-devel >= 1.2
+BuildRequires: libcap-devel
+BuildRequires: polkit-devel
+BuildRequires: autoconf automake libtool
+Source0: http://0pointer.de/public/%{name}-%{version}.tar.xz
+Patch1: rtkit-mq_getattr.patch
+Patch2: 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
+Patch3: rtkit-controlgroup.patch
+
+# Temporarily disable -Werror=format-security since it breaks the build
+Patch4: format-security.patch
+
+Patch5: 0001-Fix-borked-error-check.patch
+Patch6: 0001-systemd-update-sd-daemon.-ch.patch
+Patch7: 0002-Remove-bundled-copy-of-sd-daemon.-ch.patch
+
+%description
+RealtimeKit is a D-Bus system service that changes the
+scheduling policy of user processes/threads to SCHED_RR (i.e. realtime
+scheduling mode) on request. It is intended to be used as a secure
+mechanism to allow real-time scheduling to be used by normal user
+processes.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fvi
+%configure --with-systemdsystemunitdir=%{_unitdir}
+%make_build
+./rtkit-daemon --introspect > org.freedesktop.RealtimeKit1.xml
+
+%install
+%make_install
+install -Dm0644 org.freedesktop.RealtimeKit1.xml %{buildroot}%{_datadir}/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml
+
+%pre
+getent group rtkit >/dev/null 2>&1 || groupadd \
+ -r \
+ -g 172 \
+ rtkit
+getent passwd rtkit >/dev/null 2>&1 || useradd \
+ -r -l \
+ -u 172 \
+ -g rtkit \
+ -d /proc \
+ -s /sbin/nologin \
+ -c "RealtimeKit" \
+ rtkit
+:;
+
+%post
+%systemd_post rtkit-daemon.service
+dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig >/dev/null 2>&1 || :
+
+%preun
+%systemd_preun rtkit-daemon.service
+
+%postun
+%systemd_postun_with_restart rtkit-daemon.service
+
+%files
+%doc README GPL LICENSE rtkit.c rtkit.h
+%attr(0755,root,root) %{_sbindir}/rtkitctl
+%attr(0755,root,root) %{_libexecdir}/rtkit-daemon
+%{_datadir}/dbus-1/system-services/org.freedesktop.RealtimeKit1.service
+%{_datadir}/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml
+%{_datadir}/polkit-1/actions/org.freedesktop.RealtimeKit1.policy
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf
+%{_prefix}/lib/systemd/system/rtkit-daemon.service
+%{_mandir}/man8/*
+
+%changelog
+* Tue Aug 10 2021 Mohan Boddu - 0.11-28
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu - 0.11-27
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering - 0.11-26
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sun Jan 24 2021 Zbigniew Jędrzejewski-Szmek - 0.11-22
+- Stop using a bundled subset of libsystemd (#1907730)
+
+* Sat Aug 01 2020 Fedora Release Engineering - 0.11-25
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 0.11-24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jan 30 2020 Fedora Release Engineering - 0.11-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Aug 2 2019 Zbigniew Jędrzejewski-Szmek - 0.11-22
+- Fix %%systemd_postun macro use (#1736594)
+
+* Fri Jul 26 2019 Fedora Release Engineering - 0.11-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering - 0.11-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Oct 9 2018 Zbigniew Jędrzejewski-Szmek - 0.11-20
+- Modernize a bit and fix BuildRequires (#1637496)
+
+* Sat Jul 14 2018 Fedora Release Engineering - 0.11-19
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering - 0.11-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering - 0.11-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 0.11-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri May 12 2017 Stephen Gallagher - 0.11-15
+- Temporarily disable -Werror=format-security to unbreak the build
+- Build with verbose command-line visible in the logs
+- Resolves: rhbz#1424270
+
+* Sat Feb 11 2017 Fedora Release Engineering - 0.11-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.11-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Nov 4 2015 Zbigniew Jędrzejewski-Szmek - 0.11-12
+- Make dbus interface file non-executable (#1245938)
+
+* Thu Jun 18 2015 Fedora Release Engineering - 0.11-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Aug 18 2014 Fedora Release Engineering - 0.11-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering - 0.11-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Nov 16 2013 Zbigniew Jędrzejewski-Szmek - 0.11-8
+- Use a simpler patch for -lrt.
+- Remove ControlGroup setting from the service file
+ Resolves: #1010534
+- Turn on hardening flags
+ Resolves: #996735, #1008399
+
+* Mon Sep 23 2013 Colin Walters - 0.11-7
+- CVE-2013-4326
+ Resolves: #1009543
+
+* Thu Aug 22 2013 Colin Walters - 0.11-6
+- Add patch to make this build again
+
+* Sun Aug 04 2013 Fedora Release Engineering - 0.11-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Sep 14 2012 Lennart Poettering - 0.11-3
+- Make use of the new systemd macros
+
+* Sat Jul 21 2012 Fedora Release Engineering - 0.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue May 15 2012 Lennart Poettering - 0.11-1
+- New upstream release
+
+* Sat Jan 14 2012 Fedora Release Engineering - 0.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Feb 17 2011 Lennart Poettering - 0.10-1
+- new upstream release
+
+* Wed Feb 09 2011 Fedora Release Engineering - 0.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Aug 4 2010 Lennart Poettering - 0.9-2
+- Convert systemd-install to systemctl
+
+* Tue Jul 13 2010 Lennart Poettering - 0.9-1
+- New upstream release
+
+* Tue Jun 29 2010 Lennart Poettering - 0.8-1
+- New upstream release
+
+* Fri Dec 18 2009 Lennart Poettering - 0.5-1
+- New release
+- By default don't demote unknown threads
+- Make messages less cute
+- Fixes 530582
+
+* Wed Aug 5 2009 Lennart Poettering - 0.4-1
+- New release
+
+* Sun Jul 26 2009 Fedora Release Engineering - 0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jul 2 2009 Lennart Poettering - 0.3-1
+- New release
+
+* Wed Jun 17 2009 Lennart Poettering - 0.2-1
+- Initial packaging
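Review bot: `Source0:` and `URL:` in SPECS/rtkit.spec use plain-HTTP locations and nothing in `%prep` verifies an upstream signature, so the spec itself does not authenticate the tarball and integrity rests on whatever checksum pins it outside this file. If the host serves the file over TLS, `Source0: https://0pointer.de/public/%{name}-%{version}.tar.xz` is the smaller exposure. Separately, `%files` hard-codes `%{_prefix}/lib/systemd/system/rtkit-daemon.service` while `%configure` installs to `%{_unitdir}`; listing `%{_unitdir}/rtkit-daemon.service` keeps the two in step. The changelog entry dated Jan 24 2021 is labelled 0.11-22, out of sequence with its neighbours 0.11-26 and 0.11-25.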