From 1e84b1265316ca429a41b02cf870e5abc58f1357 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 12 2021 08:21:24 +0000 Subject: import rpm-4.14.3-12.el8 --- diff --git a/SOURCES/0001-Unblock-signals-in-forked-scriptlets.patch b/SOURCES/0001-Unblock-signals-in-forked-scriptlets.patch new file mode 100644 index 0000000..fb1e8d4 --- /dev/null +++ b/SOURCES/0001-Unblock-signals-in-forked-scriptlets.patch @@ -0,0 +1,37 @@ +From cb6aa82dbc10d554f8d234e934ae7c77e39a3ce2 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen +Date: Tue, 12 Jan 2021 13:35:23 +0200 +Subject: [PATCH] Unblock signals in forked scriptlets + +Since commit c5f82d3f6223ebd0c5cc0a07ea60393ae7284929 we've blocked +most signals during transactions, which makes sense to rpm itself but +the signal mask is inherited to childs and carried even across exec(), +so all scriptlets are executing with those signals blocked as well. +Which in turn does not make sense, the scriptlets could run stuff that +actually depends on signal delivery (such as SIGALARM in RhBug:1913765). + +Unblock all signals for forked scriptlet execution (Lua scriptlets are +totally different as they execute in-process for now) +--- + lib/rpmscript.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/rpmscript.c b/lib/rpmscript.c +index 2ae3378f7..c69d29554 100644 +--- a/lib/rpmscript.c ++++ b/lib/rpmscript.c +@@ -152,6 +152,11 @@ static void doScriptExec(ARGV_const_t argv, ARGV_const_t prefixes, + FD_t scriptFd, FD_t out) + { + int xx; ++ sigset_t set; ++ ++ /* Unmask all signals, the scripts may need them */ ++ sigfillset(&set); ++ sigprocmask(SIG_UNBLOCK, &set, NULL); + + /* SIGPIPE is ignored in rpm, reset to default for the scriptlet */ + (void) signal(SIGPIPE, SIG_DFL); +-- +2.29.2 + diff --git a/SOURCES/rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch b/SOURCES/rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch new file mode 100644 index 0000000..05ca170 --- /dev/null +++ b/SOURCES/rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch @@ -0,0 +1,14 @@ +diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip +--- rpm-4.14.3/scripts/brp-strip.orig 2021-02-09 14:43:35.393940550 +0100 ++++ rpm-4.14.3/scripts/brp-strip 2021-02-09 14:43:49.459222054 +0100 +@@ -12,9 +12,8 @@ Darwin*) exit 0 ;; + esac + + # Strip ELF binaries +-for f in `find "$RPM_BUILD_ROOT" -type f \( -perm -0100 -or -perm -0010 -or -perm -0001 \) -exec file {} \; | \ ++for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \ + grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug" | \ +- grep -v ' shared object,' | \ + sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped.*/\1/p'`; do + $STRIP -g "$f" || : + done diff --git a/SOURCES/rpm-4.14.3-add-fapolicyd-rpm-plugin.patch b/SOURCES/rpm-4.14.3-add-fapolicyd-rpm-plugin.patch new file mode 100644 index 0000000..36a5b19 --- /dev/null +++ b/SOURCES/rpm-4.14.3-add-fapolicyd-rpm-plugin.patch @@ -0,0 +1,342 @@ +From c33faabc2d09b9ad8c80b941b6114c1e4c2be80f Mon Sep 17 00:00:00 2001 +Message-Id: +From: Radovan Sroka +Date: Tue, 27 Oct 2020 16:18:04 +0100 +Subject: [PATCH] Added fapolicyd rpm plugin + +Fapolicyd (File Access Policy Daemon) implements application whitelisting +to decide file access rights. Applications that are known via a reputation +source are allowed access while unknown applications are not. + +The rpm plugin allows us to use rpm database as a source of trust. +We used dnf plugin since the beggining but it only provides notification +when transaction ends. With "integrity checking" requirement we need +a continual addition of files which are installed during the system +update. With fapolicyd rpm plugin we can allow using of recently +added/updated files in scriptlets during rpm transaction. + +The fapolicyd plugin gathers metadata of currently installed files. +It sends the information about files and about ongoing rpm transaction +to the fapolicyd daemon. The information is written to Linux pipe which +is placed in /var/run/fapolicyd/fapolicyd.fifo. + +The data format is "%s %lu %64s\n". [path, size, sha256] + +The fapolicyd rpm plugin can be enabled with "--with-fapolicyd" +configure option. + +Related PRs: +https://github.com/linux-application-whitelisting/fapolicyd/pull/105 +https://github.com/linux-application-whitelisting/fapolicyd/pull/106 + +Signed-off-by: Radovan Sroka +(cherry picked from commit 39595ccee321497dc3b08c7cab8a10304345429c) + +Backported from commit 39595ccee321497dc3b08c7cab8a10304345429c +--- + Makefile.am | 1 + + configure.ac | 8 ++ + doc/Makefile.am | 2 +- + doc/rpm-plugin-fapolicyd.8 | 21 +++++ + macros.in | 1 + + plugins/Makefile.am | 6 ++ + plugins/fapolicyd.c | 189 +++++++++++++++++++++++++++++++++++++ + 7 files changed, 227 insertions(+), 1 deletion(-) + create mode 100644 doc/rpm-plugin-fapolicyd.8 + create mode 100644 plugins/fapolicyd.c + +diff --git a/Makefile.am b/Makefile.am +index 1f20f05b7..8e92f0cde 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -16,6 +16,7 @@ DISTCHECK_CONFIGURE_FLAGS = \ + --with-selinux \ + --with-imaevm \ + --with-crypto=openssl \ ++ --with-fapolicyd \ + --disable-dependency-tracking + + include $(top_srcdir)/rpm.am +diff --git a/configure.ac b/configure.ac +index 3fcb3ff20..3d0e9ef91 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -983,6 +983,14 @@ AS_IF([test "$enable_inhibit_plugin" = yes],[ + ]) + AM_CONDITIONAL(ENABLE_INHIBIT_PLUGIN,[test "$enable_inhibit_plugin" = yes]) + ++#================= ++# Check for fapolicyd support ++AC_ARG_WITH(fapolicyd, ++AS_HELP_STRING([--with-fapolicyd],[build with File Access Policy Daemon support]), ++with_fapolicyd=$withval, ++with_fapolicyd=auto) ++AM_CONDITIONAL(FAPOLICYD,[test "$with_fapolicyd" = yes]) ++ + with_dbus=no + AS_IF([test "$enable_plugins" != no],[ + AS_IF([test "$enable_inhibit_plugin" != no],[ +diff --git a/doc/Makefile.am b/doc/Makefile.am +index d2f520d64..535ad3ec3 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -9,7 +9,7 @@ EXTRA_DIST += $(man_man1_DATA) + man_man8dir = $(mandir)/man8 + man_man8_DATA = rpm.8 rpm-misc.8 rpmbuild.8 rpmdeps.8 rpmgraph.8 rpm2cpio.8 + man_man8_DATA += rpmdb.8 rpmkeys.8 rpmsign.8 rpmspec.8 +-man_man8_DATA += rpm-plugin-systemd-inhibit.8 ++man_man8_DATA += rpm-plugin-systemd-inhibit.8 rpm-plugin-fapolicyd.8 + EXTRA_DIST += $(man_man8_DATA) + + man_fr_man8dir = $(mandir)/fr/man8 +diff --git a/doc/rpm-plugin-fapolicyd.8 b/doc/rpm-plugin-fapolicyd.8 +new file mode 100644 +index 000000000..fe7a8c78e +--- /dev/null ++++ b/doc/rpm-plugin-fapolicyd.8 +@@ -0,0 +1,21 @@ ++'\" t ++.TH "RPM-FAPOLICYD" "8" "28 Jan 2021" "Red Hat, Inc." ++.SH NAME ++rpm-plugin-fapolicyd \- Fapolicyd plugin for the RPM Package Manager ++ ++.SH Description ++ ++The plugin gathers metadata of currently installed files. It sends the ++information about files and about ongoing rpm transaction to the fapolicyd daemon. ++The information is written to Linux pipe which is placed in ++/var/run/fapolicyd/fapolicyd.fifo. ++ ++.SH Configuration ++ ++There are currently no options for this plugin in particular. See ++.BR rpm-plugins (8) ++on how to control plugins in general. ++ ++.SH SEE ALSO ++.IR fapolicyd (8) ++.IR rpm-plugins (8) +diff --git a/macros.in b/macros.in +index a6069ee4d..2fbda64cc 100644 +--- a/macros.in ++++ b/macros.in +@@ -1173,6 +1173,7 @@ package or when debugging this package.\ + %__transaction_selinux %{__plugindir}/selinux.so + %__transaction_syslog %{__plugindir}/syslog.so + %__transaction_ima %{__plugindir}/ima.so ++%__transaction_fapolicyd %{__plugindir}/fapolicyd.so + %__transaction_prioreset %{__plugindir}/prioreset.so + + #------------------------------------------------------------------------------ +diff --git a/plugins/Makefile.am b/plugins/Makefile.am +index ab4eee34f..cbfb81e19 100644 +--- a/plugins/Makefile.am ++++ b/plugins/Makefile.am +@@ -42,3 +42,9 @@ ima_la_sources = ima.c + ima_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la + plugins_LTLIBRARIES += ima.la + endif ++ ++if FAPOLICYD ++fapolicyd_la_sources = fapolicyd.c ++fapolicyd_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la ++plugins_LTLIBRARIES += fapolicyd.la ++endif +diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c +new file mode 100644 +index 000000000..50f50155c +--- /dev/null ++++ b/plugins/fapolicyd.c +@@ -0,0 +1,189 @@ ++#include "system.h" ++ ++#include ++#include ++#include "lib/rpmplugin.h" ++ ++#include ++#include ++#include ++#include ++ ++struct fapolicyd_data { ++ int fd; ++ long changed_files; ++ const char * fifo_path; ++}; ++ ++static struct fapolicyd_data fapolicyd_state = { ++ .fd = -1, ++ .changed_files = 0, ++ .fifo_path = "/run/fapolicyd/fapolicyd.fifo", ++}; ++ ++static rpmRC open_fifo(struct fapolicyd_data* state) ++{ ++ int fd = -1; ++ struct stat s; ++ ++ fd = open(state->fifo_path, O_RDWR); ++ if (fd == -1) { ++ rpmlog(RPMLOG_DEBUG, "Open: %s -> %s\n", state->fifo_path, strerror(errno)); ++ goto bad; ++ } ++ ++ if (stat(state->fifo_path, &s) == -1) { ++ rpmlog(RPMLOG_DEBUG, "Stat: %s -> %s\n", state->fifo_path, strerror(errno)); ++ goto bad; ++ } ++ ++ if (!S_ISFIFO(s.st_mode)) { ++ rpmlog(RPMLOG_DEBUG, "File: %s exists but it is not a pipe!\n", state->fifo_path); ++ goto bad; ++ } ++ ++ /* keep only file's permition bits */ ++ mode_t mode = s.st_mode & ~S_IFMT; ++ ++ /* we require pipe to have 0660 permission */ ++ if (mode != 0660) { ++ rpmlog(RPMLOG_ERR, "File: %s has %o instead of 0660 \n", ++ state->fifo_path, ++ mode ); ++ goto bad; ++ } ++ ++ state->fd = fd; ++ /* considering success */ ++ return RPMRC_OK; ++ ++ bad: ++ if (fd > 0) ++ close(fd); ++ return RPMRC_FAIL; ++} ++ ++static rpmRC write_fifo(struct fapolicyd_data* state, const char * str) ++{ ++ ssize_t len = strlen(str); ++ ssize_t written = 0; ++ ssize_t n = 0; ++ ++ while (written < len) { ++ if ((n = write(state->fd, str + written, len - written)) < 0) { ++ if (errno == EINTR || errno == EAGAIN) ++ continue; ++ rpmlog(RPMLOG_DEBUG, "Write: %s -> %s\n", state->fifo_path, strerror(errno)); ++ goto bad; ++ } ++ written += n; ++ } ++ ++ return RPMRC_OK; ++ ++ bad: ++ return RPMRC_FAIL; ++} ++ ++static rpmRC fapolicyd_init(rpmPlugin plugin, rpmts ts) ++{ ++ if (rpmtsFlags(ts) & (RPMTRANS_FLAG_TEST|RPMTRANS_FLAG_BUILD_PROBS)) ++ goto end; ++ ++ if (!rstreq(rpmtsRootDir(ts), "/")) ++ goto end; ++ ++ (void) open_fifo(&fapolicyd_state); ++ ++ end: ++ return RPMRC_OK; ++} ++ ++static void fapolicyd_cleanup(rpmPlugin plugin) ++{ ++ if (fapolicyd_state.fd > 0) ++ (void) close(fapolicyd_state.fd); ++ ++ fapolicyd_state.fd = -1; ++} ++ ++static rpmRC fapolicyd_tsm_post(rpmPlugin plugin, rpmts ts, int res) ++{ ++ if (rpmtsFlags(ts) & (RPMTRANS_FLAG_TEST|RPMTRANS_FLAG_BUILD_PROBS)) ++ goto end; ++ ++ /* we are ready */ ++ if (fapolicyd_state.fd > 0) { ++ /* send a signal that transaction is over */ ++ (void) write_fifo(&fapolicyd_state, "1\n"); ++ /* flush cache */ ++ (void) write_fifo(&fapolicyd_state, "2\n"); ++ } ++ ++ end: ++ return RPMRC_OK; ++} ++ ++static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name, ++ int type) ++{ ++ if (fapolicyd_state.fd == -1) ++ goto end; ++ ++ if (fapolicyd_state.changed_files > 0) { ++ /* send signal to flush cache */ ++ (void) write_fifo(&fapolicyd_state, "2\n"); ++ ++ /* optimize flushing */ ++ /* flush only when there was an actual change */ ++ fapolicyd_state.changed_files = 0; ++ } ++ ++ end: ++ return RPMRC_OK; ++} ++ ++static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, ++ const char *path, const char *dest, ++ mode_t file_mode, rpmFsmOp op) ++{ ++ /* not ready */ ++ if (fapolicyd_state.fd == -1) ++ goto end; ++ ++ rpmFileAction action = XFO_ACTION(op); ++ ++ /* Ignore skipped files and unowned directories */ ++ if (XFA_SKIPPING(action) || (op & FAF_UNOWNED)) { ++ rpmlog(RPMLOG_DEBUG, "fapolicyd skipping early: path %s dest %s\n", ++ path, dest); ++ goto end; ++ } ++ ++ if (!S_ISREG(rpmfiFMode(fi))) { ++ rpmlog(RPMLOG_DEBUG, "fapolicyd skipping non regular: path %s dest %s\n", ++ path, dest); ++ goto end; ++ } ++ ++ fapolicyd_state.changed_files++; ++ ++ char buffer[4096]; ++ ++ rpm_loff_t size = rpmfiFSize(fi); ++ char * sha = rpmfiFDigestHex(fi, NULL); ++ ++ snprintf(buffer, 4096, "%s %lu %64s\n", dest, size, sha); ++ (void) write_fifo(&fapolicyd_state, buffer); ++ ++ end: ++ return RPMRC_OK; ++} ++ ++struct rpmPluginHooks_s fapolicyd_hooks = { ++ .init = fapolicyd_init, ++ .cleanup = fapolicyd_cleanup, ++ .scriptlet_pre = fapolicyd_scriptlet_pre, ++ .tsm_post = fapolicyd_tsm_post, ++ .fsm_file_prepare = fapolicyd_fsm_file_prepare, ++}; +-- +2.29.2 + diff --git a/SOURCES/rpm-4.14.3-bump-up-the-limit-of-signature-header-to-64MB.patch b/SOURCES/rpm-4.14.3-bump-up-the-limit-of-signature-header-to-64MB.patch new file mode 100644 index 0000000..58606e9 --- /dev/null +++ b/SOURCES/rpm-4.14.3-bump-up-the-limit-of-signature-header-to-64MB.patch @@ -0,0 +1,12 @@ +diff -up rpm-4.14.3/lib/header.c.orig rpm-4.14.3/lib/header.c +--- rpm-4.14.3/lib/header.c.orig 2020-04-28 14:50:11.816399041 +0200 ++++ rpm-4.14.3/lib/header.c 2021-02-03 16:47:23.567245743 +0100 +@@ -1910,7 +1910,7 @@ rpmRC hdrblobRead(FD_t fd, int magic, in + + if (regionTag == RPMTAG_HEADERSIGNATURES) { + il_max = 32; +- dl_max = 8192; ++ dl_max = 64 * 1024 * 1024; + } + + memset(block, 0, sizeof(block)); diff --git a/SOURCES/rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch b/SOURCES/rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch new file mode 100644 index 0000000..48039c7 --- /dev/null +++ b/SOURCES/rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch @@ -0,0 +1,101 @@ +diff -up rpm-4.14.3/lib/rpmscript.c.orig rpm-4.14.3/lib/rpmscript.c +--- rpm-4.14.3/lib/rpmscript.c.orig 2021-02-08 14:07:44.527197946 +0100 ++++ rpm-4.14.3/lib/rpmscript.c 2021-02-08 14:09:05.732749080 +0100 +@@ -46,27 +46,27 @@ struct scriptInfo_s { + }; + + static const struct scriptInfo_s scriptInfo[] = { +- { RPMSCRIPT_PREIN, "%prein", 0, ++ { RPMSCRIPT_PREIN, "prein", 0, + RPMTAG_PREIN, RPMTAG_PREINPROG, RPMTAG_PREINFLAGS }, +- { RPMSCRIPT_PREUN, "%preun", 0, ++ { RPMSCRIPT_PREUN, "preun", 0, + RPMTAG_PREUN, RPMTAG_PREUNPROG, RPMTAG_PREUNFLAGS }, +- { RPMSCRIPT_POSTIN, "%post", 0, ++ { RPMSCRIPT_POSTIN, "post", 0, + RPMTAG_POSTIN, RPMTAG_POSTINPROG, RPMTAG_POSTINFLAGS }, +- { RPMSCRIPT_POSTUN, "%postun", 0, ++ { RPMSCRIPT_POSTUN, "postun", 0, + RPMTAG_POSTUN, RPMTAG_POSTUNPROG, RPMTAG_POSTUNFLAGS }, +- { RPMSCRIPT_PRETRANS, "%pretrans", 0, ++ { RPMSCRIPT_PRETRANS, "pretrans", 0, + RPMTAG_PRETRANS, RPMTAG_PRETRANSPROG, RPMTAG_PRETRANSFLAGS }, +- { RPMSCRIPT_POSTTRANS, "%posttrans", 0, ++ { RPMSCRIPT_POSTTRANS, "posttrans", 0, + RPMTAG_POSTTRANS, RPMTAG_POSTTRANSPROG, RPMTAG_POSTTRANSFLAGS }, +- { RPMSCRIPT_TRIGGERPREIN, "%triggerprein", RPMSENSE_TRIGGERPREIN, ++ { RPMSCRIPT_TRIGGERPREIN, "triggerprein", RPMSENSE_TRIGGERPREIN, + RPMTAG_TRIGGERPREIN, 0, 0 }, +- { RPMSCRIPT_TRIGGERUN, "%triggerun", RPMSENSE_TRIGGERUN, ++ { RPMSCRIPT_TRIGGERUN, "triggerun", RPMSENSE_TRIGGERUN, + RPMTAG_TRIGGERUN, 0, 0 }, +- { RPMSCRIPT_TRIGGERIN, "%triggerin", RPMSENSE_TRIGGERIN, ++ { RPMSCRIPT_TRIGGERIN, "triggerin", RPMSENSE_TRIGGERIN, + RPMTAG_TRIGGERIN, 0, 0 }, +- { RPMSCRIPT_TRIGGERPOSTUN, "%triggerpostun", RPMSENSE_TRIGGERPOSTUN, ++ { RPMSCRIPT_TRIGGERPOSTUN, "triggerpostun", RPMSENSE_TRIGGERPOSTUN, + RPMTAG_TRIGGERPOSTUN, 0, 0 }, +- { RPMSCRIPT_VERIFY, "%verify", 0, ++ { RPMSCRIPT_VERIFY, "verify", 0, + RPMTAG_VERIFYSCRIPT, RPMTAG_VERIFYSCRIPTPROG, RPMTAG_VERIFYSCRIPTFLAGS}, + { 0, "unknown", 0, + RPMTAG_NOT_FOUND, RPMTAG_NOT_FOUND, RPMTAG_NOT_FOUND } +@@ -457,7 +457,7 @@ static const char * tag2sln(rpmTagVal ta + } + + static rpmScript rpmScriptNew(Header h, rpmTagVal tag, const char *body, +- rpmscriptFlags flags) ++ rpmscriptFlags flags, const char *prefix) + { + char *nevra = headerGetAsString(h, RPMTAG_NEVRA); + rpmScript script = xcalloc(1, sizeof(*script)); +@@ -465,7 +465,7 @@ static rpmScript rpmScriptNew(Header h, + script->type = getScriptType(tag); + script->flags = flags; + script->body = (body != NULL) ? xstrdup(body) : NULL; +- rasprintf(&script->descr, "%s(%s)", tag2sln(tag), nevra); ++ rasprintf(&script->descr, "%%%s%s(%s)", prefix, tag2sln(tag), nevra); + + /* macros need to be expanded before possible queryformat */ + if (script->body && (script->flags & RPMSCRIPT_FLAG_EXPAND)) { +@@ -556,6 +556,7 @@ rpmScript rpmScriptFromTriggerTag(Header + rpmScript script = NULL; + struct rpmtd_s tscripts, tprogs, tflags; + headerGetFlags hgflags = HEADERGET_MINMEM; ++ const char *prefix = ""; + + switch (tm) { + case RPMSCRIPT_NORMALTRIGGER: +@@ -567,11 +568,13 @@ rpmScript rpmScriptFromTriggerTag(Header + headerGet(h, RPMTAG_FILETRIGGERSCRIPTS, &tscripts, hgflags); + headerGet(h, RPMTAG_FILETRIGGERSCRIPTPROG, &tprogs, hgflags); + headerGet(h, RPMTAG_FILETRIGGERSCRIPTFLAGS, &tflags, hgflags); ++ prefix = "file"; + break; + case RPMSCRIPT_TRANSFILETRIGGER: + headerGet(h, RPMTAG_TRANSFILETRIGGERSCRIPTS, &tscripts, hgflags); + headerGet(h, RPMTAG_TRANSFILETRIGGERSCRIPTPROG, &tprogs, hgflags); + headerGet(h, RPMTAG_TRANSFILETRIGGERSCRIPTFLAGS, &tflags, hgflags); ++ prefix = "transfile"; + break; + } + +@@ -582,7 +585,8 @@ rpmScript rpmScriptFromTriggerTag(Header + if (rpmtdSetIndex(&tflags, ix) >= 0) + sflags = rpmtdGetNumber(&tflags); + +- script = rpmScriptNew(h, triggerTag, rpmtdGetString(&tscripts), sflags); ++ script = rpmScriptNew(h, triggerTag, ++ rpmtdGetString(&tscripts), sflags, prefix); + + /* hack up a hge-style NULL-terminated array */ + script->args = xmalloc(2 * sizeof(*script->args) + strlen(prog) + 1); +@@ -608,7 +612,7 @@ rpmScript rpmScriptFromTag(Header h, rpm + + script = rpmScriptNew(h, scriptTag, + headerGetString(h, scriptTag), +- headerGetNumber(h, getFlagTag(scriptTag))); ++ headerGetNumber(h, getFlagTag(scriptTag)), ""); + + if (headerGet(h, progTag, &prog, (HEADERGET_ALLOC|HEADERGET_ARGV))) { + script->args = prog.data; diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec index 00927d7..1e663ad 100644 --- a/SPECS/rpm.spec +++ b/SPECS/rpm.spec @@ -30,7 +30,7 @@ %global rpmver 4.14.3 #global snapver rc2 -%global rel 10 +%global rel 12 %global srcver %{version}%{?snapver:-%{snapver}} %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x} @@ -98,6 +98,11 @@ Patch145: 0001-Always-close-libelf-handle-1313.patch Patch146: 0001-When-doing-the-same-thing-more-than-once-use-a-loop.patch Patch147: 0001-Introduce-patch_nums-and-source_nums-Lua-variables-i.patch Patch148: 0001-Add-limits-to-autopatch-macro.patch +Patch149: rpm-4.14.3-bump-up-the-limit-of-signature-header-to-64MB.patch +Patch150: rpm-4.14.3-add-fapolicyd-rpm-plugin.patch +Patch151: 0001-Unblock-signals-in-forked-scriptlets.patch +Patch152: rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch +Patch153: rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch # Python 3 string API sanity Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch @@ -396,6 +401,15 @@ Requires: rpm-libs%{_isa} = %{version}-%{release} Useful on legacy SysV init systems if you run rpm transactions with nice/ionice priorities. Should not be used on systemd systems. +%package plugin-fapolicyd +Summary: Rpm plugin for fapolicyd functionality +Requires: rpm-libs%{_isa} = %{version}-%{release} +Provides: fapolicyd-plugin +Obsoletes: fapolicyd-dnf-plugin + +%description plugin-fapolicyd +%{summary}. + %endif # with plugins %prep @@ -443,6 +457,7 @@ done; %{?with_libimaevm: --with-imaevm} \ %{?with_zstd: --enable-zstd} \ %{?with_lmdb: --enable-lmdb} \ + --with-fapolicyd \ --enable-python \ --with-crypto=openssl \ PYTHON=python3 @@ -597,6 +612,10 @@ make check || cat tests/rpmtests.log %files plugin-prioreset %{_libdir}/rpm-plugins/prioreset.so + +%files plugin-fapolicyd +%{_libdir}/rpm-plugins/fapolicyd.so +%{_mandir}/man8/rpm-plugin-fapolicyd.8* %endif # with plugins %files build-libs @@ -659,6 +678,13 @@ make check || cat tests/rpmtests.log %doc doc/librpm/html/* %changelog +* Tue Feb 09 2021 Michal Domonkos - 4.14.3-12 +- Bump up the limit of signature header to 64MB (#1918777) +- Add fapolicyd plugin (#1923167) +- Unblock signals in forked scriptlets (#1913765) +- Fix ambiguous diagnostics output on file triggers (#1883338) +- Ensure ELF files get stripped when debuginfo is disabled (#1634084) + * Sun Jan 10 2021 Michal Domonkos - 4.14.3-10 - Rebuild for libimaevm soname bump, now for real (#1896046)