diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ec1812a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/osbuild-18.tar.gz
diff --git a/.osbuild.metadata b/.osbuild.metadata
new file mode 100644
index 0000000..ca68f10
--- /dev/null
+++ b/.osbuild.metadata
@@ -0,0 +1 @@
+9bf4e1ce90639dcefba530df762de397f8e39bd6 SOURCES/osbuild-18.tar.gz
diff --git a/SOURCES/no-floats-in-sources.patch b/SOURCES/no-floats-in-sources.patch
new file mode 100644
index 0000000..61ce923
--- /dev/null
+++ b/SOURCES/no-floats-in-sources.patch
@@ -0,0 +1,53 @@
+From 7b0db90c76c6b0de6a4d481e63450e8f0d1a1d9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
+Date: Thu, 25 Jun 2020 09:56:30 +0200
+Subject: [PATCH] sources/files: do not pass floats to --max-time
+
+curl uses strtod from the C standard library to convert the --max-time's value
+from string to double. However, this is what strtod expects:
+
+nonempty sequence of decimal digits optionally containing decimal-point
+character (as determined by the current C locale)
+
+Yeah, unfortunately, the decimal-point character is determined by the current
+C locale. For example, Czech and German locale uses a comma as the
+decimal-point character.
+
+For reasons I don't fully understand, Python thinks it's running on en_US
+locale, even though LC_NUMERIC is set to cs_CZ, so it uses a full stop as the
+decimal-point character when converting float to string. However, as written
+before, curl fails to parse this because it expects comma.
+
+The fix I chose is simple: Use math.ceil, so only an integer can be passed to
+curl. Why ceil? Because --max-time == 0 sounds fishy. math.ceil should return
+an integer (and it does in Python 3.8) but the documentation is not 100% clear
+on this topic, so let's be paranoid and also convert it to int after the
+ceiling.
+---
+ sources/org.osbuild.files | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sources/org.osbuild.files b/sources/org.osbuild.files
+index 42ff6ca..13ce9b8 100755
+--- a/sources/org.osbuild.files
++++ b/sources/org.osbuild.files
+@@ -17,6 +17,7 @@ import concurrent.futures
+ import glob
+ import itertools
+ import json
++import math
+ import os
+ import subprocess
+ import sys
+@@ -102,7 +103,7 @@ def fetch(url, checksum, directory):
+ curl_command = [
+ "curl",
+ "--silent",
+- "--max-time", f"{300 - elapsed_time}",
++ "--max-time", f"{int(math.ceil(300 - elapsed_time))}",
+ "--connect-timeout", "60",
+ "--fail",
+ "--location",
+--
+2.26.2
+
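Review bot: The ceiling handles the fractional-second case but not the exhausted-budget case: once `elapsed_time` reaches or passes 300, `int(math.ceil(300 - elapsed_time))` is 0 or negative, and as far as I know curl rejects a negative `--max-time` as a usage error and treats 0 as "no overall timeout", which is exactly the outcome the commit message calls fishy. Clamping keeps the argument a positive integer: `remaining = max(1, int(math.ceil(300 - elapsed_time)))` and then `"--max-time", f"{remaining}",`. The body of `fetch` and the loop that accumulates `elapsed_time` lie outside this hunk, so whether a caller already guarantees `elapsed_time < 300` cannot be confirmed here. Since this is an upstream patch carried in SOURCES, the clamp belongs in the patch (or a follow-up upstream) rather than the spec.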
diff --git a/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch b/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch
new file mode 100644
index 0000000..cda2234
--- /dev/null
+++ b/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch
@@ -0,0 +1,82 @@
+From 3c556c3386ffc2e4f722d90a723d9e97e9b72a66 Mon Sep 17 00:00:00 2001
+From: Christian Kellner
+Date: Sun, 9 Aug 2020 13:09:06 +0200
+Subject: [PATCH] selinux: allow nnp and nosuid transitions
+
+Allow osbuild_t to no_new_privs (nnp) and nosuid domain transition
+into setfiles_mac_t and install_t. nnp is a inheritable per-thread
+flag (PR_SET_NO_NEW_PRIVS, see prctl(2)), whereby a promise is made
+by execve(2) to not grant any new privileges that could not have
+been done without the execv call. This is on contrast to what can
+be done via SELinux rules, i.e. in our case `setfiles_mac_t` and
+`install_t` can set arbitrary SELinux labels, but `osbuild_t`
+itself can not; but `osbuild_t` enables the transitioning of
+`setfiles_mac_t` for the `setfiles` binary via execve(2) from a
+process with `osbuild_t`. Related, the nosuid mount flag, prevents
+the suid, sgid bits to be interpreted and thus are in the same
+spirit as nnp, i.e. no new privs during execve(2).
+
+Thus SELinux domain transitions stand in contrast with nnp and
+nosuid transitions, and have therefore been de-coupled. See also
+the corresponding kernel patch at [1] for more information.
+
+bubblewrap (bwrap) in contrast to `systemd-nspawn` always sets the
+nnp flag, as well as the nosuid option for all bind-mounts. Since
+we no use bwrap to contain processes we need to allow the nnp and
+nosuid transitions from `osbuild_t` to `setfiles_mac_t` and
+`install_t`.
+
+[1] https://patchwork.kernel.org/patch/9841441/
+---
+ selinux/osbuild.if | 19 +++++++++++++++++++
+ selinux/osbuild.te | 2 ++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/selinux/osbuild.if b/selinux/osbuild.if
+index 815c691..48d099f 100644
+--- a/selinux/osbuild.if
++++ b/selinux/osbuild.if
+@@ -93,3 +93,22 @@ interface(`osbuild_role',`
+ ps_process_pattern($2, osbuild_t)
+ allow $2 osbuild_t:process { signull signal sigkill };
+ ')
++
++########################################
++##
++## osbuild nnp / nosuid transitions to domain
++##
++##
++##
++## Domain to be allowed to transition into.
++##
++##
++#
++interface(`osbuild_nnp_nosuid_trans',`
++ gen_require(`
++ type osbuild_t;
++ class process2 { nnp_transition nosuid_transition };
++ ')
++
++ allow osbuild_t $1:process2 {nnp_transition nosuid_transition};
++')
+diff --git a/selinux/osbuild.te b/selinux/osbuild.te
+index 1a5f98d..e4a0c7d 100644
+--- a/selinux/osbuild.te
++++ b/selinux/osbuild.te
+@@ -31,6 +31,7 @@ unconfined_domain(osbuild_t)
+ # execute setfiles in the setfiles_mac domain
+ # when in the osbuild_t domain
+ seutil_domtrans_setfiles_mac(osbuild_t)
++osbuild_nnp_nosuid_trans(setfiles_mac_t)
+
+ # Allow sysadm and unconfined to run osbuild
+ optional_policy(`
+@@ -63,4 +64,5 @@ optional_policy(`
+ # allow transitioning to install_t (for ostree)
+ optional_policy(`
+ anaconda_domtrans_install(osbuild_t)
++ osbuild_nnp_nosuid_trans(install_t)
+ ')
+--
+2.26.2
+
diff --git a/SPECS/osbuild.spec b/SPECS/osbuild.spec
new file mode 100644
index 0000000..aef3b68
--- /dev/null
+++ b/SPECS/osbuild.spec
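Review bot: The two `osbuild_nnp_nosuid_trans(...)` rules added to osbuild.te carry no comment, although every neighbouring rule in the hunk has one and the reason for the extra permission (bubblewrap sets no_new_privs and mounts nosuid, which otherwise makes the kernel refuse the domain transition) lives only in the commit message. A one-line comment above the first call, `# bwrap sets no_new_privs and nosuid mounts, so the domain transition above also needs the nnp/nosuid transition permission`, keeps that rationale next to the rule it justifies. In osbuild.if the `## <summary>`/`<param>` documentation appears flattened to bare `##` lines, presumably a rendering artifact of this page; worth confirming the XML survived in the actual file, since the policy doc tooling reads it. Because the interface deliberately relaxes the nnp/nosuid coupling for osbuild_t, it should stay limited to the two target domains named in the `.te` rather than be reused as a general-purpose interface.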
@@ -0,0 +1,248 @@
+%global forgeurl https://github.com/osbuild/osbuild
+%global selinuxtype targeted
+
+Version: 18
+
+%forgemeta
+
+%global pypi_name osbuild
+%global pkgdir %{_prefix}/lib/%{pypi_name}
+
+Name: %{pypi_name}
+Release: 3%{?dist}
+License: ASL 2.0
+
+URL: %{forgeurl}
+
+Source0: %{forgesource}
+Patch0: no-floats-in-sources.patch
+Patch1: selinux-allow-nnp-and-nosuid-transitions.patch
+BuildArch: noarch
+Summary: A build system for OS images
+
+BuildRequires: make
+BuildRequires: python3-devel
+BuildRequires: python3-docutils
+
+Requires: bash
+Requires: coreutils
+Requires: curl
+Requires: dnf
+Requires: e2fsprogs
+Requires: glibc
+Requires: policycoreutils
+Requires: qemu-img
+Requires: systemd
+Requires: systemd-container
+Requires: tar
+Requires: util-linux
+Requires: python3-%{pypi_name} = %{version}-%{release}
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+# Turn off dependency generators for assemblers, runners and stages.
+# They run in a container, so there's no reason to generate dependencies
+# from them. As of 2020-03-25 this filters out python3.6 dependency generated
+# by rhel runner.
+%global __requires_exclude_from ^%{pkgdir}/(assemblers|runners|stages)/.*$
+
+%{?python_enable_dependency_generator}
+
+%description
+A build system for OS images
+
+%package -n python3-%{pypi_name}
+Summary: %{summary}
+%{?python_provide:%python_provide python3-%{pypi_name}}
+
+%description -n python3-%{pypi_name}
+A build system for OS images
+
+%package ostree
+Summary: OSTree support
+Requires: %{name} = %{version}-%{release}
+Requires: ostree
+Requires: rpm-ostree
+
+%description ostree
+Contains the necessary stages, assembler and source
+to build OSTree based images.
+
+%package selinux
+Summary: SELinux policies
+Requires: %{name} = %{version}-%{release}
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Contains the necessary SELinux policies that allows
+osbuild to use labels unknown to the host inside the
+containers it uses to build OS artifacts.
+
+%prep
+%forgesetup
+%patch0 -p1
+%patch1 -p1
+
+%build
+%py3_build
+make man
+
+# SELinux
+make -f /usr/share/selinux/devel/Makefile osbuild.pp
+bzip2 -9 osbuild.pp
+
+%pre
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+%py3_install
+
+mkdir -p %{buildroot}%{pkgdir}/stages
+install -p -m 0755 $(find stages -type f) %{buildroot}%{pkgdir}/stages/
+
+mkdir -p %{buildroot}%{pkgdir}/assemblers
+install -p -m 0755 $(find assemblers -type f) %{buildroot}%{pkgdir}/assemblers/
+
+mkdir -p %{buildroot}%{pkgdir}/runners
+install -p -m 0755 $(find runners -type f -or -type l) %{buildroot}%{pkgdir}/runners
+
+mkdir -p %{buildroot}%{pkgdir}/sources
+install -p -m 0755 $(find sources -type f) %{buildroot}%{pkgdir}/sources
+
+# mount point for bind mounting the osbuild library
+mkdir -p %{buildroot}%{pkgdir}/osbuild
+
+# schemata
+mkdir -p %{buildroot}%{_datadir}/osbuild/schemas
+install -p -m 0755 $(find schemas/*.json) %{buildroot}%{_datadir}/osbuild/schemas
+ln -s %{_datadir}/osbuild/schemas %{buildroot}%{pkgdir}/schemas
+
+# documentation
+mkdir -p %{buildroot}%{_mandir}/man1
+mkdir -p %{buildroot}%{_mandir}/man5
+install -p -m 0644 -t %{buildroot}%{_mandir}/man1/ docs/*.1
+install -p -m 0644 -t %{buildroot}%{_mandir}/man5/ docs/*.5
+
+# SELinux
+install -D -m 644 -t %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} %{name}.pp.bz2
+install -D -m 644 -t %{buildroot}%{_mandir}/man8 selinux/%{name}_selinux.8
+
+%check
+exit 0
+# We have some integration tests, but those require running a VM, so that would
+# be an overkill for RPM check script.
+
+%files
+%license LICENSE
+%{_bindir}/osbuild
+%{_mandir}/man1/%{name}.1*
+%{_mandir}/man5/%{name}-manifest.5*
+%{_datadir}/osbuild/schemas
+%{pkgdir}
+# the following files are in the ostree sub-package
+%exclude %{pkgdir}/assemblers/org.osbuild.ostree.commit
+%exclude %{pkgdir}/sources/org.osbuild.ostree
+%exclude %{pkgdir}/stages/org.osbuild.ostree
+%exclude %{pkgdir}/stages/org.osbuild.rpm-ostree
+
+%files -n python3-%{pypi_name}
+%license LICENSE
+%doc README.md NEWS.md
+%{python3_sitelib}/%{pypi_name}-*.egg-info/
+%{python3_sitelib}/%{pypi_name}/
+
+%files ostree
+%{pkgdir}/assemblers/org.osbuild.ostree.commit
+%{pkgdir}/sources/org.osbuild.ostree
+%{pkgdir}/stages/org.osbuild.ostree
+%{pkgdir}/stages/org.osbuild.rpm-ostree
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%{_mandir}/man8/%{name}_selinux.8.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+
+%changelog
+* Thu Aug 13 2020 Christian Kellner - 18-3
+- Add patch to allow nnp and nosuid domain transitions
+ https://github.com/osbuild/osbuild/pull/495
+
+* Fri Jun 26 2020 Christian Kellner - 18-2
+- Add patch to not pass floats to curl in the files source
+ https://github.com/osbuild/osbuild/pull/459
+
+* Tue Jun 23 2020 Christian Kellner - 18-1
+- Upstream release 18
+- All RHEL runners now use platform-python.
+
+* Wed Jun 10 2020 Christian Kellner - 17-1
+- Upstream release 17
+- Add custom SELinux policy that lets osbuild set labels inside
+ the build root that are unknown to the host.
+
+* Thu Jun 4 2020 Christian Kellner - 16-1
+- Upstream release 16
+- Drop sources-fix-break-when-secrets-is-None.patch included in
+ osbuild-16.
+
+* Tue May 26 2020 Christian Kellner - 15-2
+- Add a patch to allow org.osbuild.files source in the new format
+ but without actually containing the secrets key.
+ Taken from merged PR: https://github.com/osbuild/osbuild/pull/416
+
+* Thu May 21 2020 Christian Kellner - 15-1
+- New upstream release 15
+- Drop draft4-validator.json patch, included in osbuild-15
+
+* Wed May 13 2020 Christian Kellner - 14-2
+- Add draft4-validator.json patch
+ python3-jsonschema in RHEL currently has version 2.6.0 which
+ has support validating up to and including draft4 of jsonschema.
+ See https://github.com/osbuild/osbuild/pull/394
+
+* Wed May 13 2020 Christian Kellner - 14-1
+- Upstream release 14
+- Install schemata to /osbuild/schemas and include a
+ symlink to it in /usr/lib/osbuild/schemas
+- The directories /usr/lib/osbuild/{assemblers, stages}/osbuild
+ got removed. Changes to osbuild made them obsolete.
+
+* Wed Apr 15 2020 Christian Kellner - 12-1
+- Sync with Fedora and use upstream release 12
+- Specify the exact version in the 'python3-osbuild' requirement
+ to avoid the library and the main binary being out of sync.
+- osbuild-ostree sub-package with the necessary bits to create
+ OSTree based images
+- Turn off dependency generator for internal components
+- Add NEWS.md file with the release notes and man pages
+
+* Mon Dec 16 2019 Lars Karlitski - 7-1
+- New upstream release
+
+* Sun Dec 1 2019 Tom Gundersen - 6-2
+- New upstream release
+
+* Thu Oct 24 2019 Lars Karlitski - 3-2
+- add gating infra and tests
+
+* Mon Aug 19 2019 Miro HronĨok - 1-3
+- Rebuilt for Python 3.8
+
+* Mon Jul 29 2019 Martin Sehnoutka - 1-2
+- update upstream URL to the new Github organization
+
+* Wed Jul 17 2019 Martin Sehnoutka - 1-1
+- Initial package
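Review bot: `%pre` with `%selinux_relabel_pre -s %{selinuxtype}` is attached to the main osbuild package, while its counterpart `%selinux_relabel_post` runs under `%posttrans selinux`; the two halves of the relabel bracket are meant to belong to the same package, so I believe this should read `%pre selinux`, otherwise the pre-relabel step runs on every osbuild install (including hosts where the selinux subpackage is not pulled in) and the post step only when osbuild-selinux is. Separately, `install -p -m 0755 $(find schemas/*.json)` ships JSON schema files as executables; `-m 0644` is what data files should get, as the man-page lines below already use. The unquoted `$(find ...)` substitutions also split on whitespace, harmless with today's file names but worth a `find ... -exec install ...` form should the tree ever gain spaces.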