diff --git a/.gitignore b/.gitignore
index ef9ab3c..f99bea8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/stalld-1.19.1.tar.bz2
+SOURCES/stalld-1.19.6.tar.bz2
diff --git a/.stalld.metadata b/.stalld.metadata
index f09b2c5..2e60fd0 100644
--- a/.stalld.metadata
+++ b/.stalld.metadata
@@ -1 +1 @@
-5830e75cdc32cf0953ce9f223c9074681211c0d8 SOURCES/stalld-1.19.1.tar.bz2
+406389a8a23b5fa8c6511194461c4458120cc17e SOURCES/stalld-1.19.6.tar.bz2
diff --git a/SOURCES/Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch b/SOURCES/Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch
deleted file mode 100644
index 20817a3..0000000
--- a/SOURCES/Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From f9c0ade7cd9a514d4ca6f81f797284e11c56b31a Mon Sep 17 00:00:00 2001
-From: Chris White
-Date: Wed, 21 Feb 2024 15:22:44 -0500
-Subject: [PATCH] Make fill_process_comm() open comm file as READ_ONLY
-
-The fill_process_comm() opens the comm file using O_RDWR. The
-function itself does not perform a write operation on the file,
-and opening this in read and write mode can cause selinux policy
-violations where opening the file with write permission is
-restricted. Since the function itself only needs to read from this
-fd, changing this to READ_ONLY (O_RDONLY)
-
-Signed-off-by: Chris White
-Signed-off-by: John Kacur
---
- src/utils.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/utils.c b/src/utils.c
-index f6feca7040d8..898f4a5d06a7 100644
---- a/src/utils.c
-+++ b/src/utils.c
-@@ -55,7 +55,7 @@ int fill_process_comm(int tgid, int pid, char *comm, int comm_size)
- if (retval < 0)
- goto out_error;
-
-- fd = open(path, O_RDWR);
-+ fd = open(path, O_RDONLY);
- if (fd < 0) {
- log_msg("failed to open comm file at %s\n", path);
- goto out_error;
---
-2.43.0
-
diff --git a/SPECS/stalld.spec b/SPECS/stalld.spec
index b046e7e..b8f26a4 100644
--- a/SPECS/stalld.spec
+++ b/SPECS/stalld.spec
@@ -1,6 +1,6 @@
 Name: stalld
-Version: 1.19.1
-Release: 2%{?dist}
+Version: 1.19.6
+Release: 1%{?dist}
 Summary: Daemon that finds starving tasks and gives them a temporary boost
 License: GPLv2
 
@@ -22,8 +22,7 @@ BuildRequires: libbpf-devel
 Requires: libbpf
 %endif
 
-# Patches
-Patch1: Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch
+%define _hardened_build 1
 
 %description
 The stalld program monitors the set of system threads,
@@ -37,7 +36,7 @@ allow 10 microseconds of runtime for 1 second of clock time.
 %autosetup -p1
 
 %build
-%make_build CFLAGS="%{optflags} %{build_cflags} -DVERSION="\\\"%{version}\\\""" LDFLAGS="%{build_ldflags}"
+%make_build RPMCFLAGS="%{optflags} %{build_cflags} -DVERSION="\\\"%{version}\\\""" RPMLDFLAGS="%{build_ldflags}"
 
 %install
 %make_install DOCDIR=%{_docdir} MANDIR=%{_mandir} BINDIR=%{_bindir} DATADIR=%{_datadir} VERSION=%{version}
@@ -62,6 +61,23 @@ allow 10 microseconds of runtime for 1 second of clock time.
 %systemd_postun_with_restart %{name}.service
 
 %changelog
+* Thu Aug 22 2024 Chris White - 1.19.6-1
+- Makefile: add uninstall target
+- systemd: add BE environment variable to select backend
+Resolves: RHEL-33662
+
+* Wed Jul 31 2024 Chris White - 1.19.5-2
+- Fix changelog to use RPMCFLAGS, allowing for bpf to be used
+Resolves: RHEL-33662
+
+* Thu Jul 18 2024 Chris White - 1.19.5-1
+- Updated compile options for annocheck hardening
+- Ensure we resolve library symbols at load time (-z now) and are a Position Independent Executable (-pie). Refactored compile options to better deal with arch differences.
+- Added an 'annocheck' makefile target for local checking.
+- Makefile: change build to use FORTIFY_SOURCE=3
+- src/utils.c: fix off-by-one error in buffer allocation
+Resolves: RHEL-33662
+
 * Wed Feb 21 2024 John Kacur - 1.19.1-2
 - Make fill_process_comm() open comm file as READ_ONLY
 Resolves: RHEL-25846
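Review bot: The `Patch1` line is removed (second spec hunk) and the patch file deleted, but nothing in this diff or in the new 1.19.6-1 changelog entry records that the fill_process_comm() O_RDONLY change is carried by the stalld-1.19.6 tarball; if it is not, the SELinux-related fix shipped in 1.19.1-2 regresses silently with the rebase. Confirm the change is present upstream and state it in the 1.19.6-1 entry, e.g. `- Drop Patch1: fill_process_comm() O_RDONLY change included upstream in 1.19.6`. The added `%define _hardened_build 1` would be better written as `%global _hardened_build 1`, since packaging guidelines prefer %global for file-scope macro definitions and %define has scoping surprises. The .gitignore, .stalld.metadata and deleted-patch hunks are version-bump and pure-deletion changes and raise nothing further.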