packages/rpm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add Don-t-add-dist-to-release-if-it-is-already-there.patch and modify Add-digest-list-plugin.patch

Browse Source
This commit is contained in:
Roberto Sassu 2020-07-24 00:06:48 +02:00
parent e3018fd4d0
commit 4423f52830
3 changed files with 241 additions and 220 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

415
Add-digest-list-plugin.patch
View File

@ -1,13 +1,15 @@
From fa0b33ce1ff569ab55b46cdbcc47f2da6db3fb1a Mon Sep 17 00:00:00 2001
From c3b5c61440a40b4a159e050e25f4b3736f7d0343 Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Wed, 26 Feb 2020 15:54:24 +0100
Subject: [PATCH 2/2] Add digest list plugin
Subject: [PATCH 2/3] Add digest list plugin
---
macros.in | 1 +
plugins/Makefile.am | 4 +
plugins/digest_list.c | 534 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 539 insertions(+)
plugins/digest_list.c | 495 ++++++++++++++++++++++++++++++++++++++++++
rpmio/digest.h | 1 +
rpmio/rpmpgp.c | 3 +
5 files changed, 504 insertions(+)
create mode 100644 plugins/digest_list.c
diff --git a/macros.in b/macros.in
@ -36,18 +38,21 @@ index d4ef039ed..07aa3585b 100644
+plugins_LTLIBRARIES += digest_list.la
diff --git a/plugins/digest_list.c b/plugins/digest_list.c
new file mode 100644
index 000000000..62aae06dd
index 000000000..227ce141e
--- /dev/null
+++ b/plugins/digest_list.c
@@ -0,0 +1,534 @@
@@ -0,0 +1,495 @@
+#include "system.h"
+#include "errno.h"
+
+#include <rpm/rpmlog.h>
+#include <rpm/rpmts.h>
+#include <rpm/header.h>
+#include <rpmio/digest.h>
+#include <rpmio/rpmpgp.h>
+#include <rpm/rpmfileutil.h>
+#include "lib/rpmplugin.h"
+#include <netinet/in.h>
+#include <sys/stat.h>
+#include <openssl/sha.h>
+#include <sys/xattr.h>
@ -63,7 +68,6 @@ index 000000000..62aae06dd
+#define DIGEST_LIST_COUNT IMA_DIR "/digests_count"
+#define DIGEST_LIST_DEFAULT_PATH "/etc/ima/digest_lists"
+#define RPM_PARSER "/usr/libexec/rpm_parser"
+#define WRITE_RPM_PGP_SIG "/usr/bin/write_rpm_pgp_sig"
+
+#define DIGEST_LIST_OP_ADD 0
+#define DIGEST_LIST_OP_DEL 1
@ -90,24 +94,14 @@ index 000000000..62aae06dd
+ HASH_ALGO__LAST
+};
+
+enum pgp_hash_algo {
+ PGP_HASH_MD5 = 1,
+ PGP_HASH_SHA1 = 2,
+ PGP_HASH_RIPE_MD_160 = 3,
+ PGP_HASH_SHA256 = 8,
+ PGP_HASH_SHA384 = 9,
+ PGP_HASH_SHA512 = 10,
+ PGP_HASH_SHA224 = 11,
+ PGP_HASH__LAST
+};
+
+enum hash_algo pgp_algo_mapping[PGP_HASH__LAST] = {
+ [PGP_HASH_MD5] = HASH_ALGO_MD5,
+ [PGP_HASH_SHA1] = HASH_ALGO_SHA1,
+ [PGP_HASH_SHA224] = HASH_ALGO_SHA224,
+ [PGP_HASH_SHA256] = HASH_ALGO_SHA256,
+ [PGP_HASH_SHA384] = HASH_ALGO_SHA384,
+ [PGP_HASH_SHA512] = HASH_ALGO_SHA512,
+#define PGPHASHALGO__LAST PGPHASHALGO_SHA224 + 1
+enum hash_algo pgp_algo_mapping[PGPHASHALGO__LAST] = {
+ [PGPHASHALGO_MD5] = HASH_ALGO_MD5,
+ [PGPHASHALGO_SHA1] = HASH_ALGO_SHA1,
+ [PGPHASHALGO_SHA224] = HASH_ALGO_SHA224,
+ [PGPHASHALGO_SHA256] = HASH_ALGO_SHA256,
+ [PGPHASHALGO_SHA384] = HASH_ALGO_SHA384,
+ [PGPHASHALGO_SHA512] = HASH_ALGO_SHA512,
+};
+
+/* from integrity.h */
@ -135,19 +129,21 @@ index 000000000..62aae06dd
+ uint8_t sig[0]; /* signature payload */
+} __attribute__((packed));
+
+static int disable_plugin;
+
+static int upload_digest_list(char *path, int type, int digest_list_signed)
+{
+ size_t size;
+ char buf[21];
+ const char *ima_path = DIGEST_LIST_DATA_PATH;
+ struct stat st;
+ pid_t pid;
+ int ret = 0, fd;
+
+ if (type == TR_REMOVED)
+ ima_path = DIGEST_LIST_DATA_DEL_PATH;
+
+ if (stat(ima_path, &st) == -1)
+ return 0;
+
+ /* First determine if kernel interface can accept new digest lists */
+ fd = open(DIGEST_LIST_COUNT, O_RDONLY);
+ if (fd < 0) {
@ -215,93 +211,6 @@ index 000000000..62aae06dd
+ return ret;
+}
+
+static int add_ima_xattr(const char *path, int algo,
+ const unsigned char *digest, int digest_len)
+{
+ struct evm_ima_xattr_data ima_xattr;
+ int ret;
+
+ ima_xattr.type = IMA_XATTR_DIGEST_NG;
+ ima_xattr.digest[0] = pgp_algo_mapping[algo];
+ memcpy(&ima_xattr.digest[1], digest, digest_len);
+
+ ret = lsetxattr(path, XATTR_NAME_IMA, (uint8_t *)&ima_xattr,
+ digest_len + 2, 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully "
+ "applied on '%s'\n", path);
+ return ret;
+}
+
+static int add_evm_digest_list_xattr(const char *path, int algo)
+{
+ struct signature_v2_hdr hdr;
+ int ret;
+
+ hdr.type = EVM_IMA_XATTR_DIGEST_LIST,
+ hdr.version = 2;
+ hdr.hash_algo = pgp_algo_mapping[algo];
+
+ ret = lsetxattr(path, XATTR_NAME_EVM, (uint8_t *)&hdr,
+ offsetof(struct signature_v2_hdr, keyid), 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.evm "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.evm successfully "
+ "applied on '%s'\n", path);
+ return ret;
+}
+
+static int add_evm_xattr(char *path, char *path_sig)
+{
+ unsigned char sig[2048];
+ size_t sig_len;
+ struct stat st;
+ int ret, fd;
+
+ if (stat(path_sig, &st) == -1)
+ return -EACCES;
+
+ if (st.st_size > sizeof(sig)) {
+ rpmlog(RPMLOG_ERR, "digest_list: signature in %s too big\n",
+ path);
+ return -ENOMEM;
+ }
+
+ fd = open(path_sig, O_RDONLY);
+ if (fd < 0) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not open '%s': %s\n",
+ path_sig, strerror(errno));
+ return -EACCES;
+ }
+
+ sig_len = read(fd, sig, sizeof(sig));
+ if (sig_len != st.st_size) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not read '%s': %s\n",
+ path_sig, strerror(errno));
+ ret = -EIO;
+ goto out;
+ }
+
+ rpmlog(RPMLOG_DEBUG, "digest_list: read signature of %ld bytes from "
+ "'%s'\n", sig_len, path_sig);
+
+ ret = lsetxattr(path, XATTR_NAME_EVM, sig, sig_len, 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.evm "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.evm successfully "
+ "applied on '%s'\n", path);
+out:
+ close(fd);
+ return ret;
+}
+
+static int write_rpm_digest_list(rpmte te, char *path)
+{
+ FD_t fd;
@ -337,49 +246,164 @@ index 000000000..62aae06dd
+ return ret;
+}
+
+static int write_rpm_digest_list_sig(rpmte te, char *rpm_path, char *sig_path)
+static int write_rpm_digest_list_ima_xattr(rpmte te, char *path)
+{
+ rpmtd signature;
+ ssize_t written;
+ uint8_t sig[2048] = { 0 };
+ pgpDigParams sigp = NULL;
+ struct signature_v2_hdr *sig_hdr = (struct signature_v2_hdr *)sig;
+ Header rpm = rpmteHeader(te);
+ FD_t fd;
+ pid_t pid;
+ int ret = 0;
+ int ret = 0, sig_size, sig_size_rounded;
+
+ signature = rpmtdNew();
+ headerGet(rpm, RPMTAG_RSAHEADER, signature, 0);
+ if (!signature->count)
+ goto out;
+ ret = pgpPrtParams(signature->data, signature->count,
+ PGPTAG_SIGNATURE, &sigp);
+
+ fd = Fopen(sig_path, "w.ufdio");
+ if (ret) {
+ ret = -ENOENT;
+ goto out;
+ }
+
+ fd = Fopen(path, "a.ufdio");
+ if (fd == NULL || Ferror(fd)) {
+ ret = -EACCES;
+ goto out;
+ }
+
+ written = Fwrite(signature->data, sizeof(uint8_t),
+ signature->count, fd);
+ if (written != signature->count || Ferror(fd)) {
+ written = Fwrite(sigp->hash, sizeof(uint8_t),
+ sigp->hashlen, fd);
+ if (written != sigp->hashlen || Ferror(fd)) {
+ ret = -EIO;
+ Fclose(fd);
+ goto out_unlink;
+ goto out;
+ }
+
+ if (sigp->version == 4) {
+ /* V4 trailer is six octets long (rfc4880) */
+ uint8_t trailer[6];
+ uint32_t nb = sigp->hashlen;
+ nb = htonl(nb);
+ trailer[0] = sigp->version;
+ trailer[1] = 0xff;
+ memcpy(trailer+2, &nb, 4);
+
+ written = Fwrite(trailer, sizeof(uint8_t), sizeof(trailer), fd);
+ if (written != sizeof(trailer) || Ferror(fd)) {
+ ret = -EIO;
+ goto out;
+ }
+ }
+
+ Fclose(fd);
+
+ if ((pid = fork()) == 0) {
+ execlp(WRITE_RPM_PGP_SIG, WRITE_RPM_PGP_SIG,
+ rpm_path, sig_path, NULL);
+ _exit(EXIT_FAILURE);
+ sig_hdr->type = EVM_IMA_XATTR_DIGSIG;
+ sig_hdr->version = 2;
+ sig_hdr->hash_algo = pgp_algo_mapping[sigp->hash_algo];
+ memcpy((void *)&sig_hdr->keyid, sigp->signid + sizeof(uint32_t),
+ sizeof(uint32_t));
+
+ sig_size = (pgpMpiBits(sigp->data) + 7) >> 3;
+ if (sizeof(sig_hdr) + sig_size > sizeof(sig)) {
+ rpmlog(RPMLOG_ERR,
+ "digest_list: signature in %s too big\n", path);
+ ret = -E2BIG;
+ goto out;
+ }
+
+ waitpid(pid, &ret, 0);
+ if (ret != 0)
+ rpmlog(RPMLOG_ERR, "digest_list: %s returned %d\n",
+ WRITE_RPM_PGP_SIG, ret);
+out_unlink:
+ unlink(sig_path);
+ sig_size_rounded = ((sig_size + 7) >> 3) * 8;
+ sig_hdr->sig_size = __cpu_to_be16(sig_size_rounded);
+
+ memcpy(sig_hdr->sig + sig_size_rounded - sig_size,
+ (uint8_t *)sigp->data + 2, sig_size);
+
+ ret = lsetxattr(path, XATTR_NAME_IMA,
+ sig, sizeof(*sig_hdr) + sig_size_rounded, 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully "
+ "applied on '%s'\n", path);
+out:
+ pgpDigParamsFree(sigp);
+ rpmtdFree(signature);
+ return ret;
+}
+
+static int write_digest_list_ima_xattr(rpmte te, char *path, char *path_sig)
+{
+ rpmtd signature;
+ uint8_t sig[2048] = { 0 };
+ pgpDigParams sigp = NULL;
+ struct signature_v2_hdr *sig_hdr = (struct signature_v2_hdr *)sig;
+ Header rpm = rpmteHeader(te);
+ FD_t fd;
+ struct stat st;
+ int ret = 0, sig_size;
+
+ signature = rpmtdNew();
+ headerGet(rpm, RPMTAG_RSAHEADER, signature, 0);
+ ret = pgpPrtParams(signature->data, signature->count,
+ PGPTAG_SIGNATURE, &sigp);
+
+ if (ret) {
+ ret = -ENOENT;
+ goto out;
+ }
+
+ sig_hdr->type = EVM_IMA_XATTR_DIGSIG;
+ sig_hdr->version = 2;
+ sig_hdr->hash_algo = HASH_ALGO_SHA256;
+ memcpy((void *)&sig_hdr->keyid, sigp->signid + sizeof(uint32_t),
+ sizeof(uint32_t));
+
+ if (stat(path_sig, &st) == -1) {
+ ret = -EACCES;
+ goto out;
+ }
+
+ if (sizeof(sig_hdr) + st.st_size > sizeof(sig)) {
+ rpmlog(RPMLOG_ERR, "digest_list: signature in %s too big\n",
+ path);
+ ret = -E2BIG;
+ goto out;
+ }
+
+ fd = Fopen(path_sig, "r.ufdio");
+ if (fd < 0) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not open '%s': %s\n",
+ path_sig, strerror(errno));
+ ret = -EACCES;
+ goto out;
+ }
+
+ sig_size = Fread(sig_hdr->sig, sizeof(uint8_t), st.st_size, fd);
+ if (sig_size != st.st_size || Ferror(fd)) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not read '%s': %s\n",
+ path_sig, strerror(errno));
+ Fclose(fd);
+ ret = -EIO;
+ goto out;
+ }
+
+ sig_hdr->sig_size = __cpu_to_be16(sig_size);
+
+ rpmlog(RPMLOG_DEBUG,
+ "digest_list: read signature of %d bytes from '%s'\n",
+ sig_size, path_sig);
+
+ ret = lsetxattr(path, XATTR_NAME_IMA,
+ sig, sizeof(*sig_hdr) + sig_size, 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully "
+ "applied on '%s'\n", path);
+out:
+ pgpDigParamsFree(sigp);
+ rpmtdFree(signature);
+ return ret;
+}
@ -414,16 +438,8 @@ index 000000000..62aae06dd
+ DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te),
+ rpmteR(te), rpmteA(te));
+
+ if (!stat(path_sig, &st)) {
+ if (!stat(path_sig, &st))
+ digest_list_signed = 1;
+ } else {
+ if (stat(WRITE_RPM_PGP_SIG, &st) == -1 ||
+ stat(RPM_PARSER, &st) == -1) {
+ rpmlog(RPMLOG_DEBUG, "digest_list: "
+ "digest-list-tools not installed\n");
+ goto out;
+ }
+ }
+
+ if (parser)
+ snprintf(path, PATH_MAX, "%s/0-parser_list-compact-libexec",
@ -437,16 +453,12 @@ index 000000000..62aae06dd
+ if (stat(path, &st) == -1)
+ goto out;
+
+ if (!parser && !digest_list_signed) {
+ if (!parser && !digest_list_signed)
+ snprintf(path, PATH_MAX, "%s/0-metadata_list-rpm-%s-%s-%s.%s",
+ DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te),
+ rpmteR(te), rpmteA(te));
+
+ /* RPM digest lists don't have security.evm */
+ size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0);
+ } else {
+ size = lgetxattr(path, XATTR_NAME_EVM, NULL, 0);
+ }
+ size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0);
+
+ /* Don't upload again if digest list was already processed */
+ if ((rpmteType(te) == TR_ADDED && size > 0) ||
@ -466,13 +478,14 @@ index 000000000..62aae06dd
+ }
+
+ /* Write RPM header sig to security.ima */
+ ret = write_rpm_digest_list_sig(te, path, path_sig);
+ if (ret < 0) {
+ ret = RPMRC_FAIL;
+ goto out;
+ }
+ ret = write_rpm_digest_list_ima_xattr(te, path);
+ } else {
+ add_evm_xattr(path, path_sig);
+ ret = write_digest_list_ima_xattr(te, path, path_sig);
+ }
+
+ if (ret < 0) {
+ ret = RPMRC_FAIL;
+ goto out;
+ }
+ }
+
@ -501,18 +514,6 @@ index 000000000..62aae06dd
+
+static rpmRC digest_list_psm_pre(rpmPlugin plugin, rpmte te)
+{
+ struct stat st;
+
+ if (disable_plugin)
+ return RPMRC_OK;
+
+ if (stat(DIGEST_LIST_DATA_PATH, &st) == -1) {
+ rpmlog(RPMLOG_DEBUG, "digest_list: IMA interface '%s' not "
+ "found, disabling plugin\n", DIGEST_LIST_DATA_PATH);
+ disable_plugin = 1;
+ return RPMRC_OK;
+ }
+
+ process_digest_list(te, 0);
+ if (!strcmp(rpmteN(te), "digest-list-tools"))
+ process_digest_list(te, 1);
@ -522,9 +523,6 @@ index 000000000..62aae06dd
+
+static rpmRC digest_list_psm_post(rpmPlugin plugin, rpmte te, int res)
+{
+ if (disable_plugin)
+ return RPMRC_OK;
+
+ if (res != RPMRC_OK)
+ return RPMRC_OK;
+
@ -535,45 +533,50 @@ index 000000000..62aae06dd
+ return RPMRC_OK;
+}
+
+static rpmRC digest_list_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
+ const char *path,
+ const char *dest,
+ mode_t file_mode, rpmFsmOp op)
+{
+ const unsigned char *fdigest = NULL;
+ size_t len;
+ int algo;
+ rpmFileAction action = XFO_ACTION(op);
+
+ if (disable_plugin)
+ return RPMRC_OK;
+
+ /* Ignore skipped files and unowned directories */
+ if (XFA_SKIPPING(action) || (op & FAF_UNOWNED))
+ goto exit;
+
+ /* Ignore non-regular files */
+ if (!S_ISREG(file_mode))
+ goto exit;
+
+ fdigest = rpmfiFDigest(fi, &algo, &len);
+ if (!fdigest)
+ goto exit;
+
+ /* Assume that the hash algorithm used by evmctl and RPMs is the same */
+ add_ima_xattr(path, algo, fdigest, len);
+ if (strncmp(path, DIGEST_LIST_DEFAULT_PATH,
+ sizeof(DIGEST_LIST_DEFAULT_PATH) - 1))
+ add_evm_digest_list_xattr(path, algo);
+exit:
+ return RPMRC_OK;
+}
+
+struct rpmPluginHooks_s digest_list_hooks = {
+ .psm_pre = digest_list_psm_pre,
+ .psm_post = digest_list_psm_post,
+ .fsm_file_prepare = digest_list_fsm_file_prepare,
+};
diff --git a/rpmio/digest.h b/rpmio/digest.h
index 9e0cde3b9..01ca10d92 100644
--- a/rpmio/digest.h
+++ b/rpmio/digest.h
@@ -24,6 +24,7 @@ struct pgpDigAlg_s {
struct pgpDigParams_s {
char * userid;
uint8_t * hash;
+ const uint8_t * data;
uint8_t tag;
uint8_t version; /*!< version number. */
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 46cd0f31a..3c6b18b53 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -600,6 +600,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
}
p = ((uint8_t *)v) + sizeof(*v);
+ _digp->data = p;
rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
} break;
case 4:
@@ -658,6 +659,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
if (p > (h + hlen))
return 1;
+ _digp->data = p;
rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
} break;
default:
@@ -745,6 +747,7 @@ static int pgpPrtKey(pgpTag tag, const uint8_t *h, size_t hlen,
}
p = ((uint8_t *)v) + sizeof(*v);
+ _digp->data = p;
rc = pgpPrtPubkeyParams(v->pubkey_algo, p, h, hlen, _digp);
}
} break;
--
2.27.GIT

45
Generate-digest-lists.patch
View File

@ -1,14 +1,14 @@
From 99d243a37d50155bc3e9b4ef8d1457a73016c9c0 Mon Sep 17 00:00:00 2001
From 4d1801825c754171962050ee9c36c2d69c630ece Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Thu, 12 Mar 2020 17:29:55 +0100
Subject: [PATCH 1/2] Generate digest lists
Subject: [PATCH 1/3] Generate digest lists
---
build/files.c | 166 +++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 159 insertions(+), 7 deletions(-)
build/files.c | 176 ++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 169 insertions(+), 7 deletions(-)
diff --git a/build/files.c b/build/files.c
index 6dfd801c8..3dd8f0246 100644
index 6dfd801c8..ab6938d8c 100644
--- a/build/files.c
+++ b/build/files.c
@@ -50,6 +50,7 @@
@ -120,16 +120,18 @@ index 6dfd801c8..3dd8f0246 100644
{
size_t plen = strlen(diskPath);
char buf[plen + 1];
@@ -1355,6 +1392,8 @@ static rpmRC addFile(FileList fl, const char * diskPath,
@@ -1355,6 +1392,10 @@ static rpmRC addFile(FileList fl, const char * diskPath,
gid_t fileGid;
const char *fileUname;
const char *fileGname;
+ char realPath[PATH_MAX];
+ int digest_list_prefix = 0;
+ struct stat st;
+ int exclude = 0;
rpmRC rc = RPMRC_FAIL; /* assume failure */
/* Strip trailing slash. The special case of '/' path is handled below. */
@@ -1390,6 +1429,27 @@ static rpmRC addFile(FileList fl, const char * diskPath,
@@ -1390,6 +1431,33 @@ static rpmRC addFile(FileList fl, const char * diskPath,
if (*cpioPath == '\0')
cpioPath = "/";
@ -152,12 +154,27 @@ index 6dfd801c8..3dd8f0246 100644
+ }
+
+ cpioPath += sizeof(DIGEST_LIST_DIR) - 1;
+
+ snprintf(realPath, sizeof(realPath), "%.*s%s",
+ (int)(strlen(digest_list_dir) - sizeof(DIGEST_LIST_DIR) + 1),
+ digest_list_dir, cpioPath);
+ if (!stat(realPath, &st))
+ exclude = 1;
+ }
+
/*
* Unless recursing, we dont have stat() info at hand. Handle the
* various cases, preserving historical behavior wrt %dev():
@@ -1547,6 +1607,32 @@ exit:
@@ -1527,6 +1595,8 @@ static rpmRC addFile(FileList fl, const char * diskPath,
}
flp->flags = fl->cur.attrFlags;
+ if (exclude)
+ flp->flags |= RPMFILE_EXCLUDE;
flp->specdFlags = fl->cur.specdFlags;
flp->verifyFlags = fl->cur.verifyFlags;
@@ -1547,6 +1617,32 @@ exit:
return rc;
}
@ -190,7 +207,7 @@ index 6dfd801c8..3dd8f0246 100644
/**
* Add directory (and all of its files) to the package manifest.
* @param fl package file tree walk data
@@ -2556,6 +2642,58 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg,
@@ -2556,6 +2652,58 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg,
argvFree(fileNames);
}
@ -249,7 +266,7 @@ index 6dfd801c8..3dd8f0246 100644
static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
Package pkg, int didInstall, int test)
{
@@ -2569,6 +2707,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
@@ -2569,6 +2717,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
if (readFilesManifest(spec, pkg, *fp))
return RPMRC_FAIL;
}
@ -260,7 +277,7 @@ index 6dfd801c8..3dd8f0246 100644
/* Init the file list structure */
memset(&fl, 0, sizeof(fl));
@@ -2630,6 +2772,7 @@ exit:
@@ -2630,6 +2782,7 @@ exit:
FileListFree(&fl);
specialDirFree(specialDoc);
specialDirFree(specialLic);
@ -268,7 +285,7 @@ index 6dfd801c8..3dd8f0246 100644
return fl.processingFailed ? RPMRC_FAIL : RPMRC_OK;
}
@@ -3092,6 +3235,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag)
@@ -3092,6 +3245,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag)
rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
int didInstall, int test)
{
@ -276,7 +293,7 @@ index 6dfd801c8..3dd8f0246 100644
Package pkg;
rpmRC rc = RPMRC_OK;
char *buildroot;
@@ -3108,7 +3252,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
@@ -3108,7 +3262,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
check_fileList = newStringBuf();
genSourceRpmName(spec);
buildroot = rpmGenPath(spec->rootDir, spec->buildRoot, NULL);
@ -292,7 +309,7 @@ index 6dfd801c8..3dd8f0246 100644
if (rpmExpandNumeric("%{?_debuginfo_subpackages}")) {
maindbg = findDebuginfoPackage(spec);
if (maindbg) {
@@ -3214,6 +3365,7 @@ exit:
@@ -3214,6 +3375,7 @@ exit:
check_fileList = freeStringBuf(check_fileList);
_free(buildroot);
_free(uniquearch);

1
rpm.spec
View File

@ -21,6 +21,7 @@ Patch11: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch
Patch12: Use-common-error-logic-regardless-of-setexecfilecon-.patch
Patch13: Generate-digest-lists.patch
Patch14: Add-digest-list-plugin.patch
Patch15: Don-t-add-dist-to-release-if-it-is-already-there.patch
BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel