From 84f4f5104bd456840dcd53fdff0ecc7501ccfea7 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 28 Mar 2024 11:56:35 +0000 Subject: [PATCH] import CS toolbox-0.0.99.5-2.el9 --- .gitignore | 2 +- .toolbox.metadata | 2 +- ...ation-paths-for-coreos-toolbox-users.patch | 39 ++--- ...se-podman-1-when-generating-the-comp.patch | 89 ----------- ...alidate-subordinate-IDs-when-generat.patch | 149 ------------------ ...ags-match-Fedora-s-gobuild-for-PPC64.patch | 54 +++++++ ...e-build-flags-match-Fedora-s-gobuild.patch | 54 +++++++ ...flags-match-RHEL-s-gobuild-for-PPC64.patch | 4 +- ...the-build-flags-match-RHEL-s-gobuild.patch | 4 +- ...r-Be-aware-of-security-hardened-moun.patch | 76 --------- SPECS/toolbox.spec | 106 +++++++++---- 11 files changed, 210 insertions(+), 369 deletions(-) delete mode 100644 SOURCES/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch delete mode 100644 SOURCES/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch create mode 100644 SOURCES/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch create mode 100644 SOURCES/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch delete mode 100644 SOURCES/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch diff --git a/.gitignore b/.gitignore index 664c5f3..3d03030 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/toolbox-0.0.99.4-vendored.tar.xz +SOURCES/toolbox-0.0.99.5-vendored.tar.xz diff --git a/.toolbox.metadata b/.toolbox.metadata index 45e9044..4b7410d 100644 --- a/.toolbox.metadata +++ b/.toolbox.metadata @@ -1 +1 @@ -3a2506e53c44cab54d476ee38af7197175e8af10 SOURCES/toolbox-0.0.99.4-vendored.tar.xz +9b8595f66d8dd76636c308426919bb81cba5498a SOURCES/toolbox-0.0.99.5-vendored.tar.xz diff --git a/SOURCES/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch b/SOURCES/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch index 88003a3..1e3e254 100644 --- a/SOURCES/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch 
+++ b/SOURCES/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch @@ -1,4 +1,4 @@ -From d461caa5b1a278124d039df93140d2d5bf4eabe7 Mon Sep 17 00:00:00 2001 +From 4587b6e9240bf936b760e901435c4cfdd9c582b6 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Wed, 18 Aug 2021 17:55:21 +0200 Subject: [PATCH 1/2] cmd/run: Make sosreport work by setting the HOST @@ -10,10 +10,10 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1940037 1 file changed, 1 insertion(+) diff --git a/src/cmd/run.go b/src/cmd/run.go -index 7657ffa50821..23d422623b14 100644 +index e2e31d9da4e6..84ad46518bfc 100644 --- a/src/cmd/run.go +++ b/src/cmd/run.go -@@ -501,6 +501,7 @@ func constructExecArgs(container, preserveFDs string, +@@ -498,6 +498,7 @@ func constructExecArgs(container, preserveFDs string, execArgs = append(execArgs, envOptions...) execArgs = append(execArgs, []string{ @@ -22,10 +22,10 @@ index 7657ffa50821..23d422623b14 100644 "--preserve-fds", preserveFDs, }...) -- -2.39.2 +2.43.0 -From 3c2c67752e8f88f72058799cbce3612fc937b230 Mon Sep 17 00:00:00 2001 +From 892c33ed75443de90a2caa90959387bbc270c564 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Fri, 10 Dec 2021 13:42:15 +0100 Subject: [PATCH 2/2] test/system: Update to test the migration path for @@ -36,33 +36,36 @@ This reverts the changes to the tests made in commit ca899c8a561f357ae32c6ba6813520fd8b682abb and the parts of commit 3aeb7cf288319e35eb9c5e26ea18d97452462c1e that were removed. --- - test/system/002-help.bats | 11 ----------- + test/system/002-help.bats | 14 -------------- test/system/100-root.bats | 27 +++++++++++++++++++++++++++ - 2 files changed, 27 insertions(+), 11 deletions(-) + 2 files changed, 27 insertions(+), 14 deletions(-) create mode 100644 test/system/100-root.bats diff --git a/test/system/002-help.bats b/test/system/002-help.bats -index 7e4565e9d23d..58a4c2c87ece 100644 +index 695c51f92e7e..5fa4c6fe0b4c 100644 --- a/test/system/002-help.bats 
+++ b/test/system/002-help.bats -@@ -23,17 +23,6 @@ setup() { +@@ -23,20 +23,6 @@ setup() { _setup_environment } --@test "help: Try to run toolbox with no command" { -- run $TOOLBOX +-@test "help: Smoke test" { +- run --keep-empty-lines --separate-stderr "$TOOLBOX" - - assert_failure +- assert [ ${#lines[@]} -eq 0 ] +- lines=("${stderr_lines[@]}") - assert_line --index 0 "Error: missing command" -- assert_line --index 1 "create Create a new toolbox container" -- assert_line --index 2 "enter Enter an existing toolbox container" -- assert_line --index 3 "list List all existing toolbox containers and images" -- assert_line --index 4 "Run 'toolbox --help' for usage." +- assert_line --index 2 "create Create a new toolbox container" +- assert_line --index 3 "enter Enter an existing toolbox container" +- assert_line --index 4 "list List all existing toolbox containers and images" +- assert_line --index 6 "Run 'toolbox --help' for usage." +- assert [ ${#stderr_lines[@]} -eq 7 ] -} - - @test "help: Run command 'help'" { + @test "help: Command 'help'" { if ! command -v man 2>/dev/null; then - skip "Test works only if man is in PATH" + skip "not found man(1)" diff --git a/test/system/100-root.bats b/test/system/100-root.bats new file mode 100644 index 000000000000..32d87904213e @@ -97,5 +100,5 @@ index 000000000000..32d87904213e + skip "Testing of entering toolboxes is not implemented" +} -- -2.39.2 +2.43.0 diff --git a/SOURCES/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch b/SOURCES/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch deleted file mode 100644 index 85c7289..0000000 --- a/SOURCES/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From fc5f568c5d82f4a16982268fa67092e52be91fbe Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Tue, 28 Feb 2023 17:12:04 +0100 -Subject: [PATCH] cmd/root: Don't use podman(1) when generating the completions - -Ever since commit bafbbe81c9220cb3, the shell completions are generated -while building Toolbx using the 'completion' command. This involves -running toolbox(1) itself, and hence invoking 'podman version' to decide -if 'podman system migrate' is needed or not. - -Unfortunately, some build environments, like Fedora's, are set up inside -a chroot(2) or systemd-nspawn(1) or similar, where 'podman version' may -not work because it does various things with namespaces(7) and clone(2) -that can, under certain circumstances, encounter an EPERM. - -Therefore, it's better to avoid using podman(1) when generating the -shell completions, especially, since they are generated by Cobra itself -and podman(1) is not involved at all. - -Note that podman(1) is needed when the generated shell completions are -actually used in interactive command line environments. The shell -completions invoke the hidden '__complete' command to get the results -that are presented to the user, and, if needed, 'podman system migrate' -will continue to be run as part of that. - -This partially reverts commit f3e005d0142d7ec76d5ac8f0a2f331a52fd46011 -because podman(1) is now only an optional runtime dependency for the -system tests. 
- -https://github.com/containers/podman/issues/17657 ---- - meson.build | 2 +- - src/cmd/root.go | 9 +++++++-- - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/meson.build b/meson.build -index 6f044bb204e3..653a3d3ac588 100644 ---- a/meson.build -+++ b/meson.build -@@ -18,12 +18,12 @@ subid_dep = cc.find_library('subid', has_headers: ['shadow/subid.h']) - - go = find_program('go') - go_md2man = find_program('go-md2man') --podman = find_program('podman') - - bats = find_program('bats', required: false) - codespell = find_program('codespell', required: false) - htpasswd = find_program('htpasswd', required: false) - openssl = find_program('openssl', required: false) -+podman = find_program('podman', required: false) - shellcheck = find_program('shellcheck', required: false) - skopeo = find_program('skopeo', required: false) - -diff --git a/src/cmd/root.go b/src/cmd/root.go -index 304b03dcd889..9975ccc7a4c8 100644 ---- a/src/cmd/root.go -+++ b/src/cmd/root.go -@@ -166,7 +166,7 @@ func preRun(cmd *cobra.Command, args []string) error { - - logrus.Debugf("TOOLBOX_PATH is %s", toolboxPath) - -- if err := migrate(); err != nil { -+ if err := migrate(cmd, args); err != nil { - return err - } - -@@ -211,13 +211,18 @@ func rootRun(cmd *cobra.Command, args []string) error { - return rootRunImpl(cmd, args) - } - --func migrate() error { -+func migrate(cmd *cobra.Command, args []string) error { - logrus.Debug("Migrating to newer Podman") - - if utils.IsInsideContainer() { - return nil - } - -+ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName { -+ logrus.Debugf("Migration not needed: command %s doesn't need it", cmdName) -+ return nil -+ } -+ - configDir, err := os.UserConfigDir() - if err != nil { - logrus.Debugf("Migrating to newer Podman: failed to get the user config directory: %s", err) --- -2.39.1 - 
diff --git a/SOURCES/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch b/SOURCES/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch deleted file mode 100644 index 3d5812e..0000000 --- a/SOURCES/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch +++ /dev/null 
@@ -1,149 +0,0 @@ -From 52de8d4a933ab6a4b1b6ef1c02c7e9f1f834c4a5 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Wed, 1 Mar 2023 19:41:56 +0100 -Subject: [PATCH 1/3] cmd/root: Sprinkle a debug log - -https://github.com/containers/toolbox/pull/1251 ---- - src/cmd/root.go | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/cmd/root.go b/src/cmd/root.go -index 304b03dcd889..82fbfd651c33 100644 ---- a/src/cmd/root.go -+++ b/src/cmd/root.go -@@ -215,6 +215,7 @@ func migrate() error { - logrus.Debug("Migrating to newer Podman") - - if utils.IsInsideContainer() { -+ logrus.Debug("Migration not needed: running inside a container") - return nil - } - --- -2.39.2 - - -From 0beab62c935cd1166d6b03f58c519bbc7b040221 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Wed, 1 Mar 2023 19:46:11 +0100 -Subject: [PATCH 2/3] cmd/root: Shuffle some code around and sprinkle some - debug logs - -Having a separate convenience function reduces the indentation levels by -at least one, and sometimes two, and makes it easy to have more detailed -debug logs. - -This will make the subsequent commit easier to read. - -https://github.com/containers/toolbox/issues/1246 ---- - src/cmd/root.go | 32 ++++++++++++++++++++++++-------- - 1 file changed, 24 insertions(+), 8 deletions(-) - -diff --git a/src/cmd/root.go b/src/cmd/root.go -index 82fbfd651c33..4c740ec60d38 100644 ---- a/src/cmd/root.go -+++ b/src/cmd/root.go -@@ -1,5 +1,5 @@ - /* -- * Copyright © 2019 – 2022 Red Hat Inc. -+ * Copyright © 2019 – 2023 Red Hat Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. 
-@@ -139,13 +139,8 @@ func preRun(cmd *cobra.Command, args []string) error { - if !utils.IsInsideContainer() { - logrus.Debugf("Running on a cgroups v%d host", cgroupsVersion) - -- if currentUser.Uid != "0" { -- logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", currentUser.Username) -- -- if _, err := utils.ValidateSubIDRanges(currentUser); err != nil { -- logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err) -- return newSubIDError() -- } -+ if _, err := validateSubIDRanges(cmd, args, currentUser); err != nil { -+ return err - } - } - -@@ -387,3 +382,24 @@ func setUpLoggers() error { - - return nil - } -+ -+func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bool, error) { -+ logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", user.Username) -+ -+ if user.Uid == "0" { -+ logrus.Debugf("Look-up not needed: user %s doesn't need them", user.Username) -+ return true, nil -+ } -+ -+ if utils.IsInsideContainer() { -+ logrus.Debug("Look-up not needed: running inside a container") -+ return true, nil -+ } -+ -+ if _, err := utils.ValidateSubIDRanges(user); err != nil { -+ logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err) -+ return false, newSubIDError() -+ } -+ -+ return true, nil -+} --- -2.39.2 - - -From d09c9cd1de41b6e85a6953902c9982778a423f3c Mon Sep 17 00:00:00 2001 -From: Jan Zerebecki -Date: Wed, 1 Mar 2023 19:52:28 +0100 -Subject: [PATCH 3/3] cmd/root: Don't validate subordinate IDs when generating - the completions - -Ever since commit bafbbe81c9220cb3, the shell completions are generated -while building Toolbx using the 'completion' command. This involves -running toolbox(1) itself, and hence validating the subordinate user and -group ID ranges. - -Unfortunately, some build environments, like openSUSE's, don't have -subordinate ID ranges set up. 
Therefore, it's better to not validate -the subordinate ID ranges when generating the shell completions, since -they are generated by Cobra itself and subordinate ID ranges are not -involved at all. - -Note that subordinate ID ranges may be needed when the generated shell -completions are actually used in interactive command line environments. -The shell completions invoke the hidden '__complete' command to get the -results that are presented to the user, and, if needed, the subordinate -ID ranges will continue to be used by podman(1) as part of that. - -Some changes by Debarshi Ray. - -https://github.com/containers/toolbox/issues/1246 -https://github.com/containers/toolbox/pull/1249 ---- - src/cmd/root.go | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/cmd/root.go b/src/cmd/root.go -index 4c740ec60d38..efee8ce9990b 100644 ---- a/src/cmd/root.go -+++ b/src/cmd/root.go -@@ -396,6 +396,11 @@ func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bo - return true, nil - } - -+ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName { -+ logrus.Debugf("Look-up not needed: command %s doesn't need them", cmdName) -+ return true, nil -+ } -+ - if _, err := utils.ValidateSubIDRanges(user); err != nil { - logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err) - return false, newSubIDError() --- -2.39.2 - diff --git a/SOURCES/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch b/SOURCES/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch new file mode 100644 index 0000000..35ecc83 --- /dev/null +++ b/SOURCES/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch 
@@ -0,0 +1,54 @@
+From 4f8b443ab925c84d059d894ddcfcf4dcf66a747e Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Mon, 29 Jun 2020 17:57:47 +0200
+Subject: [PATCH] build: Make the build flags match Fedora's %{gobuildflags}
+ for PPC64
+
+The Go toolchain also doesn't like the LDFLAGS environment variable as
+exported by Fedora's %{meson} RPM macro.
+
+Note that these flags are only meant for the "ppc64" CPU architecture,
+and should be kept updated to match Fedora's Go guidelines. Use
+'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro.
+---
+ src/go-build-wrapper | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/go-build-wrapper b/src/go-build-wrapper
+index c572d6dfb02b..cae2de426a96 100755
+--- a/src/go-build-wrapper
++++ b/src/go-build-wrapper
+@@ -33,9 +33,9 @@ if ! cd "$1"; then
+ exit 1
+ fi
+ 
+-tags=""
++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
+ if $7; then
+- tags="-tags migration_path_for_coreos_toolbox"
++ tags="$tags,migration_path_for_coreos_toolbox"
+ fi
+ 
+ if ! libc_dir=$("$5" --print-file-name=libc.so); then
+@@ -70,11 +70,16 @@ fi
+ 
+ dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
+ 
++unset LDFLAGS
++
+ # shellcheck disable=SC2086
+ go build \
++ -compiler gc \
+ $tags \
+- -trimpath \
+- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
++ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
++ -a \
++ -v \
++ -x \
+ -o "$2/$3"
+ 
+ exit "$?"
+--
+2.43.0
+
diff --git a/SOURCES/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch b/SOURCES/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch
new file mode 100644
index 0000000..c290d36
--- /dev/null
+++ b/SOURCES/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch
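Review bot: The ppc64 `go build` call in the `@@ -70,11 +70,16 @@` hunk gets the hardened external-linker flags (`-Wl,-z,relro`, `-Wl,-z,now`, the redhat-hardened-ld specs) but, unlike the sibling non-ppc64 patch on this page, no `-buildmode pie`, and nothing in the wrapper says why, so the next reader will see a non-PIE binary with no ASLR for its own text and "fix" it. If this mirrors Fedora's ppc64 `%{gobuildflags}` because the gc toolchain cannot produce PIE there (my reading of the commit message, not something the hunk proves), record it next to the call: `# no -buildmode pie: matches Fedora's ppc64 %{gobuildflags}; check with rpm --eval "%{gobuildflags}" on ppc64`. Note also that the spec on this page applies this patch only under `%if 0%{?fedora}`, so a CentOS Stream build never exercises it.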
@@ -0,0 +1,54 @@
+From 3175ef2fab1f61f5784361070ac338dabda3c04e Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Mon, 29 Jun 2020 17:57:47 +0200
+Subject: [PATCH] build: Make the build flags match Fedora's %{gobuildflags}
+
+The Go toolchain doesn't like the LDFLAGS environment variable as
+exported by Fedora's %{meson} RPM macro.
+
+Note that these flags are meant for every CPU architecture other than
+PPC64, and should be kept updated to match Fedora's Go guidelines. Use
+'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro.
+---
+ src/go-build-wrapper | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/go-build-wrapper b/src/go-build-wrapper
+index c572d6dfb02b..0e6a2efa6853 100755
+--- a/src/go-build-wrapper
++++ b/src/go-build-wrapper
+@@ -33,9 +33,9 @@ if ! cd "$1"; then
+ exit 1
+ fi
+ 
+-tags=""
++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
+ if $7; then
+- tags="-tags migration_path_for_coreos_toolbox"
++ tags="$tags,migration_path_for_coreos_toolbox"
+ fi
+ 
+ if ! libc_dir=$("$5" --print-file-name=libc.so); then
+@@ -70,11 +70,17 @@ fi
+ 
+ dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
+ 
++unset LDFLAGS
++
+ # shellcheck disable=SC2086
+ go build \
++ -buildmode pie \
++ -compiler gc \
+ $tags \
+- -trimpath \
+- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
++ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
++ -a \
++ -v \
++ -x \
+ -o "$2/$3"
+ 
+ exit "$?"
+--
+2.43.0
+
diff --git a/SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch b/SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
index 15b52a8..d458e9e 100644
--- a/SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
+++ b/SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
@@ -1,4 +1,4 @@
-From 973600219168f3c4efeb627c103085555327eaa5 Mon Sep 17 00:00:00 2001
+From 721c6b8d3bbbb5d451eaac4d332ddecd48f5ca85 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags} for
@@ -51,5 +51,5 @@ index c572d6dfb02b..86f174716608 100755
 
 exit "$?"
 --
-2.39.2
+2.43.0
 
diff --git a/SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch b/SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
index 1fed4da..d5d47e4 100644
--- a/SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
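Review bot: In the `@@ -70,11 +70,17 @@` hunk, `unset LDFLAGS` runs two lines before `go build`, so the `${LDFLAGS:-}` that opens the new `-ldflags` string is guaranteed empty and contributes nothing but a leading space; either drop it (`-ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false ..."`) or keep the reference and drop the `unset`, not both. The same hunk removes `-trimpath` without the commit message mentioning it, so paths from the build tree presumably end up embedded in the binary; if that is deliberate because the goal is a verbatim copy of the macro, a one-line comment above the call (`# flags mirror 'rpm --eval "%{gobuildflags}"'; keep in sync rather than hand-tune`) would stop the next person from reverting it. Both points apply equally to the ppc64 variant elsewhere on this page.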
+++ b/SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
@@ -1,4 +1,4 @@
-From aeaa8cd30a8c5ad33ee1fe6b9e84ecbb28f7264c Mon Sep 17 00:00:00 2001
+From 417dc7a7a378dbab6bbaafc21b9e554b60c9402f Mon Sep 17 00:00:00 2001
 From: Debarshi Ray
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags}
@@ -51,5 +51,5 @@ index c572d6dfb02b..d39764fda0c1 100755
 
 exit "$?"
 --
-2.39.2
+2.43.0
 
diff --git a/SOURCES/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch b/SOURCES/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
deleted file mode 100644
index 73b91f5..0000000
--- a/SOURCES/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From 1cc9e07b7c36fe9f9784b40b58f0a2a3694dd328 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Thu, 13 Jul 2023 13:08:40 +0200 -Subject: [PATCH] cmd/initContainer: Be aware of security hardened mount points - -Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump -and /var/log/journal sit on security hardened mount points that are -marked as 'nosuid,nodev,noexec' [1]. In such cases, when Toolbx is used -rootless, an attempt to bind mount these locations read-only at runtime -with mount(8) fails because of permission problems: - # mount --rbind -o ro - mount: : filesystem was mounted, but any subsequent - operation failed: Unknown error 5005. - -(Note that the above error message from mount(8) was subsequently -improved to show something more meaningful than 'Unknown error' [2].) - -The problem is that 'init-container' is running inside the container's -mount and user namespace, and the source paths were mounted inside the -host's namespace with 'nosuid,nodev,noexec'. The above mount(8) call -tries to remove the 'nosuid,nodev,noexec' flags from the mount point and -replace them with only 'ro', which is something that can't be done from -a child namespace. - -Note that this doesn't fail when Toolbx is running as root. This is -because the container uses the host's user namespace and is able to -remove the 'nosuid,nodev,noexec' flags from the mount point and replace -them with only 'ro'. Even though it doesn't fail, the flags shouldn't -get replaced like that inside the container, because it removes the -security hardening of those mount points. - -There's actually no benefit in bind mounting these paths as read-only. -It was historically done this way 'just to be safe' because a user isn't -expected to write to these locations from inside a container. However, -Toolbx doesn't intend to provide any heightened security beyond what's -already available on the host. 
- -Hence, it's better to get out of the way and leave it to the permissions -on the source location from the host operating system to guard the -castle. This is accomplished by not passing any file system options to -mount(8) [1]. - -Based on an idea from Si. - -[1] https://man7.org/linux/man-pages/man8/mount.8.html - -[2] util-linux commit 9420ca34dc8b6f0f - https://github.com/util-linux/util-linux/commit/9420ca34dc8b6f0f - https://github.com/util-linux/util-linux/pull/2376 - -https://github.com/containers/toolbox/issues/911 ---- - src/cmd/initContainer.go | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go -index 222aa42e1036..41b825b33f58 100644 ---- a/src/cmd/initContainer.go -+++ b/src/cmd/initContainer.go -@@ -62,10 +62,10 @@ var ( - {"/run/udev/data", "/run/host/run/udev/data", ""}, - {"/run/udev/tags", "/run/host/run/udev/tags", ""}, - {"/tmp", "/run/host/tmp", "rslave"}, -- {"/var/lib/flatpak", "/run/host/var/lib/flatpak", "ro"}, -+ {"/var/lib/flatpak", "/run/host/var/lib/flatpak", ""}, - {"/var/lib/libvirt", "/run/host/var/lib/libvirt", ""}, -- {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", "ro"}, -- {"/var/log/journal", "/run/host/var/log/journal", "ro"}, -+ {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", ""}, -+ {"/var/log/journal", "/run/host/var/log/journal", ""}, - {"/var/mnt", "/run/host/var/mnt", "rslave"}, - } - ) --- -2.41.0 - diff --git a/SPECS/toolbox.spec b/SPECS/toolbox.spec index 8107baf..ffc6fbd 100644 --- a/SPECS/toolbox.spec +++ b/SPECS/toolbox.spec 
@@ -1,41 +1,44 @@ %global __brp_check_rpaths %{nil} Name: toolbox -Version: 0.0.99.4 +Version: 0.0.99.5 %global goipath github.com/containers/%{name} -%if 0%{?rhel} == 9 +%if 0%{?fedora} +%gometa -f +%endif + +%if 0%{?rhel} +%if 0%{?rhel} <= 9 %gometa %else %gometa -f %endif +%endif -Release: 5%{?dist} -Summary: Tool for containerized command line environments on Linux +Release: 2%{?dist} +Summary: Tool for interactive command line environments on Linux License: ASL 2.0 URL: https://containertoolbx.org/ Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}-vendored.tar.xz -%if 0%{?rhel} -Source1: %{name}.conf -%endif - -# Upstream -Patch0: toolbox-Don-t-use-podman-1-when-generating-the-comp.patch -Patch1: toolbox-Don-t-validate-subordinate-IDs-when-generat.patch -Patch2: toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch # RHEL specific -Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch -Patch101: toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch -%if 0%{?rhel} -Patch102: toolbox-Add-migration-paths-for-coreos-toolbox-users.patch -%endif +Source1: %{name}.conf + +# Fedora specific +Patch100: toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch +Patch101: toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch + +# RHEL specific +Patch200: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch +Patch201: toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch +Patch202: toolbox-Add-migration-paths-for-coreos-toolbox-users.patch BuildRequires: gcc BuildRequires: go-md2man -BuildRequires: golang >= 1.20.6-4 +BuildRequires: golang >= 1.21.7 BuildRequires: meson >= 0.58.0 BuildRequires: pkgconfig(bash-completion) BuildRequires: shadow-utils-subid-devel 
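Review bot: `BuildRequires: golang >= 1.21.7` is raised with no comment, while the changelog at the end of this diff ties the build to "Rebuild for CVE-2023-39326", so the new floor is doing security work that a reader of the header cannot see. Because Go links its runtime and standard library statically into the toolbox binary, a toolchain fix only reaches users through exactly this kind of rebuild, which is worth recording next to the requirement: `# >= 1.21.7: toolchain fix for CVE-2023-39326 (statically linked, so shipped by rebuilding)`. That the CVE is a toolchain/stdlib issue is my inference from the changelog and from the golang floor being the only build-relevant change; confirm against the advisory before wording the comment.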
@@ -45,14 +48,15 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: golang(github.com/HarryMichal/go-version) >= 1.0.1
 BuildRequires: golang(github.com/acobaugh/osrelease) >= 0.1.0
 BuildRequires: golang(github.com/briandowns/spinner) >= 1.17.0
-BuildRequires: golang(github.com/docker/go-units) >= 0.4.0
+BuildRequires: golang(github.com/docker/go-units) >= 0.5.0
 BuildRequires: golang(github.com/fsnotify/fsnotify) >= 1.5.1
 BuildRequires: golang(github.com/godbus/dbus) >= 5.0.6
 BuildRequires: golang(github.com/sirupsen/logrus) >= 1.8.1
 BuildRequires: golang(github.com/spf13/cobra) >= 1.3.0
 BuildRequires: golang(github.com/spf13/viper) >= 1.10.1
-BuildRequires: golang(golang.org/x/sys/unix)
-BuildRequires: golang(golang.org/x/term)
+BuildRequires: golang(golang.org/x/sys/unix) >= 0.1.0
+BuildRequires: golang(golang.org/x/text) >= 0.3.8
+BuildRequires: golang(gopkg.in/yaml.v3) >= 3.0.0
 BuildRequires: pkgconfig(fish)
 # for tests
 # BuildRequires: codespell
@@ -60,17 +64,26 @@ BuildRequires: pkgconfig(fish) # BuildRequires: ShellCheck %endif +Recommends: skopeo +Recommends: subscription-manager + Requires: containers-common -Requires: podman >= 1.4.0 +Requires: podman >= 1.6.4 %if ! 0%{?rhel} Requires: flatpak-session-helper %endif %description -Toolbox is a tool for Linux operating systems, which allows the use of -containerized command line environments. It is built on top of Podman and -other standard container technologies from OCI. +Toolbx is a tool for Linux, which allows the use of interactive command line +environments for development and troubleshooting the host operating system, +without having to install software on the host. It is built on top of Podman +and other standard container technologies from OCI. + +Toolbx environments have seamless access to the user's home directory, the +Wayland and X11 sockets, networking (including Avahi), removable devices (like +USB sticks), systemd journal, SSH agent, D-Bus, ulimits, /dev and the udev +database, etc.. %package tests @@ -78,31 +91,40 @@ Summary: Tests for %{name} Requires: %{name}%{?_isa} = %{version}-%{release} Requires: coreutils -Requires: gawk Requires: grep +Requires: httpd-tools +Requires: openssl Requires: skopeo %if ! 0%{?rhel} -Requires: bats +Requires: bats >= 1.7.0 %endif + %description tests The %{name}-tests package contains system tests for %{name}. %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 +%if 0%{?fedora} %ifnarch ppc64 %patch100 -p1 %else %patch101 -p1 %endif +%endif %if 0%{?rhel} -%patch102 -p1 +%ifnarch ppc64 +%patch200 -p1 +%else +%patch201 -p1 +%endif + +%if 0%{?rhel} <= 9 +%patch202 -p1 +%endif %endif %gomkdir -s %{_builddir}/%{extractdir}/src %{?rhel:-k} 
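Review bot: The new `%description` paragraph ends in `database, etc..`, a doubled period that will appear verbatim in `dnf info` output; change it to `database, etc.`. The rest of the description reads fine.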
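Review bot: `%prep` now has a Fedora arm (`%if 0%{?fedora}` … `%patch100 -p1`) beside the RHEL one, but both keep the `%patchN` spelling, which rpm 4.18 deprecated and, as I read rpm's release notes, later releases reject outright; harmless on the CentOS Stream 9 rpm, but it means the Fedora arm is not buildable where it is meant to run. Prefer `%patch -P 100 -p1` (and likewise `-P 101`, `-P 200`, `-P 201`, `-P 202`) in both arms. Worth a comment too that only the RHEL pair is ever applied by a CentOS Stream build, since the Fedora build-flag patches are otherwise dead weight in this dist-git.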
@@ -116,7 +138,9 @@ export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_ %meson \ %if 0%{?rhel} -Dfish_completions_dir=%{_datadir}/fish/vendor_completions.d \ +%if 0%{?rhel} <= 9 -Dmigration_path_for_coreos_toolbox=true \ +%endif %endif -Dprofile_dir=%{_sysconfdir}/profile.d \ -Dtmpfiles_dir=%{_tmpfilesdir} \ @@ -133,8 +157,10 @@ export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_ %meson_install %if 0%{?rhel} +%if 0%{?rhel} <= 9 install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf %endif +%endif %files @@ -151,11 +177,29 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf %{_sysconfdir}/profile.d/%{name}.sh %{_tmpfilesdir}/%{name}.conf + %files tests %{_datadir}/%{name} %changelog +* Mon Feb 19 2024 Debarshi Ray - 0.0.99.5-2 +- Rebuild for CVE-2023-39326 +Resolves: RHEL-21817 + +* Mon Jan 15 2024 Debarshi Ray - 0.0.99.5-1 +- Update to 0.0.99.5 +Resolves: RHEL-19772 + +* Mon Nov 27 2023 Debarshi Ray - 0.0.99.4-7 +- Rebuild for CVE-2023-39318, CVE-2023-39319, CVE-2023-39325 and + CVE-2023-44487 +Resolves: RHEL-4435, RHEL-4439, RHEL-12694 + +* Mon Oct 02 2023 Debarshi Ray - 0.0.99.4-6 +- Simplify removing the user's password +Resolves: RHEL-1834 + * Fri Aug 11 2023 Debarshi Ray - 0.0.99.4-5 - Be aware of security hardened mount points Resolves: #2222789
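Review bot: The `0.0.99.5-1` changelog entry says only `Update to 0.0.99.5`, yet this import also deletes Patch0–Patch2, including the "Be aware of security hardened mount points" fix that the `0.0.99.4-5` entry directly below advertises; someone auditing whether that hardening still ships cannot tell from the changelog. If the three patches were dropped because 0.0.99.5 already contains them (the natural reading, but nothing in the diff states it), say so: `- Update to 0.0.99.5; drop the three upstream patches now included in the release`. The `%changelog` section continues beyond this hunk's trailing context.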