new release

rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support new release rebased tuned to latest upstream resolves: RHEL-70454 tuned-ppd: removed the use of StrEnum tuned-ppd: fixed traceback resolves: RHEL-74384 tuned-ppd: multiple fixes and updates docs: plugins docs are now automatically generated from the docstrings plugin_cpu: fixed no_turbo boolean option parsing plugin_cpu: allowed raw energy_performance_preference values plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters plugin_bootloader: added variables to BLS entries only if grub is used plugin_scheduler: do not assume that perf events have type attribute plugin_scheduler: updated sched knobs for kernels 6.6+ plugin_scheduler: log process info when its affinity cannot be changed resolves: RHEL-69933 plugin_scheduler: postpone cgroup blacklist check, double-check after fail plugin_scheduler: made perf support optional plugin_net: added support for hotplug and rename makefile: added support for installation to custom $BINDIR/$SBINDIR functions: dropped cpuspeed support
2025-01-19 21:55:06 +01:00 · 2025-01-19 21:55:06 +01:00 · 49ee00e46f
commit 49ee00e46f
parent b2cae20acd
3 changed files with 108 additions and 349 deletions
--- a/0001-CVE-2024-52336-and-CVE-2024-52337-fixes.patch
+++ b/0001-CVE-2024-52336-and-CVE-2024-52337-fixes.patch
@ -1,281 +0,0 @@
 From 83928aaa29ff281734a12f225a3ea9acd0af96bb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
 Date: Mon, 11 Nov 2024 17:02:44 +0100
 Subject: [PATCH] CVE-2024-52336 and CVE-2024-52337 fixes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 - tighten polkit policy
 - API method parameters sanity check
 - scripts can be executed only from the profile directories
 Resolves: CVE-2024-52336
 Resolves: CVE-2024-52337
 Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 ---
 com.redhat.tuned.policy        | 14 +++++++-------
 tuned/consts.py                |  4 ++++
 tuned/daemon/controller.py     | 35 ++++++++++++++++++++++++++--------
 tuned/plugins/base.py          | 12 ++++++++++++
 tuned/plugins/plugin_script.py |  4 ++++
 tuned/utils/commands.py        |  4 ++++
 6 files changed, 58 insertions(+), 15 deletions(-)
 diff --git a/com.redhat.tuned.policy b/com.redhat.tuned.policy
 index f5c972a..077fb74 100644
 --- a/com.redhat.tuned.policy
 +++ b/com.redhat.tuned.policy
@@ -43,7 +43,7 @@
     <defaults>
       <allow_any>auth_admin</allow_any>
       <allow_inactive>auth_admin</allow_inactive>
 -      <allow_active>yes</allow_active>
 +      <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
@@ -103,7 +103,7 @@
     <defaults>
       <allow_any>auth_admin</allow_any>
       <allow_inactive>auth_admin</allow_inactive>
 -      <allow_active>yes</allow_active>
 +      <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
@@ -113,7 +113,7 @@
     <defaults>
       <allow_any>auth_admin</allow_any>
       <allow_inactive>auth_admin</allow_inactive>
 -      <allow_active>yes</allow_active>
 +      <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
@@ -123,7 +123,7 @@
     <defaults>
       <allow_any>auth_admin</allow_any>
       <allow_inactive>auth_admin</allow_inactive>
 -      <allow_active>yes</allow_active>
 +      <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
@@ -223,7 +223,7 @@
     <defaults>
       <allow_any>auth_admin</allow_any>
       <allow_inactive>auth_admin</allow_inactive>
 -      <allow_active>yes</allow_active>
 +      <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
@@ -253,7 +253,7 @@
     <defaults>
       <allow_any>auth_admin</allow_any>
       <allow_inactive>auth_admin</allow_inactive>
 -      <allow_active>yes</allow_active>
 +      <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
@@ -263,7 +263,7 @@
     <defaults>
       <allow_any>auth_admin</allow_any>
       <allow_inactive>auth_admin</allow_inactive>
 -      <allow_active>yes</allow_active>
 +      <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
 diff --git a/tuned/consts.py b/tuned/consts.py
 index 912225d..4606aee 100644
 --- a/tuned/consts.py
 +++ b/tuned/consts.py
@@ -1,4 +1,8 @@
 import logging
 +import string
 +
 +NAMES_ALLOWED_CHARS = string.ascii_letters + string.digits + " !@'+-.,/:;_$&*()%<=>?#[]{|}^~" + '"'
 +NAMES_MAX_LENGTH = 4096
 GLOBAL_CONFIG_FILE = "/etc/tuned/tuned-main.conf"
 ACTIVE_PROFILE_FILE = "/etc/tuned/active_profile"
 diff --git a/tuned/daemon/controller.py b/tuned/daemon/controller.py
 index 4f43d54..726e3a2 100644
 --- a/tuned/daemon/controller.py
 +++ b/tuned/daemon/controller.py
@@ -189,6 +189,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 	def switch_profile(self, profile_name, caller = None):
 		if caller == "":
 			return (False, "Unauthorized")
 +		if not self._cmd.is_valid_name(profile_name):
 +			return (False, "Invalid profile_name")
 		return self._switch_profile(profile_name, True)
 	@exports.export("", "(bs)")
@@ -262,8 +264,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 	@exports.export("s", "(bsss)")
 	def profile_info(self, profile_name, caller = None):
 -		if caller == "":
 -			return tuple(False, "", "", "")
 +		if caller == "" or not self._cmd.is_valid_name(profile_name):
 +			return (False, "", "", "")
 		if profile_name is None or profile_name == "":
 			profile_name = self.active_profile()
 		return tuple(self._daemon.profile_loader.profile_locator.get_profile_attrs(profile_name, [consts.PROFILE_ATTR_SUMMARY, consts.PROFILE_ATTR_DESCRIPTION], [""]))
@@ -294,7 +296,7 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 		dictionary -- {plugin_name: {parameter_name: default_value}}
 		"""
 		if caller == "":
 -			return False
 +			return {}
 		plugins = {}
 		for plugin_class in self._daemon.get_all_plugins():
 			plugin_name = plugin_class.__module__.split(".")[-1].split("_", 1)[1]
@@ -307,8 +309,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 	@exports.export("s","s")
 	def get_plugin_documentation(self, plugin_name, caller = None):
 		"""Return docstring of plugin's class"""
 -		if caller == "":
 -			return False
 +		if caller == "" or not self._cmd.is_valid_name(plugin_name):
 +			return ""
 		return self._daemon.get_plugin_documentation(str(plugin_name))
 	@exports.export("s","a{ss}")
@@ -321,8 +323,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 		Return:
 		dictionary -- {parameter_name: hint}
 		"""
 -		if caller == "":
 -			return False
 +		if caller == "" or not self._cmd.is_valid_name(plugin_name):
 +			return {}
 		return self._daemon.get_plugin_hints(str(plugin_name))
 	@exports.export("s", "b")
@@ -335,7 +337,7 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 		Return:
 		bool -- True on success
 		"""
 -		if caller == "":
 +		if caller == "" or not self._cmd.is_valid_name(path):
 			return False
 		if self._daemon._application and self._daemon._application._unix_socket_exporter:
 			self._daemon._application._unix_socket_exporter.register_signal_path(path)
@@ -349,6 +351,10 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 	def instance_acquire_devices(self, devices, instance_name, caller = None):
 		if caller == "":
 			return (False, "Unauthorized")
 +		if not self._cmd.is_valid_name(devices):
 +			return (False, "Invalid devices")
 +		if not self._cmd.is_valid_name(instance_name):
 +			return (False, "Invalid instance_name")
 		found = False
 		for instance_target in self._daemon._unit_manager.instances:
 			if instance_target.name == instance_name:
@@ -399,6 +405,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 		"""
 		if caller == "":
 			return (False, "Unauthorized", [])
 +		if not self._cmd.is_valid_name(plugin_name):
 +			return (False, "Invalid plugin_name", [])
 		if plugin_name != "" and plugin_name not in self.get_all_plugins().keys():
 			rets = "Plugin '%s' does not exist" % plugin_name
 			log.error(rets)
@@ -422,6 +430,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 		"""
 		if caller == "":
 			return (False, "Unauthorized", [])
 +		if not self._cmd.is_valid_name(instance_name):
 +			return (False, "Invalid instance_name", [])
 		for instance in self._daemon._unit_manager.instances:
 			if instance.name == instance_name:
 				return (True, "OK", sorted(list(instance.processed_devices)))
@@ -444,6 +454,13 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 		"""
 		if caller == "":
 			return (False, "Unauthorized")
 +		if not self._cmd.is_valid_name(plugin_name):
 +			return (False, "Invalid plugin_name")
 +		if not self._cmd.is_valid_name(instance_name):
 +			return (False, "Invalid instance_name")
 +		for (key, value) in options.items():
 +			if not self._cmd.is_valid_name(key) or not self._cmd.is_valid_name(value):
 +				return (False, "Invalid options")
 		plugins = {p.name: p for p in self._daemon._unit_manager.plugins}
 		if not plugin_name in plugins.keys():
 			rets = "Plugin '%s' not found" % plugin_name
@@ -499,6 +516,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface):
 		"""
 		if caller == "":
 			return (False, "Unauthorized")
 +		if not self._cmd.is_valid_name(instance_name):
 +			return (False, "Invalid instance_name")
 		try:
 			instance = [i for i in self._daemon._unit_manager.instances if i.name == instance_name][0]
 		except IndexError:
 diff --git a/tuned/plugins/base.py b/tuned/plugins/base.py
 index cd54aea..3c4122f 100644
 --- a/tuned/plugins/base.py
 +++ b/tuned/plugins/base.py
@@ -213,6 +213,14 @@ class Plugin(object):
 	def _instance_post_static(self, instance, enabling):
 		pass
 +	def _safe_script_path(self, path):
 +		path = os.path.realpath(path)
 +		profile_paths = self._global_cfg.get_list(consts.CFG_PROFILE_DIRS, consts.CFG_DEF_PROFILE_DIRS)
 +		for p in profile_paths:
 +			if path.startswith(p):
 +				return True
 +		return False
 +
 	def _call_device_script(self, instance, script, op, devices, rollback = consts.ROLLBACK_SOFT):
 		if script is None:
 			return None
@@ -223,6 +231,10 @@ class Plugin(object):
 			log.error("Relative paths cannot be used in script_pre or script_post. " \
 				+ "Use ${i:PROFILE_DIR}.")
 			return False
 +		if not self._safe_script_path(script):
 +			log.error("Paths outside of the profile directories cannot be used in the " \
 +				+ "script_pre or script_post, ignoring script: '%s'" % script)
 +			return False
 		dir_name = os.path.dirname(script)
 		ret = True
 		for dev in devices:
 diff --git a/tuned/plugins/plugin_script.py b/tuned/plugins/plugin_script.py
 index ab605e4..5a5700f 100644
 --- a/tuned/plugins/plugin_script.py
 +++ b/tuned/plugins/plugin_script.py
@@ -75,6 +75,10 @@ class ScriptPlugin(base.Plugin):
 		for script in scripts:
 			environ = os.environ
 			environ.update(self._variables.get_env())
 +			if not self._safe_script_path(script):
 +				log.error("Paths outside of the profile directories cannot be used in the script, " \
 +					+ "ignoring script: '%s'." % script)
 +				continue
 			log.info("calling script '%s' with arguments '%s'" % (script, str(arguments)))
 			log.debug("using environment '%s'" % str(list(environ.items())))
 			try:
 diff --git a/tuned/utils/commands.py b/tuned/utils/commands.py
 index a5a13c3..c4f7c93 100644
 --- a/tuned/utils/commands.py
 +++ b/tuned/utils/commands.py
@@ -548,3 +548,7 @@ class commands:
 			import string
 			trans = string.maketrans(source_chars, dest_chars)
 		return text.translate(trans)
 +
 +	# Checks if name contains only valid characters and has valid length or is empty string or None
 +	def is_valid_name(self, name):
 +		return not name or (all(c in consts.NAMES_ALLOWED_CHARS for c in name) and len(name) <= consts.NAMES_MAX_LENGTH)
 -- 
 2.47.0
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (tuned-2.24.0.tar.gz) = d004cd621e26195fff14b39f29b2143cf47de09641454acd3029d61142c3d000a452f018356c84c32772bd99fc766f6ee847d2a8eddbde8ae34aaa0ecefa644e
+SHA512 (tuned-2.25.0-rc.1.tar.gz) = 798daedaf1f7220a75f5a448eae9b9c90b7989c2f52b050b144d62b9ad03640c4a4f446c24a04b8cf6056ee0d7f1ee8c995cdc9c5d04b6bed499a509e08522d9
--- a/tuned.spec
+++ b/tuned.spec
@ -1,3 +1,11 @@
 %if 0%{?rhel} && 0%{?rhel} < 10
 %global user_profiles_dir %{_sysconfdir}/tuned
 %global system_profiles_dir %{_prefix}/lib/tuned
 %else
 %global user_profiles_dir %{_sysconfdir}/tuned/profiles
 %global system_profiles_dir %{_prefix}/lib/tuned/profiles
 %endif
 %if 0%{?fedora}
 %if 0%{?fedora} > 27
 %bcond_without python3
@ -26,16 +34,16 @@
 %endif
 %endif
-#%%global prerelease rc
+%global prerelease rc
-#%%global prereleasenum 1
+%global prereleasenum 1
 %global prerel1 %{?prerelease:.%{prerelease}%{prereleasenum}}
 %global prerel2 %{?prerelease:-%{prerelease}.%{prereleasenum}}
 Summary: A dynamic adaptive system tuning daemon
 Name: tuned
-Version: 2.24.0
+Version: 2.25.0
-Release: 3%{?prerel1}%{?dist}
+Release: 0.1%{?prerel1}%{?dist}
 License: GPL-2.0-or-later AND CC-BY-SA-3.0
 Source0: https://github.com/redhat-performance/%{name}/archive/v%{version}%{?prerel2}/%{name}-%{version}%{?prerel2}.tar.gz
 # RHEL-9 specific recommend.conf:
@ -60,7 +68,8 @@ BuildRequires: %{_py}-mock
 %endif
 BuildRequires: %{_py}-pyudev
 Requires: %{_py}-pyudev
-Requires: %{_py}-linux-procfs, %{_py}-perf
+Requires: %{_py}-linux-procfs
 Requires: %{_py}-inotify
 %if %{without python3}
 Requires: %{_py}-schedutils
 %endif
@ -69,9 +78,6 @@ Requires: %{_py}-schedutils
 # BuildRequires for 'make test'
 BuildRequires: python3-dbus, python3-gobject-base
 Requires: python3-dbus, python3-gobject-base
 %if 0%{?fedora} > 22 || 0%{?rhel} > 7
 Recommends: dmidecode
 %endif
 %else
 # BuildRequires for 'make test'
 BuildRequires: dbus-python, pygobject3-base
@ -81,11 +87,15 @@ Requires: virt-what, ethtool, gawk
 Requires: util-linux, dbus, polkit
 %if 0%{?fedora} > 22 || 0%{?rhel} > 7
 Recommends: dmidecode
 # https://src.fedoraproject.org/rpms/tuned/pull-request/8
 Recommends: %{_py}-perf
 # i686 excluded
 Recommends: kernel-tools
 Requires: hdparm
 Requires: kmod
 Requires: iproute
 %else
 Requires: %{_py}-perf
 %endif
 # syspurpose
 %if 0%{?rhel} > 8
@ -98,7 +108,6 @@ Recommends: subscription-manager
 Requires: python3-syspurpose
 %endif
 %endif
 Patch0: 0001-CVE-2024-52336-and-CVE-2024-52337-fixes.patch
 %description
 The tuned package contains a daemon that tunes system settings dynamically.
@ -188,7 +197,6 @@ Additional tuned profile(s) targeted to Atomic host and guest.
 %package profiles-realtime
 Summary: Additional tuned profile(s) targeted to realtime
 Requires: %{name} = %{version}
 Requires: tuna
 %description profiles-realtime
 Additional tuned profile(s) targeted to realtime.
@ -197,7 +205,6 @@ Additional tuned profile(s) targeted to realtime.
 Summary: Additional tuned profile(s) targeted to Network Function Virtualization (NFV) guest
 Requires: %{name} = %{version}
 Requires: %{name}-profiles-realtime = %{version}
 Requires: tuna
 %description profiles-nfv-guest
 Additional tuned profile(s) targeted to Network Function Virtualization (NFV) guest.
@ -206,7 +213,6 @@ Additional tuned profile(s) targeted to Network Function Virtualization (NFV) gu
 Summary: Additional tuned profile(s) targeted to Network Function Virtualization (NFV) host
 Requires: %{name} = %{version}
 Requires: %{name}-profiles-realtime = %{version}
 Requires: tuna
 %description profiles-nfv-host
 Additional tuned profile(s) targeted to Network Function Virtualization (NFV) host.
@ -260,6 +266,9 @@ Additional TuneD profile(s) optimized for OpenShift.
 %package ppd
 Summary: PPD compatibility daemon
 Requires: %{name} = %{version}
 %if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
 Obsoletes: power-profiles-daemon < 0.23-2
 %endif
 # The compatibility daemon is swappable for power-profiles-daemon
 Provides: ppd-service
 Conflicts: ppd-service
@ -276,15 +285,15 @@ rm -f recommend.conf
 cp -p %{SOURCE1} recommend.conf
 %build
 # Docs cannot be generated on RHEL now due to missing asciidoctor dependency
 # asciidoc doesn't seem to be compatible
 %if ! 0%{?rhel}
 make html %{make_python_arg}
 %endif
 %install
-make install DESTDIR=%{buildroot} DOCDIR=%{docdir} %{make_python_arg}
+make install DESTDIR="%{buildroot}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" \
-make install-ppd DESTDIR=%{buildroot} DOCDIR=%{docdir} %{make_python_arg}
+  DOCDIR="%{docdir}" %{make_python_arg} \
  TUNED_USER_PROFILES_DIR="%{user_profiles_dir}" \
  TUNED_SYSTEM_PROFILES_DIR="%{system_profiles_dir}"
 make install-ppd DESTDIR="%{buildroot}" BINDIR="%{_bindir}" \
  SBINDIR="%{_sbindir}" DOCDIR="%{docdir}" %{make_python_arg}
 %if ! 0%{?rhel}
 # manual
@ -450,39 +459,44 @@ fi
 %exclude %{_sysconfdir}/tuned/realtime-virtual-host-variables.conf
 %exclude %{_sysconfdir}/tuned/cpu-partitioning-variables.conf
 %exclude %{_sysconfdir}/tuned/cpu-partitioning-powersave-variables.conf
-%exclude %{_prefix}/lib/tuned/profiles/default
+%exclude %{system_profiles_dir}/default
-%exclude %{_prefix}/lib/tuned/profiles/desktop-powersave
+%exclude %{system_profiles_dir}/desktop-powersave
-%exclude %{_prefix}/lib/tuned/profiles/laptop-ac-powersave
+%exclude %{system_profiles_dir}/laptop-ac-powersave
-%exclude %{_prefix}/lib/tuned/profiles/server-powersave
+%exclude %{system_profiles_dir}/server-powersave
-%exclude %{_prefix}/lib/tuned/profiles/laptop-battery-powersave
+%exclude %{system_profiles_dir}/laptop-battery-powersave
-%exclude %{_prefix}/lib/tuned/profiles/enterprise-storage
+%exclude %{system_profiles_dir}/enterprise-storage
-%exclude %{_prefix}/lib/tuned/profiles/spindown-disk
+%exclude %{system_profiles_dir}/spindown-disk
-%exclude %{_prefix}/lib/tuned/profiles/sap-netweaver
+%exclude %{system_profiles_dir}/sap-netweaver
-%exclude %{_prefix}/lib/tuned/profiles/sap-hana
+%exclude %{system_profiles_dir}/sap-hana
-%exclude %{_prefix}/lib/tuned/profiles/sap-hana-kvm-guest
+%exclude %{system_profiles_dir}/sap-hana-kvm-guest
-%exclude %{_prefix}/lib/tuned/profiles/mssql
+%exclude %{system_profiles_dir}/mssql
-%exclude %{_prefix}/lib/tuned/profiles/oracle
+%exclude %{system_profiles_dir}/oracle
-%exclude %{_prefix}/lib/tuned/profiles/atomic-host
+%exclude %{system_profiles_dir}/atomic-host
-%exclude %{_prefix}/lib/tuned/profiles/atomic-guest
+%exclude %{system_profiles_dir}/atomic-guest
-%exclude %{_prefix}/lib/tuned/profiles/realtime
+%exclude %{system_profiles_dir}/realtime
-%exclude %{_prefix}/lib/tuned/profiles/realtime-virtual-guest
+%exclude %{system_profiles_dir}/realtime-virtual-guest
-%exclude %{_prefix}/lib/tuned/profiles/realtime-virtual-host
+%exclude %{system_profiles_dir}/realtime-virtual-host
-%exclude %{_prefix}/lib/tuned/profiles/cpu-partitioning
+%exclude %{system_profiles_dir}/cpu-partitioning
-%exclude %{_prefix}/lib/tuned/profiles/cpu-partitioning-powersave
+%exclude %{system_profiles_dir}/cpu-partitioning-powersave
-%exclude %{_prefix}/lib/tuned/profiles/spectrumscale-ece
+%exclude %{system_profiles_dir}/spectrumscale-ece
-%exclude %{_prefix}/lib/tuned/profiles/postgresql
+%exclude %{system_profiles_dir}/postgresql
-%exclude %{_prefix}/lib/tuned/profiles/openshift
+%exclude %{system_profiles_dir}/openshift
-%exclude %{_prefix}/lib/tuned/profiles/openshift-control-plane
+%exclude %{system_profiles_dir}/openshift-control-plane
-%exclude %{_prefix}/lib/tuned/profiles/openshift-node
+%exclude %{system_profiles_dir}/openshift-node
 %{_prefix}/lib/tuned
 %dir %{_sysconfdir}/tuned
 %dir %{_sysconfdir}/tuned/recommend.d
-%dir %{_sysconfdir}/tuned/profiles
+
 %if "%{user_profiles_dir}" != "%{_sysconfdir}/tuned"
 %dir %{user_profiles_dir}
 %endif
 %dir %{_libexecdir}/tuned
 %{_libexecdir}/tuned/defirqaffinity*
 %config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/tuned/active_profile
 %config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/tuned/profile_mode
 %config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/tuned/post_loaded_profile
 %config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/tuned/ppd_base_profile
 %config(noreplace) %{_sysconfdir}/tuned/tuned-main.conf
 %config(noreplace) %verify(not size mtime md5) %{_sysconfdir}/tuned/bootcmdline
 %verify(not size mtime md5) %{_sysconfdir}/modprobe.d/tuned.conf
@ -531,40 +545,40 @@ fi
 %{_mandir}/man8/scomes.*
 %files profiles-sap
-%{_prefix}/lib/tuned/profiles/sap-netweaver
+%{system_profiles_dir}/sap-netweaver
 %{_mandir}/man7/tuned-profiles-sap.7*
 %files profiles-sap-hana
-%{_prefix}/lib/tuned/profiles/sap-hana
+%{system_profiles_dir}/sap-hana
-%{_prefix}/lib/tuned/profiles/sap-hana-kvm-guest
+%{system_profiles_dir}/sap-hana-kvm-guest
 %{_mandir}/man7/tuned-profiles-sap-hana.7*
 %files profiles-mssql
-%{_prefix}/lib/tuned/profiles/mssql
+%{system_profiles_dir}/mssql
 %{_mandir}/man7/tuned-profiles-mssql.7*
 %files profiles-oracle
-%{_prefix}/lib/tuned/profiles/oracle
+%{system_profiles_dir}/oracle
 %{_mandir}/man7/tuned-profiles-oracle.7*
 %files profiles-atomic
-%{_prefix}/lib/tuned/profiles/atomic-host
+%{system_profiles_dir}/atomic-host
-%{_prefix}/lib/tuned/profiles/atomic-guest
+%{system_profiles_dir}/atomic-guest
 %{_mandir}/man7/tuned-profiles-atomic.7*
 %files profiles-realtime
 %config(noreplace) %{_sysconfdir}/tuned/realtime-variables.conf
-%{_prefix}/lib/tuned/profiles/realtime
+%{system_profiles_dir}/realtime
 %{_mandir}/man7/tuned-profiles-realtime.7*
 %files profiles-nfv-guest
 %config(noreplace) %{_sysconfdir}/tuned/realtime-virtual-guest-variables.conf
-%{_prefix}/lib/tuned/profiles/realtime-virtual-guest
+%{system_profiles_dir}/realtime-virtual-guest
 %{_mandir}/man7/tuned-profiles-nfv-guest.7*
 %files profiles-nfv-host
 %config(noreplace) %{_sysconfdir}/tuned/realtime-virtual-host-variables.conf
-%{_prefix}/lib/tuned/profiles/realtime-virtual-host
+%{system_profiles_dir}/realtime-virtual-host
 %{_mandir}/man7/tuned-profiles-nfv-host.7*
 %files profiles-nfv
@ -573,32 +587,32 @@ fi
 %files profiles-cpu-partitioning
 %config(noreplace) %{_sysconfdir}/tuned/cpu-partitioning-variables.conf
 %config(noreplace) %{_sysconfdir}/tuned/cpu-partitioning-powersave-variables.conf
-%{_prefix}/lib/tuned/profiles/cpu-partitioning
+%{system_profiles_dir}/cpu-partitioning
-%{_prefix}/lib/tuned/profiles/cpu-partitioning-powersave
+%{system_profiles_dir}/cpu-partitioning-powersave
 %{_mandir}/man7/tuned-profiles-cpu-partitioning.7*
 %files profiles-spectrumscale
-%{_prefix}/lib/tuned/profiles/spectrumscale-ece
+%{system_profiles_dir}/spectrumscale-ece
 %{_mandir}/man7/tuned-profiles-spectrumscale-ece.7*
 %files profiles-compat
-%{_prefix}/lib/tuned/profiles/default
+%{system_profiles_dir}/default
-%{_prefix}/lib/tuned/profiles/desktop-powersave
+%{system_profiles_dir}/desktop-powersave
-%{_prefix}/lib/tuned/profiles/laptop-ac-powersave
+%{system_profiles_dir}/laptop-ac-powersave
-%{_prefix}/lib/tuned/profiles/server-powersave
+%{system_profiles_dir}/server-powersave
-%{_prefix}/lib/tuned/profiles/laptop-battery-powersave
+%{system_profiles_dir}/laptop-battery-powersave
-%{_prefix}/lib/tuned/profiles/enterprise-storage
+%{system_profiles_dir}/enterprise-storage
-%{_prefix}/lib/tuned/profiles/spindown-disk
+%{system_profiles_dir}/spindown-disk
 %{_mandir}/man7/tuned-profiles-compat.7*
 %files profiles-postgresql
-%{_prefix}/lib/tuned/profiles/postgresql
+%{system_profiles_dir}/postgresql
 %{_mandir}/man7/tuned-profiles-postgresql.7*
 %files profiles-openshift
-%{_prefix}/lib/tuned/profiles/openshift
+%{system_profiles_dir}/openshift
-%{_prefix}/lib/tuned/profiles/openshift-control-plane
+%{system_profiles_dir}/openshift-control-plane
-%{_prefix}/lib/tuned/profiles/openshift-node
+%{system_profiles_dir}/openshift-node
 %{_mandir}/man7/tuned-profiles-openshift.7*
 %files ppd
@ -607,9 +621,35 @@ fi
 %{_datadir}/dbus-1/system-services/net.hadess.PowerProfiles.service
 %{_datadir}/dbus-1/system.d/net.hadess.PowerProfiles.conf
 %{_datadir}/polkit-1/actions/net.hadess.PowerProfiles.policy
 %{_datadir}/dbus-1/system-services/org.freedesktop.UPower.PowerProfiles.service
 %{_datadir}/dbus-1/system.d/org.freedesktop.UPower.PowerProfiles.conf
 %{_datadir}/polkit-1/actions/org.freedesktop.UPower.PowerProfiles.policy
 %config(noreplace) %{_sysconfdir}/tuned/ppd.conf
 %changelog
 * Sun Jan 19 2025 Jaroslav Škarvada <jskarvad@redhat.com> - 2.25.0-0.1.rc1
 - new release
  - rebased tuned to latest upstream
    resolves: RHEL-70454
  - tuned-ppd: removed the use of StrEnum
  - tuned-ppd: fixed traceback
    resolves: RHEL-74384
  - tuned-ppd: multiple fixes and updates
  - docs: plugins docs are now automatically generated from the docstrings
  - plugin_cpu: fixed no_turbo boolean option parsing
  - plugin_cpu: allowed raw energy_performance_preference values
  - plugin_vm: added support for dirty_(bytes|ratio) sysctl parameters
  - plugin_bootloader: added variables to BLS entries only if grub is used
  - plugin_scheduler: do not assume that perf events have type attribute
  - plugin_scheduler: updated sched knobs for kernels 6.6+
  - plugin_scheduler: log process info when its affinity cannot be changed
    resolves: RHEL-69933
  - plugin_scheduler: postpone cgroup blacklist check, double-check after fail
  - plugin_scheduler: made perf support optional
  - plugin_net: added support for hotplug and rename
  - makefile: added support for installation to custom $BINDIR/$SBINDIR
  - functions: dropped cpuspeed support
 * Mon Nov 18 2024 Jaroslav Škarvada <jskarvad@redhat.com> - 2.24.0-3
 - Fixed privileged execution of arbitrary scripts by active local user,
  (CVE-2024-52336)
`@ -1 +1 @@`
	`SHA512 (tuned-2.24.0.tar.gz) = d004cd621e26195fff14b39f29b2143cf47de09641454acd3029d61142c3d000a452f018356c84c32772bd99fc766f6ee847d2a8eddbde8ae34aaa0ecefa644e`	`SHA512 (tuned-2.25.0-rc.1.tar.gz) = 798daedaf1f7220a75f5a448eae9b9c90b7989c2f52b050b144d62b9ad03640c4a4f446c24a04b8cf6056ee0d7f1ee8c995cdc9c5d04b6bed499a509e08522d9`