packages/cockpit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!19 升级到上游的发布版本:254

Browse Source 
From: @reganhe_xx 
Reviewed-by: @dwl301 
Signed-off-by: @dwl301
This commit is contained in:
openeuler-ci-bot 2022-03-02 03:10:25 +00:00 committed by Gitee
commit 77543712d1
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
6 changed files with 55 additions and 420 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
CVE-2019-3804.patch
View File

@ -1,64 +0,0 @@
From c51f6177576d7e12614c64d316cf0b67addd17c9 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Thu, 13 Dec 2018 15:12:44 +0100
Subject: [PATCH] ws: Fix bug parsing invalid base64 headers
The len parameter to g_base64_decode_inplace() is a inout
parameter, and needs to be initialized. Lets just use
the simpler g_base64_decode() function. This fixes a segfault.
Closes #10819
---
src/ws/cockpitauth.c | 13 ++++++++-----
src/ws/test-auth.c | 6 ++++++
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
index 474e13c..963f7a7 100644
--- a/src/ws/cockpitauth.c
+++ b/src/ws/cockpitauth.c
@@ -1159,16 +1159,19 @@ cockpit_auth_class_init (CockpitAuthClass *klass)
cockpit_authorize_logger (authorize_logger, 0);
}
-static char *
+static gchar *
base64_decode_string (const char *enc)
{
+ gchar *dec;
+ gsize len;
+
if (enc == NULL)
return NULL;
- char *dec = g_strdup (enc);
- gsize len;
- g_base64_decode_inplace (dec, &len);
- dec[len] = '\0';
+ dec = (gchar *)g_base64_decode (enc, &len);
+ if (dec)
+ dec[len] = '\0';
+
return dec;
}
diff --git a/src/ws/test-auth.c b/src/ws/test-auth.c
index 6f84b01..57d9462 100644
--- a/src/ws/test-auth.c
+++ b/src/ws/test-auth.c
@@ -286,6 +286,12 @@ test_headers_bad (Test *test,
if (cockpit_auth_check_cookie (test->auth, "/cockpit", headers))
g_assert_not_reached ();
+ /* Bad encoding */
+ g_hash_table_remove_all (headers);
+ g_hash_table_insert (headers, g_strdup ("Cookie"), g_strdup ("cockpit=d"));
+ if (cockpit_auth_check_cookie (test->auth, "/cockpit", headers))
+ g_assert_not_reached ();
+
g_hash_table_destroy (headers);
}
--
2.19.1

184
backport-0001-CVE-2021-3660.patch
View File

@ -1,184 +0,0 @@
From b0b57c8093f180fa7d67fdd4efa2f1a13e296930 Mon Sep 17 00:00:00 2001
From: Martin Pitt <mpitt@redhat.com>
Date: Tue, 14 Sep 2021 11:03:32 +0200
Subject: [PATCH] bridge: Robust JSON object comparison in test-httpstream.c
Comparing the received control message JSON against the expected value
in string form has always been brittle: It assumes a
predictable/reproducible GLib dictionary serialization. This will break
across different GLib versions once we add a new static header.
So change the tests to compare the control message with
`cockpit_assert_json_eq()` (which will do parsing and deep object
comparison) instead of plain string comparison. Introduce a new
assert_channel_response() helper for this.
Conflict:NA
Reference:https://github.com/cockpit-project/cockpit/pull/16348/commits/b0b57c8093f180fa7d67fdd4efa2f1a13e296930
---
src/bridge/test-httpstream.c | 69 ++++++++++++++++++++----------------
1 file changed, 38 insertions(+), 31 deletions(-)
diff --git a/src/bridge/test-httpstream.c b/src/bridge/test-httpstream.c
index 53cd7bf..47af9ea 100644
--- a/src/bridge/test-httpstream.c
+++ b/src/bridge/test-httpstream.c
@@ -30,6 +30,9 @@
#include <string.h>
+/* JSON dict snippet for headers that are present in every request */
+#define STATIC_HEADERS "\"Cross-Origin-Resource-Policy\":\"same-origin\",\"Referrer-Policy\":\"no-referrer\",\"X-Content-Type-Options\":\"nosniff\",\"X-DNS-Prefetch-Control\":\"off\""
+
static void
on_closed_set_flag (CockpitChannel *channel,
const gchar *problem,
@@ -64,6 +67,24 @@ non_local_ip (void)
return str;
}
+/* Compare subsequent "{ control JSON }" and "body" channel messages against expected values. */
+static void
+assert_channel_response (MockTransport *transport,
+ const gchar *channel_id,
+ const gchar *expected_control,
+ const gchar *expected_body)
+{
+ GBytes *data;
+
+ data = mock_transport_pop_channel (transport, channel_id);
+ JsonNode *node = cockpit_json_parse (g_bytes_get_data (data, NULL), -1, NULL);
+ cockpit_assert_json_eq (json_node_get_object (node), expected_control);
+ json_node_unref (node);
+
+ data = mock_transport_pop_channel (transport, channel_id);
+ cockpit_assert_bytes_eq (data, expected_body, -1);
+}
+
static void
setup_general (TestGeneral *tt,
gconstpointer host_fixture)
@@ -116,8 +137,6 @@ test_host_header (TestGeneral *tt,
JsonObject *options;
const gchar *control;
gboolean closed;
- GBytes *data;
- guint count;
if (tt->host == NULL)
{
@@ -154,11 +173,9 @@ test_host_header (TestGeneral *tt,
g_signal_connect (channel, "closed", G_CALLBACK (on_closed_set_flag), &closed);
while (!closed)
g_main_context_iteration (NULL, TRUE);
-
- data = mock_transport_combine_output (tt->transport, "444", &count);
- cockpit_assert_bytes_eq (data, "{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}Da Da Da", -1);
- g_assert_cmpuint (count, ==, 2);
- g_bytes_unref (data);
+ assert_channel_response (tt->transport, "444",
+ "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
+ "Da Da Da");
}
static gboolean
@@ -340,11 +357,8 @@ test_http_chunked (void)
TestResult *tr = g_slice_new (TestResult);
GBytes *bytes = NULL;
- GBytes *data = NULL;
const gchar *control;
- gchar *expected = g_strdup_printf ("{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}%0*d", MAGIC_NUMBER, 0);
- guint count;
guint port;
web_server = cockpit_web_server_new (NULL, 0, NULL, NULL, NULL);
@@ -387,12 +401,11 @@ test_http_chunked (void)
g_main_context_iteration (NULL, TRUE);
g_assert_cmpstr (tr->problem, ==, NULL);
- data = mock_transport_combine_output (transport, "444", &count);
- cockpit_assert_bytes_eq (data, expected, -1);
- g_assert_cmpuint (count, ==, 2);
+ g_autofree gchar *expected_body = g_strdup_printf ("%0*d", MAGIC_NUMBER, 0);
- g_bytes_unref (data);
- g_free (expected);
+ assert_channel_response (transport, "444",
+ "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
+ expected_body);
g_object_unref (transport);
g_object_add_weak_pointer (G_OBJECT (channel), (gpointer *)&channel);
@@ -509,7 +522,6 @@ test_tls_basic (TestTls *test,
JsonObject *options;
const gchar *control;
GBytes *bytes;
- GBytes *data;
options = json_object_new ();
json_object_set_int_member (options, "port", test->port);
@@ -537,10 +549,9 @@ test_tls_basic (TestTls *test,
while (closed == FALSE)
g_main_context_iteration (NULL, TRUE);
- data = mock_transport_combine_output (test->transport, "444", NULL);
- cockpit_assert_bytes_eq (data, "{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}Oh Marmalaade!", -1);
-
- g_bytes_unref (data);
+ assert_channel_response (test->transport, "444",
+ "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
+ "Oh Marmalaade!");
g_object_add_weak_pointer (G_OBJECT (channel), (gpointer *)&channel);
g_object_unref (channel);
@@ -668,7 +679,6 @@ test_tls_certificate (TestTls *test,
GTlsCertificate *cert;
const gchar *control;
GBytes *bytes;
- GBytes *data;
tls = cockpit_json_parse_object (json, -1, &error);
g_assert_no_error (error);
@@ -699,10 +709,9 @@ test_tls_certificate (TestTls *test,
while (closed == FALSE)
g_main_context_iteration (NULL, TRUE);
- data = mock_transport_combine_output (test->transport, "444", NULL);
- cockpit_assert_bytes_eq (data, "{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}Oh Marmalaade!", -1);
-
- g_bytes_unref (data);
+ assert_channel_response (test->transport, "444",
+ "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
+ "Oh Marmalaade!");
g_assert (test->peer != NULL);
@@ -733,7 +742,6 @@ test_tls_authority_good (TestTls *test,
GError *error = NULL;
const gchar *control;
GBytes *bytes;
- GBytes *data;
tls = cockpit_json_parse_object (json, -1, &error);
g_assert_no_error (error);
@@ -763,11 +771,10 @@ test_tls_authority_good (TestTls *test,
while (closed == FALSE)
g_main_context_iteration (NULL, TRUE);
-
- data = mock_transport_combine_output (test->transport, "444", NULL);
- cockpit_assert_bytes_eq (data, "{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}Oh Marmalaade!", -1);
-
- g_bytes_unref (data);
+
+ assert_channel_response (test->transport, "444",
+ "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
+ "Oh Marmalaade!");
g_object_add_weak_pointer (G_OBJECT (channel), (gpointer *)&channel);
g_object_unref (channel);
--
2.27.0

142
backport-0002-CVE-2021-3660.patch
View File

@ -1,142 +0,0 @@
From 25a8a5c6e47268933b9b4433a9590ccfd9c04c83 Mon Sep 17 00:00:00 2001
From: Martin Pitt <mpitt@redhat.com>
Date: Tue, 14 Sep 2021 09:02:33 +0200
Subject: [PATCH] common: Restrict frame embedding to same origin
Declare `X-Frame-Options: sameorigin` [1] so that cockpit frames can
only be embedded into pages coming from the same origin. This is similar
to setting CORP in commit 2b38b8de92f9a (which applies to `<script>`,
`<img>`, etc.).
The main use case for embedding is to run cockpit-ws behind a reverse
proxy, while also serving other pages. Cross-origin embedding is
discouraged these days to prevent "clickjacking".
Cross-origin embedding already did not work in most cases: Frames would
always just show the login page. However, this looks confusing and is
unclean. With X-Frame-Options, the browser instead shows an explanatory
error page.
Mention the same origin requirement in the embedding documentation.
Fixes #16122
https://bugzilla.redhat.com/show_bug.cgi?id=1980688
CVE-2021-3660
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Conflict:NA
Reference:https://github.com/cockpit-project/cockpit/pull/16342/commits/25a8a5c6e47268933b9b4433a9590ccfd9c04c83
---
doc/guide/embedding.xml | 4 +++-
src/bridge/test-httpstream.c | 2 +-
src/bridge/test-packages.c | 3 +++
src/common/cockpitwebresponse.c | 6 ++++++
src/common/test-webresponse.c | 3 +++
src/ws/test-channelresponse.c | 3 +++
6 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/doc/guide/embedding.xml b/doc/guide/embedding.xml
index 99b30dc..7fe8aa9 100644
--- a/doc/guide/embedding.xml
+++ b/doc/guide/embedding.xml
@@ -5,7 +5,9 @@
<title>Embedding and Integrating Cockpit</title>
<para>Cockpit can be embedded in other web applications either as a whole or specific
- Cockpit components can be integrated.</para>
+ Cockpit components can be integrated. Due to frame security policy restrictions,
+ this only works if Cockpit and the web application have the <emphasis>same origin</emphasis>;
+ this is commonly achieved by running both from a common reverse proxy.</para>
<section id="embedding-full">
<title>Embedding the Cockpit Interface</title>
diff --git a/src/bridge/test-httpstream.c b/src/bridge/test-httpstream.c
index 47af9ea..6844f72 100644
--- a/src/bridge/test-httpstream.c
+++ b/src/bridge/test-httpstream.c
@@ -31,7 +31,7 @@
#include <string.h>
/* JSON dict snippet for headers that are present in every request */
-#define STATIC_HEADERS "\"Cross-Origin-Resource-Policy\":\"same-origin\",\"Referrer-Policy\":\"no-referrer\",\"X-Content-Type-Options\":\"nosniff\",\"X-DNS-Prefetch-Control\":\"off\""
+#define STATIC_HEADERS "\"Cross-Origin-Resource-Policy\":\"same-origin\",\"Referrer-Policy\":\"no-referrer\",\"X-Content-Type-Options\":\"nosniff\",\"X-DNS-Prefetch-Control\":\"off\",\"X-Frame-Options\":\"sameorigin\""
static void
on_closed_set_flag (CockpitChannel *channel,
diff --git a/src/bridge/test-packages.c b/src/bridge/test-packages.c
index 769c51c..b96a3b4 100644
--- a/src/bridge/test-packages.c
+++ b/src/bridge/test-packages.c
@@ -45,6 +45,9 @@
#define CHECKSUM_RELOAD_UPDATED "0d1c0b7c6133cc7c3956197fd8a76bef68b158bd78beac75cfa80b75c36aa827"
#define CHECKSUM_CSP "25cab69451c3667cb9ed33f006fc7003c248f1029dae4a763bbadb0c4cafaf8d"
+/* JSON dict snippet for headers that are present in every request */
+#define STATIC_HEADERS "\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\",\"X-Content-Type-Options\":\"nosniff\",\"Cross-Origin-Resource-Policy\": \"same-origin\",\"X-Frame-Options\": \"sameorigin\""
+
extern const gchar **cockpit_bridge_data_dirs;
extern const gchar *cockpit_bridge_local_address;
extern gint cockpit_bridge_packages_port;
diff --git a/src/common/cockpitwebresponse.c b/src/common/cockpitwebresponse.c
index 0e757f3..ddf1911 100644
--- a/src/common/cockpitwebresponse.c
+++ b/src/common/cockpitwebresponse.c
@@ -735,6 +735,7 @@ enum {
HEADER_CACHE_CONTROL = 1 << 3,
HEADER_DNS_PREFETCH_CONTROL = 1 << 4,
HEADER_REFERRER_POLICY = 1 << 5,
+ HEADER_X_FRAME_OPTIONS = 1 << 8,
};
static GString *
@@ -773,6 +774,8 @@ append_header (GString *string,
return HEADER_DNS_PREFETCH_CONTROL;
if (g_ascii_strcasecmp ("Referrer-Policy", name) == 0)
return HEADER_REFERRER_POLICY;
+ if (g_ascii_strcasecmp ("X-Frame-Options", name) == 0)
+ return HEADER_X_FRAME_OPTIONS;
else if (g_ascii_strcasecmp ("Connection", name) == 0)
g_critical ("Don't set Connection header manually. This is a programmer error.");
return 0;
@@ -875,6 +878,9 @@ finish_headers (CockpitWebResponse *self,
g_string_append (string, "X-DNS-Prefetch-Control: off\r\n");
if ((seen & HEADER_REFERRER_POLICY) == 0)
g_string_append (string, "Referrer-Policy: no-referrer\r\n");
+ /* This is the counterpart for iframe embedding, line of defence against clickjacking */
+ if ((seen & HEADER_X_FRAME_OPTIONS) == 0)
+ g_string_append (string, "X-Frame-Options: sameorigin\r\n");
g_string_append (string, "\r\n");
return g_string_free_to_bytes (string);
diff --git a/src/common/test-webresponse.c b/src/common/test-webresponse.c
index ab59c13..a797f2b 100644
--- a/src/common/test-webresponse.c
+++ b/src/common/test-webresponse.c
@@ -34,6 +34,9 @@
#include <stdlib.h>
#include <string.h>
+/* headers that are present in every request */
+#define STATIC_HEADERS "X-DNS-Prefetch-Control: off\r\nReferrer-Policy: no-referrer\r\nX-Content-Type-Options: nosniff\r\nCross-Origin-Resource-Policy: same-origin\r\nX-Frame-Options: sameorigin\r\n\r\n"
+
static gchar *srcdir;
typedef struct {
diff --git a/src/ws/test-channelresponse.c b/src/ws/test-channelresponse.c
index 86c0fff..763913b 100644
--- a/src/ws/test-channelresponse.c
+++ b/src/ws/test-channelresponse.c
@@ -51,6 +51,9 @@
#define PASSWORD "this is the password"
+/* headers that are present in every request */
+#define STATIC_HEADERS "X-Content-Type-Options: nosniff\r\nX-DNS-Prefetch-Control: off\r\nReferrer-Policy: no-referrer\r\nCross-Origin-Resource-Policy: same-origin\r\nX-Frame-Options: sameorigin\r\n"
+
typedef struct {
CockpitWebService *service;
GIOStream *io;
--
2.27.0

BIN
cockpit-178.tar.xz
View File

Binary file not shown.

BIN
cockpit-254.tar.xz Normal file
View File

Binary file not shown.

85
cockpit.spec
View File

@ -1,27 +1,25 @@
%bcond_with pcp
%global __requires_exclude_from ^%{_libexecdir}/cockpit-client$
%bcond_with pcp
Name: cockpit
Version: 178
Release: 12
Version: 254
Release: 1
Summary: A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
License: LGPLv2+
URL: https://cockpit-project.org/
Source0: https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
Patch6000: CVE-2019-3804.patch
Patch6001: backport-0001-CVE-2021-3660.patch
Patch6002: backport-0002-CVE-2021-3660.patch
BuildRequires: gcc
BuildRequires: pkgconfig(gio-unix-2.0) pkgconfig(json-glib-1.0) pkgconfig(polkit-agent-1) >= 0.105 pam-devel
BuildRequires: autoconf automake python3 intltool libssh-devel >= 0.7.1 openssl-devel zlib-devel krb5-devel
BuildRequires: libxslt-devel docbook-style-xsl glib-networking sed glib2-devel >= 2.37.4
BuildRequires: systemd-devel krb5-server xmlto
BuildRequires: libxslt-devel docbook-style-xsl glib-networking sed glib2-devel >= 2.50.0
BuildRequires: systemd-devel krb5-server xmlto gnutls-devel >= 3.6.0
%if %{with pcp}
BuildRequires: pcp-libs-devel
BuildRequires: pcp-libs-devel
%endif
Requires: glib-networking shadow-utils grep libpwquality coreutils NetworkManager kexec-tools openssl glib2 >= 2.37.4
Requires: glib-networking shadow-utils grep libpwquality coreutils NetworkManager kexec-tools openssl glib2 >= 2.50.0
Requires: python3 python3-dbus systemd udisks2 >= 2.6 libvirt libvirt-client PackageKit
Provides: %{name}-networkmanager %{name}-selinux %{name}-sosreport %{name}-dashboard = %{version}-%{release}
@ -84,7 +82,8 @@ man help files.
%autosetup -n %{name}-%{version} -p1
%build
%configure --disable-silent-rules --with-cockpit-user=cockpit-ws --with-selinux-config-type=etc_t\
%configure --disable-silent-rules --with-cockpit-user=cockpit-ws --with-selinux-config-type=etc_t \
--with-cockpit-ws-instance-user=cockpit-wsinstance \
--with-appstream-data-packages='[ "appstream-data" ]' --with-nfs-client-package='"nfs-utils"' --with-vdo-package='"vdo"' \
%if %{without pcp}
--disable-pcp
@ -108,16 +107,29 @@ echo '{ "linguas": null }' > %{buildroot}%{_datadir}/cockpit/shell/override.json
%find_lang %{name}
tar -C %{buildroot}/usr/src/debug%{_datadir}/%{name}/playground -cf - . | tar -C %{buildroot}%{_datadir}/%{name}/playground -xf -
%pre
getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d / -s /sbin/nologin -c "User for cockpit-ws" cockpit-ws
getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d / -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
%post
%systemd_post cockpit.socket
test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
if [ ! -f "%{_sysconfdir}/%{name}/ws-certs.d/0-self-signed.key" ]; then
# The certificate is not available when upgrading from an older version and needs to be recreated
%{__rm} -f %{_sysconfdir}/%{name}/ws-certs.d/{0-self-signed.cert,0-self-signed-ca.pem}
fi
%tmpfiles_create cockpit-tempfiles.conf
%systemd_post cockpit.socket cockpit.service
# cannot use systemctl because it might be out of sync with reality
test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
# check for deprecated PAM config
if grep --color=auto pam_cockpit_cert %{_sysconfdir}/pam.d/cockpit; then
echo '**** WARNING:'
echo '**** WARNING: pam_cockpit_cert is a no-op and will be removed in a'
echo '**** WARNING: future release; remove it from your /etc/pam.d/cockpit.'
echo '**** WARNING:'
fi
%if %{with pcp}
%post pcp
@ -125,7 +137,7 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
%endif
%preun
%systemd_preun cockpit.socket
%systemd_preun cockpit.socket cockpit.service
%postun
%systemd_postun_with_restart cockpit.socket
@ -135,31 +147,39 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
%if %{without pcp}
%exclude %{_datadir}/cockpit/pcp/*
%endif
%exclude %{_prefix}/lib/firewalld/services/cockpit.xml
%exclude %{_datadir}/%{name}/{subscriptions,docker,kubernetes}
%exclude %{_datadir}/pixmaps/cockpit-sosreport.png
%exclude %{_libexecdir}/{cockpit-kube-auth,cockpit-kube-launch,cockpit-stub}
%exclude %{_metainfodir}/{org.cockpit-project.cockpit-sosreport.metainfo.xml,org.cockpit-project.cockpit-kdump.metainfo.xml,org.cockpit-project.cockpit-selinux.metainfo.xml}
%exclude %{_metainfodir}/{org.cockpit-project.cockpit-storaged.metainfo.xml}
%doc AUTHORS COPYING README.md
%dir %{_sysconfdir}/cockpit
%config(noreplace) %{_sysconfdir}/cockpit/ws-certs.d
%config(noreplace) %{_sysconfdir}/pam.d/cockpit
%config %{_sysconfdir}/issue.d/cockpit.issue
%config %{_sysconfdir}/motd.d/cockpit
%{_datadir}/metainfo/cockpit.appdata.xml
%{_datadir}/applications/cockpit.desktop
%{_datadir}/pixmaps/cockpit.png
%{_datadir}/%{name}/motd/{update-motd,inactive.motd}
%{_datadir}/%{name}/{static,branding}
%{_datadir}/%{name}/{base1,ssh,dashboard,realmd,tuned,shell,systemd,users,kdump,sosreport,storaged,networkmanager,packagekit,apps,machines,ovirt,selinux}/*
%{_datadir}/%{name}/{base1,ssh,dashboard,realmd,tuned,shell,systemd,users,metrics,kdump,sosreport,storaged,networkmanager,packagekit,apps,machines,ovirt,selinux}/*
%{_unitdir}/{cockpit.service,cockpit-motd.service,cockpit.socket}
%{_unitdir}/cockpit-wsinstance-http-redirect.service
%{_unitdir}/cockpit-wsinstance-http-redirect.socket
%{_unitdir}/cockpit-wsinstance-http.service
%{_unitdir}/cockpit-wsinstance-http.socket
%{_unitdir}/cockpit-wsinstance-https-factory.socket
%{_unitdir}/cockpit-wsinstance-https-factory@.service
%{_unitdir}/cockpit-wsinstance-https@.service
%{_unitdir}/cockpit-wsinstance-https@.socket
%{_unitdir}/system-cockpithttps.slice
%{_sysconfdir}/%{name}/machines.d
%{_prefix}/lib/tmpfiles.d/cockpit-tempfiles.conf
%attr(0775,-,wheel) %{_localstatedir}/lib/cockpit
%{_libdir}/security/pam_ssh_add.so
%{_libexecdir}/{cockpit-askpass,cockpit-ws,cockpit-ssh}
%attr(4750,root,cockpit-ws) %{_libexecdir}/cockpit-session
%{_sbindir}/remotectl
%{_libdir}/security/pam_cockpit_cert.so
%{_libexecdir}/{cockpit-askpass,cockpit-ws,cockpit-ssh,cockpit-wsinstance-factory,cockpit-tls,cockpit-client}
%{_libexecdir}/{cockpit-client.ui,cockpit-desktop,cockpit-certificate-ensure,cockpit-certificate-helper}
%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
%{_bindir}/cockpit-bridge
%{_datadir}/polkit-1/actions/org.cockpit-project.cockpit-bridge.policy
%if %{with pcp}
%files pcp
@ -169,18 +189,23 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
%endif
%files devel
%config(noreplace) %{_sysconfdir}/cockpit/cockpit.conf
%{_datadir}/cockpit/playground
%{_prefix}/lib/cockpit-test-assets
%files help
%{_docdir}/cockpit
%exclude %{_docdir}/cockpit/{AUTHORS,COPYING,README.md}
%doc %{_mandir}/man1/{cockpit.1.gz,cockpit-bridge.1.gz}
%doc %{_mandir}/man1/{cockpit.1.gz,cockpit-bridge.1.gz,cockpit-desktop.1.gz}
%doc %{_mandir}/man5/cockpit.conf.5.gz
%doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz}
%doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz,cockpit-tls.8.gz}
%changelog
* Tue Mar 01 2022 herengui <herengui@uniontech.com> - 254-1
- Type:NA
- ID:NA
- SUG:NA
- DESC:Update to upstream 264 release
* Fri Sep 24 2021 wangkerong <wangkerong@huawei.com> - 178-12
- Type:CVE
- Id:CVE-2021-3660
@ -190,7 +215,7 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
* Sat Sep 4 2021 hanhui <hanhui15@huawei.com> - 178-11
- strip binary file
* Thu Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 178-10
* Tue Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 178-10
- delete gdb in buildrequires
* Wed May 26 2021 liuyumeng <liuyumeng5@huawei.com> - 178-9