diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 2edefd8e724..9ffbd881b18 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -11,6 +11,7 @@ Feel free to delete sections of the template which do not apply to your PR, or a
 - [ ] Any updated packages successfully build (or no packages were changed)
 - [ ] All package sources are available
 - [ ] cgmanifest files are up-to-date and sorted (`./cgmanifest.json`, `./toolkit/tools/cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`)
+- [ ] LICENSE-MAP files are up-to-date (`./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md`, `./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON`)
 - [ ] All source files have up-to-date hashes in the `*.signatures.json` files
 - [ ] `sudo make go-tidy-all` and `sudo make go-test-coverage` pass
 - [ ] Documentation has been updated to match any changes to the build system
@@ -45,4 +46,4 @@ NO
 ###### Test Methodology
-- Pipeline build id: xxxx
\ No newline at end of file
+- Pipeline build id: xxxx
diff --git a/.github/workflows/quickstart.yml b/.github/workflows/quickstart.yml
new file mode 100644
index 00000000000..33643c2bd07
--- /dev/null
+++ b/.github/workflows/quickstart.yml
@@ -0,0 +1,80 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# Workflow to automatedly verify the quickstart instructions
+
+name: Verify Quickstart
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 15 * * *"
+
+jobs:
+ iso_quickstart:
+ runs-on: ubuntu-18.04
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2.3.2
+ with:
+ ref: '1.0-stable'
+
+ - name: Set up Go 1.13
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.13
+ id: go
+
+ - name: Install Remaining Prerequisites
+ run: |
+ # Golang and docker are already installed on the agent
+ sudo apt-get update
+ sudo apt -y install make tar wget curl rpm qemu-utils genisoimage pigz
+
+ - name: Configure the Environment
+ run: |
+ pushd toolkit
+ sudo make go-tools REBUILD_TOOLS=y
+ sudo make input-srpms DOWNLOAD_SRPMS=y
+ popd
+
+ - name: ISO Quick Start
+ run: |
+ pushd toolkit
+ sudo make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n
+ popd
+
+ vhdx_quickstart:
+ runs-on: ubuntu-18.04
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2.3.2
+ with:
+ ref: '1.0-stable'
+
+ - name: Set up Go 1.13
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.13
+ id: go
+
+ - name: Install Remaining Prerequisites
+ run: |
+ # Golang and docker are already installed on the agent
+ sudo apt-get update
+ sudo apt -y install make tar wget curl rpm qemu-utils genisoimage pigz
+
+ - name: Configure Environment
+ run: |
+ pushd toolkit
+ sudo make go-tools REBUILD_TOOLS=y
+ sudo make input-srpms DOWNLOAD_SRPMS=y
+ popd
+
+ - name: VHDX Quick Start
+ run: |
+ pushd toolkit
+ sudo make image REBUILD_TOOLS=y REBUILD_PACKAGES=n
+ popd
diff --git a/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec b/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec
index 4f080461af8..b5863ca549a 100644
--- a/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec
+++ b/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec
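Review bot: Both jobs reference third-party actions by mutable tag (`uses: actions/checkout@v2.3.2`, `uses: actions/setup-go@v2`) and the workflow declares no `permissions:` block, so a scheduled run executes `sudo make ...` with whatever default token scope the repository grants. Pinning each `uses:` to a full commit SHA (keeping the tag in a trailing comment) and adding a top-level `permissions:` with `contents: read` bounds what a retagged or compromised action could do with the job's GITHUB_TOKEN. The two jobs also repeat the checkout, Go setup, prerequisite install and configure steps verbatim; a `strategy.matrix` over the final make target, or one job running both targets, would keep them from drifting apart. The `id: go` on the setup-go step is never referenced and can be dropped.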
@@ -2,7 +2,7 @@
 Summary: Signed Linux Kernel for aarch64 systems
 Name: kernel-signed-aarch64
 Version: 5.4.51
-Release: 5%{?dist}
+Release: 11%{?dist}
 License: GPLv2
 URL: https://github.com/microsoft/WSL2-Linux-Kernel
 Group: System Environment/Kernel
@@ -67,7 +67,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %postun
 if [ ! -e /boot/mariner.cfg ]
 then
- if [ `ls /boot/linux-*.cfg 1> /dev/null 2>&1` ]
+ ls /boot/linux-*.cfg 1> /dev/null 2>&1
+ if [ $? -eq 0 ]
 then
 list=`ls -tu /boot/linux-*.cfg | head -n1`
 test -n "$list" && ln -sf "$list" /boot/mariner.cfg
@@ -84,6 +85,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
 %changelog
+* Fri Oct 16 2020 Suresh Babu Chalamalasetty 5.4.51-11
+- Update release number
+* Fri Oct 02 2020 Chris Co 5.4.51-10
+- Update release number to match kernel spec
+* Fri Oct 02 2020 Chris Co 5.4.51-9
+- Update release number
+* Wed Sep 30 2020 Emre Girgin 5.4.51-8
+- Update postun script to deal with removal in case of another installed kernel.
+* Fri Sep 25 2020 Suresh Babu Chalamalasetty 5.4.51-7
+- Update release number
+* Wed Sep 23 2020 Daniel McIlvaney 5.4.51-6
+- Update release number
 * Thu Sep 03 2020 Daniel McIlvaney 5.4.51-5
 - Update release number
 * Thu Sep 03 2020 Chris Co 5.4.51-4
@@ -97,4 +110,4 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 * Wed Aug 19 2020 Chris Co 5.4.42-12
 - Update release number
 * Tue Aug 18 2020 Chris Co 5.4.42-11
-- Original version for CBL-Mariner.
\ No newline at end of file
+- Original version for CBL-Mariner.
diff --git a/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec b/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec
index baf4943e668..d5aa308a4af 100644
--- a/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec
+++ b/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec
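Review bot: The new `%postun` test in the second hunk runs `ls` as its own statement and then inspects `$?`, which is fragile (any statement later inserted between the two lines silently changes what `$?` refers to) and is exactly what the direct form avoids: `if ls /boot/linux-*.cfg >/dev/null 2>&1` followed by `then` tests the command status itself. The identical two lines appear in the `kernel-signed-x64.spec` hunk below and should get the same treatment. Choosing the replacement config with `ls -tu` (a context line here) keys on access time, which may not be refreshed on `noatime`/`relatime` mounts, so the link may not land on the most recently installed kernel; `ls -t` looks closer to the intent, though that predates this change. The `if` opened in the hunk is closed outside it.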
@@ -2,7 +2,7 @@
 Summary: Signed Linux Kernel for x86_64 systems
 Name: kernel-signed-x64
 Version: 5.4.51
-Release: 5%{?dist}
+Release: 11%{?dist}
 License: GPLv2
 URL: https://github.com/microsoft/WSL2-Linux-Kernel
 Group: System Environment/Kernel
@@ -67,7 +67,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %postun
 if [ ! -e /boot/mariner.cfg ]
 then
- if [ `ls /boot/linux-*.cfg 1> /dev/null 2>&1` ]
+ ls /boot/linux-*.cfg 1> /dev/null 2>&1
+ if [ $? -eq 0 ]
 then
 list=`ls -tu /boot/linux-*.cfg | head -n1`
 test -n "$list" && ln -sf "$list" /boot/mariner.cfg
@@ -84,6 +85,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
 %changelog
+* Fri Oct 16 2020 Suresh Babu Chalamalasetty 5.4.51-11
+- Update release number
+* Fri Oct 02 2020 Chris Co 5.4.51-10
+- Update release number to match kernel spec
+* Fri Oct 02 2020 Chris Co 5.4.51-9
+- Update release number
+* Wed Sep 30 2020 Emre Girgin 5.4.51-8
+- Update postun script to deal with removal in case of another installed kernel.
+* Fri Sep 25 2020 Suresh Babu Chalamalasetty 5.4.51-7
+- Update release number
+* Wed Sep 23 2020 Daniel McIlvaney 5.4.51-6
+- Update release number
 * Thu Sep 03 2020 Daniel McIlvaney 5.4.51-5
 - Update release number
 * Thu Sep 03 2020 Chris Co 5.4.51-4
@@ -97,4 +110,4 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 * Wed Aug 19 2020 Chris Co 5.4.42-12
 - Update release number
 * Tue Aug 18 2020 Chris Co 5.4.42-11
-- Original version for CBL-Mariner.
\ No newline at end of file
+- Original version for CBL-Mariner.
diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
index 0e5e3101d31..b3e19e5f7c2 100644
--- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
+++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
@@ -2,9 +2,8 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic | Origin | License | SPECS | |-----------|-----------------------------------|------------| -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | atf
attr
autoconf213
brotli
byacc
calamares
catch
cpprest
cryptsetup
CUnit
Cython
dnf
dpdk
dwz
docbook5-schemas
dos2unix
ebtables
extra-cmake-modules
gnu-efi
hardening-check
ipmitool
kde-settings
kexec-tools
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore-3.3.0
kyua
leveldb
libatasmart
libburn
libcgroup
libcomps
libdnf
libisoburn
libisofs
libpwquality
libstoragemgmt
lua
lutok
mailcap
mokutil
mozjs60
oath-toolkit
open-vm-tools
openssl
p11-kit
perl
perl-Archive-Zip
perl-Compress-Bzip2
python-google-auth
python-kubernetes
python-pywbem
pkgconf
qt5-qtbase
qt5-qtdeclarative
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
rdma-core
sgml-common
squashfs-tools
websocketpp
words
xmlstarlet
yaml-cpp
yasm
| -| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | azure-iot-sdk-c
azure-iotedge
cloud-hypervisor
dtc
freefont
go-md2man
GSL
libiothsm-std
libuv
lsb-release
mariner-release
mariner-repos
mariner-rpm-macros
pcre2
perl-Test-Warnings
python-cacheutils
python-cherrypy
python-execnet
python-jwt
python-logutils
python-nocasedict
python-pecan
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-yamlloader
shim-unsigned-x64
swupdate
vala
zstd
| +| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | CUnit
Cython
atf
attr
autoconf213
babeltrace2
brotli
byacc
calamares
catch
cpprest
cryptsetup
dnf
dpdk
docbook5-schemas
dos2unix
dwz
ebtables
extra-cmake-modules
gnu-efi
hardening-check
ipmitool
kde-settings
kexec-tools
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore-3.3.0
kyua
leveldb
libatasmart
libburn
libcgroup
libcomps
libdnf
libisoburn
libisofs
libpwquality
libstoragemgmt
lua
lutok
mailcap
mokutil
mozjs60
oath-toolkit
open-vm-tools
openssl
p11-kit
perl
perl-Archive-Zip
perl-Compress-Bzip2
pkgconf
python-google-auth
python-kubernetes
python-pywbem
qt5-qtbase
qt5-qtdeclarative
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
rdma-core
sgml-common
squashfs-tools
websocketpp
words
xmlstarlet
yaml-cpp
yasm
zipper | +| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | GSL
auoms
azure-iot-sdk-c
azure-iotedge
azure-storage-cpp
bond
ccache
clamav
cloud-hypervisor
dtc
fluent-bit
freefont
gflags
go-md2man
ivykis
jsonbuilder
libiothsm-std
libuv
libxml++
lsb-release
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
mm-common
msgpack
nlohmann-json
omi
pcre2
perl-Test-Warnings
python-cacheutils
python-cherrypy
python-execnet
python-jwt
python-logutils
python-nocasedict
python-pecan
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-yamlloader
rocksdb
shim-unsigned-x64
span-lite
swupdate
tinyxml2
toml11
tracelogging
vala
zstd | | OpenMamba | [Openmamba](https://openmamba.org/en/) | bash-completion
| | Package Source | [LGPLv2 License](LICENSE-LGPLv2.md) | ceph
| -| Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-lib
alsa-utils
ansible
ant
ant-contrib
apparmor
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
bridge-utils
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
ca-certificates
cairo
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni
core-packages
coreutils
cpio
cppunit
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
ctags
curl
cyrus-sasl
dbus
dbus-glib
dejagnu
device-mapper-multipath
dhcp
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dotnet-runtime-3.1
dotnet-sdk-3.1
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
erlang
etcd
ethtool
expat
expect
fcgi
file
filesystem
findutils
finger
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
glib
glib-networking
glibc
glibmm24
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
grub2-efi-binary-signed-aarch64
grub2-efi-binary-signed-x64
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
ipmitool
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jna
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-headers
kernel-hyperv
kernel-signed-aarch64
kernel-signed-x64
kexec-tools
keyutils
kmod
krb5
kubernetes
lapack
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libev
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgsystem
libgudev
libjpeg-turbo
libksba
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++20
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lua
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
mariadb
maven
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs
nodejs
npth
nspr
nss
nss-altfiles
ntp
numactl
numpy
nvme-cli
oniguruma
openipmi
openjdk8
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
pcre
perl
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
pixman
pkg-config
polkit
popt
postgresql
powershell
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pygobject3
pyOpenSSL
PyPAM
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-backports-ssl_match_hostname
python-bcrypt
python-boto3
python-botocore
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-enum34
python-futures
python-gevent
python-greenlet
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-ipaddress
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-m2r
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-pip
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-Pygments
python-PyNaCl
python-pyvmomi
python-requests
python-setuptools
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx
python-sphinx-theme-alabaster
python-sqlalchemy
python-Twisted
python-typing
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-interface
python2
python3
pytz
PyYAML
readline
redis
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rubygem-bundler
rust
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
strongswan
subversion
sudo
swig
syslinux
sysstat
systemd
systemd
systemtap
tar
tboot
tcl
tcpdump
tcp_wrappers
tcsh
tdnf
texinfo
tmux
tpm2-abrmd
tpm2-tools
tpm2-tss
traceroute
tree
trousers
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
wget
which
wpa_supplicant
xerces-c
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh
| - +| Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | ModemManager
PyPAM
PyYAML
WALinuxAgent
acl
alsa-lib
alsa-utils
ansible
ant
ant-contrib
apparmor
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
bridge-utils
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
ca-certificates
cairo
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni
core-packages
coreutils
cpio
cppunit
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
ctags
curl
cyrus-sasl
cython
dbus
dbus-glib
dejagnu
device-mapper-multipath
dhcp
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dotnet-runtime-3.1
dotnet-sdk-3.1
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
erlang
etcd
ethtool
expat
expect
fcgi
file
filesystem
findutils
finger
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
glib
glib-networking
glibc
glibmm24
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
grub2-efi-binary-signed-aarch64
grub2-efi-binary-signed-x64
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
ipmitool
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jna
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-headers
kernel-hyperv
kernel-signed-aarch64
kernel-signed-x64
kexec-tools
keyutils
kmod
krb5
kubernetes
lapack
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libev
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgsystem
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++20
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
mariadb
maven
mc
mercurial
meson
mlocate
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs
npth
nspr
nss
nss-altfiles
ntp
numactl
numpy
nvme-cli
oniguruma
openipmi
openjdk8
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
pcre
perl
perl-CGI
perl-Canary-Stability
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
perl-common-sense
perl-libintl-perl
pgbouncer
pinentry
pixman
polkit
popt
postgresql
powershell
procps-ng
protobuf
protobuf-c
psmisc
pth
pyOpenSSL
pyasn1-modules
pygobject3
pyparsing
pytest
python-PyNaCl
python-Pygments
python-Twisted
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-backports-ssl_match_hostname
python-bcrypt
python-boto3
python-botocore
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-enum34
python-futures
python-gevent
python-greenlet
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-ipaddress
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-m2r
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-pip
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-pyvmomi
python-requests
python-setuptools
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx
python-sphinx-theme-alabaster
python-sqlalchemy
python-typing
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-interface
python2
python3
pytz
rapidjson
readline
redis
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rubygem-bundler
rust
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
strongswan
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd
systemtap
tar
tboot
tcl
tcp_wrappers
tcpdump
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-tools
tpm2-tss
traceroute
tree
trousers
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
wget
which
wpa_supplicant
xerces-c
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh |
diff --git a/SPECS/ant/ant.signatures.json b/SPECS/ant/ant.signatures.json
index 8fe76e59648..a13edf9c719 100644
--- a/SPECS/ant/ant.signatures.json
+++ b/SPECS/ant/ant.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "apache-ant-1.10.8-src.tar.gz": "53d06ed062297366569fe563b77e8187973be1383749181938b597177514d318",
+ "apache-ant-1.10.9-src.tar.gz": "3f00fe29988ff1af83cb100089bfcbaf5d3e533d42fba3ea4861a982c920e874",
 "hamcrest-1.3.tgz": "c6428e40d069fff3f99780efaae96c35ebdbf7cbfd475504254ebffcc19620c2",
 "maven-ant-tasks-2.1.3.tar.gz": "ae5b6548dbb3f0d71865e1be9bffd13ca7bb65a3cb5d89eaee97ea7e70e1f0ba"
 }
diff --git a/SPECS/ant/ant.spec b/SPECS/ant/ant.spec
index 415b6a33dc9..3b4a610fb78 100644
--- a/SPECS/ant/ant.spec
+++ b/SPECS/ant/ant.spec
@@ -1,6 +1,6 @@
 Summary: Apache Ant
 Name: ant
-Version: 1.10.8
+Version: 1.10.9
 Release: 1%{?dist}
 License: ASL 2.0 and BSD and W3C
 URL: https://ant.apache.org
@@ -118,6 +118,8 @@ bootstrap/bin/ant -v run-tests
 %{_bindir}/runant.pl
 %changelog
+* Wed Oct 21 2020 Henry Li - 1.10.9-1
+- Updated to version 1.10.9 to resolve CVE-2020-11979
 * Thu May 21 2020 Ruying Chen - 1.10.8-1
 - Updated to version 1.10.8 to resolve CVE-2020-1945
 * Sat May 09 00:21:39 PST 2020 Nick Samson - 1.10.5-8
diff --git a/SPECS/apparmor/CVE-2016-1585.nopatch b/SPECS/apparmor/CVE-2016-1585.nopatch
new file mode 100644
index 00000000000..d389065dce6
--- /dev/null
+++ b/SPECS/apparmor/CVE-2016-1585.nopatch
@@ -0,0 +1 @@
+# CVE-2016-1585 has no upstream fix.
\ No newline at end of file
diff --git a/SPECS/apparmor/apparmor.spec b/SPECS/apparmor/apparmor.spec
index 324545ca2f4..9a138a11fcb 100644
--- a/SPECS/apparmor/apparmor.spec
+++ b/SPECS/apparmor/apparmor.spec
@@ -1,15 +1,16 @@
 %{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
 Name: apparmor
 Version: 2.13
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: AppArmor is an effective and easy-to-use Linux application security system.
 License: GNU LGPL v2.1
 URL: https://launchpad.net/apparmor
 Source0: https://launchpad.net/apparmor/2.13/2.13.0/+download/%{name}-%{version}.tar.gz
-%define sha1 apparmor=54202cafce24911c45141d66e2d1e037e8aa5746
 Patch0: apparmor-set-profiles-complain-mode.patch
 Patch1: apparmor-service-start-fix.patch
 Patch2: apparmor-fix-make-check.patch
+# CVE-2016-1585 has no upstream fix as of 2020/09/28
+Patch100: CVE-2016-1585.nopatch
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: Productivity/Security
@@ -354,9 +355,10 @@ make DESTDIR=%{buildroot} install
 %exclude %{perl_archlib}/perllocal.pod
 %changelog
-* Sat May 09 00:20:37 PST 2020 Nick Samson - 2.13-10
-- Added %%license line automatically
-
+* Mon Sep 28 2020 Daniel McIlvaney 2.13-11
+- Nopatch CVE-2016-1585
+* Sat May 09 2020 Nick Samson 2.13-10
+- Added %%license line automatically
 * Tue Apr 28 2020 Emre Girgin 2.13-9
 - Renaming Linux-PAM to pam
 * Tue Sep 03 2019 Mateusz Malisz 2.13-8
diff --git a/SPECS/auoms/auoms.patch b/SPECS/auoms/auoms.patch
new file mode 100644
index 00000000000..837997de4a5
--- /dev/null
+++ b/SPECS/auoms/auoms.patch
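Review bot: The first hunk drops `%define sha1 apparmor=54202cafce24911c45141d66e2d1e037e8aa5746` while nothing in this diff takes over the source-tarball checksum; if the hash now lives in `apparmor.signatures.json` (the convention the PR template checklist refers to), that file is not part of this change as shown, so please confirm the `Source0` download is still pinned somewhere before the define goes. `Patch100: CVE-2016-1585.nopatch` names a file that is a one-line comment rather than a patch; presumably the prep stage never applies it and it exists only for CVE tooling, but a comment next to the tag saying so, e.g. `# Patch100 is a CVE-scanner marker only; it is never applied.`, would save the next reader from checking. The prep section itself is outside the hunk.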
@@ -0,0 +1,480 @@ +diff --git a/build/Makefile b/build/Makefile +--- a/build/Makefile 2020-07-14 13:50:43.000000000 -0700 ++++ b/build/Makefile 2020-10-15 11:48:50.361506677 -0700 +@@ -24,8 +24,8 @@ + $(error "ENABLE_DEBUG is not set. Please re-run configure") + endif + +-INTERMEDIATE_DIR=$(BASE_DIR)/intermediate/$(BUILD_CONFIGURATION) +-TARGET_DIR := $(BASE_DIR)/target/$(BUILD_CONFIGURATION) ++INTERMEDIATE_DIR=$(BASE_DIR)/intermediate ++TARGET_DIR := $(BASE_DIR)/target + BUILD_DIR=$(INTERMEDIATE_DIR)/builddir + RELEASE_DIR=$(BUILD_DIR)/release + AUOMS_BIN=$(RELEASE_DIR)/bin/auoms +@@ -78,7 +78,7 @@ + + #-------------------------------------------------------------------------------- + # Build targets +-.PHONY: all clean distclean clean-status kit ++.PHONY: all clean distclean clean-status packages kit + .PHONY: tests test + + all : $(AUOMS_BIN) sepolicy kit +@@ -89,7 +89,7 @@ + + clean-kit : + $(RMDIR) $(BASE_DIR)/target +- $(RMDIR) $(INTERMEDIATE_DIR)/*.{tar,rpm,deb} ++ $(RMDIR) $(INTERMEDIATE_DIR)/*.{tar,rpm} + + distclean : clean + -$(RM) $(BASE_DIR)/build/Makefile.version +@@ -131,7 +131,9 @@ + @echo "========================= Building selinux policy module" + $(MKPATH) $(SEPOLICY_DIR) + $(COPY) $(SEPOLICY_SRC_DIR)/auoms.te $(SEPOLICY_SRC_DIR)/auoms.fc $(SEPOLICY_DIR) +- cd $(SEPOLICY_DIR); make -f /usr/share/selinux/devel/Makefile ++ # Will revert this change once SeLinux is supported in Mariner ++ # cd $(SEPOLICY_DIR); make -f /usr/share/selinux/devel/Makefile ++ touch $(SEPOLICY_DIR)/auoms.pp + else + $(SEPOLICY_DIR)/auoms.pp : $(SEPOLICY_SRC_DIR)/auoms.te $(SEPOLICY_SRC_DIR)/auoms.fc + @echo "========================= Building selinux policy module" +@@ -182,21 +184,28 @@ + # While the "formal build" only builds ULINUX, we may build something else for DEV purposes. + # Assume we ALWAYS build RPM, but only build DPKG if --enable-ulinux is specified in configure. 
+ ++$(TARGET_DIR): ++ mkdir -p $(TARGET_DIR) ++ + ifeq ($(ULINUX),1) + + ifeq ($(CMAKE_BUILD_TYPE),RelWithDebInfo) +-kit : $(TARGET_DIR)/auoms-bundle-test.sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb ++ ++packages: $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm ++ ++kit : $(TARGET_DIR)/auoms-bundle-test.sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm + + $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm : $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm + $(COPY) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm + +-$(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb : $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb +- $(COPY) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb +- + else ++packages: $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb + kit : $(TARGET_DIR)/auoms-bundle-test.sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh + endif + ++$(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm : $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm ++ $(COPY) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm ++ + $(TARGET_DIR)/auoms-bundle-test.sh : $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh + $(COPY) ../installer/bundle/auoms-bundle-test.sh $(TARGET_DIR)/auoms-bundle-test.sh + +@@ -205,13 +214,12 @@ + $(MKPATH) $(TARGET_DIR) + ../installer/bundle/create_bundle.sh $(TARGET_DIR) $(INTERMEDIATE_DIR) $(OUTPUT_PACKAGE_PREFIX).tar + +-$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).tar : \ +- $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).deb ++$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).tar : packages + + @echo 
"========================= Performing Building .tar file" + + # Build the tar file containing both .rpm and .deb packages +- cd $(INTERMEDIATE_DIR); tar cvf $(OUTPUT_PACKAGE_PREFIX).tar $(OUTPUT_PACKAGE_PREFIX).{deb,rpm} ++ cd $(INTERMEDIATE_DIR); tar cvf $(OUTPUT_PACKAGE_PREFIX).tar $(OUTPUT_PACKAGE_PREFIX).rpm + + $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm: $(AUOMS_BIN) sepolicy + @echo "========================= Performing Building RPM package" +@@ -237,32 +245,6 @@ + $(INSTALLER_DATAFILES_RPM) + sudo $(RMDIR) $(STAGING_DIR) + +-$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).deb: $(AUOMS_BIN) sepolicy +- @echo "========================= Performing Building DEB package" +- $(MKPATH) $(INSTALLER_TMPDIR) +- +- sudo $(RMDIR) $(STAGING_DIR) +- sudo python $(PAL_DIR)/installer/InstallBuilder/installbuilder.py \ +- --BASE_DIR=$(BASE_DIR) \ +- --TARGET_DIR=$(INTERMEDIATE_DIR) \ +- --INTERMEDIATE_DIR=$(INSTALLER_TMPDIR) \ +- --STAGING_DIR=$(STAGING_DIR) \ +- --BUILD_TYPE=$(BUILD_TYPE) \ +- --BUILD_CONFIGURATION=$(BUILD_CONFIGURATION) \ +- --PFARCH=$(PF_ARCH) \ +- --PFDISTRO=$(PF_DISTRO) \ +- --PFMAJOR=$(PF_MAJOR) \ +- --PFMINOR=$(PF_MINOR) \ +- --VERSION=$(AUOMS_BUILDVERSION_MAJOR).$(AUOMS_BUILDVERSION_MINOR).$(AUOMS_BUILDVERSION_PATCH) \ +- --RELEASE=$(AUOMS_BUILDVERSION_BUILDNR) \ +- --VERSION_IDENT="$(AUOMS_BUILDVERSION_DATE) $(AUOMS_BUILDVERSION_STATUS)" \ +- $(DPKG_LOCATION) \ +- --DATAFILE_PATH=$(BASE_DIR)/installer/datafiles \ +- --OUTPUTFILE=$(OUTPUT_PACKAGE_PREFIX) \ +- $(INSTALLER_DATAFILES_DPKG) +- sudo chown --reference=$(BASE_DIR) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).deb +- sudo $(RMDIR) $(STAGING_DIR) +- + ifeq ($(CMAKE_BUILD_TYPE),RelWithDebInfo) + $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm: $(AUOMS_BIN).debug + @echo "========================= Performing Building RPM package" +@@ -288,39 +270,16 @@ + $(INSTALLER_DATAFILES_RPM) + sudo $(RMDIR) $(STAGING_DIR) + +-$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb: 
$(AUOMS_BIN).debug +- @echo "========================= Performing Building DEB package" +- $(MKPATH) $(INSTALLER_TMPDIR) +- +- sudo $(RMDIR) $(STAGING_DIR) +- sudo python $(PAL_DIR)/installer/InstallBuilder/installbuilder.py \ +- --BASE_DIR=$(BASE_DIR) \ +- --TARGET_DIR=$(INTERMEDIATE_DIR) \ +- --INTERMEDIATE_DIR=$(INSTALLER_TMPDIR) \ +- --STAGING_DIR=$(STAGING_DIR) \ +- --BUILD_TYPE=$(BUILD_TYPE) \ +- --BUILD_CONFIGURATION=$(BUILD_CONFIGURATION) \ +- --PFARCH=$(PF_ARCH) \ +- --PFDISTRO=$(PF_DISTRO) \ +- --PFMAJOR=$(PF_MAJOR) \ +- --PFMINOR=$(PF_MINOR) \ +- --VERSION=$(AUOMS_BUILDVERSION_MAJOR).$(AUOMS_BUILDVERSION_MINOR).$(AUOMS_BUILDVERSION_PATCH) \ +- --RELEASE=$(AUOMS_BUILDVERSION_BUILDNR) \ +- --VERSION_IDENT="$(AUOMS_BUILDVERSION_DATE) $(AUOMS_BUILDVERSION_STATUS)" \ +- $(DPKG_LOCATION) \ +- --DATAFILE_PATH=$(BASE_DIR)/installer/datafiles-debug \ +- --OUTPUTFILE=$(OUTPUT_PACKAGE_PREFIX_DEBUG) \ +- $(INSTALLER_DATAFILES_DPKG) +- sudo chown --reference=$(BASE_DIR) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb +- sudo $(RMDIR) $(STAGING_DIR) + endif + + else + + ifeq ($(CMAKE_BUILD_TYPE),RelWithDebInfo) +-kit : $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb ++packages : $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm ++kit: packages + else +-kit : $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX) ++packages : $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX) ++kit: packages + endif + + $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX) : $(AUOMS_BIN) sepolicy +diff --git a/CollectionMonitor.cpp b/CollectionMonitor.cpp +--- a/CollectionMonitor.cpp 2020-07-14 13:50:43.000000000 -0700 ++++ b/CollectionMonitor.cpp 2020-10-15 14:43:21.914099396 -0700 +@@ -207,15 +207,15 @@ + _builder.CancelEvent(); + return; + } +- if 
(_builder.AddField("pid", std::to_string(pid), nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder.AddField("pid", std::to_string(pid), "", field_type_t::UNCLASSIFIED) != 1) { + _builder.CancelEvent(); + return; + } +- if(_builder.AddField("ppid", std::to_string(ppid), nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if(_builder.AddField("ppid", std::to_string(ppid), "", field_type_t::UNCLASSIFIED) != 1) { + _builder.CancelEvent(); + return; + } +- if(_builder.AddField("exe", exe, nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if(_builder.AddField("exe", exe, "", field_type_t::UNCLASSIFIED) != 1) { + _builder.CancelEvent(); + return; + } +diff --git a/Event.cpp b/Event.cpp +--- a/Event.cpp 2020-07-14 13:50:43.000000000 -0700 ++++ b/Event.cpp 2020-10-15 14:44:10.713610363 -0700 +@@ -421,7 +421,7 @@ + size_t name_size = strlen(field_name); + size_t raw_size = strlen(raw_value); + std::string_view interp; +- if (interp_value != nullptr) { ++ if (interp_value != nullptr && strlen(interp_value) != 0) { + interp = std::string_view(interp_value, strlen(interp_value)); + } + +diff --git a/EventTests.cpp b/EventTests.cpp +--- a/EventTests.cpp 2020-07-14 13:50:43.000000000 -0700 ++++ b/EventTests.cpp 2020-10-15 14:44:51.257204228 -0700 +@@ -63,7 +63,7 @@ + if (ret != 1) { + BOOST_FAIL("BeginRecord failed: " + std::to_string(ret)); + } +- ret = builder.AddField("field1", "raw1", nullptr, field_type_t::UNCLASSIFIED); ++ ret = builder.AddField("field1", "raw1", "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + BOOST_FAIL("AddField failed: " + std::to_string(ret)); + } +diff --git a/installer/bundle/create_bundle.sh b/installer/bundle/create_bundle.sh +--- a/installer/bundle/create_bundle.sh 2020-07-14 13:50:43.000000000 -0700 ++++ b/installer/bundle/create_bundle.sh 2020-10-15 11:52:05.299985451 -0700 +@@ -115,27 +115,6 @@ + # Fetch the bundle skeleton file + cp $SOURCE_DIR/$BUNDLE_FILE . 
+ +-# See if we can resolve git references for output +-# (See if we can find the master project) +-TEMP_FILE=/tmp/create_bundle.$$ +- +-# Get the git reference hashes in a file +-( +-cd $SOURCE_DIR/../.. +-echo "Entering 'OMS-Auditd-Plugin'" > $TEMP_FILE +-git rev-parse HEAD >> $TEMP_FILE +-cd ../pal +-echo "Entering 'pal'" >> $TEMP_FILE +-git rev-parse HEAD >> $TEMP_FILE +-) +- +-# Change lines like: "Entering 'pal'\n" to "pal: " +-perl -i -pe "s/Entering '([^\n]*)'\n/\$1: /" $TEMP_FILE +- +-# Grab the reference hashes in a variable +-SOURCE_REFS=`cat $TEMP_FILE` +-rm $TEMP_FILE +- + # Update the bundle file w/the ref hash (much easier with perl since multi-line) + perl -i -pe "s/-- Source code references --/${SOURCE_REFS}/" $BUNDLE_FILE + +diff --git a/Metrics.cpp b/Metrics.cpp +--- a/Metrics.cpp 2020-07-14 13:50:43.000000000 -0700 ++++ b/Metrics.cpp 2020-10-15 14:46:23.976275931 -0700 +@@ -80,47 +80,47 @@ + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("version", AUOMS_VERSION, nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder->AddField("version", AUOMS_VERSION, "", field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("StartTime", system_time_to_iso3339(snap.start_time), nullptr, ++ if (_builder->AddField("StartTime", system_time_to_iso3339(snap.start_time), "", + field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("EndTime", system_time_to_iso3339(snap.end_time), nullptr, ++ if (_builder->AddField("EndTime", system_time_to_iso3339(snap.end_time), "", + field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("Namespace", snap.namespace_name, nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder->AddField("Namespace", snap.namespace_name, "", field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("Name", 
snap.name, nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder->AddField("Name", snap.name, "", field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("SamplePeriod", std::to_string(snap.sample_period), nullptr, ++ if (_builder->AddField("SamplePeriod", std::to_string(snap.sample_period), "", + field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("NumSamples", std::to_string(snap.num_samples), nullptr, ++ if (_builder->AddField("NumSamples", std::to_string(snap.num_samples), "", + field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("Min", std::to_string(snap.min), nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder->AddField("Min", std::to_string(snap.min), "", field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("Max", std::to_string(snap.max), nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder->AddField("Max", std::to_string(snap.max), "", field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +- if (_builder->AddField("Avg", std::to_string(snap.avg), nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder->AddField("Avg", std::to_string(snap.avg), "", field_type_t::UNCLASSIFIED) != 1) { + _builder->CancelEvent(); + return false; + } +diff --git a/OperationalStatus.cpp b/OperationalStatus.cpp +--- a/OperationalStatus.cpp 2020-07-14 13:50:43.000000000 -0700 ++++ b/OperationalStatus.cpp 2020-10-15 14:46:52.727988196 -0700 +@@ -192,12 +192,12 @@ + _builder.CancelEvent(); + return false; + } +- if (_builder.AddField("version", AUOMS_VERSION, nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder.AddField("version", AUOMS_VERSION, "", field_type_t::UNCLASSIFIED) != 1) { + _builder.CancelEvent(); + return false; + } + if (!errors.empty()) { +- if (_builder.AddField("errors", errors, 
nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (_builder.AddField("errors", errors, "", field_type_t::UNCLASSIFIED) != 1) { + _builder.CancelEvent(); + return false; + } +diff --git a/OutputInputTests.cpp b/OutputInputTests.cpp +--- a/OutputInputTests.cpp 2020-07-14 13:50:43.000000000 -0700 ++++ b/OutputInputTests.cpp 2020-10-15 14:47:09.019825179 -0700 +@@ -39,7 +39,7 @@ + builder->CancelEvent(); + return false; + } +- if (builder->AddField("seq", std::to_string(seq), nullptr, field_type_t::UNCLASSIFIED) != 1) { ++ if (builder->AddField("seq", std::to_string(seq), "", field_type_t::UNCLASSIFIED) != 1) { + builder->CancelEvent(); + return false; + } +diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp +--- a/RawEventProcessor.cpp 2020-07-14 13:50:43.000000000 -0700 ++++ b/RawEventProcessor.cpp 2020-10-15 14:48:34.222972890 -0700 +@@ -567,7 +567,7 @@ + _path_ouid.append(SV_JSON_ARRAY_END); + _path_ogid.append(SV_JSON_ARRAY_END); + +- auto ret = _builder->AddField(SV_PATH_NAME, _path_name, nullptr, field_type_t::UNCLASSIFIED); ++ auto ret = _builder->AddField(SV_PATH_NAME, _path_name, "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + if (ret == Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +@@ -576,7 +576,7 @@ + return false; + } + +- ret = _builder->AddField(SV_PATH_NAMETYPE, _path_nametype, nullptr, field_type_t::UNCLASSIFIED); ++ ret = _builder->AddField(SV_PATH_NAMETYPE, _path_nametype, "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + if (ret == Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +@@ -585,7 +585,7 @@ + return false; + } + +- ret = _builder->AddField(SV_PATH_MODE, _path_mode, nullptr, field_type_t::UNCLASSIFIED); ++ ret = _builder->AddField(SV_PATH_MODE, _path_mode, "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + if (ret == Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +@@ -594,7 +594,7 @@ + return false; + } + +- ret = _builder->AddField(SV_PATH_OUID, _path_ouid, nullptr, 
field_type_t::UNCLASSIFIED); ++ ret = _builder->AddField(SV_PATH_OUID, _path_ouid, "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + if (ret == Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +@@ -603,7 +603,7 @@ + return false; + } + +- ret = _builder->AddField(SV_PATH_OGID, _path_ogid, nullptr, field_type_t::UNCLASSIFIED); ++ ret = _builder->AddField(SV_PATH_OGID, _path_ogid, "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + if (ret == Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +@@ -626,7 +626,7 @@ + proctitle_field = EventRecordField(); + + _execve_converter.Convert(execve_recs, _cmdline); +- ret = _builder->AddField(SV_CMDLINE, _cmdline, nullptr, field_type_t::UNESCAPED); ++ ret = _builder->AddField(SV_CMDLINE, _cmdline, "", field_type_t::UNESCAPED); + + if (ret != 1) { + if (ret == Queue::CLOSED) { +@@ -657,7 +657,7 @@ + unescape_raw_field(_unescaped_val, proctitle_field.RawValuePtr(), proctitle_field.RawValueSize()); + ExecveConverter::ConvertRawCmdline(_unescaped_val, _cmdline); + +- ret = _builder->AddField(SV_PROCTITLE, _cmdline, nullptr, field_type_t::PROCTITLE); ++ ret = _builder->AddField(SV_PROCTITLE, _cmdline, "", field_type_t::PROCTITLE); + if (ret != 1) { + if (ret == Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +@@ -682,7 +682,7 @@ + for (auto& field: dropped_rec) { + _field_name.assign(SV_DROPPED); + _field_name.append(field.FieldName()); +- ret = _builder->AddField(_field_name, field.RawValue(), nullptr, field_type_t::UNCLASSIFIED); ++ ret = _builder->AddField(_field_name, field.RawValue(), "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + if (ret == Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +@@ -707,7 +707,7 @@ + containerid = p->_containerid; + } + +- ret = _builder->AddField(SV_CONTAINERID, containerid, nullptr, field_type_t::UNCLASSIFIED); ++ ret = _builder->AddField(SV_CONTAINERID, containerid, "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + if (ret == 
Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +@@ -842,7 +842,7 @@ + } + + bool RawEventProcessor::add_str_field(const std::string_view& name, const std::string_view& val, field_type_t ft) { +- int ret = _builder->AddField(name, val, nullptr, ft); ++ int ret = _builder->AddField(name, val, "", ft); + if (ret != 1) { + if (ret == Queue::CLOSED) { + throw std::runtime_error("Queue closed"); +diff --git a/RawEventRecord.cpp b/RawEventRecord.cpp +--- a/RawEventRecord.cpp 2020-07-14 13:50:43.000000000 -0700 ++++ b/RawEventRecord.cpp 2020-10-15 14:49:06.070654420 -0700 +@@ -176,7 +176,7 @@ + } + + if (!_node.empty()) { +- ret = builder.AddField(SV_NODE, _node, nullptr, field_type_t::UNCLASSIFIED); ++ ret = builder.AddField(SV_NODE, _node, "", field_type_t::UNCLASSIFIED); + if (ret != 1) { + return ret; + } +@@ -185,7 +185,7 @@ + // If record is marked as unparsable, then the text (after the 'audit():' section is included as the only value in + // _record_fields + if (_unparsable) { +- ret = builder.AddField(SV_UNPARSED_TEXT, _record_fields[0], nullptr, field_type_t::UNESCAPED); ++ ret = builder.AddField(SV_UNPARSED_TEXT, _record_fields[0], "", field_type_t::UNESCAPED); + if (ret != 1) { + return ret; + } +@@ -195,9 +195,9 @@ + for (auto f: _record_fields) { + auto idx = f.find_first_of('='); + if (idx == std::string_view::npos) { +- ret = builder.AddField(f, std::string_view(), nullptr, field_type_t::UNCLASSIFIED); ++ ret = builder.AddField(f, std::string_view(), "", field_type_t::UNCLASSIFIED); + } else { +- ret = builder.AddField(f.substr(0, idx), f.substr(idx + 1), nullptr, field_type_t::UNCLASSIFIED); ++ ret = builder.AddField(f.substr(0, idx), f.substr(idx + 1), "", field_type_t::UNCLASSIFIED); + } + if (ret != 1) { + return ret; +diff --git a/TestEventData.h b/TestEventData.h +--- a/TestEventData.h 2020-07-14 13:50:43.000000000 -0700 ++++ b/TestEventData.h 2020-10-15 14:49:48.162233590 -0700 +@@ -33,7 +33,12 @@ + field_type_t _field_type; + + void 
Write(const std::shared_ptr& builder) { +- builder->AddField(_name, _raw, _interp, _field_type); ++ if (_interp == nullptr) { ++ builder->AddField(_name, _raw, "", _field_type); ++ } ++ else { ++ builder->AddField(_name, _raw, _interp, _field_type); ++ } + } + }; + diff --git a/SPECS/auoms/auoms.signatures.json b/SPECS/auoms/auoms.signatures.json new file mode 100644 index 00000000000..8d45f23d8de --- /dev/null +++ b/SPECS/auoms/auoms.signatures.json @@ -0,0 +1,8 @@ +{ + "Signatures": { + "auoms-2.2.5.tar.gz": "77fb7b561c597a99333d933fa738e184a6070c5f3c37fa09fb5bc8c5faacb0c3", + "msgpack-c-cpp-2.0.0.zip": "9f3860bc014355dbdf6519ffb78d54d120bb8d134dcb4eba35eb5103c1ac3cd1", + "pal-1.6.6-0.tar.gz": "f55a83636ed721ab2a347837b7ed517ece41fd179848995111032ebcd2370405", + "rapidjson-1.0.2.tar.gz": "c3711ed2b3c76a5565ee9f0128bb4ec6753dbcc23450b713842df8f236d08666" + } +} \ No newline at end of file diff --git a/SPECS/auoms/auoms.spec b/SPECS/auoms/auoms.spec new file mode 100644 index 00000000000..55fd11f0693 --- /dev/null +++ b/SPECS/auoms/auoms.spec 
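Review bot: In the create_bundle.sh hunk the deletion stops one line short: the block that computed `SOURCE_REFS` is removed, but the following `perl -i -pe "s/-- Source code references --/${SOURCE_REFS}/" $BUNDLE_FILE` line is kept, so it now expands an unset variable and silently blanks the placeholder in the generated bundle; either delete that perl line as well or assign `SOURCE_REFS` a fixed value before it is used. In the build/Makefile hunk, `touch $(SEPOLICY_DIR)/auoms.pp` replaces the SELinux policy build with a zero-byte file, and the auoms.spec on this page then installs `intermediate/selinux/*` into /usr/share/selinux/packages/auoms, so the package ships an empty `auoms.pp`; the comment should say so explicitly, e.g. `# auoms.pp is an empty placeholder until SELinux is supported in Mariner; it is not a loadable module`, so nobody tries to load it. The `nullptr` to `""` change for the interp argument across the C++ files is matched by the new `strlen(interp_value) != 0` test in Event.cpp, but nothing records why the empty string is now the sentinel; a one-line comment at that check, such as `// an empty interp string is treated the same as no interpreted value`, would keep the call sites and the check in sync.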
@@ -0,0 +1,193 @@
+%define debug_package %{nil}
+
+Summary: Auditd plugin that forwards audit events to OMS Agent for Linux
+Name: auoms
+Version: 2.2.5
+Release: 2%{?dist}
+License: MIT
+URL: https://github.com/microsoft/OMS-Auditd-Plugin
+#Source0: https://github.com/microsoft/OMS-Auditd-Plugin/archive/v2.2.5-0.tar.gz
+Source0: %{name}-%{version}.tar.gz
+#Source1: https://github.com/microsoft/pal/archive/v1.6.6-0.tar.gz
+Source1: pal-1.6.6-0.tar.gz
+#Source2: https://github.com/msgpack/msgpack-c/archive/cpp-2.0.0.zip
+Source2: msgpack-c-cpp-2.0.0.zip
+#Source3: https://github.com/Tencent/rapidjson/archive/v1.0.2.tar.gz
+Source3: rapidjson-1.0.2.tar.gz
+Patch0: auoms.patch
+Group: Applications/System
+Vendor: Microsoft Corporation
+Distribution: Mariner
+
+BuildRequires: unzip
+BuildRequires: cmake
+BuildRequires: wget
+BuildRequires: sudo
+BuildRequires: grep
+BuildRequires: sed
+BuildRequires: bash
+BuildRequires: bash-devel
+BuildRequires: audit-devel
+BuildRequires: boost-devel
+BuildRequires: python2
+BuildRequires: python2-devel
+
+Requires: audit
+Requires: sudo
+Requires: bash
+Requires: sed
+Requires: libstdc++
+Requires: perl
+Requires: glibc
+
+%description
+OMS Audit data collection daemon
+
+%prep
+tar xf %{SOURCE1} --no-same-owner --one-top-level=pal --strip-components 1
+cp %{SOURCE2} ./
+cp %{SOURCE3} ./
+%setup -q -n OMS-Auditd-Plugin-2.2.5-0
+%patch0 -p1
+
+%build
+grep AUOMS_BUILDVERSION auoms.version | head -n 4 | cut -d'=' -f2 | tr '\n' '.' 
| sed 's/.$//' | sed 's/^/#define AUOMS_VERSION "/' > auoms_version.h
+sed -i 's/$/"/' auoms_version.h
+cp -R /usr/include/boost /usr/local/include/boost
+mv /usr/include/boost /usr/include/boost148
+cd build
+./configure --enable-ulinux && make clean && make
+
+%install
+install -vdm 755 %{buildroot}%{_sysconfdir}/init.d
+install -vdm 755 %{buildroot}%{_sysconfdir}/opt/microsoft/auoms
+install -vdm 755 %{buildroot}%{_sysconfdir}/opt/microsoft/auoms/outconf.d
+install -vdm 755 %{buildroot}%{_sysconfdir}/opt/microsoft/auoms/rules.d
+install -vdm 755 %{buildroot}/opt/microsoft/auoms
+install -vdm 755 %{buildroot}/opt/microsoft/auoms/bin
+install -vdm 755 %{buildroot}/usr/share/selinux/packages/auoms
+install -vdm 750 %{buildroot}/var/opt/microsoft/auoms/data
+install -vdm 750 %{buildroot}/var/opt/microsoft/auoms/data/outputs
+
+install -m 644 intermediate/selinux/* %{buildroot}/usr/share/selinux/packages/auoms
+install -m 555 installer/auoms.init %{buildroot}%{_sysconfdir}/init.d/auoms
+install -m 644 installer/conf/auoms.conf %{buildroot}%{_sysconfdir}/opt/microsoft/auoms
+install -m 644 installer/conf/auomscollect.conf %{buildroot}%{_sysconfdir}/opt/microsoft/auoms
+install -m 644 installer/conf/example_output.conf %{buildroot}%{_sysconfdir}/opt/microsoft/auoms
+install -m 444 ./LICENSE %{buildroot}/opt/microsoft/auoms
+install -m 444 ./THIRD_PARTY_IP_NOTICE %{buildroot}/opt/microsoft/auoms
+install -m 444 installer/auoms.service %{buildroot}/opt/microsoft/auoms
+install -m 755 intermediate/builddir/release/bin/auomscollect %{buildroot}/opt/microsoft/auoms/bin
+install -m 755 intermediate/builddir/release/bin/auoms %{buildroot}/opt/microsoft/auoms/bin
+install -m 755 intermediate/builddir/release/bin/auomsctl %{buildroot}/opt/microsoft/auoms/bin
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+#!/bin/sh
+
+if [ $1 -gt 1 ] ; then
+ if [ -e /etc/audisp/plugins.d/auoms.conf ]; then
+ echo "Pre: found etc/audisp/plugins.d/auoms.conf"
+ if [ -e 
/etc/audisp/plugins.d/auoms.conf.auomssave ]; then
+ rm /etc/audisp/plugins.d/auoms.conf.auomssave
+ fi
+ cp -p /etc/audisp/plugins.d/auoms.conf /etc/audisp/plugins.d/auoms.conf.auomssave
+ fi
+ if [ -e /etc/audit/plugins.d/auoms.conf ]; then
+ echo "Pre: found etc/audit/plugins.d/auoms.conf"
+ if [ -e /etc/audit/plugins.d/auoms.conf.auomssave ]; then
+ rm /etc/audit/plugins.d/auoms.conf.auomssave
+ fi
+ cp -p /etc/audit/plugins.d/auoms.conf /etc/audit/plugins.d/auoms.conf.auomssave
+ fi
+fi
+
+%preun
+#!/bin/sh
+
+if [ $1 -eq 0 ]; then
+ /opt/microsoft/auoms/bin/auomsctl disable
+fi
+
+%post
+#!/bin/sh
+
+SERVICEDIR=/opt/microsoft/auoms
+
+if [ $1 -gt 1 ] ; then
+ if [ -e /etc/audisp/plugins.d/auoms.conf.auomssave ]; then
+ echo "Post: found /etc/audisp/plugins.d/auoms.conf"
+ if [ -e /etc/audisp/plugins.d/auoms.conf ]; then
+ rm /etc/audisp/plugins.d/auoms.conf
+ fi
+ cp -p /etc/audisp/plugins.d/auoms.conf.auomssave /etc/audisp/plugins.d/auoms.conf
+ fi
+ if [ -e /etc/audit/plugins.d/auoms.conf.auomssave ]; then
+ echo "Post: found /etc/audit/plugins.d/auoms.conf"
+ if [ -e /etc/audit/plugins.d/auoms.conf ]; then
+ rm /etc/audit/plugins.d/auoms.conf
+ fi
+ cp -p /etc/audit/plugins.d/auoms.conf.auomssave /etc/audit/plugins.d/auoms.conf
+ fi
+ echo "Post: executing upgrade"
+ /opt/microsoft/auoms/bin/auomsctl upgrade
+fi
+for dir in /usr/lib/systemd/system /lib/systemd/system; do
+ if [ -e $dir ]; then
+ install -m 644 ${SERVICEDIR}/auoms.service $dir
+ systemctl enable auoms.service
+ break
+ fi
+done
+sudo /opt/microsoft/auoms/bin/auomsctl enable
+rm -f /etc/audisp/plugins.d/auoms.conf.*
+rm -f /etc/audit/plugins.d/auoms.conf.*
+
+%postun
+#!/bin/sh
+
+if [ $1 -eq 0 ]; then
+ rm -f /etc/audisp/plugins.d/auoms.conf*
+ rm -f /etc/audit/plugins.d/auoms.conf*
+
+ rm -rf -v /etc/opt/microsoft/auoms
+ rm -rf -v /var/opt/microsoft/auoms
+fi
+for dir in /usr/lib/systemd/system /lib/systemd/system; do
+ if [ -e ${dir}/auoms.service ]; then
+ systemctl disable 
auoms.service
+ rm -f ${dir}/auoms.service
+ break
+ fi
+done
+
+%files
+%defattr(-,root,root)
+/usr/share/selinux/packages/auoms
+/usr/share/selinux/packages/auoms/*
+%{_sysconfdir}/init.d/auoms
+%{_sysconfdir}/opt/microsoft/auoms
+%{_sysconfdir}/opt/microsoft/auoms/auoms.conf
+%{_sysconfdir}/opt/microsoft/auoms/auomscollect.conf
+%{_sysconfdir}/opt/microsoft/auoms/example_output.conf
+%{_sysconfdir}/opt/microsoft/auoms/outconf.d
+%{_sysconfdir}/opt/microsoft/auoms/rules.d
+/opt/microsoft/auoms
+%license /opt/microsoft/auoms/LICENSE
+%license /opt/microsoft/auoms/THIRD_PARTY_IP_NOTICE
+/opt/microsoft/auoms/auoms.service
+/opt/microsoft/auoms/bin
+/opt/microsoft/auoms/bin/auomscollect
+/opt/microsoft/auoms/bin/auoms
+/opt/microsoft/auoms/bin/auomsctl
+/var/opt/microsoft/auoms
+/var/opt/microsoft/auoms/data
+/var/opt/microsoft/auoms/data/outputs
+
+%changelog
+* Sat Oct 24 2020 Andrew Phelps 2.2.5-2
+- Fix setup macro
+* Thu Oct 22 2020 Andrew Phelps 2.2.5-1
+- Initial CBL-Mariner version.
diff --git a/SPECS/azure-storage-cpp/azure-storage-cpp.signatures.json b/SPECS/azure-storage-cpp/azure-storage-cpp.signatures.json
new file mode 100644
index 00000000000..f4afc40a9ef
--- /dev/null
+++ b/SPECS/azure-storage-cpp/azure-storage-cpp.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "azure-storage-cpp-7.3.0.tar.gz" : "d333757a6065ae2d63f8dfac5bf3033fa1e70bd6e518bf7f97e8d256b9154324"
+ }
+}
diff --git a/SPECS/azure-storage-cpp/azure-storage-cpp.spec b/SPECS/azure-storage-cpp/azure-storage-cpp.spec
new file mode 100644
index 00000000000..d5c3e753526
--- /dev/null
+++ b/SPECS/azure-storage-cpp/azure-storage-cpp.spec
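Review bot: The %build section rewrites the build host's system headers (`cp -R /usr/include/boost /usr/local/include/boost` followed by `mv /usr/include/boost /usr/include/boost148`), which leaves boost-devel's files moved for everything else built in that environment and would make a second run of %build in the same chroot fail because the source directory no longer exists; the header layout upstream expects should be produced inside the build tree (an include path handed to `./configure`), with a comment naming which boost version upstream was written against. In %post, `sudo /opt/microsoft/auoms/bin/auomsctl enable` runs inside a scriptlet that already executes as root, so the `sudo` prefix should be dropped, and the runtime `Requires: sudo` with it if nothing else needs it. The unit file is copied into /usr/lib/systemd/system by %post instead of being packaged, so it is an unowned file that `rpm -V` cannot verify and %postun has to clean up by hand; installing it to the systemd unit directory in %install (`%{_unitdir}` where that macro is defined) and listing it in %files is the usual fix.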
@@ -0,0 +1,72 @@
+%define _build_id_links none
+
+Name: azure-storage-cpp
+Summary: Azure Storage Client Library for C++
+Version: 7.3.0
+Release: 2%{?dist}
+License: ASL 2.0
+URL: https://azure.github.io/azure-storage-cpp/
+Vendor: Microsoft Corporation
+Distribution: Mariner
+#Source0: https://github.com/Azure/azure-storage-cpp/archive/v%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+
+BuildRequires: util-linux-devel
+BuildRequires: openssl-devel
+BuildRequires: boost-devel
+BuildRequires: libxml2-devel
+BuildRequires: cpprest-devel
+BuildRequires: cmake
+
+Requires: openssl
+Requires: libxml2
+Requires: cpprest
+Requires: util-linux
+Requires: boost
+
+%description
+The Azure Storage Client Library for C++ allows you to build applications against Microsoft Azure Storage.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name} = %{version}
+Requires: cpprest-devel
+
+%description devel
+The Azure Storage Client Library for C++ allows you to build applications against Microsoft Azure Storage.
+
+%prep
+%setup -q
+
+%build
+CMAKE_OPTS="\
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_INSTALL_PREFIX=%{_prefix} \
+"
+
+mkdir -pv Microsoft.WindowsAzure.Storage/build
+cd Microsoft.WindowsAzure.Storage/build
+cmake $CMAKE_OPTS ..
+make %{?_smp_mflags}
+
+%install
+cd Microsoft.WindowsAzure.Storage/build
+make %{?_smp_mflags} DESTDIR=%{buildroot} install
+
+%files
+%license LICENSE.txt
+%doc README.md
+%{_libdir}/*.so.*
+
+%files devel
+%{_includedir}/was/*
+%{_includedir}/wascore/*
+%{_libdir}/libazurestorage.so
+
+%changelog
+* Fri Oct 16 2020 Jonathan Slobodzian 7.3.0-2
+- License Verified. Update Source0 Location. Integrated into Mariner Core.
+
+* Mon Mar 30 2020 Jonathan Chiu 7.3.0-1
+- Original version for CBL-Mariner.
+
diff --git a/SPECS/babeltrace2/00-fix-lttng-live-array-access.patch b/SPECS/babeltrace2/00-fix-lttng-live-array-access.patch
new file mode 100644
index 00000000000..e1b93e85b17
--- /dev/null
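Review bot: The %build section invokes `cmake $CMAKE_OPTS ..` directly with only `-DCMAKE_BUILD_TYPE=Release`, so the compiler and linker flags come from cmake's Release defaults rather than the distribution's `%{optflags}`; unless the toolchain injects them by another route, the hardening flags the rest of the distro is built with are not applied to this library. Adding `-DCMAKE_CXX_FLAGS="%{optflags}"` to `CMAKE_OPTS` (or using the distribution's cmake macro if one is provided) closes that gap. The hand-written `Requires: openssl`, `libxml2`, `cpprest`, `util-linux` and `boost` duplicate what rpm's automatic soname dependency generation produces if it is enabled for this build; either drop them or leave a comment explaining why explicit package names are wanted.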
+++ b/SPECS/babeltrace2/00-fix-lttng-live-array-access.patch
@@ -0,0 +1,23 @@
+diff -Naur babeltrace2-2.0.1/src/plugins/ctf/common/msg-iter/msg-iter.c babeltrace2-2.0.1-copy/src/plugins/ctf/common/msg-iter/msg-iter.c
+--- babeltrace2-2.0.1/src/plugins/ctf/common/msg-iter/msg-iter.c 2020-02-28 22:26:47.194726018 -0800
++++ babeltrace2-2.0.1-copy/src/plugins/ctf/common/msg-iter/msg-iter.c 2020-02-28 22:29:36.318373106 -0800
+@@ -2001,6 +2001,9 @@
+ }
+
+ if (G_UNLIKELY(int_fc->storing_index >= 0)) {
++ if ((uint64_t) int_fc->storing_index >= msg_it->stored_values->len) {
++ g_array_set_size(msg_it->stored_values, (uint64_t) int_fc->storing_index + 1);
++ }
+ g_array_index(msg_it->stored_values, uint64_t,
+ (uint64_t) int_fc->storing_index) = value;
+ }
+@@ -2090,6 +2093,9 @@
+ BT_ASSERT_DBG(int_fc->meaning == CTF_FIELD_CLASS_MEANING_NONE);
+
+ if (G_UNLIKELY(int_fc->storing_index >= 0)) {
++ if ((uint64_t) int_fc->storing_index >= msg_it->stored_values->len) {
++ g_array_set_size(msg_it->stored_values, (uint64_t) int_fc->storing_index + 1);
++ }
+ g_array_index(msg_it->stored_values, uint64_t,
+ (uint64_t) int_fc->storing_index) = (uint64_t) value;
+ }
diff --git a/SPECS/babeltrace2/babeltrace2.signatures.json b/SPECS/babeltrace2/babeltrace2.signatures.json
new file mode 100644
index 00000000000..9c6a094737b
--- /dev/null
+++ b/SPECS/babeltrace2/babeltrace2.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "babeltrace2-2.0.1.tar.bz2": "87f0acc134bac8e897f4eb0f5a02cbfffeb94d3bc0396ecb74a6667581988ecf"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/babeltrace2/babeltrace2.spec b/SPECS/babeltrace2/babeltrace2.spec
new file mode 100644
index 00000000000..e5c7b0171b6
--- /dev/null
+++ b/SPECS/babeltrace2/babeltrace2.spec
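Review bot: The new patch file carries no header explaining where the fix comes from, so a maintainer cannot tell whether it is an upstream commit that can be dropped on the next version bump or a local change that must be carried forward; a short preamble before the first `diff -Naur` line, such as `Grow stored_values before indexing it so a storing_index beyond the current length cannot write past the array. Upstream reference: <UPSTREAM-COMMIT-PLACEHOLDER>`, would record that. The guard itself is consistent across both hunks: each `g_array_index` write is preceded by the same `>= msg_it->stored_values->len` check and a `g_array_set_size` to `storing_index + 1`, so the out-of-bounds write path shown here is closed. Since `storing_index` originates in the trace metadata rather than in this code, it may be worth a comment noting that the array is grown to whatever index the metadata requests, so reviewers know that bound is not validated here.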
@@ -0,0 +1,99 @@
+Summary: A trace manipulation toolkit
+Name: babeltrace2
+Version: 2.0.1
+Release: 3%{?dist}
+License: MIT AND GPLv2
+Vendor: Microsoft Corporation
+Distribution: Mariner
+Group: System Environment
+URL: https://www.efficios.com/babeltrace
+Source0: https://www.efficios.com/files/babeltrace/%{name}-%{version}.tar.bz2
+Patch0: 00-fix-lttng-live-array-access.patch
+BuildRequires: elfutils-devel >= 0.154
+BuildRequires: gcc
+BuildRequires: glib-devel >= 2.28.0
+Requires: libbabeltrace2%{?_isa} = %{version}-%{release}
+
+%description
+The Babeltrace 2 project offers a library with a C API, Python 3 bindings, and
+a command-line tool which makes it very easy for mere mortals to view,
+convert, transform, and analyze traces.
+
+Babeltrace 2 is also the reference parser implementation of the Common Trace
+Format (CTF), a very versatile trace format followed by various tracers and
+tools such as LTTng and barectf.
+
+%package -n libbabeltrace2
+Summary: A trace manipulation library
+Requires: glib >= 2.28.0
+
+%description -n libbabeltrace2
+The libbabeltrace2 package contains a library and plugin system to view,
+convert, transform, and analyze traces.
+
+%package -n libbabeltrace2-devel
+Summary: Development files for libbabeltrace2
+Requires: glib >= 2.28.0
+Requires: libbabeltrace2%{?_isa} = %{version}-%{release}
+
+%description -n libbabeltrace2-devel
+The libbabeltrace2-devel package contains the header files and libraries
+needed to develop programs that use the libbabeltrace2 trace manipulation
+library.
+
+%prep
+%autosetup -p1
+
+%build
+%configure --disable-static \
+ --enable-debug-info \
+ --disable-Werror
+
+%make_build
+
+%check
+make check
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+# Clean installed doc
+rm -fv %{buildroot}%{_docdir}/babeltrace2/*
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root)
+%license LICENSE gpl-2.0.txt mit-license.txt
+%doc ChangeLog README.adoc
+%{_bindir}/babeltrace2
+%{_mandir}/man1/*.1*
+%{_mandir}/man7/*.7*
+
+%files -n libbabeltrace2
+%defattr(-,root,root)
+%{_libdir}/*.so.*
+%{_libdir}/babeltrace2/plugins/*.so
+
+%files -n libbabeltrace2-devel
+%defattr(-,root,root)
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/babeltrace2.pc
+%{_libdir}/pkgconfig/babeltrace2-ctf-writer.pc
+
+%changelog
+* Wed Oct 14 2020 Thomas Crain - 2.0.1-3
+- Update Source0
+- License verified
+
+* Tue Feb 11 2020 Nick Bopp - 2.0.1-2
+- Initial import from Fedora 32 (license: MIT and GPLv2)
+- Added runtime dependency on glib2
+- Remove python requirements
+- Removed ldconfig_scriptlets
+- Fix installed file cleanup
+
+* Mon Feb 10 2020 Michael Jeanson - 2.0.1-1
+- New upstream release
diff --git a/SPECS/bond/bond.signatures.json b/SPECS/bond/bond.signatures.json
new file mode 100644
index 00000000000..69002353146
--- /dev/null
+++ b/SPECS/bond/bond.signatures.json
@@ -0,0 +1,7 @@
+{
+ "Signatures": {
+ "bond-8.0.1.tar.gz": "d22428a40ab158813c6b0d6548a9a4c1304c1873bd4f2f62a0f36c0ba2855a8b",
+ "gbc-0.11.0.3-aarch64" : "2fa232b3ceb79ff2e002ad06f8da93bd59f81599102f95258b4dadb84d6b847d",
+ "gbc-0.11.0.3-x86_64": "c64f9db841b8cccad4c8ec0bd724e52d28b51a15af145fe40223cd92d7356d71"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/bond/bond.spec b/SPECS/bond/bond.spec
new file mode 100644
index 00000000000..c460848e38d
--- /dev/null
+++ b/SPECS/bond/bond.spec
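Review bot: `%post -p /sbin/ldconfig` and `%postun -p /sbin/ldconfig` attach to the main `babeltrace2` package, which only ships the CLI and man pages; the shared objects (`%{_libdir}/*.so.*`) live in the `libbabeltrace2` subpackage, which gets no ldconfig scriptlet at all. Change them to `%post -n libbabeltrace2 -p /sbin/ldconfig` and `%postun -n libbabeltrace2 -p /sbin/ldconfig`. The changelog's "Removed ldconfig_scriptlets" refers to the Fedora macro being replaced, and the replacement should cover the same package that macro did.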
@@ -0,0 +1,73 @@
+Name: bond
+Summary: Microsoft Bond Library
+Version: 8.0.1
+Release: 3%{?dist}
+License: MIT
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://github.com/microsoft/bond
+#Source0: %{url}/archive/%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+Source1: gbc-0.11.0.3-%{_arch}
+
+BuildRequires: clang
+BuildRequires: cmake
+BuildRequires: zlib-devel
+BuildRequires: boost-devel
+BuildRequires: ncurses-devel
+BuildRequires: rapidjson-devel
+BuildRequires: gmp-devel
+
+%description
+Bond is an open-source, cross-platform framework for working with schematized data.
+It supports cross-language serialization/deserialization and powerful generic mechanisms
+for efficiently manipulating data. Bond is broadly used at Microsoft in high scale services.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name} = %{version}
+
+%description devel
+Development files for %{name}
+
+%prep
+%setup -q
+
+%build
+CMAKE_OPTS="\
+ -DBOND_ENABLE_GRPC=FALSE \
+ -DBOND_FIND_RAPIDJSON=TRUE \
+ -DBOND_SKIP_CORE_TESTS=TRUE \
+ -DBOND_SKIP_GBC_TESTS=TRUE \
+ -DBOND_GBC_PATH=%{SOURCE1} \
+ -DCMAKE_INSTALL_PREFIX=%{_prefix} \
+"
+
+mkdir -v build
+cd build
+cmake $CMAKE_OPTS ..
+make %{?_smp_mflags}
+
+%install
+cd build
+make DESTDIR=%{buildroot} install
+chmod 0755 %{buildroot}%{_bindir}/gbc
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/*
+
+%files devel
+%{_includedir}/%{name}/*
+%{_libdir}/%{name}/*
+
+%changelog
+* Mon Oct 19 2020 Pawel Winogrodzki 8.0.1-3
+- License verified.
+- Added source URL.
+- Added 'Vendor' and 'Distribution' tags.
+* Tue May 19 2020 Jonathan Chiu 8.0.1-2
+- Add aarch64 support
+* Mon Apr 06 2020 Jonathan Chiu 8.0.1-1
+- Original version for CBL-Mariner.
diff --git a/SPECS/bond/gbc-0.11.0.3-aarch64 b/SPECS/bond/gbc-0.11.0.3-aarch64
new file mode 100755
index 00000000000..e9fcad22f49
Binary files /dev/null and b/SPECS/bond/gbc-0.11.0.3-aarch64 differ
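Review bot: `Source1: gbc-0.11.0.3-%{_arch}` is a prebuilt Bond compiler committed to the repo as an opaque binary (the two "Binary files ... differ" entries) and then installed as `%{_bindir}/gbc`, so the package ships executable code that is never built from source and is pinned only by the sha256 in bond.signatures.json. Record its origin above `Source1` so it can be reproduced and audited: `# gbc is a prebuilt Haskell binary (not rebuilt here); record the bond commit, GHC toolchain and host it was built with, or build it from source`. The devel subpackage's `Requires: %{name} = %{version}` should be `%{name} = %{version}-%{release}` so main and devel cannot diverge by release.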
diff --git a/SPECS/bond/gbc-0.11.0.3-x86_64 b/SPECS/bond/gbc-0.11.0.3-x86_64 new file mode 100755 index 00000000000..f530e9c1b1e Binary files /dev/null and b/SPECS/bond/gbc-0.11.0.3-x86_64 differ diff --git a/SPECS/brotli/brotli.spec b/SPECS/brotli/brotli.spec index 41ec29f4d99..c0bfc04209b 100644 --- a/SPECS/brotli/brotli.spec +++ b/SPECS/brotli/brotli.spec @@ -4,7 +4,7 @@ Name: brotli Version: 1.0.7 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Lossless compression algorithm Group: Applications/File @@ -18,6 +18,9 @@ Distribution: Mariner BuildRequires: cmake BuildRequires: python3-devel BuildRequires: python3-setuptools +%if %{with_check} +BuildRequires: python3-xml +%endif %description Brotli is a generic-purpose lossless compression algorithm that compresses @@ -130,6 +133,9 @@ python3 setup.py test %changelog +* Tue Oct 20 2020 Andrew Phelps 1.0.7-8 +- Fix check test + * Mon Dec 9 2019 Emre Girgin 1.0.7-7 - Initial CBL-Mariner import from Fedora 31 (license: MIT). diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json index aade17289a9..ec15c7d3890 100644 --- a/SPECS/ca-certificates/ca-certificates.signatures.json +++ b/SPECS/ca-certificates/ca-certificates.signatures.json @@ -17,7 +17,7 @@ "certdata.microsoft.txt": "d647ba9622bd973b2a2cb5114825a8ff6016ba3a5499a6a7cccdc1d07af25fdb", "certdata.txt": "cc6408bd4be7fbfb8699bdb40ccb7f6de5780d681d87785ea362646e4dad5e8e", "certdata2pem.py": "0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0", - "nssckbi.h": "4019b4b68df6b89b22d350ffea652707864ee995b399de2f876c6d52d41f11ac", + "nssckbi.h": "9d916fe1586259d94632f186a736449e8344b8a18f7ac97253f13efc764d77ea", "pem2bundle.sh": "79012e7fabf560c3b950349e500770a314006e5b330621a50147eeda11c633ea", "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "update-ca-trust": "0c0c0600587db7f59ba5e399666152ea6de6059f37408f3946c43438d607efdd", 
diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec index 1f0845d1dcc..a134d7fa513 100644 --- a/SPECS/ca-certificates/ca-certificates.spec +++ b/SPECS/ca-certificates/ca-certificates.spec @@ -74,7 +74,7 @@ Name: ca-certificates # (but these files might have not yet been released). Version: 20200720 -Release: 7%{?dist} +Release: 9%{?dist} License: MPLv2.0 URL: https://hg.mozilla.org Group: System Environment/Security @@ -198,7 +198,7 @@ cp -p %{SOURCE20} . %convert_certdata %{SOURCE0} %convert_certdata %{SOURCE21} -%convert_certdata %{SOURCE22} +%convert_certdata %{SOURCE23} #manpage cp %{SOURCE10} %{name}/update-ca-trust.8.txt @@ -250,7 +250,7 @@ install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf %install_bundles %{SOURCE21} %{p11_format_base_bundle} %{legacy_default_base_bundle} %{legacy_disable_base_bundle} # Microsoft certs -%install_bundles %{SOURCE22} %{p11_format_microsoft_bundle} %{legacy_default_microsoft_bundle} %{legacy_disable_microsoft_bundle} +%install_bundles %{SOURCE23} %{p11_format_microsoft_bundle} %{legacy_default_microsoft_bundle} %{legacy_disable_microsoft_bundle} # TODO: consider to dynamically create the update-ca-trust script from within # this .spec file, in order to have the output file+directory names at once place only. 
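Review bot: The `%convert_certdata` and `%install_bundles` hunks redirect the Microsoft bundle from `%{SOURCE22}` to `%{SOURCE23}`, but the `Source22`/`Source23` declarations sit outside these hunks, so nothing here shows what the new input is or whether Source22 still has a consumer; if it is now unreferenced, remove it so a stale certificate list does not linger in the spec. A change to which file feeds the system trust store deserves a comment at the call site, e.g. `# Microsoft Trusted Root Program bundle; must be the file whose hash is pinned in ca-certificates.signatures.json`, and the changelog's "correct source" should say what actually differs in the trusted CA set. The Release also jumps from 7 to 9 in a single hunk with the intervening -8 present only in the changelog, which is worth a sentence in the PR description.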
@@ -425,42 +425,48 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %{_bindir}/bundle2pem.sh %changelog -* Mon Sep 13 2020 Pawel Winogrodzki - 2020.7.20-7 +* Wed Oct 21 2020 Pawel Winogrodzki - 20200720-9 +- Switching to the correct source for the Microsoft bundle. + +* Mon Sep 13 2020 Pawel Winogrodzki - 20200720-8 +- Aligning 'nssckbi.h' with the used 'certdata.txt' version for the Mozilla bundle. + +* Mon Sep 13 2020 Pawel Winogrodzki - 20200720-7 - Removing unused 'Requires*'. -* Wed Sep 09 2020 Pawel Winogrodzki - 2020.7.20-6 +* Wed Sep 09 2020 Pawel Winogrodzki - 20200720-6 - Adding 2 Microsoft-trusted, intermediate CAs into 'ca-certificates-base'. -* Mon Aug 24 2020 Pawel Winogrodzki - 2020.7.20-5 +* Mon Aug 24 2020 Pawel Winogrodzki - 20200720-5 - Adding 'ca-certificates-legacy' to support apps, which only work with a single cert per *.pem file. Adding a new 'ca-certificates-microsoft' subpackage with CAs trusted through the Microsoft Trusted Root Program. Converting common steps into parametrized macros. -* Tue Aug 11 2020 Pawel Winogrodzki - 2020.7.20-4 +* Tue Aug 11 2020 Pawel Winogrodzki - 20200720-4 - Updating base certificates to current intermediate CAs. - Re-assigning ownership of legacy bundles from '*-shared' to subpackages creating them. - Removing commented lines. -* Fri Jul 31 2020 Pawel Winogrodzki - 2020.7.20-3 +* Fri Jul 31 2020 Pawel Winogrodzki - 20200720-3 - Changing base certificates to trust packages.microsoft.com. -* Fri Jul 31 2020 Pawel Winogrodzki - 2020.7.20-2 +* Fri Jul 31 2020 Pawel Winogrodzki - 20200720-2 - Removed redundant 'ca-bundle.trust.p11-kit' certs bundle. - Removed unnecessary pre-install step. - Moved license and config to 'ca-certificates-shared' subpackage to guarantee these to be always present regardless of the installed certificates bundle. -* Thu Jul 23 2020 Pawel Winogrodzki - 2020.7.20-1 +* Thu Jul 23 2020 Pawel Winogrodzki - 20200720-1 - Updating certdata.txt to Mozilla version from 2020/07/20. 
-* Thu Jul 23 2020 Pawel Winogrodzki - 2020.4.28-4 +* Thu Jul 23 2020 Pawel Winogrodzki - 20200428-4 - Fixing installation of 'ca-certificates-base` subpackage by making shared files and directory structure a 'Requires' for all certificate packages. - Updating '%%uninstall_clean_up' macro to use pk11kit tooling. - Reordering (Build)Requires to increase clarity. -* Tue May 26 2020 Paul Monson - 2020.4.28-3 +* Tue May 26 2020 Paul Monson - 20200428-3 - Initial CBL-Mariner import from Fedora 27 (license: MIT). - License verified. - Updated Mozilla certdata.txt to latest version from the "FIREFOX_76_0_RELEASE" release. diff --git a/SPECS/ca-certificates/nssckbi.h b/SPECS/ca-certificates/nssckbi.h index ed02913c3f2..ace248f4b73 100644 --- a/SPECS/ca-certificates/nssckbi.h +++ b/SPECS/ca-certificates/nssckbi.h @@ -46,8 +46,8 @@ * It's recommend to switch back to 0 after having reached version 98/99. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 40 -#define NSS_BUILTINS_LIBRARY_VERSION "2.40" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 42 +#define NSS_BUILTINS_LIBRARY_VERSION "2.42" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 diff --git a/SPECS/ccache/ccache.signatures.json b/SPECS/ccache/ccache.signatures.json new file mode 100644 index 00000000000..7079a5ca229 --- /dev/null +++ b/SPECS/ccache/ccache.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "ccache-3.6.tar.gz" : "a3f2b91a2353b65a863c5901251efe48060ecdebec46b5eaec8ea8e092b9e871" + } +} diff --git a/SPECS/ccache/ccache.spec b/SPECS/ccache/ccache.spec new file mode 100644 index 00000000000..487d46dad5f --- /dev/null +++ b/SPECS/ccache/ccache.spec 
@@ -0,0 +1,38 @@ +Name: ccache +Summary: Compiler Cache +Version: 3.6 +Release: 2%{?dist} +License: BeOpen and BSD and GPLv3+ and (Patrick Powell's and Holger Weiss' license) and Public Domain and Python and zlib +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://ccache.dev +Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz + +BuildRequires: make + +%description +Ccache (or “ccache”) is a compiler cache. It speeds up recompilation by caching previous +compilations and detecting when the same compilation is being done again. + +%prep +%setup -q + +%build +%configure +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} + +%files +%license LICENSE.adoc +%doc README.md +%{_mandir}/* +%{_bindir}/ccache + +%changelog +* Mon Oct 19 2020 Pawel Winogrodzki 3.6-2 +- License verified. +- Added 'Vendor' and 'Distribution' tags. +* Mon Mar 30 2020 Jonathan Chiu 3.6-1 +- Original version for CBL-Mariner. diff --git a/SPECS/chrony/chrony.spec b/SPECS/chrony/chrony.spec index feee0a5e905..dfde8c7d8af 100644 --- a/SPECS/chrony/chrony.spec +++ b/SPECS/chrony/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server Vendor: Microsoft Corporation Distribution: Mariner @@ -77,13 +77,17 @@ sed -e 's|^pool.*|server time.windows.com|' \ -e 's|#\(keyfile\)|\1|' \ < examples/chrony.conf.example2 > chrony.conf +# use the example chrony-wait service, but comment out the line adding +# chrony-wait as a boot dependency +sed -i '/WantedBy=multi-user.target/s/^/#/g' examples/chrony-wait.service + cat >> chrony.conf << EOF # Setting larger 'maxdistance' to tolerate time.windows.com delay maxdistance 16.0 EOF -touch -r examples/chrony.conf.example2 chrony.conf +touch -r examples/chrony.conf.example2 examples/chrony-wait.service chrony.conf # regenerate the file from getdate.y rm -f getdate.c 
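Review bot: The new `sed -i '/WantedBy=multi-user.target/s/^/#/g' examples/chrony-wait.service` silently does nothing if upstream ever rewords that line, and the boot dependency the changelog says is removed would quietly come back. Make the build fail instead: add `grep -q '^WantedBy=multi-user.target' examples/chrony-wait.service` before the sed, or `! grep -q '^WantedBy=' examples/chrony-wait.service` after it. Commenting out the only `[Install]` entry also means `systemctl enable chrony-wait` becomes a no-op, which the comment above the sed should state so nobody re-adds the dependency by hand; the `%prep` section this edits continues past the hunk.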
@@ -191,6 +195,9 @@ systemctl start chronyd.service %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Oct 01 2020 Thomas Crain - 3.5.1-2 +- Remove chrony-wait service as a boot dependency + * Tue Sep 01 2020 Mateusz Malisz - 3.5.1-1 - Update version to 3.5.1 - Remove gpg signature check diff --git a/SPECS/cifs-utils/CVE-2020-14342-fix.patch b/SPECS/cifs-utils/CVE-2020-14342-fix.patch new file mode 100644 index 00000000000..c0eb7a12d47 --- /dev/null +++ b/SPECS/cifs-utils/CVE-2020-14342-fix.patch @@ -0,0 +1,37 @@ +From f7e13c34bc2f820ff124f1425c5d92dbdaa2e8da Mon Sep 17 00:00:00 2001 +From: Leandro Pereira +Date: Thu, 1 Oct 2020 15:51:32 -0700 +Subject: [PATCH] CVE-2020-13342: Do not rely on $PATH to find + systemd-ask-password + +The execlp() call will look at the $PATH environment variable to +determine which binary to execute; if a binary naemd +"systemd-ask-password" is present, that will be called with the same +privileges as "mount.cifs", which could be elevated as that might be +executed under sudo or the executable might be SUID root. Moreover, +this could be used to exfiltrate the password if somebody has access to +the environment. + +This patch makes the call using /usr/bin/systemd-ask-password directly. + +Signed-off-by: Leandro Pereira +--- + mount.cifs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mount.cifs.c b/mount.cifs.c +index 4feb397..af0a796 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -1669,7 +1669,8 @@ static int get_passwd_by_systemd(const char *prompt, char *input, int capacity) + if (pid == 0) { + close(fd[0]); + dup2(fd[1], STDOUT_FILENO); +- if (execlp("systemd-ask-password", "systemd-ask-password", prompt, NULL) == -1) { ++ if (execlp("/usr/bin/systemd-ask-password", ++ "/usr/bin/systemd-ask-password", prompt, NULL) == -1) { + fprintf(stderr, "Failed to execute systemd-ask-password: %s\n", + strerror(errno)); + } +-- +1.8.3.1 
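Review bot: The patch's Subject names CVE-2020-13342 while the file name and cifs-utils.spec refer to CVE-2020-14342; the mismatch will mislead anyone auditing which advisory this addresses, so change it to `Subject: [PATCH] CVE-2020-14342: Do not rely on $PATH to find systemd-ask-password`. With an absolute path `execlp()` performs no PATH search, so the fix is effective, but `execl("/usr/bin/systemd-ask-password", "systemd-ask-password", prompt, NULL)` states the intent directly and keeps argv[0] as the bare program name. The header also does not say whether this is a backport of an upstream cifs-utils commit or a local rewrite; if local, say so, since a setuid helper's exec path is exactly the kind of change that should be reconciled with upstream on the next bump. The function this edits, get_passwd_by_systemd, starts and ends outside the inner hunk.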
diff --git a/SPECS/cifs-utils/CVE-2020-14342.patch b/SPECS/cifs-utils/CVE-2020-14342.patch new file mode 100644 index 00000000000..57784627630 --- /dev/null +++ b/SPECS/cifs-utils/CVE-2020-14342.patch 
@@ -0,0 +1,121 @@ +diff -Naur cifs-utils-6.8.orig/mount.cifs.c cifs-utils-6.8.mod/mount.cifs.c +--- cifs-utils-6.8.orig/mount.cifs.c 2020-09-30 17:26:48.250924409 -0700 ++++ cifs-utils-6.8.mod/mount.cifs.c 2020-09-30 17:27:19.002733900 -0700 +@@ -1646,6 +1646,73 @@ + return 0; + } + ++#ifdef ENABLE_SYSTEMD ++static int get_passwd_by_systemd(const char *prompt, char *input, int capacity) ++{ ++ int fd[2]; ++ pid_t pid; ++ int offs = 0; ++ int rc = 1; ++ ++ if (pipe(fd) == -1) { ++ fprintf(stderr, "Failed to create pipe: %s\n", strerror(errno)); ++ return 1; ++ } ++ ++ pid = fork(); ++ if (pid == -1) { ++ fprintf(stderr, "Unable to fork: %s\n", strerror(errno)); ++ close(fd[0]); ++ close(fd[1]); ++ return 1; ++ } ++ if (pid == 0) { ++ close(fd[0]); ++ dup2(fd[1], STDOUT_FILENO); ++ if (execlp("systemd-ask-password", "systemd-ask-password", prompt, NULL) == -1) { ++ fprintf(stderr, "Failed to execute systemd-ask-password: %s\n", ++ strerror(errno)); ++ } ++ exit(1); ++ } ++ ++ close(fd[1]); ++ for (;;) { ++ if (offs+1 >= capacity) { ++ fprintf(stderr, "Password too long.\n"); ++ kill(pid, SIGTERM); ++ rc = 1; ++ break; ++ } ++ rc = read(fd[0], input + offs, capacity - offs); ++ if (rc == -1) { ++ fprintf(stderr, "Failed to read from pipe: %s\n", strerror(errno)); ++ rc = 1; ++ break; ++ } ++ if (!rc) ++ break; ++ offs += rc; ++ input[offs] = '\0'; ++ } ++ if (wait(&rc) == -1) { ++ fprintf(stderr, "Failed to wait child: %s\n", strerror(errno)); ++ rc = 1; ++ goto out; ++ } ++ if (!WIFEXITED(rc) || WEXITSTATUS(rc)) { ++ rc = 1; ++ goto out; ++ } ++ ++ rc = 0; ++ ++out: ++ close(fd[0]); ++ return rc; ++} ++#endif ++ + /* + * If systemd is running and systemd-ask-password -- + * is available, then use that else fallback on getpass(..) 
+@@ -1659,35 +1726,22 @@ + int is_systemd_running; + struct stat a, b; + ++ memset(input, 0, capacity); ++ + /* We simply test whether the systemd cgroup hierarchy is + * mounted */ + is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0) + && (lstat("/sys/fs/cgroup/systemd", &b) == 0) + && (a.st_dev != b.st_dev); + +- if (is_systemd_running) { +- char *cmd, *ret; +- FILE *ask_pass_fp = NULL; +- +- cmd = ret = NULL; +- if (asprintf(&cmd, "systemd-ask-password \"%s\"", prompt) >= 0) { +- ask_pass_fp = popen (cmd, "re"); +- free (cmd); +- } +- +- if (ask_pass_fp) { +- ret = fgets(input, capacity, ask_pass_fp); +- pclose(ask_pass_fp); +- } +- +- if (ret) { +- int len = strlen(input); +- if (input[len - 1] == '\n') +- input[len - 1] = '\0'; +- return input; +- } ++ if (is_systemd_running && !get_passwd_by_systemd(prompt, input, capacity)) { ++ int len = strlen(input); ++ if (input[len - 1] == '\n') ++ input[len - 1] = '\0'; ++ return input; + } + #endif ++ memset(input, 0, capacity); + + /* + * Falling back to getpass(..) diff --git a/SPECS/cifs-utils/cifs-utils.spec b/SPECS/cifs-utils/cifs-utils.spec index b6563974bcc..b9711a83738 100755 --- a/SPECS/cifs-utils/cifs-utils.spec +++ b/SPECS/cifs-utils/cifs-utils.spec @@ -1,12 +1,16 @@ Summary: cifs client utils Name: cifs-utils Version: 6.8 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv3 URL: http://wiki.samba.org/index.php/LinuxCIFS_utils Group: Applications/Nfs-utils-client Source0: https://ftp.samba.org/pub/linux-cifs/cifs-utils/cifs-utils-%{version}.tar.bz2 -%define sha1 cifs-utils=3440625e73a2e8ea58c63c61b46a61f5b7f95bac + +Patch0: CVE-2020-14342.patch +Patch1: CVE-2020-14342-fix.patch + + Vendor: Microsoft Corporation Distribution: Mariner BuildRequires: libcap-ng-devel @@ -26,7 +30,7 @@ Requires: cifs-utils = %{version}-%{release} Provides header files needed for Cifs-Utils development. %prep -%setup -q +%autosetup %build autoreconf -fiv &&./configure --prefix=%{_prefix} 
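Review bot: The read loop in get_passwd_by_systemd can write one byte past `input`: the guard only ensures `offs + 1 < capacity`, yet `read()` is then allowed `capacity - offs` bytes, so a full read leaves `offs == capacity` and `input[offs] = '\0'` lands at `input[capacity]`. Limit the read to `rc = read(fd[0], input + offs, capacity - offs - 1);` so the terminator always fits. In the child branch, `exit(1)` after a failed `execlp()` runs the parent's atexit handlers and flushes inherited stdio buffers a second time; `_exit(1);` is the right call there. The caller in the second inner hunk indexes `input[len - 1]` without checking `len`, so a child that exits 0 after printing nothing reads before the buffer; `if (len && input[len - 1] == '\n')` closes that, and get_passwd's enclosing definition begins before the inner hunk's context.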
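Review bot: `%autosetup` is used without `-p1`, but both new patches address paths with one leading directory (`cifs-utils-6.8.orig/mount.cifs.c`, `a/mount.cifs.c`); without an explicit strip level patch(1) appears to fall back to the basename, which works here only because mount.cifs.c sits at the tarball root. Use `%autosetup -p1`, as ed.spec in this same change does, so the intent is explicit and a future patch targeting a subdirectory fails loudly rather than applying to the wrong file. Removing `%define sha1 cifs-utils=...` drops the checksum from the spec; the matching `cifs-utils.signatures.json` entry is not in this view, so confirm it exists before the tarball loses its integrity anchor.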
@@ -48,9 +52,10 @@ make %{?_smp_mflags} check %{_includedir}/cifsidmap.h %changelog -* Sat May 09 00:20:52 PST 2020 Nick Samson - 6.8-3 -- Added %%license line automatically - +* Wed Sep 30 2020 Henry Beberman 6.8-4 +- Add patch for CVE-2020-14342 +* Sat May 09 2020 Nick Samson 6.8-3 +- Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 6.8-2 - Initial CBL-Mariner import from Photon (license: Apache2). * Fri Sep 07 2017 Ajay Kaher 6.8-1 diff --git a/SPECS/clamav/clamav.signatures.json b/SPECS/clamav/clamav.signatures.json new file mode 100644 index 00000000000..1e5420d890d --- /dev/null +++ b/SPECS/clamav/clamav.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "clamav-0.101.2.tar.gz": "0a12ebdf6ff7a74c0bde2bdc2b55cae33449e6dd953ec90824a9e01291277634" + } +} \ No newline at end of file diff --git a/SPECS/clamav/clamav.spec b/SPECS/clamav/clamav.spec new file mode 100644 index 00000000000..6ba7e9f22ff --- /dev/null +++ b/SPECS/clamav/clamav.spec 
@@ -0,0 +1,77 @@
+%{!?python2_sitelib: %global python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
+%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
+
+Summary: Open source antivirus engine
+Name: clamav
+Version: 0.101.2
+Release: 3%{?dist}
+License: ASL 2.0 and BSD and bzip2-1.0.4 and GPLv2 and LGPLv2+ and MIT and Public Domain and UnRar
+Group: System Environment/Security
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://www.clamav.net
+Source0: %{url}/downloads/production/%{name}-%{version}.tar.gz
+
+BuildRequires: libtool
+BuildRequires: zlib-devel
+# Workaround for coreutils missing requirement flex
+BuildRequires: flex-devel
+# Required to produce systemd files
+BuildRequires: systemd-devel
+BuildRequires: openssl-devel
+Requires: zlib
+Requires: openssl
+
+%description
+ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations
+including email scanning, web scanning, and end point security. It provides a number
+of utilities including a flexible and scalable multi-threaded daemon, a command
+line scanner and an advanced tool for automatic database updates.
+
+%prep
+%setup -q
+
+%build
+%configure
+
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot}
+
+%check
+make %{?_smp_mflags} check
+
+%post
+/sbin/ldconfig
+
+%postun
+/sbin/ldconfig
+
+%files
+%defattr(-,root,root)
+%license COPYING COPYING.bzip2 COPYING.file COPYING.getopt COPYING.LGPL COPYING.llvm COPYING.lzma COPYING.pcre COPYING.regex COPYING.unrar COPYING.YARA COPYING.zlib
+%{_bindir}/*
+%{_sysconfdir}/*.sample
+%{_includedir}/*.h
+%{_libdir}/*.la
+%{_libdir}/*.so
+%{_libdir}/*.so.*
+%{_libdir}/pkgconfig/*.pc
+/lib/systemd/*
+%{_sbindir}/*
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+
+
+%changelog
+* Mon Oct 19 2020 Pawel Winogrodzki 0.101.2-3
+- License verified.
+- Added %%license macro.
+- Switching to using the %%configure macro.
+- Extended package's summary and description.
+* Wed Oct 02 2019 Mateusz Malisz 0.101.2-2
+- Fix vendor and distribution. Add systemd files to the list.
+* Thu Jul 25 2019 Chad Zawistowski 0.101.2-1
+- Initial CBL-Mariner import from Azure.
diff --git a/SPECS/cloud-init-vmware-guestinfo/cloud-init-vmware-guestinfo.signatures.json b/SPECS/cloud-init-vmware-guestinfo/cloud-init-vmware-guestinfo.signatures.json
new file mode 100644
index 00000000000..2ae9210b1a8
--- /dev/null
+++ b/SPECS/cloud-init-vmware-guestinfo/cloud-init-vmware-guestinfo.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "cloud-init-vmware-guestinfo-1.3.1.tar.gz": "1f6c74b75d3697d62f0b5b8613e0d66bc06b2fd962f9b7c827c459d8c72505b9"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/cloud-init-vmware-guestinfo/cloud-init-vmware-guestinfo.spec b/SPECS/cloud-init-vmware-guestinfo/cloud-init-vmware-guestinfo.spec
new file mode 100644
index 00000000000..9b99799d0b4
--- /dev/null
+++ b/SPECS/cloud-init-vmware-guestinfo/cloud-init-vmware-guestinfo.spec
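Review bot: The main package ships `%{_libdir}/*.la`, `%{_includedir}/*.h`, the pkgconfig files and the unversioned `%{_libdir}/*.so`; libtool archives should be deleted in `%install` (`find %{buildroot} -name '*.la' -delete`) and the headers, `.pc` files and `.so` symlink belong in a `-devel` subpackage, as the other new specs in this change do. The two `python*_sitelib` macros at the top are defined but never used. ClamAV's daemon and updater are normally run as a dedicated unprivileged account; the spec installs only `*.sample` configs and creates no such user, so either add a `%pre` that creates one or a comment stating how the service is expected to be run. 0.101.2 is an early release of an old branch for a component whose job is parsing hostile input; confirm the pinned version against the project's published advisories before shipping it.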
@@ -0,0 +1,43 @@
+%{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
+Name: cloud-init-vmware-guestinfo
+Version: 1.3.1
+Release: 2%{?dist}
+Summary: A cloud-init datasource for VMware
+Group: System/Management
+License: ASL 2.0
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://github.com/vmware/cloud-init-vmware-guestinfo
+
+#Source0: https://github.com/vmware/%{name}/archive/v%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+BuildRequires: python3
+Requires: cloud-init
+BuildArch: noarch
+
+%description
+Provides a cloud-init datasource for pulling meta, user,
+and vendor data from VMware vSphere's GuestInfo interface.
+
+%prep
+%setup -q
+
+%build
+
+%install
+install -dm 0755 %{buildroot}%{_sysconfdir}/cloud/cloud.cfg.d
+install -m 0644 99-DataSourceVMwareGuestInfo.cfg %{buildroot}%{_sysconfdir}/cloud/cloud.cfg.d/99-DataSourceVMwareGuestInfo.cfg
+install -dm 0755 %{buildroot}%{python3_sitelib}/cloudinit/sources/
+install -m 0644 DataSourceVMwareGuestInfo.py %{buildroot}%{python3_sitelib}/cloudinit/sources/DataSourceVMwareGuestInfo.py
+
+%files
+%license LICENSE
+%config %{_sysconfdir}/cloud/cloud.cfg.d/99-DataSourceVMwareGuestInfo.cfg
+%{python3_sitelib}/cloudinit/sources/DataSourceVMwareGuestInfo.py
+
+%changelog
+* Mon Oct 12 2020 Pawel Winogrodzki 1.3.1-2
+- Adding a missing %%{?dist} tag.
+* Thu Sep 17 2020 Mateusz Malisz 1.3.1-1
+- Original version for CBL-Mariner.
+- License Verified
diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec
index 3ec9bf9d984..ad18b140a10 100644
--- a/SPECS/curl/curl.spec
+++ b/SPECS/curl/curl.spec
@@ -1,7 +1,7 @@
 Summary: An URL retrieval utility and library
 Name: curl
 Version: 7.68.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 URL: http://curl.haxx.se
 Group: System Environment/NetworkingLibraries
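Review bot: `%config %{_sysconfdir}/cloud/cloud.cfg.d/99-DataSourceVMwareGuestInfo.cfg` should be `%config(noreplace)` so a locally edited datasource list survives upgrades rather than being overwritten. The module is installed straight into cloud-init's own tree (`%{python3_sitelib}/cloudinit/sources/`), so it follows cloud-init's internal datasource API, yet `Requires: cloud-init` carries no version bound and nothing byte-compiles the file; a comment such as `# Installed into cloud-init's package tree; re-verify against the repo's cloud-init version on every bump` would make that coupling visible. Since the description says the datasource pulls meta, user and vendor data from the vSphere GuestInfo interface, whoever can set those VM properties can supply cloud-init config, which is a trust boundary worth one sentence in `%description`.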
@@ -49,7 +49,7 @@ This package contains minimal set of shared curl libraries. --with-ssl \ --with-gssapi \ --with-libssh2 \ - --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt \ + --with-ca-bundle=/etc/pki/tls/certs/ca-bundle.trust.crt \ --with-ca-path=/etc/ssl/certs make %{?_smp_mflags} @@ -89,6 +89,8 @@ rm -rf %{buildroot}/* %{_libdir}/libcurl.so.* %changelog +* Wed Oct 07 2020 Pawel Winogrodzki 7.68.0-3 +- Updating certificate bundle path to include full set of trust information. * Mon Sep 28 2020 Ruying Chen 7.68.0-2 - Add explicit provides for libcurl and libcurl-devel * Tue Aug 11 2020 Pawel Winogrodzki 7.68.0-1 diff --git a/SPECS/ed/CVE-2015-2987.nopatch b/SPECS/ed/CVE-2015-2987.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/ed/ed.spec b/SPECS/ed/ed.spec index adf6907e92a..c79fe3dbc16 100644 --- a/SPECS/ed/ed.spec +++ b/SPECS/ed/ed.spec @@ -1,7 +1,7 @@ Summary: Ed - A line-oriented text editor Name: ed Version: 1.14.2 -Release: 7%{?dist} +Release: 8%{?dist} URL: https://www.gnu.org/software/ed/ License: GPLv3 Group: Applications/System @@ -10,11 +10,15 @@ Distribution: Mariner # Official source under https://ftp.gnu.org/gnu/ed/ed-1.14.2.tar.lz. # We don't have lzip to decompress it. Source0: https://src.fedoraproject.org/repo/pkgs/%{name}/%{name}-%{version}.tar.xz/sha512/de838a6df785c7dc80f4b5ba84330bbe743983fd81218321d4ab84c4c3688fdafb4c005502f3228f0bfa2b6bcf342d64d9523ab73ee440b4f305a033f567cbc2/%{name}-%{version}.tar.xz + +# CVE-2015-2987 applies to a different program named ED +Patch0: CVE-2015-2987.nopatch + %description Ed - A line-oriented text editor %prep -%setup -q +%autosetup -p1 %build ./configure \ 
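Review bot: Switching `--with-ca-bundle` to `/etc/pki/tls/certs/ca-bundle.trust.crt` makes libcurl read a p11-kit extended-format bundle; with the OpenSSL backend selected here (`--with-ssl`) the `TRUSTED CERTIFICATE` blocks carry the trust and distrust attributes, which is presumably the point, but other TLS backends do not understand that format, so record the dependency next to the flag: `# ca-bundle.trust.crt is the p11-kit extended bundle (incl. distrust flags); relies on the OpenSSL backend`. Also confirm that the ca-certificates subpackage this curl depends on installs `ca-bundle.trust.crt` at exactly that path, since a missing default CA file would make every TLS connection fail with a CA-file error rather than fall back to `--with-ca-path`. The `%build` section this flag belongs to continues outside the hunk.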
@@ -42,6 +46,9 @@ make %{?_smp_mflags} check %{_mandir}/man1/* %changelog +* Wed Oct 14 2020 Henry Beberman 1.14.2-8 +- Nopatch CVE-2015-2987. Applies to a different program named ed. +- Switch setup to autosetup * Wed Aug 05 2020 Andrew Phelps 1.14.2-7 - Remove conflicting 'dir' file from _infodir * Sat May 09 2020 Nick Samson 1.14.2-6 diff --git a/SPECS/fluent-bit/fluent-bit.signatures.json b/SPECS/fluent-bit/fluent-bit.signatures.json new file mode 100644 index 00000000000..6221a462e6e --- /dev/null +++ b/SPECS/fluent-bit/fluent-bit.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "fluent-bit-1.4.1.tar.gz" : "f5e2e10133d2a266e508db9d95e425108a1a7e43ca713bedd0d9005d962b0cff" + } +} diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec new file mode 100644 index 00000000000..3fc69496b49 --- /dev/null +++ b/SPECS/fluent-bit/fluent-bit.spec 
@@ -0,0 +1,58 @@
+%define _build_id_links none
+
+Name: fluent-bit
+Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
+Version: 1.4.1
+Release: 2%{?dist}
+License: ASL 2.0
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://fluentbit.io
+#Source0: https://github.com/fluent/%{name}/archive/v%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+
+BuildRequires: cmake
+
+%description
+Fluent Bit is a fast Log Processor and Forwarder for Linux, Embedded Linux, MacOS and BSD
+family operating systems. It's part of the Fluentd Ecosystem and a CNCF sub-project.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name} = %{version}
+
+%description devel
+Development files for %{name}
+
+%prep
+%setup -q
+
+%build
+cd build
+cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} ..
+make %{?_smp_mflags}
+
+%install
+cd build
+make install DESTDIR=%{buildroot}
+
+%files
+%license LICENSE
+%doc README.md
+%exclude /usr/src/debug
+/lib/systemd/system/fluent-bit.service
+%{_bindir}/*
+/usr/etc/fluent-bit/*
+
+%files devel
+%{_includedir}/*
+/usr/lib64/*.so
+
+%changelog
+* Mon Oct 19 2020 Pawel Winogrodzki 1.4.1-2
+- License verified.
+- Fixed source URL.
+- Added 'Vendor' and 'Distribution' tags.
+* Mon Mar 30 2020 Jonathan Chiu 1.4.1-1
+- Original version for CBL-Mariner.
+
diff --git a/SPECS/fontconfig/fontconfig.signatures.json b/SPECS/fontconfig/fontconfig.signatures.json
index 10455f0631e..59d938630df 100644
--- a/SPECS/fontconfig/fontconfig.signatures.json
+++ b/SPECS/fontconfig/fontconfig.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "fontconfig-2.13.1.tar.gz": "9f0d852b39d75fc655f9f53850eb32555394f36104a044bb2b2fc9e66dbbfa7f"
+ "fontconfig-2.13.91.tar.gz": "19e5b1bc9d013a52063a44e1307629711f0bfef35b9aca16f9c793971e2eb1e5"
 }
 }
\ No newline at end of file
diff --git a/SPECS/fontconfig/fontconfig.spec b/SPECS/fontconfig/fontconfig.spec
index a39faca9d4a..77f590bea95 100644
--- a/SPECS/fontconfig/fontconfig.spec
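Review bot: The configuration is packaged from `/usr/etc/fluent-bit/*`, which is simply where CMake put sysconfdir under `-DCMAKE_INSTALL_PREFIX=/usr`; it should land in `%{_sysconfdir}/fluent-bit` and be marked `%config(noreplace)`, otherwise operator edits live under /usr and are overwritten on every upgrade. Pass `-DCMAKE_INSTALL_SYSCONFDIR=%{_sysconfdir}` (or whatever option fluent-bit's CMake honours for its config path) and check that the installed `fluent-bit.service` points at the same directory. `/usr/lib64/*.so` should be `%{_libdir}/*.so`, and `%exclude /usr/src/debug` papers over a build that installs debug sources into the buildroot rather than fixing it; together with `_build_id_links none`, confirm the debuginfo handling is intentional and note why in a comment.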
+++ b/SPECS/fontconfig/fontconfig.spec @@ -1,26 +1,27 @@ -Summary: library for configuring and customizing font access. -Name: fontconfig -Version: 2.13.1 -Release: 4%{?dist} -License: BSD/GPL -URL: https://www.freedesktop.org/wiki/Software/fontconfig/ -Group: System Environment/Libraries +Summary: library for configuring and customizing font access. +Name: fontconfig +Version: 2.13.91 +Release: 1%{?dist} +License: BSD/GPL +URL: https://www.freedesktop.org/wiki/Software/fontconfig/ +Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Mariner -Source0: https://www.freedesktop.org/software/fontconfig/release/%{name}-%{version}.tar.gz -BuildRequires: freetype-devel -BuildRequires: libxml2 -BuildRequires: expat-devel -BuildRequires: gperf -Provides: pkgconfig(fontconfig) +Source0: https://www.freedesktop.org/software/fontconfig/release/%{name}-%{version}.tar.gz +BuildRequires: freetype-devel +BuildRequires: libxml2 +BuildRequires: expat-devel +BuildRequires: gperf +Provides: pkgconfig(fontconfig) + %description Fontconfig can discover new fonts when installed automatically, removing a common source of configuration problems, perform font name substitution, so that appropriate alternative fonts can be selected if fonts are missing, identify the set of fonts required to completely cover a set of languages. -%package devel -Summary: Header and development files -Requires: %{name} = %{version}-%{release} -Requires: expat-devel -%description devel +%package devel +Summary: Header and development files +Requires: %{name} = %{version}-%{release} +Requires: expat-devel +%description devel It contains the libraries and header files to create applications %prep 
@@ -28,10 +29,11 @@ It contains the libraries and header files to create applications %build %configure \ - --sysconfdir=/etc \ - --localstatedir=/var \ - --docdir=/usr/share/doc/%{name}-%{version} \ - --disable-static + --sysconfdir=/etc \ + --localstatedir=/var \ + --docdir=/usr/share/doc/%{name}-%{version} \ + --disable-static + make %{?_smp_mflags} %install @@ -66,19 +68,20 @@ make -k check %{_mandir}/man3/* %changelog -* Sat May 09 00:20:59 PST 2020 Nick Samson - 2.13.1-4 +* Mon Oct 5 2020 Mateusz Malisz - 2.13.91-1 +- Update to 2.13.91 +* Sat May 9 2020 Nick Samson - 2.13.1-4 - Added %%license line automatically - -* Fri Apr 17 2020 Nicolas Ontiveros 2.13.1-3 -- Rename freetype2-devel to freetype-devel. -- Remove sha1 hash. -* Tue Sep 03 2019 Mateusz Malisz 2.13.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Sep 12 2018 Sujay G 2.13.1-1 -- Bump version to 2.13.1 -* Thu Aug 03 2017 Chang Lee 2.12.1-3 -- Add a patch for run-test. This issue was introduced by freetype 2.7.1 -* Fri Apr 14 2017 Alexey Makhalov 2.12.1-2 -- Requires expat-devel -* Fri Nov 11 2016 Dheeraj Shetty 2.12.1-1 -- Initial version +* Fri Apr 17 2020 Nicolas Ontiveros 2.13.1-3 +- Rename freetype2-devel to freetype-devel. +- Remove sha1 hash. +* Tue Sep 03 2019 Mateusz Malisz 2.13.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Wed Sep 12 2018 Sujay G 2.13.1-1 +- Bump version to 2.13.1 +* Thu Aug 03 2017 Chang Lee 2.12.1-3 +- Add a patch for run-test. This issue was introduced by freetype 2.7.1 +* Fri Apr 14 2017 Alexey Makhalov 2.12.1-2 +- Requires expat-devel +* Fri Nov 11 2016 Dheeraj Shetty 2.12.1-1 +- Initial version diff --git a/SPECS/gflags/gflags.signatures.json b/SPECS/gflags/gflags.signatures.json new file mode 100644 index 00000000000..19b9d618ccd --- /dev/null +++ b/SPECS/gflags/gflags.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "gflags-2.2.2.tar.gz": "34af2f15cf7367513b352bdcd2493ab14ce43692d2dcd9dfc499492966c64dcf" + } +} 
diff --git a/SPECS/gflags/gflags.spec b/SPECS/gflags/gflags.spec new file mode 100644 index 00000000000..52e8c53c10d --- /dev/null +++ b/SPECS/gflags/gflags.spec @@ -0,0 +1,65 @@ +Name: gflags +Summary: The gflags package contains a C++ library that implements commandline flags processing. +Version: 2.2.2 +Release: 3%{?dist} +License: BSD +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://gflags.github.io/gflags/ +#Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz + +BuildRequires: cmake +BuildRequires: build-essential + +%description +The gflags package contains a C++ library that implements commandline flags processing. +It includes built-in support for standard types such as string and the ability to define +flags in the source file in which they are used. + +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version} + +%description devel +Development files for %{name} + +%prep +%setup -q + +%build +mkdir build +cd build +%cmake -DBUILD_SHARED_LIBS=ON .. +make %{?_smp_mflags} + +%install +cd build +make install DESTDIR=%{buildroot} + +# Remove unused files +rm %{buildroot}/root/.cmake/packages/gflags/* + +%files +%doc README.md +%license COPYING.txt +%{_bindir}/* +%{_libdir}/*.so* + +%files devel +%{_includedir}/* +%{_libdir}/cmake/%{name} +%{_libdir}/*.so +%{_libdir}/pkgconfig/gflags.pc + +%changelog +* Thu Oct 08 2020 Pawel Winogrodzki 2.2.2-3 +- License verified. +- Added %%license macro. +- Added debug package. +- Fixed extra file exclude. +- Fixed 'Source0' URL. +* Fri Jun 05 2020 Jonathan Chiu 2.2.2-2 +- Exclude extra files +* Thu Apr 09 2020 Jonathan Chiu 2.2.2-1 +- Original version for CBL-Mariner. diff --git a/SPECS/git/git.spec b/SPECS/git/git.spec index ae1563b3832..8a56e2ed2bd 100644 --- a/SPECS/git/git.spec +++ b/SPECS/git/git.spec 
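Review bot: The main package's `%{_libdir}/*.so*` glob also matches the unversioned `.so` development symlink that `%files devel` lists as `%{_libdir}/*.so`, so the same file is packaged twice (rpmbuild reports it as listed twice and both subpackages end up owning it). Restricting the main package to the versioned names, `%{_libdir}/*.so.*`, as ivykis.spec and jsonbuilder.spec in this commit do, keeps the split clean. `rm %{buildroot}/root/.cmake/packages/gflags/*` removes the cmake user-package registry the build drops into `$HOME`; a comment saying that this is the "extra file" the changelog refers to would help the next reader.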
@@ -1,7 +1,7 @@ Summary: Fast distributed version control system Name: git Version: 2.23.3 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 URL: https://git-scm.com/ Group: System Environment/Programming @@ -57,10 +57,7 @@ install -m 0644 contrib/completion/git-completion.bash %{buildroot}/usr/share/ba %{_fixperms} %{buildroot}/* %check -# git expect nonroot user to run tests -chmod g+w . -R -useradd test -G root -m -sudo -u test make %{?_smp_mflags} test +make %{?_smp_mflags} test %post if [ $1 -eq 1 ];then @@ -92,6 +89,8 @@ rm -rf %{buildroot}/* %defattr(-,root,root) %changelog +* Mon Oct 19 2020 Andrew Phelps 2.23.3-3 +- Fix check test * Mon Oct 12 2020 Joe Schmitt 2.23.3-2 - Use new perl package names. - Provide git-core. diff --git a/SPECS/gnutls/CVE-2020-24659.patch b/SPECS/gnutls/CVE-2020-24659.patch new file mode 100644 index 00000000000..1fc56035b07 --- /dev/null +++ b/SPECS/gnutls/CVE-2020-24659.patch 
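Review bot: `%check` now runs `make %{?_smp_mflags} test` as the build user, dropping the `useradd test` / `sudo -u test` wrapper together with the comment `# git expect nonroot user to run tests`, and the changelog entry `- Fix check test` does not say why the unprivileged run was abandoned. If rpmbuild runs as root here (the removed `sudo -u` suggests it does), git's test suite skips the cases guarded by its SANITY prerequisite, the ones that rely on permission bits being enforced, so the suite passes with less coverage rather than with the previously failing cases fixed. Recording that trade-off in the changelog, and keeping a one-line comment above the make call such as `# Tests run as the build user; permission-dependent tests are skipped when that user is root`, preserves the knowledge the removed comment carried.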
@@ -0,0 +1,97 @@ +diff --git a/fuzz/gnutls_client_fuzzer.in/00ea40761ce11e769f1817a04b3d3f7dcc0ab4571cf0df3b67ab7e1005e9e7a8 b/fuzz/gnutls_client_fuzzer.in/00ea40761ce11e769f1817a04b3d3f7dcc0ab4571cf0df3b67ab7e1005e9e7a8 +new file mode 100644 +index 0000000000000000000000000000000000000000..73a2d97ba20483dc4f8c7766a043cb737e27c942 +Binary files /dev/null and b/fuzz/gnutls_client_fuzzer.in/00ea40761ce11e769f1817a04b3d3f7dcc0ab4571cf0df3b67ab7e1005e9e7a8 differ +diff --git a/fuzz/gnutls_psk_client_fuzzer.in/b16434290b77e13d7a983d1da801fb3c6d1f7f846f227721e221adea08aa319c b/fuzz/gnutls_psk_client_fuzzer.in/b16434290b77e13d7a983d1da801fb3c6d1f7f846f227721e221adea08aa319c +new file mode 100644 +index 0000000000000000000000000000000000000000..7ebb883f4d4c3401f32834f3bcc725d2404996f5 +Binary files /dev/null and b/fuzz/gnutls_psk_client_fuzzer.in/b16434290b77e13d7a983d1da801fb3c6d1f7f846f227721e221adea08aa319c differ +diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h +index bb6c19713851e1f59f98237b587deb86429ad0e0..31cec5c0cddbe2562d726368bebc5bba224f534c 100644 +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -1370,6 +1370,7 @@ typedef struct { + #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */ + #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */ + #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */ ++#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */ + + /* The hsk_flags are for use within the ongoing handshake; + * they are reset to zero prior to handshake start by gnutls_handshake. 
*/ +diff --git a/lib/handshake.c b/lib/handshake.c +index b40f84b3d972057be1c2dccdbc2f4fc4ab2948a8..ce2d160e2077c6d971de58e63ec86b9b035af853 100644 +--- a/lib/handshake.c ++++ b/lib/handshake.c +@@ -2061,6 +2061,8 @@ read_server_hello(gnutls_session_t session, + if (ret < 0) + return gnutls_assert_val(ret); + ++ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED; ++ + return 0; + } + +@@ -2585,16 +2587,42 @@ int gnutls_rehandshake(gnutls_session_t session) + return 0; + } + ++/* This function checks whether the error code should be treated fatal ++ * or not, and also does the necessary state transition. In ++ * particular, in the case of a rehandshake abort it resets the ++ * handshake's internal state. ++ */ + inline static int + _gnutls_abort_handshake(gnutls_session_t session, int ret) + { +- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) && +- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION)) +- || ret == GNUTLS_E_GOT_APPLICATION_DATA) +- return 0; ++ switch (ret) { ++ case GNUTLS_E_WARNING_ALERT_RECEIVED: ++ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) { ++ /* The server always toleretes a "no_renegotiation" alert. 
*/ ++ if (session->security_parameters.entity == GNUTLS_SERVER) { ++ STATE = STATE0; ++ return ret; ++ } ++ ++ /* The client should tolerete a "no_renegotiation" alert only if: ++ * - the initial handshake has completed, or ++ * - a Server Hello is not yet received ++ */ ++ if (session->internals.initial_negotiation_completed || ++ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) { ++ STATE = STATE0; ++ return ret; ++ } + +- /* this doesn't matter */ +- return GNUTLS_E_INTERNAL_ERROR; ++ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); ++ } ++ return ret; ++ case GNUTLS_E_GOT_APPLICATION_DATA: ++ STATE = STATE0; ++ return ret; ++ default: ++ return ret; ++ } + } + + +@@ -2756,13 +2784,7 @@ int gnutls_handshake(gnutls_session_t session) + } + + if (ret < 0) { +- /* In the case of a rehandshake abort +- * we should reset the handshake's internal state. +- */ +- if (_gnutls_abort_handshake(session, ret) == 0) +- STATE = STATE0; +- +- return ret; ++ return _gnutls_abort_handshake(session, ret); + } + + /* clear handshake buffer */ diff --git a/SPECS/gnutls/gnutls.spec b/SPECS/gnutls/gnutls.spec index 419793c211d..25b90338815 100644 --- a/SPECS/gnutls/gnutls.spec +++ b/SPECS/gnutls/gnutls.spec @@ -1,7 +1,7 @@ Summary: The GnuTLS Transport Layer Security Library Name: gnutls Version: 3.6.14 -Release: 1%{?dist} +Release: 3%{?dist} License: GPLv3+ and LGPLv2+ URL: https://www.gnutls.org Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz 
@@ -22,6 +22,8 @@ Requires: gmp Requires: guile Requires: gc +Patch0: CVE-2020-24659.patch + %description GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. It is aimed to be portable and efficient with focus on security and interoperability. @@ -36,7 +38,8 @@ The package contains libraries and header files for developing applications that use gnutls. %prep -%setup -q +%autosetup -p1 + %build %configure \ @@ -44,7 +47,7 @@ developing applications that use gnutls. --disable-openssl-compatibility \ --with-included-unistring \ --with-system-priority-file=%{_sysconfdir}/gnutls/default-priorities \ - --with-default-trust-store-file=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-default-trust-store-file=%{_sysconfdir}/pki/tls/certs/ca-bundle.trust.crt \ --with-default-trust-store-dir=%{_sysconfdir}/ssl/certs make %{?_smp_mflags} @@ -88,6 +91,11 @@ make %{?_smp_mflags} check %{_mandir}/man3/* %changelog +* Wed Oct 21 2020 Henry Beberman 3.6.14-3 +- Apply patch for CVE-2020-24659 from upstream. +- Switch setup to autosetup. +* Wed Oct 07 2020 Pawel Winogrodzki 3.6.14-2 +- Updating certificate bundle path to include full set of trust information. * Fri Aug 21 2020 Andrew Phelps 3.6.14-1 - Update to version 3.6.14 for CVE-2020-13777 * Sat May 09 2020 Nick Samson 3.6.8-3 diff --git a/SPECS/golang/golang-1.13.signatures.json b/SPECS/golang/golang-1.13.signatures.json index ab727fb728d..2033c5cc29e 100644 --- a/SPECS/golang/golang-1.13.signatures.json +++ b/SPECS/golang/golang-1.13.signatures.json 
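Review bot: `Patch0: CVE-2020-24659.patch` is applied with `%autosetup -p1`, but the patch file added in this commit still carries the two upstream fuzz-corpus entries (`Binary files /dev/null and b/fuzz/... differ`) that contain no data; GNU patch most likely skips them as garbage, while a git-based backend (`%autosetup -S git`) would probably reject the file, so trimming the patch to the `lib/gnutls_int.h` and `lib/handshake.c` hunks makes what gets applied explicit. The changelog line `- Apply patch for CVE-2020-24659 from upstream.` would be more useful with the upstream commit id it was taken from. The trust-store change, `--with-default-trust-store-file=%{_sysconfdir}/pki/tls/certs/ca-bundle.trust.crt`, points GnuTLS at the bundle written in OpenSSL's trusted-certificate PEM form; before shipping it is worth confirming with a plain `gnutls-cli` connection that GnuTLS still loads certificates from that file, since if it does not parse those blocks the default store becomes empty and every verification fails.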
@@ -1,6 +1,6 @@ { "Signatures": { - "go1.13.11.src.tar.gz": "89ed1abce25ad003521c125d6583c93c1280de200ad221f961085200a6c00679", + "go1.13.15.src.tar.gz": "5fb43171046cf8784325e67913d55f88a683435071eef8e9da1aa8a1588fcf5d", "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" } } \ No newline at end of file diff --git a/SPECS/golang/golang-1.13.spec b/SPECS/golang/golang-1.13.spec index cb0170e7d61..431a5c5fd05 100644 --- a/SPECS/golang/golang-1.13.spec +++ b/SPECS/golang/golang-1.13.spec @@ -14,7 +14,7 @@ Summary: Go Name: golang -Version: 1.13.11 +Version: 1.13.15 Release: 1%{?dist} License: BSD URL: https://golang.org @@ -124,9 +124,11 @@ rm -rf %{buildroot}/* %{_bindir}/* %changelog +* Tue Sep 08 2020 Nicolas Ontiveros 1.13.15-1 +- Updated to version 1.13.15, which fixes CVE-2020-14039 and CVE-2020-16845. * Sun May 24 2020 Mateusz Malisz 1.13.11-1 - Updated to version 1.13.11 -* Sat May 09 2020 Nick Samson - 1.12.5-7 +* Sat May 09 2020 Nick Samson 1.12.5-7 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 1.12.5-6 - Renaming go to golang diff --git a/SPECS/groff/CVE-2000-0803.nopatch b/SPECS/groff/CVE-2000-0803.nopatch new file mode 100644 index 00000000000..7f4a0896c7b --- /dev/null +++ b/SPECS/groff/CVE-2000-0803.nopatch @@ -0,0 +1 @@ +# No patch has been made available for CVE-2000-0803 \ No newline at end of file diff --git a/SPECS/groff/groff.spec b/SPECS/groff/groff.spec index bce9d7cafaa..ccfd7ed77aa 100644 --- a/SPECS/groff/groff.spec +++ b/SPECS/groff/groff.spec 
@@ -1,25 +1,27 @@ -Summary: Programs for processing and formatting text -Name: groff -Version: 1.22.3 -Release: 5%{?dist} -License: GPLv3+ -URL: http://www.gnu.org/software/groff -Group: Applications/Text +Summary: Programs for processing and formatting text +Name: groff +Version: 1.22.3 +Release: 6%{?dist} +License: GPLv3+ +URL: http://www.gnu.org/software/groff +Group: Applications/Text Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://ftp.gnu.org/gnu/groff/%{name}-%{version}.tar.gz -%define sha1 groff=61a6808ea1ef715df9fa8e9b424e1f6b9fa8c091 -Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) -Requires: perl-DBI -Requires: perl-DBIx-Simple -Requires: perl-DBD-SQLite -Requires: perl-File-HomeDir +Source0: http://ftp.gnu.org/gnu/groff/%{name}-%{version}.tar.gz +# No patch has been made available for CVE-2000-0803 +Patch0: CVE-2000-0803.nopatch -Provides: perl(oop_fh.pl) = %{version}-%{release} -Provides: perl(main_subs.pl) = %{version}-%{release} -Provides: perl(man.pl) = %{version}-%{release} -Provides: perl(subs.pl) = %{version}-%{release} -Provides: groff-base = %{version}-%{release} +Provides: perl(oop_fh.pl) = %{version}-%{release} +Provides: perl(main_subs.pl) = %{version}-%{release} +Provides: perl(man.pl) = %{version}-%{release} +Provides: perl(subs.pl) = %{version}-%{release} +Provides: groff-base = %{version}-%{release} + +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: perl-DBI +Requires: perl-DBIx-Simple +Requires: perl-DBD-SQLite +Requires: perl-File-HomeDir %description The Groff package contains programs for processing @@ -28,8 +30,8 @@ and formatting text. %setup -q %build PAGE=letter ./configure \ - --prefix=%{_prefix} \ - --with-grofferdir=%{_datadir}/%{name}/%{version}/groffer + --prefix=%{_prefix} \ + --with-grofferdir=%{_datadir}/%{name}/%{version}/groffer make %install install -vdm 755 %{_defaultdocdir}/%{name}-1.22/pdf 
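Review bot: `Patch0: CVE-2000-0803.nopatch` registers a file that is not a patch (its single line is a comment) while `%prep` still runs `%setup -q`, so it is never applied; that is presumably the intended marker convention, but nothing in the spec says so. A later maintainer switching to `%autosetup`, as gnutls.spec does in this same commit, would have rpmbuild feed the marker to patch and most likely fail the build. A comment above the tag such as `# .nopatch files are CVE tracking markers only; %prep must not apply them` makes the contract explicit; httpd.spec adds `Patch100`–`Patch102` the same way, and its `%prep` is outside the visible hunks.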
@@ -45,17 +47,20 @@ rm -rf %{buildroot}%{_infodir} %{_defaultdocdir}/%{name}-%{version}/* %{_datarootdir}/%{name}/* %{_mandir}/*/* + %changelog -* Mon Oct 12 2020 Joe Schmitt 1.22.3-5 +* Mon Oct 12 2020 Joe Schmitt 1.22.3-6 - Use new perl package names. - Provide groff-base. +* Mon Sep 28 2020 Daniel McIlvaney 1.22.3-5 +- Nopatch CVE-2000-0803.nopatch * Sat May 09 2020 Nick Samson 1.22.3-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.22.3-3 - Initial CBL-Mariner import from Photon (license: Apache2). -* Tue May 24 2016 Priyesh Padmavilasom 1.22.3-2 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 1.22.3-2 +- GA - Bump release of all rpms * Tue Feb 23 2016 Xiaolin Li 1.22.3-1 - Updated to version 1.22.3 -* Wed Nov 5 2014 Divya Thaluru 1.22.2-1 -- Initial build. First version +* Wed Nov 5 2014 Divya Thaluru 1.22.2-1 +- Initial build. First version diff --git a/SPECS/gzip/gzip.spec b/SPECS/gzip/gzip.spec index c068e38222e..610540ff608 100644 --- a/SPECS/gzip/gzip.spec +++ b/SPECS/gzip/gzip.spec @@ -51,4 +51,4 @@ make %{?_smp_mflags} check * Tue May 24 2016 Priyesh Padmavilasom 1.6-2 - GA - Bump release of all rpms * Wed Nov 5 2014 Divya Thaluru 1.6-1 -- Initial build. First version +- Initial build. First version \ No newline at end of file diff --git a/SPECS/httpd/CVE-1999-0236.nopatch b/SPECS/httpd/CVE-1999-0236.nopatch new file mode 100644 index 00000000000..6203cad9936 --- /dev/null +++ b/SPECS/httpd/CVE-1999-0236.nopatch @@ -0,0 +1 @@ +# CVE-1999-0236 must be mitigated by the user. See "Server Side Includes" on https://httpd.apache.org/docs/2.4/misc/security_tips.html \ No newline at end of file diff --git a/SPECS/httpd/CVE-1999-1412.nopatch b/SPECS/httpd/CVE-1999-1412.nopatch new file mode 100644 index 00000000000..72ff0709300 --- /dev/null +++ b/SPECS/httpd/CVE-1999-1412.nopatch @@ -0,0 +1 @@ +# CVE-1999-1412 applies only to MacOS X \ No newline at end of file 
diff --git a/SPECS/httpd/CVE-2007-0086.nopatch b/SPECS/httpd/CVE-2007-0086.nopatch new file mode 100644 index 00000000000..07fd829297b --- /dev/null +++ b/SPECS/httpd/CVE-2007-0086.nopatch @@ -0,0 +1,9 @@ +# CVE-2007-0086 has been disputed to be an actual vulnerability. Official Red Hat statement from 1st of November 2007: + + "Red Hat does not consider this issue to be a security vulnerability. The pottential attacker has to send acknowledgement + packets periodically to make server generate traffic. Exactly the same effect could be achieved by simply downloading the file. + The statement that setting the TCP window size to arbitrarily high value would permit the attacker to disconnect and stop + sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default." + +In case of CBL-Mariner the default max TCP send buffer size is set to 4 MBs as well. +The configuration is available under '/proc/sys/net/ipv4/tcp_wmem'. \ No newline at end of file diff --git a/SPECS/httpd/httpd.spec b/SPECS/httpd/httpd.spec index 16a0ff832c0..4602395e33b 100644 --- a/SPECS/httpd/httpd.spec +++ b/SPECS/httpd/httpd.spec @@ -1,7 +1,7 @@ Summary: The Apache HTTP Server Name: httpd Version: 2.4.46 -Release: 1%{?dist} +Release: 3%{?dist} License: ASL 2.0 URL: https://httpd.apache.org/ Group: Applications/System 
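Review bot: The justification rests on a runtime sysctl default rather than on anything httpd ships: the closing lines say the 4 MB cap comes from `/proc/sys/net/ipv4/tcp_wmem`, which any image or operator can raise, at which point the quoted Red Hat reasoning no longer holds. Stating that dependency explicitly, e.g. `This assessment assumes the default tcp_wmem maximum; raising it re-opens the issue`, keeps the record accurate for anyone tuning the network stack. The quoted statement carries the typo `pottential`, which is fine to keep if it is a verbatim quotation.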
@@ -11,6 +11,13 @@ Source0: https://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.b Patch0: httpd-blfs_layout-1.patch Patch1: httpd-uncomment-ServerName.patch +# CVE-1999-0236 must be mitigated by the user. See "Server Side Includes" at https://httpd.apache.org/docs/2.4/misc/security_tips.html +Patch100: CVE-1999-0236.nopatch +# CVE-1999-1412 applies only to MacOS X +Patch101: CVE-1999-1412.nopatch +# CVE-2007-0086 has been disputed to not be a vulnerability since 2007 due to default system configurations securing against it. +Patch102: CVE-2007-0086.nopatch + BuildRequires: openssl BuildRequires: openssl-devel BuildRequires: pcre-devel @@ -185,17 +192,18 @@ fi %{_bindir}/dbmmanage %changelog -* Tue Aug 18 2020 Pawel Winogrodzki 2.4.46-1 -- Updated to 2.4.46 to resolve CVE-2020-11984. - -* Tue May 19 2020 Ruying Chen 2.4.43-1 -- Updated to 2.4.43 to resolve the following CVEs -- CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 -- CVE-2019-10098, CVE-2020-1927, CVE-2020-1934 - -* Sat May 09 00:20:57 PST 2020 Nick Samson - 2.4.39-4 -- Added %%license line automatically - +* Tue Oct 06 2020 Pawel Winogrodzki 2.4.46-3 +- Mark CVE-2007-0086 as nopatch +* Mon Sep 28 2020 Daniel McIlvaney 2.4.46-2 +- Mark CVE-1999-0236 CVE-1999-1412 as nopatch +* Tue Aug 18 2020 Pawel Winogrodzki 2.4.46-1 +- Updated to 2.4.46 to resolve CVE-2020-11984. +* Tue May 19 2020 Ruying Chen 2.4.43-1 +- Updated to 2.4.43 to resolve the following CVEs +- CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 +- CVE-2019-10098, CVE-2020-1927, CVE-2020-1934 +* Sat May 09 2020 Nick Samson 2.4.39-4 +- Added %%license line automatically * Tue Apr 07 2020 Pawel Winogrodzki 2.4.39-3 - Updated and verified 'Source0', 'Patch0' and 'URL' tags. - License verified. diff --git a/SPECS/initramfs/initramfs.spec b/SPECS/initramfs/initramfs.spec index 3a57a816eb8..ef2bad36be6 100644 --- a/SPECS/initramfs/initramfs.spec +++ b/SPECS/initramfs/initramfs.spec 
@@ -1,7 +1,7 @@ Summary: initramfs Name: initramfs Version: 2.0 -Release: 5%{?dist} +Release: 6%{?dist} Source0: fscks.conf License: Apache License Group: System Environment/Base @@ -66,6 +66,22 @@ mkdir -p %{_localstatedir}/lib/rpm-state/initramfs \ touch %{_localstatedir}/lib/rpm-state/initramfs/regenerate \ echo "initramfs (re)generation" %* >&2 +# kdump currently uses the host system's initrd when enrolling a crash kernel +# and initrd. There is a limitation where the kdump initrd must be generated +# with dracut in "host-only" mode. +# +# The -k option forces "host-only" initrd build for the specified kernel version. +# The -q option suppresses verbose output +# +# If mkinitrd is called without and parameters, it will +# default to invoking dracut in "host-mode" mode on every kernel version it can +# find in /boot. +# +# If mkinitrd is called with and parameters, it will +# default to invoking dracut in "generic host" mode to create an initrd. +# +# So in order to be compatible with kdump, we need to make sure to add the -k +# option when invoking mkinitrd with an explicit and %define file_trigger_action() \ cat > /dev/null \ if [ -f %{_localstatedir}/lib/rpm-state/initramfs/regenerate ]; then \ @@ -74,7 +90,7 @@ if [ -f %{_localstatedir}/lib/rpm-state/initramfs/regenerate ]; then \ elif [ -d %{_localstatedir}/lib/rpm-state/initramfs/pending ]; then \ for k in `ls %{_localstatedir}/lib/rpm-state/initramfs/pending/`; do \ echo "(re)generate initramfs for $k," %* >&2 \ - mkinitrd -q /boot/initrd.img-$k $k \ + mkinitrd -q /boot/initrd.img-$k $k -k \ done; \ fi \ %removal_action @@ -111,6 +127,8 @@ echo "initramfs" %{version}-%{release} "postun" >&2 %dir %{_localstatedir}/lib/initramfs/kernel %changelog +* Thu Oct 01 2020 Chris Co 2.0-6 +- Update file-triggered initrd generation to workaround kdump initrd limitations * Tue Sep 03 2019 Mateusz Malisz 2.0-5 - Initial CBL-Mariner import from Photon (license: Apache2). * Mon Aug 27 2018 Dheeraj Shetty 2.0-4 
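Review bot: The `-k` flag is appended after the positional arguments, `mkinitrd -q /boot/initrd.img-$k $k -k`; whether it is honoured there depends on how mkinitrd parses its command line (a getopts-style parser stops at the first non-option), so either confirm the kdump-compatible build actually happens or move the flag before the image path, `mkinitrd -q -k /boot/initrd.img-$k $k`. The explanatory comment also reads `If mkinitrd is called without and parameters` and `with an explicit and`: the placeholders between "without"/"with" and "and" appear to be missing (possibly angle-bracketed names lost in rendering); if they are absent in the file too, the sentences should name the image path and kernel version. The `%define file_trigger_action` body spans this hunk and the next.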
diff --git a/SPECS/ivykis/ivykis.signatures.json b/SPECS/ivykis/ivykis.signatures.json new file mode 100644 index 00000000000..717a1c772a1 --- /dev/null +++ b/SPECS/ivykis/ivykis.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "ivykis-0.42.4.tar.gz" : "1ce0341648daedd6d5408e8512bf3999d9aa4f1c1d1432f5eeb37436c9dbecdd" + } +} diff --git a/SPECS/ivykis/ivykis.spec b/SPECS/ivykis/ivykis.spec new file mode 100644 index 00000000000..0f3509a14e3 --- /dev/null +++ b/SPECS/ivykis/ivykis.spec @@ -0,0 +1,48 @@ +Name: ivykis +Summary: Library for asynchronous I/O readiness notification +Version: 0.42.4 +Release: 2%{?dist} +License: LGPLv2+ +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/buytenh/ivykis +#Source0: %{url}/archive/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz + +%description +Ivykis is a library for asynchronous I/O readiness notification. + +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version} + +%description devel +Development files for %{name} + +%prep +%setup -q + +%build +%configure +make %{?_smp_mflags} + +%install +make DESTDIR=%{buildroot} install + +%files +%license COPYING +%{_libdir}/*.so.* +%{_mandir}/man3/*.3.gz + +%files devel +%{_libdir}/{*.a,*.la,*.so} +%{_libdir}/pkgconfig/%{name}.pc +%{_includedir}/* + +%changelog +* Mon Oct 19 2020 Pawel Winogrodzki 0.42.4-2 +- License verified. +- Added source URL. +- Added 'URL', 'Vendor', and 'Distribution' tags. +* Mon Apr 13 2020 Jonathan Chiu 0.42.4-1 +- Original version for CBL-Mariner. diff --git a/SPECS/jsonbuilder/jsonbuilder.signatures.json b/SPECS/jsonbuilder/jsonbuilder.signatures.json new file mode 100644 index 00000000000..db9d196090b --- /dev/null +++ b/SPECS/jsonbuilder/jsonbuilder.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "jsonbuilder-0.2.1.tar.gz": "185010e7e4de00040d0245cd03d3a638698eabadd3b0e4f0591ad9f0f41d5158" + } +} \ No newline at end of file 
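Review bot: `%files devel` packages `%{_libdir}/{*.a,*.la,*.so}`, which ships the libtool `.la` archive and the static library alongside the shared one; `.la` files embed build-tree paths and are conventionally deleted after install (`find %{buildroot} -name '*.la' -delete` in `%install`, with the glob reduced to `%{_libdir}/*.so`), and if the static archive is not needed, `%configure --disable-static` avoids building it. The brace form also relies on rpm's file-list glob supporting brace expansion; listing the entries on separate lines is unambiguous. `Requires: %{name} = %{version}` omits `-%{release}`, unlike jsonbuilder.spec in this commit.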
diff --git a/SPECS/jsonbuilder/jsonbuilder.spec b/SPECS/jsonbuilder/jsonbuilder.spec new file mode 100644 index 00000000000..14f03249481 --- /dev/null +++ b/SPECS/jsonbuilder/jsonbuilder.spec @@ -0,0 +1,68 @@ +Summary: Modern C++ library for an efficient container for building JSON objects +Name: jsonbuilder +Version: 0.2.1 +Release: 2%{?dist} +License: MIT +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment +URL: https://github.com/microsoft/jsonbuilder +#Source0: https://github.com/microsoft/%{name}/archive/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +BuildRequires: catch-devel +BuildRequires: cmake +BuildRequires: gcc +BuildRequires: util-linux-devel + +%description +JsonBuilder is a small C++ library for building a space-efficient binary representation of structured data and, +when ready, rendering it to JSON. The library offers STL-like syntax for adding and finding data as well as STL-like +iterators for efficiently tracking location. + +%package devel +Summary: Development files for jsonbuilder +Group: System Environment/Libraries +Requires: jsonbuilder = %{version}-%{release} + +%description devel +This package contains the headers and symlinks for using jsonbuilder from libraries and applications. + +%prep +%setup -q + +%build +mkdir build && cd build +%cmake .. +%make_build + +%check +make test -C build + +%install +%make_install -C build + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%license LICENSE +%doc README.md +%{_libdir}/libjsonbuilder.so.* + +%files devel +%defattr(-,root,root) +%{_libdir}/libjsonbuilder.so +%{_libdir}/cmake/jsonbuilder +%{_includedir}/jsonbuilder + +%changelog +* Wed Oct 07 2020 Thomas Crain - 0.2.1-2 +- Updated #Source0 URL +- Verified License field and %%license macro + +* Fri Aug 28 2020 Francisco Huelsz Prince - 0.2.1-1 +- Update to v0.2.1 + +* Wed Feb 12 2020 Nick Bopp - 0.2-1 +- Original version for CBL-Mariner. 
diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index 93c450b800f..a8e56f1591c 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec @@ -2,7 +2,7 @@ Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv Version: 5.4.51 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2 URL: https://github.com/microsoft/WSL2-Linux-Kernel Group: System Environment/Kernel @@ -202,7 +202,8 @@ echo "initrd of kernel %{uname_r} removed" >&2 %postun if [ ! -e /boot/mariner.cfg ] then - if [ `ls /boot/linux-*.cfg 1> /dev/null 2>&1` ] + ls /boot/linux-*.cfg 1> /dev/null 2>&1 + if [ $? -eq 0 ] then list=`ls -tu /boot/linux-*.cfg | head -n1` test -n "$list" && ln -sf "$list" /boot/mariner.cfg @@ -257,6 +258,8 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog +* Wed Sep 30 2020 Emre Girgin 5.4.51-4 +- Update postun script to deal with removal in case of another installed kernel. * Thu Sep 03 2020 Daniel McIlvaney 5.4.51-3 - Add code to check for missing config flags in the checked in configs * Tue Sep 01 2020 Chris Co 5.4.51-2 diff --git a/SPECS/kernel/CVE-2010-3865.nopatch b/SPECS/kernel/CVE-2010-3865.nopatch new file mode 100644 index 00000000000..d765b441a21 --- /dev/null +++ b/SPECS/kernel/CVE-2010-3865.nopatch @@ -0,0 +1,3 @@ +CVE-2010-3865 - Already patched in 5.4.51 stable kernel +Upstream commit - 1b1f693d7ad6d193862dcb1118540a030c5e761f +Same commit id in stable branch \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-10757.nopatch b/SPECS/kernel/CVE-2020-10757.nopatch new file mode 100644 index 00000000000..917369d177e --- /dev/null +++ b/SPECS/kernel/CVE-2020-10757.nopatch @@ -0,0 +1,3 @@ +CVE-2020-10757 - Already patched in 5.4.51 stable kernel +Upstream commit - 5bfea2d9b17f1034a68147a8b03b9789af5700f9 +Stable commit - 5a047df0b5fce377df37de75380321d1c8ca07a0 \ No newline at end of file 
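Review bot: The new `%postun` test works, but `ls /boot/linux-*.cfg 1> /dev/null 2>&1` followed by `if [ $? -eq 0 ]` is the long form of `if ls /boot/linux-*.cfg >/dev/null 2>&1; then`, which also avoids the hazard of a command slipping in between and clobbering `$?`. The selection that follows, `ls -tu /boot/linux-*.cfg | head -n1`, picks the most recently accessed config rather than the newest kernel, so on a system mounted with `noatime` the link may not land on the expected kernel; a short comment stating the intended choice would help, since the changelog says this path is meant to handle removal with another kernel installed. The surrounding `%postun` body continues outside the hunk.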
diff --git a/SPECS/kernel/CVE-2020-11668.nopatch b/SPECS/kernel/CVE-2020-11668.nopatch new file mode 100644 index 00000000000..c9f9f4769f0 --- /dev/null +++ b/SPECS/kernel/CVE-2020-11668.nopatch @@ -0,0 +1,3 @@ +CVE-2020-11668 - Already patched in 5.4.51 stable kernel +Upstream commit - a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 +Stable commit - cb595cb0a1e8e07213337f063cd39a3e80fc43a0 \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-12653.nopatch b/SPECS/kernel/CVE-2020-12653.nopatch new file mode 100644 index 00000000000..d072485c9ed --- /dev/null +++ b/SPECS/kernel/CVE-2020-12653.nopatch @@ -0,0 +1,3 @@ +CVE-2020-12653 - Already patched in 5.4.51 stable kernel +Upstream commit - b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d +Stable commit - 3c822e1f31186767d6b7261c3c066f01907ecfca \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-12654.nopatch b/SPECS/kernel/CVE-2020-12654.nopatch new file mode 100644 index 00000000000..610702f8be2 --- /dev/null +++ b/SPECS/kernel/CVE-2020-12654.nopatch @@ -0,0 +1,3 @@ +CVE-2020-12654 - Already patched in 5.4.51 stable kernel +Upstream commit - 3a9b153c5591548612c3955c9600a98150c81875 +Stable commit - c5b071e3f44d1125694ad4dcf1234fb9a78d0be6 \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-12657.nopatch b/SPECS/kernel/CVE-2020-12657.nopatch new file mode 100644 index 00000000000..96fe4f98b67 --- /dev/null +++ b/SPECS/kernel/CVE-2020-12657.nopatch @@ -0,0 +1,3 @@ +CVE-2020-12657 - Already patched in 5.4.51 stable kernel +Upstream commit - 2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9 +Stable commit - b2ae36d220eddd88f9a1264176e3104d988f72fe \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-24394.nopatch b/SPECS/kernel/CVE-2020-24394.nopatch new file mode 100644 index 00000000000..846d3e9e0b3 --- /dev/null +++ b/SPECS/kernel/CVE-2020-24394.nopatch 
@@ -0,0 +1,3 @@ +CVE-2020-24394 - Already patched in 5.4.51 stable kernel +Upstream commit - 22cf8419f1319ff87ec759d0ebdff4cbafaee832 +Stable commit - c506f985d8d151383559c0760bb1ef7466e218d4 \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-8428.nopatch b/SPECS/kernel/CVE-2020-8428.nopatch new file mode 100644 index 00000000000..164fbde8da6 --- /dev/null +++ b/SPECS/kernel/CVE-2020-8428.nopatch @@ -0,0 +1,3 @@ +CVE-2020-8428 - Already patched in 5.4.51 stable kernel +Upstream commit - d0cb50185ae942b03c4327be322055d622dc79f6 +Stable commit - 454759886d0b463213fad0f1c733469e2c501ab9 \ No newline at end of file diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 51efec84edd..fa30fe05070 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -974,6 +974,7 @@ CONFIG_UNIX_SCM=y CONFIG_UNIX_DIAG=m # CONFIG_TLS is not set CONFIG_XFRM=y +CONFIG_XFRM_OFFLOAD=y CONFIG_XFRM_ALGO=m CONFIG_XFRM_USER=m # CONFIG_XFRM_INTERFACE is not set @@ -1013,7 +1014,7 @@ CONFIG_NET_UDP_TUNNEL=m # CONFIG_NET_FOU_IP_TUNNELS is not set CONFIG_INET_AH=m CONFIG_INET_ESP=m -# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_ESP_OFFLOAD=m CONFIG_INET_IPCOMP=m CONFIG_INET_XFRM_TUNNEL=m CONFIG_INET_TUNNEL=m @@ -1045,7 +1046,7 @@ CONFIG_IPV6_ROUTE_INFO=y CONFIG_IPV6_OPTIMISTIC_DAD=y CONFIG_INET6_AH=m CONFIG_INET6_ESP=m -# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_ESP_OFFLOAD=m CONFIG_INET6_IPCOMP=m CONFIG_IPV6_MIP6=m # CONFIG_IPV6_ILA is not set @@ -1546,7 +1547,7 @@ CONFIG_NET_MPLS_GSO=m # CONFIG_MPLS_ROUTING is not set CONFIG_NET_NSH=m # CONFIG_HSR is not set -# CONFIG_NET_SWITCHDEV is not set +CONFIG_NET_SWITCHDEV=y CONFIG_NET_L3_MASTER_DEV=y # CONFIG_NET_NCSI is not set CONFIG_RPS=y @@ -2424,7 +2425,9 @@ CONFIG_IXGBE=m CONFIG_IXGBE_HWMON=y CONFIG_IXGBE_DCA=y CONFIG_IXGBE_DCB=y +CONFIG_IXGBE_IPSEC=y CONFIG_IXGBEVF=m +CONFIG_IXGBEVF_IPSEC=y CONFIG_I40E=m CONFIG_I40E_DCB=y CONFIG_IAVF=m 
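Review bot: `CONFIG_XFRM_OFFLOAD=y`, `CONFIG_INET_ESP_OFFLOAD=m`/`CONFIG_INET6_ESP_OFFLOAD=m` and the per-driver `CONFIG_IXGBE_IPSEC=y`/`CONFIG_IXGBEVF_IPSEC=y` (with the MLX5 IPsec options in the next hunk) enable IPsec offload into NIC hardware, which moves SA key material out of the kernel and into the device. That is opt-in per SA (`offload dev ... dir ...` on the xfrm state), so default behaviour is unchanged, but the rationale is not recorded anywhere in this chunk and belongs in the kernel spec changelog, which is outside it. `CONFIG_NET_SWITCHDEV=y` is presumably there for the MLXSW and Rocker drivers enabled later in the same file.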
@@ -2447,15 +2450,29 @@ CONFIG_MLX4_CORE=m CONFIG_MLX4_DEBUG=y # CONFIG_MLX4_CORE_GEN2 is not set CONFIG_MLX5_CORE=m -# CONFIG_MLX5_FPGA is not set +CONFIG_MLX5_ACCEL=y +CONFIG_MLX5_FPGA=y CONFIG_MLX5_CORE_EN=y CONFIG_MLX5_EN_ARFS=y CONFIG_MLX5_EN_RXNFC=y CONFIG_MLX5_MPFS=y +CONFIG_MLX5_ESWITCH=y CONFIG_MLX5_CORE_EN_DCB=y CONFIG_MLX5_CORE_IPOIB=y -# CONFIG_MLXSW_CORE is not set -# CONFIG_MLXFW is not set +CONFIG_MLX5_FPGA_IPSEC=y +CONFIG_MLX5_EN_IPSEC=y +CONFIG_MLX5_SW_STEERING=y +CONFIG_MLXSW_CORE=m +CONFIG_MLXSW_CORE_HWMON=y +CONFIG_MLXSW_CORE_THERMAL=y +CONFIG_MLXSW_PCI=m +CONFIG_MLXSW_I2C=m +CONFIG_MLXSW_SWITCHIB=m +CONFIG_MLXSW_SWITCHX2=m +CONFIG_MLXSW_SPECTRUM=m +CONFIG_MLXSW_SPECTRUM_DCB=y +CONFIG_MLXSW_MINIMAL=m +CONFIG_MLXFW=m # CONFIG_NET_VENDOR_MICREL is not set CONFIG_NET_VENDOR_MICROCHIP=y # CONFIG_LAN743X is not set @@ -2496,6 +2513,7 @@ CONFIG_8139TOO_8129=y CONFIG_R8169=m CONFIG_NET_VENDOR_RENESAS=y CONFIG_NET_VENDOR_ROCKER=y +CONFIG_ROCKER=m CONFIG_NET_VENDOR_SAMSUNG=y # CONFIG_SXGBE_ETH is not set # CONFIG_NET_VENDOR_SEEQ is not set @@ -2957,7 +2975,7 @@ CONFIG_IPMI_SI=m # CONFIG_IPMI_SSIF is not set CONFIG_IPMI_WATCHDOG=m CONFIG_IPMI_POWEROFF=m -CONFIG_HW_RANDOM=m +CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_TIMERIOMEM=m CONFIG_HW_RANDOM_INTEL=m CONFIG_HW_RANDOM_AMD=m @@ -2972,10 +2990,10 @@ CONFIG_HPET=y CONFIG_HPET_MMAP=y CONFIG_HPET_MMAP_DEFAULT=y CONFIG_HANGCHECK_TIMER=m -CONFIG_TCG_TPM=m +CONFIG_TCG_TPM=y CONFIG_HW_RANDOM_TPM=y -CONFIG_TCG_TIS_CORE=m -CONFIG_TCG_TIS=m +CONFIG_TCG_TIS_CORE=y +CONFIG_TCG_TIS=y CONFIG_TCG_TIS_I2C_ATMEL=m CONFIG_TCG_TIS_I2C_INFINEON=m CONFIG_TCG_TIS_I2C_NUVOTON=m @@ -2983,7 +3001,7 @@ CONFIG_TCG_NSC=m CONFIG_TCG_ATMEL=m CONFIG_TCG_INFINEON=m CONFIG_TCG_XEN=m -CONFIG_TCG_CRB=m +CONFIG_TCG_CRB=y # CONFIG_TCG_VTPM_PROXY is not set # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set 
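Review bot: `CONFIG_TCG_TPM=y`, `CONFIG_TCG_TIS_CORE=y`, `CONFIG_TCG_TIS=y` and `CONFIG_TCG_CRB=y` (modules before) match what `CONFIG_IMA=y` in a later hunk pulls in through Kconfig selects on x86; IMA extends its boot-time measurements into the TPM only if a TPM driver is present when IMA initialises, and with the driver as a module it falls back to a TPM-bypass mode in which the measurement list has no hardware anchor. That dependency, together with the `CONFIG_HW_RANDOM=y` change in the previous hunk, is worth stating in the kernel spec changelog (outside this chunk) so nobody flips these back to `=m` to shrink the image. The MLX5/MLXSW additions above are unrelated driver enablement.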
@@ -5141,7 +5159,7 @@ CONFIG_MXM_WMI=m # CONFIG_INTEL_PMC_IPC is not set # CONFIG_SURFACE_PRO3_BUTTON is not set CONFIG_INTEL_PUNIT_IPC=m -# CONFIG_MLX_PLATFORM is not set +CONFIG_MLX_PLATFORM=m # CONFIG_INTEL_TURBO_MAX_3 is not set # CONFIG_I2C_MULTI_INSTANTIATE is not set # CONFIG_INTEL_ATOMISP2_PM is not set @@ -6027,7 +6045,22 @@ CONFIG_SECURITY_SAFESETID=y CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set CONFIG_INTEGRITY_AUDIT=y -# CONFIG_IMA is not set +CONFIG_IMA=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_LSM_RULES=y +# CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_NG_TEMPLATE is not set +CONFIG_IMA_SIG_TEMPLATE=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y +# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set +CONFIG_IMA_DEFAULT_HASH="sha256" +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y +# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y # CONFIG_EVM is not set # CONFIG_DEFAULT_SECURITY_SELINUX is not set # CONFIG_DEFAULT_SECURITY_SMACK is not set @@ -6106,7 +6139,7 @@ CONFIG_CRYPTO_ENGINE=m # Public-key cryptography # CONFIG_CRYPTO_RSA=y -# CONFIG_CRYPTO_DH is not set +CONFIG_CRYPTO_DH=m CONFIG_CRYPTO_ECC=m CONFIG_CRYPTO_ECDH=m # CONFIG_CRYPTO_ECRDSA is not set @@ -6144,7 +6177,7 @@ CONFIG_CRYPTO_ESSIV=m # Hash modes # CONFIG_CRYPTO_CMAC=m -CONFIG_CRYPTO_HMAC=m +CONFIG_CRYPTO_HMAC=y # CONFIG_CRYPTO_XCBC is not set # CONFIG_CRYPTO_VMAC is not set 
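Review bot: With `# CONFIG_IMA_APPRAISE is not set` the `ima-sig` default template records the `security.ima` signature in the measurement list but nothing verifies it, and nothing in this hunk supplies a policy, so no file is measured until `ima_policy=` is passed on the kernel command line or a policy is written to securityfs — the "measurement only" changelog entry should say where that policy comes from. `CONFIG_IMA_WRITE_POLICY=y` additionally lets root keep appending rules after the first load (rules can be added, never removed), which is fine for measurement but should be a deliberate choice and worth a line in the changelog. PCR 10 extends also depend on a TPM driver being bound before IMA initialises; in 5.4 IMA looks the chip up once and otherwise runs in TPM-bypass mode, which presumably is why the TCG drivers become built-in elsewhere in this config, and the 5.4.51-6 entry would be clearer if it said so. The aarch64 config gains an explicit `# CONFIG_IMA_KEXEC is not set` line that this x86 hunk lacks; if the option is available on x86 it should be pinned here too so the config-check script added in 5.4.51-5 does not flag it.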
@@ -6253,12 +6286,13 @@ CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_ATMEL_ECC is not set # CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set # CONFIG_CRYPTO_DEV_CCP is not set -# CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set -# CONFIG_CRYPTO_DEV_QAT_C3XXX is not set -# CONFIG_CRYPTO_DEV_QAT_C62X is not set -# CONFIG_CRYPTO_DEV_QAT_DH895xCCVF is not set -# CONFIG_CRYPTO_DEV_QAT_C3XXXVF is not set -# CONFIG_CRYPTO_DEV_QAT_C62XVF is not set +CONFIG_CRYPTO_DEV_QAT=m +CONFIG_CRYPTO_DEV_QAT_DH895xCC=m +CONFIG_CRYPTO_DEV_QAT_C3XXX=m +CONFIG_CRYPTO_DEV_QAT_C62X=m +CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m +CONFIG_CRYPTO_DEV_QAT_C3XXXVF=m +CONFIG_CRYPTO_DEV_QAT_C62XVF=m # CONFIG_CRYPTO_DEV_NITROX_CNN55XX is not set # CONFIG_CRYPTO_DEV_CHELSIO is not set CONFIG_CRYPTO_DEV_VIRTIO=m @@ -6393,6 +6427,8 @@ CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y CONFIG_ARCH_HAS_UACCESS_MCSAFE=y CONFIG_ARCH_STACKWALK=y CONFIG_SBITMAP=y +CONFIG_PARMAN=m +CONFIG_OBJAGG=m # CONFIG_STRING_SELFTEST is not set # end of Library routines @@ -6613,6 +6649,7 @@ CONFIG_RUNTIME_TESTING_MENU=y # CONFIG_TEST_RHASHTABLE is not set # CONFIG_TEST_HASH is not set # CONFIG_TEST_IDA is not set +# CONFIG_TEST_PARMAN is not set # CONFIG_TEST_LKM is not set # CONFIG_TEST_VMALLOC is not set # CONFIG_TEST_USER_COPY is not set @@ -6625,6 +6662,7 @@ CONFIG_RUNTIME_TESTING_MENU=y # CONFIG_TEST_STATIC_KEYS is not set # CONFIG_TEST_KMOD is not set # CONFIG_TEST_MEMCAT_P is not set +# CONFIG_TEST_OBJAGG is not set # CONFIG_TEST_STACKINIT is not set # CONFIG_TEST_MEMINIT is not set CONFIG_MEMTEST=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index eefbd298a30..078b4dbebc3 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -2879,7 +2879,7 @@ CONFIG_IPMI_SI=m CONFIG_IPMI_WATCHDOG=m CONFIG_IPMI_POWEROFF=m # CONFIG_IPMB_DEVICE_INTERFACE is not set -CONFIG_HW_RANDOM=m +CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_TIMERIOMEM=m CONFIG_HW_RANDOM_BCM2835=m CONFIG_HW_RANDOM_IPROC_RNG200=m 
@@ -2894,10 +2894,10 @@ CONFIG_HW_RANDOM_CAVIUM=m # CONFIG_APPLICOM is not set CONFIG_RAW_DRIVER=m CONFIG_MAX_RAW_DEVS=8192 -CONFIG_TCG_TPM=m +CONFIG_TCG_TPM=y CONFIG_HW_RANDOM_TPM=y -CONFIG_TCG_TIS_CORE=m -CONFIG_TCG_TIS=m +CONFIG_TCG_TIS_CORE=y +CONFIG_TCG_TIS=y CONFIG_TCG_TIS_SPI=m CONFIG_TCG_TIS_I2C_ATMEL=m CONFIG_TCG_TIS_I2C_INFINEON=m @@ -2905,7 +2905,7 @@ CONFIG_TCG_TIS_I2C_NUVOTON=m CONFIG_TCG_ATMEL=m CONFIG_TCG_INFINEON=m CONFIG_TCG_XEN=m -# CONFIG_TCG_CRB is not set +CONFIG_TCG_CRB=y # CONFIG_TCG_VTPM_PROXY is not set # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set @@ -6290,7 +6290,23 @@ CONFIG_SECURITY_SAFESETID=y CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set CONFIG_INTEGRITY_AUDIT=y -# CONFIG_IMA is not set +CONFIG_IMA=y +# CONFIG_IMA_KEXEC is not set +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_LSM_RULES=y +# CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_NG_TEMPLATE is not set +CONFIG_IMA_SIG_TEMPLATE=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y +# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set +CONFIG_IMA_DEFAULT_HASH="sha256" +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y +# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y # CONFIG_EVM is not set # CONFIG_DEFAULT_SECURITY_SELINUX is not set # CONFIG_DEFAULT_SECURITY_SMACK is not set @@ -6399,7 +6415,7 @@ CONFIG_CRYPTO_ESSIV=m # Hash modes # CONFIG_CRYPTO_CMAC=m -CONFIG_CRYPTO_HMAC=m +CONFIG_CRYPTO_HMAC=y # CONFIG_CRYPTO_XCBC is not set # CONFIG_CRYPTO_VMAC is not set @@ -6420,8 +6436,8 @@ CONFIG_CRYPTO_MD5=y # CONFIG_CRYPTO_RMD256 is not set # CONFIG_CRYPTO_RMD320 is not set CONFIG_CRYPTO_SHA1=y -CONFIG_CRYPTO_LIB_SHA256=m -CONFIG_CRYPTO_SHA256=m +CONFIG_CRYPTO_LIB_SHA256=y +CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y # CONFIG_CRYPTO_SHA3 is not set # CONFIG_CRYPTO_SM3 is not set 
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 27d2b2b9ee1..7de9927d3b6 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { - "config": "cb99faaac82f05b84539e4b99633b5a444de5b2db01ed37946afa0360d1f94f0", - "config_aarch64": "98bcf0f9c9fa02e11ad255ae352461b8ef7d53daf02c707a8a9b53f9bfb32db3", + "config": "b8c9e2a875e4e6655fdbeb626088529fd1cef401b8f67a481fc301d2a3a026c5", + "config_aarch64": "3057cf5c5f04b57c4d69f9783d4809de217fb46a4278694c19f6c3ffd81249c5", "linux-msft-5.4.51.tar.gz": "3bcd6b09e952fac4f708614658b508ce80c8e25c04780b6b44a481b1479a08e7" } } \ No newline at end of file diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 73988d2cea1..c98e151795d 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -2,7 +2,7 @@ Summary: Linux Kernel Name: kernel Version: 5.4.51 -Release: 6%{?dist} +Release: 12%{?dist} License: GPLv2 URL: https://github.com/microsoft/WSL2-Linux-Kernel Group: System Environment/Kernel @@ -35,6 +35,14 @@ Patch1011: CVE-2020-8648.nopatch Patch1012: CVE-2020-8649.nopatch Patch1013: CVE-2020-9383.nopatch Patch1014: CVE-2020-11725.nopatch +Patch1015: CVE-2020-10757.nopatch +Patch1016: CVE-2020-12653.nopatch +Patch1017: CVE-2020-12657.nopatch +Patch1018: CVE-2010-3865.nopatch +Patch1019: CVE-2020-11668.nopatch +Patch1020: CVE-2020-12654.nopatch +Patch1021: CVE-2020-24394.nopatch +Patch1022: CVE-2020-8428.nopatch BuildRequires: bc BuildRequires: diffutils @@ -264,7 +272,8 @@ echo "initrd of kernel %{uname_r} removed" >&2 %postun if [ ! -e /boot/mariner.cfg ] then - if [ `ls /boot/linux-*.cfg 1> /dev/null 2>&1` ] + ls /boot/linux-*.cfg 1> /dev/null 2>&1 + if [ $? -eq 0 ] then list=`ls -tu /boot/linux-*.cfg | head -n1` test -n "$list" && ln -sf "$list" /boot/mariner.cfg 
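Review bot: The two-step `ls` followed by `if [ $? -eq 0 ]` in `%postun` works, but the idiomatic single form `if ls /boot/linux-*.cfg >/dev/null 2>&1; then` expresses the same test without the separate status check and is harder to break by inserting a command between the two lines (the old form always tested an empty command substitution because stdout was redirected, so the new code does fix a real bug). The `list=\`ls -tu /boot/linux-*.cfg | head -n1\`` selection that follows picks the surviving kernel by access time, which is not meaningful on `noatime`/`relatime` mounts, so which kernel becomes `mariner.cfg` is effectively arbitrary; `ls -v` (version sort) or an explicit newest-version pick would be deterministic. The `%postun` scriptlet continues past this hunk.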
@@ -337,8 +346,21 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog -* Thu Sep 24 2020 Emre Girgin 5.4.51-6 +* Fri Oct 16 2020 Suresh Babu Chalamalasetty 5.4.51-12 +- Enable QAT kernel configs +* Fri Oct 02 2020 Chris Co 5.4.51-11 +- Address CVE-2020-10757, CVE-2020-12653, CVE-2020-12657, CVE-2010-3865, +- CVE-2020-11668, CVE-2020-12654, CVE-2020-24394, CVE-2020-8428 +* Fri Oct 02 2020 Chris Co 5.4.51-10 +- Fix aarch64 build error +* Wed Sep 30 2020 Emre Girgin 5.4.51-9 +- Update postun script to deal with removal in case of another installed kernel. +* Fri Sep 25 2020 Suresh Babu Chalamalasetty 5.4.51-8 +- Enable Mellanox kernel configs +* Thu Sep 24 2020 Emre Girgin 5.4.51-7 - Replace the misuse of the 'archdir' and `arch` shell variables. +* Wed Sep 23 2020 Daniel McIlvaney 5.4.51-6 +- Enable CONFIG_IMA (measurement only) and associated configs * Thu Sep 03 2020 Daniel McIlvaney 5.4.51-5 - Add code to check for missing config flags in the checked in configs * Thu Sep 03 2020 Chris Co 5.4.51-4 diff --git a/SPECS/krb5/krb5.spec b/SPECS/krb5/krb5.spec index c52dd316e07..6eccdde74e1 100644 --- a/SPECS/krb5/krb5.spec +++ b/SPECS/krb5/krb5.spec @@ -12,6 +12,7 @@ Requires: openssl Requires: e2fsprogs-libs BuildRequires: openssl-devel BuildRequires: e2fsprogs-devel + Provides: pkgconfig(mit-krb5) Provides: pkgconfig(mit-krb5-gssapi) %description diff --git a/SPECS/libcap-ng/libcap-ng.spec b/SPECS/libcap-ng/libcap-ng.spec index 53773f77f20..936a65a0e97 100644 --- a/SPECS/libcap-ng/libcap-ng.spec +++ b/SPECS/libcap-ng/libcap-ng.spec @@ -4,7 +4,7 @@ Summary: POSIX capability Library Name: libcap-ng Version: 0.7.9 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2+ Group: System Environment/Libraries URL: http://people.redhat.com/sgrubb/libcap-ng 
@@ -61,8 +61,7 @@ make DESTDIR=%{buildroot} install find %{buildroot} -name '*.la' -delete %check -chown -Rv nobody . -sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check" +make check %post -p /sbin/ldconfig %postun -p /sbin/ldconfig @@ -90,6 +89,8 @@ sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check" %{_libdir}/*.a %changelog +* Mon Oct 19 2020 Andrew Phelps 0.7.9-3 +- Fix check test * Sat May 09 2020 Nick Samson 0.7.9-2 - Initial CBL-Mariner import from Photon (license: Apache2). - Added %%license line automatically diff --git a/SPECS/libestr/libestr.spec b/SPECS/libestr/libestr.spec index a7c4e8406e4..e0dcc6a8a1d 100644 --- a/SPECS/libestr/libestr.spec +++ b/SPECS/libestr/libestr.spec @@ -1,21 +1,22 @@ -Summary: String handling essentials library -Name: libestr -Version: 0.1.10 -Release: 4%{?dist} -License: LGPLv2+ -URL: http://libestr.adiscon.com/ -Source0: http://libestr.adiscon.com/files/download/%{name}-%{version}.tar.gz -%define sha1 libestr=35cc717f5ae737a28140dd1472e13ce2ec317c6c -Group: System Environment/Base +Summary: String handling essentials library +Name: libestr +Version: 0.1.10 +Release: 5%{?dist} +License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Base +URL: https://libestr.adiscon.com/ +Source0: http://%{name}.adiscon.com/files/download/%{name}-%{version}.tar.gz +BuildRequires: gcc + %description This package compiles the string handling essentials library used by the Rsyslog daemon. %package devel -Summary: Development libraries for string handling -Requires: libestr +Summary: Development libraries for string handling +Requires: libestr %description devel The package contains libraries and header files for 
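Review bot: Removing `chown -Rv nobody .` and the `sudo -u nobody` wrapper means `make check` now runs as the build user (typically root in the build chroot), and libcap-ng's test suite exercises capability state, so the unprivileged run the inherited spec set up was probably deliberate rather than incidental — confirm the suite still exercises the intended paths as root and record why in the changelog rather than the bare `- Fix check test`. Dropping `-k` is a welcome tightening, since a failing test now fails the build instead of being reported and ignored. If root really is acceptable, a comment such as `# Runs as the build user: sudo/nobody are unavailable in the build chroot` above `make check` will stop the next reader from reinstating the old form.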
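Review bot: `Source0` still fetches over plain `http://` on the line directly after `URL` was switched to `https://`, and the same hunk removes the `%define sha1` line that was the only checksum in the spec, so the tarball is pinned only if `libestr.signatures.json` already exists (it is not added in this diff). Confirm that file is present, and change the line to `Source0: https://%{name}.adiscon.com/files/download/%{name}-%{version}.tar.gz`, which is exactly what the libffi change in this same series does and for the same reason. The `Remove %%sha1 line` changelog entry would then read as a clean hand-off from the Photon checksum to the Mariner one.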
@@ -23,33 +24,45 @@ developing applications that use libestr. %prep %setup -q + %build -./configure \ - --prefix=%{_prefix} +%configure make %{?_smp_mflags} + %install make DESTDIR=%{buildroot} install +find %{buildroot} -type f -name "*.la" -delete -print + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig %files %defattr(-,root,root) %license COPYING %{_libdir}/*.so.* %{_libdir}/*.a -%{_libdir}/*.la + %files devel %defattr(-,root,root) %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc + %changelog -* Sat May 09 00:21:00 PST 2020 Nick Samson - 0.1.10-4 +* Mon Oct 12 2020 Thomas Crain - 0.1.10-5 +- Remove %%sha1 line +- Lint to Mariner style +- Remove *.la files +- License verified. + +* Sat May 09 2020 Nick Samson - 0.1.10-4 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 0.1.10-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue May 24 2016 Priyesh Padmavilasom 0.1.10-2 -- GA - Bump release of all rpms -* Wed Jun 17 2015 Divya Thaluru 0.1.10-1 -- Initial build. First version +* Tue Sep 03 2019 Mateusz Malisz - 0.1.10-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue May 24 2016 Priyesh Padmavilasom - 0.1.10-2 +- GA - Bump release of all rpms + +* Wed Jun 17 2015 Divya Thaluru - 0.1.10-1 +- Initial build. First version diff --git a/SPECS/libffi/libffi.spec b/SPECS/libffi/libffi.spec index ee8cf94b7fa..4de226afd8c 100644 --- a/SPECS/libffi/libffi.spec +++ b/SPECS/libffi/libffi.spec 
@@ -1,13 +1,13 @@ Summary: A portable, high level programming interface to various calling conventions Name: libffi Version: 3.2.1 -Release: 10%{?dist} +Release: 12%{?dist} License: BSD URL: http://sourceware.org/libffi/ Group: System Environment/GeneralLibraries Vendor: Microsoft Corporation Distribution: Mariner -Source0: ftp://sourceware.org/pub/libffi/%{name}-%{version}.tar.gz +Source0: https://gcc.gnu.org/pub/libffi/%{name}-%{version}.tar.gz Provides: pkgconfig(libffi) #%if %{with_check} #BuildRequires: dejagnu @@ -29,17 +29,18 @@ It contains the libraries and header files to create applications %build sed -e '/^includesdir/ s:$(libdir)/@PACKAGE_NAME@-@PACKAGE_VERSION@/include:$(includedir):' \ - -i include/Makefile.in && + -i include/Makefile.in +# Fix .so files getting placed in $(libdir)/../lib64/ +sed -e 's:$(DESTDIR)$(toolexeclibdir):$(DESTDIR)$(libdir):g' \ + -i Makefile.in + sed -e '/^includedir/ s:${libdir}/@PACKAGE_NAME@-@PACKAGE_VERSION@/include:@includedir@:' \ -e 's/^Cflags: -I${includedir}/Cflags:/' \ - -i libffi.pc.in && -./configure \ - CFLAGS="%{optflags}" \ - CXXFLAGS="%{optflags}" \ - --prefix=%{_prefix} \ - --bindir=%{_bindir} \ - --libdir=%{_libdir} \ - --disable-static + -i libffi.pc.in + +%configure \ + --disable-static + make %{?_smp_mflags} %install [ %{buildroot} != "/"] && rm -rf %{buildroot}/* @@ -76,6 +77,11 @@ rm -rf %{buildroot}/* %{_mandir}/man3/* %changelog +* Thu Oct 15 2020 Andrew Phelps 3.2.1-12 +- Update Source0 to use more reliable https URL instead of ftp +* Fri Sep 18 2020 Mateusz Malisz 3.2.1-11 +- Fix normal libffi build by replacing destination for .so files from $(toolexeclibdir) to $(libdir) +- Replace ./configure and manual options with %%configure macro * Tue Jul 07 2020 Henry Beberman 3.2.1-10 - Comment out dejagnu dependency and check to prevent a rebuild. * Wed May 13 2020 Nick Samson 3.2.1-9 
diff --git a/SPECS/liblogging/liblogging.signatures.json b/SPECS/liblogging/liblogging.signatures.json
new file mode 100644
index 00000000000..2bd7205f457
--- /dev/null
+++ b/SPECS/liblogging/liblogging.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "liblogging-1.0.6.tar.gz": "338c6174e5c8652eaa34f956be3451f7491a4416ab489aef63151f802b00bf93"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/liblogging/liblogging.spec b/SPECS/liblogging/liblogging.spec
new file mode 100644
index 00000000000..50969d8b15a
--- /dev/null
+++ b/SPECS/liblogging/liblogging.spec
@@ -0,0 +1,78 @@ +Summary: Logging Libraries +Name: liblogging +Version: 1.0.6 +Release: 3%{?dist} +License: BSD +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment/Libraries +URL: http://www.liblogging.org/ +Source0: https://download.rsyslog.com/%{name}/%{name}-%{version}.tar.gz +BuildRequires: gcc + +%description +liblogging (the upstream project) is a collection of several components. +Namely: stdlog, journalemu, rfc3195. +The stdlog component of liblogging can be viewed as an enhanced version of the +syslog(3) API. It retains the easy semantics, but makes the API more +sophisticated "behind the scenes" with better support for multiple threads +and flexibility for different log destinations (e.g. syslog and systemd +journal). + +%package devel +Summary: Development libraries and header files for liblogging +Requires: liblogging + +%description devel +The package contains libraries and header files for +developing applications that use liblogging. + +%prep +%setup -q + +%build +%configure --disable-journal +make %{?_smp_mflags} + +%install +make DESTDIR=%{buildroot} install +find %{buildroot} -type f -name "*.la" -delete -print + +%check +make %{?_smp_mflags} check + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%license COPYING +%{_bindir}/* +%{_libdir}/*.so.* +%{_mandir}/man1/* +%{_mandir}/man3/* +%{_libdir}/*.a + +%files devel +%defattr(-,root,root) +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_includedir}/liblogging/*.h + +%changelog +* Mon Oct 12 2020 Thomas Crain - 1.0.6-3 +- Remove .la files +- Lint to Mariner style +- License verified, %%license added + +* Tue Sep 03 2019 Mateusz Malisz - 1.0.6-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue Apr 11 2017 Harish Udaiya Kumar - 1.0.6-1 +- Updated to version 1.0.6 + +* Tue May 24 2016 Priyesh Padmavilasom - 1.0.5-2 +- GA - Bump release of all rpms + +* Wed Jun 17 2015 Divya Thaluru - 1.0.5-1 +- Initial build. 
First version
diff --git a/SPECS/libxml++/libxml++.signatures.json b/SPECS/libxml++/libxml++.signatures.json
new file mode 100644
index 00000000000..6f5edae29b9
--- /dev/null
+++ b/SPECS/libxml++/libxml++.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "libxml++-3.2.0.tar.xz": "b786fae7fd7820d356698069a787d107995c3efcbef50d8f4efd3766ab768e4f"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/libxml++/libxml++.spec b/SPECS/libxml++/libxml++.spec
new file mode 100644
index 00000000000..40a360c1283
--- /dev/null
+++ b/SPECS/libxml++/libxml++.spec
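Review bot: The `-devel` subpackage's `Requires: liblogging` is unversioned, so an older liblogging build satisfies a newer `-devel`; the lttng-consume spec in this same series uses `Requires: %{name} = %{version}-%{release}`, and this spec should match it. The main package also claims `%{_libdir}/*.a`, yet a static archive is a development artifact that belongs under `%files devel` — or should not be built at all via `%configure --disable-journal --disable-static`. The `%check` section running `make check` is a good addition and makes the earlier point matter more, since a mismatched runtime/devel pair would fail downstream rather than here.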
@@ -0,0 +1,73 @@ +Summary: libxml++ +Name: libxml++ +Version: 3.2.0 +Release: 3%{?dist} +License: LGPLv2+ +Vendor: Microsoft Corporation +Distribution: Mariner +URL: http://libxmlplusplus.sourceforge.net/ +Source0: https://ftp.gnome.org/pub/GNOME/sources/%{name}/3.2/%{name}-%{version}.tar.xz +BuildRequires: glibmm24-devel +BuildRequires: libxml2-devel +BuildRequires: mm-common +BuildRequires: pkg-config +Requires: glibmm24 +Requires: libxml2 + +%description +This library provides a C++ interface to XML files. It uses libxml2 to access +the XML files, and in order to configure libxml++ you must have both libxml2 and +pkg-config installed. + +%package doc +Summary: Documentation for %{name} +Group: Documentation/Other +Requires: %{name} = %{version} + +%description doc +Documentation for %{name} + +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version} + +%description devel +This library provides a C++ interface to XML files. + +%prep +%setup -q + +%build +./autogen.sh +%configure +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} +find %{buildroot} -type f -name "*.la" -delete -print + +%files +%license COPYING +%doc README +%{_libdir}/*.so.* + +%files devel +%{_includedir}/* +%{_libdir}/libxml++-3.0/* +%{_libdir}/*.so +%{_libdir}/pkgconfig/* + +%files doc +%{_docdir}/* +%{_datadir}/devhelp/* + +%changelog +* Mon Oct 12 2020 Thomas Crain - 3.2.0-3 +- Remove .la files +- License verified + +* Fri Jun 05 2020 Jonathan Chiu - 3.2.0-2 +- Update dependency names + +* Mon Mar 30 2020 Jonathan Chiu - 3.2.0-1 +- Original version for CBL-Mariner diff --git a/SPECS/lttng-consume/lttng-consume.signatures.json b/SPECS/lttng-consume/lttng-consume.signatures.json new file mode 100644 index 00000000000..7302690dadb --- /dev/null +++ b/SPECS/lttng-consume/lttng-consume.signatures.json 
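Review bot: Both `Requires: %{name} = %{version}` lines (in the `doc` and `devel` subpackages) omit `-%{release}`, so any rebuild of the base package at the same version satisfies a newer subpackage; `Requires: %{name} = %{version}-%{release}` is the form the lttng-consume spec in this series uses and should be used here. `%files doc` owns the whole of `%{_docdir}/*` while the main package installs `%doc README` under `%{_docdir}` as well, so the wildcard may double-own that directory — confirm against the build's file list and narrow it to the subdirectory the upstream install actually creates. `URL` is plain `http://` while `Source0` is https; minor, but worth aligning while the header is being touched.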
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "lttng-consume-0.2.tar.gz": "c2d56990a28b59439e8bb14be2e342e285c1a3b66b20a21e96271ed886bdfeaa"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/lttng-consume/lttng-consume.spec b/SPECS/lttng-consume/lttng-consume.spec
new file mode 100644
index 00000000000..79dad4be01b
--- /dev/null
+++ b/SPECS/lttng-consume/lttng-consume.spec
@@ -0,0 +1,70 @@ +Summary: Modern C++ library for realtime consumption of LTTNG events +Name: lttng-consume +Version: 0.2 +Release: 3%{?dist} +License: MIT +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment +URL: https://github.com/microsoft/lttng-consume +#Source0: https://github.com/microsoft/%{name}/archive/v%{version}.tar.gz +Source0: lttng-consume-%{version}.tar.gz +BuildRequires: catch-devel +BuildRequires: cmake +BuildRequires: gcc +BuildRequires: jsonbuilder-devel +BuildRequires: libbabeltrace2-devel +# 'lttng' tool needed for tests to run +BuildRequires: lttng-tools +BuildRequires: lttng-ust-devel +BuildRequires: tracelogging-devel + +%description +The lttng-consume project produces JsonBuilder structures from a realtime +LTTNG session. + +%package devel +Summary: Development files for lttng-consume +Group: System Environment/Libraries +Requires: lttng-consume = %{version}-%{release} + +%description devel +This package contains the headers and symlinks for applications and libraries to +use lttng-consume. + +%prep +%setup -q + +%build +mkdir build && cd build +%cmake .. +%make_build + +%install +%make_install -C build + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%doc README.md +%license LICENSE +%{_libdir}/liblttng-consume.so.* + +%files devel +%defattr(-,root,root) +%{_libdir}/liblttng-consume.so +%{_libdir}/cmake/lttng-consume +%{_includedir}/lttng-consume + +%changelog +* Wed Oct 07 2020 Thomas Crain - 0.2-3 +- Add #Source0 URL +- Verified License field and %%license macro + +* Tue Apr 07 2020 Daniel McIlvaney - 0.2-2 +- Require lttng-ust packages. + +* Wed Feb 12 2020 Nick Bopp - 0.2-1 +- Original version for CBL-Mariner. diff --git a/SPECS/lua/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch b/SPECS/lua/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch index a7aaf9c9a27..f53b353da22 100644 --- a/SPECS/lua/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch 
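Review bot: `BuildRequires: lttng-tools` is justified only by the comment `'lttng' tool needed for tests to run`, yet the spec has no `%check` section, so the tests never run at package build and the dependency is dead weight — either add `%check` with `%ctest` (or `make -C build test`) or drop both the BuildRequires and its comment. The live `Source0: lttng-consume-%{version}.tar.gz` is a bare filename with the GitHub `archive/v%{version}.tar.gz` URL commented out; if that is because GitHub's auto-generated archive tarballs are not byte-stable and would break the sha256 pin in lttng-consume.signatures.json, say so in the comment (e.g. `# GitHub archive tarballs are not reproducible; the pinned tarball is served from the Mariner source mirror`), otherwise a future reader will simply re-enable the URL. The `devel` subpackage's `Requires: lttng-consume = %{version}-%{release}` is the right form and the other new specs in this series should follow it.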
+++ b/SPECS/lua/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch @@ -1,22 +1,22 @@ ---- a/src/lapi.c -+++ b/src/lapi.c -@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State * - - LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1, - int fidx2, int n2) { -- LClosure *f1; -- UpVal **up1 = getupvalref(L, fidx1, n1, &f1); -+ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */ - UpVal **up2 = getupvalref(L, fidx2, n2, NULL); -+ if (*up1 == *up2) return; /* Already joined */ -+ (*up2)->refcount++; -+ if (upisopen(*up2)) (*up2)->u.open.touched = 1; -+ luaC_upvalbarrier(L, *up2); - luaC_upvdeccount(L, *up1); - *up1 = *up2; -- (*up1)->refcount++; -- if (upisopen(*up1)) (*up1)->u.open.touched = 1; -- luaC_upvalbarrier(L, *up1); - } - - +--- a/src/lapi.c ++++ b/src/lapi.c +@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State * + + LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1, + int fidx2, int n2) { +- LClosure *f1; +- UpVal **up1 = getupvalref(L, fidx1, n1, &f1); ++ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */ + UpVal **up2 = getupvalref(L, fidx2, n2, NULL); ++ if (*up1 == *up2) return; /* Already joined */ ++ (*up2)->refcount++; ++ if (upisopen(*up2)) (*up2)->u.open.touched = 1; ++ luaC_upvalbarrier(L, *up2); + luaC_upvdeccount(L, *up1); + *up1 = *up2; +- (*up1)->refcount++; +- if (upisopen(*up1)) (*up1)->u.open.touched = 1; +- luaC_upvalbarrier(L, *up1); + } + + \ No newline at end of file diff --git a/SPECS/lua/CVE-2020-15888.patch b/SPECS/lua/CVE-2020-15888.patch new file mode 100644 index 00000000000..eb8a6af2ebb --- /dev/null +++ b/SPECS/lua/CVE-2020-15888.patch 
@@ -0,0 +1,34 @@ +From 6298903e35217ab69c279056f925fb72900ce0b7 Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy +Date: Mon, 6 Jul 2020 12:11:54 -0300 +Subject: [PATCH] Keep minimum size when shrinking a stack + +When shrinking a stack (during GC), do not make it smaller than the +initial stack size. +--- + src/ldo.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/ldo.c b/ldo.c +index c563b1d9..a89ac010 100644 +--- a/src/ldo.c ++++ b/src/ldo.c +@@ -220,7 +220,7 @@ static int stackinuse (lua_State *L) { + + void luaD_shrinkstack (lua_State *L) { + int inuse = stackinuse(L); +- int goodsize = inuse + (inuse / 8) + 2*EXTRA_STACK; ++ int goodsize = inuse + BASIC_STACK_SIZE; + if (goodsize > LUAI_MAXSTACK) + goodsize = LUAI_MAXSTACK; /* respect stack limit */ + if (L->stacksize > LUAI_MAXSTACK) /* had been handling stack overflow? */ +@@ -229,8 +229,7 @@ void luaD_shrinkstack (lua_State *L) { + luaE_shrinkCI(L); /* shrink list */ + /* if thread is currently not handling a stack overflow and its + good size is smaller than current size, shrink its stack */ +- if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) && +- goodsize < L->stacksize) ++ if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) && goodsize < L->stacksize) + luaD_reallocstack(L, goodsize); + else /* don't change stack */ + condmovestack(L,{},{}); /* (change only for debugging) */ diff --git a/SPECS/lua/CVE-2020-15889.nopatch b/SPECS/lua/CVE-2020-15889.nopatch new file mode 100644 index 00000000000..650866c7522 --- /dev/null +++ b/SPECS/lua/CVE-2020-15889.nopatch @@ -0,0 +1,3 @@ +# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected. +# NOTE: Patches needed if updating to 5.4: +# - 127e7a6c8942b362aa3c6627f44d660a4fb75312 \ No newline at end of file diff --git a/SPECS/lua/CVE-2020-24342.nopatch b/SPECS/lua/CVE-2020-24342.nopatch new file mode 100644 index 00000000000..13c9a983442 --- /dev/null +++ b/SPECS/lua/CVE-2020-24342.nopatch 
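Review bot: This backport carries only upstream commit 6298903 (the `luaD_shrinkstack` change), while the lua.spec comment beside Patch6 lists both 6298903 and eb41999 as the upstream fixes for CVE-2020-15888; if eb41999 touches code that does not exist in 5.3.5 the reasoning should be recorded next to Patch6 (e.g. `# eb41999 changes 5.4-only code and is not applicable to 5.3.5`), otherwise the second half of the fix is missing. The patch header is also internally inconsistent — `diff --git a/ldo.c b/ldo.c` against `--- a/src/ldo.c` / `+++ b/src/ldo.c` — which `%patch6 -p1` tolerates, but it signals a hand-edited header and may trip stricter tooling such as `git apply --check`; tidying it to `diff --git a/src/ldo.c b/src/ldo.c` costs nothing.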
@@ -0,0 +1,3 @@
+# CVE-2020-24342 appears to not affect 5.3.5 (no repro of exploit)
+# NOTE: Patches needed if updating to 5.4:
+# - 34affe7a63fc5d842580a9f23616d057e17dfe27
\ No newline at end of file
diff --git a/SPECS/lua/lua-5.3.4-shared_library-1.patch b/SPECS/lua/lua-5.3.4-shared_library-1.patch
new file mode 100755
index 00000000000..857fddc6cbd
--- /dev/null
+++ b/SPECS/lua/lua-5.3.4-shared_library-1.patch
@@ -0,0 +1,61 @@ +Submitted By: Igor Živković +Date: 2013-06-19 +Initial Package Version: 5.2.2 +Upstream Status: Rejected +Origin: Arch Linux packages repository +Description: Adds the compilation of a shared library. + +diff -Naur lua-5.3.0.orig/Makefile lua-5.3.0/Makefile +--- lua-5.3.0.orig/Makefile 2014-10-30 00:14:41.000000000 +0100 ++++ lua-5.3.0/Makefile 2015-01-19 22:14:09.822290828 +0100 +@@ -52,7 +52,7 @@ + all: $(PLAT) + + $(PLATS) clean: +- cd src && $(MAKE) $@ ++ cd src && $(MAKE) $@ V=$(V) R=$(R) + + test: dummy + src/lua -v +diff -Naur lua-5.3.0.orig/src/Makefile lua-5.3.0/src/Makefile +--- lua-5.3.0.orig/src/Makefile 2015-01-05 17:04:52.000000000 +0100 ++++ lua-5.3.0/src/Makefile 2015-01-19 22:14:52.559378543 +0100 +@@ -7,7 +7,7 @@ + PLAT= none + + CC= gcc -std=gnu99 +-CFLAGS= -O2 -Wall -Wextra -DLUA_COMPAT_5_2 $(SYSCFLAGS) $(MYCFLAGS) ++CFLAGS= -fPIC -O2 -Wall -Wextra -DLUA_COMPAT_5_2 $(SYSCFLAGS) $(MYCFLAGS) + LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS) + LIBS= -lm $(SYSLIBS) $(MYLIBS) + +@@ -29,6 +29,7 @@ + PLATS= aix bsd c89 freebsd generic linux macosx mingw posix solaris + + LUA_A= liblua.a ++LUA_SO= liblua.so + CORE_O= lapi.o lcode.o lctype.o ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o \ + lmem.o lobject.o lopcodes.o lparser.o lstate.o lstring.o ltable.o \ + ltm.o lundump.o lvm.o lzio.o +@@ -43,7 +44,7 @@ + LUAC_O= luac.o + + ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O) +-ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) ++ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) $(LUA_SO) + ALL_A= $(LUA_A) + + # Targets start here. +@@ -59,6 +60,12 @@ + $(AR) $@ $(BASE_O) + $(RANLIB) $@ + ++$(LUA_SO): $(CORE_O) $(LIB_O) ++ $(CC) -shared -ldl -Wl,-soname,$(LUA_SO).$(V) -o $@.$(R) $? -lm $(MYLDFLAGS) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO).$(V) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO) ++ ++ + $(LUA_T): $(LUA_O) $(LUA_A) + $(CC) -o $@ $(LDFLAGS) $(LUA_O) $(LUA_A) $(LIBS) + diff --git a/SPECS/lua/lua.spec b/SPECS/lua/lua.spec index 479d52e82ae..86733b540ad 100644 --- a/SPECS/lua/lua.spec 
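Review bot: The new `$(LUA_SO)` link rule uses `$?` (only prerequisites newer than the target), so an incremental rebuild after touching a single object links a shared library that is missing every other object; `$^` is the correct automatic variable here. The rule also links with `$(MYLDFLAGS)` alone and never passes `$(LDFLAGS)`, so any hardening link flags the distro injects (for example `-Wl,-z,relro,-z,now`) reach the static build but not `liblua.so` — `$(CC) -shared -ldl -Wl,-soname,$(LUA_SO).$(V) -o $@.$(R) $^ $(LDFLAGS) -lm $(MYLDFLAGS)` fixes both. Whether this Makefile is even the effective build path is unclear, because lua.spec's Patch0 autotoolizes the tree; if it is not, the patch is dead weight and its header should say so. The file is also committed with mode 100755, and a patch does not need the executable bit.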
+++ b/SPECS/lua/lua.spec @@ -8,14 +8,14 @@ Name: lua Version: %{major_version}.5 -Release: 9%{?dist} +Release: 11%{?dist} Summary: Powerful light-weight programming language License: MIT URL: https://www.lua.org/ Group: Development/Tools Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://www.lua.org/ftp/lua-%{version}.tar.gz +Source0: https://www.lua.org/ftp/%{name}-%{version}.tar.gz # copied from doc/readme.html on 2014-07-18 Source1: mit.txt Source2: http://www.lua.org/tests/lua-%{test_version}-tests.tar.gz @@ -23,12 +23,27 @@ Source2: http://www.lua.org/tests/lua-%{test_version}-tests.tar.gz Source3: luaconf.h # rpm-macro Source1000: macros.lua + Patch0: %{name}-5.3.0-autotoolize.patch Patch1: %{name}-5.3.0-idsize.patch Patch2: %{name}-5.2.2-configure-linux.patch Patch3: %{name}-5.3.0-configure-compat-module.patch -# Fixes CVE-2019-6706 +# From http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tt7685575.html Patch4: CVE-2019-6706-use-after-free-lua_upvaluejoin.patch +Patch5: lua-5.3.4-shared_library-1.patch +# CVE-2020-15888 patch taken from Open Embedded's Lua meta layer https://github.com/openembedded/meta-openembedded/blob/master/meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch +# NOTE: Upstream patches needed if updating to 5.4: +# - eb41999461b6f428186c55abd95f4ce1a76217d5 +# - 6298903e35217ab69c279056f925fb72900ce0b7 +Patch6: CVE-2020-15888.patch +# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected. +# NOTE: Patches needed if updating to 5.4: +# - 127e7a6c8942b362aa3c6627f44d660a4fb75312 +Patch7: CVE-2020-15889.nopatch +# CVE-2020-24342 appears to not affect 5.3.5 (no repro of exploit) +# NOTE: Patches needed if updating to 5.4: +# - 34affe7a63fc5d842580a9f23616d057e17dfe27 +Patch8: CVE-2020-24342.nopatch BuildRequires: automake autoconf libtool readline-devel ncurses-devel Requires: lua-libs = %{version}-%{release} 
@@ -75,6 +90,9 @@ mv src/luaconf.h src/luaconf.h.template.in %patch2 -p1 -z .configure-linux %patch3 -p1 -z .configure-compat-all %patch4 -p1 -b .CVE-2019-6706 +%patch5 -p1 +%patch6 -p1 +sed -i 's/CFLAGS= -fPIC -O2 /CFLAGS+= -fPIC -O2 -DLUA_COMPAT_MODULE /' src/Makefile # Put proper version in configure.ac, patch0 hardcodes 5.3.0 sed -i 's|5.3.0|%{version}|g' configure.ac autoreconf -ifv @@ -152,6 +170,13 @@ install -Dpm 0644 %{SOURCE1000} $RPM_BUILD_ROOT/%{macrosdir}/macros.lua %changelog +* Thu Oct 01 2020 Daniel McIlvaney 5.3.5-11 +- Nopatch CVE-2020-24342 +- Apply patch for CVE-2020-15888 from Open Embedded + +* Mon Sep 28 2020 Daniel McIlvaney 5.3.5-10 +- Nopatch CVE-2020-15889 since it only affects 5.4.0 + * Mon Sep 28 2020 Joe Schmitt - 5.3.5-9 - Update URL to https. - License verified. diff --git a/SPECS/make/make.spec b/SPECS/make/make.spec index 710b81702f6..c58e659c6d1 100644 --- a/SPECS/make/make.spec +++ b/SPECS/make/make.spec @@ -1,14 +1,13 @@ -Summary: Program for compiling packages -Name: make -Version: 4.2.1 -Release: 4%{?dist} -License: GPLv3+ -URL: http://www.gnu.org/software/make -Group: Development/Tools +Summary: Program for compiling packages +Name: make +Version: 4.2.1 +Release: 5%{?dist} +License: GPLv3+ +URL: http://www.gnu.org/software/make +Group: Development/Tools Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://ftp.gnu.org/gnu/make/%{name}-%{version}.tar.bz2 -%define sha1 make=7d9d11eb36cfb752da1fb11bb3e521d2a3cc8830 +Source0: http://ftp.gnu.org/gnu/make/%{name}-%{version}.tar.bz2 %description The Make package contains a program for compiling packages. @@ -20,8 +19,8 @@ The Make package contains a program for compiling packages. sed -i '211,217 d; 219,229 d; 232 d' glob/glob.c ./configure \ - --prefix=%{_prefix} \ - --disable-silent-rules + --prefix=%{_prefix} \ + --disable-silent-rules make %{?_smp_mflags} %install 
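Review bot: The added `sed -i 's/CFLAGS= -fPIC -O2 /CFLAGS+= -fPIC -O2 -DLUA_COMPAT_MODULE /' src/Makefile` silently does nothing if its pattern stops matching (the string it targets is introduced by Patch5 one line earlier), and since Patch0 autotoolizes the build it is not obvious that `src/Makefile` is consulted at all; guard it with `grep -q 'CFLAGS= -fPIC -O2 ' src/Makefile` so drift fails loudly, and add a one-line comment naming which build path the edit feeds. `%patch5 -p1` and `%patch6 -p1` also drop the backup suffix that every preceding `%patch` line carries; `%patch5 -p1 -b .shared_library` and `%patch6 -p1 -b .CVE-2020-15888` keep the convention and make a misapplied patch easier to diagnose. The `%prep` section continues past this hunk.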
@@ -31,6 +30,7 @@ rm -rf %{buildroot}%{_infodir} %find_lang %{name} %check +export PERL_USE_UNSAFE_INC=1 make %{?_smp_mflags} check %files -f %{name}.lang @@ -41,11 +41,12 @@ make %{?_smp_mflags} check %{_mandir}/*/* %changelog -* Sat May 09 00:21:04 PST 2020 Nick Samson - 4.2.1-4 +* Mon Oct 19 2020 Andrew Phelps 4.2.1-5 +- Fix check test +* Sat May 09 2020 Nick Samson 4.2.1-4 - Added %%license line automatically - -* Tue Sep 03 2019 Mateusz Malisz 4.2.1-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 4.2.1-3 +- Initial CBL-Mariner import from Photon (license: Apache2). * Sun Sep 09 2018 Alexey Makhalov 4.2.1-2 - Fix compilation issue against glibc-2.27 * Fri Mar 31 2017 Michelle Wang 4.2.1-1 @@ -54,9 +55,9 @@ make %{?_smp_mflags} check - Modified check * Tue May 24 2016 Priyesh Padmavilasom 4.1-3 - GA - Bump release of all rpms -* Tue May 10 2016 Kumar Kaushik 4.1-2 +* Tue May 10 2016 Kumar Kaushik 4.1-2 - Fix for segfaults in chroot env. -* Tue Jan 12 2016 Anish Swaminathan 4.1-1 +* Tue Jan 12 2016 Anish Swaminathan 4.1-1 - Update version. * Wed Nov 5 2014 Divya Thaluru 4.0-1 - Initial build. First version diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec index ea70fe9aa50..bd8ecebfdfb 100644 --- a/SPECS/mariner-release/mariner-release.spec +++ b/SPECS/mariner-release/mariner-release.spec @@ -1,7 +1,7 @@ Summary: CBL-Mariner release files Name: mariner-release Version: 1.0 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Group: System Environment/Base URL: https://aka.ms/cbl-mariner @@ -67,6 +67,8 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/issue.net %changelog +* Sat Oct 24 2020 Jon Slobodzian - 1.0-10 +- Updating version for October update * Fri Sep 04 2020 Mateusz Malisz - 1.0-9 - Remove empty %%post section, dropping dependency on /bin/sh * Tue Aug 24 2020 Jon Slobodzian - 1.0-8 
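Review bot: `export PERL_USE_UNSAFE_INC=1` re-enables `.` in Perl's @INC, the behaviour Perl 5.26 removed for CVE-2016-1238, and the hunk gives no reason; add a comment such as `# Perl >= 5.26 dropped '.' from @INC; make's test harness still loads its helper scripts from the test directory` (that is the usual cause, confirm it against the failing test). Scoping it to the single command, `PERL_USE_UNSAFE_INC=1 make %{?_smp_mflags} check`, keeps the unsafe setting from leaking to anything else that later runs in %check.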
diff --git a/SPECS/mariner-repos/mariner-preview.repo b/SPECS/mariner-repos/mariner-preview.repo
new file mode 100755
index 00000000000..67d6673c138
--- /dev/null
+++ b/SPECS/mariner-repos/mariner-preview.repo
@@ -0,0 +1,9 @@
+[mariner-preview]
+name=CBL-Mariner Official Preview $releasever $basearch
+baseurl=https://packages.microsoft.com/cbl-mariner/$releasever/preview/update/$basearch/rpms
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY file:///etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
diff --git a/SPECS/mariner-repos/mariner-repos.signatures.json b/SPECS/mariner-repos/mariner-repos.signatures.json
index 08456c98983..456d8662e06 100644
--- a/SPECS/mariner-repos/mariner-repos.signatures.json
+++ b/SPECS/mariner-repos/mariner-repos.signatures.json
@@ -3,6 +3,7 @@
 "MICROSOFT-RPM-GPG-KEY": "1092f37ec429e58bf9c7f898df17c3c32eb2ce3c4c037afb8ffe2d2b42e16e89",
 "MICROSOFT-METADATA-GPG-KEY": "1824ecffeda90cfe4178a99bddde450f09fd40e8faf4f0124fba16ea79998c4c",
 "mariner-official-base.repo": "af485f85c5c856536c6ec2f73f0afd1d9c424396fce1c9ae6f40745a5f41503d",
- "mariner-official-update.repo": "d80ed87ba6cf1e535131a9a68499b832dc87fc9add29cbae0f6cc76ebc36fbf3"
+ "mariner-official-update.repo": "d80ed87ba6cf1e535131a9a68499b832dc87fc9add29cbae0f6cc76ebc36fbf3",
+ "mariner-preview.repo": "7b5731bce3d0c81647144822a886a01912e325db10f7519e105b5224a25f1568"
 }
 }
diff --git a/SPECS/mariner-repos/mariner-repos.spec b/SPECS/mariner-repos/mariner-repos.spec
index 6f11555ed35..e35e74b077c 100644
--- a/SPECS/mariner-repos/mariner-repos.spec
+++ b/SPECS/mariner-repos/mariner-repos.spec
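Review bot: The new repo file is committed with `new file mode 100755`; the spec installs it with `install -m 644`, so the packaged copy is fine, but a .repo file should not carry the execute bit in the tree — `chmod 644 SPECS/mariner-repos/mariner-preview.repo`. With `enabled=1`, every dnf transaction on a host that has mariner-repos-preview installed will consider preview packages alongside the official repos, and a higher preview NEVR wins; if that is the intent for an opt-in sub-package, say so in `%description preview`, otherwise ship it `enabled=0` and document `--enablerepo=mariner-preview`. `gpgcheck=1`, `repo_gpgcheck=1` and `sslverify=1` are the right settings for a signed channel and should stay as they are.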
@@ -1,17 +1,18 @@ Summary: CBL-Mariner repo files, gpg keys Name: mariner-repos Version: 1.0 -Release: 9%{?dist} +Release: 11%{?dist} License: Apache License Group: System Environment/Base URL: https://aka.ms/mariner +Vendor: Microsoft Corporation +Distribution: Mariner Source0: MICROSOFT-RPM-GPG-KEY Source1: MICROSOFT-METADATA-GPG-KEY Source2: mariner-official-base.repo Source3: mariner-official-update.repo -Vendor: Microsoft Corporation -Distribution: mariner -Provides: mariner-repos +Source4: mariner-preview.repo + Requires(post): gpgme Requires(post): rpm Requires(preun): gpgme @@ -21,11 +22,20 @@ BuildArch: noarch %description CBL-Mariner repo files and gpg keys +%package preview +Summary: CBL-Mariner preview repo file. +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description preview +%{summary} + %install rm -rf $RPM_BUILD_ROOT install -d -m 755 $RPM_BUILD_ROOT/etc/yum.repos.d install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc/yum.repos.d install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/yum.repos.d +install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/yum.repos.d install -d -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-gpg install -m 644 %{SOURCE0} $RPM_BUILD_ROOT/etc/pki/rpm-gpg @@ -34,7 +44,7 @@ install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/pki/rpm-gpg %clean rm -rf $RPM_BUILD_ROOT -%post +%posttrans gpg --import /etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY gpg --import /etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY 
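Review bot: Moving the key import from `%post` to `%posttrans` leaves `Requires(post): gpgme` and `Requires(post): rpm` describing a scriptlet that no longer exists; either change them to plain `Requires:` (a %posttrans script runs after the whole transaction is installed, so ordering hints are moot) or to `Requires(posttrans)` if the target rpm honours that qualifier. The scriptlet invokes the `gpg` binary while gpgme is the library package — confirm it pulls in the gpg CLI on Mariner, because a missing binary makes `gpg --import` fail silently here and the keys are simply never imported. It is also worth a one-line comment that this import goes into root's GnuPG keyring, not rpm's keyring; the `gpgkey=file://` lines in the .repo files are what dnf uses to verify packages and metadata, so a reader should know what the keyring import is actually for.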
@@ -52,7 +62,16 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90
 %config(noreplace) /etc/yum.repos.d/mariner-official-base.repo
 %config(noreplace) /etc/yum.repos.d/mariner-official-update.repo
 
+%files preview
+%defattr(-,root,root,-)
+%config(noreplace) /etc/yum.repos.d/mariner-preview.repo
+
 %changelog
+* Thu Oct 01 2020 Emre Girgin - 1.0-11
+- Change %%post scriptlet to %%posttrans in order to ensure it runs after %%postun during an upgrade.
+* Mon Sep 28 2020 Pawel Winogrodzki 1.0-10
+- Adding configuration to access the preview repository.
+- Removing redundant 'Provides'.
 * Tue Aug 11 2020 Saravanan Somasundaram - 1.0-9
 - Enable GPG Check and Import
 * Mon Aug 10 2020 Saravanan Somasundaram - 1.0-8
diff --git a/SPECS/mm-common/mm-common.signatures.json b/SPECS/mm-common/mm-common.signatures.json
new file mode 100644
index 00000000000..42e6850a045
--- /dev/null
+++ b/SPECS/mm-common/mm-common.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "mm-common-1.0.0.tar.xz": "b97d9b041e5952486cab620b44ab09f6013a478f43b6699ae899b8a4da189cd4"
+ }
+}
diff --git a/SPECS/mm-common/mm-common.spec b/SPECS/mm-common/mm-common.spec
new file mode 100644
index 00000000000..8aef660bf91
--- /dev/null
+++ b/SPECS/mm-common/mm-common.spec
@@ -0,0 +1,52 @@ +Summary: mm-common module +Name: mm-common +Version: 1.0.0 +Release: 3%{?dist} +License: LGPLv2+ +Vendor: Microsoft Corporation +Distribution: Mariner +Group: Development/Libraries/C and C++ +URL: https://gtkmm.org +Source0: https://ftp.gnome.org/pub/GNOME/sources/%{name}/1.0/%{name}-%{version}.tar.xz +%define debug_package %{nil} +BuildRequires: pkg-config +BuildArch: noarch + +%description +The mm-common module provides the build infrastructure and utilities +shared among the GNOME C++ binding libraries. It is only a required +dependency for building the C++ bindings from the gnome.org version +control repository. + +%prep +%setup -q + +%build +./autogen.sh +%configure +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} + +%files +%license COPYING +%doc README +%{_bindir}/* +%{_datadir}/%{name}/* +%{_datadir}/pkgconfig/* +%{_datadir}/aclocal/* +%{_docdir}/%{name}/* +%{_mandir}/* + +%changelog +* Mon Oct 12 2020 Thomas Crain - 1.0.0-3 +- Update Source0 (removes need for libstdc++.tag file) +- Lint for Mariner style +- License verified + +* Tue Jun 09 2020 Jonathan Chiu - 1.0.0-2 +- Include libstdc++.tag in source files so package can be built offline + +* Mon Mar 30 2020 Jonathan Chiu - 1.0.0-1 +- Original version for CBL-Mariner diff --git a/SPECS/msgpack/msgpack.signatures.json b/SPECS/msgpack/msgpack.signatures.json new file mode 100644 index 00000000000..12e242ee9ad --- /dev/null +++ b/SPECS/msgpack/msgpack.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "msgpack-c-cpp-3.2.1.tar.gz" : "464f46744a6be778626d11452c4db3c2d09461080c6db42e358e21af19d542f6" + } +} diff --git a/SPECS/msgpack/msgpack.spec b/SPECS/msgpack/msgpack.spec new file mode 100644 index 00000000000..75c26e905af --- /dev/null +++ b/SPECS/msgpack/msgpack.spec 
@@ -0,0 +1,58 @@ +Summary: MessagePack implementation for C and C++ +Name: msgpack +Version: 3.2.1 +Release: 2%{?dist} +License: Boost +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://msgpack.org +#Source0: https://github.com/%{name}/%{name}-c/archive/cpp-%{version}.tar.gz +Source0: %{name}-c-cpp-%{version}.tar.gz +%define _build_id_links none +BuildRequires: boost-devel +BuildRequires: cmake +BuildRequires: gcc + +%description +MessagePack is an efficient binary serialization format, +which lets you exchange data among multiple languages like JSON, +except that it's faster and smaller. + +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version} + +%description devel +Development files for %{name} + +%prep +%setup -q -n %{name}-c-cpp-%{version} + +%build +mkdir build +cd build +cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} .. +make %{?_smp_mflags} + +%install +cd build +make install DESTDIR=%{buildroot} + +%files +%license COPYING LICENSE_1_0.txt NOTICE +%{_libdir}/*.so.* + +%files devel +%{_includedir}/* +%{_libdir}/cmake/* +%{_libdir}/pkgconfig/msgpack.pc +%{_libdir}/*.so +%{_libdir}/*.a + +%changelog +* Mon Oct 12 2020 Thomas Crain - 3.2.1-2 +- License verified and %%license added +- Update Source0 + +* Mon Mar 30 2020 Jonathan Chiu - 3.2.1-1 +- Original version for CBL-Mariner diff --git a/SPECS/nlohmann-json/nlohmann-json.signatures.json b/SPECS/nlohmann-json/nlohmann-json.signatures.json new file mode 100644 index 00000000000..15d650a0f80 --- /dev/null +++ b/SPECS/nlohmann-json/nlohmann-json.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "nlohmann-json-3.6.1.tar.gz": "80c45b090e40bf3d7a7f2a6e9f36206d3ff710acfa8d8cc1f8c763bb3075e22e" + } +} \ No newline at end of file diff --git a/SPECS/nlohmann-json/nlohmann-json.spec b/SPECS/nlohmann-json/nlohmann-json.spec new file mode 100644 index 00000000000..402bb7f5488 --- /dev/null +++ b/SPECS/nlohmann-json/nlohmann-json.spec 
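Review bot: The %build section calls `cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} ..` directly instead of the `%cmake` macro, so the distribution's `%{optflags}` (including whatever hardening flags Mariner sets) reach the compiler only if CFLAGS/CXXFLAGS happen to be exported; the sibling specs in this change (nlohmann-json, pugixml) use `%cmake ..` and `%make_build`, and this one should too. The main package ships `%{_libdir}/*.so.*` but has no `%post -p /sbin/ldconfig` / `%postun -p /sbin/ldconfig`, which the other shared-library specs here carry (unless Mariner's rpm provides an ldconfig file trigger, which is not visible from this diff). `Requires: %{name} = %{version}` in the devel package should be `%{version}-%{release}` so devel and runtime cannot drift across rebuilds. Source0 is a renamed GitHub `archive/` tarball whose original URL survives only as a comment; record how the local name was derived so the hash in msgpack.signatures.json can be reproduced independently.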
@@ -0,0 +1,55 @@ +Summary: Modern C++11 JSON library +Name: nlohmann-json +Version: 3.6.1 +Release: 2%{?dist} +License: MIT +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment +URL: https://github.com/nlohmann/json +#Source0: https://github.com/nlohmann/json/archive/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +%global debug_package %{nil} +BuildRequires: cmake +BuildRequires: gcc + +%description +A modern C++ JSON library. + +%package devel +Summary: Development files for %{name} + +%description devel +Development files for %{name} + +%prep +%setup -q -n json-%{version} + +%build +mkdir build && cd build +%cmake .. +%make_build + +%check +make test -C build + +%install +%make_install -C build + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files devel +%defattr(-,root,root) +%license LICENSE.MIT +%doc README.md +%{_includedir}/nlohmann +%{_libdir}/cmake/nlohmann_json + +%changelog +* Mon Oct 12 2020 Thomas Crain - 3.6.1-2 +- Update Source0 +- License verified + +* Tue Feb 11 2020 Nick Bopp - 3.6.1-1 +- Original version for CBL-Mariner. diff --git a/SPECS/omi/buildtool.patch b/SPECS/omi/buildtool.patch new file mode 100644 index 00000000000..6fac4b4cfdc --- /dev/null +++ b/SPECS/omi/buildtool.patch 
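Review bot: `%post -p /sbin/ldconfig` and `%postun -p /sbin/ldconfig` are attached to the main package, which has no `%files` section and therefore is never built, and the library is header-only (`%files devel` lists only `%{_includedir}/nlohmann` and the cmake config); both scriptlets are dead and should be dropped. Because no runtime package exists, `%package devel` correctly carries no `Requires:` on a base package, but a comment `# header-only library: no runtime package is produced` above it would spare the next reader the same check.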
@@ -0,0 +1,153 @@ +diff --git a/Unix/buildtool b/Unix/buildtool +--- a/Unix/buildtool 2020-09-29 10:33:36.055821162 -0700 ++++ b/Unix/buildtool 2020-09-29 11:24:05.121922456 -0700 +@@ -274,9 +274,9 @@ + distro=`lsb_release -i | awk -F":" '{ print $2 }'` + distro_version=`lsb_release -r | awk -F":" '{ print $2 }'` + ;; +- arm*:Linux:*) ++ aarch64*:Linux:*) + os=LINUX +- arch=ARM ++ arch=AARCH64 + compiler=GNU + distro=`lsb_release -i | awk -F":" '{ print $2 }'` + distro_version=`lsb_release -r | awk -F":" '{ print $2 }'` +@@ -293,7 +293,7 @@ + + case "$platform" in + +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + compiler_version=`gcc --version | awk -F" " 'match($0, /[0-9]*\.[0-9]*\.[0-9]*/){ if (match($0, /[0-9]*\.[0-9]*\.[0-9]*/, m)) print m[0] }'` + compiler_major_version=`echo $compiler_version | awk -F'.' '{ print $1}'` + compiler_minor_version=`echo $compiler_version | awk -F'.' '{ print $2}'` +@@ -573,7 +573,7 @@ + + case "$platform" in + +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + echo gcc + ;; + MONTAVISTA_IX86_GNU) +@@ -614,7 +614,7 @@ + fi + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + echo g++ + ;; + MONTAVISTA_IX86_GNU) +@@ -689,7 +689,7 @@ + LINUX_IX86_GNU|LINUX_X86_64_GNU) + echo size + ;; +- LINUX_ARM_GNU) ++ LINUX_AARCH64_GNU) + echo size + ;; + MONTAVISTA_IX86_GNU) +@@ -778,7 +778,7 @@ + r="$r -g" + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|MONTAVISTA_IX86_GNU|NETBSD_IX86_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|MONTAVISTA_IX86_GNU|NETBSD_IX86_GNU|LINUX_AARCH64_GNU) + if test $cxx_opt ; then + r="$r -std=gnu++98" + fi +@@ -974,7 +974,7 @@ + r="" + + case "$platform" in +- 
LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + r="$r -shared" + test -n "$libpath_opt" && r="$r -Wl,-rpath=$libpath_opt" + ;; +@@ -1098,7 +1098,7 @@ + r="" + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + test -n "$libpath_opt" && r="$r -Wl,-rpath=$libpath_opt" + ;; + MONTAVISTA_IX86_GNU) +@@ -1181,7 +1181,7 @@ + r="" + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + r="gcc -M" + ;; + MONTAVISTA_IX86_GNU) +@@ -1225,7 +1225,7 @@ + r="" + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + r="-lpthread -ldl -lpam" + ;; + MONTAVISTA_IX86_GNU) +@@ -1273,7 +1273,7 @@ + args="$arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg9" + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + for path in $args + do + r="$r -Wl,-rpath=$path" +@@ -1360,7 +1360,7 @@ + r="" + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + ;; + MONTAVISTA_IX86_GNU) + ;; +@@ -1441,7 +1441,7 @@ + fi + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + echo "lib$arg2.so" + ;; + MONTAVISTA_IX86_GNU) +@@ -1485,7 +1485,7 @@ + fi + + case "$platform" in +- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + echo "so" + ;; + MONTAVISTA_IX86_GNU) +@@ -1577,7 +1577,7 @@ + + if [ -z "$libdir" ]; then + case "$platform" in +- 
LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU) ++ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU) + if [ -f "/usr/lib/libssl.so" ]; then + libdir=/usr/lib + fi +diff --git a/Unix/pal/palcommon.h b/Unix/pal/palcommon.h +--- a/Unix/pal/palcommon.h 2020-09-29 10:33:36.091821099 -0700 ++++ b/Unix/pal/palcommon.h 2020-09-29 11:23:09.370299157 -0700 +@@ -930,7 +930,7 @@ + } + + +-#elif defined(CONFIG_ARCH_SPARC) || defined(CONFIG_ARCH_ARM) ++#elif defined(CONFIG_ARCH_SPARC) || defined(CONFIG_ARCH_AARCH64) + + /* Sparc only does big endian */ + diff --git a/SPECS/omi/omi.signatures.json b/SPECS/omi/omi.signatures.json new file mode 100644 index 00000000000..29cd57283d3 --- /dev/null +++ b/SPECS/omi/omi.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "omi-1.6.6.tar.gz": "f1ae4534c5d6ae1d7331a8c6c2db2e745a52575dfab40575e836da146c2c06e9" + } +} diff --git a/SPECS/omi/omi.spec b/SPECS/omi/omi.spec new file mode 100644 index 00000000000..ac314c544dc --- /dev/null +++ b/SPECS/omi/omi.spec 
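Review bot: The palcommon.h hunk at the end of this patch renames `CONFIG_ARCH_ARM` to `CONFIG_ARCH_AARCH64` inside the `#elif defined(CONFIG_ARCH_SPARC) || …` branch that is commented `Sparc only does big endian`; if that branch selects big-endian byte-order helpers, aarch64 Linux (little-endian) would now be routed through the wrong byte-swap path, so check what the branch defines before keeping this line. The surrounding `#if`/`#elif` chain and the buildtool case arms start and end outside what the patch shows. The patch itself carries only timestamped filename headers and no description; a short comment at its top stating why `LINUX_ARM_GNU` was repurposed as `LINUX_AARCH64_GNU` instead of being added as a new platform, and whether this was sent upstream, would make it reviewable when OMI is next updated.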
@@ -0,0 +1,86 @@ +%define debug_package %{nil} + +Name: omi +Version: 1.6.6 +Release: 1%{?dist} +Summary: Open Management Infrastructure +Group: Productivity/Security +License: MIT +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/microsoft/omi +#Source0: https://github.com/microsoft/%{name}/archive/v%{version}-0.tar.gz +Source0: %{name}-%{version}.tar.gz +Patch0: buildtool.patch +BuildRequires: pam-devel +BuildRequires: sudo +BuildRequires: unzip +BuildRequires: which +BuildRequires: krb5-devel +BuildRequires: e2fsprogs-devel + + +%description +Open Management Infrastructure (OMI) is an open source project to +further the development of a production quality implementation of +the DMTF CIM/WBEM standards. + + +%prep +%setup -n %{name}-%{version}-0 +%patch0 -p1 + + +%build +cd Unix +chmod 7777 * +./configure --enable-microsoft +make + +%install +cd Unix +make install + +install -vdm 755 %{buildroot}/opt/omi +install -vdm 775 %{buildroot}/opt/omi/lib +install -vdm 755 %{buildroot}/usr/include/micxx +install -vdm 755 %{buildroot}/usr/include/omiclient +install -vdm 755 %{buildroot}/usr/include/pal +install -vdm 755 %{buildroot}/usr/include/nits +install -vdm 755 %{buildroot}/usr/include/nits/base +install -vdm 755 %{buildroot}/usr/include/linux + +install -m 755 output/lib/libmicxx.so %{buildroot}/opt/omi/lib/ +install -m 755 output/lib/libomiclient.so %{buildroot}/opt/omi/lib/ +install -m 755 output/lib/libmi.so %{buildroot}/opt/omi/lib/ +install -m 755 output/lib/libomiidentify.so %{buildroot}/opt/omi/lib/ + +install -m 644 micxx/* %{buildroot}/usr/include/micxx +install -m 644 omiclient/client.h %{buildroot}/usr/include/omiclient +install -m 644 omiclient/*.h output/include/config.h common/*.h %{buildroot}/usr/include/ +install -m 644 pal/*.h %{buildroot}/usr/include/pal +install -m 644 nits/base/nits.h %{buildroot}/usr/include/nits/base +install -m 644 common/linux/sal.h %{buildroot}/usr/include/linux/ + +sudo sed -i -e 
's/\"..\/..\/common\/linux\/sal.h"//g' %{buildroot}/usr/include/pal/palcommon.h + + +%files +%defattr(-,root,root) +/opt/omi/lib/libmicxx.so +/opt/omi/lib/libomiclient.so +/opt/omi/lib/libmi.so +/opt/omi/lib/libomiidentify.so +/usr/include/micxx/* +/usr/include/omiclient/client.h +/usr/include/* +/usr/include/pal/*.h +/usr/include/nits/base/nits.h +/usr/include/linux/sal.h + + +%changelog +* Thu Oct 22 2020 Nick Samson 1.6.6-1 +- Updated source and version +* Mon Sep 28 2020 Henry Li 1.0.8-1 +- Add runtime required rpm diff --git a/SPECS/oniguruma/CVE-2020-26159.patch b/SPECS/oniguruma/CVE-2020-26159.patch new file mode 100644 index 00000000000..71a8adadb6b --- /dev/null +++ b/SPECS/oniguruma/CVE-2020-26159.patch @@ -0,0 +1,22 @@ +From cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 Mon Sep 17 00:00:00 2001 +From: "K.Kosako" +Date: Mon, 21 Sep 2020 12:58:29 +0900 +Subject: [PATCH] #207: Out-of-bounds write + +--- + src/regcomp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/regcomp.c b/src/regcomp.c +index f6494b6d..a0a68561 100644 +--- a/src/regcomp.c ++++ b/src/regcomp.c +@@ -6257,7 +6257,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc) + + for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) { + len = enclen(enc, p); +- if (i + len > OPT_EXACT_MAXLEN) break; ++ if (i + len >= OPT_EXACT_MAXLEN) break; + for (j = 0; j < len && p < end; j++) + to->s[i++] = *p++; + } diff --git a/SPECS/oniguruma/oniguruma.spec b/SPECS/oniguruma/oniguruma.spec index 33e4981f8cb..d395818bd64 100644 --- a/SPECS/oniguruma/oniguruma.spec +++ b/SPECS/oniguruma/oniguruma.spec @@ -1,6 +1,6 @@ Name: oniguruma Version: 6.9.5 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Summary: Regular expressions library Group: System Environment/Libraries 
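Review bot: `chmod 7777 *` in %build sets the setuid, setgid and sticky bits plus world-write on every entry under Unix/, far more than making the build scripts executable; use `chmod +x configure buildtool` (or whichever scripts the tarball ships without the execute bit) so nothing copied out of this tree can carry set-id bits. `sudo sed -i …` in %install together with `BuildRequires: sudo` is unnecessary — rpmbuild already owns %{buildroot} — and escalating inside a build scriptlet is a habit worth removing; drop `sudo` and the BuildRequires. `cd Unix` followed by `make install` is run without DESTDIR; if OMI's install target writes to the configured prefix rather than to `output/`, this writes outside the buildroot on the build host, so confirm where it lands. `%files` lists `/usr/include/*` next to the explicit `/usr/include/micxx/*`, `/usr/include/pal/*.h` and friends, so those entries are claimed twice; keep the explicit ones and drop the glob.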
@@ -8,6 +8,8 @@ Vendor: Microsoft Corporation Distribution: Mariner URL: https://github.com/kkos/oniguruma/ Source0: https://github.com/kkos/oniguruma/releases/download/v%{version}/onig-%{version}.tar.gz +# https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0.patch +Patch0: CVE-2020-26159.patch %description Oniguruma is a regular expressions library. @@ -24,7 +26,8 @@ Requires: oniguruma = %{version}-%{release} Development files for libonig %prep -%setup -q -n onig-%{version} +%autosetup -n onig-%{version} -p1 + %build %configure \ @@ -62,6 +65,8 @@ make check %{_libdir}/pkgconfig/%{name}.pc %changelog +* Thu Oct 15 2020 Emre Girgin 6.9.5-2 +- Fix CVE-2020-26159. * Tue May 19 2020 Andrew Phelps 6.9.5-1 - Upgrade to 6.9.5. * Wed Apr 22 2020 Emre Girgin 6.9.0-4 diff --git a/SPECS/openssh/CVE-2019-16905.patch b/SPECS/openssh/CVE-2019-16905.patch new file mode 100644 index 00000000000..4cc12586ad5 --- /dev/null +++ b/SPECS/openssh/CVE-2019-16905.patch @@ -0,0 +1,12 @@ +--- ./sshkey-xmss-orig.c 2020-10-19 13:08:05.657397679 -0700 ++++ ./sshkey-xmss.c 2020-10-19 13:07:42.953419382 -0700 +@@ -977,7 +977,8 @@ + goto out; + } + /* check that an appropriate amount of auth data is present */ +- if (sshbuf_len(encoded) < encrypted_len + authlen) { ++ if (sshbuf_len(encoded) < authlen || ++ sshbuf_len(encoded) - authlen < encrypted_len) { + r = SSH_ERR_INVALID_FORMAT; + goto out; + } diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec index f2c684429b4..f6f65fefe3a 100644 --- a/SPECS/openssh/openssh.spec +++ b/SPECS/openssh/openssh.spec @@ -1,7 +1,7 @@ Summary: Free version of the SSH connectivity tools Name: openssh Version: 8.0p1 -Release: 8%{?dist} +Release: 9%{?dist} License: BSD URL: https://www.openssh.com/ Group: System Environment/Security 
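Review bot: The new CVE-2019-16905.patch has no provenance — its header is a local file pair (`./sshkey-xmss-orig.c` / `./sshkey-xmss.c`) with no upstream commit or CVE reference inside the patch, unlike CVE-2020-26159.patch in the same change which keeps the upstream `From …` header; add `# https://github.com/openssh/openssh-portable/commit/<sha of the 8.1 fix>` above `Patch1:` in the spec and, ideally, regenerate the patch from that commit. The two-step check, `sshbuf_len(encoded) < authlen ||` followed by `sshbuf_len(encoded) - authlen < encrypted_len`, is the right shape for removing the `encrypted_len + authlen` overflow and appears to match upstream. sshkey-xmss.c is compiled only when XMSS is enabled (`WITH_XMSS`); whether this build enables it is decided by the `%configure` flags outside this hunk, so note in the spec comment whether the patch is an active fix or defensive.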
@@ -13,6 +13,7 @@ Source1: http://www.linuxfromscratch.org/blfs/downloads/stable-systemd/bl Source2: sshd.service Source3: sshd-keygen.service Patch0: blfs_systemd_fixes.patch +Patch1: CVE-2019-16905.patch BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: krb5-devel @@ -49,6 +50,7 @@ This provides the ssh server daemons, utilities, configuration and service files %setup -q tar xf %{SOURCE1} --no-same-owner %patch0 -p0 +%patch1 -p0 %build %configure \ --sysconfdir=/etc/ssh \ @@ -171,6 +173,8 @@ rm -rf %{buildroot}/* %{_mandir}/man8/ssh-pkcs11-helper.8.gz %changelog +* Mon Oct 19 2020 Andrew Phelps 8.0p1-9 +- Add patch for CVE-2019-16905 * Wed Sep 02 2020 Jim Perrin 8.0p1-8 - Add wants=sshd-keygen.service to sshd.service for easier service starting * Thu Jun 04 2020 Chris Co 8.0p1-7 diff --git a/SPECS/pugixml/pugixml.signatures.json b/SPECS/pugixml/pugixml.signatures.json new file mode 100644 index 00000000000..efc847fbbf8 --- /dev/null +++ b/SPECS/pugixml/pugixml.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "pugixml-1.10.tar.gz": "10f1f0a32b559ca8435d95855928d990cfbb9796e339efb638080c897728174c" + } +} \ No newline at end of file diff --git a/SPECS/pugixml/pugixml.spec b/SPECS/pugixml/pugixml.spec new file mode 100644 index 00000000000..79b448d8219 --- /dev/null +++ b/SPECS/pugixml/pugixml.spec 
@@ -0,0 +1,141 @@ +Summary: A light-weight C++ XML processing library +Name: pugixml +Version: 1.10 +Release: 2%{?dist} +License: MIT +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment +URL: https://pugixml.org +#Source0: https://github.com/zeux/%{name}/archive/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +BuildRequires: cmake +BuildRequires: gcc + +%description +pugixml is a light-weight C++ XML processing library. +It features: +- DOM-like interface with rich traversal/modification capabilities +- Extremely fast non-validating XML parser which constructs the DOM tree from + an XML file/buffer +- XPath 1.0 implementation for complex data-driven tree queries +- Full Unicode support with Unicode interface variants and automatic encoding + conversions + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +Development files for package %{name} + +%prep +%setup -q + +%build +mkdir build && cd build +%cmake .. 
-DBUILD_TESTS:BOOL=ON +%make_build + +%check +make check -C build + +%install +%make_install -C build + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%license LICENSE.md +%doc readme.txt +%{_libdir}/libpugixml.so.* + +%files devel +%defattr(-,root,root) +%{_includedir}/pugiconfig.hpp +%{_includedir}/pugixml.hpp +%{_libdir}/libpugixml.so +%{_libdir}/cmake/pugixml +%{_libdir}/pkgconfig/pugixml.pc + +%changelog +* Mon Oct 12 2020 Thomas Crain - 1.10-2 +- License verified +- Update Source0 + +* Wed Feb 12 2020 Nick Bopp - 1.10-1 +- Initial import from Fedora 32 (license: MIT) +- Update to 1.10 + +* Fri Jul 26 2019 Fedora Release Engineering - 1.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Feb 02 2019 Fedora Release Engineering - 1.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 1.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Apr 06 2018 Richard Shaw - 1.9-1 +- Update to 1.9. + +* Fri Feb 09 2018 Fedora Release Engineering - 1.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 1.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Nov 24 2016 Richard Shaw - 1.8-1 +- Update to latest upstream release. + +* Tue Sep 27 2016 Richard Shaw - 1.7-3 +- Add build flags for c++11 for mkvtoolnix. + +* Thu Feb 04 2016 Fedora Release Engineering - 1.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Oct 19 2015 Richard Shaw - 1.7-1 +- Update to latest upstream release. 
+ +* Thu Jun 18 2015 Fedora Release Engineering - 1.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Apr 11 2015 Richard Shaw - 1.6-1 +- Update to latest upstream release. + +* Tue Feb 3 2015 Richard Shaw - 1.5-1 +- Update to latest upstream release. + +* Wed Sep 03 2014 Orion Poplawski - 1.4-1 +- Update to 1.4 +- Split documentation out into -doc sub-package +- Add cmake export information + +* Sun Aug 17 2014 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Aug 04 2013 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sat Jul 21 2012 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jan 14 2012 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Jan 05 2012 Richard Shaw - 1.0-2 +- Rebuild for GCC 4.7.0. + +* Fri Jul 08 2011 Richard Shaw - 1.0-1 +- Initial Release diff --git a/SPECS/python-certifi/python-certifi.spec b/SPECS/python-certifi/python-certifi.spec index cefc4488c59..623957e12ad 100644 --- a/SPECS/python-certifi/python-certifi.spec +++ b/SPECS/python-certifi/python-certifi.spec @@ -4,7 +4,7 @@ Summary: Python package for providing Mozilla's CA Bundle Name: python-certifi Version: 2018.10.15 -Release: 4%{?dist} +Release: 5%{?dist} URL: https://github.com/certifi License: MPL-2.0 Group: Development/Languages/Python @@ -17,6 +17,7 @@ BuildRequires: python2-devel BuildRequires: python-setuptools %if %{with_check} BuildRequires: pytest +BuildRequires: python3-xml %endif BuildArch: noarch 
@@ -64,6 +65,8 @@ python3 setup.py test
 %{python3_sitelib}/*
 
 %changelog
+* Tue Oct 20 2020 Andrew Phelps 2018.10.15-5
+- Fix check test
 * Sat May 09 00:20:57 PST 2020 Nick Samson 2018.10.15-4
 - Added %%license line automatically
 * Wed May 06 2020 Pawel Winogrodzki 2018.10.15-3
diff --git a/SPECS/qemu-kvm/CVE-2015-7504.nopatch b/SPECS/qemu-kvm/CVE-2015-7504.nopatch
new file mode 100644
index 00000000000..a4242bf6b56
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2015-7504.nopatch
@@ -0,0 +1 @@
+# CVE-2015-7504 was fixed in 2.5.0, but the CVE database was not updated. (837f21aacf5a714c23ddaadbbc5212f9b661e3f7)
\ No newline at end of file
diff --git a/SPECS/qemu-kvm/CVE-2016-7161.nopatch b/SPECS/qemu-kvm/CVE-2016-7161.nopatch
new file mode 100644
index 00000000000..b9e0ecbbc28
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2016-7161.nopatch
@@ -0,0 +1 @@
+# CVE-2016-7161 was fixed in 2.7.0, but the CVE database was not updated. (a0d1cbdacff5df4ded16b753b38fdd9da6092968)
\ No newline at end of file
diff --git a/SPECS/qemu-kvm/CVE-2017-14167.nopatch b/SPECS/qemu-kvm/CVE-2017-14167.nopatch
new file mode 100644
index 00000000000..68d9f5ae58f
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2017-14167.nopatch
@@ -0,0 +1 @@
+# CVE-2017-14167 was fixed in 2.11.0, but the CVE database was not updated. (ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb)
\ No newline at end of file
diff --git a/SPECS/qemu-kvm/CVE-2017-5931.nopatch b/SPECS/qemu-kvm/CVE-2017-5931.nopatch
new file mode 100644
index 00000000000..f705f04ae37
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2017-5931.nopatch
@@ -0,0 +1 @@
+# CVE-2017-5931 was fixed in 2.9.0, but the CVE database was not updated. (a08aaff811fb194950f79711d2afe5a892ae03a4)
\ No newline at end of file
diff --git a/SPECS/qemu-kvm/qemu-kvm.spec b/SPECS/qemu-kvm/qemu-kvm.spec
index 9bac4327fab..6becd32182b 100644
--- a/SPECS/qemu-kvm/qemu-kvm.spec
+++ b/SPECS/qemu-kvm/qemu-kvm.spec
@@ -1,25 +1,33 @@ -Summary: QEMU is a machine emulator and virtualizer -Name: qemu-kvm -Version: 4.2.0 -Release: 11%{?dist} -License: GPLv2 and GPLv2+ and CC-BY and BSD -Group: Development/Tools -URL: https://www.qemu.org/ -Source0: https://download.qemu.org/qemu-%{version}.tar.xz -Source1: 65-kvm.rules +Summary: QEMU is a machine emulator and virtualizer +Name: qemu-kvm +Version: 4.2.0 +Release: 13%{?dist} +License: GPLv2 and GPLv2+ and CC-BY and BSD +Group: Development/Tools +URL: https://www.qemu.org/ +Vendor: Microsoft Corporation +Distribution: Mariner +Source0: https://download.qemu.org/qemu-%{version}.tar.xz +Source1: 65-kvm.rules # https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850 -Patch0: CVE-2020-11102.patch +Patch0: CVE-2020-11102.patch # This vulnerability is in libslirp source code. And qemu is exposed to it when configured with libslirp. # Since Mariner does not have libslirp, it is not applicable. -Patch1: CVE-2020-7039.nopatch -Patch2: CVE-2020-1711.patch -Patch3: CVE-2020-7211.patch -Patch4: CVE-2019-20175.patch -Patch5: CVE-2020-13659.patch -Patch6: CVE-2020-16092.patch -Patch7: CVE-2020-15863.patch -Vendor: Microsoft Corporation -Distribution: Mariner +Patch1: CVE-2020-7039.nopatch +Patch2: CVE-2020-1711.patch +Patch3: CVE-2020-7211.patch +Patch4: CVE-2019-20175.patch +Patch5: CVE-2020-13659.patch +Patch6: CVE-2020-16092.patch +Patch7: CVE-2020-15863.patch +# CVE-2016-7161 was fixed in 2.7.0, but the CVE database was not updated. (a0d1cbdacff5df4ded16b753b38fdd9da6092968) +Patch8: CVE-2016-7161.nopatch +# CVE-2015-7504 was fixed in 2.5.0, but the CVE database was not updated. (837f21aacf5a714c23ddaadbbc5212f9b661e3f7) +Patch9: CVE-2015-7504.nopatch +# CVE-2017-5931 was fixed in 2.9.0, but the CVE database was not updated. (a08aaff811fb194950f79711d2afe5a892ae03a4) +Patch10: CVE-2017-5931.nopatch +# CVE-2017-14167 was fixed in 2.11.0, but the CVE database was not updated. 
(ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb) +Patch11: CVE-2017-14167.nopatch BuildRequires: python3-devel BuildRequires: glib-devel @@ -114,6 +122,12 @@ chmod 755 %{buildroot}%{_bindir}/qemu %{_bindir}/qemu-nbd %changelog +* Tue Sep 29 2020 Daniel McIlvaney 4.2.0-13 +- Nopatch CVE-2015-7504, it was fixed in 2.5.0 +- Nopatch CVE-2017-5931, it was fixed in 2.9.0 +- Nopatch CVE-2017-14167, it was fixed in 2.11.0 +* Mon Sep 28 2020 Daniel McIlvaney 4.2.0-12 +- Nopatch CVE-2016-7161, it was fixed in 2.7 * Mon Sep 14 2020 Nicolas Guibourge 4.2.0-11 - Add patch for CVE-2020-15863 * Wed Sep 02 2020 Nicolas Ontiveros 4.2.0-10 diff --git a/SPECS/rapidjson/0000-Supress-implicit-fallthrough-in-GCC.patch b/SPECS/rapidjson/0000-Supress-implicit-fallthrough-in-GCC.patch new file mode 100644 index 00000000000..9edd31cec79 --- /dev/null +++ b/SPECS/rapidjson/0000-Supress-implicit-fallthrough-in-GCC.patch @@ -0,0 +1,23 @@ +From fe19b7b6016d446722621fb407738209d1a911e8 Mon Sep 17 00:00:00 2001 +From: Harry Wong +Date: Thu, 4 May 2017 10:08:48 +0800 +Subject: [PATCH] Supress implicit fallthrough in GCC + +--- + include/rapidjson/internal/regex.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/rapidjson/internal/regex.h b/include/rapidjson/internal/regex.h +index 1369ea2..6d110bd 100644 +--- a/include/rapidjson/internal/regex.h ++++ b/include/rapidjson/internal/regex.h +@@ -29,6 +29,7 @@ RAPIDJSON_DIAG_OFF(implicit-fallthrough) + #ifdef __GNUC__ + RAPIDJSON_DIAG_PUSH + RAPIDJSON_DIAG_OFF(effc++) ++RAPIDJSON_DIAG_OFF(implicit-fallthrough) + #endif + + #ifdef _MSC_VER +-- +2.7.4 diff --git a/SPECS/rapidjson/0001-Onley-apply-to-GCC-7.patch b/SPECS/rapidjson/0001-Onley-apply-to-GCC-7.patch new file mode 100644 index 00000000000..c65315a828b --- /dev/null +++ b/SPECS/rapidjson/0001-Onley-apply-to-GCC-7.patch 
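Review bot: The `Patch1: CVE-2020-7039.nopatch` rationale that this hunk re-indents, `Since Mariner does not have libslirp, it is not applicable`, argues from the absence of a system library, but the qemu 4.2.0 release tarball bundles slirp under `slirp/` and `configure` builds that copy when no system libslirp is found unless `--disable-slirp` is passed; the `%build` configure line is outside this hunk, so check it and either record the flag in the comment or turn this into a real patch. The four new nopatch comments are good in that they cite the upstream fix commit; use the same form for Patch1 once verified, e.g. `# CVE-2020-7039: libslirp tcp_emu; not built because configure is passed --disable-slirp (see %build)`.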
@@ -0,0 +1,26 @@ +From cba45fe9de6923b858edb0780e257b7257aa4f7b Mon Sep 17 00:00:00 2001 +From: Harry Wong +Date: Thu, 4 May 2017 10:32:45 +0800 +Subject: [PATCH] Onley apply to GCC 7 + +--- + include/rapidjson/internal/regex.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/rapidjson/internal/regex.h b/include/rapidjson/internal/regex.h +index 6d110bd..e1a2faa 100644 +--- a/include/rapidjson/internal/regex.h ++++ b/include/rapidjson/internal/regex.h +@@ -29,8 +29,10 @@ RAPIDJSON_DIAG_OFF(implicit-fallthrough) + #ifdef __GNUC__ + RAPIDJSON_DIAG_PUSH + RAPIDJSON_DIAG_OFF(effc++) ++#if __GNUC__ >= 7 + RAPIDJSON_DIAG_OFF(implicit-fallthrough) + #endif ++#endif + + #ifdef _MSC_VER + RAPIDJSON_DIAG_PUSH +-- +2.7.4 diff --git a/SPECS/rapidjson/0002-Correct-object-copying-in-document_h.patch b/SPECS/rapidjson/0002-Correct-object-copying-in-document_h.patch new file mode 100644 index 00000000000..a8711424319 --- /dev/null +++ b/SPECS/rapidjson/0002-Correct-object-copying-in-document_h.patch 
@@ -0,0 +1,50 @@ +diff --git a/include/rapidjson/document.h b/include/rapidjson/document.h +index e3e20dfb..95aa8999 100644 +--- a/include/rapidjson/document.h ++++ b/include/rapidjson/document.h +@@ -22,6 +22,7 @@ + #include "internal/strfunc.h" + #include "memorystream.h" + #include "encodedstream.h" ++#include + #include // placement new + #include + +@@ -69,6 +70,7 @@ class GenericDocument; + */ + template + struct GenericMember { ++ GenericMember() {} + GenericValue name; //!< name of member (must be a string) + GenericValue value; //!< value of member. + }; +@@ -1934,9 +1936,11 @@ private: + void SetArrayRaw(GenericValue* values, SizeType count, Allocator& allocator) { + data_.f.flags = kArrayFlag; + if (count) { +- GenericValue* e = static_cast(allocator.Malloc(count * sizeof(GenericValue))); +- SetElementsPointer(e); +- std::memcpy(e, values, count * sizeof(GenericValue)); ++ auto arr = static_cast(allocator.Malloc(count * sizeof(GenericValue))); ++ for (SizeType idx = 0; idx < count; ++idx) ++ new (arr + idx) GenericValue; ++ SetElementsPointer(arr); ++ std::copy_n(values, count, arr); + } + else + SetElementsPointer(0); +@@ -1947,9 +1951,11 @@ private: + void SetObjectRaw(Member* members, SizeType count, Allocator& allocator) { + data_.f.flags = kObjectFlag; + if (count) { +- Member* m = static_cast(allocator.Malloc(count * sizeof(Member))); +- SetMembersPointer(m); +- std::memcpy(m, members, count * sizeof(Member)); ++ auto arr = static_cast(allocator.Malloc(count * sizeof(Member))); ++ for (SizeType idx = 0; idx < count; ++idx) ++ new (arr + idx) Member; ++ SetMembersPointer(arr); ++ std::copy_n(members, count, arr); + } + else + SetMembersPointer(0); diff --git a/SPECS/rapidjson/rapidjson.signatures.json b/SPECS/rapidjson/rapidjson.signatures.json new file mode 100644 index 00000000000..ac85ae21875 --- /dev/null +++ b/SPECS/rapidjson/rapidjson.signatures.json 
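Review bot: The memcpy replacement in SetArrayRaw/SetObjectRaw uses `auto` and `std::copy_n`, both C++11 constructs, in a public header that rapidjson 1.1.0 otherwise keeps C++03-compatible (its C++11 features are gated behind RAPIDJSON_HAS_CXX11_* macros), so any consumer of the devel package built with -std=c++98/03 stops compiling. If the intent is only to silence GCC's -Wclass-memaccess, the smaller change is to keep memcpy and cast the destination, `std::memcpy(static_cast<void*>(e), values, count * sizeof(GenericValue));`, which I believe is what upstream eventually did. Note also that element-wise assignment now goes through GenericValue's assignment operator, which in 1.1.0 has move semantics and resets each source element to null, so any caller that reads `values`/`members` after the call sees different contents than with memcpy — the callers I know of pop the parse stack and discard them, but this should be confirmed before the patch is taken. This page's rendering has dropped the angle-bracketed text (`+#include` shows no header name, `static_cast(...)` no type), so the patch file on disk should be checked rather than this view.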
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "rapidjson-1.1.0.tar.gz" : "bf7ced29704a1e696fbccf2a2b4ea068e7774fa37f6d7dd4039d0787f8bed98e"
+ }
+}
diff --git a/SPECS/rapidjson/rapidjson.spec b/SPECS/rapidjson/rapidjson.spec
new file mode 100644
index 00000000000..12d24dbb903
--- /dev/null
+++ b/SPECS/rapidjson/rapidjson.spec
@@ -0,0 +1,72 @@
+Summary: A fast JSON parser/generator for C++ with both SAX/DOM style API
+Name: rapidjson
+Version: 1.1.0
+Release: 6%{?dist}
+License: BSD and JSON and MIT
+Vendor: Microsoft Corporation
+Distribution: Mariner
+Group: Development/Tools
+URL: https://github.com/Tencent/rapidjson
+Source0: https://github.com/Tencent/%{name}/archive/%{name}-%{version}.tar.gz
+Patch0: 0000-Supress-implicit-fallthrough-in-GCC.patch
+Patch1: 0001-Onley-apply-to-GCC-7.patch
+Patch2: 0002-Correct-object-copying-in-document_h.patch
+%global debug_package %{nil}
+BuildRequires: cmake
+BuildRequires: gcc
+
+%description
+RapidJSON is a JSON parser and generator for C++. It was inspired by RapidXml.
+
+%package devel
+Summary: Fast JSON parser and generator for C++
+Group: Development/Libraries/C and C++
+Provides: %{name} = %{version}-%{release}
+
+%description devel
+RapidJSON is a header-only JSON parser and generator for C++.
+This package contains development headers and examples.
+
+%prep
+%autosetup -p 1
+
+%build
+mkdir build && cd build
+cmake -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} -DBUILD_SHARED_LIBS=ON ..
+make %{?_smp_mflags}
+
+%install
+cd build
+make DESTDIR=%{buildroot} install
+
+%check
+make test
+
+%files devel
+%defattr(-,root,root)
+%license license.txt
+%dir %{_libdir}/cmake/RapidJSON
+%{_libdir}/cmake/RapidJSON/*
+%{_libdir}/pkgconfig/*.pc
+%{_includedir}
+%{_datadir}
+
+%changelog
+* Mon Oct 12 2020 Thomas Crain - 1.1.0-6
+- Update Source0
+- Licenses verified, added %%license macro
+
+* Fri May 08 2020 Jonathan Chiu - 1.1.0-5
+- Fix build failure with gcc 9
+
+* Tue Sep 03 2019 Mateusz Malisz - 1.1.0-4
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Mon Nov 19 2018 Vasavi Sirnapalli - 1.1.0-3
+- Fix makecheck
+
+* Wed Aug 08 2018 Srivatsa S. Bhat - 1.1.0-2
+- Fix build failure with gcc 7.3
+
+* Fri Jun 09 2017 Harish Udaiya Kumar - 1.1.0-1
+- Initial build. First version
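Review bot: `%check` runs `make test` from the unpacked source root, but the Makefile is generated in `build/` (`%build` does `cd build` and `%install` repeats it, since each section starts in a fresh shell), so the tests either fail outright or never run unless the build tooling skips %check by default; it should read `make -C build test`. Separately, `%files devel` lists `%{_includedir}` and `%{_datadir}` bare, which makes this package own all of /usr/include and /usr/share rather than its own subtrees and will conflict with the filesystem package — list `%{_includedir}/rapidjson` and the specific doc/cmake paths the install actually produces. On the supply-chain side, Source0 points at a GitHub `archive/` tarball whose bytes are generated on request and are not guaranteed stable, while `rapidjson.signatures.json` pins its sha256, so a re-fetch can fail verification with nothing malicious having happened; mirroring the tarball as the rocksdb and span-lite specs in this same PR do is the more robust choice, and the ref in the URL (`rapidjson-1.1.0`) should be fetch-tested since upstream's release tags are, as far as I recall, of the form `v1.1.0`.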
diff --git a/SPECS/rocksdb/rocksdb.signatures.json b/SPECS/rocksdb/rocksdb.signatures.json
new file mode 100644
index 00000000000..701e208941e
--- /dev/null
+++ b/SPECS/rocksdb/rocksdb.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "rocksdb-6.7.3.tar.gz" : "c4d1397b58e4801b5fd7c3dd9175e6ae84541119cbebb739fe17d998f1829e81"
+ }
+}
diff --git a/SPECS/rocksdb/rocksdb.spec b/SPECS/rocksdb/rocksdb.spec
new file mode 100644
index 00000000000..e05c4ba42e0
--- /dev/null
+++ b/SPECS/rocksdb/rocksdb.spec
@@ -0,0 +1,67 @@
+%define _build_id_links none
+
+Name: rocksdb
+Summary: A library that provides an embeddable, persistent key-value store for fast storage.
+Version: 6.7.3
+Release: 2%{?dist}
+License: GPLv2+ and ASL 2.0 and BSD
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://rocksdb.org
+#Source0: https://github.com/facebook/%{name}/archive/v%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+
+BuildRequires: cmake
+BuildRequires: build-essential
+BuildRequires: gflags-devel
+
+%description
+RocksDB is developed and maintained by Facebook Database Engineering Team. It is built on
+earlier work on LevelDB by Sanjay Ghemawat (sanjay@google.com) and Jeff Dean (jeff@google.com)
+
+This code is a library that forms the core building block for a fast key-value server,
+especially suited for storing data on flash drives. It has a Log-Structured-Merge-Database
+(LSM) design with flexible tradeoffs between Write-Amplification-Factor (WAF),
+Read-Amplification-Factor (RAF) and Space-Amplification-Factor (SAF). It has multi-threaded
+compactions, making it especially suitable for storing multiple terabytes of data in a single
+database.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name} = %{version}
+
+%description devel
+Development files for %{name}
+
+%prep
+%setup -q
+
+%build
+mkdir build
+cd build
+%cmake -DPORTABLE=1 ..
+make %{?_smp_mflags}
+
+%install
+cd build
+make install DESTDIR=%{buildroot}
+
+%files
+%license COPYING
+%license LICENSE.Apache
+%license LICENSE.leveldb
+%doc README.md
+%{_libdir}/*.so.*
+
+%files devel
+%{_includedir}/rocksdb
+%{_libdir}/{*.so,*.a}
+%{_libdir}/cmake/rocksdb
+/usr/src/debug/*
+
+%changelog
+* Thu Oct 08 2020 Pawel Winogrodzki 6.7.3-2
+- Fixed 'Source0' URL.
+- License verified.
+* Mon Mar 30 2020 Jonathan Chiu 6.7.3-1
+- Original version for CBL-Mariner.
diff --git a/SPECS/ruby/ruby.signatures.json b/SPECS/ruby/ruby.signatures.json
index e5159015a95..23d561aed19 100644
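Review bot: The `License:` tag `GPLv2+ and ASL 2.0 and BSD` does not match the three license files the package ships with `%license` (COPYING, LICENSE.Apache, LICENSE.leveldb): as far as I recall RocksDB is offered under GPLv2 *or* Apache-2.0 at the user's choice, with LevelDB's BSD code underneath, so the tag the "License verified" changelog entry should have produced is `(GPLv2 or ASL 2.0) and BSD` (and no `+`, since COPYING is plain GPLv2) — please confirm against the files in the tarball. `%files devel` also claims `/usr/src/debug/*`, which is the debug-source tree that find-debuginfo generates and the -debuginfo subpackage normally owns; if the glob matches those sources they end up in two packages, and if it matches nothing the build fails, so either way it does not belong in -devel. Finally, `Requires: %{name} = %{version}` in the devel subpackage should be `%{name} = %{version}-%{release}` so a devel package cannot be installed against a library from a different build of the same version. Since Source0 is a bare filename with the upstream URL only in a comment, the sha256 in rocksdb.signatures.json is the sole provenance; a short comment stating how the local tarball was produced from the GitHub archive would let the hash be reproduced independently.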
--- a/SPECS/ruby/ruby.signatures.json +++ b/SPECS/ruby/ruby.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "ruby-2.6.3.tar.xz": "11a83f85c03d3f0fc9b8a9b6cad1b2674f26c5aaa43ba858d4b0fcc2b54171e1" + "ruby-2.6.6.tar.xz": "5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f" } } \ No newline at end of file diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index 028e6ae06eb..8fbb4e49624 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec @@ -1,7 +1,7 @@ Summary: Ruby Name: ruby -Version: 2.6.3 -Release: 3%{?dist} +Version: 2.6.6 +Release: 1%{?dist} License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ Group: System Environment/Security @@ -53,6 +53,8 @@ rm -rf %{buildroot}/* %{_mandir}/man5/* %changelog +* Thu Oct 15 2020 Emre Girgin 2.6.6-1 +- Upgrade to 2.6.6 to resolve CVEs. * Sat May 09 00:20:42 PST 2020 Nick Samson - 2.6.3-3 - Added %%license line automatically * Wed May 06 2020 Pawel Winogrodzki 2.6.3-2 diff --git a/SPECS/span-lite/span-lite.signatures.json b/SPECS/span-lite/span-lite.signatures.json new file mode 100644 index 00000000000..db20ad715df --- /dev/null +++ b/SPECS/span-lite/span-lite.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "span-lite-0.7.0.tar.gz": "e95a9b281b46eb2b44257c6c4ec218c1741144c1167644896e29fd6aed9bbcf4" + } +} \ No newline at end of file diff --git a/SPECS/span-lite/span-lite.spec b/SPECS/span-lite/span-lite.spec new file mode 100644 index 00000000000..c5bf55aa63c --- /dev/null +++ b/SPECS/span-lite/span-lite.spec 
@@ -0,0 +1,58 @@
+%global debug_package %{nil}
+
+Summary: A single-file header-only version of a C++20-like span for C++98, C++11 and later
+Name: span-lite
+Version: 0.7.0
+Release: 2%{?dist}
+License: Boost
+URL: https://github.com/martinmoene/span-lite
+Group: System Environment
+Vendor: Microsoft Corporation
+Distribution: Mariner
+#Source0: %{url}/archive/v%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+
+BuildRequires: cmake
+BuildRequires: gcc
+
+%description
+A single-file header-only version of a C++20-like span for C++98, C++11 and later.
+
+%package devel
+Summary: Development files for %{name}
+
+%description devel
+Development files for %{name}
+
+%prep
+%setup
+
+%build
+mkdir build && cd build
+%cmake ..
+%make_build
+
+%check
+make test -C build
+
+%install
+%make_install -C build
+
+%clean
+rm -rf %{buildroot}/*
+
+%files devel
+%defattr(-,root,root)
+%doc README.md
+%license LICENSE.txt
+%{_includedir}/nonstd/span.hpp
+%{_libdir}/cmake/span-lite
+
+%changelog
+* Thu Oct 15 2020 Pawel Winogrodzki 0.7.0-2
+- License verified.
+- Added source URL.
+* Wed Aug 26 2020 Paco Huelsz Prince 0.7.0-1
+- Update to version 0.7.0.
+* Tue Feb 11 2020 Nick Bopp 0.6.0-1
+- Original version for CBL-Mariner.
diff --git a/SPECS/sqlite/CVE-2015-3717.nopatch b/SPECS/sqlite/CVE-2015-3717.nopatch
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/SPECS/sqlite/sqlite.spec b/SPECS/sqlite/sqlite.spec
index b0073dc9357..40d9efcd453 100644
--- a/SPECS/sqlite/sqlite.spec
+++ b/SPECS/sqlite/sqlite.spec
@@ -2,13 +2,15 @@ Summary: A portable, high level programming interface to various calling conventions Name: sqlite Version: 3.32.3 -Release: 1%{?dist} +Release: 2%{?dist} License: Public Domain URL: https://www.sqlite.org Group: System Environment/GeneralLibraries Vendor: Microsoft Corporation Distribution: Mariner Source0: https://www.sqlite.org/2020/%{name}-autoconf-%{sourcever}.tar.gz +# CVE-2015-3717 applies to versions shipped in iOS and OS X +Patch0: CVE-2015-3717.nopatch Obsoletes: sqlite-autoconf Requires: sqlite-libs = %{version}-%{release} Provides: sqlite3 @@ -35,7 +37,7 @@ Obsoletes: sqlite-autoconf The sqlite3 library. %prep -%setup -q -n %{name}-autoconf-%{sourcever} +%autosetup -p1 -n %{name}-autoconf-%{sourcever} %build %configure \ @@ -89,6 +91,8 @@ rm -rf %{buildroot}/* %{_libdir}/libsqlite3.so.0.8.6 %changelog +* Thu Oct 22 2020 Ruying Chen 3.32.3-2 +- Nopatch CVE-2015-3717. Applies to versions shipped in iOS and OS X. * Tue Jul 07 2020 Joe Schmitt 3.32.3-1 - Update to version 3.32.3 to fix CVE-2020-15358. - Update URL to use https. diff --git a/SPECS/strongswan/0001-Extending-timeout-for-test-cases-with-multiple-read-.patch b/SPECS/strongswan/0001-Extending-timeout-for-test-cases-with-multiple-read-.patch new file mode 100644 index 00000000000..69049e5b8c6 --- /dev/null +++ b/SPECS/strongswan/0001-Extending-timeout-for-test-cases-with-multiple-read-.patch 
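Review bot: The justification attached to the new `Patch0: CVE-2015-3717.nopatch` ("applies to versions shipped in iOS and OS X") gives the wrong reason for marking the CVE not applicable: NVD words that entry in terms of Apple products because Apple reported it, but as far as I recall the underlying bugs were in SQLite's own printf code and were fixed upstream in the 3.8.x line, so the defensible statement is that 3.32.3 already contains the upstream fix, not that the bug was Apple-only. I would reword both the comment and the changelog line to something like `# CVE-2015-3717: buffer overflows in SQLite's printf, fixed upstream in 3.8.x (verify exact release); 3.32.3 already contains the fix`, so an auditor does not dismiss it on the wrong grounds. The switch from `%setup -q` to `%autosetup -p1` means every `Patch` entry, including the zero-length `.nopatch` file, is now handed to patch(1); this convention is used elsewhere in the repo, so it presumably works, but it is worth confirming with a build of this spec since `%prep` previously applied no patches at all.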
@@ -0,0 +1,24 @@ +From 7c38995d360d4abf2d919fd08428f5cb2c1b015e Mon Sep 17 00:00:00 2001 +From: Pawel +Date: Mon, 5 Oct 2020 06:34:43 -0700 +Subject: [PATCH] Extending timeout for test cases with multiple read/writes. + +--- + src/libstrongswan/tests/suites/test_settings.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c +index e060960..df3b4ef 100644 +--- a/src/libstrongswan/tests/suites/test_settings.c ++++ b/src/libstrongswan/tests/suites/test_settings.c +@@ -1731,6 +1731,7 @@ Suite *settings_suite_create() + suite_add_tcase(s, tc); + + tc = tcase_create("valid/invalid data"); ++ tcase_set_timeout(tc, 10); + tcase_add_checked_fixture(tc, setup_base_config, teardown_config); + tcase_add_test(tc, test_valid); + tcase_add_test(tc, test_invalid); +-- +2.17.1 + diff --git a/SPECS/strongswan/strongswan.spec b/SPECS/strongswan/strongswan.spec index 82120bce889..a5b78a525c1 100644 --- a/SPECS/strongswan/strongswan.spec +++ b/SPECS/strongswan/strongswan.spec 
@@ -1,23 +1,24 @@ -Summary: The OpenSource IPsec-based VPN Solution -Name: strongswan -Version: 5.7.2 -Release: 2%{?dist} -License: GPLv2+ -URL: https://www.strongswan.org/ -Group: System Environment/Security +Summary: The OpenSource IPsec-based VPN Solution +Name: strongswan +Version: 5.7.2 +Release: 3%{?dist} +License: GPLv2+ +URL: https://www.strongswan.org/ +Group: System Environment/Security Vendor: Microsoft Corporation Distribution: Mariner -Source0: https://download.strongswan.org/%{name}-%{version}.tar.bz2 -BuildRequires: autoconf -BuildRequires: gmp-devel -Patch0: strongswan-fix-make-check.patch +Source0: https://download.strongswan.org/%{name}-%{version}.tar.bz2 + +BuildRequires: autoconf +BuildRequires: gmp-devel +Patch0: strongswan-fix-make-check.patch +Patch1: 0001-Extending-timeout-for-test-cases-with-multiple-read-.patch %description strongSwan is a complete IPsec implementation for Linux 2.6, 3.x, and 4.x kernels. %prep -%setup -q -%patch0 -p1 +%autosetup -p1 %build %configure @@ -51,9 +52,11 @@ rm -rf %{buildroot}/* %{_datadir}/strongswan/* %changelog -* Sat May 09 00:20:42 PST 2020 Nick Samson - 5.7.2-2 -- Added %%license line automatically - +* Mon Oct 05 2020 Pawel Winogrodzki 5.7.2-3 +- Adding a patch to extend the timeout for the ''valid/invalid data' test case. +- Switching to %%autosetup. +* Sat May 09 2020 Nick Samson 5.7.2-2 +- Added %%license line automatically * Wed Mar 18 2020 Henry Beberman 5.7.2-1 - Update to 5.7.2. Remove CVE patch fixed in 5.7.0. License verified. * Tue Sep 03 2019 Mateusz Malisz 5.6.3-4 diff --git a/SPECS/syslog-ng/60-syslog-ng-journald.conf b/SPECS/syslog-ng/60-syslog-ng-journald.conf new file mode 100644 index 00000000000..29a7331b3c7 --- /dev/null +++ b/SPECS/syslog-ng/60-syslog-ng-journald.conf @@ -0,0 +1,2 @@ +[Journal] +ForwardToSyslog=yes diff --git a/SPECS/syslog-ng/syslog-ng.service b/SPECS/syslog-ng/syslog-ng.service new file mode 100644 index 00000000000..3d561533f57 --- /dev/null 
+++ b/SPECS/syslog-ng/syslog-ng.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=System Logger Daemon
+Documentation=man:syslog-ng(8)
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/syslog-ng -F $SYSLOGNG_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+EnvironmentFile=-/etc/default/syslog-ng
+EnvironmentFile=-/etc/sysconfig/syslog-ng
+StandardOutput=journal
+StandardError=journal
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/syslog-ng/syslog-ng.signatures.json b/SPECS/syslog-ng/syslog-ng.signatures.json
new file mode 100755
index 00000000000..59164ff11f8
--- /dev/null
+++ b/SPECS/syslog-ng/syslog-ng.signatures.json
@@ -0,0 +1,7 @@
+{
+ "Signatures": {
+ "60-syslog-ng-journald.conf" : "c4c875396276951b491e799e9cdb5a090b2ca82a754967c7f310888373e51c40",
+ "syslog-ng-3.23.1.tar.gz" : "fb36cfc1982831f74143b77a924ee79714745b5e2b3ff59d086d09a77d0acd38",
+ "syslog-ng.service" : "8cdd00693233eef334bc943efdce634008911796681c8fc3454346a3bb0111b2"
+ }
+}
diff --git a/SPECS/syslog-ng/syslog-ng.spec b/SPECS/syslog-ng/syslog-ng.spec
new file mode 100644
index 00000000000..1be24355044
--- /dev/null
+++ b/SPECS/syslog-ng/syslog-ng.spec
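Review bot: The unit declares no ordering and no alias, so nothing ties it to the journald forwarding that `60-syslog-ng-journald.conf` switches on in the same change: journald hands forwarded messages to whatever binds /run/systemd/journal/syslog (normally `syslog.socket`, which activates `syslog.service`), and this unit neither carries `Alias=syslog.service` under `[Install]` nor any `After=`/`Wants=`. If syslog-ng's default `system()` source reads the journal directly when built with `--enable-systemd` as this spec does — which I believe it does — then `ForwardToSyslog=yes` is redundant and can double-ingest every message; if instead the forwarded socket is the intended input, the unit needs the alias and the shipped syslog-ng.conf must bind that socket. Either way the intent should be stated in a comment in the unit or the drop-in. The daemon also runs as root with no sandboxing; `ProtectHome=yes` and `NoNewPrivileges=yes` are usually harmless for a syslog daemon and worth adding, though confirm nothing in `$SYSLOGNG_OPTS` relies on re-execing with elevated capabilities.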
@@ -0,0 +1,239 @@
+%{!?python2_sitelib: %global python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
+%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
+Summary: Next generation system logger facilty
+Name: syslog-ng
+Version: 3.23.1
+Release: 2%{?dist}
+License: BSD and GPLv2+ and LGPLv2+
+URL: https://syslog-ng.org/
+Group: System Environment/Daemons
+Vendor: Microsoft Corporation
+Distribution: Mariner
+
+Source0: https://github.com/balabit/%{name}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source1: 60-syslog-ng-journald.conf
+Source2: syslog-ng.service
+
+Requires: glib
+Requires: json-glib
+Requires: json-c
+Requires: systemd
+
+BuildRequires: glib-devel
+BuildRequires: json-glib-devel
+BuildRequires: json-c-devel
+BuildRequires: systemd-devel
+BuildRequires: python2-devel
+BuildRequires: python2
+BuildRequires: python2-libs
+BuildRequires: python3
+BuildRequires: python3-devel
+BuildRequires: python3-libs
+%if %{with_check}
+BuildRequires: curl-devel
+%endif
+Obsoletes: eventlog
+
+%description
+ The syslog-ng application is a flexible and highly scalable
+ system logging tool. It is often used to manage log messages and implement
+ centralized logging, where the aim is to collect the log messages of several
+ devices to a single, central log server.
+
+%package -n python2-syslog-ng
+Summary: python2-syslog-ng
+Requires: python2
+Requires: python2-libs
+
+%description -n python2-syslog-ng
+Python 2 version.
+
+%package -n python3-syslog-ng
+Summary: python3-syslog-ng
+Requires: python3
+Requires: python3-libs
+
+%description -n python3-syslog-ng
+Python 3 version.
+
+%package devel
+Summary: Header and development files for syslog-ng
+Requires: %{name} = %{version}-%{release}
+%description devel
+ syslog-ng-devel package contains header files, pkfconfig files, and libraries
+ needed to build applications using syslog-ng APIs.
+
+%prep
+%setup -q
+rm -rf ../p3dir
+cp -a . ../p3dir
+%build
+
+%configure \
+ CFLAGS="%{optflags}" \
+ CXXFLAGS="%{optflags}" \
+ --disable-silent-rules \
+ --sysconfdir=/etc/syslog-ng \
+ --enable-systemd \
+ --with-systemdsystemunitdir=%{_libdir}/systemd/system \
+ --enable-json=yes \
+ --with-jsonc=system \
+ --disable-java \
+ --disable-redis \
+ --with-python=2 \
+ PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
+make %{?_smp_mflags}
+
+pushd ../p3dir
+%configure \
+ CFLAGS="%{optflags}" \
+ CXXFLAGS="%{optflags}" \
+ --disable-silent-rules \
+ --sysconfdir=/etc/syslog-ng \
+ --enable-systemd \
+ --with-systemdsystemunitdir=%{_libdir}/systemd/system \
+ --enable-json=yes \
+ --with-jsonc=system \
+ --disable-java \
+ --disable-redis \
+ --with-python=3 \
+ PYTHON=/bin/python3 \
+ PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
+make %{?_smp_mflags}
+
+popd
+
+%install
+[ %{buildroot} != "/"] && rm -rf %{buildroot}/*
+make DESTDIR=%{buildroot} install
+find %{buildroot} -name "*.la" -exec rm -f {} \;
+rm %{buildroot}/%{_libdir}/systemd/system/syslog-ng@.service
+rm -rf %{buildroot}/%{_infodir}
+install -vd %{buildroot}%{_sysconfdir}/systemd/journald.conf.d/
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/systemd/journald.conf.d/
+install -p -m 644 %{SOURCE2} %{buildroot}%{_libdir}/systemd/system/
+%{_fixperms} %{buildroot}/*
+
+pushd ../p3dir
+make DESTDIR=%{buildroot} install
+rm %{buildroot}/%{_libdir}/systemd/system/syslog-ng@.service
+rm -rf %{buildroot}/%{_infodir}
+sed -i 's/eventlog//g' %{buildroot}%{_libdir}/pkgconfig/syslog-ng.pc
+find %{buildroot} -name "*.la" -exec rm -f {} \;
+popd
+
+install -vdm755 %{buildroot}%{_libdir}/systemd/system-preset
+echo "disable syslog-ng.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-syslog-ng.preset
+
+%check
+easy_install_2=$(ls /usr/bin |grep easy_install |grep 2)
+$easy_install_2 unittest2
+$easy_install_2 nose
+$easy_install_2 ply
+$easy_install_2 pep8
+make %{?_smp_mflags} check
+pushd ../p3dir
+easy_install_3=$(ls /usr/bin |grep easy_install |grep 3)
+$easy_install_3 unittest2
+$easy_install_3 nose
+$easy_install_3 ply
+$easy_install_3 pep8
+make %{?_smp_mflags} check
+popd
+
+%post
+if [ $1 -eq 1 ] ; then
+ mkdir -p /usr/var/
+fi
+%systemd_post syslog-ng.service
+
+%preun
+%systemd_preun syslog-ng.service
+
+%postun
+%systemd_postun_with_restart syslog-ng.service
+
+%clean
+rm -rf %{buildroot}/*
+
+%files
+%defattr(-,root,root)
+%license COPYING GPL.txt LGPL.txt
+%config(noreplace) %{_sysconfdir}/syslog-ng/syslog-ng.conf
+%config(noreplace) %{_sysconfdir}/syslog-ng/scl.conf
+%{_sysconfdir}/systemd/journald.conf.d/*
+%{_libdir}/systemd/system/syslog-ng.service
+%{_libdir}/systemd/system-preset/50-syslog-ng.preset
+/usr/bin/*
+/usr/sbin/syslog-ng
+/usr/sbin/syslog-ng-ctl
+/usr/sbin/syslog-ng-debun
+%{_libdir}/libsyslog-ng-*.so.*
+%{_libdir}/libevtlog-*.so.*
+%{_libdir}/libloggen_helper*
+%{_libdir}/libloggen_plugin*
+%{_libdir}/libsecret-storage*
+%{_libdir}/%{name}/loggen/*
+%{_libdir}/syslog-ng/lib*.so
+/usr/share/syslog-ng/*
+
+%files -n python2-syslog-ng
+%defattr(-,root,root)
+%{_libdir}/syslog-ng/python/*
+
+%files -n python3-syslog-ng
+%defattr(-,root,root,-)
+%{_libdir}/syslog-ng/python/*
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/syslog-ng/*
+%{_libdir}/libsyslog-ng.so
+%{_libdir}/libevtlog.so
+%{_libdir}/libsyslog-ng-native-connector.a
+%{_libdir}/pkgconfig/*
+
+%changelog
+* Tue Oct 13 2020 Pawel Winogrodzki 3.23.1-2
+- Added the %%license macro.
+- License verified.
+* Wed Mar 18 2020 Henry Beberman 3.23.1-1
+- Update to 3.23.1. License fixed.
+* Tue Sep 03 2019 Mateusz Malisz 3.17.2-2
+- Initial CBL-Mariner import from Photon (license: Apache2).
+* Wed Oct 10 2018 Ankit Jain 3.17.2-1
+- Update to version 3.17.2
+* Mon Sep 11 2017 Dheeraj Shetty 3.11.1-3
+- Obsolete eventlog.
+* Mon Sep 04 2017 Dheeraj Shetty 3.11.1-2
+- Use old service file.
+* Fri Aug 18 2017 Dheeraj Shetty 3.11.1-1
+- Update to version 3.11.1
+* Thu Jun 29 2017 Divya Thaluru 3.9.1-3
+- Disabled syslog-ng service by default
+* Thu May 18 2017 Xiaolin Li 3.9.1-2
+- Move python2 requires to python2 subpackage and added python3 binding.
+* Tue Apr 11 2017 Vinay Kulkarni 3.9.1-1
+- Update to version 3.9.1
+* Tue Oct 04 2016 ChangLee 3.6.4-6
+- Modified %check
+* Thu May 26 2016 Divya Thaluru 3.6.4-5
+- Fixed logic to restart the active services after upgrade
+* Tue May 24 2016 Priyesh Padmavilasom 3.6.4-4
+- GA - Bump release of all rpms
+* Wed May 4 2016 Priyesh Padmavilasom 3.6.4-3
+- Fix for upgrade issues
+* Wed Feb 17 2016 Anish Swaminathan 3.6.4-2
+- Add journald conf file.
+* Wed Jan 20 2016 Anish Swaminathan 3.6.4-1
+- Upgrade version.
+* Tue Jan 12 2016 Anish Swaminathan 3.6.2-5
+- Change config file attributes.
+* Wed Dec 09 2015 Mahmoud Bassiouny 3.6.2-4
+- Moving files from devel rpm to the main package.
+* Wed Aug 05 2015 Kumar Kaushik 3.6.2-3
+- Adding preun section.
+* Sat Jul 18 2015 Vinay Kulkarni 3.6.2-2
+- Split headers and unshared libs over to devel package.
+* Thu Jun 4 2015 Vinay Kulkarni 3.6.2-1
+- Add syslog-ng support to photon.
diff --git a/SPECS/systemd/100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch b/SPECS/systemd/100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch
new file mode 100644
index 00000000000..6bf30e87622
--- /dev/null
+++ b/SPECS/systemd/100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch
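Review bot: `%check` bootstraps its test dependencies with `easy_install unittest2 nose ply pep8` (once per interpreter), which downloads unpinned, unverified packages from PyPI at build time and installs them into the build host's Python — a reproducibility problem and a supply-chain hole in a package that is itself the system log sink — and the `$(ls /usr/bin |grep easy_install |grep 2)` lookup can match several binaries and then expand to a multi-word command. Those should become `BuildRequires` on the distro's packaged python2-/python3- test modules inside the existing `%if %{with_check}` block, with the easy_install lines deleted. Separately, the guard in `%install` reads `[ %{buildroot} != "/"] && rm -rf %{buildroot}/*`: the missing space before `]` makes test(1) fail with "missing ]", so the `rm` never runs and, because the failure is on the left of `&&`, `sh -e` does not abort either; it should be `[ "%{buildroot}" != "/" ] && rm -rf "%{buildroot}"/*`. Finally, `python2-syslog-ng` and `python3-syslog-ng` both list `%{_libdir}/syslog-ng/python/*`, and the second `make install` (from `../p3dir`) writes into the same buildroot over the first, so both subpackages ship the Python 3 build of the module under identical paths and cannot be co-installed; the python2 module has to be installed to a distinct location (or copied aside) before the p3dir install, and each %files list must name only its own copy.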
@@ -0,0 +1,32 @@ +From 992a2e98add398e4c081489d747cd62332ed7e2b Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 4 Oct 2019 14:45:41 +0100 +Subject: [PATCH] portabled: allow to detach an image with a unit in + linked-runtime state + +This is necessary when a directory was attached with +--copy=symlink, otherwise detach will always fail. + +Fixed #13725 + +(cherry picked from commit c3d809ef72db616391a1a2b738eae137f9024e3f) +--- + src/portable/portable.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index eb5daf3b0e..5fd14c70b6 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -1185,7 +1185,7 @@ int portable_detach( + r = unit_file_lookup_state(UNIT_FILE_SYSTEM, &paths, de->d_name, &state); + if (r < 0) + return log_debug_errno(r, "Failed to determine unit file state of '%s': %m", de->d_name); +- if (!IN_SET(state, UNIT_FILE_STATIC, UNIT_FILE_DISABLED, UNIT_FILE_LINKED, UNIT_FILE_RUNTIME)) ++ if (!IN_SET(state, UNIT_FILE_STATIC, UNIT_FILE_DISABLED, UNIT_FILE_LINKED, UNIT_FILE_RUNTIME, UNIT_FILE_LINKED_RUNTIME)) + return sd_bus_error_setf(error, BUS_ERROR_UNIT_EXISTS, "Unit file '%s' is in state '%s', can't detach.", de->d_name, unit_file_state_to_string(state)); + + r = unit_file_is_active(bus, de->d_name, error); +-- +2.20.1 + diff --git a/SPECS/systemd/101-Portabled-fix-inspect-on-image-attached-as-directory.patch b/SPECS/systemd/101-Portabled-fix-inspect-on-image-attached-as-directory.patch new file mode 100644 index 00000000000..86dc2f28f1e --- /dev/null +++ b/SPECS/systemd/101-Portabled-fix-inspect-on-image-attached-as-directory.patch 
@@ -0,0 +1,44 @@ +From 1d2d0c4bece89adbbc32abb2f38c0efd9080e1d7 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 22 Jan 2020 15:56:24 +0000 +Subject: [PATCH] Portabled: fix inspect on image attached as directory + +When a portable image is attached as a directory, inspect will fail +as the directory will be symlinked under [/run|/etc]/portables and +chase_symlinks will try to open the resolved link to the full +absolute path of the image under [/run|/etc]/portables/. + +(eg: /run/portables/test/home/user/test/etc/os-release) + +Resolve the symlink beforehand to fix the issue. + +Fixes #14634 + +(cherry picked from commit a409d1f5c6ba21ce9f7b113da69b98072f77ca16) +--- + src/portable/portable.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index 3491723aa1..ea6dc51a30 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -373,8 +373,14 @@ static int portable_extract_by_path( + if (r == -EISDIR) { + /* We can't turn this into a loop-back block device, and this returns EISDIR? Then this is a directory + * tree and not a raw device. It's easy then. */ ++ /* Resolve the link to the directory tree. If it's a symlink, chase_symlink of path + "/etc/os-release" ++ * as called by open_os_release will fail (see: #14634). */ ++ _cleanup_free_ char *path_resolve = NULL; + +- r = extract_now(path, matches, -1, &os_release, &unit_files); ++ r = chase_symlinks(path, "/", CHASE_PREFIX_ROOT, &path_resolve); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to resolve image directory path %s: %m", path); ++ r = extract_now(path_resolve, matches, -1, &os_release, &unit_files); + if (r < 0) + return r; + +-- +2.20.1 + diff --git a/SPECS/systemd/102-portablectl-add-now-and-enable-to-attach-detach.patch b/SPECS/systemd/102-portablectl-add-now-and-enable-to-attach-detach.patch new file mode 100644 index 00000000000..6e8f48a5a60 --- /dev/null 
+++ b/SPECS/systemd/102-portablectl-add-now-and-enable-to-attach-detach.patch 
@@ -0,0 +1,365 @@ +From 3da654d9e508002c66d7d66cd1444a971e6c1aff Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 23 Jan 2020 16:50:15 +0000 +Subject: [PATCH 2/3] portablectl: add --now and --enable to attach/detach + +Add shortcuts to enable and start, or disable and stop, portable +services with a single portablectl command. +Allow to pass a filter on detach, as it's necessary to call +GetImageMetadata to get the unit names associated with an image. + +Fixes #10232 +--- + man/portablectl.xml | 20 ++- + shell-completion/bash/portablectl | 2 +- + src/portable/portablectl.c | 205 +++++++++++++++++++++++++++++- + 3 files changed, 223 insertions(+), 4 deletions(-) + +diff --git a/man/portablectl.xml b/man/portablectl.xml +index 0926991cbe..5078087e70 100644 +--- a/man/portablectl.xml ++++ b/man/portablectl.xml +@@ -123,6 +123,18 @@ + contents of the image. + + ++ ++ ++ ++ Immediately enable/disable the portable service after attach/detach. ++ ++ ++ ++ ++ ++ Immediately start/stop the portable service after attach/before detach. ++ ++ + + + +@@ -202,11 +214,14 @@ + By default, after the unit files are attached the service manager's configuration is reloaded, except + when is specified (see above). This ensures that the new units made available to + the service manager are seen by it. ++ ++ If and/or are passed, the portable service(s) are ++ immediately started and/or enabled after attaching the image. + + + + +- detach IMAGE ++ detach IMAGE [PREFIX…] + + Detaches a portable service image from the host. This undoes the operations executed by the + attach command above, and removes the unit file copies, drop-ins and image symlink +@@ -214,6 +229,9 @@ + component of it (i.e. the file or directory name itself, not the path to it) is used for finding matching unit + files. This is a convencience feature to allow all arguments passed as attach also to + detach. 
++ ++ If and/or are passed, prefix(es) are also necessary so ++ that the associated units can be stopped and/or disabled before detaching the image. + + + +diff --git a/shell-completion/bash/portablectl b/shell-completion/bash/portablectl +index 22455d2c1e..a9511b6ce7 100644 +--- a/shell-completion/bash/portablectl ++++ b/shell-completion/bash/portablectl +@@ -35,7 +35,7 @@ _portablectl() { + local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} + local -A OPTS=( + [STANDALONE]='-q --quiet --runtime --no-reload --cat --no-pager --no-legend +- --no-ask-password -h --help --version' ++ --no-ask-password -h --help --version --enable --now' + [ARG]='-p --profile --copy -H --host -M --machine' + ) + +diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c +index b4895e6380..8ec9540786 100644 +--- a/src/portable/portablectl.c ++++ b/src/portable/portablectl.c +@@ -7,6 +7,7 @@ + + #include "alloc-util.h" + #include "bus-error.h" ++#include "bus-unit-util.h" + #include "bus-util.h" + #include "def.h" + #include "dirent-util.h" +@@ -36,6 +37,8 @@ static bool arg_reload = true; + static bool arg_cat = false; + static BusTransport arg_transport = BUS_TRANSPORT_LOCAL; + static char *arg_host = NULL; ++static bool arg_enable = false; ++static bool arg_now = false; + + static int determine_image(const char *image, bool permit_non_existing, char **ret) { + int r; +@@ -389,6 +392,90 @@ static int print_changes(sd_bus_message *m) { + return 0; + } + ++static int maybe_enable_disable(sd_bus *bus, const char *path, bool enable) { ++ _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL, *reply = NULL; ++ _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; ++ _cleanup_strv_free_ char **names = NULL; ++ UnitFileChange *changes = NULL; ++ size_t n_changes = 0; ++ int r; ++ ++ if (!arg_enable) ++ return 0; ++ ++ names = strv_new(path, NULL); ++ ++ r = sd_bus_message_new_method_call( ++ bus, ++ &m, ++ "org.freedesktop.systemd1", ++ 
"/org/freedesktop/systemd1", ++ "org.freedesktop.systemd1.Manager", ++ enable ? "EnableUnitFiles" : "DisableUnitFiles"); ++ if (r < 0) ++ return bus_log_create_error(r); ++ ++ r = sd_bus_message_append_strv(m, names); ++ if (r < 0) ++ return bus_log_create_error(r); ++ ++ r = sd_bus_message_append(m, "b", arg_runtime); ++ if (r < 0) ++ return bus_log_create_error(r); ++ ++ if (enable) { ++ r = sd_bus_message_append(m, "b", false); ++ if (r < 0) ++ return bus_log_create_error(r); ++ } ++ ++ r = sd_bus_call(bus, m, 0, &error, &reply); ++ if (r < 0) ++ return log_error_errno(r, "Failed to %s the portable service %s: %s", ++ enable ? "enable" : "disable", path, bus_error_message(&error, r)); ++ ++ if (enable) { ++ r = sd_bus_message_skip(reply, "b"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ } ++ (void) bus_deserialize_and_dump_unit_file_changes(reply, arg_quiet, &changes, &n_changes); ++ ++ return 0; ++} ++ ++static int maybe_start_stop(sd_bus *bus, const char *path, bool start) { ++ _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; ++ _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; ++ char *name = (char *)basename(path), *job = NULL; ++ int r; ++ ++ if (!arg_now) ++ return 0; ++ ++ r = sd_bus_call_method( ++ bus, ++ "org.freedesktop.systemd1", ++ "/org/freedesktop/systemd1", ++ "org.freedesktop.systemd1.Manager", ++ start ? "StartUnit" : "StopUnit", ++ &error, ++ &reply, ++ "ss", name, "replace"); ++ if (r < 0) ++ return log_error_errno(r, "Failed to %s the portable service %s: %s", ++ start ? "start" : "stop", path, bus_error_message(&error, r)); ++ ++ r = sd_bus_message_read(reply, "o", &job); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ if (!arg_quiet) ++ log_info("Queued %s to %s portable service %s.", job, start ? 
"start" : "stop", name); ++ ++ return 0; ++} ++ + static int attach_image(int argc, char *argv[], void *userdata) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL, *reply = NULL; + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +@@ -440,6 +527,35 @@ static int attach_image(int argc, char *argv[], void *userdata) { + (void) maybe_reload(&bus); + + print_changes(reply); ++ ++ if (arg_enable || arg_now) { ++ r = sd_bus_message_rewind(reply, 1); ++ if (r < 0) ++ return r; ++ r = sd_bus_message_enter_container(reply, 'a', "(sss)"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ for (;;) { ++ char *type, *path, *source; ++ ++ r = sd_bus_message_read(reply, "(sss)", &type, &path, &source); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ if (r == 0) ++ break; ++ ++ if ((streq(type, "symlink") || streq(type, "copy")) && endswith(path, ".service")) { ++ (void) maybe_enable_disable(bus, path, true); ++ (void) maybe_start_stop(bus, path, true); ++ } ++ } ++ ++ r = sd_bus_message_exit_container(reply); ++ if (r < 0) ++ return r; ++ } ++ + return 0; + } + +@@ -460,6 +576,74 @@ static int detach_image(int argc, char *argv[], void *userdata) { + + (void) polkit_agent_open_if_enabled(arg_transport, arg_ask_password); + ++ if (arg_now || arg_enable) { ++ _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; ++ _cleanup_strv_free_ char **matches = NULL; ++ ++ r = determine_matches(argv[1], argv + 2, true, &matches); ++ if (r < 0) ++ return r; ++ ++ r = sd_bus_message_new_method_call( ++ bus, ++ &m, ++ "org.freedesktop.portable1", ++ "/org/freedesktop/portable1", ++ "org.freedesktop.portable1.Manager", ++ "GetImageMetadata"); ++ if (r < 0) ++ return bus_log_create_error(r); ++ ++ r = sd_bus_message_append(m, "s", image); ++ if (r < 0) ++ return bus_log_create_error(r); ++ ++ r = sd_bus_message_append_strv(m, matches); ++ if (r < 0) ++ return bus_log_create_error(r); ++ ++ r = sd_bus_call(bus, m, 0, &error, &reply); ++ if (r < 0) ++ 
return log_error_errno(r, "Failed to inspect image metadata: %s", bus_error_message(&error, r)); ++ ++ r = sd_bus_message_skip(reply, "say"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ r = sd_bus_message_enter_container(reply, 'a', "{say}"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ for (;;) { ++ const char *name; ++ ++ r = sd_bus_message_enter_container(reply, 'e', "say"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ if (r == 0) ++ break; ++ ++ r = sd_bus_message_read(reply, "s", &name); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ r = sd_bus_message_skip(reply, "ay"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ r = sd_bus_message_exit_container(reply); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ (void) maybe_start_stop(bus, name, false); ++ (void) maybe_enable_disable(bus, name, false); ++ } ++ ++ r = sd_bus_message_exit_container(reply); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ } ++ + r = sd_bus_call_method( + bus, + "org.freedesktop.portable1", +@@ -792,11 +976,16 @@ static int help(int argc, char *argv[], void *userdata) { + " --no-reload Don't reload the system and service manager\n" + " --cat When inspecting include unit and os-release file\n" + " contents\n\n" ++ " --enable Immediately enable/disable the portable service\n" ++ " after attach/detach\n" ++ " --now Immediately start/stop the portable service after\n" ++ " attach/before detach\n" + "Commands:\n" + " list List available portable service images\n" + " attach NAME|PATH [PREFIX...]\n" + " Attach the specified portable service image\n" +- " detach NAME|PATH Detach the specified portable service image\n" ++ " detach NAME|PATH [PREFIX...]\n" ++ " Detach the specified portable service image\n" + " inspect NAME|PATH [PREFIX...]\n" + " Show details of specified portable service image\n" + " is-attached NAME|PATH Query if portable service image is attached\n" +@@ -819,6 +1008,8 @@ static int parse_argv(int argc, char *argv[]) { + 
ARG_RUNTIME, + ARG_NO_RELOAD, + ARG_CAT, ++ ARG_ENABLE, ++ ARG_NOW, + }; + + static const struct option options[] = { +@@ -835,6 +1026,8 @@ static int parse_argv(int argc, char *argv[]) { + { "runtime", no_argument, NULL, ARG_RUNTIME }, + { "no-reload", no_argument, NULL, ARG_NO_RELOAD }, + { "cat", no_argument, NULL, ARG_CAT }, ++ { "enable", no_argument, NULL, ARG_ENABLE }, ++ { "now", no_argument, NULL, ARG_NOW }, + {} + }; + +@@ -924,6 +1117,14 @@ static int parse_argv(int argc, char *argv[]) { + arg_cat = true; + break; + ++ case ARG_ENABLE: ++ arg_enable = true; ++ break; ++ ++ case ARG_NOW: ++ arg_now = true; ++ break; ++ + case '?': + return -EINVAL; + +@@ -941,7 +1142,7 @@ int main(int argc, char *argv[]) { + { "help", VERB_ANY, VERB_ANY, 0, help }, + { "list", VERB_ANY, 1, VERB_DEFAULT, list_images }, + { "attach", 2, VERB_ANY, 0, attach_image }, +- { "detach", 2, 2, 0, detach_image }, ++ { "detach", 2, VERB_ANY, 0, detach_image }, + { "inspect", 2, VERB_ANY, 0, inspect_image }, + { "is-attached", 2, 2, 0, is_image_attached }, + { "read-only", 2, 3, 0, read_only_image }, +-- +2.20.1 + diff --git a/SPECS/systemd/103-core-allow-portablectl-to-load-new-services-without-.patch b/SPECS/systemd/103-core-allow-portablectl-to-load-new-services-without-.patch new file mode 100644 index 00000000000..0f425571f7d --- /dev/null +++ b/SPECS/systemd/103-core-allow-portablectl-to-load-new-services-without-.patch 
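Review bot: In attach_image the return values of maybe_enable_disable() and maybe_start_stop() are discarded with `(void)`, so `portablectl attach --enable --now` exits 0 even when EnableUnitFiles or StartUnit failed and the error was only logged; the stop/disable loop added to detach_image has the same shape. Callers that script attach and then rely on the exit status would not see the failure, so keep the first negative result from the loop (`r = maybe_start_stop(bus, path, true); if (r < 0 && ret >= 0) ret = r;`) and return it after sd_bus_message_exit_container() succeeds. maybe_enable_disable() also does `names = strv_new(path, NULL);` without a NULL check before passing it to sd_bus_message_append_strv(); `if (!names) return log_oom();` would match the surrounding error handling. Since this file is a cherry-pick, these belong in a follow-up patch in the series rather than an edit to this one; both enclosing functions continue outside the hunk.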
@@ -0,0 +1,96 @@ +From bcaae81db2f4eae735c32527632a43920cee536c Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 23 Jan 2020 16:51:35 +0000 +Subject: [PATCH 3/3] core: allow portablectl to load new services without + daemon-reload + +When using portable services at medium scale on an arm64 8 core board, +by attaching, daemon-reloading and starting each one in a row, at about +40 services the system starts to croak, everything hangs and times out: +sometimes portablectl times out while trying to contact portabled, +sometimes portabled times out while trying to contact systemd, and +sometimes both happen at the same time. + +On arm64 qemu the limit is even lower, about 5 services are enough. +A daemon-reload takes between 30 seconds and a minute there, and it's +a heavy operation that stalls the manager in the meanwhile. + +Given portable services are most likely leaves, allow to start them +(and only them, by checking that the unit path is in system.attached) +without a daemon-reload. + +The same arm64 board with this change shows no issues anymore, tested +with up to 100 portable services. +--- + src/core/manager.c | 24 +++++++++++++++++++----- + src/portable/portablectl.c | 5 ++++- + 2 files changed, 23 insertions(+), 6 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index a4b0b432c4..61e9fb6689 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1910,6 +1910,13 @@ int manager_load_unit_prepare( + if (!name) + name = basename(path); + ++ /* We might have been given a full path as a name by portablectl attach. 
*/ ++ if (!path && is_path(name) && ++ (startswith(name, "/etc/systemd/system/") || startswith(name, "/run/systemd/system/"))) { ++ path = name; ++ name = basename(path); ++ } ++ + t = unit_name_to_type(name); + + if (t == _UNIT_TYPE_INVALID || !unit_name_is_valid(name, UNIT_NAME_PLAIN|UNIT_NAME_INSTANCE)) { +@@ -1922,13 +1929,20 @@ int manager_load_unit_prepare( + ret = manager_get_unit(m, name); + if (ret) { + *_ret = ret; +- return 1; ++ /* If the unit is already known (eg: referenced by a target) but ++ * it's not loaded yet, and we were given a path where to find it, set ++ * the state as STUB so that the unit_add_to_*_queue calls load it. */ ++ if (ret->load_state == UNIT_NOT_FOUND && path && ++ (startswith(path, "/etc/systemd/system/") || startswith(path, "/run/systemd/system/"))) ++ ret->load_state = UNIT_STUB; ++ else ++ return 1; ++ } else { ++ ret = cleanup_ret = unit_new(m, unit_vtable[t]->object_size); ++ if (!ret) ++ return -ENOMEM; + } + +- ret = cleanup_ret = unit_new(m, unit_vtable[t]->object_size); +- if (!ret) +- return -ENOMEM; +- + if (path) { + ret->fragment_path = strdup(path); + if (!ret->fragment_path) +diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c +index 8ec9540786..b182fdbe0d 100644 +--- a/src/portable/portablectl.c ++++ b/src/portable/portablectl.c +@@ -447,12 +447,15 @@ static int maybe_enable_disable(sd_bus *bus, const char *path, bool enable) { + static int maybe_start_stop(sd_bus *bus, const char *path, bool start) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +- char *name = (char *)basename(path), *job = NULL; ++ char *name = (char *)path, *job = NULL; + int r; + + if (!arg_now) + return 0; + ++ if (arg_reload) ++ name = basename(path); ++ + r = sd_bus_call_method( + bus, + "org.freedesktop.systemd1", +-- +2.20.1 + 
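Review bot: The new guard in manager_load_unit_prepare() is a plain startswith() against `/etc/systemd/system/` and `/run/systemd/system/`, whereas the commit message says the unit path is checked to be in system.attached; the code as written accepts any unit under those two directories, and because the string is not normalized first, any path that merely begins with one of those prefixes. StartUnit callers are polkit-gated, so this is probably not reachable by unprivileged clients, but the backport description should match the behaviour, and adding a normalization condition (e.g. `path_is_normalized(name)`) or checking the directory that actually holds the attached units would make the guard mean what the message claims. In the second hunk a unit already known as UNIT_NOT_FOUND is flipped back to UNIT_STUB and then falls into the `if (path)` block that strdup()s fragment_path; whether an earlier fragment_path can be leaked there is not visible in the hunk and is worth confirming. Both enclosing functions continue outside the hunk.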
diff --git a/SPECS/systemd/104-portablectl-block-when-stopping-a-unit-on-detach-now.patch b/SPECS/systemd/104-portablectl-block-when-stopping-a-unit-on-detach-now.patch new file mode 100644 index 00000000000..cf202fb5eeb --- /dev/null +++ b/SPECS/systemd/104-portablectl-block-when-stopping-a-unit-on-detach-now.patch 
@@ -0,0 +1,104 @@ +From fbcf95ece423431911a0c6f10a0136f752c308fe Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 12 Feb 2020 17:27:43 +0000 +Subject: [PATCH] portablectl: block when stopping a unit on detach (--now) + +If portablectl detach --now is used, there's a possible race condition +where the unit is not stopped in time before the detach is attempted, +which causes it to fail. +Add a DBUS call to block after starting/stopping if --now is passed, +and add a --no-block parameter to skip it optionally when starting, +since it is not necessary in that case for correct functioning. +--- + src/portable/portablectl.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c +index f15ee6145b..a48e022ea6 100644 +--- a/src/portable/portablectl.c ++++ b/src/portable/portablectl.c +@@ -39,6 +39,7 @@ static BusTransport arg_transport = BUS_TRANSPORT_LOCAL; + static char *arg_host = NULL; + static bool arg_enable = false; + static bool arg_now = false; ++static bool arg_no_block = false; + + static int determine_image(const char *image, bool permit_non_existing, char **ret) { + int r; +@@ -447,6 +448,7 @@ static int maybe_enable_disable(sd_bus *bus, const char *path, bool enable) { + } + + static int maybe_start_stop(sd_bus *bus, const char *path, bool start) { ++ _cleanup_(bus_wait_for_jobs_freep) BusWaitForJobs *wait = NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + char *name = (char *)path, *job = NULL; +@@ -458,6 +460,12 @@ static int maybe_start_stop(sd_bus *bus, const char *path, bool start) { + if (arg_reload) + name = basename(path); + ++ if (!arg_no_block || !start) { ++ r = bus_wait_for_jobs_new(bus, &wait); ++ if (r < 0) ++ return log_error_errno(r, "Could not watch jobs: %m"); ++ } ++ + r = sd_bus_call_method( + bus, + "org.freedesktop.systemd1", +@@ -478,6 +486,17 @@ static 
int maybe_start_stop(sd_bus *bus, const char *path, bool start) { + if (!arg_quiet) + log_info("Queued %s to %s portable service %s.", job, start ? "start" : "stop", name); + ++ /* Stopping must always block or the detach will fail if the unit is still running */ ++ if (!arg_no_block || !start) { ++ r = bus_wait_for_jobs_add(wait, job); ++ if (r < 0) ++ return log_error_errno(r, "Failed to watch %s job for %s %s: %m", ++ job, start ? "starting" : "stopping", name); ++ r = bus_wait_for_jobs(wait, arg_quiet, NULL); ++ if (r < 0) ++ return r; ++ } ++ + return 0; + } + +@@ -1005,6 +1024,7 @@ static int help(int argc, char *argv[], void *userdata) { + " after attach/detach\n" + " --now Immediately start/stop the portable service after\n" + " attach/before detach\n" ++ " --no-block Don't block waiting for attach --now to complete\n" + "Commands:\n" + " list List available portable service images\n" + " attach NAME|PATH [PREFIX...]\n" +@@ -1035,6 +1055,7 @@ static int parse_argv(int argc, char *argv[]) { + ARG_CAT, + ARG_ENABLE, + ARG_NOW, ++ ARG_NO_BLOCK, + }; + + static const struct option options[] = { +@@ -1053,6 +1074,7 @@ static int parse_argv(int argc, char *argv[]) { + { "cat", no_argument, NULL, ARG_CAT }, + { "enable", no_argument, NULL, ARG_ENABLE }, + { "now", no_argument, NULL, ARG_NOW }, ++ { "no-block", no_argument, NULL, ARG_NO_BLOCK }, + {} + }; + +@@ -1150,6 +1172,10 @@ static int parse_argv(int argc, char *argv[]) { + arg_now = true; + break; + ++ case ARG_NO_BLOCK: ++ arg_no_block = true; ++ break; ++ + case '?': + return -EINVAL; + +-- +2.20.1 + diff --git a/SPECS/systemd/105-portablectl-use-replace-unload-when-stopping-a-servi.patch b/SPECS/systemd/105-portablectl-use-replace-unload-when-stopping-a-servi.patch new file mode 100644 index 00000000000..1e85675fc1e --- /dev/null +++ b/SPECS/systemd/105-portablectl-use-replace-unload-when-stopping-a-servi.patch 
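Review bot: `--no-block` is wired into help(), the ARG_ enum and the getopt table, but unlike `--enable`/`--now` in the 102 patch it is not added to shell-completion/bash/portablectl or to man/portablectl.xml, so the series leaves completion and documentation behind for this option. Add `--no-block` to the `[STANDALONE]` list in the completion script and a man page entry mirroring the help text (`Don't block waiting for attach --now to complete`), as a follow-up patch since this file is a cherry-pick. The option is also only meaningful together with `--now`; a one-line note in the man page entry saying so would save users from wondering why it has no effect on its own.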
@@ -0,0 +1,33 @@ +From f3454e10bd598aeee71692340f52009d03a73099 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 13 May 2020 19:10:06 +0100 +Subject: [PATCH 2/2] portablectl: use replace-unload when stopping a service + with --no-reload + +Once an image is detached, the service is no longer able to run. +Without a daemon-reload, if the unit is still loaded, a subsequent +attach will fail as the unit already exists. +Ensure it is always unloaded even without daemon-reload if --no-reload +is passed on the command line by using the new stop job mode. + +(cherry picked from commit f15aa996977d3f52e0071a983456071de30d0018) +--- + src/portable/portablectl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c +index fc83823cf8..0eec6d5a09 100644 +--- a/src/portable/portablectl.c ++++ b/src/portable/portablectl.c +@@ -472,7 +472,7 @@ static int maybe_start_stop(sd_bus *bus, const char *path, bool start) { + start ? "StartUnit" : "StopUnit", + &error, + &reply, +- "ss", name, "replace"); ++ "ss", name, !start && !arg_reload ? "replace-unload" : "replace"); + if (r < 0) + return log_error_errno(r, "Failed to %s the portable service %s: %s", + start ? "start" : "stop", path, bus_error_message(&error, r)); +-- +2.20.1 + diff --git a/SPECS/systemd/106-portabled-implement-container-host-os-release-interf.patch b/SPECS/systemd/106-portabled-implement-container-host-os-release-interf.patch new file mode 100644 index 00000000000..9328a2cbfc7 --- /dev/null +++ b/SPECS/systemd/106-portabled-implement-container-host-os-release-interf.patch 
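Review bot: The `"replace-unload"` job mode passed to StopUnit has to be understood by the PID 1 this series patches (systemd 239), and nothing visible in patches 101–106 adds that mode on the manager side; the commit message itself calls it "the new stop job mode". If the manager does not know the mode, the StopUnit call is rejected and `detach --now --no-reload` fails before the image is detached, which is the opposite of what the patch sets out to fix. Either confirm that an earlier patch in the series (patch 100 is not visible in this chunk) or the 239 base provides the mode, or fall back to `"replace"` when it is unavailable, and record in the spec's patch comment which upstream commit supplies it.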
@@ -0,0 +1,25 @@ +From 69beed2bb629639a9b52410a2b35247bc4c296e1 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 22 May 2020 16:56:37 +0100 +Subject: [PATCH] portabled: implement container host os-release interface + +(cherry picked from commit 73083ca238d8d537e2713378271a316fc6afa350) +--- + src/portable/portable.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index b305949c24..d3258e1fc0 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -722,6 +722,7 @@ static int install_chroot_dropin( + "[Service]\n", + IN_SET(type, IMAGE_DIRECTORY, IMAGE_SUBVOLUME) ? "RootDirectory=" : "RootImage=", image_path, "\n" + "Environment=PORTABLE=", basename(image_path), "\n" ++ "BindReadOnlyPaths=/usr/lib/os-release:/run/host/os-release\n" + "LogExtraFields=PORTABLE=", basename(image_path), "\n", + NULL)) + +-- +2.20.1 + diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index d37d36550ba..795793355ea 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -1,7 +1,7 @@ Summary: Systemd-239 Name: systemd Version: 239 -Release: 31%{?dist} +Release: 32%{?dist} License: LGPLv2+ and GPLv2+ and MIT URL: https://www.freedesktop.org/wiki/Software/systemd/ Group: System Environment/Security 
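Review bot: `BindReadOnlyPaths=/usr/lib/os-release:/run/host/os-release` is written into every portable service drop-in unconditionally, so on a host where /usr/lib/os-release does not exist the bind mount fails and the service does not start. systemd allows a bind source to be prefixed with `-` to make a missing source non-fatal (`BindReadOnlyPaths=-/usr/lib/os-release:/run/host/os-release`); confirm the 239 code base honours that prefix before relying on it, or otherwise verify that the target image always ships /usr/lib/os-release. install_chroot_dropin() continues outside the hunk.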
@@ -36,6 +36,15 @@ Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044 # Furthermore, strict mode DoT is not supported before v243. Patch16: CVE-2018-21029.nopatch +#Portablectl patches for --now --enable and --no-block flags support +Patch100: 100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch +Patch101: 101-Portabled-fix-inspect-on-image-attached-as-directory.patch +Patch102: 102-portablectl-add-now-and-enable-to-attach-detach.patch +Patch103: 103-core-allow-portablectl-to-load-new-services-without-.patch +Patch104: 104-portablectl-block-when-stopping-a-unit-on-detach-now.patch +Patch105: 105-portablectl-use-replace-unload-when-stopping-a-servi.patch +Patch106: 106-portabled-implement-container-host-os-release-interf.patch + Obsoletes: systemd-bootstrap Requires: pam Requires: libcap @@ -108,6 +117,15 @@ EOF %patch14 -p1 %patch15 -p1 +# Portablectl patches +%patch100 -p1 +%patch101 -p1 +%patch102 -p1 +%patch103 -p1 +%patch104 -p1 +%patch105 -p1 +%patch106 -p1 + sed -i "s#\#DefaultTasksMax=512#DefaultTasksMax=infinity#g" src/core/system.conf.in %build @@ -271,6 +289,8 @@ rm -rf %{buildroot}/* %files lang -f %{name}.lang %changelog +* Wed Sep 23 2020 Suresh Babu Chalamalasetty 239-32 +- Portablectl patches for --now --enable and --no-block flags support * Mon Aug 24 2020 Leandro Pereira 239-31 - Use time.windows.com as the default NTP server in timesyncd. * Tue Aug 11 2020 Mateusz Malisz 239-30 diff --git a/SPECS/telegraf/add-extra-metrics.patch b/SPECS/telegraf/add-extra-metrics.patch new file mode 100644 index 00000000000..ec6f5733a6c --- /dev/null +++ b/SPECS/telegraf/add-extra-metrics.patch 
@@ -0,0 +1,31 @@ +diff --git a/plugins/inputs/procstat/process.go b/plugins/inputs/procstat/process.go +index 042929f0..cf4f5185 100644 +--- a/plugins/inputs/procstat/process.go ++++ b/plugins/inputs/procstat/process.go +@@ -26,6 +26,7 @@ type Process interface { + RlimitUsage(bool) ([]process.RlimitStat, error) + Username() (string, error) + CreateTime() (int64, error) ++ MemoryMaps(bool) (*[]process.MemoryMapsStat, error) + } + + type PIDFinder interface { +diff --git a/plugins/inputs/procstat/procstat.go b/plugins/inputs/procstat/procstat.go +index 8e56e4bf..bf2d5503 100644 +--- a/plugins/inputs/procstat/procstat.go ++++ b/plugins/inputs/procstat/procstat.go +@@ -250,6 +250,14 @@ func (p *Procstat) addMetric(proc Process, acc telegraf.Accumulator) { + fields[prefix+"memory_locked"] = mem.Locked + } + ++ memMaps, err := proc.MemoryMaps(true) ++ if err == nil { ++ fields[prefix+"memory_maps_shared_dirty"] = (*memMaps)[0].SharedDirty ++ fields[prefix+"memory_maps_shared_clean"] = (*memMaps)[0].SharedClean ++ fields[prefix+"memory_maps_private_dirty"] = (*memMaps)[0].PrivateDirty ++ fields[prefix+"memory_maps_private_clean"] = (*memMaps)[0].PrivateClean ++ } ++ + mem_perc, err := proc.MemoryPercent() + if err == nil { + fields[prefix+"memory_usage"] = mem_perc diff --git a/SPECS/telegraf/telegraf-vendor-1.14.5.tar.gz b/SPECS/telegraf/telegraf-vendor-1.14.5.tar.gz new file mode 100644 index 00000000000..066aab7fe45 Binary files /dev/null and b/SPECS/telegraf/telegraf-vendor-1.14.5.tar.gz differ diff --git a/SPECS/telegraf/telegraf.signatures.json b/SPECS/telegraf/telegraf.signatures.json new file mode 100755 index 00000000000..20f51ccb688 --- /dev/null +++ b/SPECS/telegraf/telegraf.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "telegraf-1.14.5.tar.gz" : "66a02a8d9afe5621bb65297f74b9f2d62fbe28415771ac1dea0a13950642684c", + "telegraf-vendor-1.14.5.tar.gz" : "b6da69abb1d73f4ed782082b744189fe364fb59a1310c7a58e9d2144442b9a6e" + } +} 
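Review bot: In addMetric the new block indexes `(*memMaps)[0]` without checking that the slice has an element, so if MemoryMaps(true) returns a nil error together with an empty or nil result (a process whose maps are not readable is one plausible case) the collector panics and takes the whole telegraf agent down with it. Guard the access with `if err == nil && memMaps != nil && len(*memMaps) > 0 {`. The patch also extends the Process interface, so any in-tree type implementing it (the procstat test doubles are not in this diff) must gain a MemoryMaps method or the package's tests stop compiling. addMetric continues outside the hunk.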
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec new file mode 100644 index 00000000000..ca89a05b47f --- /dev/null +++ b/SPECS/telegraf/telegraf.spec 
@@ -0,0 +1,99 @@ +Summary: agent for collecting, processing, aggregating, and writing metrics. +Name: telegraf +Version: 1.14.5 +Release: 4%{?dist} +License: MIT +Group: Development/Tools +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/influxdata/telegraf + +#Source0: %{url}/archive/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +Source1: %{name}-vendor-%{version}.tar.gz + +Patch0: add-extra-metrics.patch + +BuildRequires: golang +BuildRequires: systemd-devel + +Requires: systemd +Requires: logrotate +Requires: procps-ng +Requires: shadow-utils +Requires(pre): /usr/sbin/useradd +Requires(pre): /usr/sbin/groupadd +Requires(postun): /usr/sbin/userdel +Requires(postun): /usr/sbin/groupdel + +%description +Telegraf is an agent written in Go for collecting, processing, aggregating, and writing metrics. + +Design goals are to have a minimal memory footprint with a plugin system so that developers in +the community can easily add support for collecting metrics from well known services (like Hadoop, +Postgres, or Redis) and third party APIs (like Mailchimp, AWS CloudWatch, or Google Analytics). 
+ +%prep +%autosetup -p1 +tar -xf %{SOURCE1} + +%build +go build -mod=vendor ./cmd/telegraf + +%install +mkdir -pv %{buildroot}%{_sysconfdir}/%{name}/%{name}.d +install -m 755 -D %{name} %{buildroot}%{_bindir}/%{name} +install -m 755 -D scripts/%{name}.service %{buildroot}%{_unitdir}/%{name}.service +install -m 755 -D etc/logrotate.d/%{name} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} +install -m 755 -D etc/telegraf.conf %{buildroot}%{_sysconfdir}/%{name}/telegraf.conf + +%clean +rm -rf %{buildroot}/* + +%pre +getent group telegraf >/dev/null || groupadd -r telegraf +getent passwd telegraf >/dev/null || useradd -c "Telegraf" -d %{_localstatedir}/lib/%{name} -g %{name} \ + -s /sbin/nologin -M -r %{name} + +%post +chown -R telegraf:telegraf /etc/telegraf +%systemd_post %{name}.service +systemctl daemon-reload + +%preun +%systemd_preun %{name}.service + +%postun +if [ $1 -eq 0 ] ; then + getent passwd telegraf >/dev/null && userdel telegraf + getent group telegraf >/dev/null && groupdel telegraf +fi +%systemd_postun_with_restart %{name}.service + +%files +%defattr(-,root,root) +%config(noreplace) %{_sysconfdir}/%{name}/telegraf.conf +%license LICENSE +%{_bindir}/telegraf +%{_unitdir}/telegraf.service +%{_sysconfdir}/logrotate.d/%{name} +%dir %{_sysconfdir}/%{name}/telegraf.d + +%changelog +* Thu Oct 15 2020 Pawel Winogrodzki 1.14.5-4 +- License verified. +- Added %%license macro. +- Fixed source URL. +- Switched to %%autosetup. +* Fri Aug 21 2020 Suresh Babu Chalamalasetty 1.14.5-3 +- Add runtime required procps-ng and shadow-utils +* Tue Jul 14 2020 Jonathan Chiu 1.14.5-1 +- Update to version 1.14.5 +* Tue Sep 03 2019 Mateusz Malisz 1.7.4-2 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Fri Sep 07 2018 Michelle Wang 1.7.4-1 +- Update version to 1.7.4 and its plugin version to 1.4.0. 
+* Mon Sep 18 2017 Alexey Makhalov 1.3.4-2 +- Remove shadow from requires and use explicit tools for post actions +* Tue Jul 18 2017 Dheeraj Shetty 1.3.4-1 +- first version diff --git a/SPECS/tinyxml2/tinyxml2.signatures.json b/SPECS/tinyxml2/tinyxml2.signatures.json new file mode 100644 index 00000000000..1591682a7ab --- /dev/null +++ b/SPECS/tinyxml2/tinyxml2.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "tinyxml2-7.1.0.tar.gz" : "68ebd396a4220d5a9b5a621c6e9c66349c5cfdf5efaea3f16e3bb92e45f4e2a3" + } +} diff --git a/SPECS/tinyxml2/tinyxml2.spec b/SPECS/tinyxml2/tinyxml2.spec new file mode 100644 index 00000000000..ccbe6706675 --- /dev/null +++ b/SPECS/tinyxml2/tinyxml2.spec 
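Review bot: The %install section installs etc/telegraf.conf with `-m 755` and %post then runs `chown -R telegraf:telegraf /etc/telegraf`, so the agent's configuration, which commonly carries output credentials and determines what the agent runs, ends up world-readable and writable by the service account itself; a compromised telegraf process could rewrite its own configuration and any local user can read the secrets in it. Install it as `install -m 640 -D etc/telegraf.conf %{buildroot}%{_sysconfdir}/%{name}/telegraf.conf`, install the unit and logrotate files with `-m 644`, and keep the directory root-owned with group telegraf (`%attr(0750, root, telegraf) %dir %{_sysconfdir}/%{name}`) instead of the recursive chown. The %postun scriptlet also deletes the telegraf user and group on removal; leaving system accounts in place avoids a later account reusing the UID and inheriting files left under %{_localstatedir}/lib/%{name}.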
@@ -0,0 +1,62 @@ +Name: tinyxml2 +Summary: Simple, small, efficient, C++ XML parser that can be easily integrated into other programs. +Version: 7.1.0 +Release: 1%{?dist} +License: zlib +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/leethomason/tinyxml2/ + +#Source0: https://github.com/leethomason/%{name}/archive/%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz + +BuildRequires: cmake +BuildRequires: build-essential + +%description +TinyXML2 is a simple, small, efficient, C++ XML parser that can be easily integrated into other programs. + +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version} + +%description devel +Development files for %{name} + +%prep +%setup -q + +%build +mkdir build +cd build +cmake \ + -DCMAKE_INSTALL_PREFIX=%{_prefix} \ + -DBUILD_SHARED_LIBS=ON \ + .. +make %{?_smp_mflags} + +%install +cd build +make install DESTDIR=%{buildroot} + +%files +%doc readme.md +%license LICENSE.txt +/usr/lib64/*.so.* + +%files devel +%{_includedir}/* +/usr/lib64/cmake/tinyxml2 +/usr/lib64/*.so +/usr/lib64/pkgconfig/tinyxml2.pc + +%changelog +* Wed Oct 14 2020 Pawel Winogrodzki 7.1.0-1 +- Updated to version 7.1.0. +- Enabled building *-debuginfo package. +- Added 'Vendor' and 'Distribution' tags. +- Added teh %%license macro. +- Updated 'URL' and 'Source0' tags. +- License verified. +* Thu Apr 09 2020 Jonathan Chiu 7.0.1-1 +- Original version for CBL-Mariner. diff --git a/SPECS/toml11/toml11.signatures.json b/SPECS/toml11/toml11.signatures.json new file mode 100644 index 00000000000..84a539636ce --- /dev/null +++ b/SPECS/toml11/toml11.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "toml11-3.3.0.tar.gz": "b29995475922fae3095445219d36733ef18976abdc85685d0804ee3ea04f09c0" + } +} \ No newline at end of file diff --git a/SPECS/toml11/toml11.spec b/SPECS/toml11/toml11.spec new file mode 100644 index 00000000000..427ce809cd4 --- /dev/null +++ b/SPECS/toml11/toml11.spec 
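Review bot: The %files and %files devel lists use the literal `/usr/lib64/...` paths while the rest of the spec uses `%{_prefix}` and `%{_includedir}`, so the package breaks on any target whose library directory is not lib64. Replace them with the macro forms, e.g. `%{_libdir}/*.so.*` in the main package and `%{_libdir}/*.so`, `%{_libdir}/cmake/tinyxml2` and `%{_libdir}/pkgconfig/tinyxml2.pc` in devel. The devel subpackage's `Requires: %{name} = %{version}` should include the release as well, `Requires: %{name} = %{version}-%{release}`, so the headers can't be paired with a library from a different build.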
@@ -0,0 +1,69 @@ +# Header-only library, so no debug package +%global debug_package %{nil} + +Summary: toml11 - header-only C++11 TOML parser/generator +Name: toml11 +Version: 3.3.0 +Release: 2%{?dist} +License: MIT +URL: https://github.com/ToruNiina/toml11 +Group: System Environment +Vendor: Microsoft Corporation +Distribution: Mariner + +#Source0: https://github.com/ToruNiina/%{name}/archive/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz + +BuildRequires: cmake +BuildRequires: gcc +BuildRequires: boost-devel + +%description +A modern C++ toml library. + +%package devel +Summary: Development files for %{name} + +%description devel +Development files for %{name} + +%prep +%setup + +# Remove tests which require boost 1.67 +sed -E -e '/test_get|test_get_or|test_find|test_find_or/d' \ + -i tests/CMakeLists.txt + +# Remove tests which rely on external toml file database +sed -E -e '/test_parse_file|test_serialize_file|test_parse_unicode/d' \ + -i tests/CMakeLists.txt + +%build +mkdir build && cd build +%cmake .. +%make_build + +%check +make test -C build + +%install +%make_install -C build + +%clean +rm -rf %{buildroot}/* + +%files devel +%defattr(-,root,root) +%doc README.md +%license LICENSE +%{_includedir}/toml +%{_includedir}/toml.hpp +%{_libdir}/cmake/toml11 + +%changelog +* Wed Oct 14 2020 Pawel Winogrodzki 3.3.0-2 +- License verified. +- Fixed 'URL' tag. +- Added source URL. +* Tue Feb 11 2020 Nick Bopp 3.3.0-1 +- Original version for CBL-Mariner. \ No newline at end of file diff --git a/SPECS/tpm2-abrmd/tpm2-abrmd.signatures.json b/SPECS/tpm2-abrmd/tpm2-abrmd.signatures.json index da5a6a080f2..489b1e0bf35 100644 --- a/SPECS/tpm2-abrmd/tpm2-abrmd.signatures.json +++ b/SPECS/tpm2-abrmd/tpm2-abrmd.signatures.json 
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "tpm2-abrmd-2.1.1.tar.gz": "29a55a9e4bc57e4d93acda12cde77bbf332f1dbe99a393ddddd5ede4efc7079a"
+ "tpm2-abrmd-2.3.3.tar.gz": "1e587808c6739079d59f124d9c1a0058f8d34dd84f1f656c946667fa0a181c48"
 }
 }
\ No newline at end of file
diff --git a/SPECS/tpm2-abrmd/tpm2-abrmd.spec b/SPECS/tpm2-abrmd/tpm2-abrmd.spec
index 88575917e0f..bb61870ba6f 100644
--- a/SPECS/tpm2-abrmd/tpm2-abrmd.spec
+++ b/SPECS/tpm2-abrmd/tpm2-abrmd.spec
@@ -1,16 +1,16 @@
-Summary: TPM2 Access Broker & Resource Management Daemon implementing the TCG spec
-Name: tpm2-abrmd
-Version: 2.1.1
-Release: 2%{?dist}
-License: BSD 2-Clause
+Summary: TPM2 Access Broker & Resource Management Daemon implementing the TCG spec
+Name: tpm2-abrmd
+Version: 2.3.3
+Release: 1%{?dist}
+License: BSD 2-Clause
 URL: https://github.com/tpm2-software/tpm2-abrmd/releases/
 Source0: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/%{name}-%{version}.tar.gz
-Group: System Environment/Security
+Group: System Environment/Security
 Vendor: Microsoft Corporation
 Distribution: Mariner
-BuildRequires: which dbus-devel glib-devel tpm2-tss-devel
-Requires: dbus glib tpm2-tss
+BuildRequires: which dbus-devel glib-devel tpm2-tss-devel
+Requires: dbus glib tpm2-tss
 %description
 TPM2 Access Broker & Resource Management Daemon implementing the TCG spec
@@ -58,9 +58,10 @@ make DESTDIR=%{buildroot} install
 %{_mandir}/man7
 %changelog
-* Sat May 09 00:21:38 PST 2020 Nick Samson - 2.1.1-2
-- Added %%license line automatically
-
+* Sun Sep 27 2020 Daniel McIlvaney 2.3.3-1
+- Update to 2.3.3 to solve incompatibility with tpm2-tss 2.4.0
+* Sat May 09 2020 Nick Samson 2.1.1-2
+- Added %%license line automatically
 * Wed Mar 18 2020 Henry Beberman 2.1.1-1
 - Update to 2.1.1. Fix URL. Fix Source0 URL. License verified.
 * Tue Sep 03 2019 Mateusz Malisz 2.1.0-2
diff --git a/SPECS/tpm2-tools/tpm2-tools.signatures.json b/SPECS/tpm2-tools/tpm2-tools.signatures.json
index 9b2fb8031d0..5fdd57a610a 100644
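Review bot: The new changelog entry justifies this bump with "incompatibility with tpm2-tss 2.4.0", yet `BuildRequires: which dbus-devel glib-devel tpm2-tss-devel` and `Requires: dbus glib tpm2-tss` are rewritten without any version floor, so the daemon can still be built or installed against the older tpm2-tss that it is being updated away from. The tpm2-tools spec in this same change pins `tpm2-tss >= 2.3.0`; this spec should likewise pin whatever 2.3.3's configure actually checks for, e.g. `BuildRequires: tpm2-tss-devel >= 2.4.0` and `Requires: tpm2-tss >= 2.4.0` if the 2.4.0 API is what was needed. The first hunk also re-emits unchanged tags (`Summary`, `Name`, `License`, `Group`, `BuildRequires`, `Requires`) purely for column alignment, which buries the real `Version`/`Release` change; keeping whitespace-only rewrites out of a version bump makes the security-relevant delta reviewable.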
--- a/SPECS/tpm2-tools/tpm2-tools.signatures.json
+++ b/SPECS/tpm2-tools/tpm2-tools.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "tpm2-tools-3.1.4.tar.gz": "2f515200e9a7958ee13015150f7958c8a332eb071c2564c33f81ebe32c4f6033"
+ "tpm2-tools-4.2.tar.gz": "1baaccd8bd663e9dd70cf6d8f99f16897ea32b9106860967ebb259d81954f904"
 }
 }
\ No newline at end of file
diff --git a/SPECS/tpm2-tools/tpm2-tools.spec b/SPECS/tpm2-tools/tpm2-tools.spec
index 44a1d2966c5..9bd32b9e23a 100644
--- a/SPECS/tpm2-tools/tpm2-tools.spec
+++ b/SPECS/tpm2-tools/tpm2-tools.spec
@@ -1,15 +1,19 @@
-Summary: The source repository for the TPM (Trusted Platform Module) 2 tools
-Name: tpm2-tools
-Version: 3.1.4
-Release: 2%{?dist}
-License: BSD 2-Clause
-URL: https://github.com/tpm2-software/tpm2-tools
-Group: System Environment/Security
+Summary: The source repository for the TPM (Trusted Platform Module) 2 tools
+Name: tpm2-tools
+Version: 4.2
+Release: 1%{?dist}
+License: BSD 3-Clause
+URL: https://github.com/tpm2-software/tpm2-tools
+Group: System Environment/Security
 Vendor: Microsoft Corporation
 Distribution: Mariner
-Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
-BuildRequires: openssl-devel curl-devel tpm2-tss-devel
-Requires: openssl curl tpm2-tss
+Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
+BuildRequires: openssl-devel
+BuildRequires: curl-devel
+BuildRequires: tpm2-tss-devel >= 2.3.0
+Requires: openssl curl
+Requires: tpm2-tss >= 2.3.0
+Requires: /bin/awk
 %description
 The source repository for the TPM (Trusted Platform Module) 2 tools
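Review bot: `License:` silently changes from `BSD 2-Clause` to `BSD 3-Clause` in this hunk, and the `%license` path moves to `doc/LICENSE` in the next one, but the new changelog entry only says `- Update to 4.2.`; since this PR's own checklist requires license verification for changed packages, the entry should record it, e.g. `- Update to 4.2.` followed by `- License corrected to BSD 3-Clause and verified.`. Separately, `Requires: /bin/awk` is a file-path dependency; if awk is needed at runtime by the installed tools (I cannot see the consumer from here), a package dependency such as `Requires: gawk` is more robust than a path that can move under usrmerge. The `%description` body continues outside the hunk.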
@@ -26,14 +30,17 @@ make DESTDIR=%{buildroot} install
 %files
 %defattr(-,root,root)
-%license LICENSE
+%license doc/LICENSE
 %{_bindir}/*
 %{_mandir}/man1
+%{_datarootdir}/bash-completion/completions/tpm2_*
+%{_datarootdir}/bash-completion/completions/tss2_*
 %changelog
-* Sat May 09 00:21:43 PST 2020 Nick Samson - 3.1.4-2
-- Added %%license line automatically
-
+* Tue Aug 25 2020 Daniel McIlvaney 4.2-1
+- Update to 4.2.
+* Sat May 09 2020 Nick Samson 3.1.4-2
+- Added %%license line automatically
 * Fri Mar 13 2020 Paul Monson 3.1.4-1
 - Update to version 3.1.4.
 * Tue Sep 03 2019 Mateusz Malisz 3.1.3-2
diff --git a/SPECS/tpm2-tss/tpm2-tss.signatures.json b/SPECS/tpm2-tss/tpm2-tss.signatures.json
index 8d9f51ad624..b64d516da7f 100644
--- a/SPECS/tpm2-tss/tpm2-tss.signatures.json
+++ b/SPECS/tpm2-tss/tpm2-tss.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "tpm2-tss-2.2.0.tar.gz": "c9131eaf3a22affaad58688915957e855d23608eb1c007c0f1e00681f3e32583"
+ "tpm2-tss-2.4.0.tar.gz": "81c548a73adf584a5ad306b5d4318140b298e724510e5883277fea4df9652e87"
 }
 }
\ No newline at end of file
diff --git a/SPECS/tpm2-tss/tpm2-tss.spec b/SPECS/tpm2-tss/tpm2-tss.spec
index 8b98dc8b406..1412e2c031e 100644
--- a/SPECS/tpm2-tss/tpm2-tss.spec
+++ b/SPECS/tpm2-tss/tpm2-tss.spec
@@ -1,7 +1,7 @@
 Summary: OSS implementation of the TCG TPM2 Software Stack (TSS2)
 Name: tpm2-tss
-Version: 2.2.0
-Release: 4%{?dist}
+Version: 2.4.0
+Release: 1%{?dist}
 License: BSD
 URL: https://github.com/tpm2-software/tpm2-tss
 Group: System Environment/Security
@@ -9,7 +9,9 @@ Vendor: Microsoft Corporation
 Distribution: Mariner
 Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
 BuildRequires: openssl-devel
+BuildRequires: json-c-devel
 Requires: openssl
+Requires: json-c
 Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
 Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel
 %description
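Review bot: Adding only `BuildRequires: json-c-devel` / `Requires: json-c` looks incomplete for the 2.2.0 to 2.4.0 jump: 2.4.0 is the release that brings in the FAPI layer (the `%files` hunk later in this diff packages its `tmpfiles.d/tpm2-tss-fapi.conf` and `%{_sysconfdir}/tpm2-tss/*`), and upstream's FAPI build also links libcurl; if that holds for this configure run, `BuildRequires: curl-devel` should be declared explicitly so the result does not depend on whatever happens to be present in the build chroot (rpm's automatic `libcurl.so` dependency then covers runtime). If FAPI is not wanted in Mariner, pass `--disable-fapi` to configure and drop the json-c lines instead, so the choice is recorded in the spec rather than implied by the chroot contents. The `%build`/`%configure` section that would show which way 2.4.0 is being built is outside this hunk.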
@@ -64,7 +66,10 @@ fi
 %defattr(-,root,root)
 %license LICENSE
 %{_sysconfdir}/udev/rules.d/tpm-udev.rules
+%{_sysconfdir}/tmpfiles.d/tpm2-tss-fapi.conf
+%{_sysconfdir}/tpm2-tss/*
 %{_libdir}/*.so.0.0.0
+%exclude %{_sysconfdir}/sysusers.d/tpm2-tss.conf
 %files devel
 %defattr(-,root,root)
@@ -77,9 +82,10 @@ fi
 %{_mandir}/man7
 %changelog
-* Sat May 09 00:21:09 PST 2020 Nick Samson - 2.2.0-4
-- Added %%license line automatically
-
+* Tue Aug 25 2020 Daniel McIlvaney 2.4.0-1
+- Update to 2.4.0.
+* Sat May 09 2020 Nick Samson - 2.2.0-4
+- Added %%license line automatically
 * Fri Apr 10 2020 Nick Samson 2.2.0-3
 - Updated Source0. Removed %%define sha1. Updated license abbreviation and validated license.
 * Tue Sep 03 2019 Mateusz Malisz 2.2.0-2
diff --git a/SPECS/tracelogging/tracelogging.signatures.json b/SPECS/tracelogging/tracelogging.signatures.json
new file mode 100644
index 00000000000..53952de0d25
--- /dev/null
+++ b/SPECS/tracelogging/tracelogging.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "tracelogging-0.2.tar.gz": "8c77ffe696e31d640b2de599b937e7797e64a2b49f98eae55e0b6a514efb1002"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/tracelogging/tracelogging.spec b/SPECS/tracelogging/tracelogging.spec
new file mode 100644
index 00000000000..39b4ad22beb
--- /dev/null
+++ b/SPECS/tracelogging/tracelogging.spec
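Review bot: `%{_sysconfdir}/tpm2-tss/*` (the FAPI configuration and profiles) and `%{_sysconfdir}/tmpfiles.d/tpm2-tss-fapi.conf` are listed as plain files, so any administrator edits to the keystore/profile settings under `/etc/tpm2-tss` are overwritten on the next upgrade; mark them `%config(noreplace) %{_sysconfdir}/tpm2-tss/*` and `%config %{_sysconfdir}/tmpfiles.d/tpm2-tss-fapi.conf`. The `%exclude %{_sysconfdir}/sysusers.d/tpm2-tss.conf` is consistent with this spec creating the tss user via its `Requires(pre): /usr/sbin/useradd` scriptlets, but that reasoning is invisible here; a comment such as `# tss user/group are created in %%pre, so upstream's sysusers.d snippet is intentionally not shipped` would stop a future maintainer from re-adding it and creating the account twice. The main `%files` section starts before this hunk and the `%pre` scriptlet it relies on is outside the diff.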
@@ -0,0 +1,76 @@
+Summary: tracelogging one-line structure logging API on top of LTTNG
+Name: tracelogging
+Version: 0.2
+Release: 2%{?dist}
+License: MIT
+URL: https://github.com/microsoft/tracelogging
+Group: System Environment
+Vendor: Microsoft Corporation
+Distribution: Mariner
+
+#Source0: https://github.com/microsoft/%{name}/archive/v%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+
+BuildRequires: catch-devel
+BuildRequires: cmake
+BuildRequires: gcc
+BuildRequires: lttng-ust-devel
+
+%if %{with_check}
+BuildRequires: catch-devel
+%endif
+
+%description
+The tracelogging for LTTNG project enables structured event emission through
+LTTNG via the same set of macros that are supported by the publicly
+available tracelogging for ETW project in the Windows SDK.
+
+%package devel
+Summary: Development files for tracelogging
+License: MIT
+Group: System Environment/Libraries
+Requires: tracelogging = %{version}-%{release}
+
+%description devel
+This package contains the headers and symlinks for instrumenting
+applications and libraries with tracelogging.
+
+%prep
+%setup
+
+%build
+mkdir build && cd build
+%cmake ..
+%make_build
+
+%check
+make test -C build
+
+%install
+%make_install -C build
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%clean
+rm -rf %{buildroot}/*
+
+%files
+%defattr(-,root,root)
+%doc README.md
+%license LICENSE
+%{_libdir}/liblttngh.so.*
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/lttngh
+%{_includedir}/tracelogging
+%{_libdir}/liblttngh.so
+%{_libdir}/cmake/tracelogging
+
+%changelog
+* Wed Oct 14 2020 Pawel Winogrodzki 0.2-2
+- Added source URL.
+- License verified.
+* Tue Feb 11 2020 Nick Bopp 0.2-1
+- Original version for CBL-Mariner.
\ No newline at end of file
diff --git a/SPECS/unbound/CVE-2020-12662.patch b/SPECS/unbound/CVE-2020-12662.patch
new file mode 100644
index 00000000000..c3631bba876
--- /dev/null
+++ b/SPECS/unbound/CVE-2020-12662.patch
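Review bot: `BuildRequires: catch-devel` is declared twice, once unconditionally right after `Source0` and once inside `%if %{with_check}`, so the conditional is dead code and the test-only dependency is always pulled into the build root; drop the unconditional line and keep only the `%if %{with_check}` block. The `%check` section then runs `make test -C build` unconditionally while its dependency is gated, so unless the toolkit always passes `--nocheck` when `with_check` is 0 the two should be gated the same way, e.g. wrap the section in `%if %{with_check}` / `%endif`. `%setup` without `-q` also diverges from the `%setup -q` used by tinyxml2.spec in this same change and will spam the build log with every extracted path.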
@@ -0,0 +1,947 @@ +diff --git a/iterator/iter_delegpt.c b/iterator/iter_delegpt.c +index f88b3e11..9a672b0a 100644 +--- a/iterator/iter_delegpt.c ++++ b/iterator/iter_delegpt.c +@@ -84,7 +84,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region) + } + for(a = dp->target_list; a; a = a->next_target) { + if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, +- a->bogus, a->lame, a->tls_auth_name)) ++ a->bogus, a->lame, a->tls_auth_name, NULL)) + return NULL; + } + return copy; +@@ -161,7 +161,7 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr, + int + delegpt_add_target(struct delegpt* dp, struct regional* region, + uint8_t* name, size_t namelen, struct sockaddr_storage* addr, +- socklen_t addrlen, uint8_t bogus, uint8_t lame) ++ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions) + { + struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen); + log_assert(!dp->dp_type_mlc); +@@ -176,13 +176,14 @@ delegpt_add_target(struct delegpt* dp, struct regional* region, + if(ns->got4 && ns->got6) + ns->resolved = 1; + } +- return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL); ++ return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL, ++ additions); + } + + int + delegpt_add_addr(struct delegpt* dp, struct regional* region, + struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, +- uint8_t lame, char* tls_auth_name) ++ uint8_t lame, char* tls_auth_name, int* additions) + { + struct delegpt_addr* a; + log_assert(!dp->dp_type_mlc); +@@ -194,6 +195,8 @@ delegpt_add_addr(struct delegpt* dp, struct regional* region, + a->lame = 0; + return 1; + } ++ if(additions) ++ *additions = 1; + + a = (struct delegpt_addr*)regional_alloc(region, + sizeof(struct delegpt_addr)); +@@ -382,10 +385,10 @@ delegpt_from_message(struct dns_msg* msg, struct regional* region) + continue; + + if(ntohs(s->rk.type) == LDNS_RR_TYPE_A) { +- if(!delegpt_add_rrset_A(dp, region, s, 0)) ++ 
if(!delegpt_add_rrset_A(dp, region, s, 0, NULL)) + return NULL; + } else if(ntohs(s->rk.type) == LDNS_RR_TYPE_AAAA) { +- if(!delegpt_add_rrset_AAAA(dp, region, s, 0)) ++ if(!delegpt_add_rrset_AAAA(dp, region, s, 0, NULL)) + return NULL; + } + } +@@ -416,7 +419,7 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region, + + int + delegpt_add_rrset_A(struct delegpt* dp, struct regional* region, +- struct ub_packed_rrset_key* ak, uint8_t lame) ++ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions) + { + struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data; + size_t i; +@@ -432,7 +435,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region, + memmove(&sa.sin_addr, d->rr_data[i]+2, INET_SIZE); + if(!delegpt_add_target(dp, region, ak->rk.dname, + ak->rk.dname_len, (struct sockaddr_storage*)&sa, +- len, (d->security==sec_status_bogus), lame)) ++ len, (d->security==sec_status_bogus), lame, additions)) + return 0; + } + return 1; +@@ -440,7 +443,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region, + + int + delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region, +- struct ub_packed_rrset_key* ak, uint8_t lame) ++ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions) + { + struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data; + size_t i; +@@ -456,7 +459,7 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region, + memmove(&sa.sin6_addr, d->rr_data[i]+2, INET6_SIZE); + if(!delegpt_add_target(dp, region, ak->rk.dname, + ak->rk.dname_len, (struct sockaddr_storage*)&sa, +- len, (d->security==sec_status_bogus), lame)) ++ len, (d->security==sec_status_bogus), lame, additions)) + return 0; + } + return 1; +@@ -464,20 +467,33 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region, + + int + delegpt_add_rrset(struct delegpt* dp, struct regional* region, +- struct ub_packed_rrset_key* rrset, uint8_t lame) ++ struct ub_packed_rrset_key* rrset, uint8_t 
lame, int* additions) + { + if(!rrset) + return 1; + if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_NS) + return delegpt_rrset_add_ns(dp, region, rrset, lame); + else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A) +- return delegpt_add_rrset_A(dp, region, rrset, lame); ++ return delegpt_add_rrset_A(dp, region, rrset, lame, additions); + else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA) +- return delegpt_add_rrset_AAAA(dp, region, rrset, lame); ++ return delegpt_add_rrset_AAAA(dp, region, rrset, lame, ++ additions); + log_warn("Unknown rrset type added to delegpt"); + return 1; + } + ++void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype) ++{ ++ if(ns) { ++ if(qtype == LDNS_RR_TYPE_A) ++ ns->got4 = 2; ++ else if(qtype == LDNS_RR_TYPE_AAAA) ++ ns->got6 = 2; ++ if(ns->got4 && ns->got6) ++ ns->resolved = 1; ++ } ++} ++ + void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg) + { + struct reply_info* rep = (struct reply_info*)msg->entry.data; +@@ -487,14 +503,7 @@ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg) + if(FLAGS_GET_RCODE(rep->flags) != 0 || rep->an_numrrsets == 0) { + struct delegpt_ns* ns = delegpt_find_ns(dp, msg->key.qname, + msg->key.qname_len); +- if(ns) { +- if(msg->key.qtype == LDNS_RR_TYPE_A) +- ns->got4 = 1; +- else if(msg->key.qtype == LDNS_RR_TYPE_AAAA) +- ns->got6 = 1; +- if(ns->got4 && ns->got6) +- ns->resolved = 1; +- } ++ delegpt_mark_neg(ns, msg->key.qtype); + } + } + +diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h +index 6c088264..138eb6e1 100644 +--- a/iterator/iter_delegpt.h ++++ b/iterator/iter_delegpt.h +@@ -106,9 +106,10 @@ struct delegpt_ns { + * and marked true if got4 and got6 are both true. + */ + int resolved; +- /** if the ipv4 address is in the delegpt */ ++ /** if the ipv4 address is in the delegpt, 0=not, 1=yes 2=negative, ++ * negative means it was done, but no content. 
*/ + uint8_t got4; +- /** if the ipv6 address is in the delegpt */ ++ /** if the ipv6 address is in the delegpt, 0=not, 1=yes 2=negative */ + uint8_t got6; + /** + * If the name is parent-side only and thus dispreferred. +@@ -215,11 +216,12 @@ int delegpt_rrset_add_ns(struct delegpt* dp, struct regional* regional, + * @param addrlen: the length of addr. + * @param bogus: security status for the address, pass true if bogus. + * @param lame: address is lame. ++ * @param additions: will be set to 1 if a new address is added + * @return false on error. + */ + int delegpt_add_target(struct delegpt* dp, struct regional* regional, + uint8_t* name, size_t namelen, struct sockaddr_storage* addr, +- socklen_t addrlen, uint8_t bogus, uint8_t lame); ++ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions); + + /** + * Add A RRset to delegpt. +@@ -227,10 +229,11 @@ int delegpt_add_target(struct delegpt* dp, struct regional* regional, + * @param regional: where to allocate the info. + * @param rrset: RRset A to add. + * @param lame: rrset is lame, disprefer it. ++ * @param additions: will be set to 1 if a new address is added + * @return 0 on alloc error. + */ + int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional, +- struct ub_packed_rrset_key* rrset, uint8_t lame); ++ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions); + + /** + * Add AAAA RRset to delegpt. +@@ -238,10 +241,11 @@ int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional, + * @param regional: where to allocate the info. + * @param rrset: RRset AAAA to add. + * @param lame: rrset is lame, disprefer it. ++ * @param additions: will be set to 1 if a new address is added + * @return 0 on alloc error. + */ + int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional, +- struct ub_packed_rrset_key* rrset, uint8_t lame); ++ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions); + + /** + * Add any RRset to delegpt. 
+@@ -250,10 +254,11 @@ int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional, + * @param regional: where to allocate the info. + * @param rrset: RRset to add, NS, A, AAAA. + * @param lame: rrset is lame, disprefer it. ++ * @param additions: will be set to 1 if a new address is added + * @return 0 on alloc error. + */ + int delegpt_add_rrset(struct delegpt* dp, struct regional* regional, +- struct ub_packed_rrset_key* rrset, uint8_t lame); ++ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions); + + /** + * Add address to the delegation point. No servername is associated or checked. +@@ -264,11 +269,12 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional, + * @param bogus: if address is bogus. + * @param lame: if address is lame. + * @param tls_auth_name: TLS authentication name (or NULL). ++ * @param additions: will be set to 1 if a new address is added + * @return false on error. + */ + int delegpt_add_addr(struct delegpt* dp, struct regional* regional, + struct sockaddr_storage* addr, socklen_t addrlen, +- uint8_t bogus, uint8_t lame, char* tls_auth_name); ++ uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions); + + /** + * Find NS record in name list of delegation point. +@@ -341,6 +347,14 @@ size_t delegpt_count_targets(struct delegpt* dp); + struct delegpt* delegpt_from_message(struct dns_msg* msg, + struct regional* regional); + ++/** ++ * Mark negative return in delegation point for specific nameserver. ++ * sets the got4 or got6 to negative, updates the ns->resolved. ++ * @param ns: the nameserver in the delegpt. ++ * @param qtype: A or AAAA (host order). ++ */ ++void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype); ++ + /** + * Add negative message to delegation point. + * @param dp: delegation point. 
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c +index cceec3d5..aae934dd 100644 +--- a/iterator/iter_scrub.c ++++ b/iterator/iter_scrub.c +@@ -185,8 +185,9 @@ mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg, + /** Get target name of a CNAME */ + static int + parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname, +- size_t* snamelen) ++ size_t* snamelen, sldns_buffer* pkt) + { ++ size_t oldpos, dlen; + if(rrset->rr_count != 1) { + struct rr_parse* sig; + verbose(VERB_ALGO, "Found CNAME rrset with " +@@ -204,6 +205,19 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname, + *sname = rrset->rr_first->ttl_data + sizeof(uint32_t) + + sizeof(uint16_t); /* skip ttl, rdatalen */ + *snamelen = rrset->rr_first->size - sizeof(uint16_t); ++ ++ if(rrset->rr_first->outside_packet) { ++ if(!dname_valid(*sname, *snamelen)) ++ return 0; ++ return 1; ++ } ++ oldpos = sldns_buffer_position(pkt); ++ sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt))); ++ dlen = pkt_dname_len(pkt); ++ sldns_buffer_set_position(pkt, oldpos); ++ if(dlen == 0) ++ return 0; /* parse fail on the rdata name */ ++ *snamelen = dlen; + return 1; + } + +@@ -215,7 +229,7 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset, + /* we already know that sname is a strict subdomain of DNAME owner */ + uint8_t* dtarg = NULL; + size_t dtarglen; +- if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen)) ++ if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt)) + return 0; + if(qnamelen <= dname_rrset->dname_len) + return 0; +@@ -388,7 +402,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + /* check next cname */ + uint8_t* t = NULL; + size_t tlen = 0; +- if(!parse_get_cname_target(nx, &t, &tlen)) ++ if(!parse_get_cname_target(nx, &t, &tlen, pkt)) + return 0; + if(dname_pkt_compare(pkt, alias, t) == 0) { + /* it's OK and better capitalized */ +@@ -439,7 +453,7 @@ 
scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + size_t tlen = 0; + if(synth_cname(sname, snamelen, nx, alias, + &aliaslen, pkt) && +- parse_get_cname_target(rrset, &t, &tlen) && ++ parse_get_cname_target(rrset, &t, &tlen, pkt) && + dname_pkt_compare(pkt, alias, t) == 0) { + /* the synthesized CNAME equals the + * current CNAME. This CNAME is the +@@ -460,7 +474,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + } + + /* move to next name in CNAME chain */ +- if(!parse_get_cname_target(rrset, &sname, &snamelen)) ++ if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt)) + return 0; + prev = rrset; + rrset = rrset->rrset_all_next; +diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c +index 2ab55ceb..3c14de86 100644 +--- a/iterator/iter_utils.c ++++ b/iterator/iter_utils.c +@@ -1142,7 +1142,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env, + log_rrset_key(VERB_ALGO, "found parent-side", akey); + ns->done_pside4 = 1; + /* a negative-cache-element has no addresses it adds */ +- if(!delegpt_add_rrset_A(dp, region, akey, 1)) ++ if(!delegpt_add_rrset_A(dp, region, akey, 1, NULL)) + log_err("malloc failure in lookup_parent_glue"); + lock_rw_unlock(&akey->entry.lock); + } +@@ -1154,7 +1154,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env, + log_rrset_key(VERB_ALGO, "found parent-side", akey); + ns->done_pside6 = 1; + /* a negative-cache-element has no addresses it adds */ +- if(!delegpt_add_rrset_AAAA(dp, region, akey, 1)) ++ if(!delegpt_add_rrset_AAAA(dp, region, akey, 1, NULL)) + log_err("malloc failure in lookup_parent_glue"); + lock_rw_unlock(&akey->entry.lock); + } +diff --git a/iterator/iterator.c b/iterator/iterator.c +index 1e0113a8..9d36660c 100644 +--- a/iterator/iterator.c ++++ b/iterator/iterator.c +@@ -72,6 +72,8 @@ + /* in msec */ + int UNKNOWN_SERVER_NICENESS = 376; + ++static void target_count_increase_nx(struct iter_qstate* iq, int num); ++ + int + iter_init(struct module_env* env, int 
id) + { +@@ -150,6 +152,7 @@ iter_new(struct module_qstate* qstate, int id) + iq->sent_count = 0; + iq->ratelimit_ok = 0; + iq->target_count = NULL; ++ iq->dp_target_count = 0; + iq->wait_priming_stub = 0; + iq->refetch_glue = 0; + iq->dnssec_expected = 0; +@@ -221,6 +224,7 @@ final_state(struct iter_qstate* iq) + static void + error_supers(struct module_qstate* qstate, int id, struct module_qstate* super) + { ++ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id]; + struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id]; + + if(qstate->qinfo.qtype == LDNS_RR_TYPE_A || +@@ -246,7 +250,11 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super) + super->region, super_iq->dp)) + log_err("out of memory adding missing"); + } ++ delegpt_mark_neg(dpns, qstate->qinfo.qtype); + dpns->resolved = 1; /* mark as failed */ ++ if((dpns->got4 == 2 || !ie->supports_ipv4) && ++ (dpns->got6 == 2 || !ie->supports_ipv6)) ++ target_count_increase_nx(super_iq, 1); + } + if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) { + /* prime failed to get delegation */ +@@ -621,7 +629,7 @@ static void + target_count_create(struct iter_qstate* iq) + { + if(!iq->target_count) { +- iq->target_count = (int*)calloc(2, sizeof(int)); ++ iq->target_count = (int*)calloc(3, sizeof(int)); + /* if calloc fails we simply do not track this number */ + if(iq->target_count) + iq->target_count[0] = 1; +@@ -634,6 +642,15 @@ target_count_increase(struct iter_qstate* iq, int num) + target_count_create(iq); + if(iq->target_count) + iq->target_count[1] += num; ++ iq->dp_target_count++; ++} ++ ++static void ++target_count_increase_nx(struct iter_qstate* iq, int num) ++{ ++ target_count_create(iq); ++ if(iq->target_count) ++ iq->target_count[2] += num; + } + + /** +@@ -656,13 +673,15 @@ target_count_increase(struct iter_qstate* iq, int num) + * @param subq_ret: if newly allocated, the subquerystate, or NULL if it does + * not need initialisation. 
+ * @param v: if true, validation is done on the subquery. ++ * @param detached: true if this qstate should not attach to the subquery + * @return false on error (malloc). + */ + static int + generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype, + uint16_t qclass, struct module_qstate* qstate, int id, + struct iter_qstate* iq, enum iter_state initial_state, +- enum iter_state finalstate, struct module_qstate** subq_ret, int v) ++ enum iter_state finalstate, struct module_qstate** subq_ret, int v, ++ int detached) + { + struct module_qstate* subq = NULL; + struct iter_qstate* subiq = NULL; +@@ -689,11 +708,23 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype, + valrec = 1; + } + +- /* attach subquery, lookup existing or make a new one */ +- fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub)); +- if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec, +- &subq)) { +- return 0; ++ if(detached) { ++ struct mesh_state* sub = NULL; ++ fptr_ok(fptr_whitelist_modenv_add_sub( ++ qstate->env->add_sub)); ++ if(!(*qstate->env->add_sub)(qstate, &qinf, ++ qflags, prime, valrec, &subq, &sub)){ ++ return 0; ++ } ++ } ++ else { ++ /* attach subquery, lookup existing or make a new one */ ++ fptr_ok(fptr_whitelist_modenv_attach_sub( ++ qstate->env->attach_sub)); ++ if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, ++ valrec, &subq)) { ++ return 0; ++ } + } + *subq_ret = subq; + if(subq) { +@@ -716,6 +747,7 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype, + subiq->target_count = iq->target_count; + if(iq->target_count) + iq->target_count[0] ++; /* extra reference */ ++ subiq->dp_target_count = 0; + subiq->num_current_queries = 0; + subiq->depth = iq->depth+1; + outbound_list_init(&subiq->outlist); +@@ -759,7 +791,7 @@ prime_root(struct module_qstate* qstate, struct iter_qstate* iq, int id, + * the normal INIT state logic (which would cause an infloop). 
*/ + if(!generate_sub_request((uint8_t*)"\000", 1, LDNS_RR_TYPE_NS, + qclass, qstate, id, iq, QUERYTARGETS_STATE, PRIME_RESP_STATE, +- &subq, 0)) { ++ &subq, 0, 0)) { + verbose(VERB_ALGO, "could not prime root"); + return 0; + } +@@ -850,7 +882,7 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, int id, + * redundant INIT state processing. */ + if(!generate_sub_request(stub_dp->name, stub_dp->namelen, + LDNS_RR_TYPE_NS, qclass, qstate, id, iq, +- QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0)) { ++ QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0, 0)) { + verbose(VERB_ALGO, "could not prime stub"); + errinf(qstate, "could not generate lookup for stub prime"); + (void)error_response(qstate, id, LDNS_RCODE_SERVFAIL); +@@ -1025,7 +1057,7 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq, + if(!generate_sub_request(s->rk.dname, s->rk.dname_len, + ntohs(s->rk.type), ntohs(s->rk.rrset_class), + qstate, id, iq, +- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) { ++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) { + verbose(VERB_ALGO, "could not generate addr check"); + return; + } +@@ -1069,7 +1101,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id) + iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass); + if(!generate_sub_request(iq->dp->name, iq->dp->namelen, + LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq, +- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) { ++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) { + verbose(VERB_ALGO, "could not generate ns check"); + return; + } +@@ -1126,7 +1158,7 @@ generate_dnskey_prefetch(struct module_qstate* qstate, + iq->dp->name, LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass); + if(!generate_sub_request(iq->dp->name, iq->dp->namelen, + LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass, qstate, id, iq, +- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) { ++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) { + /* we'll be slower, but it'll work */ + verbose(VERB_ALGO, 
"could not generate dnskey prefetch"); + return; +@@ -1315,6 +1347,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, + iq->refetch_glue = 0; + iq->query_restart_count++; + iq->sent_count = 0; ++ iq->dp_target_count = 0; + sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region); + if(qstate->env->cfg->qname_minimisation) + iq->minimisation_state = INIT_MINIMISE_STATE; +@@ -1693,7 +1726,7 @@ generate_parentside_target_query(struct module_qstate* qstate, + { + struct module_qstate* subq; + if(!generate_sub_request(name, namelen, qtype, qclass, qstate, +- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) ++ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) + return 0; + if(subq) { + struct iter_qstate* subiq = +@@ -1744,7 +1777,7 @@ generate_target_query(struct module_qstate* qstate, struct iter_qstate* iq, + { + struct module_qstate* subq; + if(!generate_sub_request(name, namelen, qtype, qclass, qstate, +- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) ++ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) + return 0; + log_nametypeclass(VERB_QUERY, "new target", name, qtype, qclass); + return 1; +@@ -1783,6 +1816,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq, + "number of glue fetches %d", s, iq->target_count[1]); + return 0; + } ++ if(iq->dp_target_count > MAX_DP_TARGET_COUNT) { ++ char s[LDNS_MAX_DOMAINLEN+1]; ++ dname_str(qstate->qinfo.qname, s); ++ verbose(VERB_QUERY, "request %s has exceeded the maximum " ++ "number of glue fetches %d to a single delegation point", ++ s, iq->dp_target_count); ++ return 0; ++ } + + iter_mark_cycle_targets(qstate, iq->dp); + missing = (int)delegpt_count_missing_targets(iq->dp); +@@ -1896,7 +1937,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, + for(a = p->target_list; a; a=a->next_target) { + (void)delegpt_add_addr(iq->dp, qstate->region, + &a->addr, a->addrlen, a->bogus, +- a->lame, a->tls_auth_name); ++ 
a->lame, a->tls_auth_name, NULL); + } + } + iq->dp->has_parent_side_NS = 1; +@@ -1913,6 +1954,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, + iq->refetch_glue = 1; + iq->query_restart_count++; + iq->sent_count = 0; ++ iq->dp_target_count = 0; + if(qstate->env->cfg->qname_minimisation) + iq->minimisation_state = INIT_MINIMISE_STATE; + return next_state(iq, INIT_REQUEST_STATE); +@@ -2078,7 +2120,7 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) + iq->dsns_point, LDNS_RR_TYPE_NS, iq->qchase.qclass); + if(!generate_sub_request(iq->dsns_point, iq->dsns_point_len, + LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq, +- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) { ++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) { + errinf_dname(qstate, "for DS query parent-child nameserver search, could not generate NS lookup for", iq->dsns_point); + return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); + } +@@ -2136,6 +2178,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, + errinf(qstate, "exceeded the maximum number of sends"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } ++ if(iq->target_count && iq->target_count[2] > MAX_TARGET_NX) { ++ verbose(VERB_QUERY, "request has exceeded the maximum " ++ " number of nxdomain nameserver lookups with %d", ++ iq->target_count[2]); ++ errinf(qstate, "exceeded the maximum nameserver nxdomains"); ++ return error_response(qstate, id, LDNS_RCODE_SERVFAIL); ++ } + + /* Make sure we have a delegation point, otherwise priming failed + * or another failure occurred */ +@@ -2240,12 +2289,41 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, + iq->qinfo_out.qtype, iq->qinfo_out.qclass, + qstate->query_flags, qstate->region, + qstate->env->scratch, 0); +- if(msg && msg->rep->an_numrrsets == 0 +- && FLAGS_GET_RCODE(msg->rep->flags) == ++ if(msg && FLAGS_GET_RCODE(msg->rep->flags) == + LDNS_RCODE_NOERROR) + 
/* no need to send query if it is already +- * cached as NOERROR/NODATA */ ++ * cached as NOERROR */ + return 1; ++ if(msg && FLAGS_GET_RCODE(msg->rep->flags) == ++ LDNS_RCODE_NXDOMAIN && ++ qstate->env->need_to_validate && ++ qstate->env->cfg->harden_below_nxdomain) { ++ if(msg->rep->security == sec_status_secure) { ++ iq->response = msg; ++ return final_state(iq); ++ } ++ if(msg->rep->security == sec_status_unchecked) { ++ struct module_qstate* subq = NULL; ++ if(!generate_sub_request( ++ iq->qinfo_out.qname, ++ iq->qinfo_out.qname_len, ++ iq->qinfo_out.qtype, ++ iq->qinfo_out.qclass, ++ qstate, id, iq, ++ INIT_REQUEST_STATE, ++ FINISHED_STATE, &subq, 1, 1)) ++ verbose(VERB_ALGO, ++ "could not validate NXDOMAIN " ++ "response"); ++ } ++ } ++ if(msg && FLAGS_GET_RCODE(msg->rep->flags) == ++ LDNS_RCODE_NXDOMAIN) { ++ /* return and add a label in the next ++ * minimisation iteration. ++ */ ++ return 1; ++ } + } + } + if(iq->minimisation_state == SKIP_MINIMISE_STATE) { +@@ -2321,6 +2399,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, + * generated query will immediately be discarded due to depth and + * that servfail is cached, which is not good as opportunism goes. 
*/ + if(iq->depth < ie->max_dependency_depth ++ && iq->num_target_queries == 0 ++ && (!iq->target_count || iq->target_count[2]==0) + && iq->sent_count < TARGET_FETCH_STOP) { + tf_policy = ie->target_fetch_policy[iq->depth]; + } +@@ -2366,6 +2446,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, + iq->num_current_queries++; /* RespState decrements it*/ + iq->referral_count++; /* make sure we don't loop */ + iq->sent_count = 0; ++ iq->dp_target_count = 0; + iq->state = QUERY_RESP_STATE; + return 1; + } +@@ -2453,6 +2534,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, + iq->num_current_queries++; /* RespState decrements it*/ + iq->referral_count++; /* make sure we don't loop */ + iq->sent_count = 0; ++ iq->dp_target_count = 0; + iq->state = QUERY_RESP_STATE; + return 1; + } +@@ -2747,7 +2829,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + /* Make subrequest to validate intermediate + * NXDOMAIN if harden-below-nxdomain is + * enabled. */ +- if(qstate->env->cfg->harden_below_nxdomain) { ++ if(qstate->env->cfg->harden_below_nxdomain && ++ qstate->env->need_to_validate) { + struct module_qstate* subq = NULL; + log_query_info(VERB_QUERY, + "schedule NXDOMAIN validation:", +@@ -2759,16 +2842,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + iq->response->qinfo.qclass, + qstate, id, iq, + INIT_REQUEST_STATE, +- FINISHED_STATE, &subq, 1)) ++ FINISHED_STATE, &subq, 1, 1)) + verbose(VERB_ALGO, + "could not validate NXDOMAIN " + "response"); +- outbound_list_clear(&iq->outlist); +- iq->num_current_queries = 0; +- fptr_ok(fptr_whitelist_modenv_detach_subs( +- qstate->env->detach_subs)); +- (*qstate->env->detach_subs)(qstate); +- iq->num_target_queries = 0; + } + } + return next_state(iq, QUERYTARGETS_STATE); +@@ -2852,6 +2929,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + /* Count this as a referral. 
*/ + iq->referral_count++; + iq->sent_count = 0; ++ iq->dp_target_count = 0; + /* see if the next dp is a trust anchor, or a DS was sent + * along, indicating dnssec is expected for next zone */ + iq->dnssec_expected = iter_indicates_dnssec(qstate->env, +@@ -2928,6 +3006,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, + iq->dsns_point = NULL; + iq->auth_zone_response = 0; + iq->sent_count = 0; ++ iq->dp_target_count = 0; + if(iq->minimisation_state != MINIMISE_STATE) + /* Only count as query restart when it is not an extra + * query as result of qname minimisation. */ +@@ -3120,7 +3199,7 @@ processPrimeResponse(struct module_qstate* qstate, int id) + if(!generate_sub_request(qstate->qinfo.qname, + qstate->qinfo.qname_len, qstate->qinfo.qtype, + qstate->qinfo.qclass, qstate, id, iq, +- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) { ++ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) { + verbose(VERB_ALGO, "could not generate prime check"); + } + generate_a_aaaa_check(qstate, iq, id); +@@ -3148,6 +3227,7 @@ static void + processTargetResponse(struct module_qstate* qstate, int id, + struct module_qstate* forq) + { ++ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id]; + struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id]; + struct iter_qstate* foriq = (struct iter_qstate*)forq->minfo[id]; + struct ub_packed_rrset_key* rrset; +@@ -3185,7 +3265,7 @@ processTargetResponse(struct module_qstate* qstate, int id, + log_rrset_key(VERB_ALGO, "add parentside glue to dp", + iq->pside_glue); + if(!delegpt_add_rrset(foriq->dp, forq->region, +- iq->pside_glue, 1)) ++ iq->pside_glue, 1, NULL)) + log_err("out of memory adding pside glue"); + } + +@@ -3196,6 +3276,7 @@ processTargetResponse(struct module_qstate* qstate, int id, + * response type was ANSWER. */ + rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep); + if(rrset) { ++ int additions = 0; + /* if CNAMEs have been followed - add new NS to delegpt. 
*/ + /* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */ + if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, +@@ -3207,13 +3288,23 @@ processTargetResponse(struct module_qstate* qstate, int id, + } + /* if dpns->lame then set the address(es) lame too */ + if(!delegpt_add_rrset(foriq->dp, forq->region, rrset, +- dpns->lame)) ++ dpns->lame, &additions)) + log_err("out of memory adding targets"); ++ if(!additions) { ++ /* no new addresses, increase the nxns counter, like ++ * this could be a list of wildcards with no new ++ * addresses */ ++ target_count_increase_nx(foriq, 1); ++ } + verbose(VERB_ALGO, "added target response"); + delegpt_log(VERB_ALGO, foriq->dp); + } else { + verbose(VERB_ALGO, "iterator TargetResponse failed"); ++ delegpt_mark_neg(dpns, qstate->qinfo.qtype); + dpns->resolved = 1; /* fail the target */ ++ if((dpns->got4 == 2 || !ie->supports_ipv4) && ++ (dpns->got6 == 2 || !ie->supports_ipv6)) ++ target_count_increase_nx(foriq, 1); + } + } + +@@ -3387,7 +3478,7 @@ processCollectClass(struct module_qstate* qstate, int id) + qstate->qinfo.qname_len, qstate->qinfo.qtype, + c, qstate, id, iq, INIT_REQUEST_STATE, + FINISHED_STATE, &subq, +- (int)!(qstate->query_flags&BIT_CD))) { ++ (int)!(qstate->query_flags&BIT_CD), 0)) { + errinf(qstate, "could not generate class ANY" + " lookup query"); + return error_response(qstate, id, +diff --git a/iterator/iterator.h b/iterator/iterator.h +index a2f1b570..53dcab3b 100644 +--- a/iterator/iterator.h ++++ b/iterator/iterator.h +@@ -55,6 +55,11 @@ struct rbtree_type; + + /** max number of targets spawned for a query and its subqueries */ + #define MAX_TARGET_COUNT 64 ++/** max number of target lookups per qstate, per delegation point */ ++#define MAX_DP_TARGET_COUNT 16 ++/** max number of nxdomains allowed for target lookups for a query and ++ * its subqueries */ ++#define MAX_TARGET_NX 5 + /** max number of query restarts. Determines max number of CNAME chain. 
*/ + #define MAX_RESTART_COUNT 8 + /** max number of referrals. Makes sure resolver does not run away */ +@@ -305,9 +310,14 @@ struct iter_qstate { + int sent_count; + + /** number of target queries spawned in [1], for this query and its +- * subqueries, the malloced-array is shared, [0] refcount. */ ++ * subqueries, the malloced-array is shared, [0] refcount. ++ * in [2] the number of nxdomains is counted. */ + int* target_count; + ++ /** number of target lookups per delegation point. Reset to 0 after ++ * receiving referral answer. Not shared with subqueries. */ ++ int dp_target_count; ++ + /** if true, already tested for ratelimiting and passed the test */ + int ratelimit_ok; + +diff --git a/services/cache/dns.c b/services/cache/dns.c +index 2a5bca4a..7b6e142c 100644 +--- a/services/cache/dns.c ++++ b/services/cache/dns.c +@@ -273,7 +273,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass, + akey = rrset_cache_lookup(env->rrset_cache, ns->name, + ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0); + if(akey) { +- if(!delegpt_add_rrset_A(dp, region, akey, 0)) { ++ if(!delegpt_add_rrset_A(dp, region, akey, 0, NULL)) { + lock_rw_unlock(&akey->entry.lock); + return 0; + } +@@ -293,7 +293,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass, + akey = rrset_cache_lookup(env->rrset_cache, ns->name, + ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0); + if(akey) { +- if(!delegpt_add_rrset_AAAA(dp, region, akey, 0)) { ++ if(!delegpt_add_rrset_AAAA(dp, region, akey, 0, NULL)) { + lock_rw_unlock(&akey->entry.lock); + return 0; + } +@@ -327,7 +327,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass, + akey = rrset_cache_lookup(env->rrset_cache, ns->name, + ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0); + if(akey) { +- if(!delegpt_add_rrset_A(dp, region, akey, ns->lame)) { ++ if(!delegpt_add_rrset_A(dp, region, akey, ns->lame, ++ NULL)) { + lock_rw_unlock(&akey->entry.lock); + return 0; + } +@@ -347,7 +348,8 @@ cache_fill_missing(struct module_env* 
env, uint16_t qclass, + akey = rrset_cache_lookup(env->rrset_cache, ns->name, + ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0); + if(akey) { +- if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame)) { ++ if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame, ++ NULL)) { + lock_rw_unlock(&akey->entry.lock); + return 0; + } +diff --git a/util/data/dname.c b/util/data/dname.c +index c8f09ddb..76b2ec7d 100644 +--- a/util/data/dname.c ++++ b/util/data/dname.c +@@ -233,17 +233,28 @@ int + dname_pkt_compare(sldns_buffer* pkt, uint8_t* d1, uint8_t* d2) + { + uint8_t len1, len2; ++ int count1 = 0, count2 = 0; + log_assert(pkt && d1 && d2); + len1 = *d1++; + len2 = *d2++; + while( len1 != 0 || len2 != 0 ) { + /* resolve ptrs */ + if(LABEL_IS_PTR(len1)) { ++ if((size_t)PTR_OFFSET(len1, *d1) ++ >= sldns_buffer_limit(pkt)) ++ return -1; ++ if(count1++ > MAX_COMPRESS_PTRS) ++ return -1; + d1 = sldns_buffer_at(pkt, PTR_OFFSET(len1, *d1)); + len1 = *d1++; + continue; + } + if(LABEL_IS_PTR(len2)) { ++ if((size_t)PTR_OFFSET(len2, *d2) ++ >= sldns_buffer_limit(pkt)) ++ return 1; ++ if(count2++ > MAX_COMPRESS_PTRS) ++ return 1; + d2 = sldns_buffer_at(pkt, PTR_OFFSET(len2, *d2)); + len2 = *d2++; + continue; +@@ -302,12 +313,18 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_t* dname, hashvalue_type h) + uint8_t labuf[LDNS_MAX_LABELLEN+1]; + uint8_t lablen; + int i; ++ int count = 0; + + /* preserve case of query, make hash label by label */ + lablen = *dname++; + while(lablen) { + if(LABEL_IS_PTR(lablen)) { + /* follow pointer */ ++ if((size_t)PTR_OFFSET(lablen, *dname) ++ >= sldns_buffer_limit(pkt)) ++ return h; ++ if(count++ > MAX_COMPRESS_PTRS) ++ return h; + dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname)); + lablen = *dname++; + continue; +@@ -341,6 +358,9 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname) + return; + } + /* follow pointer */ ++ if((size_t)PTR_OFFSET(lablen, *dname) ++ >= sldns_buffer_limit(pkt)) ++ return; + dname = 
sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname)); + lablen = *dname++; + continue; +@@ -369,6 +389,7 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname) + void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname) + { + uint8_t lablen; ++ int count = 0; + if(!out) out = stdout; + if(!dname) return; + +@@ -382,6 +403,15 @@ void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname) + fputs("??compressionptr??", out); + return; + } ++ if((size_t)PTR_OFFSET(lablen, *dname) ++ >= sldns_buffer_limit(pkt)) { ++ fputs("??compressionptr??", out); ++ return; ++ } ++ if(count++ > MAX_COMPRESS_PTRS) { ++ fputs("??compressionptr??", out); ++ return; ++ } + dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname)); + lablen = *dname++; + continue; +diff --git a/util/data/msgparse.c b/util/data/msgparse.c +index fb312370..7c32618a 100644 +--- a/util/data/msgparse.c ++++ b/util/data/msgparse.c +@@ -55,7 +55,11 @@ smart_compare(sldns_buffer* pkt, uint8_t* dnow, + { + if(LABEL_IS_PTR(*dnow)) { + /* ptr points to a previous dname */ +- uint8_t* p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1])); ++ uint8_t* p; ++ if((size_t)PTR_OFFSET(dnow[0], dnow[1]) ++ >= sldns_buffer_limit(pkt)) ++ return -1; ++ p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1])); + if( p == dprfirst || p == dprlast ) + return 0; + /* prev dname is also a ptr, both ptrs are the same. */ diff --git a/SPECS/unbound/CVE-2020-12663.nopatch b/SPECS/unbound/CVE-2020-12663.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/unbound/unbound.spec b/SPECS/unbound/unbound.spec index c1df78bb2d2..13db1fa4884 100644 --- a/SPECS/unbound/unbound.spec +++ b/SPECS/unbound/unbound.spec @@ -1,7 +1,7 @@ Summary: unbound dns server Name: unbound Version: 1.10.0 -Release: 2%{?dist} +Release: 3%{?dist} Group: System/Servers Vendor: Microsoft Corporation License: BSD 
@@ -11,6 +11,10 @@ URL: https://nlnetlabs.nl/projects/unbound/about/ Source0: %{name}-release-%{version}.tar.gz Source1: %{name}.service +# CVE-2020-12662.patch also fixes CVE-2020-12663 +Patch0: CVE-2020-12662.patch +Patch1: CVE-2020-12663.nopatch + BuildRequires: systemd BuildRequires: expat-devel @@ -37,6 +41,7 @@ unbound dns server docs %prep %setup -q -n %{name}-release-%{version} +%patch0 -p1 %build ./configure \ @@ -87,6 +92,8 @@ rm -rf %{buildroot}/* %{_mandir}/* %changelog +* Tue Oct 20 2020 Joe Schmitt 1.10.0-3 +- Fix CVE-2020-12662 and CVE-2020-12663. * Sat May 09 2020 Nick Samson 1.10.0-2 - Added %%license line automatically * Fri May 01 2020 Pawel Winogrodzki 1.10.0-1 diff --git a/SPECS/unzip/CVE-2008-0888.nopatch b/SPECS/unzip/CVE-2008-0888.nopatch new file mode 100644 index 00000000000..b504f8f1801 --- /dev/null +++ b/SPECS/unzip/CVE-2008-0888.nopatch @@ -0,0 +1 @@ +# Upstream has fixed CVE-2008-0888 in 6.0 \ No newline at end of file diff --git a/SPECS/unzip/unzip.spec b/SPECS/unzip/unzip.spec index e79bbdcfafc..9c41e85de47 100644 --- a/SPECS/unzip/unzip.spec +++ b/SPECS/unzip/unzip.spec @@ -1,7 +1,7 @@ Summary: Unzip-6.0 Name: unzip Version: 6.0 -Release: 15%{?dist} +Release: 16%{?dist} License: BSD URL: http://infozip.sourceforge.net/UnZip.html Source0: https://downloads.sourceforge.net/infozip/unzip60.tar.gz @@ -27,6 +27,8 @@ Patch12: unzip-zipbomb-manpage.patch Patch13: CVE-2015-7697.patch # Fixes CVE-2018-1000035 Patch14: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch +# Upstream has fixed CVE-2008-0888 in 6.0 +Patch15: CVE-2008-0888.nopatch %description The UnZip package contains ZIP extraction utilities. These are useful @@ -84,6 +86,8 @@ make %{?_smp_mflags} check %{_bindir}/* %changelog +* Mon Sep 28 2020 Daniel McIlvaney 6.0-16 +- Nopatch CVE-2008-0888, fixed in 6.0 * Thu Jul 09 2020 Daniel McIlvaney 6.0-15 - Add patch for CVE-2018-1000035 from Fedora 6.0-47 package * Thu May 13 2020 Henry Beberman - 6.0-14 
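Review bot: `Patch1: CVE-2020-12663.nopatch` points at a file this commit adds empty (its new-file index is the empty-blob id and the diff carries no hunk for it), so the only record of why CVE-2020-12663 needs no separate fix is the `# CVE-2020-12662.patch also fixes CVE-2020-12663` comment in the spec. The unzip change in the same commit puts the justification inside the `.nopatch` file itself (`# Upstream has fixed CVE-2008-0888 in 6.0`); for consistency, and so that anything reading the nopatch files sees a rationale, give `CVE-2020-12663.nopatch` the same one-line content. Patch1 is, as expected for a nopatch, never applied in `%prep`, which the comment could also state.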
diff --git a/SPECS/vim/CVE-2019-12735.patch b/SPECS/vim/CVE-2019-12735.patch
new file mode 100644
index 00000000000..83c6cbc0b48
--- /dev/null
+++ b/SPECS/vim/CVE-2019-12735.patch
@@ -0,0 +1,47 @@
+diff --git a/src/getchar.c b/src/getchar.c
+index cc8b344e1..53f3a76be 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -1442,6 +1442,12 @@ openscript(
+ EMSG(_(e_nesting));
+ return;
+ }
++
++ // Disallow sourcing a file in the sandbox, the commands would be executed
++ // later, possibly outside of the sandbox.
++ if (check_secure())
++ return;
++
+ #ifdef FEAT_EVAL
+ if (ignore_script)
+ /* Not reading from script, also don't open one. Warning message? */
+diff --git a/src/testdir/test_source_utf8.vim b/src/testdir/test_source_utf8.vim
+index c29c2ec1f..f13906242 100644
+--- a/src/testdir/test_source_utf8.vim
++++ b/src/testdir/test_source_utf8.vim
+@@ -61,3 +61,12 @@ func Test_source_ctrl_v()
+ unmap __4
+ unmap __5
+ endfunc
++
++func Test_source_sandbox()
++ new
++ call writefile(["Ohello\"], 'Xsourcehello')
++ source! Xsourcehello | echo
++ call assert_equal('hello', getline(1))
++ call assert_fails('sandbox source! Xsourcehello', 'E48:')
++ bwipe!
++endfunc
+diff --git a/src/version.c b/src/version.c
+index dce4643c2..c6e64ea76 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -794,6 +794,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1365,
+ /**/
+ 388,
+ /**/
diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec
index cf2c83c98f4..4e0eaeb3c95 100644
--- a/SPECS/vim/vim.spec
+++ b/SPECS/vim/vim.spec
@@ -3,7 +3,7 @@
 Summary: Text editor
 Name: vim
 Version: 8.1.0388
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Vim
 URL: https://www.vim.org
 Group: Applications/Editors
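Review bot: In the `Test_source_sandbox` hunk, the line `++ call writefile(["Ohello\"], 'Xsourcehello')` as it appears here leaves the string unterminated (`\"` escapes the closing quote), which would make the whole test file fail to parse; upstream's version of this test ends the string with an angle-bracketed key notation, so this may be a rendering loss rather than a defect in the patch, but it is worth checking the file on disk before relying on the test. The `src/version.c` hunk registers patch 1365 ahead of 388 in `included_patches[]`, which is how `has('patch-8.1.1365')` will report the fix as present on this 8.1.0388 base; a short sentence to that effect in the spec's `Patch0` comment would tell later readers the ordering is intentional. The `openscript` change itself places `check_secure()` after the nesting check, matching the described upstream commit.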
@@ -11,6 +11,11 @@ Vendor: Microsoft Corporation Distribution: Mariner #Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz Source0: %{name}-%{version}.tar.gz +# Based on: +# https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040.patch +# Had some modifications for patch to apply cleanly. +Patch0: CVE-2019-12735.patch + BuildRequires: ncurses-devel %description @@ -26,7 +31,7 @@ Conflicts: toybox The vim extra package contains a extra files for powerful text editor. %prep -%setup -q +%autosetup -p1 echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h %build @@ -184,6 +189,8 @@ fi %{_bindir}/vimdiff %changelog +* Thu Oct 15 2020 Emre Girgin 8.1.0388-7 +- Fix CVE-2019-12735. * Mon Jun 01 2020 Pawel Winogrodzki 8.1.0388-6 - Adding a license reference. * Mon Apr 13 2020 Eric Li 8.1.0388-5 diff --git a/SPECS/wget/wget.spec b/SPECS/wget/wget.spec index 4e66f79f04b..423af80818b 100644 --- a/SPECS/wget/wget.spec +++ b/SPECS/wget/wget.spec @@ -1,7 +1,7 @@ Summary: A network utility to retrieve files from the Web Name: wget Version: 1.20.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3+ URL: https://www.gnu.org/software/wget/wget.html Group: System Environment/NetworkingPrograms @@ -40,7 +40,7 @@ make DESTDIR=%{buildroot} install install -vdm 755 %{buildroot}/etc cat >> %{buildroot}/etc/wgetrc <<-EOF # default root certs location - ca_certificate=/etc/pki/tls/certs/ca-bundle.crt + ca_certificate=/etc/pki/tls/certs/ca-bundle.trust.crt ca_directory = /etc/ssl/certs EOF rm -rf %{buildroot}/%{_infodir} @@ -62,6 +62,8 @@ rm -rf %{buildroot}/* %{_mandir}/man1/* %changelog +* Wed Oct 07 2020 Pawel Winogrodzki 1.20.3-2 +- Updating certificate bundle path to include full set of trust information. * Mon Jun 08 2020 Joe Schmitt 1.20.3-1 - Update to version 1.20.3 to resolve CVE-2019-5953. - Use https for URL. 
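Review bot: In the wget.spec hunk `@@ -40,7 +40,7 @@`, the new `ca_certificate=/etc/pki/tls/certs/ca-bundle.trust.crt` points at a bundle that is normally written in OpenSSL's extended `TRUSTED CERTIFICATE` PEM form rather than plain certificate blocks, and whether wget can load it depends on the TLS backend it was configured with, which is outside this hunk (OpenSSL's PEM loader accepts the form; a GnuTLS-backed build may not, so confirm on a built package). A parse failure would not surface at build time, only as certificate verification errors at run time, with `ca_directory = /etc/ssl/certs` on the next line as the sole fallback. A one-line comment in the heredoc would record the intent and the constraint: `# .trust.crt carries the full trust/distrust flags; requires a parser that accepts TRUSTED CERTIFICATE blocks`.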
diff --git a/SPECS/zipper/minizip.tar.gz b/SPECS/zipper/minizip.tar.gz
new file mode 100644
index 00000000000..2aa3af61bf0
Binary files /dev/null and b/SPECS/zipper/minizip.tar.gz differ
diff --git a/SPECS/zipper/zipper.signatures.json b/SPECS/zipper/zipper.signatures.json
new file mode 100644
index 00000000000..cd26351e047
--- /dev/null
+++ b/SPECS/zipper/zipper.signatures.json
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+ "zipper-1.0.1.tar.gz": "f181eae749428cf72dd94ea66f887982794c831652bd35b928cdac87bdd38ac0",
+ "minizip.tar.gz": "e8f5e597db260876975591e899a8ffd325d3749978b46967850c286cde9f2c1c"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/zipper/zipper.spec b/SPECS/zipper/zipper.spec
new file mode 100644
index 00000000000..b66340b17ac
--- /dev/null
+++ b/SPECS/zipper/zipper.spec
@@ -0,0 +1,119 @@
+Name: zipper
+Summary: C++ wrapper around minizip compression library
+Version: 1.0.1
+Release: 2%{?dist}
+URL: https://github.com/sebastiandev/zipper
+Group: Applications/File
+Vendor: Microsoft Corporation
+Distribution: Mariner
+# zlib licenses comes from minizip/ source code
+License: MIT and zlib
+
+#Source0: https://github.com/sebastiandev/%{name}/archive/v%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+# The 1.0.1 version requires the 'minizip' sources from the following commit: https://github.com/sebastiandev/minizip/tree/0b46a2b4ca317b80bc53594688883f7188ac4d08
+Source1: minizip.tar.gz
+
+BuildRequires: cmake
+BuildRequires: gcc
+BuildRequires: zlib-devel
+
+Provides: bundled(minizip) = 1.2.8
+
+%description
+Zipper's goal is to bring the power and simplicity of minizip to a more
+object oriented/c++ user friendly library.
+It was born out of the necessiyty of a compression library that would be
+reliable, simple and flexible.
+By flexibility I mean supporting all kinds of inputs and outputs,
+but specifically been able to compress into memory instead of being
+restricted to file compression only, and using data from memory instead
+of just files as well.
+
+Features:
+- Create zip in memory
+- Allow files, vector and generic streams as input to zip
+- File mappings for replacing strategies (overwrite if exists or use alternative name from mapping)
+- Password protected zip
+- Multi platform
+
+%package devel
+Summary: Development files of %{name}
+
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+This package provides header files, shared and static library files of %{name}.
+
+%prep
+%setup -q
+
+# Fix library destination
+sed -e 's|DESTINATION lib|DESTINATION %{_lib}|g' -i CMakeLists.txt
+
+# Extract 'minizip' sources dependency
+tar -xf %{SOURCE1}
+
+# Fix permissions
+find minizip -name '*.c' -exec chmod 0644 '{}' \;
+
+%build
+mkdir build && cd build
+export CXXFLAGS="%{optflags} -Wl,--as-needed"
+%cmake .. \
+ -Wno-cpp \
+ -DBUILD_SHARED_VERSION:BOOL=ON \
+ -DBUILD_STATIC_VERSION:BOOL=ON \
+ -DBUILD_TEST:BOOL=ON
+%make_build
+
+%install
+%make_install -C build
+# Tests still want the static library, but we're not going to package it.
+rm %{buildroot}%{_libdir}/libZipper-static.a
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%check
+make test -C build
+
+%files
+%defattr(-,root,root)
+%doc README.md VERSION.txt
+%license LICENSE.md minizip/LICENSE
+%{_libdir}/libZipper.so.*
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/libZipper.so
+%{_includedir}/zipper/
+
+%changelog
+* Wed Oct 14 2020 Pawel Winogrodzki 1.0.1-2
+- Added source URL.
+- Switching to published GitHub source from the custom-made one.
+- Added a separate minizip.tar.gz source.
+- License verified.
+
+* Fri Feb 14 2020 Nick Bopp - 1.0.1-1
+- Initial CBL-Mariner import from Fedora 31 (license: MIT).
+- Update to 1.0.1
+
+* Sat Jul 27 2019 Fedora Release Engineering - 0.9.1-6.20170831giteee877a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering - 0.9.1-5.20170831giteee877a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering - 0.9.1-4.20170831giteee877a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu May 03 2018 Antonio Trande - 0.9.1-3.20170831giteee877a
+- Rebuild for batched updates
+
+* Sun Apr 29 2018 Antonio Trande - 0.9.1-2.20170831giteee877a
+- Specify bundled code's license and version
+
+* Thu Apr 19 2018 Antonio Trande - 0.9.1-1.20170831giteee877a
+- First package
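Review bot: `Source1: minizip.tar.gz` has no commented-out upstream URL the way `Source0` does, so the archive whose hash is pinned in zipper.signatures.json cannot be regenerated from the spec alone; the comment above it names the commit but not how the tarball was produced. Adding `#Source1: https://github.com/sebastiandev/minizip/archive/0b46a2b4ca317b80bc53594688883f7188ac4d08.tar.gz` above it, or stating that the archive is hand-made from that commit, would close that gap. Relatedly, `Provides: bundled(minizip) = 1.2.8` pins a version that the minizip commit comment does not establish; since that Provides is what bundled-code vulnerability tracking keys on, confirm the commit really corresponds to the 1.2.8 minizip sources before relying on it. Minor: `-Wl,--as-needed` in `export CXXFLAGS=...` is a linker flag and would conventionally be set via `LDFLAGS`.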
diff --git a/cgmanifest.json b/cgmanifest.json index fd034e8d1e2..11b8b74280e 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -45,8 +45,8 @@ "type": "other", "other": { "name": "ant", - "version": "1.10.8", - "downloadUrl": "https://archive.apache.org/dist/ant/source/apache-ant-1.10.8-src.tar.gz" + "version": "1.10.9", + "downloadUrl": "https://archive.apache.org/dist/ant/source/apache-ant-1.10.9-src.tar.gz" } } }, @@ -140,6 +140,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "auoms", + "version": "2.2.5", + "downloadUrl": "https://github.com/microsoft/OMS-Auditd-Plugin/archive/v2.2.5-0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -220,6 +230,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "azure-storage-cpp", + "version": "7.3.0", + "downloadUrl": "https://github.com/Azure/azure-storage-cpp/archive/v7.3.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -230,6 +250,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "babeltrace2", + "version": "2.0.1", + "downloadUrl": "https://www.efficios.com/files/babeltrace/babeltrace2-2.0.1.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -310,6 +340,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "bond", + "version": "8.0.1", + "downloadUrl": "https://github.com/microsoft/bond/archive/8.0.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -420,6 +460,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "ccache", + "version": "3.6", + "downloadUrl": "https://github.com/ccache/ccache/releases/download/v3.6/ccache-3.6.tar.gz" + } + } + }, { "component": { "type": "other", @@ -490,6 +540,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "clamav", + "version": "0.101.2", + "downloadUrl": "https://www.clamav.net/downloads/production/clamav-0.101.2.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -520,6 +580,17 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "cloud-init-vmware-guestinfo", + "version": "1.3.1", + "downloadUrl": "https://github.com/vmware/cloud-init-vmware-guestinfo/archive/v1.3.1.tar.gz" + } + } + }, + { "component": { "type": "other", @@ -686,7 +757,7 @@ "other": { "name": "curl", "version": "7.68.0", - "downloadUrl": "http://curl.haxx.se/download/curl-7.66.0.tar.gz" + "downloadUrl": "http://curl.haxx.se/download/curl-7.68.0.tar.gz" } } }, @@ -1110,13 +1181,23 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "fluent-bit", + "version": "1.4.1", + "downloadUrl": "https://github.com/fluent/fluent-bit/archive/v1.4.1.tar.gz" + } + } + }, { "component": { "type": "other", "other": { "name": "fontconfig", - "version": "2.13.1", - "downloadUrl": "https://www.freedesktop.org/software/fontconfig/release/fontconfig-2.13.1.tar.gz" + "version": "2.13.91", + "downloadUrl": "https://www.freedesktop.org/software/fontconfig/release/fontconfig-2.13.91.tar.gz" } } }, @@ -1220,6 +1301,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "gflags", + "version": "2.2.2", + "downloadUrl": "https://github.com/gflags/gflags/archive/v2.2.2.tar.gz" + } + } + }, { "component": { "type": "other", @@ -1345,8 +1436,8 @@ "type": "other", "other": { "name": "golang", - "version": "1.13.11", - "downloadUrl": "https://dl.google.com/go/go1.13.11.src.tar.gz" + "version": "1.13.15", + "downloadUrl": "https://dl.google.com/go/go1.13.15.src.tar.gz" } } }, @@ -1730,6 +1821,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "ivykis", + "version": "0.42.4", + "downloadUrl": "https://github.com/buytenh/ivykis/archive/v0.42.4.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -1770,6 +1871,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "jsonbuilder", + "version": "0.2.1", + "downloadUrl": "https://github.com/microsoft/jsonbuilder/archive/v0.2.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -1780,6 +1891,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "jsonbuilder", + "version": "0.2.1", + "downloadUrl": "https://github.com/microsoft/jsonbuilder/archive/v0.2.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -2176,7 +2297,7 @@ "other": { "name": "libffi", "version": "3.2.1", - "downloadUrl": "ftp://sourceware.org/pub/libffi/libffi-3.2.1.tar.gz" + "downloadUrl": "https://gcc.gnu.org/pub/libffi/libffi-3.2.1.tar.gz" } } }, @@ -2280,6 +2401,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "liblogging", + "version": "1.0.6", + "downloadUrl": "http://download.rsyslog.com/liblogging/liblogging-1.0.6.tar.gz" + } + } + }, { "component": { "type": "other", @@ -2720,6 +2851,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "libxml++", + "version": "3.2.0", + "downloadUrl": "http://ftp.gnome.org/pub/GNOME/sources/libxml++/3.2/libxml++-3.2.0.tar.xz" + } + } + }, { "component": { "type": "other", @@ -2870,6 +3011,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "lttng-consume", + "version": "0.2", + "downloadUrl": "https://github.com/microsoft/lttng-consume/archive/v0.2.tar.gz" + } + } + }, { "component": { "type": "other", @@ -3070,6 +3221,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "mm-common", + "version": "1.0.0", + "downloadUrl": "http://ftp.gnome.org/pub/GNOME/sources/mm-common/1.0/mm-common-1.0.0.tar.xz" + } + } + }, { "component": { "type": "other", 
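Review bot: The hunk `@@ -1780,6 +1891,16 @@` adds a second `jsonbuilder` 0.2.1 entry with exactly the same `downloadUrl` as the one added by `@@ -1770,6 +1871,16 @@` immediately before it; one of the two should be dropped. The other paired entries in this commit (`msgpack` 2.0.0 and 3.2.1, `rapidjson` 1.0.2 and 1.1.0) differ in version and so presumably correspond to distinct packages, but the jsonbuilder pair is byte-identical. The PR checklist's "cgmanifest files are up-to-date and sorted" item would catch this only if the check also rejects duplicate component entries, which is worth adding.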
@@ -3160,6 +3321,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "msgpack", + "version": "2.0.0", + "downloadUrl": "https://github.com/msgpack/msgpack-c/archive/cpp-2.0.0.zip" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "msgpack", + "version": "3.2.1", + "downloadUrl": "https://github.com/msgpack/msgpack-c/archive/cpp-3.2.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -3300,6 +3481,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "nlohmann-json", + "version": "3.6.1", + "downloadUrl": "https://github.com/nlohmann/json/archive/v3.6.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -3400,6 +3591,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "omi", + "version": "1.6.6", + "downloadUrl": "https://github.com/microsoft/omi/archive/v1.6.6-0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -3520,6 +3721,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "pal", + "version": "1.6.6", + "downloadUrl": "https://github.com/microsoft/pal/archive/v1.6.6-0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4050,6 +4261,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "pugixml", + "version": "1.10", + "downloadUrl": "https://github.com/zeux/pugixml/archive/v1.10.tar.gz" + } + } + }, { "component": { "type": "other", @@ -5200,6 +5421,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "rapidjson", + "version": "1.0.2", + "downloadUrl": "https://github.com/Tencent/rapidjson/archive/v1.0.2.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "rapidjson", + "version": "1.1.0", + "downloadUrl": "https://github.com/Tencent/rapidjson/archive/v1.1.0.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -5230,6 +5471,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "rocksdb", + "version": "6.7.3", + "downloadUrl": "https://github.com/facebook/rocksdb/archive/v6.7.3.tar.gz" + } + } + }, { "component": { "type": "other", @@ -5325,8 +5576,8 @@ "type": "other", "other": { "name": "ruby", - "version": "2.6.3", - "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.3.tar.xz" + "version": "2.6.6", + "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.tar.xz" } } }, @@ -5440,6 +5691,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "span-lite", + "version": "0.7.0", + "downloadUrl": "https://github.com/martinmoene/span-lite/archive/v0.7.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -5540,6 +5801,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "syslog-ng", + "version": "3.23.1", + "downloadUrl": "https://github.com/balabit/syslog-ng/releases/download/syslog-ng-3.23.1/syslog-ng-3.23.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -5660,6 +5931,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "telegraf", + "version": "1.14.5", + "downloadUrl": "https://github.com/influxdata/telegraf/archive/v1.14.5.tar.gz" + } + } + }, { "component": { "type": "other", @@ -5670,6 +5951,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "tinyxml2", + "version": "7.1.0", + "downloadUrl": "https://github.com/leethomason/tinyxml2/archive/7.1.0.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -5680,13 +5971,23 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "toml11", + "version": "3.3.0", + "downloadUrl": "https://github.com/ToruNiina/toml11/archive/v3.3.0.tar.gz" + } + } + }, { "component": { "type": "other", "other": { "name": "tpm2-abrmd", - "version": "2.1.1", - "downloadUrl": "https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.1.1/tpm2-abrmd-2.1.1.tar.gz" + "version": "2.3.3", + "downloadUrl": "https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.3.3/tpm2-abrmd-2.3.3.tar.gz" } } }, @@ -5695,8 +5996,8 @@ "type": "other", "other": { "name": "tpm2-tools", - "version": "3.1.4", - "downloadUrl": "https://github.com/tpm2-software/tpm2-tools/releases/download/3.1.4/tpm2-tools-3.1.4.tar.gz" + "version": "4.2", + "downloadUrl": "https://github.com/tpm2-software/tpm2-tools/releases/download/4.2/tpm2-tools-4.2.tar.gz" } } }, @@ -5705,8 +6006,18 @@ "type": "other", "other": { "name": "tpm2-tss", - "version": "2.2.0", - "downloadUrl": "https://github.com/tpm2-software/tpm2-tss/releases/download/2.2.0/tpm2-tss-2.2.0.tar.gz" + "version": "2.4.0", + "downloadUrl": "https://github.com/tpm2-software/tpm2-tss/releases/download/2.4.0/tpm2-tss-2.4.0.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "tracelogging", + "version": "0.2", + "downloadUrl": "https://github.com/microsoft/tracelogging/archive/v0.2.tar.gz" } } }, @@ -6020,6 +6331,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "zipper", + "version": "1.0.1", + "downloadUrl": "https://github.com/sebastiandev/zipper/archive/v1.0.1.tar.gz" + } + } + }, { "component": { "type": "other", diff --git a/toolkit/.gitignore b/toolkit/.gitignore index 466e24805a9..24ebb460623 100644 --- a/toolkit/.gitignore +++ b/toolkit/.gitignore 
@@ -1 +1,8 @@ -out/ \ No newline at end of file +out/ + +# Temporary toolchain build files that are left behind after a failed build. +scripts/toolchain/container/.bashrc +scripts/toolchain/container/Awt_build_headless_only.patch +scripts/toolchain/container/check-system-ca-certs.patch +scripts/toolchain/container/texinfo-perl-fix.patch +scripts/toolchain/container/toolchain-local-wget-list diff --git a/toolkit/Makefile b/toolkit/Makefile index 330e5ac5962..783094aea66 100644 --- a/toolkit/Makefile +++ b/toolkit/Makefile @@ -26,6 +26,7 @@ DOWNLOAD_SRPMS ?= n REBUILD_TOOLS ?= n RUN_CHECK ?= n USE_UPDATE_REPO ?= y +USE_PREVIEW_REPO ?= n DISABLE_UPSTREAM_REPOS ?= n TOOLCHAIN_CONTAINER_ARCHIVE ?= TOOLCHAIN_ARCHIVE ?= 
@@ -85,11 +86,21 @@ toolchain_rpms_dir := $(CACHED_RPMS_DIR)/cache/ endif # External source server -SOURCE_URL ?= -PACKAGE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/$(build_arch)/rpms -PACKAGE_UPDATE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/$(build_arch)/rpms -SRPM_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/srpms -SRPM_UPDATE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/srpms +SOURCE_URL ?= + +PACKAGE_URL_LIST ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/$(build_arch)/rpms +SRPM_URL_LIST ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/srpms + +ifeq ($(USE_UPDATE_REPO),y) +PACKAGE_URL_LIST += https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/$(build_arch)/rpms +SRPM_URL_LIST += https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/srpms +endif + +ifeq ($(USE_PREVIEW_REPO),y) +PACKAGE_URL_LIST += https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/preview/$(build_arch)/rpms +SRPM_URL_LIST += https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/preview/srpms +endif + REPO_LIST ?= CA_CERT ?= TLS_CERT ?= @@ -98,6 +109,10 @@ TLS_KEY ?= # Build defines DIST_TAG ?= .cm1 BUILD_NUMBER ?= $(shell git rev-parse --short HEAD) +# an empty BUILD_NUMBER breaks the build later on +ifeq ($(BUILD_NUMBER),) + BUILD_NUMBER = non-git +endif RELEASE_MAJOR_ID ?= 1.0 # use minor ID defined in file (if exist) otherwise define it # note this file must be single line diff --git a/toolkit/docs/building/building.md b/toolkit/docs/building/building.md index f4189e25a10..a6564f24463 100644 --- a/toolkit/docs/building/building.md +++ b/toolkit/docs/building/building.md 
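Review bot: The `+=` blocks under `ifeq ($(USE_UPDATE_REPO),y)` and `ifeq ($(USE_PREVIEW_REPO),y)` extend `PACKAGE_URL_LIST` and `SRPM_URL_LIST` after the `?=` defaults, so the result depends on how the caller supplied the list: a value passed on the make command line is not extended (GNU make ignores ordinary `+=` for command-line variables unless `override` is used), while a value coming from the environment still gets the update/preview URLs appended because `?=` leaves it alone and `+=` then grows it. The docs in this commit recommend `PACKAGE_URL_LIST=""` on the command line to cut off remote downloads, which works, but an environment-set empty list would silently re-enable the update repo since `USE_UPDATE_REPO` defaults to `y`. A comment above the first `ifeq` should spell this out, e.g. `# Update/preview URLs are appended to whatever list is in effect; a command-line PACKAGE_URL_LIST/SRPM_URL_LIST is not extended, an environment one is.` It would also help to state here which flag triggers downloads from `PACKAGE_URL_LIST`, since the accompanying doc hunk describes it under `REBUILD_TOOLCHAIN=y` while its `REBUILD_TOOLCHAIN=n` text says the download happens there; the consumer of the list is not visible in this diff.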
@@ -1,89 +1,92 @@ -Building -=== +# Building + - [Building](#building) -- [Quick Start](#quick-start) - - [Prerequisites](#prerequisites) - - [Configure the Environment](#configure-the-environment) - - [ISO Quick Start](#iso-quick-start) - - [VHDX Quick Start](#vhdx-quick-start) - - [Build from Sources Quick Start](#build-from-sources-quick-start) -- [Further Reading](#further-reading) - - [Building in Stages](#building-in-stages) - - [1) Bootstrap Toolchain](#1-bootstrap-toolchain) - - [Full toolchain Bootstrap From Sources](#full-toolchain-bootstrap-from-sources) - - [2) Build All Packages](#2-build-all-packages) - - [3) Build Images](#3-build-images) - - [ISOs](#isos) - - [Packages](#packages) - - [Working on Packages](#working-on-packages) - - [DOWNLOAD_SRPMS](#download_srpms) - - [Force Rebuilds](#force-rebuilds) - - [Ignoring Packages](#ignoring-packages) - - [Source Hashes](#source-hashes) -- [Keys, Certs, and Remote Sources](#keys-certs-and-remote-sources) - - [Sources](#sources) - - [Authentication](#authentication) -- [Building Everything From Scratch](#building-everything-from-scratch) - - [Bootstrapping the Toolchain and Building Everything from Scratch](#bootstrapping-the-toolchain-and-building-everything-from-scratch) - - [Local Build Variables](#local-build-variables) - - [URLS and Repos](#urls-and-repos) - - [`SOURCE_URL=...`](#source_url) - - [`PACKAGE_URL=...`](#package_url) - - [`PACKAGE_UPDATE_URL=...`](#package_update_url) - - [`SRPM_URL=...`](#srpm_url) - - [`SRPM_UPDATE_URL=...`](#srpm_update_url) - - [`REPO_LIST=...`](#repo_list) - - [Build Enable/Disable Flags](#build-enabledisable-flags) - - [`REBUILD_TOOLCHAIN=...`](#rebuild_toolchain) - - [`REBUILD_TOOLCHAIN=`**`n`**:*(default)*](#rebuild_toolchainndefault) - - [`REBUILD_TOOLCHAIN=`**`y`**:](#rebuild_toolchainy) - - [`DOWNLOAD_SRPMS=...`](#download_srpms) - - [`DOWNLOAD_SRPMS=`**`n`**:*(default)*](#download_srpmsndefault) - - [`DOWNLOAD_SRPMS=`**`y`**:](#download_srpmsy) - - 
[`USE_UPDATE_REPO=...`](#use_update_repo) - - [`USE_UPDATE_REPO=`**`y`**:*(default)*](#use_update_repoydefault) - - [`USE_UPDATE_REPO=`**`n`**:](#use_update_repon) - - [`DISABLE_UPSTREAM_REPOS=...`](#disable_upstream_repos) - - [`DISABLE_UPSTREAM_REPOS=`**`n`**:*(default)*](#disable_upstream_reposndefault) - - [`DISABLE_UPSTREAM_REPOS=`**`y`**:](#disable_upstream_reposy) - - [`REBUILD_PACKAGES=...`](#rebuild_packages) - - [`REBUILD_PACKAGES=`**`y`**:*(default)*](#rebuild_packagesydefault) - - [NOTE:](#note-1) - - [`REBUILD_PACKAGES=`**`n`**:](#rebuild_packagesn) - - [NOTE:](#note-2) - - [`REBUILD_TOOLS=...`](#rebuild_tools) - - [`REBUILD_TOOLS=`**`n`**:*(default)*](#rebuild_toolsndefault) - - [`REBUILD_TOOLS=`**`y`**:](#rebuild_toolsy) -- [All Build Targets](#all-build-targets) -- [Reproducing a Build](#reproducing-a-build) + - [Quick Start](#quick-start) + - [Prerequisites](#prerequisites) + - [Configure the Environment](#configure-the-environment) + - [ISO Quick Start](#iso-quick-start) + - [VHDX Quick Start](#vhdx-quick-start) + - [Build from Sources Quick Start](#build-from-sources-quick-start) + - [Further Reading](#further-reading) + - [Building in Stages](#building-in-stages) + - [1) Bootstrap Toolchain](#1-bootstrap-toolchain) + - [Full toolchain Bootstrap From Sources](#full-toolchain-bootstrap-from-sources) + - [2) Build All Packages](#2-build-all-packages) + - [3) Build Images](#3-build-images) + - [ISOs](#isos) + - [Packages](#packages) + - [Working on Packages](#working-on-packages) + - [DOWNLOAD_SRPMS](#download_srpms) + - [Force Rebuilds](#force-rebuilds) + - [Source Hashes](#source-hashes) + - [Keys, Certs, and Remote Sources](#keys-certs-and-remote-sources) + - [Sources](#sources) + - [Authentication](#authentication) + - [Building Everything From Scratch](#building-everything-from-scratch) + - [Bootstrapping the Toolchain and Building Everything from Scratch](#bootstrapping-the-toolchain-and-building-everything-from-scratch) + - [Local Build 
Variables](#local-build-variables) + - [URLS and Repos](#urls-and-repos) + - [`SOURCE_URL=...`](#source_url) + - [`PACKAGE_URL_LIST=...`](#package_url_list) + - [`SRPM_URL_LIST=...`](#srpm_url_list) + - [`REPO_LIST=...`](#repo_list) + - [Build Enable/Disable Flags](#build-enabledisable-flags) + - [`REBUILD_TOOLCHAIN=...`](#rebuild_toolchain) + - [`REBUILD_TOOLCHAIN=`**`n`** *(default)*](#rebuild_toolchainn-default) + - [`REBUILD_TOOLCHAIN=`**`y`**](#rebuild_toolchainy) + - [`DOWNLOAD_SRPMS=...`](#download_srpms-1) + - [`DOWNLOAD_SRPMS=`**`n`** *(default)*](#download_srpmsn-default) + - [`DOWNLOAD_SRPMS=`**`y`**](#download_srpmsy) + - [`USE_UPDATE_REPO=...`](#use_update_repo) + - [`USE_UPDATE_REPO=`**`y`** *(default)*](#use_update_repoy-default) + - [`USE_UPDATE_REPO=`**`n`**](#use_update_repon) + - [`USE_PREVIEW_REPO=...`](#use_preview_repo) + - [`USE_PREVIEW_REPO=`**`n`** *(default)*](#use_preview_repon-default) + - [`USE_PREVIEW_REPO=`**`y`**](#use_preview_repoy) + - [`DISABLE_UPSTREAM_REPOS=...`](#disable_upstream_repos) + - [`DISABLE_UPSTREAM_REPOS=`**`n`** *(default)*](#disable_upstream_reposn-default) + - [`DISABLE_UPSTREAM_REPOS=`**`y`**](#disable_upstream_reposy) + - [`REBUILD_PACKAGES=...`](#rebuild_packages) + - [`REBUILD_PACKAGES=`**`y`** *(default)*](#rebuild_packagesy-default) + - [`REBUILD_PACKAGES=`**`n`**](#rebuild_packagesn) + - [`REBUILD_TOOLS=...`](#rebuild_tools) + - [`REBUILD_TOOLS=`**`n`** *(default)*](#rebuild_toolsn-default) + - [`REBUILD_TOOLS=`**`y`**](#rebuild_toolsy) + - [All Build Targets](#all-build-targets) + - [Reproducing a Build](#reproducing-a-build) - [Build Summaries](#build-summaries) - [Building From Summaries](#building-from-summaries) - [Reproducing a Package Build](#reproducing-a-package-build) - [Reproducing an Image Build](#reproducing-an-image-build) - [Reproducing an ISO Build](#reproducing-an-iso-build) - [All Build Variables](#all-build-variables) - - [Targets](#targets) - - [Rebuild vs. 
Download](#rebuild-vs-download) - - [Remote Connections](#remote-connections) - - [Misc Build](#misc-build) - - [Reproducing a Build](#reproducing-a-build-1) - - [Directory Customization](#directory-customization) - - [Build Details](#build-details) - + - [Targets](#targets) + - [Rebuild vs. Download](#rebuild-vs-download) + - [Remote Connections](#remote-connections) + - [Misc Build](#misc-build) + - [Reproducing Builds](#reproducing-builds) + - [Directory Customization](#directory-customization) + - [Build Details](#build-details) +## Quick Start -Quick Start -=== +### Prerequisites -## Prerequisites Install prerequisites [here](prerequisites.md). -## Configure the Environment +### Configure the Environment + By default all build commands are executed from inside the `./toolkit` folder. A few one-time steps can be run now (they will re-run automatically later if needed) Remote files are generally only available for release branches. + +**IMPORTANT:** HEAD of many branches is not guaranteed to build successfully. To avoid build issues it is recommended to check out the `[BRANCH-NAME]-stable` tag. + +Example: to safely build the `1.0` branch check out the `1.0-stable` tag. + + ```bash # Get the source code git clone https://github.com/microsoft/CBL-Mariner.git 
@@ -98,54 +101,69 @@ sudo make go-tools REBUILD_TOOLS=y # Get the package sources sudo make input-srpms DOWNLOAD_SRPMS=y ``` + **NOTE: All subsequent commands are assumed to be executed from inside the toolkit directory.** -## ISO Quick Start +### ISO Quick Start + ```bash # Build an ISO version of ./imageconfigs/core-efi.json entirely from downloaded, pre-built packages sudo make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n ``` -## VHDX Quick Start +### VHDX Quick Start + ```bash # Build a VHDX of ./imageconfigs/core-efi.json entirely from downloaded, pre-built packages sudo make image REBUILD_TOOLS=y REBUILD_PACKAGES=n ``` -## Build from Sources Quick Start +### Build from Sources Quick Start + This is a **much slower** process which will download and compile sources rather than use pre-compiled packages. + ```bash # Build an image without downloading pre-compiled packages sudo make image REBUILD_TOOLS=y REBUILD_TOOLCHAIN=y DOWNLOAD_SRPMS=y -j$(nproc) ``` -# Further Reading -## Building in Stages +## Further Reading + +### Building in Stages + This section runs through a build one step at a time, briefly explaining the purpose. `Make` will generally automate this flow if given a target, however it can be useful for debugging. -### 1) Bootstrap Toolchain + +#### 1) Bootstrap Toolchain + A set of bootstrapped toolchain packages (gcc etc.) are used to build CBL-Mariner packages and images. ```bash # Download the pre-built toolchain packages (REBUILD_TOOLCHAIN=n is the default value) sudo make toolchain REBUILD_TOOLS=y + # Move the downloaded bootstrap packages to the general RPM out folder sudo make copy-toolchain-rpms ``` + NOTE: A full list of targets and options to `make` is available [here](#all-build-targets) and [here](#all-build-variables). 
-#### Full toolchain Bootstrap From Sources +##### Full toolchain Bootstrap From Sources + If you want to build **everything** from scratch, including the bootstrapping process, run: + ```bash cd ~/git/CBL-Mariner/toolkit + # Do a FULL bootstrap + rebuild from sources instead (much slower) # Add REBUILD_TOOLCHAIN=y to any subsequent command to ensure locally built toolchain packages are used sudo make toolchain REBUILD_TOOLS=y REBUILD_TOOLCHAIN=y DOWNLOAD_SRPMS=y ``` + This will download the source files (SRPMs) from the package sever, and build them locally. See the detailed section on building from scratch [here](#building-everything-from-scratch) +#### 2) Build All Packages -### 2) Build All Packages (**this step may be omitted if desired**) Once the toolchain is bootstrapped, packages can be built with the toolchain. @@ -157,6 +175,7 @@ However, to manually build **all** packages you can clear the configuration with Large parts of the build are parallelized. Enable this by setting the `-j` flag for `make` to the number of parallel jobs to allow. (Recommend setting this value to the number of logical cores available on your system, or less) **NOTE: If you are building your toolchain packages from source, add `REBUILD_TOOLCHAIN=y`** + ```bash # Build ALL packages FOR AMD64 sudo make build-packages -j$(nproc) CONFIG_FILE= DOWNLOAD_SRPMS=y REBUILD_TOOLS=y @@ -166,10 +185,12 @@ sudo make build-packages -j$(nproc) CONFIG_FILE= DOWNLOAD_SRPMS=y REBUILD_TOOLS= sudo make build-packages -j$(nproc) CONFIG_FILE= DOWNLOAD_SRPMS=y REBUILD_TOOLS=y ``` -### 3) Build Images +#### 3) Build Images + Different images can be produced from the build system. All images are generated in the `out/images` folder. **NOTE: If you are building your toolchain packages from source, add `REBUILD_TOOLCHAIN=y`** + ```bash # To build a Mariner VHD Image (VHD folder: ../out/images/core-legacy) sudo make image CONFIG_FILE=./imageconfigs/core-legacy.json REBUILD_TOOLS=y DOWNLOAD_SRPMS=y 
@@ -184,95 +205,114 @@ sudo make iso CONFIG_FILE=./imageconfigs/full.json REBUILD_TOOLS=y DOWNLOAD_SRPM sudo make image CONFIG_FILE=./imageconfigs/core-container.json REBUILD_TOOLS=y DOWNLOAD_SRPMS=y ``` -## ISOs +### ISOs + ISO installers can be built with: + ```bash # Build out/images/developer_iso/*.iso from remote components sudo make iso -j$(nproc) CONFIG_FILE=./resources/imageconfigs/developer_iso/developer_iso.json ``` + To create an unattended ISO installer (no interactive UI) use `UNATTENDED_INSTALLER=y`: -````bash + +```bash # Build out/images/developer_iso/*.iso from remote components with unattended installer sudo make iso -j$(nproc) CONFIG_FILE=./resources/imageconfigs/developer_iso/developer_iso.json UNATTENDED_INSTALLER=y -```` +``` + NOTE: ISOs require additional packaging and build steps (such as the creation of a separate `initrd` installer image used to install the final image to disk). -## Packages +### Packages + The toolkit can download packages from remote RPM repositories, or build them locally. By default any `*.spec` files found in `SPECS_DIR="./SPECS"` will be built locally. Dependencies will be downloaded as needed. Only those packages needed to build the current config will be built (`core-efi.json` by default). An additional space separated list of packages may be added using the `PACKAGE_BUILD_LIST=` variable. 
Build all local packages needed for the default `core-efi.json`: + ```bash sudo make build-packages -j$(nproc) ``` Build only two packages along with their prerequisites (note `CONFIG_FILE` is explicitly cleared, not specifying it will use the default `core-efi.json` config): + ```bash sudo make build-packages PACKAGE_BUILD_LIST="vim nano" CONFIG_FILE= -j$(nproc) ``` Build packages from a custom SPECS dir: + ```bash sudo make build-packages SPECS_DIR="/my/packages/SPECS" -j$(nproc) ``` -### Working on Packages +#### Working on Packages + The build system will attempt to minimize rebuilds, but sometimes it is useful to force packages to rebuild, or ignore missing packages. Say you want to iterate on the `nano` package, but the `ncurses-devel` package is broken (`ncurses-devel` is a dependency of `nano`)... -#### DOWNLOAD_SRPMS +##### DOWNLOAD_SRPMS + When `DOWNLOAD_SRPMS=y` is set, the local sources and spec files will not be used, and changes will not be reflected in the final packages. -#### Force Rebuilds +##### Force Rebuilds + Adding `PACKAGE_REBUILD_LIST="nano"` will tell the build system to always rebuild `nano.spec` even if it thinks the rpm file is up to date. -#### Source Hashes +##### Source Hashes + The build system also enforces hash checking for sources when packaging SRPMs. For a given `*.spec` file a hash of each source is recorded in `*.signatures.json`. The build system will attempt to find a source which matches the recorded hash. If you change a source the signature file can be updated by setting `SRPM_FILE_SIGNATURE_HANDLING=update`. + ```bash # Just update the intermediate SRPMs and their source signatures by using the input-srpms target sudo make input-srpms SRPM_FILE_SIGNATURE_HANDLING=update ``` -Keys, Certs, and Remote Sources -=== -## Sources +## Keys, Certs, and Remote Sources + +### Sources + The build system pulls files two ways: + - Downloading files directly. - Using the `tdnf` package management tool running inside a chroot. 
Direct file downloads are by default pulled from: + ```makefile SOURCE_URL ?= -PACKAGE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/$(build_arch)/rpms -PACKAGE_UPDATE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/$(build_arch)/rpms -SRPM_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/srpms -SRPM_UPDATE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/srpms +PACKAGE_URL_LIST ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/$(build_arch)/rpms +SRPM_URL_LIST ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/srpms ``` + While `tdnf` uses a list of repo files: + ```makefile REPO_LIST ?= ``` + The `REPO_LIST` variable supports multiple repo files, and they are prioritized in the order they appear in the list. -The CBL-Mariner base repo is implicitly provided, and an optional update repo is available by setting `USE_UPDATE_REPO=y`. If `$(DISABLE_UPSTREAM_REPOS)` is set to `y`, any repo that is accessed through the network is disabled. +The CBL-Mariner base repo is implicitly provided, an optional update repo is available by setting `USE_UPDATE_REPO=y` and an optional preview repo is available by setting `USE_PREVIEW_REPO=y`. If `$(DISABLE_UPSTREAM_REPOS)` is set to `y`, any repo that is accessed through the network is disabled. + +### Authentication -## Authentication If supplying custom endpoints for source/SRPM/package servers, accessing these resources may require keys and certificates. The keys and certificates can be set using: + ```bash sudo make image CA_CERT=/path/to/rootca.crt TLS_CERT=/path/to/user.crt TLS_KEY=/path/to/user.key ``` -Building Everything From Scratch -=== +## Building Everything From Scratch **NOTE: Source files must be made available for all packages. 
They can be placed manually in the corresponding SPEC/\* folders, `SOURCE_URL=` may be provided, or DOWNLOAD_SRPMS=y may be used to use pre-packages sources** The build system can operate without using pre-built components if desired. There are several variables which enable/disable build components and sources of data. They are listed here along with their default values: + ```makefile -SOURCE_URL ?= -PACKAGE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/$(build_arch)/rpms -PACKAGE_UPDATE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/$(build_arch)/rpms -SRPM_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/srpms -SRPM_UPDATE_URL ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/srpms +SOURCE_URL ?= +PACKAGE_URL_LIST ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/$(build_arch)/rpms +SRPM_URL_LIST ?= https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/srpms REPO_LIST ?= ``` + ```makefile DOWNLOAD_SRPMS ?= n REBUILD_TOOLCHAIN ?= n 
@@ -283,86 +323,122 @@ DISABLE_UPSTREAM_REPOS ?= n TOOLCHAIN_ARCHIVE ?= PACKAGE_ARCHIVE ?= ``` + See [Local Build Variables](#local-build-variables) for details on what each variable does. -## Bootstrapping the Toolchain and Building Everything from Scratch +### Bootstrapping the Toolchain and Building Everything from Scratch + This command will build all components locally, including all toolchain packages using a two stage bootstrap process. No sources will be pulled remotely **(Unless a package build explicitly attempts to do so within its `*.spec` file)**. Just the toolchain build will take several hours, building `core-efi.json` may take the better part of a day. + ```bash # Rebuild just the Go tools sudo make go-tools REBUILD_TOOLS=y # Bootstrap just the toolchain using publicly available sources via wget (or from SOURCE_URL if set), # then rebuild the toolchain properly using the provided sources - # NOTE: Source files must made available via one of: # - `SOURCE_URL=` -# - DOWNLOAD_SRPMS=y (will download pre-packages sources from SRPM_URL=... and SRPM_UPDATE_URL=...) +# - DOWNLOAD_SRPMS=y (will download pre-packages sources from SRPM_URL_LIST=...) # - manually placing the correct sources in each /SPECS/* package folder # (SRPM_FILE_SIGNATURE_HANDLING=update must be used if the new sources files to not match the existing hashes) -sudo make toolchain PACKAGE_URL="" PACKAGE_UPDATE_URL="" REPO_LIST="" DISABLE_UPSTREAM_REPOS=y REBUILD_TOOLCHAIN=y REBUILD_TOOLS=y +sudo make toolchain PACKAGE_URL_LIST="" REPO_LIST="" DISABLE_UPSTREAM_REPOS=y REBUILD_TOOLCHAIN=y REBUILD_TOOLS=y ``` + ```bash # Complete rebuild of all tool, package, and image files from source. - # NOTE: Source files must made available via one of: # - `SOURCE_URL=` -# - DOWNLOAD_SRPMS=y (will download pre-packages sources from SRPM_URL=... and SRPM_UPDATE_URL=...) +# - DOWNLOAD_SRPMS=y (will download pre-packages sources from SRPM_URL_LIST=...) 
# - manually placing the correct sources in each /SPECS/* package folder # (SRPM_FILE_SIGNATURE_HANDLING=update must be used if the new sources files to not match the existing hashes) -sudo make image PACKAGE_URL="" PACKAGE_UPDATE_URL="" REPO_LIST="" DISABLE_UPSTREAM_REPOS=y REBUILD_TOOLCHAIN=y REBUILD_PACKAGES=y REBUILD_TOOLS=y +sudo make image PACKAGE_URL_LIST="" REPO_LIST="" DISABLE_UPSTREAM_REPOS=y REBUILD_TOOLCHAIN=y REBUILD_PACKAGES=y REBUILD_TOOLS=y ``` -## Local Build Variables +### Local Build Variables + +#### URLS and Repos -### URLS and Repos The build can be configured to prioritize local builds but still use the remote sources if needed. For example: If a locally defined `*.spec` file has build dependencies which are not satisfied locally. If that is not desired all remote sources can be disabled by clearing the following variable: -### `SOURCE_URL=...` + +#### `SOURCE_URL=...` + > URL to download unavailable source files from when creating `*.src.rpm` files prior to build. -### `PACKAGE_URL=...` -> URL to download RPM packages from, used to populate the toolchain packages if they are missing. -### `PACKAGE_UPDATE_URL=...` -> URL to download RPM packages from if not found under `$(PACKAGE_URL)` and `$(USE_UPDATE_REPO)` is set to `y`, used to populate the toolchain packages if they are missing. -### `SRPM_URL=...` -> URL to download packed SRPM packages from prior to build if `$(DOWNLOAD_SRPMS)` is set to `y`. -### `SRPM_UPDATE_URL=...` -> URL to download updated versions of packed SRPM packages from prior to build if `$(DOWNLOAD_SRPMS)` is set to `y`. -### `REPO_LIST=...` + +#### `PACKAGE_URL_LIST=...` + +> Space seperated list of URLs to download toolchain RPM packages from, used to populate the toolchain packages if `$(REBUILD_TOOLCHAIN)` is set to `y`. + +#### `SRPM_URL_LIST=...` + +> Space seperated list of URLs to download packed SRPM packages from prior to build if `$(DOWNLOAD_SRPMS)` is set to `y`. 
+ +#### `REPO_LIST=...` + > List of RPM repositories to pull packages from. These packages are used to satisfy dependencies during the build process, and to compose a final image. Locally available packages are always prioritized. The repos are prioritized based on the order they appear in the list: Repos earlier in the list are higher priority. -### Build Enable/Disable Flags +#### Build Enable/Disable Flags + +#### `REBUILD_TOOLCHAIN=...` + +##### `REBUILD_TOOLCHAIN=`**`n`** *(default)* + +> Use pre-existing toolchain packages from another source. If `TOOLCHAIN_ARCHIVE=my_toolchain.tar.gz` is also set the build system will extract the required packages from that archive. If `TOOLCHAIN_ARCHIVE` is not set the build system will download the required toolchain packages from `$(PACKAGE_URL_LIST)`. + +##### `REBUILD_TOOLCHAIN=`**`y`** -### `REBUILD_TOOLCHAIN=...` -#### `REBUILD_TOOLCHAIN=`**`n`**:*(default)* -> Use pre-existing toolchain packages from another source. If `TOOLCHAIN_ARCHIVE=my_toolchain.tar.gz` is also set the build system will extract the required packages from that archive. If `TOOLCHAIN_ARCHIVE` is not set the build system will download the required toolchain packages from `$(PACKAGE_URL)` and `$(PACKAGE_UPDATE_URL)`. -#### `REBUILD_TOOLCHAIN=`**`y`**: > Bootstrap the toolchain from the host environment in a docker container. The toolchain consists of those packages which are required to build all other packages (*gcc, tdnf, etc*) -### `DOWNLOAD_SRPMS=...` -#### `DOWNLOAD_SRPMS=`**`n`**:*(default)* +#### `DOWNLOAD_SRPMS=...` + +##### `DOWNLOAD_SRPMS=`**`n`** *(default)* + > Pack SRPMs to be built from local SPECs. Will retrieve sources from the SPEC's folder if available, and will download missing sources from `$(SOURCE_URL)`. -#### `DOWNLOAD_SRPMS=`**`y`**: + +##### `DOWNLOAD_SRPMS=`**`y`** + > Download official pre-packed SRPMs from `$(SRPM_URL)`. Use this option if `$(SOURCE_URL)` is not available. 
-### `USE_UPDATE_REPO=...` -#### `USE_UPDATE_REPO=`**`y`**:*(default)* +#### `USE_UPDATE_REPO=...` + +##### `USE_UPDATE_REPO=`**`y`** *(default)* + > Pull missing packages from the upstream update repository in addition to the base repository. -#### `USE_UPDATE_REPO=`**`n`**: -> Only pull missing packages from the upstream base repository. -### `DISABLE_UPSTREAM_REPOS=...` -#### `DISABLE_UPSTREAM_REPOS=`**`n`**:*(default)* +##### `USE_UPDATE_REPO=`**`n`** + +> Do not pull missing packages from the upstream update repository. + +#### `USE_PREVIEW_REPO=...` + +##### `USE_PREVIEW_REPO=`**`n`** *(default)* + +> Do not pull missing packages from the upstream preview repository. + +##### `USE_PREVIEW_REPO=`**`y`** + +> Pull missing packages from the upstream preview repository in addition to the base repository. + +#### `DISABLE_UPSTREAM_REPOS=...` + +##### `DISABLE_UPSTREAM_REPOS=`**`n`** *(default)* + > Pull packages from all set repositories, including external ones accessed through the network. -#### `DISABLE_UPSTREAM_REPOS=`**`y`**: -> Only pull missing packages from local repositories. This does not affect hydrating the toolchain from `$(PACKAGE_URL)` and `$(PACKAGE_UPDATE_URL)`. -### `REBUILD_PACKAGES=...` -#### `REBUILD_PACKAGES=`**`y`**:*(default)* +##### `DISABLE_UPSTREAM_REPOS=`**`y`** + +> Only pull missing packages from local repositories. This does not affect hydrating the toolchain from `$(PACKAGE_URL_LIST)`. + +#### `REBUILD_PACKAGES=...` + +##### `REBUILD_PACKAGES=`**`y`** *(default)* + > Parse all local `*.spec` files, and build them if needed. > A package will be built +> > - If: > - it is present in `CONFIG_FILE=config.json` > - or it is listed in `PACKAGE_BUILD_LIST="..."` 
@@ -372,30 +448,40 @@ If that is not desired all remote sources can be disabled by clearing the follow > - the corresponding *.rpm files are missing > - or the *.rpm files are out of date (based on version numbers) -#### NOTE: +**NOTE:** + The `*.spec` files are converted to `*.src.rpm` files which bundle the spec files with their source files. If the build tools are not able to find valid source files **which match the SHA1 hash recorded in `*.signatures.json`** then they will attempt to locate the source files from `$(SOURCE_URL)` and download them. -#### `REBUILD_PACKAGES=`**`n`**: +##### `REBUILD_PACKAGES=`**`n`** + > Do not attempt to build any local specs, always download the packages via `tdnf` from the internet if they are missing. -#### NOTE: + +**NOTE:** + It is possible to hydrate the local `*.rpm` files with a one-time manual operation: + ```bash # Create ./out/rpms.tar.gz from the *.rpm files locally available: sudo make compress-rpms ``` + ```bash # Extract all rpms present in rpms.tar.gz into a build environment: sudo make hydrate-rpms PACKAGE_ARCHIVE=./rpms.tar.gz ``` -### `REBUILD_TOOLS=...` -#### `REBUILD_TOOLS=`**`n`**:*(default)* +#### `REBUILD_TOOLS=...` + +##### `REBUILD_TOOLS=`**`n`** *(default)* + > Use pre-compiled go binaries, likely provided as part of an SDK. The binaries are expected to be found in `$(TOOL_BINS_DIR)` -#### `REBUILD_TOOLS=`**`y`**: + +##### `REBUILD_TOOLS=`**`y`** + > Build the go tools from source as needed. -All Build Targets -=== +## All Build Targets + These are the useful build targets: | Target | Description |:---------------------------------|:--- 
@@ -430,11 +516,12 @@ These are the useful build targets: | validate-image-config | Validate the selected image config. | workplan | Create the package build workplan. -Reproducing a Build -=== +## Reproducing a Build + By default the build system will pull the highest possible version of external packages when building. However, there may be circumstances when you wish to reproduce a build using the exact same external package versions as before, even if newer versions are available. -#### Build Summaries +### Build Summaries + The build system supports this behavior through summary files, a JSON representation of packages consumed during a build. By referencing these summary files, the build system can consume the exact same version of external packages later on. Since the summary files are regenerated every build, if you wish to reproduce a build, you should save the summary files to another location for future use. 
@@ -445,8 +532,10 @@ Since the summary files are regenerated every build, if you wish to reproduce a | Image Build | `$(IMAGEGEN_DIR)/{imagename}/image_deps.json` | Generated every image build. Can be saved and used later with the `$(IMAGE_CACHE_SUMMARY)` variable to reproduce an image build. | Initrd Build | `$(IMAGEGEN_DIR)/iso_initrd/image_deps.json` | Generated every initrd and ISO build. Can be saved and used later with the `$(INITRD_CACHE_SUMMARY)` variable to reproduce an initrd build. -#### Building From Summaries -To reproduce a build, there are four constraints +### Building From Summaries + +To reproduce a build, there are four constraints: + 1. The local SPEC files must be the same. That is, you cannot reproduce a build having modified any of the local SPEC files since when the summary files were generated. 2. What is being built must be the same. That is, if the summary files were generated from an image build then the reproduced build must be building the exact same image configuration. 3. The toolkit version must be the same. That is, if the summary files were generated from a `1.0` toolkit, then the reproduced build must be done using the `1.0` toolkit. 
@@ -454,36 +543,46 @@ To reproduce a build, there are four constraints If the above constraints are met then a build can be reproduced from summary files. -###### Reproducing a Package Build +### Reproducing a Package Build + To reproduce a package build, run the same make invocation as before, but set: + - `PACKAGE_CACHE_SUMMARY=` to the path of the package build summary file. -###### Reproducing an Image Build +### Reproducing an Image Build + To reproduce an image build, run the same make invocation as before, but set: + - `PACKAGE_CACHE_SUMMARY=` to the path of the package build summary file. - `IMAGE_CACHE_SUMMMARY=` to the path of the image build summary file. -###### Reproducing an ISO Build +### Reproducing an ISO Build + To reproduce an ISO build, run the same make invocation as before, but set: + - `PACKAGE_CACHE_SUMMARY=` to the path of the package build summary file. - `IMAGE_CACHE_SUMMMARY=` to the path of the image build summary file. - `INITRD_CACHE_SUMMMARY=` to the path of the initrd build summary file. ## All Build Variables + --- -#### Targets + +### Targets + | Variable | Default | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- | CONFIG_FILE | `$(RESOURCES_DIR)`/imageconfigs/core-efi/core-efi.json | Image config file to build -| CONFIG_BASE_DIR | `$(dir $(CONFIG_FILE)) ` | Base directory to search for image files in (see [image_config.md](../images/image_config.md)) -| TERMINAL_ISO_INSTALLER | n | Use a command line ISO installer instead of the GUI installer +| CONFIG_BASE_DIR | `$(dir $(CONFIG_FILE))` | Base directory to search for image files in (see [image_config.md](../images/image_config.md)) | UNATTENDED_INSTALLER | | Create unattended ISO installer if set. Overrides all other installer options. | PACKAGE_BUILD_LIST | | Additional packages to build. The package will be skipped if the build system thinks it is already up-to-date. 
| PACKAGE_REBUILD_LIST | | Always rebuild this package, even if it is up-to-date. Base package name, will match all virtual packages produced as well. | SSH_KEY_FILE | | Use with `make meta-user-data` to add the ssh key from this file into `user-data`. --- -#### Rebuild vs. Download + +### Rebuild vs. Download + | Variable | Default | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- | REBUILD_TOOLCHAIN | n | Bootstrap the toolchain packages locally or download them? 
@@ -493,25 +592,27 @@ To reproduce an ISO build, run the same make invocation as before, but set: | PACKAGE_ARCHIVE | | Use with `make hydrate-rpms` to populate a set of rpms from an archive. | DOWNLOAD_SRPMS | n | Pack SRPMs from local SPECs or download published ones? | USE_UPDATE_REPO | y | Pull missing packages from the upstream update repository in addition to the base repository? -| DISABLE_UPSTREAM_REPOS | n | Only pull missing packages from local repositories? This does not affect hydrating the toolchain from `$(PACKAGE_URL)` and `$(PACKAGE_UPDATE_URL)`. - +| USE_PREVIEW_REPO | n | Pull missing packages from the upstream preview repository in addition to the base repository? +| DISABLE_UPSTREAM_REPOS | n | Only pull missing packages from local repositories? This does not affect hydrating the toolchain from `$(PACKAGE_URL_LIST)`. --- -#### Remote Connections + +### Remote Connections + | Variable | Default | Description |:------------------------------|:---------------------------------------------------------------------------------------------------------|:--- -| SOURCE_URL | | URL to request package sources from -| SRPM_URL | https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/srpms | URL to request packed SRPMs from if `$(DOWNLOAD_SRPMS)` is set to `y` -| SRPM_UPDATE_URL | https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/srpms | URL to request updated versions of packed SRPMs from if `$(DOWNLOAD_SRPMS)` is set to `y` -| PACKAGE_URL | https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/$(build_arch)/rpms | URL to request full toolchain packages from -| PACKAGE_UPDATE_URL | https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/update/$(build_arch)/rpms | URL to request full toolchain packages from if not found under `$(PACKAGE_URL)` and `$(USE_UPDATE_REPO)` is set to `y` +| SOURCE_URL | | URL to request package sources from +| SRPM_URL_LIST | 
`https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/srpms` | Space seperated list of URLs to request packed SRPMs from if `$(DOWNLOAD_SRPMS)` is set to `y` +| PACKAGE_URL_LIST | `https://packages.microsoft.com/cbl-mariner/$(RELEASE_MAJOR_ID)/prod/base/$(build_arch)/rpms` | Space seperated list of URLs to download toolchain RPM packages from, used to populate the toolchain packages if `$(REBUILD_TOOLCHAIN)` is set to `y`. | REPO_LIST | | Space separated list of repo files for tdnf to pull packages form | CA_CERT | | CA cert to access the above resources | TLS_CERT | | TLS cert to access the above resources | TLS_KEY | | TLS key to access the above resources --- -#### Misc Build + +### Misc Build + | Variable | Default | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- | LOG_LEVEL | info | Console log level for go tools (`panic, fatal, error, warn, info, debug, trace`) @@ -526,7 +627,9 @@ To reproduce an ISO build, run the same make invocation as before, but set: | CONCURRENT_PACKAGE_BUILDS | 0 | The maximum number of concurrent package builds that are allowed at once. If set to 0 this defaults to the number of logical CPUs. --- -#### Reproducing a Build + +### Reproducing Builds + | Variable | Default | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- | PACKAGE_CACHE_SUMMARY | | Path to a summary json file that describes what the package RPM cache should contain. 
@@ -534,7 +637,9 @@ To reproduce an ISO build, run the same make invocation as before, but set: | INITRD_CACHE_SUMMARY | | Path to a summary json file that describes what the initrd RPM cache should contain. --- -#### Directory Customization + +### Directory Customization + | Variable | Default | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- | toolkit_root | `$(abspath $(dir $(lastword $(MAKEFILE_LIST))))` | **Calculated automatically and cannot be overwritten.** Location of toolkit (`./toolkit/`). Used to set the default directories @@ -565,7 +670,9 @@ To reproduce an ISO build, run the same make invocation as before, but set: | IMAGES_DIR | `$(OUT_DIR)`/images | Directory to place images in --- -#### Build Details + +### Build Details + | Variable | Default | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- | DIST_TAG | Version dependent, refer to [Makefile](../../Makefile) | Distribution tag to customize packages with diff --git a/toolkit/docs/building/prerequisites.md b/toolkit/docs/building/prerequisites.md index b69842e4981..a4442288999 100644 --- a/toolkit/docs/building/prerequisites.md +++ b/toolkit/docs/building/prerequisites.md @@ -1,8 +1,10 @@ # Build Requirements ---- -### Requirements were validated on `Ubuntu 18.04`. + +## Requirements were validated on `Ubuntu 18.04` + Requirements for building images with a toolkit: + ```bash # Add a backports repo in order to install the latest version of Go. sudo add-apt-repository ppa:longsleep/golang-backports diff --git a/toolkit/docs/formats/imageconfig.md b/toolkit/docs/formats/imageconfig.md index 73ace0cd0a4..325b4f194b6 100644 --- a/toolkit/docs/formats/imageconfig.md +++ b/toolkit/docs/formats/imageconfig.md 
@@ -141,6 +141,23 @@ A sample KernelOptions specifying a default kernel and a specialized kernel for }, ``` +### KernelCommandLine + +KernelCommandLine is an optional key which allows additional parameters to be passed to the kernel when it is launched from Grub. + +ImaPolicy is a list of Integrity Measurement Architecture (IMA) policies to enable, they may be any combination of `tcb`, `appraise_tcb`, `secure_boot`. + +ExtraCommandLine is a string which will be appended to the end of the kernel command line and may contain any additional parameters desired. The `` ` `` character is reserved and may not be used. + +A sample KernelCommandLine enabling a basic IMA mode and passing two additional parameters: + +``` json +"KernelCommandLine": { + "ImaPolicy": ["tcb"], + "ExtraCommandLine": "my_first_param=foo my_second_param=\"bar baz\"" +}, +``` + # Sample image configuration A sample image configuration, producing a VHDX disk image: @@ -200,6 +217,10 @@ A sample image configuration, producing a VHDX disk image: "KernelOptions": { "default": "kernel" }, + "KernelCommandLine": { + "ImaPolicy": ["tcb"], + "ExtraCommandLine": "my_first_param=foo my_second_param=\"bar baz\"" + }, "Hostname": "cbl-mariner" } ] diff --git a/toolkit/docs/how_it_works/3_package_building.md b/toolkit/docs/how_it_works/3_package_building.md index c5e6d012a3e..f123cd2bb12 100644 --- a/toolkit/docs/how_it_works/3_package_building.md +++ b/toolkit/docs/how_it_works/3_package_building.md 
@@ -161,7 +161,7 @@ The `grapher` tool automatically adds an "ALL" goal node to the graph which link ### Stage 2: Graphpkgfetcher The `graphpkgfetcher` tool's job is to resolve unresolved remote nodes. Unresolved nodes occur when a local package has `Requires` or `BuildRequires` which are not available from another local package. -The tool uses the `worker_chroot` (see [Chroot Worker](1_initial_prep.md#chroot_worker)) to locate packages. The worker will search in five locations: 1) the local chroot environment, 2) already build RPMs in `./../out/RPMS/`, 3) the upstream base repository 4) the upstream update repository if `$(USE_UPDATE_REPO)` is set to `y` 5) any remote repo listed in `REPO_LIST ?=`. If `$(DISABLE_UPSTREAM_REPOS)` is set to `y`, any repo that is accessed through the network is disabled. +The tool uses the `worker_chroot` (see [Chroot Worker](1_initial_prep.md#chroot_worker)) to locate packages. The worker will search in six locations: 1) the local chroot environment, 2) already build RPMs in `./../out/RPMS/`, 3) the upstream base repository 4) the upstream update repository if `$(USE_UPDATE_REPO)` is set to `y` 5) the upstream preview repository if `$(USE_PREVIEW_REPO)` is set to `y` 6) any remote repo listed in `REPO_LIST ?=`. If `$(DISABLE_UPSTREAM_REPOS)` is set to `y`, any repo that is accessed through the network is disabled. The worker will run the `tdnf` command to search for each missing package. `tdnf` will prioritize local packages over pulling them from a remote location. diff --git a/toolkit/imageconfigs/full.json b/toolkit/imageconfigs/full.json index 9ea8c3affa9..6d223a026ec 100644 --- a/toolkit/imageconfigs/full.json +++ b/toolkit/imageconfigs/full.json @@ -9,8 +9,7 @@ "packagelists/core-packages-image.json" ], "KernelOptions": { - "default": "kernel", - "hyperv": "kernel-hyperv" + "default": "kernel" } }, { 
@@ -21,8 +20,7 @@ "packagelists/core-packages-image.json" ], "KernelOptions": { - "default": "kernel", - "hyperv": "kernel-hyperv" + "default": "kernel" } }, { @@ -32,8 +30,7 @@ "packagelists/core-packages-image.json" ], "KernelOptions": { - "default": "kernel", - "hyperv": "kernel-hyperv" + "default": "kernel" } } ] diff --git a/toolkit/resources/assets/grub2/grub.cfg b/toolkit/resources/assets/grub2/grub.cfg index 19407c001a4..4a39bf25aae 100644 --- a/toolkit/resources/assets/grub2/grub.cfg +++ b/toolkit/resources/assets/grub2/grub.cfg @@ -11,7 +11,7 @@ fi set rootdevice={{.RootPartition}} menuentry "CBL-Mariner" { - linux /boot/$mariner_linux {{.LuksUUID}} {{.LVM}} rd.auto=1 root=$rootdevice $mariner_cmdline $systemd_cmdline + linux /boot/$mariner_linux {{.LuksUUID}} {{.LVM}} {{.IMAPolicy}} rd.auto=1 root=$rootdevice $mariner_cmdline $systemd_cmdline {{.ExtraCommandLine}} if [ -f /boot/$mariner_initrd ]; then initrd /boot/$mariner_initrd fi diff --git a/toolkit/resources/manifests/package/macros.override b/toolkit/resources/manifests/package/macros.override index 21284ab77e9..6edbf44e541 100644 --- a/toolkit/resources/manifests/package/macros.override +++ b/toolkit/resources/manifests/package/macros.override @@ -18,6 +18,7 @@ %skip_check_python2 1 %skip_check_bash 1 %skip_check_gtk_doc 1 +%skip_check_vim 1 # Chmods /dev/null to 600 breaking many non-root applications. %skip_check_zstd 1 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index f76f3c4b253..1b0f6f2438e 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
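Review bot: `{{.ExtraCommandLine}}` on the new `linux` line is substituted verbatim into a GRUB script, so GRUB's parser consumes the value before the kernel ever sees it: a `$name` token is expanded as a GRUB variable, an unbalanced `"` swallows the rest of the line, and `;`, `#` or a newline end the command — yet the imageconfig documentation in this same diff reserves only the backtick. Unless the image-config validator (not in this diff) rejects those characters, an author can boot with a different command line than the one they wrote, which matters because this line also carries `root=` and the IMA policy. I would add that check at config time, or at least state it in a comment above `menuentry`: `# ExtraCommandLine is inserted unescaped and parsed by GRUB; values containing $ " ; # or newlines are not passed through verbatim.` It is also appended after `root=$rootdevice $mariner_cmdline $systemd_cmdline`, so for parameters where the kernel honours the last occurrence a repeated key in ExtraCommandLine silently overrides the generated value; if that is intended, the docs should say so.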
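Review bot: `%skip_check_vim 1` is added without the one-line justification that the neighbouring `%skip_check_zstd` entry carries, so the next maintainer cannot tell whether vim's `%check` is skipped because its test suite cannot run inside the build chroot or merely because it is slow, nor whether it is safe to re-enable. Since these macros switch off a package's own self-tests, I would record the actual cause directly above the line, in the style of the zstd comment, e.g. `# vim's test suite requires <resource> which is not available in the build chroot.` with the real reason filled in, and note whether the skip is meant to be temporary.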
@@ -61,8 +61,8 @@ findutils-4.6.0-7.cm1.aarch64.rpm findutils-lang-4.6.0-7.cm1.aarch64.rpm gettext-0.21-1.cm1.aarch64.rpm gzip-1.9-4.cm1.aarch64.rpm -make-4.2.1-4.cm1.aarch64.rpm -mariner-release-1.0-9.cm1.noarch.rpm +make-4.2.1-5.cm1.aarch64.rpm +mariner-release-1.0-10.cm1.noarch.rpm patch-2.7.6-7.cm1.aarch64.rpm util-linux-2.32.1-4.cm1.aarch64.rpm util-linux-devel-2.32.1-4.cm1.aarch64.rpm @@ -84,9 +84,9 @@ popt-devel-1.16-7.cm1.aarch64.rpm popt-lang-1.16-7.cm1.aarch64.rpm nspr-4.21-2.cm1.aarch64.rpm nspr-devel-4.21-2.cm1.aarch64.rpm -sqlite-3.32.3-1.cm1.aarch64.rpm -sqlite-devel-3.32.3-1.cm1.aarch64.rpm -sqlite-libs-3.32.3-1.cm1.aarch64.rpm +sqlite-3.32.3-2.cm1.aarch64.rpm +sqlite-devel-3.32.3-2.cm1.aarch64.rpm +sqlite-libs-3.32.3-2.cm1.aarch64.rpm nss-3.44-3.cm1.aarch64.rpm nss-devel-3.44-3.cm1.aarch64.rpm nss-libs-3.44-3.cm1.aarch64.rpm @@ -188,9 +188,9 @@ libsolv-0.7.7-4.cm1.aarch64.rpm libsolv-devel-0.7.7-4.cm1.aarch64.rpm libssh2-1.9.0-1.cm1.aarch64.rpm libssh2-devel-1.9.0-1.cm1.aarch64.rpm -curl-7.68.0-2.cm1.aarch64.rpm -curl-devel-7.68.0-2.cm1.aarch64.rpm -curl-libs-7.68.0-2.cm1.aarch64.rpm +curl-7.68.0-3.cm1.aarch64.rpm +curl-devel-7.68.0-3.cm1.aarch64.rpm +curl-libs-7.68.0-3.cm1.aarch64.rpm tdnf-2.1.0-4.cm1.aarch64.rpm tdnf-cli-libs-2.1.0-4.cm1.aarch64.rpm tdnf-devel-2.1.0-4.cm1.aarch64.rpm @@ -203,8 +203,8 @@ libltdl-2.4.6-6.cm1.aarch64.rpm libltdl-devel-2.4.6-6.cm1.aarch64.rpm pcre-libs-8.42-4.cm1.aarch64.rpm krb5-1.17-3.cm1.aarch64.rpm -lua-5.3.5-9.cm1.aarch64.rpm -lua-libs-5.3.5-9.cm1.aarch64.rpm +lua-5.3.5-11.cm1.aarch64.rpm +lua-libs-5.3.5-11.cm1.aarch64.rpm mariner-rpm-macros-1.0-8.cm1.noarch.rpm mariner-python-macros-1.0-8.cm1.noarch.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm 
@@ -216,17 +216,18 @@ npth-1.6-3.cm1.aarch64.rpm pinentry-1.1.0-3.cm1.aarch64.rpm gnupg2-2.2.20-4.cm1.aarch64.rpm gpgme-1.13.1-5.cm1.aarch64.rpm -mariner-repos-1.0-9.cm1.noarch.rpm -libffi-3.2.1-10.cm1.aarch64.rpm -libffi-devel-3.2.1-10.cm1.aarch64.rpm +mariner-repos-1.0-11.cm1.noarch.rpm +mariner-repos-preview-1.0-11.cm1.noarch.rpm +libffi-3.2.1-12.cm1.aarch64.rpm +libffi-devel-3.2.1-12.cm1.aarch64.rpm libtasn1-4.14-2.cm1.aarch64.rpm p11-kit-0.23.16.1-2.cm1.aarch64.rpm p11-kit-trust-0.23.16.1-2.cm1.aarch64.rpm -ca-certificates-shared-20200720-7.cm1.noarch.rpm -ca-certificates-tools-20200720-7.cm1.noarch.rpm -ca-certificates-base-20200720-7.cm1.noarch.rpm +ca-certificates-shared-20200720-9.cm1.noarch.rpm +ca-certificates-tools-20200720-9.cm1.noarch.rpm +ca-certificates-base-20200720-9.cm1.noarch.rpm dwz-0.13-4.cm1.aarch64.rpm -unzip-6.0-15.cm1.aarch64.rpm +unzip-6.0-16.cm1.aarch64.rpm python2-2.7.18-3.cm1.aarch64.rpm python2-devel-2.7.18-3.cm1.aarch64.rpm python2-libs-2.7.18-3.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 3774d50c73a..d93ac46d059 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -61,8 +61,8 @@ findutils-4.6.0-7.cm1.x86_64.rpm findutils-lang-4.6.0-7.cm1.x86_64.rpm gettext-0.21-1.cm1.x86_64.rpm gzip-1.9-4.cm1.x86_64.rpm -make-4.2.1-4.cm1.x86_64.rpm -mariner-release-1.0-9.cm1.noarch.rpm +make-4.2.1-5.cm1.x86_64.rpm +mariner-release-1.0-10.cm1.noarch.rpm patch-2.7.6-7.cm1.x86_64.rpm util-linux-2.32.1-4.cm1.x86_64.rpm util-linux-devel-2.32.1-4.cm1.x86_64.rpm 
@@ -84,9 +84,9 @@ popt-devel-1.16-7.cm1.x86_64.rpm popt-lang-1.16-7.cm1.x86_64.rpm nspr-4.21-2.cm1.x86_64.rpm nspr-devel-4.21-2.cm1.x86_64.rpm -sqlite-3.32.3-1.cm1.x86_64.rpm -sqlite-devel-3.32.3-1.cm1.x86_64.rpm -sqlite-libs-3.32.3-1.cm1.x86_64.rpm +sqlite-3.32.3-2.cm1.x86_64.rpm +sqlite-devel-3.32.3-2.cm1.x86_64.rpm +sqlite-libs-3.32.3-2.cm1.x86_64.rpm nss-3.44-3.cm1.x86_64.rpm nss-devel-3.44-3.cm1.x86_64.rpm nss-libs-3.44-3.cm1.x86_64.rpm @@ -188,9 +188,9 @@ libsolv-0.7.7-4.cm1.x86_64.rpm libsolv-devel-0.7.7-4.cm1.x86_64.rpm libssh2-1.9.0-1.cm1.x86_64.rpm libssh2-devel-1.9.0-1.cm1.x86_64.rpm -curl-7.68.0-2.cm1.x86_64.rpm -curl-devel-7.68.0-2.cm1.x86_64.rpm -curl-libs-7.68.0-2.cm1.x86_64.rpm +curl-7.68.0-3.cm1.x86_64.rpm +curl-devel-7.68.0-3.cm1.x86_64.rpm +curl-libs-7.68.0-3.cm1.x86_64.rpm tdnf-2.1.0-4.cm1.x86_64.rpm tdnf-cli-libs-2.1.0-4.cm1.x86_64.rpm tdnf-devel-2.1.0-4.cm1.x86_64.rpm @@ -203,8 +203,8 @@ libltdl-2.4.6-6.cm1.x86_64.rpm libltdl-devel-2.4.6-6.cm1.x86_64.rpm pcre-libs-8.42-4.cm1.x86_64.rpm krb5-1.17-3.cm1.x86_64.rpm -lua-5.3.5-9.cm1.x86_64.rpm -lua-libs-5.3.5-9.cm1.x86_64.rpm +lua-5.3.5-11.cm1.x86_64.rpm +lua-libs-5.3.5-11.cm1.x86_64.rpm mariner-rpm-macros-1.0-8.cm1.noarch.rpm mariner-python-macros-1.0-8.cm1.noarch.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm 
@@ -216,17 +216,18 @@ npth-1.6-3.cm1.x86_64.rpm pinentry-1.1.0-3.cm1.x86_64.rpm gnupg2-2.2.20-4.cm1.x86_64.rpm gpgme-1.13.1-5.cm1.x86_64.rpm -mariner-repos-1.0-9.cm1.noarch.rpm -libffi-3.2.1-10.cm1.x86_64.rpm -libffi-devel-3.2.1-10.cm1.x86_64.rpm +mariner-repos-1.0-11.cm1.noarch.rpm +mariner-repos-preview-1.0-11.cm1.noarch.rpm +libffi-3.2.1-12.cm1.x86_64.rpm +libffi-devel-3.2.1-12.cm1.x86_64.rpm libtasn1-4.14-2.cm1.x86_64.rpm p11-kit-0.23.16.1-2.cm1.x86_64.rpm p11-kit-trust-0.23.16.1-2.cm1.x86_64.rpm -ca-certificates-shared-20200720-7.cm1.noarch.rpm -ca-certificates-tools-20200720-7.cm1.noarch.rpm -ca-certificates-base-20200720-7.cm1.noarch.rpm +ca-certificates-shared-20200720-9.cm1.noarch.rpm +ca-certificates-tools-20200720-9.cm1.noarch.rpm +ca-certificates-base-20200720-9.cm1.noarch.rpm dwz-0.13-4.cm1.x86_64.rpm -unzip-6.0-15.cm1.x86_64.rpm +unzip-6.0-16.cm1.x86_64.rpm python2-2.7.18-3.cm1.x86_64.rpm python2-devel-2.7.18-3.cm1.x86_64.rpm python2-libs-2.7.18-3.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index ca9eddac775..56cba8a38c4 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -17,12 +17,12 @@ bzip2-1.0.6-15.cm1.aarch64.rpm bzip2-debuginfo-1.0.6-15.cm1.aarch64.rpm bzip2-devel-1.0.6-15.cm1.aarch64.rpm bzip2-libs-1.0.6-15.cm1.aarch64.rpm -ca-certificates-20200720-7.cm1.noarch.rpm -ca-certificates-base-20200720-7.cm1.noarch.rpm -ca-certificates-legacy-20200720-7.cm1.noarch.rpm -ca-certificates-microsoft-20200720-7.cm1.noarch.rpm -ca-certificates-shared-20200720-7.cm1.noarch.rpm -ca-certificates-tools-20200720-7.cm1.noarch.rpm +ca-certificates-20200720-9.cm1.noarch.rpm +ca-certificates-base-20200720-9.cm1.noarch.rpm +ca-certificates-legacy-20200720-9.cm1.noarch.rpm +ca-certificates-microsoft-20200720-9.cm1.noarch.rpm +ca-certificates-shared-20200720-9.cm1.noarch.rpm +ca-certificates-tools-20200720-9.cm1.noarch.rpm check-0.12.0-5.cm1.aarch64.rpm check-debuginfo-0.12.0-5.cm1.aarch64.rpm cmake-3.17.3-3.cm1.aarch64.rpm @@ -47,10 +47,10 @@ cryptsetup-debuginfo-2.3.3-2.cm1.aarch64.rpm cryptsetup-devel-2.3.3-2.cm1.aarch64.rpm cryptsetup-libs-2.3.3-2.cm1.aarch64.rpm cryptsetup-reencrypt-2.3.3-2.cm1.aarch64.rpm -curl-7.68.0-2.cm1.aarch64.rpm -curl-debuginfo-7.68.0-2.cm1.aarch64.rpm -curl-devel-7.68.0-2.cm1.aarch64.rpm -curl-libs-7.68.0-2.cm1.aarch64.rpm +curl-7.68.0-3.cm1.aarch64.rpm +curl-debuginfo-7.68.0-3.cm1.aarch64.rpm +curl-devel-7.68.0-3.cm1.aarch64.rpm +curl-libs-7.68.0-3.cm1.aarch64.rpm device-mapper-2.03.05-5.cm1.aarch64.rpm device-mapper-devel-2.03.05-5.cm1.aarch64.rpm device-mapper-event-2.03.05-5.cm1.aarch64.rpm @@ -91,9 +91,9 @@ findutils-lang-4.6.0-7.cm1.aarch64.rpm flex-2.6.4-6.cm1.aarch64.rpm flex-debuginfo-2.6.4-6.cm1.aarch64.rpm flex-devel-2.6.4-6.cm1.aarch64.rpm -fontconfig-2.13.1-4.cm1.aarch64.rpm -fontconfig-debuginfo-2.13.1-4.cm1.aarch64.rpm -fontconfig-devel-2.13.1-4.cm1.aarch64.rpm +fontconfig-2.13.91-1.cm1.aarch64.rpm +fontconfig-debuginfo-2.13.91-1.cm1.aarch64.rpm +fontconfig-devel-2.13.91-1.cm1.aarch64.rpm freetype-2.9.1-4.cm1.aarch64.rpm freetype-debuginfo-2.9.1-4.cm1.aarch64.rpm freetype-devel-2.9.1-4.cm1.aarch64.rpm 
@@ -174,9 +174,9 @@ libdb-5.3.28-4.cm1.aarch64.rpm libdb-debuginfo-5.3.28-4.cm1.aarch64.rpm libdb-devel-5.3.28-4.cm1.aarch64.rpm libdb-docs-5.3.28-4.cm1.aarch64.rpm -libffi-3.2.1-10.cm1.aarch64.rpm -libffi-debuginfo-3.2.1-10.cm1.aarch64.rpm -libffi-devel-3.2.1-10.cm1.aarch64.rpm +libffi-3.2.1-12.cm1.aarch64.rpm +libffi-debuginfo-3.2.1-12.cm1.aarch64.rpm +libffi-devel-3.2.1-12.cm1.aarch64.rpm libgcc-9.1.0-8.cm1.aarch64.rpm libgcc-atomic-9.1.0-8.cm1.aarch64.rpm libgcc-devel-9.1.0-8.cm1.aarch64.rpm @@ -233,23 +233,24 @@ libxml2-python-2.9.10-2.cm1.aarch64.rpm libxslt-1.1.34-2.cm1.aarch64.rpm libxslt-debuginfo-1.1.34-2.cm1.aarch64.rpm libxslt-devel-1.1.34-2.cm1.aarch64.rpm -lua-5.3.5-9.cm1.aarch64.rpm -lua-debuginfo-5.3.5-9.cm1.aarch64.rpm -lua-devel-5.3.5-9.cm1.aarch64.rpm -lua-libs-5.3.5-9.cm1.aarch64.rpm -lua-static-5.3.5-9.cm1.aarch64.rpm +lua-5.3.5-11.cm1.aarch64.rpm +lua-debuginfo-5.3.5-11.cm1.aarch64.rpm +lua-devel-5.3.5-11.cm1.aarch64.rpm +lua-libs-5.3.5-11.cm1.aarch64.rpm +lua-static-5.3.5-11.cm1.aarch64.rpm lvm2-2.03.05-5.cm1.aarch64.rpm lvm2-debuginfo-2.03.05-5.cm1.aarch64.rpm lvm2-devel-2.03.05-5.cm1.aarch64.rpm lvm2-libs-2.03.05-5.cm1.aarch64.rpm m4-1.4.18-4.cm1.aarch64.rpm m4-debuginfo-1.4.18-4.cm1.aarch64.rpm -make-4.2.1-4.cm1.aarch64.rpm -make-debuginfo-4.2.1-4.cm1.aarch64.rpm +make-4.2.1-5.cm1.aarch64.rpm +make-debuginfo-4.2.1-5.cm1.aarch64.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm mariner-python-macros-1.0-8.cm1.noarch.rpm -mariner-release-1.0-9.cm1.noarch.rpm -mariner-repos-1.0-9.cm1.noarch.rpm +mariner-release-1.0-10.cm1.noarch.rpm +mariner-repos-1.0-11.cm1.noarch.rpm +mariner-repos-preview-1.0-11.cm1.noarch.rpm mariner-rpm-macros-1.0-8.cm1.noarch.rpm meson-0.49.2-1.cm1.noarch.rpm mpfr-4.0.1-3.cm1.aarch64.rpm 
@@ -557,19 +558,19 @@ sed-debuginfo-4.5-3.cm1.aarch64.rpm sed-lang-4.5-3.cm1.aarch64.rpm shadow-utils-4.6-8.cm1.aarch64.rpm shadow-utils-debuginfo-4.6-8.cm1.aarch64.rpm -sqlite-3.32.3-1.cm1.aarch64.rpm -sqlite-debuginfo-3.32.3-1.cm1.aarch64.rpm -sqlite-devel-3.32.3-1.cm1.aarch64.rpm -sqlite-libs-3.32.3-1.cm1.aarch64.rpm +sqlite-3.32.3-2.cm1.aarch64.rpm +sqlite-debuginfo-3.32.3-2.cm1.aarch64.rpm +sqlite-devel-3.32.3-2.cm1.aarch64.rpm +sqlite-libs-3.32.3-2.cm1.aarch64.rpm swig-3.0.12-4.cm1.aarch64.rpm swig-debuginfo-3.0.12-4.cm1.aarch64.rpm -systemd-239-31.cm1.aarch64.rpm +systemd-239-32.cm1.aarch64.rpm systemd-bootstrap-239-29.cm1.aarch64.rpm systemd-bootstrap-debuginfo-239-29.cm1.aarch64.rpm systemd-bootstrap-devel-239-29.cm1.aarch64.rpm -systemd-debuginfo-239-31.cm1.aarch64.rpm -systemd-devel-239-31.cm1.aarch64.rpm -systemd-lang-239-31.cm1.aarch64.rpm +systemd-debuginfo-239-32.cm1.aarch64.rpm +systemd-devel-239-32.cm1.aarch64.rpm +systemd-lang-239-32.cm1.aarch64.rpm tar-1.32-2.cm1.aarch64.rpm tar-debuginfo-1.32-2.cm1.aarch64.rpm tdnf-2.1.0-4.cm1.aarch64.rpm @@ -580,16 +581,16 @@ tdnf-plugin-repogpgcheck-2.1.0-4.cm1.aarch64.rpm tdnf-python-2.1.0-4.cm1.aarch64.rpm texinfo-6.5-8.cm1.aarch64.rpm texinfo-debuginfo-6.5-8.cm1.aarch64.rpm -unzip-6.0-15.cm1.aarch64.rpm -unzip-debuginfo-6.0-15.cm1.aarch64.rpm +unzip-6.0-16.cm1.aarch64.rpm +unzip-debuginfo-6.0-16.cm1.aarch64.rpm util-linux-2.32.1-4.cm1.aarch64.rpm util-linux-debuginfo-2.32.1-4.cm1.aarch64.rpm util-linux-devel-2.32.1-4.cm1.aarch64.rpm util-linux-lang-2.32.1-4.cm1.aarch64.rpm util-linux-libs-2.32.1-4.cm1.aarch64.rpm veritysetup-2.3.3-2.cm1.aarch64.rpm -wget-1.20.3-1.cm1.aarch64.rpm -wget-debuginfo-1.20.3-1.cm1.aarch64.rpm +wget-1.20.3-2.cm1.aarch64.rpm +wget-debuginfo-1.20.3-2.cm1.aarch64.rpm which-2.21-7.cm1.aarch64.rpm which-debuginfo-2.21-7.cm1.aarch64.rpm xz-5.2.4-4.cm1.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 73b277b1bed..9011b47ae26 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -17,12 +17,12 @@ bzip2-1.0.6-15.cm1.x86_64.rpm bzip2-debuginfo-1.0.6-15.cm1.x86_64.rpm bzip2-devel-1.0.6-15.cm1.x86_64.rpm bzip2-libs-1.0.6-15.cm1.x86_64.rpm -ca-certificates-20200720-7.cm1.noarch.rpm -ca-certificates-base-20200720-7.cm1.noarch.rpm -ca-certificates-legacy-20200720-7.cm1.noarch.rpm -ca-certificates-microsoft-20200720-7.cm1.noarch.rpm -ca-certificates-shared-20200720-7.cm1.noarch.rpm -ca-certificates-tools-20200720-7.cm1.noarch.rpm +ca-certificates-20200720-9.cm1.noarch.rpm +ca-certificates-base-20200720-9.cm1.noarch.rpm +ca-certificates-legacy-20200720-9.cm1.noarch.rpm +ca-certificates-microsoft-20200720-9.cm1.noarch.rpm +ca-certificates-shared-20200720-9.cm1.noarch.rpm +ca-certificates-tools-20200720-9.cm1.noarch.rpm check-0.12.0-5.cm1.x86_64.rpm check-debuginfo-0.12.0-5.cm1.x86_64.rpm cmake-3.17.3-3.cm1.x86_64.rpm @@ -47,10 +47,10 @@ cryptsetup-debuginfo-2.3.3-2.cm1.x86_64.rpm cryptsetup-devel-2.3.3-2.cm1.x86_64.rpm cryptsetup-libs-2.3.3-2.cm1.x86_64.rpm cryptsetup-reencrypt-2.3.3-2.cm1.x86_64.rpm -curl-7.68.0-2.cm1.x86_64.rpm -curl-debuginfo-7.68.0-2.cm1.x86_64.rpm -curl-devel-7.68.0-2.cm1.x86_64.rpm -curl-libs-7.68.0-2.cm1.x86_64.rpm +curl-7.68.0-3.cm1.x86_64.rpm +curl-debuginfo-7.68.0-3.cm1.x86_64.rpm +curl-devel-7.68.0-3.cm1.x86_64.rpm +curl-libs-7.68.0-3.cm1.x86_64.rpm device-mapper-2.03.05-5.cm1.x86_64.rpm device-mapper-devel-2.03.05-5.cm1.x86_64.rpm device-mapper-event-2.03.05-5.cm1.x86_64.rpm 
@@ -91,9 +91,9 @@ findutils-lang-4.6.0-7.cm1.x86_64.rpm flex-2.6.4-6.cm1.x86_64.rpm flex-debuginfo-2.6.4-6.cm1.x86_64.rpm flex-devel-2.6.4-6.cm1.x86_64.rpm -fontconfig-2.13.1-4.cm1.x86_64.rpm -fontconfig-debuginfo-2.13.1-4.cm1.x86_64.rpm -fontconfig-devel-2.13.1-4.cm1.x86_64.rpm +fontconfig-2.13.91-1.cm1.x86_64.rpm +fontconfig-debuginfo-2.13.91-1.cm1.x86_64.rpm +fontconfig-devel-2.13.91-1.cm1.x86_64.rpm freetype-2.9.1-4.cm1.x86_64.rpm freetype-debuginfo-2.9.1-4.cm1.x86_64.rpm freetype-devel-2.9.1-4.cm1.x86_64.rpm @@ -174,9 +174,9 @@ libdb-5.3.28-4.cm1.x86_64.rpm libdb-debuginfo-5.3.28-4.cm1.x86_64.rpm libdb-devel-5.3.28-4.cm1.x86_64.rpm libdb-docs-5.3.28-4.cm1.x86_64.rpm -libffi-3.2.1-10.cm1.x86_64.rpm -libffi-debuginfo-3.2.1-10.cm1.x86_64.rpm -libffi-devel-3.2.1-10.cm1.x86_64.rpm +libffi-3.2.1-12.cm1.x86_64.rpm +libffi-debuginfo-3.2.1-12.cm1.x86_64.rpm +libffi-devel-3.2.1-12.cm1.x86_64.rpm libgcc-9.1.0-8.cm1.x86_64.rpm libgcc-atomic-9.1.0-8.cm1.x86_64.rpm libgcc-devel-9.1.0-8.cm1.x86_64.rpm 
@@ -233,23 +233,24 @@ libxml2-python-2.9.10-2.cm1.x86_64.rpm libxslt-1.1.34-2.cm1.x86_64.rpm libxslt-debuginfo-1.1.34-2.cm1.x86_64.rpm libxslt-devel-1.1.34-2.cm1.x86_64.rpm -lua-5.3.5-9.cm1.x86_64.rpm -lua-debuginfo-5.3.5-9.cm1.x86_64.rpm -lua-devel-5.3.5-9.cm1.x86_64.rpm -lua-libs-5.3.5-9.cm1.x86_64.rpm -lua-static-5.3.5-9.cm1.x86_64.rpm +lua-5.3.5-11.cm1.x86_64.rpm +lua-debuginfo-5.3.5-11.cm1.x86_64.rpm +lua-devel-5.3.5-11.cm1.x86_64.rpm +lua-libs-5.3.5-11.cm1.x86_64.rpm +lua-static-5.3.5-11.cm1.x86_64.rpm lvm2-2.03.05-5.cm1.x86_64.rpm lvm2-debuginfo-2.03.05-5.cm1.x86_64.rpm lvm2-devel-2.03.05-5.cm1.x86_64.rpm lvm2-libs-2.03.05-5.cm1.x86_64.rpm m4-1.4.18-4.cm1.x86_64.rpm m4-debuginfo-1.4.18-4.cm1.x86_64.rpm -make-4.2.1-4.cm1.x86_64.rpm -make-debuginfo-4.2.1-4.cm1.x86_64.rpm +make-4.2.1-5.cm1.x86_64.rpm +make-debuginfo-4.2.1-5.cm1.x86_64.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm mariner-python-macros-1.0-8.cm1.noarch.rpm -mariner-release-1.0-9.cm1.noarch.rpm -mariner-repos-1.0-9.cm1.noarch.rpm +mariner-release-1.0-10.cm1.noarch.rpm +mariner-repos-1.0-11.cm1.noarch.rpm +mariner-repos-preview-1.0-11.cm1.noarch.rpm mariner-rpm-macros-1.0-8.cm1.noarch.rpm meson-0.49.2-1.cm1.noarch.rpm mpfr-4.0.1-3.cm1.x86_64.rpm 
@@ -557,19 +558,19 @@ sed-debuginfo-4.5-3.cm1.x86_64.rpm sed-lang-4.5-3.cm1.x86_64.rpm shadow-utils-4.6-8.cm1.x86_64.rpm shadow-utils-debuginfo-4.6-8.cm1.x86_64.rpm -sqlite-3.32.3-1.cm1.x86_64.rpm -sqlite-debuginfo-3.32.3-1.cm1.x86_64.rpm -sqlite-devel-3.32.3-1.cm1.x86_64.rpm -sqlite-libs-3.32.3-1.cm1.x86_64.rpm +sqlite-3.32.3-2.cm1.x86_64.rpm +sqlite-debuginfo-3.32.3-2.cm1.x86_64.rpm +sqlite-devel-3.32.3-2.cm1.x86_64.rpm +sqlite-libs-3.32.3-2.cm1.x86_64.rpm swig-3.0.12-4.cm1.x86_64.rpm swig-debuginfo-3.0.12-4.cm1.x86_64.rpm -systemd-239-31.cm1.x86_64.rpm +systemd-239-32.cm1.x86_64.rpm systemd-bootstrap-239-29.cm1.x86_64.rpm systemd-bootstrap-debuginfo-239-29.cm1.x86_64.rpm systemd-bootstrap-devel-239-29.cm1.x86_64.rpm -systemd-debuginfo-239-31.cm1.x86_64.rpm -systemd-devel-239-31.cm1.x86_64.rpm -systemd-lang-239-31.cm1.x86_64.rpm +systemd-debuginfo-239-32.cm1.x86_64.rpm +systemd-devel-239-32.cm1.x86_64.rpm +systemd-lang-239-32.cm1.x86_64.rpm tar-1.32-2.cm1.x86_64.rpm tar-debuginfo-1.32-2.cm1.x86_64.rpm tdnf-2.1.0-4.cm1.x86_64.rpm @@ -580,16 +581,16 @@ tdnf-plugin-repogpgcheck-2.1.0-4.cm1.x86_64.rpm tdnf-python-2.1.0-4.cm1.x86_64.rpm texinfo-6.5-8.cm1.x86_64.rpm texinfo-debuginfo-6.5-8.cm1.x86_64.rpm -unzip-6.0-15.cm1.x86_64.rpm -unzip-debuginfo-6.0-15.cm1.x86_64.rpm +unzip-6.0-16.cm1.x86_64.rpm +unzip-debuginfo-6.0-16.cm1.x86_64.rpm util-linux-2.32.1-4.cm1.x86_64.rpm util-linux-debuginfo-2.32.1-4.cm1.x86_64.rpm util-linux-devel-2.32.1-4.cm1.x86_64.rpm util-linux-lang-2.32.1-4.cm1.x86_64.rpm util-linux-libs-2.32.1-4.cm1.x86_64.rpm veritysetup-2.3.3-2.cm1.x86_64.rpm -wget-1.20.3-1.cm1.x86_64.rpm -wget-debuginfo-1.20.3-1.cm1.x86_64.rpm +wget-1.20.3-2.cm1.x86_64.rpm +wget-debuginfo-1.20.3-2.cm1.x86_64.rpm which-2.21-7.cm1.x86_64.rpm which-debuginfo-2.21-7.cm1.x86_64.rpm xz-5.2.4-4.cm1.x86_64.rpm diff --git a/toolkit/scripts/imggen.mk b/toolkit/scripts/imggen.mk index fdc9475a165..5fbd8f75b7b 100644 --- a/toolkit/scripts/imggen.mk +++ b/toolkit/scripts/imggen.mk 
@@ -68,17 +68,19 @@ $(STATUS_FLAGS_DIR)/validate-image-config%.flag: $(go-imageconfigvalidator) $(de touch $@ +imagepkgfetcher_extra_flags := ifeq ($(DISABLE_UPSTREAM_REPOS),y) -imagepkgfetcher_disable_upstream_repos_flag := --disable-upstream-repos -else -imagepkgfetcher_disable_upstream_repos_flag := +imagepkgfetcher_extra_flags += --disable-upstream-repos endif ifeq ($(USE_UPDATE_REPO),y) -imagepkgfetcher_update_repo_flag := --use-update-repo -else -imagepkgfetcher_update_repo_flag := +imagepkgfetcher_extra_flags += --use-update-repo endif + +ifeq ($(USE_PREVIEW_REPO),y) +imagepkgfetcher_extra_flags += --use-preview-repo +endif + $(image_package_cache_summary): $(go-imagepkgfetcher) $(chroot_worker) $(imggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config) $(packagelist_files) $(RPMS_DIR) $(imggen_rpms) $(if $(CONFIG_FILE),,$(error Must set CONFIG_FILE=)) $(go-imagepkgfetcher) \ @@ -92,8 +94,7 @@ $(image_package_cache_summary): $(go-imagepkgfetcher) $(chroot_worker) $(imggen_ --tls-cert=$(TLS_CERT) \ --tls-key=$(TLS_KEY) \ $(foreach repo, $(imagefetcher_local_repo) $(imagefetcher_cloned_repo) $(REPO_LIST),--repo-file="$(repo)" ) \ - $(imagepkgfetcher_update_repo_flag) \ - $(imagepkgfetcher_disable_upstream_repos_flag) \ + $(imagepkgfetcher_extra_flags) \ --input-summary-file=$(IMAGE_CACHE_SUMMARY) \ --output-summary-file=$@ \ --output-dir=$(local_and_external_rpm_cache) diff --git a/toolkit/scripts/pkggen.mk b/toolkit/scripts/pkggen.mk index 7716fef05a8..2cf6d33c74a 100644 --- a/toolkit/scripts/pkggen.mk +++ b/toolkit/scripts/pkggen.mk 
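Review bot: Folding the options into `imagepkgfetcher_extra_flags` means `--disable-upstream-repos`, `--use-update-repo` and `--use-preview-repo` can all be passed in the same invocation when `DISABLE_UPSTREAM_REPOS=y` is combined with the new `USE_PREVIEW_REPO=y`; the docs in this diff promise that disabling upstream repos wins, but the makefile does not enforce it and I cannot see from here how `imagepkgfetcher` resolves the conflict. Because the preview repo serves pre-release packages, a build that believes it is local-only but still reaches it is a quiet supply-chain surprise, so I would make the precedence explicit here rather than rely on the tool (the identical block added to pkggen.mk has the same gap). Nesting the two `use-*` cases under the disable check keeps the flag set unambiguous:
```makefile
imagepkgfetcher_extra_flags :=
ifeq ($(DISABLE_UPSTREAM_REPOS),y)
imagepkgfetcher_extra_flags += --disable-upstream-repos
else
ifeq ($(USE_UPDATE_REPO),y)
imagepkgfetcher_extra_flags += --use-update-repo
endif
ifeq ($(USE_PREVIEW_REPO),y)
imagepkgfetcher_extra_flags += --use-preview-repo
endif
endif
# … unchanged: $(image_package_cache_summary) rule …
```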
@@ -80,18 +80,6 @@ $(graph_file): $(specs_file) $(go-grapher) $(logging_command) \ --output $@ -ifeq ($(DISABLE_UPSTREAM_REPOS),y) -graphpkgfetcher_disable_upstream_repos_flag := --disable-upstream-repos -else -graphpkgfetcher_disable_upstream_repos_flag := -endif - -ifeq ($(USE_UPDATE_REPO),y) -graphpkgfetcher_update_repo_flag := --use-update-repo -else -graphpkgfetcher_update_repo_flag := -endif - # We want to detect changes in the RPM cache, but we are not responsible for directly rebuilding any missing files. $(CACHED_RPMS_DIR)/%: ; @@ -104,6 +92,20 @@ ifneq ($(CONFIG_FILE),) $(cached_file): $(validate-pkggen-config) endif +graphpkgfetcher_extra_flags := + +ifeq ($(DISABLE_UPSTREAM_REPOS),y) +graphpkgfetcher_extra_flags += --disable-upstream-repos +endif + +ifeq ($(USE_UPDATE_REPO),y) +graphpkgfetcher_extra_flags += --use-update-repo +endif + +ifeq ($(USE_PREVIEW_REPO),y) +graphpkgfetcher_extra_flags += --use-preview-repo +endif + $(cached_file): $(graph_file) $(go-graphpkgfetcher) $(chroot_worker) $(pkggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(shell find $(CACHED_RPMS_DIR)/) $(pkggen_rpms) mkdir -p $(CACHED_RPMS_DIR)/cache && \ $(go-graphpkgfetcher) \ @@ -115,8 +117,7 @@ $(cached_file): $(graph_file) $(go-graphpkgfetcher) $(chroot_worker) $(pkggen_lo --tls-cert=$(TLS_CERT) \ --tls-key=$(TLS_KEY) \ $(foreach repo, $(pkggen_local_repo) $(graphpkgfetcher_cloned_repo) $(REPO_LIST),--repo-file=$(repo) ) \ - $(graphpkgfetcher_update_repo_flag) \ - $(graphpkgfetcher_disable_upstream_repos_flag) \ + $(graphpkgfetcher_extra_flags) \ $(logging_command) \ --input-summary-file=$(PACKAGE_CACHE_SUMMARY) \ --output-summary-file=$(PKGBUILD_DIR)/graph_external_deps.json \ diff --git a/toolkit/scripts/srpm_pack.mk b/toolkit/scripts/srpm_pack.mk index 39fe95acef3..4dac3f37ce8 100644 --- a/toolkit/scripts/srpm_pack.mk +++ b/toolkit/scripts/srpm_pack.mk 
@@ -41,13 +41,11 @@ $(BUILD_SRPMS_DIR): $(STATUS_FLAGS_DIR)/build_srpms.flag @echo Finished updating $@ ifeq ($(DOWNLOAD_SRPMS),y) -srpm_download_urls := $(SRPM_URL) $(SRPM_UPDATE_URL) - $(STATUS_FLAGS_DIR)/build_srpms.flag: $(local_specs) $(local_spec_dirs) $(SPECS_DIR) for spec in $(local_specs); do \ spec_file=$${spec} && \ srpm_file=$$(rpmspec -q $${spec_file} --srpm --define='with_check 1' --define='dist $(DIST_TAG)' --queryformat %{NAME}-%{VERSION}-%{RELEASE}.src.rpm) && \ - for url in $(srpm_download_urls); do \ + for url in $(SRPM_URL_LIST); do \ wget $${url}/$${srpm_file} \ -O $(BUILD_SRPMS_DIR)/$${srpm_file} \ --no-verbose \ diff --git a/toolkit/scripts/toolchain.mk b/toolkit/scripts/toolchain.mk index bfde21df227..1cd245c4872 100644 --- a/toolkit/scripts/toolchain.mk +++ b/toolkit/scripts/toolchain.mk @@ -196,15 +196,10 @@ $(toolchain_rpms): $(toolchain_manifest) $(toolchain_local_temp) touch $@ else # Download from online package server -ifeq ($(USE_UPDATE_REPO),y) -toolchain_package_urls := $(PACKAGE_URL) $(PACKAGE_UPDATE_URL) -else -toolchain_package_urls := $(PACKAGE_URL) -endif $(toolchain_rpms): mkdir -p $(dir $@) && \ cd $(dir $@) && \ - for url in $(toolchain_package_urls); do \ + for url in $(PACKAGE_URL_LIST); do \ wget $${url}/$(notdir $@) \ --no-verbose \ $(if $(TLS_CERT),--certificate=$(TLS_CERT)) \ diff --git a/toolkit/scripts/toolchain/container/toolchain-remote-wget-list b/toolkit/scripts/toolchain/container/toolchain-remote-wget-list index 36593580ff6..13b9cf8bafd 100644 --- a/toolkit/scripts/toolchain/container/toolchain-remote-wget-list +++ b/toolkit/scripts/toolchain/container/toolchain-remote-wget-list 
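Review bot: In the toolchain.mk hunk the update URL was previously appended only when USE_UPDATE_REPO=y, whereas the new loop iterates $(PACKAGE_URL_LIST) unconditionally, so that gate now lives wherever PACKAGE_URL_LIST is assembled, which is not in this diff; the same applies to $(SRPM_URL_LIST) in the srpm_pack.mk hunk. If those lists are not themselves gated, toolchain RPMs and SRPMs could be fetched from the update server in builds that did not ask for it, which matters because these downloads feed the toolchain directly. A comment above each loop such as `# PACKAGE_URL_LIST is the ordered list of servers to try; it replaces the USE_UPDATE_REPO gate that used to live here` would keep that dependency visible to the next reader. Both loop bodies continue past their hunks, so whether a loop stops after the first successful wget is not visible here.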
@@ -10,7 +10,7 @@ https://github.com/westes/flex/releases/download/v2.6.4/flex-2.6.4.tar.gz http://ftp.gnu.org/gnu/gdbm/gdbm-1.18.1.tar.gz http://ftp.gnu.org/gnu/gmp/gmp-6.1.2.tar.xz http://ftp.gnu.org/gnu/gperf/gperf-3.1.tar.gz -ftp://sourceware.org/pub/libffi/libffi-3.2.1.tar.gz +https://gcc.gnu.org/pub/libffi/libffi-3.2.1.tar.gz http://ftp.gnu.org/gnu/libtool/libtool-2.4.6.tar.xz http://ftp.gnu.org/gnu/m4/m4-1.4.18.tar.xz http://ftp.gnu.org/gnu/make/make-4.2.1.tar.gz diff --git a/toolkit/scripts/toolchain/create_toolchain_in_container.sh b/toolkit/scripts/toolchain/create_toolchain_in_container.sh index aec2ef8aa2c..51d098710cb 100755 --- a/toolkit/scripts/toolchain/create_toolchain_in_container.sh +++ b/toolkit/scripts/toolchain/create_toolchain_in_container.sh @@ -65,5 +65,6 @@ rm -vf ./container/texinfo-perl-fix.patch rm -vf ./container/Awt_build_headless_only.patch rm -vf ./container/check-system-ca-certs.patch rm -vf ./container/.bashrc +rm -vf ./container/toolchain-local-wget-list -echo Raw toolchain build complete \ No newline at end of file +echo Raw toolchain build complete diff --git a/toolkit/scripts/toolkit.mk b/toolkit/scripts/toolkit.mk index 10dde28398f..ce7aafd11dd 100644 --- a/toolkit/scripts/toolkit.mk +++ b/toolkit/scripts/toolkit.mk @@ -13,10 +13,12 @@ toolkit_component_extra_files = \ $(toolkit_root)/.gitignore # Outputs -toolkit_archive = $(OUT_DIR)/toolkit-$(RELEASE_VERSION).tar.gz +toolkit_version = $(RELEASE_VERSION)-$(build_arch) +toolkit_archive = $(OUT_DIR)/toolkit-$(toolkit_version).tar.gz toolkit_remove_archive = $(OUT_DIR)/toolkit-*.tar.gz toolkit_build_dir = $(BUILD_DIR)/toolkit toolkit_tools_dir = $(toolkit_build_dir)/tools/toolkit_bins +toolkit_release_file = $(toolkit_build_dir)/version.txt .PHONY: package-toolkit clean-package-toolkit 
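Review bot: The libffi entry moves from ftp:// to https://, but the neighbouring entries in this hunk (gdbm, gmp, gperf, libtool, m4, make) are still fetched over plain http://ftp.gnu.org, so those toolchain sources are only as trustworthy as whatever checksum verification happens after download, which this diff does not show. ftp.gnu.org serves the same tree over HTTPS, so the remaining lines can be switched the same way, e.g. `https://ftp.gnu.org/gnu/make/make-4.2.1.tar.gz`. If a checksum or signature check does exist downstream, a comment at the top of the list saying so would make the http entries an informed choice rather than an oversight.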
@@ -32,5 +34,6 @@ package-toolkit: go-tools cp -r $(toolkit_root)/* $(toolkit_build_dir) && \ cp $(toolkit_component_extra_files) $(toolkit_build_dir) && \ cp $(go_tool_targets) $(toolkit_tools_dir) && \ + echo "$(toolkit_version)" > $(toolkit_release_file) && \ rm -rf $(toolkit_build_dir)/out && \ tar -I $(ARCHIVE_TOOL) -cvp -f $(toolkit_archive) -C $(toolkit_build_dir)/.. $(notdir $(toolkit_build_dir)) diff --git a/toolkit/tools/graphpkgfetcher/graphpkgfetcher.go b/toolkit/tools/graphpkgfetcher/graphpkgfetcher.go index b4fc383875a..f3568b0d8b1 100644 --- a/toolkit/tools/graphpkgfetcher/graphpkgfetcher.go +++ b/toolkit/tools/graphpkgfetcher/graphpkgfetcher.go @@ -32,6 +32,7 @@ var ( workertar = app.Flag("tdnf-worker", "Full path to worker_chroot.tar.gz").Required().ExistingFile() repoFiles = app.Flag("repo-file", "Full path to a repo file").Required().ExistingFiles() useUpdateRepo = app.Flag("use-update-repo", "Pull packages from the upstream update repo").Bool() + usePreviewRepo = app.Flag("use-preview-repo", "Pull packages from the upstream preview repo").Bool() disableUpstreamRepos = app.Flag("disable-upstream-repos", "Disables pulling packages from upstream repos").Bool() tlsClientCert = app.Flag("tls-cert", "TLS client certificate to use when downloading files.").String() @@ -86,7 +87,7 @@ func hasUnresolvedNodes(graph *pkggraph.PkgGraph) bool { func resolveGraphNodes(dependencyGraph *pkggraph.PkgGraph, inputSummaryFile, outputSummaryFile string, disableUpstreamRepos bool) (err error) { // Create the worker environment cloner := rpmrepocloner.New() - err = cloner.Initialize(*outDir, *tmpDir, *workertar, *existingRpmDir, *useUpdateRepo, *repoFiles) + err = cloner.Initialize(*outDir, *tmpDir, *workertar, *existingRpmDir, *useUpdateRepo, *usePreviewRepo, *repoFiles) if err != nil { logger.Log.Errorf("Failed to initialize RPM repo cloner. Error: %s", err) return 
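Review bot: resolveGraphNodes receives disableUpstreamRepos as a parameter but, in the changed Initialize call, reads *useUpdateRepo and *usePreviewRepo straight from the package-level flag variables, so the function's inputs are split between its signature and globals. Passing the two repo selectors the same way as disableUpstreamRepos, `func resolveGraphNodes(dependencyGraph *pkggraph.PkgGraph, inputSummaryFile, outputSummaryFile string, useUpdateRepo, usePreviewRepo, disableUpstreamRepos bool) (err error)`, makes the dependency explicit and the function testable without touching globals. The body of resolveGraphNodes continues outside the hunk.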
diff --git a/toolkit/tools/imagegen/configuration/imapolicy.go b/toolkit/tools/imagegen/configuration/imapolicy.go
new file mode 100644
index 00000000000..da4d072700d
--- /dev/null
+++ b/toolkit/tools/imagegen/configuration/imapolicy.go
@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Parser for the image builder's configuration schemas.
+
+package configuration
+
+import (
+ "encoding/json"
+ "fmt"
+)
+
+// ImaPolicy sets the ima_policy kernel command line option
+type ImaPolicy string
+
+const (
+ // ImaPolicyTcb selects the tcb IMA policy
+ ImaPolicyTcb ImaPolicy = "tcb"
+ // ImaPolicyAppraiseTcb selects the appraise_tcb IMA policy
+ ImaPolicyAppraiseTcb ImaPolicy = "appraise_tcb"
+ // ImaPolicySecureBoot selects the secure_boot IMA policy
+ ImaPolicySecureBoot ImaPolicy = "secure_boot"
+ // ImaPolicyNone selects no IMA policy
+ ImaPolicyNone ImaPolicy = ""
+)
+
+func (i ImaPolicy) String() string {
+ return fmt.Sprint(string(i))
+}
+
+// GetValidImaPolicies returns a list of all the supported
+// disk partition types
+func (i *ImaPolicy) GetValidImaPolicies() (types []ImaPolicy) {
+ return []ImaPolicy{
+ ImaPolicyTcb,
+ ImaPolicyAppraiseTcb,
+ ImaPolicySecureBoot,
+ ImaPolicyNone,
+ }
+}
+
+// IsValid returns an error if the ImaPolicy is not valid
+func (i *ImaPolicy) IsValid() (err error) {
+ for _, valid := range i.GetValidImaPolicies() {
+ if *i == valid {
+ return
+ }
+ }
+ return fmt.Errorf("invalid value for ImaPolicy (%s)", i)
+}
+
+// UnmarshalJSON Unmarshals an ImaPolicy entry
+func (i *ImaPolicy) UnmarshalJSON(b []byte) (err error) {
+ // Use an intermediate type which will use the default JSON unmarshal implementation
+ type IntermediateTypeImaPolicy ImaPolicy
+ err = json.Unmarshal(b, (*IntermediateTypeImaPolicy)(i))
+ if err != nil {
+ return fmt.Errorf("failed to parse [ImaPolicy]: %w", err)
+ }
+
+ // Now validate the resulting unmarshaled object
+ err = i.IsValid()
+ if err != nil {
+ return fmt.Errorf("failed to parse [ImaPolicy]: %w", err)
+ }
+ return
+}
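Review bot: The doc comment on GetValidImaPolicies says it returns "supported disk partition types", which looks copied from another type; it should read `// GetValidImaPolicies returns a list of all the supported IMA policies`. String() wraps the conversion in fmt.Sprint for no effect; `return string(i)` is equivalent. String has a value receiver while the other methods use pointer receivers, so the method set differs between ImaPolicy and *ImaPolicy; choosing one consistently (value receivers suit a string-backed type whose methods never mutate it) avoids surprises when the type is used through interfaces.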
diff --git a/toolkit/tools/imagegen/configuration/imapolicy_test.go b/toolkit/tools/imagegen/configuration/imapolicy_test.go
new file mode 100644
index 00000000000..2e569b61b1d
--- /dev/null
+++ b/toolkit/tools/imagegen/configuration/imapolicy_test.go
@@ -0,0 +1,78 @@ +// Copyright Microsoft Corporation. +// Licensed under the MIT License. + +package configuration + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +// TestMain found in configuration_test.go. + +var ( + validImaPolicies = []ImaPolicy{ + ImaPolicy("tcb"), + ImaPolicy("appraise_tcb"), + ImaPolicy("secure_boot"), + ImaPolicy(""), + } + invalidImaPolicy = ImaPolicy("not_a_policy") + validImaJSON = `"tcb"` + invalidImaJSON = `1234` +) + +func TestShouldSucceedValidImaPoliciesMatch_ImaPolicy(t *testing.T) { + var ima ImaPolicy + assert.Equal(t, len(validImaPolicies), len(ima.GetValidImaPolicies())) + + for _, imaPolicy := range validImaPolicies { + found := false + for _, validImaPolicy := range ima.GetValidImaPolicies() { + if imaPolicy == validImaPolicy { + found = true + } + } + assert.True(t, found) + } +} + +func TestShouldSucceedParsingValidPolicies_ImaPolicy(t *testing.T) { + for _, validPolicy := range validImaPolicies { + var checkedPolicy ImaPolicy + + assert.NoError(t, validPolicy.IsValid()) + err := remarshalJSON(validPolicy, &checkedPolicy) + assert.NoError(t, err) + assert.Equal(t, validPolicy, checkedPolicy) + } +} + +func TestShouldFailParsingInvalidPolicy_ImaPolicy(t *testing.T) { + var checkedPolicy ImaPolicy + + err := invalidImaPolicy.IsValid() + assert.Error(t, err) + assert.Equal(t, "invalid value for ImaPolicy (not_a_policy)", err.Error()) + + err = remarshalJSON(invalidImaPolicy, &checkedPolicy) + assert.Error(t, err) + assert.Equal(t, "failed to parse [ImaPolicy]: invalid value for ImaPolicy (not_a_policy)", err.Error()) +} + +func TestShouldSucceedParsingValidJSON_ImaPolicy(t *testing.T) { + var checkedPolicy ImaPolicy + + err := marshalJSONString(validImaJSON, &checkedPolicy) + assert.NoError(t, err) + assert.Equal(t, validImaPolicies[0], checkedPolicy) +} + +func TestShouldFailParsingInvalidJSON_ImaPolicy(t *testing.T) { + var checkedPolicy ImaPolicy + + err := marshalJSONString(invalidImaJSON, 
&checkedPolicy) + assert.Error(t, err) + assert.Equal(t, "failed to parse [ImaPolicy]: json: cannot unmarshal number into Go value of type configuration.IntermediateTypeImaPolicy", err.Error()) +} diff --git a/toolkit/tools/imagegen/configuration/kernelcommandline.go b/toolkit/tools/imagegen/configuration/kernelcommandline.go new file mode 100644 index 00000000000..e3462542931 --- /dev/null +++ b/toolkit/tools/imagegen/configuration/kernelcommandline.go 
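Review bot: TestShouldFailParsingInvalidJSON_ImaPolicy asserts the full text of encoding/json's error, including the helper type name `configuration.IntermediateTypeImaPolicy`, so the test breaks on any Go release that rewords that message or on a rename of the intermediate type. Asserting only the part this package controls, e.g. `assert.Contains(t, err.Error(), "failed to parse [ImaPolicy]: json: cannot unmarshal number")`, keeps the test tied to the behaviour under review rather than to the standard library's wording.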
@@ -0,0 +1,61 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Parser for the image builder's configuration schemas.
+
+package configuration
+
+import (
+ "encoding/json"
+ "fmt"
+ "strings"
+)
+
+// KernelCommandLine holds extra command line parameters which can be
+// added to the grub config file.
+// - ImaPolicy: A list of IMA policies which will be used together
+// - ExtraCommandLine: Arbitrary parameters which will be appended to the
+// end of the kernel command line
+type KernelCommandLine struct {
+ ImaPolicy []ImaPolicy `json:"ImaPolicy"`
+ ExtraCommandLine string `json:"ExtraCommandLine"`
+}
+
+// GetSedDelimeter returns the delimeter which should be used with sed
+// to find/replace the command line strings.
+func (k *KernelCommandLine) GetSedDelimeter() (delimeter string) {
+ return "`"
+}
+
+// IsValid returns an error if the KernelCommandLine is not valid
+func (k *KernelCommandLine) IsValid() (err error) {
+ for _, ima := range k.ImaPolicy {
+ if err = ima.IsValid(); err != nil {
+ return
+ }
+ }
+
+ // A character needs to be set aside for use as the sed delimiter, make sure it isn't included in the provided string
+ if strings.Contains(k.ExtraCommandLine, k.GetSedDelimeter()) {
+ return fmt.Errorf("ExtraCommandLine contains character %s which is reserved for use by sed", k.GetSedDelimeter())
+ }
+
+ return
+}
+
+// UnmarshalJSON Unmarshals a KernelCommandLine entry
+func (k *KernelCommandLine) UnmarshalJSON(b []byte) (err error) {
+ // Use an intermediate type which will use the default JSON unmarshal implementation
+ type IntermediateTypeKernelCommandLine KernelCommandLine
+ err = json.Unmarshal(b, (*IntermediateTypeKernelCommandLine)(k))
+ if err != nil {
+ return fmt.Errorf("failed to parse [KernelCommandLine]: %w", err)
+ }
+
+ // Now validate the resulting unmarshaled object
+ err = k.IsValid()
+ if err != nil {
+ return fmt.Errorf("failed to parse [KernelCommandLine]: %w", err)
+ }
+ return
+}
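Review bot: IsValid rejects only the backtick delimiter in ExtraCommandLine, but the value is later passed to sed as a replacement string (setGrubCfgAdditionalCmdLine in installutils.go), and assuming sed() builds an s-expression from its arguments — its body is not in this diff — `&` and `\` are interpreted there and a newline would end the expression, so a config value containing them would be rewritten rather than copied verbatim into grub.cfg. Since this string comes from the image configuration file and lands on the kernel command line, validation here should cover those characters too, e.g. `if strings.ContainsAny(k.ExtraCommandLine, k.GetSedDelimeter()+"&\\\n") {`, with the error message listing the reserved set; alternatively the sed helper should escape its replacement argument and that contract should be stated in this comment. The accessor is spelled GetSedDelimeter; as it is introduced here and already called from several installutils functions, renaming it to GetSedDelimiter now is cheaper than later.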
diff --git a/toolkit/tools/imagegen/configuration/kernelcommandline_test.go b/toolkit/tools/imagegen/configuration/kernelcommandline_test.go
new file mode 100644
index 00000000000..e6d85dc5964
--- /dev/null
+++ b/toolkit/tools/imagegen/configuration/kernelcommandline_test.go
@@ -0,0 +1,112 @@ +// Copyright Microsoft Corporation. +// Licensed under the MIT License. + +package configuration + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +//TestMain found in configuration_test.go. + +var ( + validCommandLine KernelCommandLine = KernelCommandLine{ + ImaPolicy: []ImaPolicy{ + ImaPolicyTcb, + }, + ExtraCommandLine: "param1=value param2=\"value2 value3\"", + } + invalidExtraCommandLine = "invalid=`delim`" + validExtraComandLineJSON = `{"ImaPolicy": ["tcb"], "ExtraCommandLine": "param1=value param2=\"value2 value3\""}` + invalidExtraComandLineJSON1 = `{"ImaPolicy": [ "not-an-ima-policy" ]}` + invalidExtraComandLineJSON2 = `{"ExtraCommandLine": "` + invalidExtraCommandLine + `"}` +) + +func TestShouldSucceedParsingDefaultCommandLine_KernelCommandLine(t *testing.T) { + var checkedCommandline KernelCommandLine + err := marshalJSONString("{}", &checkedCommandline) + assert.NoError(t, err) + assert.Equal(t, KernelCommandLine{}, checkedCommandline) +} + +func TestShouldSucceedParseValidCommandLine_KernelCommandLine(t *testing.T) { + var checkedCommandline KernelCommandLine + + assert.NoError(t, validCommandLine.IsValid()) + err := remarshalJSON(validCommandLine, &checkedCommandline) + assert.NoError(t, err) + assert.Equal(t, validCommandLine, checkedCommandline) +} + +func TestShouldSucceedParsingMultipleIma_KernelCommandLine(t *testing.T) { + var checkedCommandline KernelCommandLine + multipleImaCommandLine := validCommandLine + multipleImaCommandLine.ImaPolicy = append(multipleImaCommandLine.ImaPolicy, ImaPolicyAppraiseTcb) + + assert.NoError(t, multipleImaCommandLine.IsValid()) + err := remarshalJSON(multipleImaCommandLine, &checkedCommandline) + assert.NoError(t, err) + assert.Equal(t, multipleImaCommandLine, checkedCommandline) +} + +func TestShouldSucceedParsesNoIma_KernelCommandLine(t *testing.T) { + var checkedCommandline KernelCommandLine + nilImaCommandLine := validCommandLine + nilImaCommandLine.ImaPolicy = nil + + 
assert.NoError(t, nilImaCommandLine.IsValid()) + err := remarshalJSON(nilImaCommandLine, &checkedCommandline) + assert.NoError(t, err) + assert.Equal(t, nilImaCommandLine, checkedCommandline) +} + +func TestShouldFailParsingMixedValidInvalidIma_KernelCommandLine(t *testing.T) { + var checkedCommandline KernelCommandLine + multipleImaCommandLine := validCommandLine + multipleImaCommandLine.ImaPolicy = append(multipleImaCommandLine.ImaPolicy, invalidImaPolicy) + + err := multipleImaCommandLine.IsValid() + assert.Error(t, err) + assert.Equal(t, "invalid value for ImaPolicy (not_a_policy)", err.Error()) + + err = remarshalJSON(multipleImaCommandLine, &checkedCommandline) + assert.Error(t, err) + assert.Equal(t, "failed to parse [KernelCommandLine]: failed to parse [ImaPolicy]: invalid value for ImaPolicy (not_a_policy)", err.Error()) +} + +func TestShouldFailWrongSedDelimeter_KernelCommandLine(t *testing.T) { + var checkedCommandline KernelCommandLine + invalidSedExtraCommandLine := validCommandLine + invalidSedExtraCommandLine.ExtraCommandLine = invalidExtraCommandLine + + err := invalidSedExtraCommandLine.IsValid() + assert.Error(t, err) + assert.Equal(t, "ExtraCommandLine contains character ` which is reserved for use by sed", err.Error()) + + err = remarshalJSON(invalidSedExtraCommandLine, &checkedCommandline) + assert.Error(t, err) + assert.Equal(t, "failed to parse [KernelCommandLine]: ExtraCommandLine contains character ` which is reserved for use by sed", err.Error()) +} + +func TestShouldSucceedParsingValidJSON_KernelCommandLine(t *testing.T) { + var checkedCommandline KernelCommandLine + + err := marshalJSONString(validExtraComandLineJSON, &checkedCommandline) + assert.NoError(t, err) + assert.Equal(t, validCommandLine, checkedCommandline) +} + +func TestShouldFailParsingInvalidJSON_KernelCommandLine(t *testing.T) { + var checkedCommandline KernelCommandLine + + err := marshalJSONString(invalidExtraComandLineJSON1, &checkedCommandline) + assert.Error(t, err) 
+ assert.Equal(t, "failed to parse [KernelCommandLine]: failed to parse [ImaPolicy]: invalid value for ImaPolicy (not-an-ima-policy)", err.Error()) + + checkedCommandline = KernelCommandLine{} + err = marshalJSONString(invalidExtraComandLineJSON2, &checkedCommandline) + assert.Error(t, err) + assert.Equal(t, "failed to parse [KernelCommandLine]: ExtraCommandLine contains character ` which is reserved for use by sed", err.Error()) +} diff --git a/toolkit/tools/imagegen/configuration/systemconfig.go b/toolkit/tools/imagegen/configuration/systemconfig.go index 8e459269769..c31476fd4e1 100644 --- a/toolkit/tools/imagegen/configuration/systemconfig.go +++ b/toolkit/tools/imagegen/configuration/systemconfig.go @@ -19,6 +19,7 @@ type SystemConfig struct { Name string `json:"Name"` PackageLists []string `json:"PackageLists"` KernelOptions map[string]string `json:"KernelOptions"` + KernelCommandLine KernelCommandLine `json:"KernelCommandLine"` AdditionalFiles map[string]string `json:"AdditionalFiles"` PartitionSettings []PartitionSetting `json:"PartitionSettings"` PostInstallScripts []PostInstallScript `json:"PostInstallScripts"` @@ -67,6 +68,10 @@ func (s *SystemConfig) IsValid() (err error) { // } } + if err = s.KernelCommandLine.IsValid(); err != nil { + return fmt.Errorf("invalid [KernelCommandLine]: %w", err) + } + //Validate PartitionSettings //Validate PostInstallScripts //Validate Groups diff --git a/toolkit/tools/imagegen/configuration/systemconfig_test.go b/toolkit/tools/imagegen/configuration/systemconfig_test.go index f7d415820b4..183c8b9e1bf 100644 --- a/toolkit/tools/imagegen/configuration/systemconfig_test.go +++ b/toolkit/tools/imagegen/configuration/systemconfig_test.go 
@@ -106,6 +106,21 @@ func TestShouldSucceedParsingMissingDefaultKernelForRootfs_SystemConfig(t *testi assert.Equal(t, rootfsNoKernelConfig, checkedSystemConfig) } +func TestShouldFailParsingBadKernelCommandLine_SystemConfig(t *testing.T) { + var checkedSystemConfig SystemConfig + + badKernelCommandConfig := validSystemConfig + badKernelCommandConfig.KernelCommandLine = KernelCommandLine{ExtraCommandLine: invalidExtraCommandLine} + + err := badKernelCommandConfig.IsValid() + assert.Error(t, err) + assert.Equal(t, "invalid [KernelCommandLine]: ExtraCommandLine contains character ` which is reserved for use by sed", err.Error()) + + err = remarshalJSON(badKernelCommandConfig, &checkedSystemConfig) + assert.Error(t, err) + assert.Equal(t, "failed to parse [SystemConfig]: failed to parse [KernelCommandLine]: ExtraCommandLine contains character ` which is reserved for use by sed", err.Error()) +} + func TestShouldFailToParseInvalidJSON_SystemConfig(t *testing.T) { var checkedSystemConfig SystemConfig diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go index eac6af18b67..de50102a6d5 100644 --- a/toolkit/tools/imagegen/installutils/installutils.go +++ b/toolkit/tools/imagegen/installutils/installutils.go 
@@ -499,24 +499,23 @@ func calculateTotalPackages(packages []string, installRoot string) (totalPackage return } +// addMachineID creates the /etc/machine-id file in the installChroot func addMachineID(installChroot *safechroot.Chroot) (err error) { + // From https://www.freedesktop.org/software/systemd/man/machine-id.html: + // For operating system images which are created once and used on multiple + // machines, for example for containers or in the cloud, /etc/machine-id + // should be an empty file in the generic file system image. An ID will be + // generated during boot and saved to this file if possible. + const ( - squashErrors = false - setupProgram = "/bin/systemd-machine-id-setup" + machineIDFile = "/etc/machine-id" + machineIDFilePerms = 0644 ) - // Check if systemd-machine-id-setup is present before invoking it, - // some images will not use systemd (such as a container) - exists, _ := file.PathExists(filepath.Join(installChroot.RootDir(), setupProgram)) - if !exists { - logger.Log.Debugf("'%s' not found inside chroot '%s', skipping adding machine ID", setupProgram, installChroot.RootDir()) - return - } - ReportAction("Configuring machine id") err = installChroot.UnsafeRun(func() error { - return shell.ExecuteLive(squashErrors, setupProgram) + return file.Create(machineIDFile, machineIDFilePerms) }) return } 
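Review bot: file.Create (added in this commit) opens with os.O_CREATE|os.O_EXCL, so if /etc/machine-id already exists in the chroot, for instance populated by a package scriptlet during installation, addMachineID now returns an error and the install aborts instead of ending with the empty file the quoted systemd guidance asks for. An existing non-empty machine-id would also be baked into the image and shared by every machine booted from it, which is precisely what the empty-file convention is meant to prevent, so truncating is safer than failing: e.g. `return file.Write("", machineIDFile)` (Write exists in the same package; its mode handling is not visible here), or a Create variant that tolerates os.IsExist and truncates. The removed code also skipped this step when systemd was absent, whereas the new version writes the file unconditionally; that is harmless for an empty file but worth one sentence in the comment so the next reader does not restore the guard.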
@@ -686,9 +685,10 @@ func addEntryToCrypttab(installRoot string, devicePath string, encryptedRoot dis // - rootDevice holds the root partition // - bootUUID is the UUID for the boot partition // - encryptedRoot holds the encrypted root information if encrypted root is enabled +// - kernelCommandLine contains additional kernel parameters which may be optionally set // Note: this boot partition could be different than the boot partition specified in the bootloader. // This boot partition specifically indicates where to find the kernel, config files, and initrd -func InstallGrubCfg(installRoot, rootDevice, bootUUID string, encryptedRoot diskutils.EncryptedRootDevice) (err error) { +func InstallGrubCfg(installRoot, rootDevice, bootUUID string, encryptedRoot diskutils.EncryptedRootDevice, kernelCommandLine configuration.KernelCommandLine) (err error) { const ( assetGrubcfgFile = "/installer/grub2/grub.cfg" grubCfgFile = "boot/grub2/grub.cfg" @@ -729,6 +729,20 @@ func InstallGrubCfg(installRoot, rootDevice, bootUUID string, encryptedRoot disk return } + // Configure IMA policy + err = setGrubCfgIMA(installGrubCfgFile, kernelCommandLine) + if err != nil { + logger.Log.Warnf("Failed to set ima_policy in grub.cfg: %v", err) + return + } + + // Append any additional command line parameters + err = setGrubCfgAdditionalCmdLine(installGrubCfgFile, kernelCommandLine) + if err != nil { + logger.Log.Warnf("Failed to append extra command line parameterse in grub.cfg: %v", err) + return + } + return } 
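Review bot: The warning added after setGrubCfgAdditionalCmdLine misspells "parameters": `logger.Log.Warnf("Failed to append extra command line parameters in grub.cfg: %v", err)`. Both new callees already emit a Warnf before returning the error, so every failure is now reported twice at the same level; logging at one layer, either here or in the set* helpers, is enough. InstallGrubCfg begins in the first hunk and its body between the two hunks is not visible here.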
@@ -787,16 +801,28 @@ func addGroups(installChroot *safechroot.Chroot, groups []configuration.Group) ( } func addUsers(installChroot *safechroot.Chroot, users []configuration.User) (err error) { + const ( + squashErrors = false + ) + + rootUserAdded := false + for _, user := range users { logger.Log.Infof("Adding user (%s)", user.Name) ReportActionf("Adding user: %s", user.Name) - var homeDir string + var ( + homeDir string + isRoot bool + ) - homeDir, err = createUserWithPassword(installChroot, user) + homeDir, isRoot, err = createUserWithPassword(installChroot, user) if err != nil { return } + if isRoot { + rootUserAdded = true + } err = configureUserGroupMembership(installChroot, user) if err != nil { @@ -814,10 +840,17 @@ func addUsers(installChroot *safechroot.Chroot, users []configuration.User) (err } } + // If no root entry was specified in the config file, never expire the root password + if !rootUserAdded { + logger.Log.Debugf("No root user entry found in config file. Setting root password to never expire.") + err = installChroot.UnsafeRun(func() error { + return shell.ExecuteLive(squashErrors, "chage", "-M", "-1", "root") + }) + } return } -func createUserWithPassword(installChroot *safechroot.Chroot, user configuration.User) (homeDir string, err error) { +func createUserWithPassword(installChroot *safechroot.Chroot, user configuration.User) (homeDir string, isRoot bool, err error) { const ( squashErrors = false rootHomeDir = "/root" @@ -869,6 +902,7 @@ func createUserWithPassword(installChroot *safechroot.Chroot, user configuration // Update shadow file err = updateUserPassword(installChroot.RootDir(), user.Name, hashedPassword) + isRoot = true } else { homeDir = filepath.Join(userHomeDirPrefix, user.Name) 
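Review bot: The new `chage -M -1 root` path changes the password-aging policy of the most privileged account whenever the config omits a root entry, and the comment above it only restates the code; the reason aging must be disabled in that case is not visible in this diff and belongs in the comment, together with the fact that it is skipped as soon as the config defines root itself. The call runs even when users is empty, which is probably intended but also worth a word. The error from the chage run is assigned to err and returned, which is fine; a `logger.Log.Warnf` naming the failed step would match the Debugf that precedes it. The last hunk on this line (createUserWithPassword) may extend past what is visible here.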
@@ -1286,19 +1320,55 @@ func runPostInstallScripts(installChroot *safechroot.Chroot, config configuratio return } +func setGrubCfgAdditionalCmdLine(grubPath string, kernelCommandline configuration.KernelCommandLine) (err error) { + const ( + extraPattern = "{{.ExtraCommandLine}}" + ) + + logger.Log.Debugf("Adding ExtraCommandLine('%s') to %s", kernelCommandline.ExtraCommandLine, grubPath) + err = sed(extraPattern, kernelCommandline.ExtraCommandLine, kernelCommandline.GetSedDelimeter(), grubPath) + if err != nil { + logger.Log.Warnf("Failed to append extra paramters to grub.cfg: %v", err) + } + + return +} + +func setGrubCfgIMA(grubPath string, kernelCommandline configuration.KernelCommandLine) (err error) { + const ( + imaPrefix = "ima_policy=" + imaPattern = "{{.IMAPolicy}}" + ) + + var ima string + + for _, policy := range kernelCommandline.ImaPolicy { + ima += fmt.Sprintf("%v%v ", imaPrefix, policy) + } + + logger.Log.Debugf("Adding ImaPolicy('%s') to %s", ima, grubPath) + err = sed(imaPattern, ima, kernelCommandline.GetSedDelimeter(), grubPath) + if err != nil { + logger.Log.Warnf("Failed to set grub.cfg's IMA setting: %v", err) + } + + return +} + func setGrubCfgLVM(grubPath, luksUUID string) (err error) { const ( - lvmPrefix = "rd.lvm.lv=" - lvmPattern = "{{.LVM}}" - sedDelimiter = "@" + lvmPrefix = "rd.lvm.lv=" + lvmPattern = "{{.LVM}}" ) + var cmdline configuration.KernelCommandLine var lvm string if luksUUID != "" { lvm = fmt.Sprintf("%v%v", lvmPrefix, diskutils.GetEncryptedRootVolPath()) } - err = sed(lvmPattern, lvm, sedDelimiter, grubPath) + logger.Log.Debugf("Adding lvm('%s') to %s", lvm, grubPath) + err = sed(lvmPattern, lvm, cmdline.GetSedDelimeter(), grubPath) if err != nil { logger.Log.Warnf("Failed to set grub.cfg's LVM setting: %v", err) } 
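Review bot: setGrubCfgIMA emits `ima_policy=<value> ` for every entry, and ImaPolicyNone ("") is an accepted value, so a config listing it produces a bare `ima_policy=` token on the kernel command line, and the string always ends with a trailing space; skipping the empty policy with `if policy == configuration.ImaPolicyNone { continue }` before the Sprintf and trimming the result (strings.TrimSpace, or collecting into a slice and using strings.Join) avoids both. The Warnf in setGrubCfgAdditionalCmdLine misspells "parameters" (`paramters`). setGrubCfgLVM and, in the following hunks, setGrubCfgLuksUUID, setGrubCfgBootUUID, setGrubCfgEncryptedVolume and setGrubCfgRootDevice each declare a zero-value configuration.KernelCommandLine solely to call GetSedDelimeter, which does not read its receiver; a package-level constant or plain function in the configuration package would remove the five throwaway values. setGrubCfgLVM's body continues past the hunk.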
@@ -1310,14 +1380,17 @@ func setGrubCfgLuksUUID(grubPath, uuid string) (err error) { const ( luksUUIDPrefix = "luks.uuid=" luksUUIDPattern = "{{.LuksUUID}}" - sedDelimiter = "/" ) - var luksUUID string + var ( + cmdline configuration.KernelCommandLine + luksUUID string + ) if uuid != "" { luksUUID = fmt.Sprintf("%v%v", luksUUIDPrefix, uuid) } - err = sed(luksUUIDPattern, luksUUID, sedDelimiter, grubPath) + logger.Log.Debugf("Adding luks('%s') to %s", luksUUID, grubPath) + err = sed(luksUUIDPattern, luksUUID, cmdline.GetSedDelimeter(), grubPath) if err != nil { logger.Log.Warnf("Failed to set grub.cfg's luksUUID: %v", err) return @@ -1329,10 +1402,11 @@ func setGrubCfgLuksUUID(grubPath, uuid string) (err error) { func setGrubCfgBootUUID(bootUUID, grubPath string) (err error) { const ( bootUUIDPattern = "{{.BootUUID}}" - sedDelimiter = "/" ) + var cmdline configuration.KernelCommandLine - err = sed(bootUUIDPattern, bootUUID, sedDelimiter, grubPath) + logger.Log.Debugf("Adding UUID('%s') to %s", bootUUID, grubPath) + err = sed(bootUUIDPattern, bootUUID, cmdline.GetSedDelimeter(), grubPath) if err != nil { logger.Log.Warnf("Failed to set grub.cfg's bootUUID: %v", err) return @@ -1343,12 +1417,13 @@ func setGrubCfgBootUUID(bootUUID, grubPath string) (err error) { func setGrubCfgEncryptedVolume(grubPath string) (err error) { const ( encryptedVolPattern = "{{.EncryptedVolume}}" - sedDelimiter = "@" lvmPrefix = "lvm/" ) + var cmdline configuration.KernelCommandLine encryptedVol := fmt.Sprintf("%v%v%v%v", "(", lvmPrefix, diskutils.GetEncryptedRootVol(), ")") - err = sed(encryptedVolPattern, encryptedVol, sedDelimiter, grubPath) + logger.Log.Debugf("Adding EncryptedVolume('%s') to %s", encryptedVol, grubPath) + err = sed(encryptedVolPattern, encryptedVol, cmdline.GetSedDelimeter(), grubPath) if err != nil { logger.Log.Warnf("Failed to grub.cfg's encryptedVolume: %v", err) return 
@@ -1359,14 +1434,15 @@ func setGrubCfgEncryptedVolume(grubPath string) (err error) { func setGrubCfgRootDevice(rootDevice, grubPath, luksUUID string) (err error) { const ( rootDevicePattern = "{{.RootPartition}}" - sedDelimiter = "@" ) + var cmdline configuration.KernelCommandLine if luksUUID != "" { rootDevice = diskutils.GetEncryptedRootVolMapping() } - err = sed(rootDevicePattern, rootDevice, sedDelimiter, grubPath) + logger.Log.Debugf("Adding RootDevice('%s') to %s", rootDevice, grubPath) + err = sed(rootDevicePattern, rootDevice, cmdline.GetSedDelimeter(), grubPath) if err != nil { logger.Log.Warnf("Failed to set grub.cfg's rootDevice: %v", err) return diff --git a/toolkit/tools/imagepkgfetcher/imagepkgfetcher.go b/toolkit/tools/imagepkgfetcher/imagepkgfetcher.go index a6c48a18cd4..470cebd964f 100644 --- a/toolkit/tools/imagepkgfetcher/imagepkgfetcher.go +++ b/toolkit/tools/imagepkgfetcher/imagepkgfetcher.go @@ -32,6 +32,7 @@ var ( workertar = app.Flag("tdnf-worker", "Full path to worker_chroot.tar.gz").Required().ExistingFile() repoFiles = app.Flag("repo-file", "Full path to a repo file").Required().ExistingFiles() useUpdateRepo = app.Flag("use-update-repo", "Pull packages from the upstream update repo").Bool() + usePreviewRepo = app.Flag("use-preview-repo", "Pull packages from the upstream preview repo").Bool() disableUpstreamRepos = app.Flag("disable-upstream-repos", "Disables pulling packages from upstream repos").Bool() tlsClientCert = app.Flag("tls-cert", "TLS client certificate to use when downloading files.").String() @@ -57,7 +58,7 @@ func main() { } cloner := rpmrepocloner.New() - err := cloner.Initialize(*outDir, *tmpDir, *workertar, *existingRpmDir, *useUpdateRepo, *repoFiles) + err := cloner.Initialize(*outDir, *tmpDir, *workertar, *existingRpmDir, *useUpdateRepo, *usePreviewRepo, *repoFiles) if err != nil { logger.Log.Panicf("Failed to initialize RPM repo cloner. Error: %s", err) } 
diff --git a/toolkit/tools/imager/imager.go b/toolkit/tools/imager/imager.go index 631214fa8e5..70e672b089d 100644 --- a/toolkit/tools/imager/imager.go +++ b/toolkit/tools/imager/imager.go @@ -503,7 +503,7 @@ func configureDiskBootloader(systemConfig configuration.SystemConfig, installChr rootDevice = fmt.Sprintf("PARTUUID=%v", partUUID) } - err = installutils.InstallGrubCfg(installChroot.RootDir(), rootDevice, bootUUID, encryptedRoot) + err = installutils.InstallGrubCfg(installChroot.RootDir(), rootDevice, bootUUID, encryptedRoot, systemConfig.KernelCommandLine) if err != nil { err = fmt.Errorf("failed to install main grub config file: %s", err) return diff --git a/toolkit/tools/internal/file/file.go b/toolkit/tools/internal/file/file.go index cb530e6f1f3..15d6dde3f9f 100644 --- a/toolkit/tools/internal/file/file.go +++ b/toolkit/tools/internal/file/file.go @@ -101,6 +101,18 @@ func ReadLines(path string) (lines []string, err error) { return lines, scanner.Err() } +// Create creates a new file with the provided Unix permissions +func Create(dst string, perm os.FileMode) (err error) { + logger.Log.Debugf("Creating (%s) with mode (%v)", dst, perm) + + dstFile, err := os.OpenFile(dst, os.O_CREATE|os.O_EXCL, perm) + if err != nil { + return + } + defer dstFile.Close() + return +} + // Write writes a string to the file dst. func Write(data string, dst string) (err error) { logger.Log.Debugf("Writing to (%s)", dst) diff --git a/toolkit/tools/internal/packagerepo/repocloner/repocloner.go b/toolkit/tools/internal/packagerepo/repocloner/repocloner.go index 6bb33a6ead6..3f6880c2ece 100644 --- a/toolkit/tools/internal/packagerepo/repocloner/repocloner.go +++ b/toolkit/tools/internal/packagerepo/repocloner/repocloner.go 
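Review bot: Create's doc comment does not say that it fails when dst already exists, which is the effect of os.O_EXCL and the property callers such as addMachineID need to know about; suggest `// Create creates a new file with the provided Unix permissions. It returns an error satisfying os.IsExist if dst already exists; the final mode is subject to the process umask.` The Close error is discarded by the defer; replacing the bare return with `return dstFile.Close()` reports it without changing the success path.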
@@ -24,7 +24,7 @@ type RepoPackage struct { // It is capable of generate a local repository consisting of a set of request packages // and their dependencies. type RepoCloner interface { - Initialize(destinationDir, tmpDir, workerTar, existingRpmsDir string, useUpdateRepo bool, repoDefinitions []string) error + Initialize(destinationDir, tmpDir, workerTar, existingRpmsDir string, useUpdateRepo, usePreviewRepo bool, repoDefinitions []string) error AddNetworkFiles(tlsClientCert, tlsClientKey string) error Clone(cloneDeps bool, packagesToClone ...*pkgjson.PackageVer) error WhatProvides(pkgVer *pkgjson.PackageVer) (packageName string, err error) diff --git a/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go b/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go index e070e397184..679b8a60f2a 100644 --- a/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go +++ b/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go @@ -25,7 +25,9 @@ const ( chrootDownloadDir = "/outputrpms" leaveChrootFilesOnDisk = false updateRepoID = "mariner-official-update" + previewRepoID = "mariner-preview" fetcherRepoID = "fetcher-cloned-repo" + cacheRepoDir = "/upstream-cached-rpms" ) var ( @@ -47,9 +49,10 @@ const ( // RpmRepoCloner represents an RPM repository cloner. type RpmRepoCloner struct { - chroot *safechroot.Chroot - useUpdateRepo bool - cloneDir string + chroot *safechroot.Chroot + useUpdateRepo bool + usePreviewRepo bool + cloneDir string } // New creates a new RpmRepoCloner 
@@ -63,8 +66,9 @@ func New() *RpmRepoCloner { // - workerTar is the path to the worker tar used to seed the chroot // - existingRpmsDir is the directory with prebuilt RPMs // - useUpdateRepo if set, the upstream update repository will be used. +// - usePreviewRepo if set, the upstream preview repository will be used. // - repoDefinitions is a list of repo files to use when cloning RPMs -func (r *RpmRepoCloner) Initialize(destinationDir, tmpDir, workerTar, existingRpmsDir string, useUpdateRepo bool, repoDefinitions []string) (err error) { +func (r *RpmRepoCloner) Initialize(destinationDir, tmpDir, workerTar, existingRpmsDir string, useUpdateRepo, usePreviewRepo bool, repoDefinitions []string) (err error) { const ( isExistingDir = false @@ -79,8 +83,13 @@ func (r *RpmRepoCloner) Initialize(destinationDir, tmpDir, workerTar, existingRp ) r.useUpdateRepo = useUpdateRepo - if !useUpdateRepo { - logger.Log.Warnf("Disabling update repo") + if useUpdateRepo { + logger.Log.Info("Enabling update repo") + } + + r.usePreviewRepo = usePreviewRepo + if usePreviewRepo { + logger.Log.Info("Enabling preview repo") } // Ensure that if initialization fails, the chroot is closed @@ -283,6 +292,7 @@ func (r *RpmRepoCloner) WhatProvides(pkgVer *pkgjson.PackageVer) (packageName st } err = r.chroot.Run(func() (err error) { + stdout, stderr, err := shell.Execute("tdnf", args...) logger.Log.Debugf("tdnf search for provide '%s':\n%s", pkgVer.Name, stdout) 
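Review bot: In Initialize, replacing the "Disabling update repo" warning with an Info only when the repo is enabled means the default, disabled state of both upstream repos now leaves no trace in the log, which makes it harder to tell from a build log which package sources were in play. Keeping a Debug-level line for the disabled branch restores that, e.g. `} else { logger.Log.Debugf("Update repo disabled") }` and the same for the preview repo. The useUpdateRepo and usePreviewRepo pairs are otherwise handled identically here and in clonePackage, so a small helper or table would keep the two from drifting as further repos are added.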
@@ -319,14 +329,31 @@ func (r *RpmRepoCloner) WhatProvides(pkgVer *pkgjson.PackageVer) (packageName st // ConvertDownloadedPackagesIntoRepo initializes the downloaded RPMs into an RPM repository. func (r *RpmRepoCloner) ConvertDownloadedPackagesIntoRepo() (err error) { - fullRpmDownloadDir := buildpipeline.GetRpmsDir(r.chroot.RootDir(), chrootDownloadDir) + srcDir := filepath.Join(r.chroot.RootDir(), chrootDownloadDir) + repoDir := srcDir - err = rpmrepomanager.OrganizePackagesByArch(fullRpmDownloadDir, fullRpmDownloadDir) + if !buildpipeline.IsRegularBuild() { + // Docker based build don't use overlay so repo folder + // must be explicitely set to the RPMs cache folder + repoDir = filepath.Join(r.chroot.RootDir(), cacheRepoDir) + } + + err = rpmrepomanager.OrganizePackagesByArch(srcDir, repoDir) if err != nil { return } err = r.initializeMountedChrootRepo(chrootDownloadDir) + if err != nil { + return + } + + if !buildpipeline.IsRegularBuild() { + // Docker based build don't use overlay so cache repo + // must be explicitely initialized + err = r.initializeMountedChrootRepo(cacheRepoDir) + } + return } @@ -415,6 +442,10 @@ func (r *RpmRepoCloner) clonePackage(baseArgs []string, enabledRepoOrder ...stri args = append(args, fmt.Sprintf("--disablerepo=%s", updateRepoID)) } + if !r.usePreviewRepo { + args = append(args, fmt.Sprintf("--disablerepo=%s", previewRepoID)) + } + var ( stdout string stderr string
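Review bot: In ConvertDownloadedPackagesIntoRepo, `!buildpipeline.IsRegularBuild()` is evaluated twice with two separate comments explaining the same Docker-build distinction; computing it once (`isDockerBuild := !buildpipeline.IsRegularBuild()`) and using it for both the repoDir selection and the second initializeMountedChrootRepo call keeps the two branches from diverging and lets one comment carry the explanation. The comments also misspell "explicitly" and should say "Docker based builds don't use overlay". It is not visible here whether OrganizePackagesByArch moves or copies RPMs from srcDir into repoDir; if it moves them, initializing chrootDownloadDir as a repo in the Docker path indexes an emptied directory, which is worth a clarifying comment or a skip of that call when repoDir differs from srcDir.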