Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package keylime for openSUSE:Factory checked in at 2022-06-24 08:45:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/keylime (Old) and /work/SRC/openSUSE:Factory/.keylime.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Fri Jun 24 08:45:19 2022 rev:20 rq:984735 version:6.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2022-06-17 21:22:53.870785896 +0200 +++ /work/SRC/openSUSE:Factory/.keylime.new.1548/keylime.changes 2022-06-24 08:45:34.883157380 +0200 @@ -1,0 +2,13 @@ +Thu Jun 23 14:50:05 UTC 2022 - Alberto Planas Dominguez <apla...@suse.com> + +- Remove user downgrade mechanism from the package (CVE-2022-31250, bsc#1200885) + +------------------------------------------------------------------- +Thu Jun 23 08:49:30 UTC 2022 - Alberto Planas Dominguez <apla...@suse.com> + +- Add logrotate configuration for the services +- Create run directory as non-root user +- Conflict with rust-keylime +- Consolidate in _distconfdir when possible + +------------------------------------------------------------------- New: ---- logrotate.keylime tmpfiles.keylime ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.iDSLe4/_old 2022-06-24 08:45:35.403157963 +0200 +++ /var/tmp/diff_new_pack.iDSLe4/_new 2022-06-24 08:45:35.407157967 +0200 @@ -16,6 +16,14 @@ # +# Consolidate _distconfdir and _sysconfdir +%if 0%{?_distconfdir:1} + %define _config_norepl %nil +%else + %define _distconfdir %{_sysconfdir} + %define _config_norepl %config(noreplace) +%endif + %global srcname keylime %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define skip_python2 1 @@ -28,6 +36,8 @@ Source0: %{name}-v%{version}.tar.xz Source1: keylime.xml Source2: %{name}-user.conf +Source3: logrotate.%{name} +Source4: tmpfiles.%{name} # PATCH-FIX-OPENSUSE keylime.conf.diff Patch1: keylime.conf.diff BuildRequires: %{python_module setuptools} @@ -55,6 +65,7 @@ Requires: tpm2.0-tools Requires(post): update-alternatives Requires(postun):update-alternatives +Conflicts: rust-keylime BuildArch: noarch %python_subpackages 
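Review bot: `Conflicts: rust-keylime` in the @@ -55 hunk is placed in the main package preamble, ahead of `%python_subpackages`, so it attaches to the Python library package rather than to the agent subpackage. If rust-keylime provides only the agent (the changelog entry "Conflict with rust-keylime" does not say), this also blocks installing the Python verifier and registrar next to the Rust agent on one host; moving the line under `%package -n %{name}-agent` would keep the conflict where the file overlap is. If the two packages really do overlap at the library level, a one-line comment above the `Conflicts:` naming the colliding files would stop the next maintainer from re-scoping it.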
@@ -87,6 +98,7 @@ %package -n %{name}-agent Summary: Keylime agent service Requires: %{name}-config = %{version} +Requires: %{name}-logrotate = %{version} Requires: %{name}-tpm_cert_store = %{version} Requires: python3-%{name} = %{version} Recommends: %{name}-firewalld = %{version} @@ -98,6 +110,7 @@ %package -n %{name}-registrar Summary: Keylime registrar service Requires: %{name}-config = %{version} +Requires: %{name}-logrotate = %{version} Requires: %{name}-tpm_cert_store = %{version} Requires: python3-%{name} = %{version} Recommends: %{name}-firewalld = %{version} @@ -108,6 +121,7 @@ %package -n %{name}-verifier Summary: Keylime verifier service Requires: %{name}-config = %{version} +Requires: %{name}-logrotate = %{version} Requires: %{name}-tpm_cert_store = %{version} Requires: python3-%{name} = %{version} Recommends: %{name}-firewalld = %{version} @@ -115,6 +129,13 @@ %description -n %{name}-verifier Subpackage of %{name} for verifier service. +%package -n %{name}-logrotate +Summary: Logrotate for Keylime servies +Requires: logrotate + +%description -n %{name}-logrotate +Subpacakge of %{name} for logrotate for Keylime services + %prep %autosetup -p1 -n %{name}-v%{version} 
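Review bot: The new logrotate subpackage text in the @@ -115 hunk has two typos: `Summary: Logrotate for Keylime servies` should read `Summary: Logrotate for Keylime services`, and `Subpacakge of %{name} for logrotate for Keylime services` should read `Subpackage of %{name} for logrotate for Keylime services`. The three `Requires: %{name}-logrotate = %{version}` lines added to the agent, registrar and verifier subpackages (@@ -87, -98, -108) make logrotate a hard dependency of every service through the subpackage's `Requires: logrotate`, whereas the sibling firewalld integration is only `Recommends:`. That is a reasonable choice if the services need the log directory that the logrotate subpackage owns in a later hunk, but a short comment next to the first `Requires:` saying so would make the intent explicit.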
@@ -140,24 +161,21 @@ %python_expand %fdupes %{buildroot}%{$python_sitelib} -%if 0%{?suse_version} >= 1550 -install -Dpm 600 %{srcname}.conf %{buildroot}%{_prefix}%{_sysconfdir}/%{srcname}.conf -%else -install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf -%endif -install -Dpm 644 ./services/%{srcname}_agent.service %{buildroot}%{_unitdir}/%{srcname}_agent.service -install -Dpm 644 ./services/%{srcname}_agent_secure.mount %{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount -install -Dpm 644 ./services/%{srcname}_verifier.service %{buildroot}%{_unitdir}/%{srcname}_verifier.service -install -Dpm 644 ./services/%{srcname}_registrar.service %{buildroot}%{_unitdir}/%{srcname}_registrar.service - -install -D -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/services/%{srcname}.xml - -mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname} -cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/ -%fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/ - -mkdir -p %{buildroot}%{_sysusersdir} -install -m 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/ +install -Dpm 0600 %{srcname}.conf %{buildroot}%{_distconfdir}/%{srcname}.conf +install -Dpm 0644 ./services/%{srcname}_agent.service %{buildroot}%{_unitdir}/%{srcname}_agent.service +install -Dpm 0644 ./services/%{srcname}_agent_secure.mount %{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount +install -Dpm 0644 ./services/%{srcname}_verifier.service %{buildroot}%{_unitdir}/%{srcname}_verifier.service +install -Dpm 0644 ./services/%{srcname}_registrar.service %{buildroot}%{_unitdir}/%{srcname}_registrar.service + +install -Dpm 0644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/services/%{srcname}.xml +install -Dpm 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}-user.conf +install -Dpm 0644 %{SOURCE3} %{buildroot}%{_distconfdir}/logrotate.d/%{name} +install -Dpm 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -d %{buildroot}%{_localstatedir}/log/%{name} + +mkdir -p 
%{buildroot}/%{_localstatedir}/%{srcname} +cp -r ./tpm_cert_store %{buildroot}%{_localstatedir}/%{srcname}/ +%fdupes %{buildroot}%{_localstatedir}/%{srcname}/ # %%check # %%pyunittest -v @@ -190,13 +208,7 @@ %pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre %post -n %{srcname}-tpm_cert_store -# Help the upgrade process when moving to a non-root services -chown -R keylime:tss %{_sharedstatedir}/%{srcname}/ca 2> /dev/null || : -chown -R keylime:tss %{_sharedstatedir}/%{srcname}/secure 2> /dev/null || : -chown -R keylime:tss %{_sharedstatedir}/%{srcname}/cv_ca 2> /dev/null || : -chown keylime:tss %{_sharedstatedir}/%{srcname}/*.sqlite 2> /dev/null || : -chown keylime:tss %{_sharedstatedir}/%{srcname}/*.yml 2> /dev/null || : -chown keylime:tss %{_sysconfdir}/%{srcname}.conf 2> /dev/null || : +%tmpfiles_create %{srcname}.conf %pre -n %{srcname}-verifier %service_add_pre %{srcname}_verifier.service @@ -253,11 +265,7 @@ %{python_sitelib}/* %files -n %{srcname}-config -%if 0%{?suse_version} >= 1550 -%attr (600,keylime,tss) %{_prefix}%{_sysconfdir}/%{srcname}.conf -%else -%config(noreplace) %attr (600,keylime,tss) %{_sysconfdir}/%{srcname}.conf -%endif +%{_config_norepl} %attr (600,keylime,tss) %{_distconfdir}/%{srcname}.conf %files -n %{srcname}-firewalld %dir %{_prefix}/lib/firewalld 
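Review bot: The @@ -140 hunk replaces `%{_sharedstatedir}/%{srcname}` with `%{_localstatedir}/%{srcname}` for the state directory (`mkdir -p`, `cp -r ./tpm_cert_store`, `%fdupes`), and the same substitution appears in the %files sections of the @@ -253 and @@ -265 hunks. On this distribution `%{_localstatedir}` conventionally expands to /var and `%{_sharedstatedir}` to /var/lib, so the package would now ship /var/keylime while the unchanged unit name `var-lib-%{srcname}-secure.mount` still points below /var/lib/keylime; unless keylime.conf was patched to the new location, which is not visible here, the services will not look where the package creates the directory. If the move is unintended, `mkdir -p %{buildroot}%{_sharedstatedir}/%{srcname}` together with the matching `cp`, `%fdupes` and %files lines restores the original path; if it is intended, the changelog entry should mention the relocation.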
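Review bot: The @@ -190 hunk drops the recursive `chown` calls from `%post -n %{srcname}-tpm_cert_store` (the CVE-2022-31250 change named in the changelog) but leaves no trace of the reason in the spec, so a later packager answering an upgrade-ownership complaint could reintroduce the same scriptlet. A comment above `%tmpfiles_create %{srcname}.conf` such as `# Do not chown the state directory here: the recursive chown inside a directory owned by the service user was removed for CVE-2022-31250 (bsc#1200885)` keeps the rationale next to the scriptlet. Ownership of the package-owned paths is already handled by `%attr(0700,keylime,tss)` on the directory in the @@ -265 hunk, so nothing else is needed in %post.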
@@ -265,19 +273,27 @@ %{_prefix}/lib/firewalld/services/%{srcname}.xml %files -n %{srcname}-tpm_cert_store -%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname} -%dir %{_sharedstatedir}/%{srcname}/tpm_cert_store -%{_sharedstatedir}/%{srcname}/tpm_cert_store/* +%dir %{_localstatedir}/%{srcname}/tpm_cert_store +%{_localstatedir}/%{srcname}/tpm_cert_store/* +# We use this subpackage to store other unrelated things, as far as is +# required by all the services +%dir %attr(0700,keylime,tss) %{_localstatedir}/%{srcname} %{_sysusersdir}/%{srcname}-user.conf +%ghost %dir %attr(0700,keylime,tss) %{_rundir}/%{srcname} +%{_tmpfilesdir}/%{srcname}.conf -%files -n %{srcname}-verifier -%{_unitdir}/%{srcname}_verifier.service +%files -n %{srcname}-agent +%{_unitdir}/%{srcname}_agent.service +%{_unitdir}/var-lib-%{srcname}-secure.mount %files -n %{srcname}-registrar %{_unitdir}/%{srcname}_registrar.service -%files -n %{srcname}-agent -%{_unitdir}/%{srcname}_agent.service -%{_unitdir}/var-lib-%{srcname}-secure.mount +%files -n %{srcname}-verifier +%{_unitdir}/%{srcname}_verifier.service + +%files -n %{srcname}-logrotate +%{_config_norepl} %{_distconfdir}/logrotate.d/%{srcname} +%dir %attr(750,keylime,tss) %{_localstatedir}/log/%{srcname} %changelog ++++++ logrotate.keylime ++++++ /var/log/keylime/*.log { su keylime tss weekly missingok rotate 4 copytruncate minsize 1M } ++++++ tmpfiles.keylime ++++++ d /run/keylime 0700 keylime tss
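Review bot: `copytruncate` in the new logrotate.keylime loses any log lines the services write between logrotate's copy and its truncate, which matters for an attestation service whose log is part of the audit trail; if the services reopen their log file on a signal (not visible here), a `postrotate` reload of the three units would close that window, otherwise `copytruncate` is the right choice and a comment such as `# copytruncate: the services keep the file open and do not reopen it on signal` should say so. The snippet also has no `compress`, so up to four weekly rotations of a file over 1M are kept uncompressed; `compress` with `delaycompress` is the usual pairing. `su keylime tss` is correct given `%dir %attr(750,keylime,tss) %{_localstatedir}/log/%{srcname}` in the @@ -265 hunk, since logrotate running as root would otherwise skip a directory owned by a non-root user as insecure, and the `d /run/keylime 0700 keylime tss` line in tmpfiles.keylime matches the `%ghost %dir` entry in the same hunk.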