diff --git a/Add-digest-list-plugin.patch b/Add-digest-list-plugin.patch index f19c9aa..cba3807 100644 --- a/Add-digest-list-plugin.patch +++ b/Add-digest-list-plugin.patch @@ -1,13 +1,15 @@ -From fa0b33ce1ff569ab55b46cdbcc47f2da6db3fb1a Mon Sep 17 00:00:00 2001 +From c3b5c61440a40b4a159e050e25f4b3736f7d0343 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Wed, 26 Feb 2020 15:54:24 +0100 -Subject: [PATCH 2/2] Add digest list plugin +Subject: [PATCH 2/3] Add digest list plugin --- macros.in | 1 + plugins/Makefile.am | 4 + - plugins/digest_list.c | 534 ++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 539 insertions(+) + plugins/digest_list.c | 495 ++++++++++++++++++++++++++++++++++++++++++ + rpmio/digest.h | 1 + + rpmio/rpmpgp.c | 3 + + 5 files changed, 504 insertions(+) create mode 100644 plugins/digest_list.c diff --git a/macros.in b/macros.in @@ -36,18 +38,21 @@ index d4ef039ed..07aa3585b 100644 +plugins_LTLIBRARIES += digest_list.la diff --git a/plugins/digest_list.c b/plugins/digest_list.c new file mode 100644 -index 000000000..62aae06dd +index 000000000..227ce141e --- /dev/null +++ b/plugins/digest_list.c -@@ -0,0 +1,534 @@ +@@ -0,0 +1,495 @@ +#include "system.h" +#include "errno.h" + +#include +#include +#include ++#include ++#include +#include +#include "lib/rpmplugin.h" ++#include +#include +#include +#include @@ -63,7 +68,6 @@ index 000000000..62aae06dd +#define DIGEST_LIST_COUNT IMA_DIR "/digests_count" +#define DIGEST_LIST_DEFAULT_PATH "/etc/ima/digest_lists" +#define RPM_PARSER "/usr/libexec/rpm_parser" -+#define WRITE_RPM_PGP_SIG "/usr/bin/write_rpm_pgp_sig" + +#define DIGEST_LIST_OP_ADD 0 +#define DIGEST_LIST_OP_DEL 1 @@ -90,24 +94,14 @@ index 000000000..62aae06dd + HASH_ALGO__LAST +}; + -+enum pgp_hash_algo { -+ PGP_HASH_MD5 = 1, -+ PGP_HASH_SHA1 = 2, -+ PGP_HASH_RIPE_MD_160 = 3, -+ PGP_HASH_SHA256 = 8, -+ PGP_HASH_SHA384 = 9, -+ PGP_HASH_SHA512 = 10, -+ PGP_HASH_SHA224 = 11, -+ PGP_HASH__LAST -+}; -+ -+enum hash_algo pgp_algo_mapping[PGP_HASH__LAST] = { -+ [PGP_HASH_MD5] = HASH_ALGO_MD5, -+ [PGP_HASH_SHA1] = HASH_ALGO_SHA1, -+ [PGP_HASH_SHA224] = HASH_ALGO_SHA224, -+ [PGP_HASH_SHA256] = HASH_ALGO_SHA256, -+ [PGP_HASH_SHA384] = HASH_ALGO_SHA384, -+ [PGP_HASH_SHA512] = HASH_ALGO_SHA512, ++#define PGPHASHALGO__LAST PGPHASHALGO_SHA224 + 1 ++enum hash_algo pgp_algo_mapping[PGPHASHALGO__LAST] = { ++ [PGPHASHALGO_MD5] = HASH_ALGO_MD5, ++ [PGPHASHALGO_SHA1] = HASH_ALGO_SHA1, ++ [PGPHASHALGO_SHA224] = HASH_ALGO_SHA224, ++ [PGPHASHALGO_SHA256] = HASH_ALGO_SHA256, ++ [PGPHASHALGO_SHA384] = HASH_ALGO_SHA384, ++ [PGPHASHALGO_SHA512] = HASH_ALGO_SHA512, +}; + +/* from integrity.h */ @@ -135,19 +129,21 @@ index 000000000..62aae06dd + uint8_t sig[0]; /* signature payload */ +} __attribute__((packed)); + -+static int disable_plugin; -+ +static int upload_digest_list(char *path, int type, int digest_list_signed) +{ + size_t size; + char buf[21]; + const char *ima_path = DIGEST_LIST_DATA_PATH; ++ struct stat st; + pid_t pid; + int ret = 0, fd; + + if (type == TR_REMOVED) + ima_path = DIGEST_LIST_DATA_DEL_PATH; + ++ if (stat(ima_path, &st) == -1) ++ return 0; ++ + /* First determine if kernel interface can accept new digest lists */ + fd = open(DIGEST_LIST_COUNT, O_RDONLY); + if (fd < 0) { @@ -215,93 +211,6 @@ index 000000000..62aae06dd + return ret; +} + -+static int add_ima_xattr(const char *path, int algo, -+ const unsigned char *digest, int digest_len) -+{ -+ struct evm_ima_xattr_data ima_xattr; -+ int ret; -+ -+ ima_xattr.type = IMA_XATTR_DIGEST_NG; -+ ima_xattr.digest[0] = pgp_algo_mapping[algo]; -+ memcpy(&ima_xattr.digest[1], digest, digest_len); -+ -+ ret = lsetxattr(path, XATTR_NAME_IMA, (uint8_t *)&ima_xattr, -+ digest_len + 2, 0); -+ if (ret < 0) -+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima " -+ "on '%s': %s\n", path, strerror(errno)); -+ else -+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully " -+ "applied on '%s'\n", path); -+ return ret; -+} -+ -+static int add_evm_digest_list_xattr(const char *path, int algo) -+{ -+ struct signature_v2_hdr hdr; -+ int ret; -+ -+ hdr.type = EVM_IMA_XATTR_DIGEST_LIST, -+ hdr.version = 2; -+ hdr.hash_algo = pgp_algo_mapping[algo]; -+ -+ ret = lsetxattr(path, XATTR_NAME_EVM, (uint8_t *)&hdr, -+ offsetof(struct signature_v2_hdr, keyid), 0); -+ if (ret < 0) -+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.evm " -+ "on '%s': %s\n", path, strerror(errno)); -+ else -+ rpmlog(RPMLOG_DEBUG, "digest_list: security.evm successfully " -+ "applied on '%s'\n", path); -+ return ret; -+} -+ -+static int add_evm_xattr(char *path, char *path_sig) -+{ -+ unsigned char sig[2048]; -+ size_t sig_len; -+ struct stat st; -+ int ret, fd; -+ -+ if (stat(path_sig, &st) == -1) -+ return -EACCES; -+ -+ if (st.st_size > sizeof(sig)) { -+ rpmlog(RPMLOG_ERR, "digest_list: signature in %s too big\n", -+ path); -+ return -ENOMEM; -+ } -+ -+ fd = open(path_sig, O_RDONLY); -+ if (fd < 0) { -+ rpmlog(RPMLOG_ERR, "digest_list: could not open '%s': %s\n", -+ path_sig, strerror(errno)); -+ return -EACCES; -+ } -+ -+ sig_len = read(fd, sig, sizeof(sig)); -+ if (sig_len != st.st_size) { -+ rpmlog(RPMLOG_ERR, "digest_list: could not read '%s': %s\n", -+ path_sig, strerror(errno)); -+ ret = -EIO; -+ goto out; -+ } -+ -+ rpmlog(RPMLOG_DEBUG, "digest_list: read signature of %ld bytes from " -+ "'%s'\n", sig_len, path_sig); -+ -+ ret = lsetxattr(path, XATTR_NAME_EVM, sig, sig_len, 0); -+ if (ret < 0) -+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.evm " -+ "on '%s': %s\n", path, strerror(errno)); -+ else -+ rpmlog(RPMLOG_DEBUG, "digest_list: security.evm successfully " -+ "applied on '%s'\n", path); -+out: -+ close(fd); -+ return ret; -+} -+ +static int write_rpm_digest_list(rpmte te, char *path) +{ + FD_t fd; @@ -337,49 +246,164 @@ index 000000000..62aae06dd + return ret; +} + -+static int write_rpm_digest_list_sig(rpmte te, char *rpm_path, char *sig_path) ++static int write_rpm_digest_list_ima_xattr(rpmte te, char *path) +{ + rpmtd signature; + ssize_t written; ++ uint8_t sig[2048] = { 0 }; ++ pgpDigParams sigp = NULL; ++ struct signature_v2_hdr *sig_hdr = (struct signature_v2_hdr *)sig; + Header rpm = rpmteHeader(te); + FD_t fd; -+ pid_t pid; -+ int ret = 0; ++ int ret = 0, sig_size, sig_size_rounded; + + signature = rpmtdNew(); + headerGet(rpm, RPMTAG_RSAHEADER, signature, 0); -+ if (!signature->count) -+ goto out; ++ ret = pgpPrtParams(signature->data, signature->count, ++ PGPTAG_SIGNATURE, &sigp); + -+ fd = Fopen(sig_path, "w.ufdio"); ++ if (ret) { ++ ret = -ENOENT; ++ goto out; ++ } ++ ++ fd = Fopen(path, "a.ufdio"); + if (fd == NULL || Ferror(fd)) { + ret = -EACCES; + goto out; + } + -+ written = Fwrite(signature->data, sizeof(uint8_t), -+ signature->count, fd); -+ if (written != signature->count || Ferror(fd)) { ++ written = Fwrite(sigp->hash, sizeof(uint8_t), ++ sigp->hashlen, fd); ++ if (written != sigp->hashlen || Ferror(fd)) { + ret = -EIO; -+ Fclose(fd); -+ goto out_unlink; ++ goto out; ++ } ++ ++ if (sigp->version == 4) { ++ /* V4 trailer is six octets long (rfc4880) */ ++ uint8_t trailer[6]; ++ uint32_t nb = sigp->hashlen; ++ nb = htonl(nb); ++ trailer[0] = sigp->version; ++ trailer[1] = 0xff; ++ memcpy(trailer+2, &nb, 4); ++ ++ written = Fwrite(trailer, sizeof(uint8_t), sizeof(trailer), fd); ++ if (written != sizeof(trailer) || Ferror(fd)) { ++ ret = -EIO; ++ goto out; ++ } + } + + Fclose(fd); + -+ if ((pid = fork()) == 0) { -+ execlp(WRITE_RPM_PGP_SIG, WRITE_RPM_PGP_SIG, -+ rpm_path, sig_path, NULL); -+ _exit(EXIT_FAILURE); ++ sig_hdr->type = EVM_IMA_XATTR_DIGSIG; ++ sig_hdr->version = 2; ++ sig_hdr->hash_algo = pgp_algo_mapping[sigp->hash_algo]; ++ memcpy((void *)&sig_hdr->keyid, sigp->signid + sizeof(uint32_t), ++ sizeof(uint32_t)); ++ ++ sig_size = (pgpMpiBits(sigp->data) + 7) >> 3; ++ if (sizeof(sig_hdr) + sig_size > sizeof(sig)) { ++ rpmlog(RPMLOG_ERR, ++ "digest_list: signature in %s too big\n", path); ++ ret = -E2BIG; ++ goto out; + } + -+ waitpid(pid, &ret, 0); -+ if (ret != 0) -+ rpmlog(RPMLOG_ERR, "digest_list: %s returned %d\n", -+ WRITE_RPM_PGP_SIG, ret); -+out_unlink: -+ unlink(sig_path); ++ sig_size_rounded = ((sig_size + 7) >> 3) * 8; ++ sig_hdr->sig_size = __cpu_to_be16(sig_size_rounded); ++ ++ memcpy(sig_hdr->sig + sig_size_rounded - sig_size, ++ (uint8_t *)sigp->data + 2, sig_size); ++ ++ ret = lsetxattr(path, XATTR_NAME_IMA, ++ sig, sizeof(*sig_hdr) + sig_size_rounded, 0); ++ if (ret < 0) ++ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima " ++ "on '%s': %s\n", path, strerror(errno)); ++ else ++ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully " ++ "applied on '%s'\n", path); +out: ++ pgpDigParamsFree(sigp); ++ rpmtdFree(signature); ++ return ret; ++} ++ ++static int write_digest_list_ima_xattr(rpmte te, char *path, char *path_sig) ++{ ++ rpmtd signature; ++ uint8_t sig[2048] = { 0 }; ++ pgpDigParams sigp = NULL; ++ struct signature_v2_hdr *sig_hdr = (struct signature_v2_hdr *)sig; ++ Header rpm = rpmteHeader(te); ++ FD_t fd; ++ struct stat st; ++ int ret = 0, sig_size; ++ ++ signature = rpmtdNew(); ++ headerGet(rpm, RPMTAG_RSAHEADER, signature, 0); ++ ret = pgpPrtParams(signature->data, signature->count, ++ PGPTAG_SIGNATURE, &sigp); ++ ++ if (ret) { ++ ret = -ENOENT; ++ goto out; ++ } ++ ++ sig_hdr->type = EVM_IMA_XATTR_DIGSIG; ++ sig_hdr->version = 2; ++ sig_hdr->hash_algo = HASH_ALGO_SHA256; ++ memcpy((void *)&sig_hdr->keyid, sigp->signid + sizeof(uint32_t), ++ sizeof(uint32_t)); ++ ++ if (stat(path_sig, &st) == -1) { ++ ret = -EACCES; ++ goto out; ++ } ++ ++ if (sizeof(sig_hdr) + st.st_size > sizeof(sig)) { ++ rpmlog(RPMLOG_ERR, "digest_list: signature in %s too big\n", ++ path); ++ ret = -E2BIG; ++ goto out; ++ } ++ ++ fd = Fopen(path_sig, "r.ufdio"); ++ if (fd < 0) { ++ rpmlog(RPMLOG_ERR, "digest_list: could not open '%s': %s\n", ++ path_sig, strerror(errno)); ++ ret = -EACCES; ++ goto out; ++ } ++ ++ sig_size = Fread(sig_hdr->sig, sizeof(uint8_t), st.st_size, fd); ++ if (sig_size != st.st_size || Ferror(fd)) { ++ rpmlog(RPMLOG_ERR, "digest_list: could not read '%s': %s\n", ++ path_sig, strerror(errno)); ++ Fclose(fd); ++ ret = -EIO; ++ goto out; ++ } ++ ++ sig_hdr->sig_size = __cpu_to_be16(sig_size); ++ ++ rpmlog(RPMLOG_DEBUG, ++ "digest_list: read signature of %d bytes from '%s'\n", ++ sig_size, path_sig); ++ ++ ret = lsetxattr(path, XATTR_NAME_IMA, ++ sig, sizeof(*sig_hdr) + sig_size, 0); ++ if (ret < 0) ++ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima " ++ "on '%s': %s\n", path, strerror(errno)); ++ else ++ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully " ++ "applied on '%s'\n", path); ++out: ++ pgpDigParamsFree(sigp); + rpmtdFree(signature); + return ret; +} @@ -414,16 +438,8 @@ index 000000000..62aae06dd + DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te), + rpmteR(te), rpmteA(te)); + -+ if (!stat(path_sig, &st)) { ++ if (!stat(path_sig, &st)) + digest_list_signed = 1; -+ } else { -+ if (stat(WRITE_RPM_PGP_SIG, &st) == -1 || -+ stat(RPM_PARSER, &st) == -1) { -+ rpmlog(RPMLOG_DEBUG, "digest_list: " -+ "digest-list-tools not installed\n"); -+ goto out; -+ } -+ } + + if (parser) + snprintf(path, PATH_MAX, "%s/0-parser_list-compact-libexec", @@ -437,16 +453,12 @@ index 000000000..62aae06dd + if (stat(path, &st) == -1) + goto out; + -+ if (!parser && !digest_list_signed) { ++ if (!parser && !digest_list_signed) + snprintf(path, PATH_MAX, "%s/0-metadata_list-rpm-%s-%s-%s.%s", + DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te), + rpmteR(te), rpmteA(te)); + -+ /* RPM digest lists don't have security.evm */ -+ size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0); -+ } else { -+ size = lgetxattr(path, XATTR_NAME_EVM, NULL, 0); -+ } ++ size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0); + + /* Don't upload again if digest list was already processed */ + if ((rpmteType(te) == TR_ADDED && size > 0) || @@ -466,13 +478,14 @@ index 000000000..62aae06dd + } + + /* Write RPM header sig to security.ima */ -+ ret = write_rpm_digest_list_sig(te, path, path_sig); -+ if (ret < 0) { -+ ret = RPMRC_FAIL; -+ goto out; -+ } ++ ret = write_rpm_digest_list_ima_xattr(te, path); + } else { -+ add_evm_xattr(path, path_sig); ++ ret = write_digest_list_ima_xattr(te, path, path_sig); ++ } ++ ++ if (ret < 0) { ++ ret = RPMRC_FAIL; ++ goto out; + } + } + @@ -501,18 +514,6 @@ index 000000000..62aae06dd + +static rpmRC digest_list_psm_pre(rpmPlugin plugin, rpmte te) +{ -+ struct stat st; -+ -+ if (disable_plugin) -+ return RPMRC_OK; -+ -+ if (stat(DIGEST_LIST_DATA_PATH, &st) == -1) { -+ rpmlog(RPMLOG_DEBUG, "digest_list: IMA interface '%s' not " -+ "found, disabling plugin\n", DIGEST_LIST_DATA_PATH); -+ disable_plugin = 1; -+ return RPMRC_OK; -+ } -+ + process_digest_list(te, 0); + if (!strcmp(rpmteN(te), "digest-list-tools")) + process_digest_list(te, 1); @@ -522,9 +523,6 @@ index 000000000..62aae06dd + +static rpmRC digest_list_psm_post(rpmPlugin plugin, rpmte te, int res) +{ -+ if (disable_plugin) -+ return RPMRC_OK; -+ + if (res != RPMRC_OK) + return RPMRC_OK; + @@ -535,45 +533,50 @@ index 000000000..62aae06dd + return RPMRC_OK; +} + -+static rpmRC digest_list_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, -+ const char *path, -+ const char *dest, -+ mode_t file_mode, rpmFsmOp op) -+{ -+ const unsigned char *fdigest = NULL; -+ size_t len; -+ int algo; -+ rpmFileAction action = XFO_ACTION(op); -+ -+ if (disable_plugin) -+ return RPMRC_OK; -+ -+ /* Ignore skipped files and unowned directories */ -+ if (XFA_SKIPPING(action) || (op & FAF_UNOWNED)) -+ goto exit; -+ -+ /* Ignore non-regular files */ -+ if (!S_ISREG(file_mode)) -+ goto exit; -+ -+ fdigest = rpmfiFDigest(fi, &algo, &len); -+ if (!fdigest) -+ goto exit; -+ -+ /* Assume that the hash algorithm used by evmctl and RPMs is the same */ -+ add_ima_xattr(path, algo, fdigest, len); -+ if (strncmp(path, DIGEST_LIST_DEFAULT_PATH, -+ sizeof(DIGEST_LIST_DEFAULT_PATH) - 1)) -+ add_evm_digest_list_xattr(path, algo); -+exit: -+ return RPMRC_OK; -+} -+ +struct rpmPluginHooks_s digest_list_hooks = { + .psm_pre = digest_list_psm_pre, + .psm_post = digest_list_psm_post, -+ .fsm_file_prepare = digest_list_fsm_file_prepare, +}; +diff --git a/rpmio/digest.h b/rpmio/digest.h +index 9e0cde3b9..01ca10d92 100644 +--- a/rpmio/digest.h ++++ b/rpmio/digest.h +@@ -24,6 +24,7 @@ struct pgpDigAlg_s { + struct pgpDigParams_s { + char * userid; + uint8_t * hash; ++ const uint8_t * data; + uint8_t tag; + + uint8_t version; /*!< version number. */ +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c +index 46cd0f31a..3c6b18b53 100644 +--- a/rpmio/rpmpgp.c ++++ b/rpmio/rpmpgp.c +@@ -600,6 +600,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, + } + + p = ((uint8_t *)v) + sizeof(*v); ++ _digp->data = p; + rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp); + } break; + case 4: +@@ -658,6 +659,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, + if (p > (h + hlen)) + return 1; + ++ _digp->data = p; + rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp); + } break; + default: +@@ -745,6 +747,7 @@ static int pgpPrtKey(pgpTag tag, const uint8_t *h, size_t hlen, + } + + p = ((uint8_t *)v) + sizeof(*v); ++ _digp->data = p; + rc = pgpPrtPubkeyParams(v->pubkey_algo, p, h, hlen, _digp); + } + } break; -- 2.27.GIT diff --git a/Generate-digest-lists.patch b/Generate-digest-lists.patch index 9cb7d1a..cc74351 100644 --- a/Generate-digest-lists.patch +++ b/Generate-digest-lists.patch @@ -1,14 +1,14 @@ -From 99d243a37d50155bc3e9b4ef8d1457a73016c9c0 Mon Sep 17 00:00:00 2001 +From 4d1801825c754171962050ee9c36c2d69c630ece Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Thu, 12 Mar 2020 17:29:55 +0100 -Subject: [PATCH 1/2] Generate digest lists +Subject: [PATCH 1/3] Generate digest lists --- - build/files.c | 166 +++++++++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 159 insertions(+), 7 deletions(-) + build/files.c | 176 ++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 169 insertions(+), 7 deletions(-) diff --git a/build/files.c b/build/files.c -index 6dfd801c8..3dd8f0246 100644 +index 6dfd801c8..ab6938d8c 100644 --- a/build/files.c +++ b/build/files.c @@ -50,6 +50,7 @@ @@ -120,16 +120,18 @@ index 6dfd801c8..3dd8f0246 100644 { size_t plen = strlen(diskPath); char buf[plen + 1]; -@@ -1355,6 +1392,8 @@ static rpmRC addFile(FileList fl, const char * diskPath, +@@ -1355,6 +1392,10 @@ static rpmRC addFile(FileList fl, const char * diskPath, gid_t fileGid; const char *fileUname; const char *fileGname; + char realPath[PATH_MAX]; + int digest_list_prefix = 0; ++ struct stat st; ++ int exclude = 0; rpmRC rc = RPMRC_FAIL; /* assume failure */ /* Strip trailing slash. The special case of '/' path is handled below. */ -@@ -1390,6 +1429,27 @@ static rpmRC addFile(FileList fl, const char * diskPath, +@@ -1390,6 +1431,33 @@ static rpmRC addFile(FileList fl, const char * diskPath, if (*cpioPath == '\0') cpioPath = "/"; @@ -152,12 +154,27 @@ index 6dfd801c8..3dd8f0246 100644 + } + + cpioPath += sizeof(DIGEST_LIST_DIR) - 1; ++ ++ snprintf(realPath, sizeof(realPath), "%.*s%s", ++ (int)(strlen(digest_list_dir) - sizeof(DIGEST_LIST_DIR) + 1), ++ digest_list_dir, cpioPath); ++ if (!stat(realPath, &st)) ++ exclude = 1; + } + /* * Unless recursing, we dont have stat() info at hand. Handle the * various cases, preserving historical behavior wrt %dev(): -@@ -1547,6 +1607,32 @@ exit: +@@ -1527,6 +1595,8 @@ static rpmRC addFile(FileList fl, const char * diskPath, + } + + flp->flags = fl->cur.attrFlags; ++ if (exclude) ++ flp->flags |= RPMFILE_EXCLUDE; + flp->specdFlags = fl->cur.specdFlags; + flp->verifyFlags = fl->cur.verifyFlags; + +@@ -1547,6 +1617,32 @@ exit: return rc; } @@ -190,7 +207,7 @@ index 6dfd801c8..3dd8f0246 100644 /** * Add directory (and all of its files) to the package manifest. * @param fl package file tree walk data -@@ -2556,6 +2642,58 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg, +@@ -2556,6 +2652,58 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg, argvFree(fileNames); } @@ -249,7 +266,7 @@ index 6dfd801c8..3dd8f0246 100644 static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, Package pkg, int didInstall, int test) { -@@ -2569,6 +2707,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, +@@ -2569,6 +2717,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, if (readFilesManifest(spec, pkg, *fp)) return RPMRC_FAIL; } @@ -260,7 +277,7 @@ index 6dfd801c8..3dd8f0246 100644 /* Init the file list structure */ memset(&fl, 0, sizeof(fl)); -@@ -2630,6 +2772,7 @@ exit: +@@ -2630,6 +2782,7 @@ exit: FileListFree(&fl); specialDirFree(specialDoc); specialDirFree(specialLic); @@ -268,7 +285,7 @@ index 6dfd801c8..3dd8f0246 100644 return fl.processingFailed ? RPMRC_FAIL : RPMRC_OK; } -@@ -3092,6 +3235,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag) +@@ -3092,6 +3245,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag) rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, int didInstall, int test) { @@ -276,7 +293,7 @@ index 6dfd801c8..3dd8f0246 100644 Package pkg; rpmRC rc = RPMRC_OK; char *buildroot; -@@ -3108,7 +3252,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, +@@ -3108,7 +3262,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, check_fileList = newStringBuf(); genSourceRpmName(spec); buildroot = rpmGenPath(spec->rootDir, spec->buildRoot, NULL); @@ -292,7 +309,7 @@ index 6dfd801c8..3dd8f0246 100644 if (rpmExpandNumeric("%{?_debuginfo_subpackages}")) { maindbg = findDebuginfoPackage(spec); if (maindbg) { -@@ -3214,6 +3365,7 @@ exit: +@@ -3214,6 +3375,7 @@ exit: check_fileList = freeStringBuf(check_fileList); _free(buildroot); _free(uniquearch); diff --git a/rpm.spec b/rpm.spec index e658f88..59d5562 100644 --- a/rpm.spec +++ b/rpm.spec @@ -21,6 +21,7 @@ Patch11: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch Patch12: Use-common-error-logic-regardless-of-setexecfilecon-.patch Patch13: Generate-digest-lists.patch Patch14: Add-digest-list-plugin.patch +Patch15: Don-t-add-dist-to-release-if-it-is-already-there.patch BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel