Add Don-t-add-dist-to-release-if-it-is-already-there.patch and modify Add-digest-list-plugin.patch

Roberto Sassu 2020-07-24 00:06:48 +02:00
parent e3018fd4d0
commit 4423f52830
3 changed files with 241 additions and 220 deletions


@ -1,13 +1,15 @@
From fa0b33ce1ff569ab55b46cdbcc47f2da6db3fb1a Mon Sep 17 00:00:00 2001 From c3b5c61440a40b4a159e050e25f4b3736f7d0343 Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com> From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Wed, 26 Feb 2020 15:54:24 +0100 Date: Wed, 26 Feb 2020 15:54:24 +0100
Subject: [PATCH 2/2] Add digest list plugin Subject: [PATCH 2/3] Add digest list plugin
--- ---
macros.in | 1 + macros.in | 1 +
plugins/Makefile.am | 4 + plugins/Makefile.am | 4 +
plugins/digest_list.c | 534 ++++++++++++++++++++++++++++++++++++++++++ plugins/digest_list.c | 495 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 539 insertions(+) rpmio/digest.h | 1 +
rpmio/rpmpgp.c | 3 +
5 files changed, 504 insertions(+)
create mode 100644 plugins/digest_list.c create mode 100644 plugins/digest_list.c
diff --git a/macros.in b/macros.in diff --git a/macros.in b/macros.in
@ -36,18 +38,21 @@ index d4ef039ed..07aa3585b 100644
+plugins_LTLIBRARIES += digest_list.la +plugins_LTLIBRARIES += digest_list.la
diff --git a/plugins/digest_list.c b/plugins/digest_list.c diff --git a/plugins/digest_list.c b/plugins/digest_list.c
new file mode 100644 new file mode 100644
index 000000000..62aae06dd index 000000000..227ce141e
--- /dev/null --- /dev/null
+++ b/plugins/digest_list.c +++ b/plugins/digest_list.c
@@ -0,0 +1,534 @@ @@ -0,0 +1,495 @@
+#include "system.h" +#include "system.h"
+#include "errno.h" +#include "errno.h"
+ +
+#include <rpm/rpmlog.h> +#include <rpm/rpmlog.h>
+#include <rpm/rpmts.h> +#include <rpm/rpmts.h>
+#include <rpm/header.h> +#include <rpm/header.h>
+#include <rpmio/digest.h>
+#include <rpmio/rpmpgp.h>
+#include <rpm/rpmfileutil.h> +#include <rpm/rpmfileutil.h>
+#include "lib/rpmplugin.h" +#include "lib/rpmplugin.h"
+#include <netinet/in.h>
+#include <sys/stat.h> +#include <sys/stat.h>
+#include <openssl/sha.h> +#include <openssl/sha.h>
+#include <sys/xattr.h> +#include <sys/xattr.h>
@ -63,7 +68,6 @@ index 000000000..62aae06dd
+#define DIGEST_LIST_COUNT IMA_DIR "/digests_count" +#define DIGEST_LIST_COUNT IMA_DIR "/digests_count"
+#define DIGEST_LIST_DEFAULT_PATH "/etc/ima/digest_lists" +#define DIGEST_LIST_DEFAULT_PATH "/etc/ima/digest_lists"
+#define RPM_PARSER "/usr/libexec/rpm_parser" +#define RPM_PARSER "/usr/libexec/rpm_parser"
+#define WRITE_RPM_PGP_SIG "/usr/bin/write_rpm_pgp_sig"
+ +
+#define DIGEST_LIST_OP_ADD 0 +#define DIGEST_LIST_OP_ADD 0
+#define DIGEST_LIST_OP_DEL 1 +#define DIGEST_LIST_OP_DEL 1
@ -90,24 +94,14 @@ index 000000000..62aae06dd
+ HASH_ALGO__LAST + HASH_ALGO__LAST
+}; +};
+ +
+enum pgp_hash_algo { +#define PGPHASHALGO__LAST PGPHASHALGO_SHA224 + 1
+ PGP_HASH_MD5 = 1, +enum hash_algo pgp_algo_mapping[PGPHASHALGO__LAST] = {
+ PGP_HASH_SHA1 = 2, + [PGPHASHALGO_MD5] = HASH_ALGO_MD5,
+ PGP_HASH_RIPE_MD_160 = 3, + [PGPHASHALGO_SHA1] = HASH_ALGO_SHA1,
+ PGP_HASH_SHA256 = 8, + [PGPHASHALGO_SHA224] = HASH_ALGO_SHA224,
+ PGP_HASH_SHA384 = 9, + [PGPHASHALGO_SHA256] = HASH_ALGO_SHA256,
+ PGP_HASH_SHA512 = 10, + [PGPHASHALGO_SHA384] = HASH_ALGO_SHA384,
+ PGP_HASH_SHA224 = 11, + [PGPHASHALGO_SHA512] = HASH_ALGO_SHA512,
+ PGP_HASH__LAST
+};
+
+enum hash_algo pgp_algo_mapping[PGP_HASH__LAST] = {
+ [PGP_HASH_MD5] = HASH_ALGO_MD5,
+ [PGP_HASH_SHA1] = HASH_ALGO_SHA1,
+ [PGP_HASH_SHA224] = HASH_ALGO_SHA224,
+ [PGP_HASH_SHA256] = HASH_ALGO_SHA256,
+ [PGP_HASH_SHA384] = HASH_ALGO_SHA384,
+ [PGP_HASH_SHA512] = HASH_ALGO_SHA512,
+}; +};
+ +
+/* from integrity.h */ +/* from integrity.h */
@ -135,19 +129,21 @@ index 000000000..62aae06dd
+ uint8_t sig[0]; /* signature payload */ + uint8_t sig[0]; /* signature payload */
+} __attribute__((packed)); +} __attribute__((packed));
+ +
+static int disable_plugin;
+
+static int upload_digest_list(char *path, int type, int digest_list_signed) +static int upload_digest_list(char *path, int type, int digest_list_signed)
+{ +{
+ size_t size; + size_t size;
+ char buf[21]; + char buf[21];
+ const char *ima_path = DIGEST_LIST_DATA_PATH; + const char *ima_path = DIGEST_LIST_DATA_PATH;
+ struct stat st;
+ pid_t pid; + pid_t pid;
+ int ret = 0, fd; + int ret = 0, fd;
+ +
+ if (type == TR_REMOVED) + if (type == TR_REMOVED)
+ ima_path = DIGEST_LIST_DATA_DEL_PATH; + ima_path = DIGEST_LIST_DATA_DEL_PATH;
+ +
+ if (stat(ima_path, &st) == -1)
+ return 0;
+
+ /* First determine if kernel interface can accept new digest lists */ + /* First determine if kernel interface can accept new digest lists */
+ fd = open(DIGEST_LIST_COUNT, O_RDONLY); + fd = open(DIGEST_LIST_COUNT, O_RDONLY);
+ if (fd < 0) { + if (fd < 0) {
@ -215,93 +211,6 @@ index 000000000..62aae06dd
+ return ret; + return ret;
+} +}
+ +
+static int add_ima_xattr(const char *path, int algo,
+ const unsigned char *digest, int digest_len)
+{
+ struct evm_ima_xattr_data ima_xattr;
+ int ret;
+
+ ima_xattr.type = IMA_XATTR_DIGEST_NG;
+ ima_xattr.digest[0] = pgp_algo_mapping[algo];
+ memcpy(&ima_xattr.digest[1], digest, digest_len);
+
+ ret = lsetxattr(path, XATTR_NAME_IMA, (uint8_t *)&ima_xattr,
+ digest_len + 2, 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully "
+ "applied on '%s'\n", path);
+ return ret;
+}
+
+static int add_evm_digest_list_xattr(const char *path, int algo)
+{
+ struct signature_v2_hdr hdr;
+ int ret;
+
+ hdr.type = EVM_IMA_XATTR_DIGEST_LIST,
+ hdr.version = 2;
+ hdr.hash_algo = pgp_algo_mapping[algo];
+
+ ret = lsetxattr(path, XATTR_NAME_EVM, (uint8_t *)&hdr,
+ offsetof(struct signature_v2_hdr, keyid), 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.evm "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.evm successfully "
+ "applied on '%s'\n", path);
+ return ret;
+}
+
+static int add_evm_xattr(char *path, char *path_sig)
+{
+ unsigned char sig[2048];
+ size_t sig_len;
+ struct stat st;
+ int ret, fd;
+
+ if (stat(path_sig, &st) == -1)
+ return -EACCES;
+
+ if (st.st_size > sizeof(sig)) {
+ rpmlog(RPMLOG_ERR, "digest_list: signature in %s too big\n",
+ path);
+ return -ENOMEM;
+ }
+
+ fd = open(path_sig, O_RDONLY);
+ if (fd < 0) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not open '%s': %s\n",
+ path_sig, strerror(errno));
+ return -EACCES;
+ }
+
+ sig_len = read(fd, sig, sizeof(sig));
+ if (sig_len != st.st_size) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not read '%s': %s\n",
+ path_sig, strerror(errno));
+ ret = -EIO;
+ goto out;
+ }
+
+ rpmlog(RPMLOG_DEBUG, "digest_list: read signature of %ld bytes from "
+ "'%s'\n", sig_len, path_sig);
+
+ ret = lsetxattr(path, XATTR_NAME_EVM, sig, sig_len, 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.evm "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.evm successfully "
+ "applied on '%s'\n", path);
+out:
+ close(fd);
+ return ret;
+}
+
+static int write_rpm_digest_list(rpmte te, char *path) +static int write_rpm_digest_list(rpmte te, char *path)
+{ +{
+ FD_t fd; + FD_t fd;
@ -337,49 +246,164 @@ index 000000000..62aae06dd
+ return ret; + return ret;
+} +}
+ +
+static int write_rpm_digest_list_sig(rpmte te, char *rpm_path, char *sig_path) +static int write_rpm_digest_list_ima_xattr(rpmte te, char *path)
+{ +{
+ rpmtd signature; + rpmtd signature;
+ ssize_t written; + ssize_t written;
+ uint8_t sig[2048] = { 0 };
+ pgpDigParams sigp = NULL;
+ struct signature_v2_hdr *sig_hdr = (struct signature_v2_hdr *)sig;
+ Header rpm = rpmteHeader(te); + Header rpm = rpmteHeader(te);
+ FD_t fd; + FD_t fd;
+ pid_t pid; + int ret = 0, sig_size, sig_size_rounded;
+ int ret = 0;
+ +
+ signature = rpmtdNew(); + signature = rpmtdNew();
+ headerGet(rpm, RPMTAG_RSAHEADER, signature, 0); + headerGet(rpm, RPMTAG_RSAHEADER, signature, 0);
+ if (!signature->count) + ret = pgpPrtParams(signature->data, signature->count,
+ goto out; + PGPTAG_SIGNATURE, &sigp);
+ +
+ fd = Fopen(sig_path, "w.ufdio"); + if (ret) {
+ ret = -ENOENT;
+ goto out;
+ }
+
+ fd = Fopen(path, "a.ufdio");
+ if (fd == NULL || Ferror(fd)) { + if (fd == NULL || Ferror(fd)) {
+ ret = -EACCES; + ret = -EACCES;
+ goto out; + goto out;
+ } + }
+ +
+ written = Fwrite(signature->data, sizeof(uint8_t), + written = Fwrite(sigp->hash, sizeof(uint8_t),
+ signature->count, fd); + sigp->hashlen, fd);
+ if (written != signature->count || Ferror(fd)) { + if (written != sigp->hashlen || Ferror(fd)) {
+ ret = -EIO; + ret = -EIO;
+ Fclose(fd); + goto out;
+ goto out_unlink; + }
+
+ if (sigp->version == 4) {
+ /* V4 trailer is six octets long (rfc4880) */
+ uint8_t trailer[6];
+ uint32_t nb = sigp->hashlen;
+ nb = htonl(nb);
+ trailer[0] = sigp->version;
+ trailer[1] = 0xff;
+ memcpy(trailer+2, &nb, 4);
+
+ written = Fwrite(trailer, sizeof(uint8_t), sizeof(trailer), fd);
+ if (written != sizeof(trailer) || Ferror(fd)) {
+ ret = -EIO;
+ goto out;
+ }
+ } + }
+ +
+ Fclose(fd); + Fclose(fd);
+ +
+ if ((pid = fork()) == 0) { + sig_hdr->type = EVM_IMA_XATTR_DIGSIG;
+ execlp(WRITE_RPM_PGP_SIG, WRITE_RPM_PGP_SIG, + sig_hdr->version = 2;
+ rpm_path, sig_path, NULL); + sig_hdr->hash_algo = pgp_algo_mapping[sigp->hash_algo];
+ _exit(EXIT_FAILURE); + memcpy((void *)&sig_hdr->keyid, sigp->signid + sizeof(uint32_t),
+ sizeof(uint32_t));
+
+ sig_size = (pgpMpiBits(sigp->data) + 7) >> 3;
+ if (sizeof(sig_hdr) + sig_size > sizeof(sig)) {
+ rpmlog(RPMLOG_ERR,
+ "digest_list: signature in %s too big\n", path);
+ ret = -E2BIG;
+ goto out;
+ } + }
+ +
+ waitpid(pid, &ret, 0); + sig_size_rounded = ((sig_size + 7) >> 3) * 8;
+ if (ret != 0) + sig_hdr->sig_size = __cpu_to_be16(sig_size_rounded);
+ rpmlog(RPMLOG_ERR, "digest_list: %s returned %d\n", +
+ WRITE_RPM_PGP_SIG, ret); + memcpy(sig_hdr->sig + sig_size_rounded - sig_size,
+out_unlink: + (uint8_t *)sigp->data + 2, sig_size);
+ unlink(sig_path); +
+ ret = lsetxattr(path, XATTR_NAME_IMA,
+ sig, sizeof(*sig_hdr) + sig_size_rounded, 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully "
+ "applied on '%s'\n", path);
+out: +out:
+ pgpDigParamsFree(sigp);
+ rpmtdFree(signature);
+ return ret;
+}
+
+static int write_digest_list_ima_xattr(rpmte te, char *path, char *path_sig)
+{
+ rpmtd signature;
+ uint8_t sig[2048] = { 0 };
+ pgpDigParams sigp = NULL;
+ struct signature_v2_hdr *sig_hdr = (struct signature_v2_hdr *)sig;
+ Header rpm = rpmteHeader(te);
+ FD_t fd;
+ struct stat st;
+ int ret = 0, sig_size;
+
+ signature = rpmtdNew();
+ headerGet(rpm, RPMTAG_RSAHEADER, signature, 0);
+ ret = pgpPrtParams(signature->data, signature->count,
+ PGPTAG_SIGNATURE, &sigp);
+
+ if (ret) {
+ ret = -ENOENT;
+ goto out;
+ }
+
+ sig_hdr->type = EVM_IMA_XATTR_DIGSIG;
+ sig_hdr->version = 2;
+ sig_hdr->hash_algo = HASH_ALGO_SHA256;
+ memcpy((void *)&sig_hdr->keyid, sigp->signid + sizeof(uint32_t),
+ sizeof(uint32_t));
+
+ if (stat(path_sig, &st) == -1) {
+ ret = -EACCES;
+ goto out;
+ }
+
+ if (sizeof(sig_hdr) + st.st_size > sizeof(sig)) {
+ rpmlog(RPMLOG_ERR, "digest_list: signature in %s too big\n",
+ path);
+ ret = -E2BIG;
+ goto out;
+ }
+
+ fd = Fopen(path_sig, "r.ufdio");
+ if (fd < 0) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not open '%s': %s\n",
+ path_sig, strerror(errno));
+ ret = -EACCES;
+ goto out;
+ }
+
+ sig_size = Fread(sig_hdr->sig, sizeof(uint8_t), st.st_size, fd);
+ if (sig_size != st.st_size || Ferror(fd)) {
+ rpmlog(RPMLOG_ERR, "digest_list: could not read '%s': %s\n",
+ path_sig, strerror(errno));
+ Fclose(fd);
+ ret = -EIO;
+ goto out;
+ }
+
+ sig_hdr->sig_size = __cpu_to_be16(sig_size);
+
+ rpmlog(RPMLOG_DEBUG,
+ "digest_list: read signature of %d bytes from '%s'\n",
+ sig_size, path_sig);
+
+ ret = lsetxattr(path, XATTR_NAME_IMA,
+ sig, sizeof(*sig_hdr) + sig_size, 0);
+ if (ret < 0)
+ rpmlog(RPMLOG_ERR, "digest_list: could not apply security.ima "
+ "on '%s': %s\n", path, strerror(errno));
+ else
+ rpmlog(RPMLOG_DEBUG, "digest_list: security.ima successfully "
+ "applied on '%s'\n", path);
+out:
+ pgpDigParamsFree(sigp);
+ rpmtdFree(signature); + rpmtdFree(signature);
+ return ret; + return ret;
+} +}
@ -414,16 +438,8 @@ index 000000000..62aae06dd
+ DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te), + DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te),
+ rpmteR(te), rpmteA(te)); + rpmteR(te), rpmteA(te));
+ +
+ if (!stat(path_sig, &st)) { + if (!stat(path_sig, &st))
+ digest_list_signed = 1; + digest_list_signed = 1;
+ } else {
+ if (stat(WRITE_RPM_PGP_SIG, &st) == -1 ||
+ stat(RPM_PARSER, &st) == -1) {
+ rpmlog(RPMLOG_DEBUG, "digest_list: "
+ "digest-list-tools not installed\n");
+ goto out;
+ }
+ }
+ +
+ if (parser) + if (parser)
+ snprintf(path, PATH_MAX, "%s/0-parser_list-compact-libexec", + snprintf(path, PATH_MAX, "%s/0-parser_list-compact-libexec",
@ -437,16 +453,12 @@ index 000000000..62aae06dd
+ if (stat(path, &st) == -1) + if (stat(path, &st) == -1)
+ goto out; + goto out;
+ +
+ if (!parser && !digest_list_signed) { + if (!parser && !digest_list_signed)
+ snprintf(path, PATH_MAX, "%s/0-metadata_list-rpm-%s-%s-%s.%s", + snprintf(path, PATH_MAX, "%s/0-metadata_list-rpm-%s-%s-%s.%s",
+ DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te), + DIGEST_LIST_DEFAULT_PATH, rpmteN(te), rpmteV(te),
+ rpmteR(te), rpmteA(te)); + rpmteR(te), rpmteA(te));
+ +
+ /* RPM digest lists don't have security.evm */ + size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0);
+ size = lgetxattr(path, XATTR_NAME_IMA, NULL, 0);
+ } else {
+ size = lgetxattr(path, XATTR_NAME_EVM, NULL, 0);
+ }
+ +
+ /* Don't upload again if digest list was already processed */ + /* Don't upload again if digest list was already processed */
+ if ((rpmteType(te) == TR_ADDED && size > 0) || + if ((rpmteType(te) == TR_ADDED && size > 0) ||
@ -466,13 +478,14 @@ index 000000000..62aae06dd
+ } + }
+ +
+ /* Write RPM header sig to security.ima */ + /* Write RPM header sig to security.ima */
+ ret = write_rpm_digest_list_sig(te, path, path_sig); + ret = write_rpm_digest_list_ima_xattr(te, path);
+ if (ret < 0) {
+ ret = RPMRC_FAIL;
+ goto out;
+ }
+ } else { + } else {
+ add_evm_xattr(path, path_sig); + ret = write_digest_list_ima_xattr(te, path, path_sig);
+ }
+
+ if (ret < 0) {
+ ret = RPMRC_FAIL;
+ goto out;
+ } + }
+ } + }
+ +
@ -501,18 +514,6 @@ index 000000000..62aae06dd
+ +
+static rpmRC digest_list_psm_pre(rpmPlugin plugin, rpmte te) +static rpmRC digest_list_psm_pre(rpmPlugin plugin, rpmte te)
+{ +{
+ struct stat st;
+
+ if (disable_plugin)
+ return RPMRC_OK;
+
+ if (stat(DIGEST_LIST_DATA_PATH, &st) == -1) {
+ rpmlog(RPMLOG_DEBUG, "digest_list: IMA interface '%s' not "
+ "found, disabling plugin\n", DIGEST_LIST_DATA_PATH);
+ disable_plugin = 1;
+ return RPMRC_OK;
+ }
+
+ process_digest_list(te, 0); + process_digest_list(te, 0);
+ if (!strcmp(rpmteN(te), "digest-list-tools")) + if (!strcmp(rpmteN(te), "digest-list-tools"))
+ process_digest_list(te, 1); + process_digest_list(te, 1);
@ -522,9 +523,6 @@ index 000000000..62aae06dd
+ +
+static rpmRC digest_list_psm_post(rpmPlugin plugin, rpmte te, int res) +static rpmRC digest_list_psm_post(rpmPlugin plugin, rpmte te, int res)
+{ +{
+ if (disable_plugin)
+ return RPMRC_OK;
+
+ if (res != RPMRC_OK) + if (res != RPMRC_OK)
+ return RPMRC_OK; + return RPMRC_OK;
+ +
@ -535,45 +533,50 @@ index 000000000..62aae06dd
+ return RPMRC_OK; + return RPMRC_OK;
+} +}
+ +
+static rpmRC digest_list_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
+ const char *path,
+ const char *dest,
+ mode_t file_mode, rpmFsmOp op)
+{
+ const unsigned char *fdigest = NULL;
+ size_t len;
+ int algo;
+ rpmFileAction action = XFO_ACTION(op);
+
+ if (disable_plugin)
+ return RPMRC_OK;
+
+ /* Ignore skipped files and unowned directories */
+ if (XFA_SKIPPING(action) || (op & FAF_UNOWNED))
+ goto exit;
+
+ /* Ignore non-regular files */
+ if (!S_ISREG(file_mode))
+ goto exit;
+
+ fdigest = rpmfiFDigest(fi, &algo, &len);
+ if (!fdigest)
+ goto exit;
+
+ /* Assume that the hash algorithm used by evmctl and RPMs is the same */
+ add_ima_xattr(path, algo, fdigest, len);
+ if (strncmp(path, DIGEST_LIST_DEFAULT_PATH,
+ sizeof(DIGEST_LIST_DEFAULT_PATH) - 1))
+ add_evm_digest_list_xattr(path, algo);
+exit:
+ return RPMRC_OK;
+}
+
+struct rpmPluginHooks_s digest_list_hooks = { +struct rpmPluginHooks_s digest_list_hooks = {
+ .psm_pre = digest_list_psm_pre, + .psm_pre = digest_list_psm_pre,
+ .psm_post = digest_list_psm_post, + .psm_post = digest_list_psm_post,
+ .fsm_file_prepare = digest_list_fsm_file_prepare,
+}; +};
diff --git a/rpmio/digest.h b/rpmio/digest.h
index 9e0cde3b9..01ca10d92 100644
--- a/rpmio/digest.h
+++ b/rpmio/digest.h
@@ -24,6 +24,7 @@ struct pgpDigAlg_s {
struct pgpDigParams_s {
char * userid;
uint8_t * hash;
+ const uint8_t * data;
uint8_t tag;
uint8_t version; /*!< version number. */
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 46cd0f31a..3c6b18b53 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -600,6 +600,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
}
p = ((uint8_t *)v) + sizeof(*v);
+ _digp->data = p;
rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
} break;
case 4:
@@ -658,6 +659,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
if (p > (h + hlen))
return 1;
+ _digp->data = p;
rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
} break;
default:
@@ -745,6 +747,7 @@ static int pgpPrtKey(pgpTag tag, const uint8_t *h, size_t hlen,
}
p = ((uint8_t *)v) + sizeof(*v);
+ _digp->data = p;
rc = pgpPrtPubkeyParams(v->pubkey_algo, p, h, hlen, _digp);
}
} break;
-- --
2.27.GIT 2.27.GIT
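Review bot: The size check in write_rpm_digest_list_ima_xattr, `if (sizeof(sig_hdr) + sig_size > sizeof(sig))`, measures the pointer rather than the header (`sizeof(*sig_hdr)`, as the later lsetxattr length does) and ignores the rounding added afterwards, so a signature MPI whose length comes from the package header and is close to the buffer size passes the check and the memcpy into `sig_hdr->sig + sig_size_rounded - sig_size` writes past the end of the stack buffer `sig`; the same `sizeof(sig_hdr)` mistake is in write_digest_list_ima_xattr's check against `st.st_size`, where Fread can then overrun `sig` by the header size. Compute `sig_size_rounded` before the check and compare `sizeof(*sig_hdr) + sig_size_rounded` against `sizeof(sig)` (and `sizeof(*sig_hdr) + st.st_size` in the second function); the rewritten lines are below. In the same two functions, `if (fd < 0)` after Fopen tests an FD_t pointer and should read `if (fd == NULL || Ferror(fd))` like the other Fopen call, the FD_t opened on path_sig is never Fclose'd on the success path, and both `-EIO` paths in write_rpm_digest_list_ima_xattr jump to `out` past the Fclose(fd). I cannot tell from this page whether pgpPrtParams rejects unknown hash algorithm ids, so `pgp_algo_mapping[sigp->hash_algo]` may also need a range check against PGPHASHALGO__LAST before indexing.
```c
static int write_rpm_digest_list_ima_xattr(rpmte te, char *path)
{
	/* … unchanged: parse RPMTAG_RSAHEADER, Fopen(path, "a.ufdio"), Fwrite hash … */
	if (written != sigp->hashlen || Ferror(fd)) {
		Fclose(fd);
		ret = -EIO;
		goto out;
	}
	/* … unchanged: V4 trailer (its -EIO path needs the same Fclose), Fclose, header fields … */
	sig_size = (pgpMpiBits(sigp->data) + 7) >> 3;
	sig_size_rounded = ((sig_size + 7) >> 3) * 8;
	/* bound what is actually written below: the header plus the rounded payload */
	if (sizeof(*sig_hdr) + sig_size_rounded > sizeof(sig)) {
		rpmlog(RPMLOG_ERR,
		       "digest_list: signature in %s too big\n", path);
		ret = -E2BIG;
		goto out;
	}
	/* … unchanged: sig_size field, memcpy into sig_hdr->sig, lsetxattr … */

static int write_digest_list_ima_xattr(rpmte te, char *path, char *path_sig)
{
	/* … unchanged: parse signature, fill header, stat(path_sig) … */
	if (sizeof(*sig_hdr) + st.st_size > sizeof(sig)) {
		/* … unchanged: error log, -E2BIG … */
	}

	fd = Fopen(path_sig, "r.ufdio");
	if (fd == NULL || Ferror(fd)) {
		/* … unchanged: error log, -EACCES … */
	}

	sig_size = Fread(sig_hdr->sig, sizeof(uint8_t), st.st_size, fd);
	if (sig_size != st.st_size || Ferror(fd)) {
		/* … unchanged: error log, Fclose, -EIO … */
	}
	Fclose(fd);
	/* … unchanged: sig_size field, lsetxattr … */
```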


@ -1,14 +1,14 @@
From 99d243a37d50155bc3e9b4ef8d1457a73016c9c0 Mon Sep 17 00:00:00 2001 From 4d1801825c754171962050ee9c36c2d69c630ece Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com> From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Thu, 12 Mar 2020 17:29:55 +0100 Date: Thu, 12 Mar 2020 17:29:55 +0100
Subject: [PATCH 1/2] Generate digest lists Subject: [PATCH 1/3] Generate digest lists
--- ---
build/files.c | 166 +++++++++++++++++++++++++++++++++++++++++++++++--- build/files.c | 176 ++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 159 insertions(+), 7 deletions(-) 1 file changed, 169 insertions(+), 7 deletions(-)
diff --git a/build/files.c b/build/files.c diff --git a/build/files.c b/build/files.c
index 6dfd801c8..3dd8f0246 100644 index 6dfd801c8..ab6938d8c 100644
--- a/build/files.c --- a/build/files.c
+++ b/build/files.c +++ b/build/files.c
@@ -50,6 +50,7 @@ @@ -50,6 +50,7 @@
@ -120,16 +120,18 @@ index 6dfd801c8..3dd8f0246 100644
{ {
size_t plen = strlen(diskPath); size_t plen = strlen(diskPath);
char buf[plen + 1]; char buf[plen + 1];
@@ -1355,6 +1392,8 @@ static rpmRC addFile(FileList fl, const char * diskPath, @@ -1355,6 +1392,10 @@ static rpmRC addFile(FileList fl, const char * diskPath,
gid_t fileGid; gid_t fileGid;
const char *fileUname; const char *fileUname;
const char *fileGname; const char *fileGname;
+ char realPath[PATH_MAX]; + char realPath[PATH_MAX];
+ int digest_list_prefix = 0; + int digest_list_prefix = 0;
+ struct stat st;
+ int exclude = 0;
rpmRC rc = RPMRC_FAIL; /* assume failure */ rpmRC rc = RPMRC_FAIL; /* assume failure */
/* Strip trailing slash. The special case of '/' path is handled below. */ /* Strip trailing slash. The special case of '/' path is handled below. */
@@ -1390,6 +1429,27 @@ static rpmRC addFile(FileList fl, const char * diskPath, @@ -1390,6 +1431,33 @@ static rpmRC addFile(FileList fl, const char * diskPath,
if (*cpioPath == '\0') if (*cpioPath == '\0')
cpioPath = "/"; cpioPath = "/";
@ -152,12 +154,27 @@ index 6dfd801c8..3dd8f0246 100644
+ } + }
+ +
+ cpioPath += sizeof(DIGEST_LIST_DIR) - 1; + cpioPath += sizeof(DIGEST_LIST_DIR) - 1;
+
+ snprintf(realPath, sizeof(realPath), "%.*s%s",
+ (int)(strlen(digest_list_dir) - sizeof(DIGEST_LIST_DIR) + 1),
+ digest_list_dir, cpioPath);
+ if (!stat(realPath, &st))
+ exclude = 1;
+ } + }
+ +
/* /*
* Unless recursing, we dont have stat() info at hand. Handle the * Unless recursing, we dont have stat() info at hand. Handle the
* various cases, preserving historical behavior wrt %dev(): * various cases, preserving historical behavior wrt %dev():
@@ -1547,6 +1607,32 @@ exit: @@ -1527,6 +1595,8 @@ static rpmRC addFile(FileList fl, const char * diskPath,
}
flp->flags = fl->cur.attrFlags;
+ if (exclude)
+ flp->flags |= RPMFILE_EXCLUDE;
flp->specdFlags = fl->cur.specdFlags;
flp->verifyFlags = fl->cur.verifyFlags;
@@ -1547,6 +1617,32 @@ exit:
return rc; return rc;
} }
@ -190,7 +207,7 @@ index 6dfd801c8..3dd8f0246 100644
/** /**
* Add directory (and all of its files) to the package manifest. * Add directory (and all of its files) to the package manifest.
* @param fl package file tree walk data * @param fl package file tree walk data
@@ -2556,6 +2642,58 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg, @@ -2556,6 +2652,58 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg,
argvFree(fileNames); argvFree(fileNames);
} }
@ -249,7 +266,7 @@ index 6dfd801c8..3dd8f0246 100644
static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
Package pkg, int didInstall, int test) Package pkg, int didInstall, int test)
{ {
@@ -2569,6 +2707,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, @@ -2569,6 +2717,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
if (readFilesManifest(spec, pkg, *fp)) if (readFilesManifest(spec, pkg, *fp))
return RPMRC_FAIL; return RPMRC_FAIL;
} }
@ -260,7 +277,7 @@ index 6dfd801c8..3dd8f0246 100644
/* Init the file list structure */ /* Init the file list structure */
memset(&fl, 0, sizeof(fl)); memset(&fl, 0, sizeof(fl));
@@ -2630,6 +2772,7 @@ exit: @@ -2630,6 +2782,7 @@ exit:
FileListFree(&fl); FileListFree(&fl);
specialDirFree(specialDoc); specialDirFree(specialDoc);
specialDirFree(specialLic); specialDirFree(specialLic);
@ -268,7 +285,7 @@ index 6dfd801c8..3dd8f0246 100644
return fl.processingFailed ? RPMRC_FAIL : RPMRC_OK; return fl.processingFailed ? RPMRC_FAIL : RPMRC_OK;
} }
@@ -3092,6 +3235,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag) @@ -3092,6 +3245,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag)
rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
int didInstall, int test) int didInstall, int test)
{ {
@ -276,7 +293,7 @@ index 6dfd801c8..3dd8f0246 100644
Package pkg; Package pkg;
rpmRC rc = RPMRC_OK; rpmRC rc = RPMRC_OK;
char *buildroot; char *buildroot;
@@ -3108,7 +3252,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, @@ -3108,7 +3262,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags,
check_fileList = newStringBuf(); check_fileList = newStringBuf();
genSourceRpmName(spec); genSourceRpmName(spec);
buildroot = rpmGenPath(spec->rootDir, spec->buildRoot, NULL); buildroot = rpmGenPath(spec->rootDir, spec->buildRoot, NULL);
@ -292,7 +309,7 @@ index 6dfd801c8..3dd8f0246 100644
if (rpmExpandNumeric("%{?_debuginfo_subpackages}")) { if (rpmExpandNumeric("%{?_debuginfo_subpackages}")) {
maindbg = findDebuginfoPackage(spec); maindbg = findDebuginfoPackage(spec);
if (maindbg) { if (maindbg) {
@@ -3214,6 +3365,7 @@ exit: @@ -3214,6 +3375,7 @@ exit:
check_fileList = freeStringBuf(check_fileList); check_fileList = freeStringBuf(check_fileList);
_free(buildroot); _free(buildroot);
_free(uniquearch); _free(uniquearch);
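Review bot: The new `snprintf(realPath, ..., "%.*s%s", (int)(strlen(digest_list_dir) - sizeof(DIGEST_LIST_DIR) + 1), digest_list_dir, cpioPath)` in addFile neither checks its return value for truncation against PATH_MAX nor guards the precision arithmetic: if `digest_list_dir` is ever shorter than DIGEST_LIST_DIR the size_t subtraction wraps, the cast yields a negative precision and the whole string is printed, so `realPath` silently becomes a different path and the following `stat()` decides `exclude` on it. I cannot see where `digest_list_dir` is built (the enclosing addFile starts and ends outside this hunk), so if it is guaranteed to end in DIGEST_LIST_DIR a comment stating that invariant above the snprintf would do; otherwise check the length first and fail the file when `snprintf` returns a value `>= sizeof(realPath)`. Since `stat()` follows symlinks, a symlink at `realPath` pointing at any existing file also marks the packaged file RPMFILE_EXCLUDE; if the intent is "a digest list already exists at this path", `lstat()` plus an `S_ISREG` test is the tighter condition.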


@ -21,6 +21,7 @@ Patch11: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch
Patch12: Use-common-error-logic-regardless-of-setexecfilecon-.patch Patch12: Use-common-error-logic-regardless-of-setexecfilecon-.patch
Patch13: Generate-digest-lists.patch Patch13: Generate-digest-lists.patch
Patch14: Add-digest-list-plugin.patch Patch14: Add-digest-list-plugin.patch
Patch15: Don-t-add-dist-to-release-if-it-is-already-there.patch
BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel