rpm package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
6 years ago · 729c481a49
5 changed files with 264 additions and 3 deletions
--- a/SOURCES/rpm-4.11.x-provide-audit-events.patch
+++ b/SOURCES/rpm-4.11.x-provide-audit-events.patch
@ -0,0 +1,156 @@
				@@ -0,0 +1,156 @@
+--- rpm-4.11.3/configure.ac.old	2018-05-25 09:02:29.103209393 +0200
+++ rpm-4.11.3/configure.ac	2018-05-28 14:46:27.134913783 +0200
+@@ -334,6 +334,22 @@
+ AC_SUBST(WITH_POPT_INCLUDE)
+ AC_SUBST(WITH_POPT_LIB)
+
+
+#=================
+# Check for audit library.
+AC_ARG_WITH(audit,
+AS_HELP_STRING([--with-audit],[log results using Linux Audit]),
+with_audit=$withval,
+with_audit=auto)
+
+WITH_AUDIT_LIB=
+AS_IF([test "$with_audit" = auto],[
+    AC_SEARCH_LIBS([audit_open],[audit],[WITH_AUDIT_LIB="$ac_res"],
+       [AC_MSG_ERROR([missing audit library])
+    ])
+])
+AC_SUBST(WITH_AUDIT_LIB)
+
+ #=================
+ # Process --with/without-external-db
+ AC_ARG_WITH(external_db, [AS_HELP_STRING([--with-external-db],[build against an external Berkeley db])],
+--- rpm-4.11.3/lib/Makefile.am.old	2014-09-05 13:51:05.000000000 +0200
+++ rpm-4.11.3/lib/Makefile.am	2018-05-28 13:24:17.309657132 +0200
+@@ -47,6 +47,7 @@
+	@WITH_SELINUX_LIB@ \
+	@WITH_CAP_LIB@ \
+	@WITH_ACL_LIB@ \
+	@WITH_AUDIT_LIB@ \
+	@LIBINTL@
+
+ if WITH_LUA
+--- rpm-4.11.3/lib/rpmte.c.old	2018-05-25 09:02:29.173209513 +0200
+++ rpm-4.11.3/lib/rpmte.c	2018-06-18 10:38:02.929670757 +0200
+@@ -3,6 +3,7 @@
+  * Routine(s) to handle an "rpmte"  transaction element.
+  */
+ #include "system.h"
+#include <libaudit.h>
+
+ #include <rpm/rpmtypes.h>
+ #include <rpm/rpmlib.h>		/* RPM_MACHTABLE_* */
+@@ -22,6 +23,16 @@
+
+ #include "debug.h"
+
+#ifndef AUDIT_SOFTWARE_UPDATE
+#define AUDIT_SOFTWARE_UPDATE   1138
+#endif
+
+RPM_GNUC_INTERNAL
+int auditEnabled = 0;
+
+RPM_GNUC_INTERNAL
+int auditGpgResult = 0;
+
+ /** \ingroup rpmte
+  * A single package instance to be installed/removed atomically.
+  */
+@@ -698,7 +709,15 @@
+
+     switch (rpmteType(te)) {
+     case TR_ADDED:
+-	h = rpmteDBInstance(te) ? rpmteDBHeader(te) : rpmteFDHeader(te);
+	if (rpmteDBInstance(te)) {
+	    h = rpmteDBHeader(te);
+	} else {
+	    if (reload_fi) {
+		auditEnabled = 1;
+		auditGpgResult = 0;
+	    }
+	    h = rpmteFDHeader(te);
+	}
+	break;
+     case TR_REMOVED:
+	h = rpmteDBHeader(te);
+@@ -904,6 +923,41 @@
+     return rc;
+ }
+
+/*
+ * Input variables:
+ *      te - transaction element
+ *      keyEnforcement - gpg key enforcement status: 1 enforced, 0 not enforced
+ *      gpgResult - results of gpg signature check: 1 verified, 0 otherwise
+ *      result - overall result of installing the rpm: 1 success, 0 failure
+ */
+static void audit_rpm_install(rpmte te, unsigned int keyEnforcement,
+                unsigned int gpgResult, int result)
+{
+    int auditFd;
+    char eventTxt[128], *packageField, *dirField;
+    const char *dir;
+
+    auditFd = audit_open();
+    if (auditFd < 0)
+	return;
+
+    packageField = audit_encode_nv_string("sw", te->NEVRA, strlen(te->NEVRA));
+    dir = rpmtsRootDir(te->ts);
+    dirField = audit_encode_nv_string("root_dir", dir, strlen(dir));
+
+    snprintf(eventTxt, sizeof(eventTxt),
+	"%s sw_type=rpm key_enforce=%u gpg_res=%u %s",
+	packageField, keyEnforcement, gpgResult, dirField);
+    audit_log_user_comm_message(auditFd, AUDIT_SOFTWARE_UPDATE, eventTxt,
+	NULL, NULL, NULL, NULL, result);
+
+    free(packageField);
+    free(dirField);
+    audit_close(auditFd);
+
+    return;
+}
+
+ static rpmRC rpmteRunAllCollections(rpmte te, rpmPluginHook hook)
+ {
+     ARGV_const_t colls;
+@@ -977,5 +1031,10 @@
+	failed = rpmteMarkFailed(te);
+     }
+
+    if (auditEnabled) {
+	audit_rpm_install(te, 0, auditGpgResult, failed ? 0 : 1);
+	auditEnabled = 0;
+    }
+
+     return failed;
+ }
+--- rpm-4.11.3/lib/package.c.old	2018-05-25 09:02:29.132209443 +0200
+++ rpm-4.11.3/lib/package.c	2018-06-15 12:11:58.996022237 +0200
+@@ -25,6 +25,9 @@
+ static unsigned int nextkeyid  = 0;
+ static unsigned int * keyids;
+
+extern int auditGpgResult;
+extern int auditEnabled;
+
+ /** \ingroup header
+  * Translate and merge legacy signature tags into header.
+  * @param h		header (dest)
+@@ -646,7 +649,10 @@
+
+     /** @todo Implement disable/enable/warn/error/anal policy. */
+     rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, &msg);
+-
+
+    if (auditEnabled && (sig != NULL))
+	auditGpgResult = (rc == 0);
+
+     switch (rc) {
+     case RPMRC_OK:		/* Signature is OK. */
+	rpmlog(RPMLOG_DEBUG, "%s: %s", fn, msg);
--- a/SOURCES/rpm-4.12.x-rpmSign-return-value-correction.patch
+++ b/SOURCES/rpm-4.12.x-rpmSign-return-value-correction.patch
@ -0,0 +1,10 @@
				@@ -0,0 +1,10 @@
+--- rpm-4.11.3/sign/rpmgensig.c.old	2014-09-05 13:49:16.000000000 +0200
+++ rpm-4.11.3/sign/rpmgensig.c	2018-05-03 10:58:37.104522827 +0200
+@@ -506,6 +506,7 @@
+	    }
+	    goto exit;
+	}
+	res = -1;
+     }
+
+     /* Reallocate the signature into one contiguous region. */
--- a/SOURCES/rpm-4.13.x-enable_noghost_option.patch
+++ b/SOURCES/rpm-4.13.x-enable_noghost_option.patch
@ -0,0 +1,45 @@
				@@ -0,0 +1,45 @@
+--- rpm-4.11.3/doc/rpm.8.old	2018-05-25 09:24:59.329885663 +0200
+++ rpm-4.11.3/doc/rpm.8	2018-05-25 09:25:19.598901802 +0200
+@@ -76,7 +76,7 @@
+  [\fB--nodigest\fR] [\fB--nosignature\fR]
+  [\fB--nolinkto\fR] [\fB--nofiledigest\fR] [\fB--nosize\fR] [\fB--nouser\fR]
+  [\fB--nogroup\fR] [\fB--nomtime\fR] [\fB--nomode\fR] [\fB--nordev\fR]
+- [\fB--nocaps\fR] [\fB--noconfig\fR]
+ [\fB--nocaps\fR] [\fB--noconfig\fR] [\fB--noghost\fR]
+
+ .SS "install-options"
+ .PP
+@@ -683,6 +683,9 @@
+ \fB--noconfig\fR
+ Don't verify config files.
+ .TP
+\fB--noghost\fR
+Don't display ghost files.
+.TP
+ \fB--noscripts\fR
+ Don't execute the \fB%verifyscript\fR scriptlet (if any).
+ .TP
+--- rpm-4.11.3/lib/poptQV.c.old	2018-05-10 12:29:26.716304826 +0200
+++ rpm-4.11.3/lib/poptQV.c	2018-05-11 14:08:36.389255974 +0200
+@@ -182,7 +182,7 @@
+	N_("list files in package"), NULL },
+
+  /* Duplicate file attr flags from packages into command line options. */
+- { "noghost", '\0', POPT_BIT_CLR|POPT_ARGFLAG_DOC_HIDDEN,
+ { "noghost", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN,
+	&rpmQVKArgs.qva_fflags, RPMFILE_GHOST,
+         N_("skip %%ghost files"), NULL },
+  { "noconfig", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN,
+--- rpm-4.11.3/lib/verify.c.old	2018-05-10 12:29:26.715304826 +0200
+++ rpm-4.11.3/lib/verify.c	2018-05-11 14:17:16.474959233 +0200
+@@ -453,6 +453,11 @@
+	    rpmlog(RPMLOG_NOTICE, "%s\n", buf);
+	    buf = _free(buf);
+	}
+
+	/* Filter out missing %ghost/%missingok errors from final result */
+	if (fileAttrs & (RPMFILE_MISSINGOK|RPMFILE_GHOST))
+	    verifyResult &= ~RPMVERIFY_LSTATFAIL;
+
+     }
+     rpmfiFree(fi);
--- a/SOURCES/rpm-4.13.x-fix_find_debuginfo_opts_g.patch
+++ b/SOURCES/rpm-4.13.x-fix_find_debuginfo_opts_g.patch
@ -0,0 +1,28 @@
				@@ -0,0 +1,28 @@
+--- rpm-4.11.3/scripts/find-debuginfo.sh.old	2018-05-03 09:53:34.098654333 +0200
+++ rpm-4.11.3/scripts/find-debuginfo.sh	2018-05-03 13:35:32.092303548 +0200
+@@ -9,7 +9,7 @@
+ #			   [[-l filelist]... [-p 'pattern'] -o debuginfo.list]
+ #			   [builddir]
+ #
+-# The -g flag says to use strip -g instead of full strip on DSOs.
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+ # The --strict-build-id flag says to exit with failure status if
+ # any ELF binary processed fails to contain a build-id note.
+ # The -r flag says to use eu-strip --reloc-debug-sections.
+@@ -29,7 +29,7 @@
+ # All file names in switches are relative to builddir (. if not given).
+ #
+
+-# With -g arg, pass it to strip on libraries.
+# With -g arg, pass it to strip on libraries or executables.
+ strip_g=false
+
+ # with -r arg, pass --reloc-debug-sections to eu-strip.
+@@ -130,6 +130,7 @@
+   $strip_r && r=--reloc-debug-sections
+   $strip_g && case "$(file -bi "$2")" in
+   application/x-sharedlib*) g=-g ;;
+  application/x-executable*) g=-g ;;
+   esac
+   eu-strip --remove-comment $r $g -f "$1" "$2" || exit
+   chmod 444 "$1" || exit
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@ -21,10 +21,10 @@
				@@ -21,10 +21,10 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}32%{?dist}
+Release: %{?snapver:0.%{snapver}.}35%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
-Source0: http://ftp.rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2
+Source0: http://rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2
 %if %{with int_bdb}
 Source1: db-%{bdbver}.tar.gz
 %else
@ -88,6 +88,10 @@ Patch185: rpm-4.13.x-Make-the-stftime-buffer-big-enuff.patch
				@@ -88,6 +88,10 @@ Patch185: rpm-4.13.x-Make-the-stftime-buffer-big-enuff.patch
 Patch186: rpm-4.11.x-skipattr.patch
 Patch187: rpm-4.13.x-Implement-noconfig-query.patch
 Patch188: rpm-4.11.x-weakdep-tags.patch
+Patch189: rpm-4.12.x-rpmSign-return-value-correction.patch
+Patch190: rpm-4.13.x-fix_find_debuginfo_opts_g.patch
+Patch191: rpm-4.13.x-enable_noghost_option.patch
+Patch192: rpm-4.11.x-provide-audit-events.patch

 # Filter soname dependencies by name
 Patch200: rpm-4.11.x-filter-soname-deps.patch
@ -152,7 +156,7 @@ BuildRequires: fakechroot
				@@ -152,7 +156,7 @@ BuildRequires: fakechroot

 # XXX generally assumed to be installed but make it explicit as rpm
 # is a bit special...
-BuildRequires: powerel-rpm-config
+BuildRequires: redhat-rpm-config
 BuildRequires: gawk
 BuildRequires: elfutils-devel >= 0.112
 BuildRequires: elfutils-libelf-devel
@ -179,6 +183,7 @@ BuildRequires: xz-devel >= 4.999.8
				@@ -179,6 +183,7 @@ BuildRequires: xz-devel >= 4.999.8
 # Required for systemd-inhibit plugin
 BuildRequires: dbus-devel
 %endif
+BuildRequires: audit-libs-devel

 # Only required by sepdebugcrcfix patch
 BuildRequires: binutils-devel
@ -356,6 +361,10 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
				@@ -356,6 +361,10 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
 %patch186 -p1 -b .skipattr
 %patch187 -p1 -b .noconfig-cli
 %patch188 -p1 -b .weakdep-tags
+%patch189 -p1 -b .rpmsign-error
+%patch190 -p1 -b .find_debuginfo_opts
+%patch191 -p1 -b .noghost
+%patch192 -p1 -b .audit-events

 %patch200 -p1 -b .filter-soname-deps
 %patch201 -p1 -b .dont-filter-ld64
@ -618,6 +627,19 @@ exit 0
				@@ -618,6 +627,19 @@ exit 0
 %doc COPYING doc/librpm/html/*

 %changelog
+* Tue Jun 19 2018 Pavlina Moravcova Varekova <pmoravco@redhat.com> - 4.11.3-35
+- Correct "root_dir" output in audit event (#1555326)
+
+* Fri May 25 2018 Pavlina Moravcova Varekova <pmoravco@redhat.com> - 4.11.3-34
+- Adjust --noghost documentation (#1395818)
+- Provide audit events on update verification (#1555326)
+
+* Thu May 10 2018 Pavlina Moravcova Varekova <pmoravco@redhat.com> - 4.11.3-33
+- Repair of --noghost option implementation (#1395818)
+- Backport fix rpmSign() return value in case of failure (#1419590)
+- Backport passing _find_debuginfo_opts -g to eu-strip for executables
+  (#1540653)
+
 * Mon Nov 13 2017 Panu Matilainen <pmatilai@redhat.com> - 4.11.3-32
 - Backport weak dependency tag definitions (#1508538)