From a5ce2b5d223e56e3325a25e161d4031514265c5a Mon Sep 17 00:00:00 2001
From: basebuilder_pel7x64builder0
Date: Tue, 27 Nov 2018 18:54:01 +0100
Subject: [PATCH] bolt package creation
Signed-off-by: basebuilder_pel7x64builder0
---
SOURCES/py2-compat.patch | 101 +++++++++++++++++++++++++
SOURCES/restricting-capabilities.patch | 26 +++++++
SPECS/bolt.spec | 92 ++++++++++++++++++++++
3 files changed, 219 insertions(+)
create mode 100644 SOURCES/py2-compat.patch
create mode 100644 SOURCES/restricting-capabilities.patch
create mode 100644 SPECS/bolt.spec
diff --git a/SOURCES/py2-compat.patch b/SOURCES/py2-compat.patch
new file mode 100644
index 00000000..119f7d04
--- /dev/null
+++ b/SOURCES/py2-compat.patch
@@ -0,0 +1,101 @@
+From 826d887e8c76654e16dab2249b6035b748bdfeeb Mon Sep 17 00:00:00 2001
+From: Christian Kellner
+Date: Wed, 6 Jun 2018 20:12:26 +0200
+Subject: [PATCH] test: integration: py2 compatibility
+
+The integration test was designed to run with python3, but we it
+can be made to work with python2 quite easily so do that.
+---
+ tests/test-integration | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/test-integration b/tests/test-integration
+index 40c917d..f24900a 100755
+--- a/tests/test-integration
++++ b/tests/test-integration
+@@ -1,4 +1,5 @@
+ #!/usr/bin/python3
++# -*- coding: utf-8 -*-
+ #
+ # bolt integration test suite
+ #
+@@ -19,6 +20,8 @@
+ # Authors:
+ # Christian J. Kellner
+
++from __future__ import print_function
++
+ import binascii
+ import os
+ import shutil
+--
+2.17.1
+
+From d8e8920806a9d1afa691e4d5e7f16c67806d110c Mon Sep 17 00:00:00 2001
+From: Christian Kellner
+Date: Wed, 6 Jun 2018 20:20:02 +0200
+Subject: [PATCH] test: integration: import configparser globally
+
+Instead of importing it twice locally in two functions, import it
+globally; do so in the checked block because it is not installed
+by default and thus might be missing.
+---
+ tests/test-integration | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test-integration b/tests/test-integration
+index f24900a..d2fd7df 100755
+--- a/tests/test-integration
++++ b/tests/test-integration
+@@ -45,6 +45,8 @@ try:
+
+ import dbus
+ import dbusmock
++
++ import configparser
+ except ImportError as e:
+ sys.stderr.write('Skipping integration test due to missing depdendencies: %s\n' % str(e))
+ sys.exit(1)
+@@ -924,7 +926,6 @@ class BoltTest(dbusmock.DBusTestCase):
+ self.polkitd = None
+
+ def user_config(self, **kwargs):
+- import configparser
+ cfg = configparser.ConfigParser()
+ cfg.optionxform = lambda option: option
+
+@@ -1017,7 +1018,6 @@ class BoltTest(dbusmock.DBusTestCase):
+ return x[0]
+
+ def store_device(self, dev, policy='auto', key=None):
+- import configparser
+ df = configparser.ConfigParser()
+ df.optionxform = lambda option: option
+
+--
+2.17.1
+
+From 4ada3a5ce4aa4cfe7e3f0a066c2b9be7281f8930 Mon Sep 17 00:00:00 2001
+From: Christian Kellner
+Date: Wed, 6 Jun 2018 20:34:56 +0200
+Subject: [PATCH] test: integration: use default python
+
+Instead of explicitly specifying the python version, use the
+default, i.e. /usr/bin/python
+---
+ tests/test-integration | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test-integration b/tests/test-integration
+index d2fd7df..66fb89f 100755
+--- a/tests/test-integration
++++ b/tests/test-integration
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3
++#!/usr/bin/python
+ # -*- coding: utf-8 -*-
+ #
+ # bolt integration test suite
+--
+2.17.1
+
diff --git a/SOURCES/restricting-capabilities.patch b/SOURCES/restricting-capabilities.patch
new file mode 100644
index 00000000..0374669e
--- /dev/null
+++ b/SOURCES/restricting-capabilities.patch
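Review bot: The dependency guard shown in the second embedded patch still ends with `sys.exit(1)` after printing "Skipping integration test", and `import configparser` now sits inside that guard, so a missing module is reported with a failing status rather than a skip. Once the third patch points the shebang at `/usr/bin/python`, a host where that resolves to Python 2 without the `configparser` backport will take this path. If the suite is run through `%meson_test`, as the spec's `%check` suggests, the guard should exit with the harness's skip status, e.g. `sys.exit(77)`; how the test is registered in meson.build is not visible here, so confirm that before changing it.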
@@ -0,0 +1,26 @@
+From e962b3260a8baa104b2fc914e8e8974c7b70fcd4 Mon Sep 17 00:00:00 2001
+From: Christian Kellner
+Date: Fri, 29 Jun 2018 14:03:29 +0300
+Subject: [PATCH] data: tighten sandbox by restricting capabilities
+
+We only need CAP_NET_ADMIN capability for the udev netlink socket
+manipulations. All other capabilities can be dropped, reducing
+the damage that can be done.
+Thanks to Richard Maciel Costa for hi help on
+this.
+---
+ data/bolt.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/data/bolt.service.in b/data/bolt.service.in
+index 7cb1dae..5c33d43 100644
+--- a/data/bolt.service.in
++++ b/data/bolt.service.in
+@@ -18,3 +18,4 @@ RestrictAddressFamilies=AF_NETLINK AF_UNIX
+ RestrictRealtime=yes
+ ReadWritePaths=@dbdir@
+ SystemCallFilter=~@mount
++CapabilityBoundingSet=CAP_NET_ADMIN
+--
+2.17.1
+
diff --git a/SPECS/bolt.spec b/SPECS/bolt.spec
new file mode 100644
index 00000000..57937590
--- /dev/null
+++ b/SPECS/bolt.spec
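Review bot: The added `CapabilityBoundingSet=CAP_NET_ADMIN` line has no comment in the unit file saying why this one capability is kept, so the rationale lives only in the commit message. I would add `# CAP_NET_ADMIN is needed for the udev netlink socket; all other capabilities are dropped` directly above it. CAP_NET_ADMIN is itself a broad capability, and the `RestrictAddressFamilies=AF_NETLINK AF_UNIX` context line is what narrows its reach, so the two directives should be changed together in future edits. The rest of bolt.service.in is outside the hunk, so whether `NoNewPrivileges=` or a non-root `User=` is also set cannot be confirmed from here. After deployment, the `CapBnd` field in `/proc/<pid>/status` of the running boltd shows whether the bounding set took effect.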
@@ -0,0 +1,92 @@
+Name: bolt
+Version: 0.4
+Release: 3%{?dist}
+Summary: Thunderbolt device manager
+License: LGPLv2+
+URL: https://gitlab.freedesktop.org/bolt/bolt
+Source0: %{url}/-/archive/%{version}/%{name}-%{version}.tar.bz2
+Patch0: py2-compat.patch
+Patch1: restricting-capabilities.patch
+
+BuildRequires: gcc
+BuildRequires: asciidoc
+BuildRequires: meson
+BuildRequires: libudev-devel
+BuildRequires: pkgconfig(gio-2.0)
+BuildRequires: pkgconfig(libudev)
+BuildRequires: pkgconfig(systemd)
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: polkit-devel
+BuildRequires: systemd
+%{?systemd_requires}
+
+# for the integration test (optional)
+%if 0%{?fedora}
+BuildRequires: pygobject3-devel
+BuildRequires: python3-dbus
+BuildRequires: python3-dbusmock
+BuildRequires: umockdev-devel
+%endif
+
+%description
+bolt is a system daemon to manage thunderbolt 3 devices via a D-BUS
+API. Thunderbolt 3 features different security modes that require
+devices to be authorized before they can be used. The D-Bus API can be
+used to list devices, enroll them (authorize and store them in the
+local database) and forget them again (remove previously enrolled
+devices). It also emits signals if new devices are connected (or
+removed). During enrollment devices can be set to be automatically
+authorized as soon as they are connected. A command line tool, called
+boltctl, can be used to control the daemon and perform all the above
+mentioned tasks.
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+
+%build
+%meson -Ddb-path=%{_localstatedir}/lib/boltd
+%meson_build
+
+%check
+%meson_test
+
+%install
+%meson_install
+install -m0755 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/boltd
+
+
+%post
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%license COPYING
+%doc README.md
+%{_bindir}/boltctl
+%{_libexecdir}/boltd
+%{_unitdir}/%{name}.service
+%{_udevrulesdir}/*-%{name}.rules
+%{_sysconfdir}/dbus-1/system.d/org.freedesktop.bolt.conf
+%{_datadir}/dbus-1/interfaces/org.freedesktop.bolt.xml
+%{_datadir}/polkit-1/actions/org.freedesktop.bolt.policy
+%{_datadir}/polkit-1/rules.d/org.freedesktop.bolt.rules
+%{_datadir}/dbus-1/system-services/org.freedesktop.bolt.service
+%{_mandir}/man1/boltctl.1*
+%{_mandir}/man8/boltd.8*
+%dir %{_localstatedir}/lib/boltd
+
+%changelog
+* Wed Jul 18 2018 Christian Kellner - 0.4-3
+- Include patch to tighten sandbox by restricting capabilities
+- Resolves: #1559611
+
+* Wed Jun 6 2018 Christian Kellner - 0.4-2
+- bolt 0.4 upstream release
+- Resolves: #1559611
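Review bot: The optional integration-test block pulls in `python3-dbus` and `python3-dbusmock`, but Patch0 rewrites the test's shebang to `/usr/bin/python`, so the modules installed for the build and the interpreter that runs under `%meson_test` can disagree. Either keep the python3 shebang on builds where the `%if 0%{?fedora}` block applies, or require the modules for whichever interpreter `/usr/bin/python` resolves to on the target. Separately, `install -m0755 -d` leaves `%{_localstatedir}/lib/boltd` world-readable. If the database holds device keys (the test's `store_device` takes a `key`), confirm the daemon restricts those files itself, or tighten the directory mode.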