diff --git a/SOURCES/rhbz1212658.patch b/SOURCES/rhbz1212658.patch
new file mode 100644
index 0000000..0a72fc8
--- /dev/null
+++ b/SOURCES/rhbz1212658.patch
@@ -0,0 +1,120 @@
+commit 985408d2120252fc68bd8afd0e5425ccf1d75dda
+Author: Qiao Nuohan
+Date: Tue Apr 7 10:06:33 2015 -0500
+
+ Fix failure of signing modules on XFS.
+
+ * stap-serverd.cxx (mok_dir_valid_p): Call stat() if readdir() returns
+ 'DT_UNKNOWN'. Certain filesystems like XFS don't implement returning the
+ file type.
+
+diff --git a/stap-serverd.cxx b/stap-serverd.cxx
+index 40b3c39..de71f10 100644
+--- a/stap-serverd.cxx
++++ b/stap-serverd.cxx
+@@ -370,13 +370,28 @@ mok_dir_valid_p (string mok_fingerprint, bool verbose)
+ struct dirent *direntp;
+ while ((direntp = readdir (dirp)) != NULL)
+ {
+- if (! priv_found && direntp->d_type == DT_REG
++ bool reg_file = false;
++
++ if (direntp->d_type == DT_REG)
++ reg_file = true;
++ else if (direntp->d_type == DT_UNKNOWN)
++ {
++ struct stat tmpstat;
++
++ // If the filesystem doesn't support d_type, we'll have to
++ // call stat().
++ stat((mok_dir + "/" + direntp->d_name).c_str (), &tmpstat);
++ if (S_ISREG(tmpstat.st_mode))
++ reg_file = true;
++ }
++
++ if (! priv_found && reg_file
+ && strcmp (direntp->d_name, MOK_PRIVATE_CERT_NAME) == 0)
+ {
+ priv_found = true;
+ continue;
+ }
+- if (! cert_found && direntp->d_type == DT_REG
++ if (! cert_found && reg_file
+ && strcmp (direntp->d_name, MOK_PUBLIC_CERT_NAME) == 0)
+ {
+ cert_found = true;
+
+commit 112095a21f6c18424f7d1f9540d395778e8f79dd
+Author: Qiao Nuohan
+Date: Tue Apr 7 10:33:09 2015 -0500
+
+ Fix another d_type problem on XFS.
+
+ * stap-serverd.cxx (get_server_mok_fingerprints): Call stat() if readdir()
+ returns 'DT_UNKNOWN'. Certain filesystems like XFS don't implement
+ returning the file type.
+
+diff --git a/stap-serverd.cxx b/stap-serverd.cxx
+index de71f10..eeb32cf 100644
+--- a/stap-serverd.cxx
++++ b/stap-serverd.cxx
+@@ -473,7 +473,19 @@ get_server_mok_fingerprints(vector &mok_fingerprints, bool verbose,
+ {
+ // We're only interested in directories (of key files).
+ if (direntp->d_type != DT_DIR)
+- continue;
++ {
++ if (direntp->d_type == DT_UNKNOWN)
++ {
++ // If the filesystem doesn't support d_type, we'll have to
++ // call stat().
++ struct stat tmpstat;
++ stat((mok_path + "/" + direntp->d_name).c_str (), &tmpstat);
++ if (!S_ISDIR(tmpstat.st_mode))
++ continue;
++ }
++ else
++ continue;
++ }
+
+ // We've got a directory. If the directory name isn't in the right
+ // format for a MOK fingerprint, skip it.
+commit ed64d10fb7def700729cf553c8463f0882f1134a
+Author: David Smith
+Date: Thu Apr 30 12:56:12 2015 -0500
+
+ Fix PR18361 by supporting RHEL7's 'securelevel' feature.
+
+ * session.cxx (modules_must_be_signed): Check the
+ '/sys/kernel/security/securelevel' file for the value '1'. If so,
+ modules must be signed.
+
+diff --git a/session.cxx b/session.cxx
+index 3753445..0475d29 100644
+--- a/session.cxx
++++ b/session.cxx
+@@ -2441,16 +2441,24 @@ systemtap_session::parse_stap_color(const std::string& type)
+ * This routine parses /sys/module/module/parameters/sig_enforce to
+ * figure out if signatures are enforced on modules. Note that if the
+ * file doesn't exist, we don't really care and return false.
++ *
++ * On certain kernels (RHEL7), we also have to check
++ * /sys/kernel/security/securelevel.
+ */
+ bool
+ systemtap_session::modules_must_be_signed()
+ {
+ ifstream statm("/sys/module/module/parameters/sig_enforce");
++ ifstream securelevel("/sys/kernel/security/securelevel");
+ char status = 'N';
+
+ statm >> status;
+ if (status == 'Y')
+ return true;
++
++ securelevel >> status;
++ if (status == '1')
++ return true;
+ return false;
+ }
+
diff --git a/SPECS/systemtap.spec b/SPECS/systemtap.spec
index 50eb89e..b789d05 100644
--- a/SPECS/systemtap.spec
+++ b/SPECS/systemtap.spec
@@ -64,7 +64,7 @@ Name: systemtap Version: 2.6 -Release: 8%{?dist} +Release: 10%{?dist} # for version, see also configure.ac #Patch1: reserved for elfutils (see below)
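Review bot: In the `DT_UNKNOWN` branch added to `mok_dir_valid_p` (stap-serverd.cxx), the return value of `stat()` is ignored, so when the call fails (entry removed between `readdir()` and `stat()`, permission error) `S_ISREG(tmpstat.st_mode)` reads an uninitialised struct and the MOK key-file check is decided by whatever was on the stack. Test the result in the condition, e.g. `if (stat((mok_dir + "/" + direntp->d_name).c_str (), &tmpstat) == 0 && S_ISREG(tmpstat.st_mode))`; the same applies to the `S_ISDIR` test added in `get_server_mok_fingerprints`, where a failed `stat()` should `continue`. Note also that `stat()` follows symbolic links while the `d_type == DT_REG` / `DT_DIR` comparisons do not, so on a filesystem that reports `DT_UNKNOWN` a symlink with the expected name is now accepted where it would otherwise be skipped; `lstat()` would keep both paths equivalent. Both function bodies extend beyond the quoted hunks, so how the accepted entries are used afterwards is not visible here.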
@@ -76,6 +76,7 @@ Patch6: rhbz1119335.patch Patch7: rhbz1127591.patch Patch8: rhbz1167652.patch Patch9: rhbz1171823.patch +Patch10: rhbz1212658.patch # Packaging abstract: @@ -414,6 +415,7 @@ cd .. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build @@ -1045,6 +1047,12 @@ done # http://sourceware.org/systemtap/wiki/SystemTapReleases %changelog +* Thu Apr 30 2015 Frank Ch. Eigler - 2.6-10 +- append upstream PR18361 to xfs & signing patch, to catch up with kernel change + +* Tue Apr 28 2015 Frank Ch. Eigler - 2.6-9 +- rhbz1216230=rhbz1212658 (xfs & signing) + * Wed Dec 10 2014 Frank Ch. Eigler - 2.6-8 - rhbz1171823 (nfsd svc_fh access)