powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
Browse Source

rpm package update 

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 6 years ago
parent
e665b8295a
commit
729c481a49
5 changed files with 264 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 156
      SOURCES/rpm-4.11.x-provide-audit-events.patch
  2. 10
      SOURCES/rpm-4.12.x-rpmSign-return-value-correction.patch
  3. 45
      SOURCES/rpm-4.13.x-enable_noghost_option.patch
  4. 28
      SOURCES/rpm-4.13.x-fix_find_debuginfo_opts_g.patch
  5. 28
      SPECS/rpm.spec

156
SOURCES/rpm-4.11.x-provide-audit-events.patch
Unescape View File

@ -0,0 +1,156 @@
--- rpm-4.11.3/configure.ac.old 2018-05-25 09:02:29.103209393 +0200
+++ rpm-4.11.3/configure.ac 2018-05-28 14:46:27.134913783 +0200
@@ -334,6 +334,22 @@
AC_SUBST(WITH_POPT_INCLUDE)
AC_SUBST(WITH_POPT_LIB)

+
+#=================
+# Check for audit library.
+AC_ARG_WITH(audit,
+AS_HELP_STRING([--with-audit],[log results using Linux Audit]),
+with_audit=$withval,
+with_audit=auto)
+
+WITH_AUDIT_LIB=
+AS_IF([test "$with_audit" = auto],[
+ AC_SEARCH_LIBS([audit_open],[audit],[WITH_AUDIT_LIB="$ac_res"],
+ [AC_MSG_ERROR([missing audit library])
+ ])
+])
+AC_SUBST(WITH_AUDIT_LIB)
+
#=================
# Process --with/without-external-db
AC_ARG_WITH(external_db, [AS_HELP_STRING([--with-external-db],[build against an external Berkeley db])],
--- rpm-4.11.3/lib/Makefile.am.old 2014-09-05 13:51:05.000000000 +0200
+++ rpm-4.11.3/lib/Makefile.am 2018-05-28 13:24:17.309657132 +0200
@@ -47,6 +47,7 @@
@WITH_SELINUX_LIB@ \
@WITH_CAP_LIB@ \
@WITH_ACL_LIB@ \
+ @WITH_AUDIT_LIB@ \
@LIBINTL@

if WITH_LUA
--- rpm-4.11.3/lib/rpmte.c.old 2018-05-25 09:02:29.173209513 +0200
+++ rpm-4.11.3/lib/rpmte.c 2018-06-18 10:38:02.929670757 +0200
@@ -3,6 +3,7 @@
* Routine(s) to handle an "rpmte" transaction element.
*/
#include "system.h"
+#include <libaudit.h>

#include <rpm/rpmtypes.h>
#include <rpm/rpmlib.h> /* RPM_MACHTABLE_* */
@@ -22,6 +23,16 @@

#include "debug.h"

+#ifndef AUDIT_SOFTWARE_UPDATE
+#define AUDIT_SOFTWARE_UPDATE 1138
+#endif
+
+RPM_GNUC_INTERNAL
+int auditEnabled = 0;
+
+RPM_GNUC_INTERNAL
+int auditGpgResult = 0;
+
/** \ingroup rpmte
* A single package instance to be installed/removed atomically.
*/
@@ -698,7 +709,15 @@

switch (rpmteType(te)) {
case TR_ADDED:
- h = rpmteDBInstance(te) ? rpmteDBHeader(te) : rpmteFDHeader(te);
+ if (rpmteDBInstance(te)) {
+ h = rpmteDBHeader(te);
+ } else {
+ if (reload_fi) {
+ auditEnabled = 1;
+ auditGpgResult = 0;
+ }
+ h = rpmteFDHeader(te);
+ }
break;
case TR_REMOVED:
h = rpmteDBHeader(te);
@@ -904,6 +923,41 @@
return rc;
}

+/*
+ * Input variables:
+ * te - transaction element
+ * keyEnforcement - gpg key enforcement status: 1 enforced, 0 not enforced
+ * gpgResult - results of gpg signature check: 1 verified, 0 otherwise
+ * result - overall result of installing the rpm: 1 success, 0 failure
+ */
+static void audit_rpm_install(rpmte te, unsigned int keyEnforcement,
+ unsigned int gpgResult, int result)
+{
+ int auditFd;
+ char eventTxt[128], *packageField, *dirField;
+ const char *dir;
+
+ auditFd = audit_open();
+ if (auditFd < 0)
+ return;
+
+ packageField = audit_encode_nv_string("sw", te->NEVRA, strlen(te->NEVRA));
+ dir = rpmtsRootDir(te->ts);
+ dirField = audit_encode_nv_string("root_dir", dir, strlen(dir));
+
+ snprintf(eventTxt, sizeof(eventTxt),
+ "%s sw_type=rpm key_enforce=%u gpg_res=%u %s",
+ packageField, keyEnforcement, gpgResult, dirField);
+ audit_log_user_comm_message(auditFd, AUDIT_SOFTWARE_UPDATE, eventTxt,
+ NULL, NULL, NULL, NULL, result);
+
+ free(packageField);
+ free(dirField);
+ audit_close(auditFd);
+
+ return;
+}
+
static rpmRC rpmteRunAllCollections(rpmte te, rpmPluginHook hook)
{
ARGV_const_t colls;
@@ -977,5 +1031,10 @@
failed = rpmteMarkFailed(te);
}

+ if (auditEnabled) {
+ audit_rpm_install(te, 0, auditGpgResult, failed ? 0 : 1);
+ auditEnabled = 0;
+ }
+
return failed;
}
--- rpm-4.11.3/lib/package.c.old 2018-05-25 09:02:29.132209443 +0200
+++ rpm-4.11.3/lib/package.c 2018-06-15 12:11:58.996022237 +0200
@@ -25,6 +25,9 @@
static unsigned int nextkeyid = 0;
static unsigned int * keyids;

+extern int auditGpgResult;
+extern int auditEnabled;
+
/** \ingroup header
* Translate and merge legacy signature tags into header.
* @param h header (dest)
@@ -646,7 +649,10 @@

/** @todo Implement disable/enable/warn/error/anal policy. */
rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, &msg);
-
+
+ if (auditEnabled && (sig != NULL))
+ auditGpgResult = (rc == 0);
+
switch (rc) {
case RPMRC_OK: /* Signature is OK. */
rpmlog(RPMLOG_DEBUG, "%s: %s", fn, msg);

10
SOURCES/rpm-4.12.x-rpmSign-return-value-correction.patch
Unescape View File

@ -0,0 +1,10 @@
--- rpm-4.11.3/sign/rpmgensig.c.old 2014-09-05 13:49:16.000000000 +0200
+++ rpm-4.11.3/sign/rpmgensig.c 2018-05-03 10:58:37.104522827 +0200
@@ -506,6 +506,7 @@
}
goto exit;
}
+ res = -1;
}

/* Reallocate the signature into one contiguous region. */

45
SOURCES/rpm-4.13.x-enable_noghost_option.patch
Unescape View File

@ -0,0 +1,45 @@
--- rpm-4.11.3/doc/rpm.8.old 2018-05-25 09:24:59.329885663 +0200
+++ rpm-4.11.3/doc/rpm.8 2018-05-25 09:25:19.598901802 +0200
@@ -76,7 +76,7 @@
[\fB--nodigest\fR] [\fB--nosignature\fR]
[\fB--nolinkto\fR] [\fB--nofiledigest\fR] [\fB--nosize\fR] [\fB--nouser\fR]
[\fB--nogroup\fR] [\fB--nomtime\fR] [\fB--nomode\fR] [\fB--nordev\fR]
- [\fB--nocaps\fR] [\fB--noconfig\fR]
+ [\fB--nocaps\fR] [\fB--noconfig\fR] [\fB--noghost\fR]

.SS "install-options"
.PP
@@ -683,6 +683,9 @@
\fB--noconfig\fR
Don't verify config files.
.TP
+\fB--noghost\fR
+Don't display ghost files.
+.TP
\fB--noscripts\fR
Don't execute the \fB%verifyscript\fR scriptlet (if any).
.TP
--- rpm-4.11.3/lib/poptQV.c.old 2018-05-10 12:29:26.716304826 +0200
+++ rpm-4.11.3/lib/poptQV.c 2018-05-11 14:08:36.389255974 +0200
@@ -182,7 +182,7 @@
N_("list files in package"), NULL },

/* Duplicate file attr flags from packages into command line options. */
- { "noghost", '\0', POPT_BIT_CLR|POPT_ARGFLAG_DOC_HIDDEN,
+ { "noghost", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN,
&rpmQVKArgs.qva_fflags, RPMFILE_GHOST,
N_("skip %%ghost files"), NULL },
{ "noconfig", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN,
--- rpm-4.11.3/lib/verify.c.old 2018-05-10 12:29:26.715304826 +0200
+++ rpm-4.11.3/lib/verify.c 2018-05-11 14:17:16.474959233 +0200
@@ -453,6 +453,11 @@
rpmlog(RPMLOG_NOTICE, "%s\n", buf);
buf = _free(buf);
}
+
+ /* Filter out missing %ghost/%missingok errors from final result */
+ if (fileAttrs & (RPMFILE_MISSINGOK|RPMFILE_GHOST))
+ verifyResult &= ~RPMVERIFY_LSTATFAIL;
+
}
rpmfiFree(fi);

28
SOURCES/rpm-4.13.x-fix_find_debuginfo_opts_g.patch
Unescape View File

@ -0,0 +1,28 @@
--- rpm-4.11.3/scripts/find-debuginfo.sh.old 2018-05-03 09:53:34.098654333 +0200
+++ rpm-4.11.3/scripts/find-debuginfo.sh 2018-05-03 13:35:32.092303548 +0200
@@ -9,7 +9,7 @@
# [[-l filelist]... [-p 'pattern'] -o debuginfo.list]
# [builddir]
#
-# The -g flag says to use strip -g instead of full strip on DSOs.
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# The --strict-build-id flag says to exit with failure status if
# any ELF binary processed fails to contain a build-id note.
# The -r flag says to use eu-strip --reloc-debug-sections.
@@ -29,7 +29,7 @@
# All file names in switches are relative to builddir (. if not given).
#

-# With -g arg, pass it to strip on libraries.
+# With -g arg, pass it to strip on libraries or executables.
strip_g=false

# with -r arg, pass --reloc-debug-sections to eu-strip.
@@ -130,6 +130,7 @@
$strip_r && r=--reloc-debug-sections
$strip_g && case "$(file -bi "$2")" in
application/x-sharedlib*) g=-g ;;
+ application/x-executable*) g=-g ;;
esac
eu-strip --remove-comment $r $g -f "$1" "$2" || exit
chmod 444 "$1" || exit

28
SPECS/rpm.spec
Unescape View File

@ -21,10 +21,10 @@
Summary: The RPM package management system Summary: The RPM package management system
Name: rpm Name: rpm
Version: %{rpmver} Version: %{rpmver}
Release: %{?snapver:0.%{snapver}.}32%{?dist} Release: %{?snapver:0.%{snapver}.}35%{?dist}
Group: System Environment/Base Group: System Environment/Base
Url: http://www.rpm.org/ Url: http://www.rpm.org/
Source0: http://ftp.rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2 Source0: http://rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2
%if %{with int_bdb} %if %{with int_bdb}
Source1: db-%{bdbver}.tar.gz Source1: db-%{bdbver}.tar.gz
%else %else
@ -88,6 +88,10 @@ Patch185: rpm-4.13.x-Make-the-stftime-buffer-big-enuff.patch
Patch186: rpm-4.11.x-skipattr.patch Patch186: rpm-4.11.x-skipattr.patch
Patch187: rpm-4.13.x-Implement-noconfig-query.patch Patch187: rpm-4.13.x-Implement-noconfig-query.patch
Patch188: rpm-4.11.x-weakdep-tags.patch Patch188: rpm-4.11.x-weakdep-tags.patch
Patch189: rpm-4.12.x-rpmSign-return-value-correction.patch
Patch190: rpm-4.13.x-fix_find_debuginfo_opts_g.patch
Patch191: rpm-4.13.x-enable_noghost_option.patch
Patch192: rpm-4.11.x-provide-audit-events.patch


# Filter soname dependencies by name # Filter soname dependencies by name
Patch200: rpm-4.11.x-filter-soname-deps.patch Patch200: rpm-4.11.x-filter-soname-deps.patch
@ -152,7 +156,7 @@ BuildRequires: fakechroot


# XXX generally assumed to be installed but make it explicit as rpm # XXX generally assumed to be installed but make it explicit as rpm
# is a bit special... # is a bit special...
BuildRequires: powerel-rpm-config BuildRequires: redhat-rpm-config
BuildRequires: gawk BuildRequires: gawk
BuildRequires: elfutils-devel >= 0.112 BuildRequires: elfutils-devel >= 0.112
BuildRequires: elfutils-libelf-devel BuildRequires: elfutils-libelf-devel
@ -179,6 +183,7 @@ BuildRequires: xz-devel >= 4.999.8
# Required for systemd-inhibit plugin # Required for systemd-inhibit plugin
BuildRequires: dbus-devel BuildRequires: dbus-devel
%endif %endif
BuildRequires: audit-libs-devel


# Only required by sepdebugcrcfix patch # Only required by sepdebugcrcfix patch
BuildRequires: binutils-devel BuildRequires: binutils-devel
@ -356,6 +361,10 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
%patch186 -p1 -b .skipattr %patch186 -p1 -b .skipattr
%patch187 -p1 -b .noconfig-cli %patch187 -p1 -b .noconfig-cli
%patch188 -p1 -b .weakdep-tags %patch188 -p1 -b .weakdep-tags
%patch189 -p1 -b .rpmsign-error
%patch190 -p1 -b .find_debuginfo_opts
%patch191 -p1 -b .noghost
%patch192 -p1 -b .audit-events


%patch200 -p1 -b .filter-soname-deps %patch200 -p1 -b .filter-soname-deps
%patch201 -p1 -b .dont-filter-ld64 %patch201 -p1 -b .dont-filter-ld64
@ -618,6 +627,19 @@ exit 0
%doc COPYING doc/librpm/html/* %doc COPYING doc/librpm/html/*


%changelog %changelog
* Tue Jun 19 2018 Pavlina Moravcova Varekova <pmoravco@redhat.com> - 4.11.3-35
- Correct "root_dir" output in audit event (#1555326)

* Fri May 25 2018 Pavlina Moravcova Varekova <pmoravco@redhat.com> - 4.11.3-34
- Adjust --noghost documentation (#1395818)
- Provide audit events on update verification (#1555326)

* Thu May 10 2018 Pavlina Moravcova Varekova <pmoravco@redhat.com> - 4.11.3-33
- Repair of --noghost option implementation (#1395818)
- Backport fix rpmSign() return value in case of failure (#1419590)
- Backport passing _find_debuginfo_opts -g to eu-strip for executables
(#1540653)

* Mon Nov 13 2017 Panu Matilainen <pmatilai@redhat.com> - 4.11.3-32 * Mon Nov 13 2017 Panu Matilainen <pmatilai@redhat.com> - 4.11.3-32
- Backport weak dependency tag definitions (#1508538) - Backport weak dependency tag definitions (#1508538)



Write Preview
Loading…
Cancel
Save