!47 【openEuler-24.03】官方发布的src.rpm中缺少补丁

From: @yue-yuankun 
Reviewed-by: @wangyueliang 
Signed-off-by: @wangyueliang

0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch

@@ -0,0 +1,150 @@
+From a8e53434a529e7d53514a8c44d1cec42f04b0723 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 21 Mar 2024 10:43:07 -0400
+Subject: [PATCH] Revert "compose: Inject our static tmpfiles.d dropins
+ earlier"
+
+This reverts commit e1e78cf9df902d895a7fce9dc719726c283e9d03.
+
+It breaks idempotency with osbuild.
+
+Closes: https://github.com/coreos/rpm-ostree/issues/4879
+---
+ rust/src/passwd.rs                         |  3 --
+ src/app/rpmostree-compose-builtin-tree.cxx | 40 --------------------
+ src/libpriv/rpmostree-postprocess.cxx      | 44 ++++++++++++++++++++--
+ 3 files changed, 41 insertions(+), 46 deletions(-)
+
+diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
+index 79ee488f..821497d8 100644
+--- a/rust/src/passwd.rs
++++ b/rust/src/passwd.rs
+@@ -106,9 +106,6 @@ pub fn passwd_cleanup(rootfs_dfd: i32) -> Result<()> {
+ /// in /usr/etc at this point), and splitting it into two streams: a new
+ /// /etc/passwd that just contains the root entry, and /usr/lib/passwd which
+ /// contains everything else.
+-///
+-/// Note: the presence of /usr/lib/passwd is used in postprocess_final() to make
+-/// it idempotent. See related comment there.
+ #[context("Migrating 'passwd' to /usr/lib")]
+ pub fn migrate_passwd_except_root(rootfs_dfd: i32) -> CxxResult<()> {
+     static ETCSRC_PATH: &str = "usr/etc/passwd";
+diff --git a/src/app/rpmostree-compose-builtin-tree.cxx b/src/app/rpmostree-compose-builtin-tree.cxx
+index 1f2862f8..63648288 100644
+--- a/src/app/rpmostree-compose-builtin-tree.cxx
++++ b/src/app/rpmostree-compose-builtin-tree.cxx
+@@ -477,46 +477,6 @@ install_packages (RpmOstreeTreeComposeContext *self, gboolean *out_unmodified,
+                                         std::string (previous_ref), opt_unified_core),
+               error);
+ 
+-  /* Assembly will regen the rpm-ostree-autovar.conf tmpfiles.d dropin; let's
+-   * make sure to add our own static dropins before that so that they're taken
+-   * into account when looking for dupes. */
+-  g_print ("Adding rpm-ostree-0-integration.conf\n");
+-
+-  /* This is useful if we're running in an uninstalled configuration, e.g.
+-   * during tests. */
+-  const char *pkglibdir_path = g_getenv ("RPMOSTREE_UNINSTALLED_PKGLIBDIR") ?: PKGLIBDIR;
+-  glnx_autofd int pkglibdir_dfd = -1;
+-  if (!glnx_opendirat (AT_FDCWD, pkglibdir_path, TRUE, &pkglibdir_dfd, error))
+-    return FALSE;
+-
+-  if (!glnx_shutil_mkdir_p_at (rootfs_dfd, "usr/lib/tmpfiles.d", 0755, cancellable, error))
+-    return FALSE;
+-
+-  if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration.conf", NULL, rootfs_dfd,
+-                          "usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf",
+-                          GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
+-                          cancellable, error))
+-    return FALSE;
+-
+-  if ((*self->treefile_rs)->get_opt_usrlocal () == rpmostreecxx::OptUsrLocal::StateOverlay)
+-    {
+-      if (!glnx_file_copy_at (
+-              pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal-compat.conf", NULL, rootfs_dfd,
+-              "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal-compat.conf",
+-              GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
+-              cancellable, error))
+-        return FALSE;
+-    }
+-  else
+-    {
+-      if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal.conf", NULL,
+-                              rootfs_dfd,
+-                              "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal.conf",
+-                              GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
+-                              cancellable, error))
+-        return FALSE;
+-    }
+-
+   if (opt_unified_core)
+     {
+       if (!rpmostree_context_import (self->corectx, cancellable, error))
+diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
+index 9b5cdec7..311de70f 100644
+--- a/src/libpriv/rpmostree-postprocess.cxx
++++ b/src/libpriv/rpmostree-postprocess.cxx
+@@ -368,12 +368,13 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
+ {
+   GLNX_AUTO_PREFIX_ERROR ("Finalizing rootfs", error);
+ 
+-  /* Use the presence of /usr/lib/passwd as an "idempotence" marker to
++  /* Use installation of the tmpfiles integration as an "idempotence" marker to
+    * avoid doing postprocessing twice, which can happen when mixing `compose
+    * postprocess-root` with `compose commit`.
+    */
+-  const char usr_lib_passwd[] = "usr/lib/password";
+-  if (!glnx_fstatat_allow_noent (rootfs_dfd, usr_lib_passwd, NULL, AT_SYMLINK_NOFOLLOW, error))
++  const char tmpfiles_integration_path[] = "usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf";
++  if (!glnx_fstatat_allow_noent (rootfs_dfd, tmpfiles_integration_path, NULL, AT_SYMLINK_NOFOLLOW,
++                                 error))
+     return FALSE;
+   if (errno == 0)
+     return TRUE;
+@@ -446,6 +447,43 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
+   if (!rpmostree_rootfs_postprocess_common (rootfs_dfd, cancellable, error))
+     return FALSE;
+ 
++  g_print ("Adding rpm-ostree-0-integration.conf\n");
++  /* This is useful if we're running in an uninstalled configuration, e.g.
++   * during tests. */
++  const char *pkglibdir_path = g_getenv ("RPMOSTREE_UNINSTALLED_PKGLIBDIR") ?: PKGLIBDIR;
++  glnx_autofd int pkglibdir_dfd = -1;
++
++  if (!glnx_opendirat (AT_FDCWD, pkglibdir_path, TRUE, &pkglibdir_dfd, error))
++    return FALSE;
++
++  if (!glnx_shutil_mkdir_p_at (rootfs_dfd, "usr/lib/tmpfiles.d", 0755, cancellable, error))
++    return FALSE;
++
++  if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration.conf", NULL, rootfs_dfd,
++                          tmpfiles_integration_path,
++                          GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
++                          cancellable, error))
++    return FALSE;
++
++  if (treefile.get_opt_usrlocal () == rpmostreecxx::OptUsrLocal::StateOverlay)
++    {
++      if (!glnx_file_copy_at (
++              pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal-compat.conf", NULL, rootfs_dfd,
++              "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal-compat.conf",
++              GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
++              cancellable, error))
++        return FALSE;
++    }
++  else
++    {
++      if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal.conf", NULL,
++                              rootfs_dfd,
++                              "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal.conf",
++                              GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
++                              cancellable, error))
++        return FALSE;
++    }
++
+   /* Handle kernel/initramfs if we're not doing a container */
+   if (!container)
+     {
+-- 
+2.43.0
+

0001-fix-compose-err.patch

@@ -1,5 +1,16 @@
---- rpm-ostree-2022.16/rust/src/scripts.rs	2022-11-19 01:25:53.000000000 +0800
-+++ rpm-ostree-2022.16-new/rust/src/scripts.rs	2023-02-23 10:51:31.000000000 +0800
+From 4f76ecdf729cad9c6ba0cac2bbaff8c140f01220 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 17 Jan 2024 01:30:02 +0800
+Subject: [PATCH 1/4] fix compose err
+
+---
+ rust/src/scripts.rs | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/rust/src/scripts.rs b/rust/src/scripts.rs
+index 078322a..766c82f 100644
+--- a/rust/src/scripts.rs
++++ b/rust/src/scripts.rs
 @@ -16,6 +16,9 @@ use phf::phf_set;
  ///
  /// NOTE FOR GIT history: This list used to live in src/libpriv/rpmostree-script-gperf.gperf
@@ -10,3 +21,6 @@
      "glibc.prein",
      // We take over depmod/dracut etc.  It's `kernel` in C7 and kernel-core in F25+
      // XXX: we should probably change this to instead ignore based on the kernel virtual Provides
+-- 
+2.33.0
+

0001-passwd-create-etc-g-shadow-with-mode-0.patch

@@ -0,0 +1,83 @@
+From fb2d5dd809bf28b600b0531172da3d3dbe270918 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Tue, 19 Mar 2024 15:20:43 -0400
+Subject: [PATCH 1/2] passwd: create `/etc/[g]shadow` with mode 0
+
+Because of how our composes work, we need to manually inject
+passwd-related things before installing packages. A somewhat recent
+regression in that area made it so that the `/etc/shadow` and
+`/etc/gshadow` files were created with default permissions (0644), which
+meant they were world readable.
+
+Fix this by explicitly setting their modes to 0. Ideally, we would rely
+on the canonical permissions set in the `setup` package here, but it's
+tricky to fix that without reworking how we install `setup` and handle
+`passwd` treefile options.
+
+Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
+`etc/{passwd,group}`").
+
+Fixes #4401
+---
+ rust/src/passwd.rs             | 14 ++++++++++++++
+ tests/compose/libbasic-test.sh |  5 +++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
+index 821497d8..a64f6468 100644
+--- a/rust/src/passwd.rs
++++ b/rust/src/passwd.rs
+@@ -418,6 +418,12 @@ fn write_data_from_treefile(
+     let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
+     let shadow_name = target.shadow_file();
+     let target_shadow_path = format!("{}{}", dest_path, shadow_name);
++    // Ideally these permissions come from `setup`, which is the package
++    // that owns these files:
++    // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
++    // But at this point of the compose, the rootfs is completely empty; we
++    // haven't started unpacking things yet. So we need to hardcode it here.
++    let shadow_perms = cap_std::fs::Permissions::from_mode(0);
+ 
+     match target {
+         PasswdKind::User => {
+@@ -427,6 +433,10 @@ fn write_data_from_treefile(
+                     for user in entries {
+                         writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
+                     }
++                    target_shadow
++                        .get_mut()
++                        .as_file_mut()
++                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+@@ -438,6 +448,10 @@ fn write_data_from_treefile(
+                     for group in entries {
+                         writeln!(target_shadow, "{}:::", group.name)?;
+                     }
++                    target_shadow
++                        .get_mut()
++                        .as_file_mut()
++                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
+index 0a751760..3f7c6d8a 100644
+--- a/tests/compose/libbasic-test.sh
++++ b/tests/compose/libbasic-test.sh
+@@ -22,6 +22,11 @@ validate_passwd group
+ ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
+ assert_file_has_content_literal passwd.txt '00644 '
+ 
++ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
++assert_file_has_content_literal shadow.txt '00000 '
++ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
++assert_file_has_content_literal gshadow.txt '00000 '
++
+ ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
+ assert_file_has_content_literal useradd.txt HOME=/var/home
+ 
+-- 
+2.44.0
+

0002-unit-chmod-etc-g-shadow-to-0000.patch

@@ -0,0 +1,79 @@
+From 0f7016046b833a55c57f9429cab83d185e1b5147 Mon Sep 17 00:00:00 2001
+From: jbtrystram <jbtrystram@redhat.com>
+Date: Thu, 21 Mar 2024 17:27:21 +0100
+Subject: [PATCH 2/2] unit: chmod /etc/[g]shadow[-] to 0000
+
+fdb879c introduced a regression where /etc/[g]shadow[-] files where
+created with default permissions: 0644
+
+This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
+before interactive login is allowed on a system.
+
+This will fix the systems that were deployed with the above issue.
+
+We keep the stamp in /etc to account for the case where a deployment
+with this unit is rolled back. If we used /var, the stamp would have
+stayed but the fix would not be re-applied on the next update.
+---
+ Makefile-daemon.am                            |  1 +
+ packaging/rpm-ostree.spec.in                  |  5 +++++
+ src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
+ 3 files changed, 25 insertions(+)
+ create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
+
+diff --git a/Makefile-daemon.am b/Makefile-daemon.am
+index 4233d90d..f96f49a9 100644
+--- a/Makefile-daemon.am
++++ b/Makefile-daemon.am
+@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
+ 	rpm-ostreed-automatic.service \
+ 	rpm-ostree-bootstatus.service \
+ 	rpm-ostree-countme.service \
++	rpm-ostree-fix-shadow-mode.service \
+ 	$(NULL)
+ 
+ systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
+diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
+index 8aa9afaa..f734f676 100644
+--- a/packaging/rpm-ostree.spec.in
++++ b/packaging/rpm-ostree.spec.in
+@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
+ # Setup rpm-ostree-countme.timer according to presets
+ %post
+ %systemd_post rpm-ostree-countme.timer
++# Only enable on rpm-ostree based systems and manually force unit enablement to
++# explicitly ignore presets for this security fix
++if [ -e /run/ostree-booted ]; then
++    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
++fi
+ 
+ %preun
+ %systemd_preun rpm-ostree-countme.timer
+diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
+new file mode 100644
+index 00000000..4aea7462
+--- /dev/null
++++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
+@@ -0,0 +1,19 @@
++[Unit]
++# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
++# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
++Description=Update permissions for /etc/shadow
++Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
++ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
++ConditionPathExists=/run/ostree-booted
++# Make sure this is started before any unprivileged (interactive) user has access to the system.
++Before=systemd-user-sessions.service
++
++[Service]
++Type=oneshot
++ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
++ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
++ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
++RemainAfterExit=yes
++
++[Install]
++WantedBy=multi-user.target
+-- 
+2.44.0
+

0003-add-for-support-NestOS-kernel.patch

@@ -1,25 +1,25 @@
-From d28c0e475681a124160c0d423ddccc38ea3c0608 Mon Sep 17 00:00:00 2001
-From: wangyueliang <wangyueliang@kylinos.cn>
-Date: Sun, 17 Sep 2023 18:45:22 +0800
-Subject: [PATCH] add for support NestOS kernel
+From 4807c26a992f43ae62e29274f0c0bc0969d2fed7 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 17 Jan 2024 05:58:25 +0800
+Subject: [PATCH 3/4] add for support NestOS kernel
 
 ---
  rust/src/scripts.rs | 2 ++
  1 file changed, 2 insertions(+)
 
 diff --git a/rust/src/scripts.rs b/rust/src/scripts.rs
-index 078322a..08ac7de 100644
+index f7f6e8f..84c6f0d 100644
 --- a/rust/src/scripts.rs
 +++ b/rust/src/scripts.rs
-@@ -23,6 +23,8 @@ static IGNORED_PKG_SCRIPTS: phf::Set<&'static str> = phf_set! {
-     "kernel-core.posttrans",
-     "kernel-debug-core.posttrans",
-     "kernel-automotive-core.posttrans",
+@@ -43,6 +43,8 @@ static IGNORED_PKG_SCRIPTS: phf::Set<&'static str> = phf_set! {
+     "kernel-64k-modules.posttrans",
+     "kernel-64k-debug-core.posttrans",
+     "kernel-64k-debug-modules.posttrans",
 +    // add for support NestOS kernel
 +    "NestOS-kernel.posttrans",
      // Additionally ignore posttrans scripts for the Oracle Linux `kernel-uek` package
      "kernel-uek.posttrans",
      // Legacy workaround
 -- 
-2.25.1
+2.33.0
 

fix-2022.16-build-error.patch

@@ -1,52 +0,0 @@
-diff -uprN rpm-ostree-2022.16/rust/src/client.rs rpm-ostree-2022.16-new/rust/src/client.rs
---- rpm-ostree-2022.16/rust/src/client.rs	2022-11-19 01:25:53.000000000 +0800
-+++ rpm-ostree-2022.16-new/rust/src/client.rs	2023-02-23 14:54:32.000000000 +0800
-@@ -129,6 +129,7 @@ pub(crate) fn is_src_rpm_arg(arg: &str)
- /// descriptors for the content.
- /// TODO(cxx-rs): This would be slightly more elegant as Result<Option<Vec<i32>>>
- #[context("Handling argument {}", arg)]
-+#[allow(unused_variables)]
- pub(crate) fn client_handle_fd_argument(
-     arg: &str,
-     arch: &str,
-@@ -315,13 +316,15 @@ fn is_yes(s: &str) -> bool {
- 
- /// Prompt for confirmation
- pub(crate) fn confirm() -> CxxResult<bool> {
--    let mut stdout = std::io::stdout().lock();
--    let mut stdin = std::io::stdin().lock();
--    write!(stdout, "Continue? [y/N] ")?;
--    stdout.flush()?;
-+    let stdin = std::io::stdin();
-+    let mut stdin_lock = stdin.lock();
-+    let stdout = std::io::stdout();
-+    let mut stdout_lock = stdout.lock();
-+    write!(stdout_lock, "Continue? [y/N] ")?;
-+    stdout_lock.flush()?;
-     let mut resp = String::new();
--    stdin.read_line(&mut resp)?;
--    Ok(is_yes(resp.as_str().trim()))
-+    stdin_lock.read_line(&mut resp)?;
-+    Ok(is_yes(resp.trim()))
- }
- 
- /// Prompt for confirmation, and return an error if not agreed
-diff -uprN rpm-ostree-2022.16/vendor/phf/.cargo-checksum.json rpm-ostree-2022.16-new/vendor/phf/.cargo-checksum.json
---- rpm-ostree-2022.16/vendor/phf/.cargo-checksum.json	2022-11-19 01:41:00.000000000 +0800
-+++ rpm-ostree-2022.16-new/vendor/phf/.cargo-checksum.json	2023-02-23 09:44:32.000000000 +0800
-@@ -1 +1 @@
--{"files":{"CHANGELOG.md":"0e8c35d9be4ea0740abefdf22aac5a3501bc757c5120a106c0160a83b257d78a","Cargo.toml":"5c19e4ee6611b2da953aafa8311690a82cddcff59b07577eec96da3ca1e5a4cf","README.md":"63e1776e08b52979e4ae92f0ccab6c6b86cf5fe643a986f5c130a504cafd6d28","src/lib.rs":"34c7f3a2dc755bfd8246c422708088bc0acf64c8a33cb7bda10c705c4e6f3812","src/map.rs":"db6df0e2465d51b40640bb85cea28a9daca9ff1b0f57a3316608a55fc11879c5","src/ordered_map.rs":"5f849d7c8bea4322911b81a980a9ce988961ccec4029a2254d54ca68aed8cd45","src/ordered_set.rs":"0ed66947623c8a79b1ad2c206ef5a13af701f95c0f36544ab986c9617e2a24a3","src/set.rs":"065a501930c4667877168b99aeca00007dd222865bafc26451cbc9fdf08ad7e6"},"package":"928c6535de93548188ef63bb7c4036bd415cd8f36ad25af44b9789b2ee72a48c"}
-\ No newline at end of file
-+{"files":{"CHANGELOG.md":"0e8c35d9be4ea0740abefdf22aac5a3501bc757c5120a106c0160a83b257d78a","Cargo.toml":"5d336ed218103113a13c4ab33a87e44d312a3d63dd5f6de7317955870d205f8d","README.md":"63e1776e08b52979e4ae92f0ccab6c6b86cf5fe643a986f5c130a504cafd6d28","src/lib.rs":"34c7f3a2dc755bfd8246c422708088bc0acf64c8a33cb7bda10c705c4e6f3812","src/map.rs":"db6df0e2465d51b40640bb85cea28a9daca9ff1b0f57a3316608a55fc11879c5","src/ordered_map.rs":"5f849d7c8bea4322911b81a980a9ce988961ccec4029a2254d54ca68aed8cd45","src/ordered_set.rs":"0ed66947623c8a79b1ad2c206ef5a13af701f95c0f36544ab986c9617e2a24a3","src/set.rs":"065a501930c4667877168b99aeca00007dd222865bafc26451cbc9fdf08ad7e6"},"package":"928c6535de93548188ef63bb7c4036bd415cd8f36ad25af44b9789b2ee72a48c"}
-\ No newline at end of file
-diff -uprN rpm-ostree-2022.16/vendor/phf/Cargo.toml rpm-ostree-2022.16-new/vendor/phf/Cargo.toml
---- rpm-ostree-2022.16/vendor/phf/Cargo.toml	2022-11-19 01:41:00.000000000 +0800
-+++ rpm-ostree-2022.16-new/vendor/phf/Cargo.toml	2023-02-23 09:40:29.221890304 +0800
-@@ -51,6 +51,6 @@ macros = ["phf_macros"]
- std = ["phf_shared/std"]
- uncased = ["phf_shared/uncased"]
- unicase = [
--    "phf_macros?/unicase",
-+    "phf_macros/unicase",
-     "phf_shared/unicase",
- ]

fix-CVE-2024-2905.patch

@@ -0,0 +1,108 @@
+From beda4a034469d2838114b955eede97591809e915 Mon Sep 17 00:00:00 2001
+From: chendexi <chendexi@kylinos.cn>
+Date: Wed, 10 Apr 2024 16:45:48 +0800
+Subject: [PATCH] fix-CVE-2024-2905
+
+---
+ Makefile-daemon.am                            |  1 +
+ rust/src/passwd.rs                            | 14 ++++++++++++++
+ src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
+ tests/compose/libbasic-test.sh                |  5 +++++
+ 4 files changed, 39 insertions(+)
+ create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
+
+diff --git a/Makefile-daemon.am b/Makefile-daemon.am
+index 4233d90..da14e71 100644
+--- a/Makefile-daemon.am
++++ b/Makefile-daemon.am
+@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
+ 	rpm-ostreed-automatic.service \
+ 	rpm-ostree-bootstatus.service \
+ 	rpm-ostree-countme.service \
++        rpm-ostree-fix-shadow-mode.service \
+ 	$(NULL)
+ 
+ systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
+diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
+index 100c29f..08b67f7 100644
+--- a/rust/src/passwd.rs
++++ b/rust/src/passwd.rs
+@@ -420,6 +420,12 @@ fn write_data_from_treefile(
+     let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
+     let shadow_name = target.shadow_file();
+     let target_shadow_path = format!("{}{}", dest_path, shadow_name);
++    // Ideally these permissions come from `setup`, which is the package
++    // that owns these files:
++    // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
++    // But at this point of the compose, the rootfs is completely empty; we
++    // haven't started unpacking things yet. So we need to hardcode it here.
++    let shadow_perms = cap_std::fs::Permissions::from_mode(0);
+ 
+     match target {
+         PasswdKind::User => {
+@@ -429,6 +435,10 @@ fn write_data_from_treefile(
+                     for user in entries {
+                         writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
+                     }
++                    target_shadow
++                        .get_mut()
++                        .as_file_mut()
++                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+@@ -440,6 +450,10 @@ fn write_data_from_treefile(
+                     for group in entries {
+                         writeln!(target_shadow, "{}:::", group.name)?;
+                     }
++                    target_shadow
++                        .get_mut()
++                        .as_file_mut()
++                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
+new file mode 100644
+index 0000000..4aea746
+--- /dev/null
++++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
+@@ -0,0 +1,19 @@
++[Unit]
++# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
++# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
++Description=Update permissions for /etc/shadow
++Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
++ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
++ConditionPathExists=/run/ostree-booted
++# Make sure this is started before any unprivileged (interactive) user has access to the system.
++Before=systemd-user-sessions.service
++
++[Service]
++Type=oneshot
++ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
++ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
++ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
++RemainAfterExit=yes
++
++[Install]
++WantedBy=multi-user.target
+diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
+index 78ad72b..df790e8 100644
+--- a/tests/compose/libbasic-test.sh
++++ b/tests/compose/libbasic-test.sh
+@@ -22,6 +22,11 @@ validate_passwd group
+ ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
+ assert_file_has_content_literal passwd.txt '00644 '
+ 
++ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
++assert_file_has_content_literal shadow.txt '00000 '
++ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
++assert_file_has_content_literal gshadow.txt '00000 '
++
+ ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
+ assert_file_has_content_literal useradd.txt HOME=/var/home
+ 
+-- 
+2.25.1
+

fix-compose-error-for-selinux.patch

@@ -1,30 +0,0 @@
-From 9ef3d30d9b5c6c8dd8fe72d7aaad499fcda6192a Mon Sep 17 00:00:00 2001
-From: wangyueliang <wangyueliang@kylinos.cn>
-Date: Mon, 18 Sep 2023 17:29:08 +0800
-Subject: [PATCH] fix compose error for selinux
-
----
- src/libpriv/rpmostree-postprocess.cxx | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
-index bfadaa7..668b06e 100644
---- a/src/libpriv/rpmostree-postprocess.cxx
-+++ b/src/libpriv/rpmostree-postprocess.cxx
-@@ -395,13 +395,6 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
-                     error);
-       }
- 
--      /* Temporary workaround for https://github.com/openshift/os/issues/1036. */
--      {
--        rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-n"),
--                                 rust::String ("--rebuild-if-modules-changed") };
--        ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
--                    error);
--      }
-     }
- 
-   auto container = treefile.get_container ();
--- 
-2.25.1
-

rpm-ostree.spec

@@ -1,46 +1,137 @@
-%bcond_without rust
-%global __requires_exclude ^libdnf[.]so[.].*$
-%global __provides_exclude_from ^%{_libdir}/%{name}/.*$
+Name:       rpm-ostree
+Version:    2024.4
+Release:    2
+Summary:    Hybrid image/package system
+License:    LGPL-2.0-or-later
+URL:        https://github.com/coreos/rpm-ostree
+Source0:    https://github.com/coreos/rpm-ostree/releases/download/v%{version}/%{name}-%{version}.tar.xz
+#Fix missing patch in rpm-ostree.src.rpm
+Source1:    0001-add-loongarch64-support-not-upstream-modified-files.patch
+Source2:    0002-add-sw_64-support-not-upstream-modified-files.patch
 
-Name:		rpm-ostree
-Version:	2022.16
-Release:	3
-Summary:	Hybrid image/package system
-License:	Apache-2.0 or MIT and GPL-2.0-or-later and LGPL-2.0-or-later
-URL:		https://github.com/coreos/rpm-ostree
-Source0:	https://github.com/coreos/rpm-ostree/releases/download/v%{version}/%{name}-%{version}.tar.xz
-Patch0:         fix-compose-err.patch
-Patch1:         fix-2022.16-build-error.patch
-Patch2:         add-for-support-NestOS-kernel.patch
-Patch3:         fix-compose-error-for-selinux.patch
-%if %{with rust}
+Patch0:     0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch
+Patch1:     0001-passwd-create-etc-g-shadow-with-mode-0.patch
+Patch2:     0002-unit-chmod-etc-g-shadow-to-0000.patch
+Patch3:     0001-fix-compose-err.patch
+Patch4:     0003-add-for-support-NestOS-kernel.patch
 
 %if !%{defined rust_arches}
-%define rust_arches x86_64 i686 armv7hl aarch64 ppc64 ppc64le s390x riscv64
-%endif 
+%define rust_arches x86_64 i686 armv7hl aarch64 ppc64 ppc64le s390x riscv64 loongarch64 sw_64
+%endif
 
 ExclusiveArch: %{rust_arches}
 
-%if %{defined rusttoolset_version}
-BuildRequires: %{rusttoolset_version}-cargo
-%else
-BuildRequires:	 cargo 
+%ifarch loongarch64
+Patch5:  0001-add-loongarch64-support-not-upstream-modified-files.patch
 %endif
 
+%ifarch sw_64
+Patch6:  0002-add-sw_64-support-not-upstream-modified-files.patch
 %endif
 
-BuildRequires:   /usr/bin/python3 autoconf automake libtool git chrpath libattr-devel 
-BuildRequires:   gtk-doc gperf gnome-common /usr/bin/g-ir-scanner ostree-devel cmake
-BuildRequires:   polkit-devel json-glib-devel rpm-devel libarchive-devel systemd-devel 
-BuildRequires:   libcap-devel libcurl-devel librepo-devel expat-devel check-devel 
-BuildRequires:   pkgconfig(libsolv) gcc gcc-c++
-BuildRequires:   chrpath jq glib2-devel sqlite-devel json-c-devel cppunit-devel
-BuildRequires:   libmodulemd-devel libsmartcols-devel gettext gpgme-devel make
+BuildRequires: make
+BuildRequires: rust-packaging
+BuildRequires: cargo
+BuildRequires: rust
 
-Requires:	 ostree bubblewrap fuse 
+# Enable ASAN + UBSAN
+%bcond_with sanitizers
+# Embedded unit tests
+%bcond_with bin_unit_tests
 
-Provides:        rpm-ostree-libs = %{version}-%{release}
-Obsoletes:       rpm-ostree-libs < %{version}-%{release}
+%bcond_with zchunk
+
+# For the autofiles bits below
+BuildRequires: python3-devel
+# We always run autogen.sh
+BuildRequires: autoconf automake libtool git
+# For docs
+BuildRequires: chrpath
+BuildRequires: gtk-doc
+BuildRequires: /usr/bin/g-ir-scanner
+# Core requirements
+# One way to check this: `objdump -p /path/to/rpm-ostree | grep LIBOSTREE` and pick the highest (though that might miss e.g. new struct members)
+BuildRequires: pkgconfig(ostree-1) >= 2023.7
+BuildRequires: pkgconfig(polkit-gobject-1)
+BuildRequires: pkgconfig(json-glib-1.0)
+BuildRequires: pkgconfig(rpm) >= 4.16.0
+BuildRequires: pkgconfig(libarchive)
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: libcap-devel
+BuildRequires: libattr-devel
+
+# We currently interact directly with librepo (libdnf below also pulls it in,
+# but duplicating to be clear)
+BuildRequires: pkgconfig(librepo)
+
+# Needed by curl-rust
+BuildRequires: pkgconfig(libcurl)
+
+BuildRequires: cmake
+BuildRequires: pkgconfig(expat)
+BuildRequires: pkgconfig(check)
+
+# We use some libsolv types directly too (libdnf below also pulls it in,
+# but duplicating to be clear)
+BuildRequires: pkgconfig(libsolv)
+
+# These are build deps which aren't strictly required in Koji/Brew builds, but
+# are required for git builds. Since they're few and tiny, we just add it here
+# to keep it part of `dnf builddep`.
+BuildRequires: jq
+
+#########################################################################
+#                         libdnf build deps                             #
+#                                                                       #
+# Copy/pasted from libdnf/libdnf.spec. Removed the irrelevant bits like #
+# valgrind, rhsm, swig, python, and sanitizer stuff.                    #
+#########################################################################
+
+%global libsolv_version 0.7.21
+%global libmodulemd_version 2.13.0
+%global librepo_version 1.13.1
+
+BuildRequires:  cmake
+BuildRequires:  gcc
+BuildRequires:  gcc-c++
+BuildRequires:  libsolv-devel >= %{libsolv_version}
+BuildRequires:  pkgconfig(librepo) >= %{librepo_version}
+BuildRequires:  pkgconfig(check)
+BuildRequires:  pkgconfig(gio-unix-2.0) >= 2.50.0
+BuildRequires:  pkgconfig(gtk-doc)
+BuildRequires:  rpm-devel >= 4.16.0
+%if %{with zchunk}
+BuildRequires:  pkgconfig(zck) >= 0.9.11
+%endif
+BuildRequires:  pkgconfig(sqlite3)
+BuildRequires:  pkgconfig(json-c)
+BuildRequires:  pkgconfig(cppunit)
+BuildRequires:  pkgconfig(modulemd-2.0) >= %{libmodulemd_version}
+BuildRequires:  pkgconfig(smartcols)
+BuildRequires:  gettext
+BuildRequires:  gpgme-devel
+
+Requires:       libmodulemd%{?_isa} >= %{libmodulemd_version}
+Requires:       libsolv%{?_isa} >= %{libsolv_version}
+Requires:       librepo%{?_isa} >= %{librepo_version}
+
+#########################################################################
+#                     end of libdnf build deps                          #
+#########################################################################
+
+# For now...see https://github.com/projectatomic/rpm-ostree/pull/637
+# and https://github.com/fedora-infra/fedmsg-atomic-composer/pull/17
+# etc.  We'll drop this dependency at some point in the future when
+# rpm-ostree wraps more of ostree (such as `ostree admin unlock` etc.)
+Requires: ostree
+Requires: bubblewrap
+Requires: fuse
+
+# For container functionality
+# https://github.com/coreos/rpm-ostree/issues/3286
+Requires: skopeo
+
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 %description
 rpm-ostree is a hybrid image/package system.  It supports
@@ -50,73 +141,127 @@ Additionally, unlike many "pure" image systems, with rpm-ostree
 each client system can layer on additional packages, providing
 a "best of both worlds" approach.
 
-%package         devel
-Summary:         Header files for rpm-ostree
-Requires:        %{name} = %{version}-%{release}
+%package libs
+Summary: Shared library for %{name}
 
-%description     devel
-Header files for rpm-ostree.
+%description libs
+The %{name}-libs package includes the shared library for %{name}.
 
-%package_help
+%package devel
+Summary: Development headers for %{name}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package includes the header files for %{name}-libs.
 
 %prep
-%autosetup -n %{name}-%{version} -p1
+%autosetup -Sgit -n %{name}-%{version} -p1
+%if 0%{?__isa_bits} == 32
+sed -ie 's,^lto = true,lto = false,' Cargo.toml
+%endif
 
 %build
-%{?rusttoolset} env NOCONFIGURE=1 ./autogen.sh
-%configure --disable-silent-rules --enable-gtk-doc \
-           %{?with_rust:--enable-rust}
+env NOCONFIGURE=1 ./autogen.sh
+# Since we're hybrid C++/Rust we need to propagate this manually;
+# the %%configure macro today assumes (reasonably) that one is building
+# C/C++ and sets C{,XX}FLAGS
+%if 0%{?build_rustflags:1}
+export RUSTFLAGS="%{build_rustflags}"
+%endif
+%configure --disable-silent-rules --enable-gtk-doc %{?rpmdb_default} %{?with_sanitizers:--enable-sanitizers} %{?with_bin_unit_tests:--enable-bin-unit-tests}
 
-%{?rusttoolset} %make_build
+%make_build
 
 %install
-%{?rusttoolset}  %make_install INSTALL="install -p -c"
-%delete_la 
+%make_install INSTALL="install -p -c"
+find $RPM_BUILD_ROOT -name '*.la' -delete
 
-chrpath -d %{buildroot}%{_libdir}/librpmostree-1.so.1.0.0
-chrpath -d %{buildroot}%{_bindir}/rpm-ostree
+cat > autofiles.py <<EOF
+import os,sys,glob
+os.chdir(os.environ['RPM_BUILD_ROOT'])
+for line in sys.argv[1:]:
+    if line == '':
+        break
+    if line[0] != '/':
+        sys.stdout.write(line + '\n')
+    else:
+        files = glob.glob(line[1:])
+        if len(files) > 0:
+            sys.stderr.write('{0} matched {1} files\n'.format(line, len(files)))
+            sys.stdout.write(line + '\n')
+        else:
+            sys.stderr.write('{0} did not match any files\n'.format(line))
+EOF
+PYTHON=python3
+if ! test -x /usr/bin/python3; then
+    PYTHON=python2
+fi
+$PYTHON autofiles.py > files \
+  '%{_bindir}/*' \
+  '%{_libdir}/%{name}' \
+  '%{_mandir}/man*/*' \
+  '%{_datadir}/dbus-1/system.d/*' \
+  '%{_sysconfdir}/rpm-ostreed.conf' \
+  '%{_prefix}/lib/systemd/system/*' \
+  '%{_libexecdir}/rpm-ostree*' \
+  '%{_libexecdir}/libostree/ext/*' \
+  '%{_datadir}/polkit-1/actions/*.policy' \
+  '%{_datadir}/dbus-1/system-services/*' \
+  '%{_datadir}/bash-completion/completions/*'
 
-mkdir -p %{buildroot}/etc/ld.so.conf.d
-echo "%{_libdir}/%{name}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
+$PYTHON autofiles.py > files.lib \
+  '%{_libdir}/*.so.*' \
+  '%{_libdir}/girepository-1.0/*.typelib'
 
-%ldconfig_scriptlets
+$PYTHON autofiles.py > files.devel \
+  '%{_libdir}/lib*.so' \
+  '%{_includedir}/*' \
+  '%{_datadir}/dbus-1/interfaces/org.projectatomic.rpmostree1.xml' \
+  '%{_libdir}/pkgconfig/*' \
+  '%{_datadir}/gtk-doc/html/*' \
+  '%{_datadir}/gir-1.0/*-1.0.gir'
 
-install -d -m 0755 %{buildroot}/etc/dbus-1/system.d/
-install -pm 0644 src/daemon/org.projectatomic.rpmostree1.conf %{buildroot}/etc/dbus-1/system.d/
+# Setup rpm-ostree-countme.timer according to presets
+%post
+%systemd_post rpm-ostree-countme.timer
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
+fi
 
-%files
-%defattr(-,root,root)
-%doc README.md
-%license COPYING.*
-%{_bindir}/*
-%{_sysconfdir}/dbus-1/system.d/*
-%{_sysconfdir}/rpm-ostreed.conf
-%{_libdir}/*.so.*
-%{_libdir}/rpm-ostree/*
-%{_libdir}/girepository-1.0/*
-%{_libexecdir}/rpm-ostree*
-%{_libexecdir}/libostree/*
-%{_prefix}/lib/systemd/system/*
-%{_datadir}/dbus-1/system-services
-%{_datadir}/polkit-1/actions/*.policy
-%{_datadir}/dbus-1/system.d/org.projectatomic.rpmostree1.conf
-%{_datadir}/bash-completion/completions/rpm-ostree
-%config(noreplace) /etc/ld.so.conf.d/*
+%preun
+%systemd_preun rpm-ostree-countme.timer
 
-%files       devel
-%defattr(-,root,root)
-%{_libdir}/*.so
-%{_includedir}/*
-%{_libdir}/pkgconfig/*
-%{_datadir}/gtk-doc/html/*
-%{_datadir}/gir-1.0/*-1.0.gir
-%{_datadir}/dbus-1/interfaces/org.projectatomic.rpmostree1.xml
+%postun
+%systemd_postun_with_restart rpm-ostree-countme.timer
 
-%files       help
-%defattr(-,root,root)
-%{_mandir}/man*/*
+%files -f files
+%doc COPYING.GPL COPYING.LGPL LICENSE README.md
+
+%files libs -f files.lib
+
+%files devel -f files.devel
 
 %changelog
+* Mon May 27 2024 yueyuankun <yueyuankun@kylinos.cn> - 2024.4-2
+- Fix missing patch in source code package
+
+* Mon Apr 22 2024 lijian <lijian2@kylinos.cn> - 2024.4-1
+- Update to 2024.4
+
+* Wed Apr 10 2024 chendexi <chendexi@kylinos.cn> - 2023.7-2
+- Synchronize upstream spec file modifications
+- Fix CVE-2024-2905
+
+* Wed Feb 21 2024 chendexi <chendexi@kylinos.cn> - 2023.7-1
+- update to 2023.7
+
+* Fri Oct 13 2023 wangyueliang <wangyueliang@kylinos.cn> - 2022.16-4
+- merge feature from branch openEuler-22.03-LTS-SP1：
+- DESC: add loongarch64 and sw_64 support
+- AUTHOR: panchenbo <panchenbo@kylinsec.com.cn>
+
 * Mon Sep 18 2023 wangyueliang <wangyueliang@kylinos.cn> - 2022.16-3
 - fix compose error for selinux.
 - add-for-support-NestOS-kernel.