diff --git a/SOURCES/rpm-4.11.x-provide-audit-events.patch b/SOURCES/rpm-4.11.x-provide-audit-events.patch
new file mode 100644
index 0000000..7fc7879
--- /dev/null
+++ b/SOURCES/rpm-4.11.x-provide-audit-events.patch
@@ -0,0 +1,156 @@
+--- rpm-4.11.3/configure.ac.old 2018-05-25 09:02:29.103209393 +0200
++++ rpm-4.11.3/configure.ac 2018-05-28 14:46:27.134913783 +0200
+@@ -334,6 +334,22 @@
+ AC_SUBST(WITH_POPT_INCLUDE)
+ AC_SUBST(WITH_POPT_LIB)
+ 
++
++#=================
++# Check for audit library.
++AC_ARG_WITH(audit,
++AS_HELP_STRING([--with-audit],[log results using Linux Audit]),
++with_audit=$withval,
++with_audit=auto)
++
++WITH_AUDIT_LIB=
++AS_IF([test "$with_audit" = auto],[
++ AC_SEARCH_LIBS([audit_open],[audit],[WITH_AUDIT_LIB="$ac_res"],
++ [AC_MSG_ERROR([missing audit library])
++ ])
++])
++AC_SUBST(WITH_AUDIT_LIB)
++
+ #=================
+ # Process --with/without-external-db
+ AC_ARG_WITH(external_db, [AS_HELP_STRING([--with-external-db],[build against an external Berkeley db])],
+--- rpm-4.11.3/lib/Makefile.am.old 2014-09-05 13:51:05.000000000 +0200
++++ rpm-4.11.3/lib/Makefile.am 2018-05-28 13:24:17.309657132 +0200
+@@ -47,6 +47,7 @@
+ @WITH_SELINUX_LIB@ \
+ @WITH_CAP_LIB@ \
+ @WITH_ACL_LIB@ \
++ @WITH_AUDIT_LIB@ \
+ @LIBINTL@
+ 
+ if WITH_LUA
+--- rpm-4.11.3/lib/rpmte.c.old 2018-05-25 09:02:29.173209513 +0200
++++ rpm-4.11.3/lib/rpmte.c 2018-06-18 10:38:02.929670757 +0200
+@@ -3,6 +3,7 @@
+ * Routine(s) to handle an "rpmte" transaction element.
+ */
+ #include "system.h"
++#include
+ 
+ #include
+ #include /* RPM_MACHTABLE_* */
+@@ -22,6 +23,16 @@
+ 
+ #include "debug.h"
+ 
++#ifndef AUDIT_SOFTWARE_UPDATE
++#define AUDIT_SOFTWARE_UPDATE 1138
++#endif
++
++RPM_GNUC_INTERNAL
++int auditEnabled = 0;
++
++RPM_GNUC_INTERNAL
++int auditGpgResult = 0;
++
+ /** \ingroup rpmte
+ * A single package instance to be installed/removed atomically.
+ */
+@@ -698,7 +709,15 @@
+ 
+ switch (rpmteType(te)) {
+ case TR_ADDED:
+- h = rpmteDBInstance(te) ? rpmteDBHeader(te) : rpmteFDHeader(te);
++ if (rpmteDBInstance(te)) {
++ h = rpmteDBHeader(te);
++ } else {
++ if (reload_fi) {
++ auditEnabled = 1;
++ auditGpgResult = 0;
++ }
++ h = rpmteFDHeader(te);
++ }
+ break;
+ case TR_REMOVED:
+ h = rpmteDBHeader(te);
+@@ -904,6 +923,41 @@
+ return rc;
+ }
+ 
++/*
++ * Input variables:
++ * te - transaction element
++ * keyEnforcement - gpg key enforcement status: 1 enforced, 0 not enforced
++ * gpgResult - results of gpg signature check: 1 verified, 0 otherwise
++ * result - overall result of installing the rpm: 1 success, 0 failure
++ */
++static void audit_rpm_install(rpmte te, unsigned int keyEnforcement,
++ unsigned int gpgResult, int result)
++{
++ int auditFd;
++ char eventTxt[128], *packageField, *dirField;
++ const char *dir;
++
++ auditFd = audit_open();
++ if (auditFd < 0)
++ return;
++
++ packageField = audit_encode_nv_string("sw", te->NEVRA, strlen(te->NEVRA));
++ dir = rpmtsRootDir(te->ts);
++ dirField = audit_encode_nv_string("root_dir", dir, strlen(dir));
++
++ snprintf(eventTxt, sizeof(eventTxt),
++ "%s sw_type=rpm key_enforce=%u gpg_res=%u %s",
++ packageField, keyEnforcement, gpgResult, dirField);
++ audit_log_user_comm_message(auditFd, AUDIT_SOFTWARE_UPDATE, eventTxt,
++ NULL, NULL, NULL, NULL, result);
++
++ free(packageField);
++ free(dirField);
++ audit_close(auditFd);
++
++ return;
++}
++
+ static rpmRC rpmteRunAllCollections(rpmte te, rpmPluginHook hook)
+ {
+ ARGV_const_t colls;
+@@ -977,5 +1031,10 @@
+ failed = rpmteMarkFailed(te);
+ }
+ 
++ if (auditEnabled) {
++ audit_rpm_install(te, 0, auditGpgResult, failed ? 0 : 1);
++ auditEnabled = 0;
++ }
++
+ return failed;
+ }
+--- rpm-4.11.3/lib/package.c.old 2018-05-25 09:02:29.132209443 +0200
++++ rpm-4.11.3/lib/package.c 2018-06-15 12:11:58.996022237 +0200
+@@ -25,6 +25,9 @@
+ static unsigned int nextkeyid = 0;
+ static unsigned int * keyids;
+ 
++extern int auditGpgResult;
++extern int auditEnabled;
++
+ /** \ingroup header
+ * Translate and merge legacy signature tags into header.
+ * @param h header (dest)
+@@ -646,7 +649,10 @@
+ 
+ /** @todo Implement disable/enable/warn/error/anal policy. */
+ rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, &msg);
+-
++
++ if (auditEnabled && (sig != NULL))
++ auditGpgResult = (rc == 0);
++
+ switch (rc) {
+ case RPMRC_OK: /* Signature is OK. */
+ rpmlog(RPMLOG_DEBUG, "%s: %s", fn, msg);
diff --git a/SOURCES/rpm-4.12.x-rpmSign-return-value-correction.patch b/SOURCES/rpm-4.12.x-rpmSign-return-value-correction.patch
new file mode 100644
index 0000000..7d94f61
--- /dev/null
+++ b/SOURCES/rpm-4.12.x-rpmSign-return-value-correction.patch
@@ -0,0 +1,10 @@
+--- rpm-4.11.3/sign/rpmgensig.c.old 2014-09-05 13:49:16.000000000 +0200
++++ rpm-4.11.3/sign/rpmgensig.c 2018-05-03 10:58:37.104522827 +0200
+@@ -506,6 +506,7 @@
+ }
+ goto exit;
+ }
++ res = -1;
+ }
+ 
+ /* Reallocate the signature into one contiguous region. */
diff --git a/SOURCES/rpm-4.13.x-enable_noghost_option.patch b/SOURCES/rpm-4.13.x-enable_noghost_option.patch
new file mode 100644
index 0000000..5d1821f
--- /dev/null
+++ b/SOURCES/rpm-4.13.x-enable_noghost_option.patch
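Review bot: In audit_rpm_install (rpmte.c hunk @@ -904,6 +923,41 @@) the event is formatted into a fixed `char eventTxt[128]` and the snprintf return value is discarded, so a long NEVRA or root directory — both go through audit_encode_nv_string, which may hex-encode and lengthen them — silently truncates the record, and since root_dir is the last field it is the one most likely to be lost; compare the return value against sizeof(eventTxt), or size the buffer from the two encoded strings. Both audit_encode_nv_string results are also used as %s arguments and freed without a NULL check although libaudit documents a NULL return on error, so a guard such as `if (packageField == NULL || dirField == NULL) goto out;` with the free()/audit_close() calls under an `out:` label is needed; `strlen(dir)` likewise assumes rpmtsRootDir() never returns NULL, which the hunk cannot confirm. In configure.ac the library is searched only when `test "$with_audit" = auto`, so an explicit `--with-audit` leaves WITH_AUDIT_LIB empty while rpmte.c still calls audit_open() unconditionally, `--without-audit` does not remove those calls either, and the auto branch makes libaudit mandatory via AC_MSG_ERROR, which contradicts the "auto" default. Finally `audit_rpm_install(te, 0, auditGpgResult, failed ? 0 : 1);` hard-codes key_enforce=0, so the logged field never reflects real key enforcement; a comment on that line noting that enforcement is not wired through would stop readers of the audit trail from trusting it.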
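Review bot: The added `res = -1;` in rpmgensig.c follows a block that ends in `goto exit`, so it runs only on the path that did not jump, and nothing in the hunk shows where `res` is later set back to 0 on success — the enclosing function starts and ends outside the hunk, so please confirm the success path still clears it. A one-line comment on the new line, for example `/* assume failure until the rewritten package has been written out */` (adjusted to what the following code actually does), would make the intent of the sentinel visible to the next reader.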
@@ -0,0 +1,46 @@
+--- rpm-4.11.3/doc/rpm.8.old 2018-05-25 09:24:59.329885663 +0200
++++ rpm-4.11.3/doc/rpm.8 2018-05-25 09:25:19.598901802 +0200
+@@ -76,7 +76,7 @@
+ [\fB--nodigest\fR] [\fB--nosignature\fR]
+ [\fB--nolinkto\fR] [\fB--nofiledigest\fR] [\fB--nosize\fR] [\fB--nouser\fR]
+ [\fB--nogroup\fR] [\fB--nomtime\fR] [\fB--nomode\fR] [\fB--nordev\fR]
+- [\fB--nocaps\fR] [\fB--noconfig\fR]
++ [\fB--nocaps\fR] [\fB--noconfig\fR] [\fB--noghost\fR]
+ 
+ .SS "install-options"
+ .PP
+@@ -683,6 +683,9 @@
+ \fB--noconfig\fR
+ Don't verify config files.
+ .TP
++\fB--noghost\fR
++Don't display ghost files.
++.TP
+ \fB--noscripts\fR
+ Don't execute the \fB%verifyscript\fR scriptlet (if any).
+ .TP
+--- rpm-4.11.3/lib/poptQV.c.old 2018-05-10 12:29:26.716304826 +0200
++++ rpm-4.11.3/lib/poptQV.c 2018-05-11 14:08:36.389255974 +0200
+@@ -182,7 +182,7 @@
+ N_("list files in package"), NULL },
+ 
+ /* Duplicate file attr flags from packages into command line options. */
+- { "noghost", '\0', POPT_BIT_CLR|POPT_ARGFLAG_DOC_HIDDEN,
++ { "noghost", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN,
+ &rpmQVKArgs.qva_fflags, RPMFILE_GHOST,
+ N_("skip %%ghost files"), NULL },
+ { "noconfig", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN,
+--- rpm-4.11.3/lib/verify.c.old 2018-05-10 12:29:26.715304826 +0200
++++ rpm-4.11.3/lib/verify.c 2018-05-11 14:17:16.474959233 +0200
+@@ -453,6 +453,11 @@
+ rpmlog(RPMLOG_NOTICE, "%s\n", buf);
+ buf = _free(buf);
+ }
++
++ /* Filter out missing %ghost/%missingok errors from final result */
++ if (fileAttrs & (RPMFILE_MISSINGOK|RPMFILE_GHOST))
++ verifyResult &= ~RPMVERIFY_LSTATFAIL;
++
+ }
+ rpmfiFree(fi);
+ 
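Review bot: In verify.c (hunk @@ -453,6 +453,11 @@) RPMVERIFY_LSTATFAIL is cleared for %ghost/%missingok files only after the `rpmlog(RPMLOG_NOTICE, "%s\n", buf);` in the preceding block has already run, so if that block is the one printing the per-file result, the "missing" line is still shown while the failure is dropped from the return value; the enclosing loop starts outside the hunk, so whether that split is intended cannot be confirmed here, and either a comment saying so or moving the filter before the message is built would settle it. The user-visible wording is also inconsistent: rpm.8 now describes `--noghost` as "Don't display ghost files" while poptQV.c keeps "skip %%ghost files"; one wording for both places would avoid readers wondering which is right. The poptQV.c flip from POPT_BIT_CLR to POPT_BIT_SET makes the entry behave like the adjacent `noconfig` one, which is worth a short comment since the old value read as deliberate.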
@@ -0,0 +1,28 @@
+--- rpm-4.11.3/scripts/find-debuginfo.sh.old 2018-05-03 09:53:34.098654333 +0200
++++ rpm-4.11.3/scripts/find-debuginfo.sh 2018-05-03 13:35:32.092303548 +0200
+@@ -9,7 +9,7 @@
+ # [[-l filelist]... [-p 'pattern'] -o debuginfo.list]
+ # [builddir]
+ #
+-# The -g flag says to use strip -g instead of full strip on DSOs.
++# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+ # The --strict-build-id flag says to exit with failure status if
+ # any ELF binary processed fails to contain a build-id note.
+ # The -r flag says to use eu-strip --reloc-debug-sections.
+@@ -29,7 +29,7 @@
+ # All file names in switches are relative to builddir (. if not given).
+ #
+ 
+-# With -g arg, pass it to strip on libraries.
++# With -g arg, pass it to strip on libraries or executables.
+ strip_g=false
+ 
+ # with -r arg, pass --reloc-debug-sections to eu-strip.
+@@ -130,6 +130,7 @@
+ $strip_r && r=--reloc-debug-sections
+ $strip_g && case "$(file -bi "$2")" in
+ application/x-sharedlib*) g=-g ;;
++ application/x-executable*) g=-g ;;
+ esac
+ eu-strip --remove-comment $r $g -f "$1" "$2" || exit
+ chmod 444 "$1" || exit
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index b7518c8..19bad96 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -21,7 +21,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}32%{?dist}
+Release: %{?snapver:0.%{snapver}.}35%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2
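Review bot: The new `application/x-executable*) g=-g ;;` case in find-debuginfo.sh covers only non-PIE executables: newer releases of file(1) report position-independent executables as `application/x-pie-executable`, which neither pattern in this case statement matches, so on such systems PIE binaries would still get a full strip despite `-g`. Adding `application/x-pie-executable*) g=-g ;;` next to the new line closes that gap; on older file(1) builds that classify PIE as x-sharedlib the existing first pattern already applies. The enclosing function starts and ends outside the hunk.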
@@ -88,6 +88,10 @@ Patch185: rpm-4.13.x-Make-the-stftime-buffer-big-enuff.patch Patch186: rpm-4.11.x-skipattr.patch Patch187: rpm-4.13.x-Implement-noconfig-query.patch Patch188: rpm-4.11.x-weakdep-tags.patch +Patch189: rpm-4.12.x-rpmSign-return-value-correction.patch +Patch190: rpm-4.13.x-fix_find_debuginfo_opts_g.patch +Patch191: rpm-4.13.x-enable_noghost_option.patch +Patch192: rpm-4.11.x-provide-audit-events.patch # Filter soname dependencies by name Patch200: rpm-4.11.x-filter-soname-deps.patch @@ -179,6 +183,7 @@ BuildRequires: xz-devel >= 4.999.8 # Required for systemd-inhibit plugin BuildRequires: dbus-devel %endif +BuildRequires: audit-libs-devel # Only required by sepdebugcrcfix patch BuildRequires: binutils-devel @@ -356,6 +361,10 @@ Requires: rpm-libs%{_isa} = %{version}-%{release} %patch186 -p1 -b .skipattr %patch187 -p1 -b .noconfig-cli %patch188 -p1 -b .weakdep-tags +%patch189 -p1 -b .rpmsign-error +%patch190 -p1 -b .find_debuginfo_opts +%patch191 -p1 -b .noghost +%patch192 -p1 -b .audit-events %patch200 -p1 -b .filter-soname-deps %patch201 -p1 -b .dont-filter-ld64 @@ -618,6 +627,19 @@ exit 0 %doc COPYING doc/librpm/html/* %changelog +* Tue Jun 19 2018 Pavlina Moravcova Varekova - 4.11.3-35 +- Correct "root_dir" output in audit event (#1555326) + +* Fri May 25 2018 Pavlina Moravcova Varekova - 4.11.3-34 +- Adjust --noghost documentation (#1395818) +- Provide audit events on update verification (#1555326) + +* Thu May 10 2018 Pavlina Moravcova Varekova - 4.11.3-33 +- Repair of --noghost option implementation (#1395818) +- Backport fix rpmSign() return value in case of failure (#1419590) +- Backport passing _find_debuginfo_opts -g to eu-strip for executables + (#1540653) + * Mon Nov 13 2017 Panu Matilainen - 4.11.3-32 - Backport weak dependency tag definitions (#1508538)
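Review bot: The audit patch added as Patch192 modifies configure.ac and lib/Makefile.am, so the build only picks it up if configure and the Makefiles are regenerated (autoreconf) after %prep; nothing in these hunks shows that step and %build is outside them, so please confirm it runs, otherwise the new --with-audit check and the @WITH_AUDIT_LIB@ link line never take effect. The new `BuildRequires: audit-libs-devel` sits directly under an `%endif` without the explanatory comment its neighbours carry; a line such as `# Required for audit events (Patch192)` above it would keep the block consistent. Note that the patched configure.ac defaults `with_audit` to auto and aborts when libaudit is missing, so this BuildRequires is effectively mandatory rather than optional, which is worth stating in the changelog entry for 4.11.3-34.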