packaging/opensuse: sync with downstream packaging #14472
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
From df6efd9173ae24067ff8328b5dd272f0fc0e1bbf Mon Sep 17 00:00:00 2001 | ||
Message-ID: <df6efd9173ae24067ff8328b5dd272f0fc0e1bbf.1725537228.git.maciej.borzecki@canonical.com> | ||
From: Maciej Borzecki <[email protected]> | ||
Date: Thu, 5 Sep 2024 13:53:20 +0200 | ||
Subject: [PATCH] packaging/snapd.mk: drop randomized build ID generation | ||
|
||
Signed-off-by: Maciej Borzecki <[email protected]> | ||
--- | ||
packaging/snapd.mk | 6 +++--- | ||
1 file changed, 3 insertions(+), 3 deletions(-) | ||
|
||
diff --git a/packaging/snapd.mk b/packaging/snapd.mk | ||
index fac68c7ad1429e9e420454a2d3af56408c5d799e..a9e90dc1900c0074f69ff7003f06505541950d8f 100644 | ||
--- a/packaging/snapd.mk | ||
+++ b/packaging/snapd.mk | ||
@@ -72,7 +72,7 @@ $(builddir)/snap: GO_TAGS += nomanagers | ||
$(builddir)/snap $(builddir)/snap-seccomp $(builddir)/snapd-apparmor: | ||
go build -o $@ $(if $(GO_TAGS),-tags "$(GO_TAGS)") \ | ||
-buildmode=pie \ | ||
- -ldflags="-B 0x$$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') $(EXTRA_GO_LDFLAGS)" \ | ||
+ -ldflags="$(EXTRA_GO_LDFLAGS)" \ | ||
-mod=vendor \ | ||
$(EXTRA_GO_BUILD_FLAGS) \ | ||
$(import_path)/cmd/$(notdir $@) | ||
@@ -91,10 +91,10 @@ $(builddir)/snap-update-ns $(builddir)/snap-exec $(builddir)/snapctl: | ||
|
||
# XXX see the note about build ID in rule for building 'snap' | ||
# Snapd can be built with test keys. This is only used by the internal test | ||
-# suite to add test assertions. Do not enable this in distribution packages. | ||
+# suite to addqg test assertions. Do not enable this in distribution packages. | ||
$(builddir)/snapd: | ||
go build -o $@ -buildmode=pie \ | ||
- -ldflags="-B 0x$$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') $(EXTRA_GO_LDFLAGS)" \ | ||
+ -ldflags="$(EXTRA_GO_LDFLAGS)" \ | ||
-mod=vendor \ | ||
$(if $(GO_TAGS),-tags "$(GO_TAGS)") \ | ||
$(EXTRA_GO_BUILD_FLAGS) \ | ||
-- | ||
2.46.0 | ||
|
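Review bot: The rewritten comment line in the second hunk of this patch, `+# suite to addqg test assertions. Do not enable this in distribution packages.`, introduces the typo `addqg` into a comment the original line spelled correctly; since this file is applied as `Patch0` through `%autopatch`, the typo lands in the built tree, so that line pair should be dropped from the patch and the hunk left changing only the `-ldflags` line. The kept context line `# XXX see the note about build ID in rule for building 'snap'` now points at a note this patch does not touch while removing the `-B 0x$$(head -c20 /dev/urandom…)` flag it presumably describes; either delete it or reword it to `# build ID is no longer forced here; see EXTRA_GO_LDFLAGS`. Whether the resulting binaries still carry a build-id note, which the spec's `%define _missing_build_ids_terminate_build 1` depends on, cannot be confirmed from this page and is worth checking in a build log.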
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
From 09a3cc7aad771621d849d792281538658331f550 Mon Sep 17 00:00:00 2001 | ||
Message-ID: <09a3cc7aad771621d849d792281538658331f550.1725538054.git.maciej.borzecki@canonical.com> | ||
From: Maciej Borzecki <[email protected]> | ||
Date: Thu, 5 Sep 2024 14:06:50 +0200 | ||
Subject: [PATCH] Build position-independent binaries per hardening policy | ||
|
||
This is only supported on some architectures and only wth recent glibc (where rcrt1.o is present). | ||
|
||
Signed-off-by: Maciej Borzecki <[email protected]> | ||
--- | ||
cmd/Makefile.am | 4 ++-- | ||
packaging/snapd.mk | 4 ++-- | ||
2 files changed, 4 insertions(+), 4 deletions(-) | ||
|
||
diff --git a/cmd/Makefile.am b/cmd/Makefile.am | ||
index b316a8733ca7ce6c552955fb051bbb3a2dad7685..89c85b3485958d90a2df1c25aa59d5ef361c6514 100644 | ||
--- a/cmd/Makefile.am | ||
+++ b/cmd/Makefile.am | ||
@@ -523,7 +523,7 @@ snap_gdb_shim_snap_gdb_shim_SOURCES = \ | ||
snap-gdb-shim/snap-gdb-shim.c | ||
|
||
snap_gdb_shim_snap_gdb_shim_LDADD = libsnap-confine-private.a | ||
-snap_gdb_shim_snap_gdb_shim_LDFLAGS = -static | ||
+snap_gdb_shim_snap_gdb_shim_LDFLAGS = -static-pie | ||
|
||
## | ||
## snap-gdbserver-shim | ||
@@ -535,7 +535,7 @@ snap_gdb_shim_snap_gdbserver_shim_SOURCES = \ | ||
snap-gdb-shim/snap-gdbserver-shim.c | ||
|
||
snap_gdb_shim_snap_gdbserver_shim_LDADD = libsnap-confine-private.a | ||
-snap_gdb_shim_snap_gdbserver_shim_LDFLAGS = -static | ||
+snap_gdb_shim_snap_gdbserver_shim_LDFLAGS = -static-pie | ||
|
||
## | ||
## snapd-generator | ||
diff --git a/packaging/snapd.mk b/packaging/snapd.mk | ||
index a9e90dc1900c0074f69ff7003f06505541950d8f..ee8f79d766a658074ae62f83c55af5f54a70dade 100644 | ||
--- a/packaging/snapd.mk | ||
+++ b/packaging/snapd.mk | ||
@@ -83,9 +83,9 @@ $(builddir)/snap $(builddir)/snap-seccomp $(builddir)/snapd-apparmor: | ||
$(builddir)/snap-update-ns $(builddir)/snap-exec $(builddir)/snapctl: | ||
# Explicit request to use an external linker, otherwise extldflags may not be | ||
# used | ||
- go build -o $@ -buildmode=default -mod=vendor \ | ||
+ go build -o $@ -buildmode=pie -mod=vendor \ | ||
$(if $(GO_TAGS),-tags "$(GO_TAGS)") \ | ||
- -ldflags '-linkmode external -extldflags "-static" $(EXTRA_GO_LDFLAGS)' \ | ||
+ -ldflags '-linkmode external -extldflags "-static-pie" $(EXTRA_GO_LDFLAGS)' \ | ||
$(EXTRA_GO_BUILD_FLAGS) \ | ||
$(import_path)/cmd/$(notdir $@) | ||
|
||
-- | ||
2.46.0 | ||
|
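Review bot: The two `-static-pie` assignments in cmd/Makefile.am (`snap_gdb_shim_snap_gdb_shim_LDFLAGS` and `snap_gdb_shim_snap_gdbserver_shim_LDFLAGS`) carry no comment on why the flag is only valid on some toolchains, although the patch's own description says it needs an architecture and a glibc that ship `rcrt1.o`; a line such as `# -static-pie needs glibc's rcrt1.o; the spec applies this patch only where it is detected` above each assignment keeps that constraint visible to whoever next edits the file. The embedded commit message also has a typo, `only wth recent glibc`, which can only be corrected by regenerating the patch. The snapd.mk hunk's existing comment `# Explicit request to use an external linker, otherwise extldflags may not be used` still holds for the new `-extldflags "-static-pie"` line, so nothing further is needed there.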
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -14,6 +14,8 @@ | |||||
|
||||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/ | ||||||
|
||||||
%define _missing_build_ids_terminate_build 1 | ||||||
|
||||||
# takes an absolute path with slashes and turns it into an AppArmor profile path | ||||||
%define as_apparmor_path() %(echo "%1" | tr / . | cut -c2-) | ||||||
|
||||||
|
@@ -80,6 +82,13 @@ | |||||
%global with_multilib 1 | ||||||
%endif | ||||||
|
||||||
%ifarch %arm | ||||||
# libsnap-confine-private/unit-tests fails on ARM under valgrind | ||||||
%bcond_with valgrind | ||||||
%else | ||||||
%bcond_without valgrind | ||||||
%endif | ||||||
|
||||||
|
||||||
Name: snapd | ||||||
Version: 2.65.1 | ||||||
|
@@ -90,45 +99,42 @@ Group: System/Packages | |||||
Url: https://%{import_path} | ||||||
Source0: https://github.com/snapcore/snapd/releases/download/%{version}/%{name}_%{version}.vendor.tar.xz | ||||||
Source1: snapd-rpmlintrc | ||||||
Patch0: 0001-packaging-snapd.mk-drop-randomized-build-ID-generati.patch | ||||||
|
||||||
Source100: pie.patch | ||||||
BuildRequires: autoconf | ||||||
BuildRequires: autoconf-archive | ||||||
BuildRequires: automake | ||||||
# /usr/libexec/snapd/snap-mgmt: line 46: /etc/os-release: No such file or directory | ||||||
BuildRequires: distribution-release | ||||||
BuildRequires: fakeroot | ||||||
BuildRequires: glib2-devel | ||||||
BuildRequires: glibc-devel-static | ||||||
BuildRequires: go >= 1.18 | ||||||
Curious: does this mean we actually build with 1.18 on openSUSE (given that there are likely many versions in the archive?)
We're building with the default one, which varies between releases, eg. for TW it's 1.22 atm, but for 15.6 I believe it's 1.21.
||||||
BuildRequires: gpg2 | ||||||
BuildRequires: indent | ||||||
BuildRequires: libcap-devel | ||||||
BuildRequires: libseccomp-devel | ||||||
BuildRequires: libtool | ||||||
BuildRequires: libudev-devel | ||||||
BuildRequires: libuuid-devel | ||||||
BuildRequires: make | ||||||
BuildRequires: openssh | ||||||
BuildRequires: pkg-config | ||||||
BuildRequires: openssh-common | ||||||
BuildRequires: python3-docutils | ||||||
BuildRequires: squashfs | ||||||
# Due to: rpm -q --whatprovides /usr/share/pkgconfig/systemd.pc | ||||||
BuildRequires: systemd | ||||||
BuildRequires: pkgconfig(glib-2.0) | ||||||
This is nice!
||||||
BuildRequires: pkgconfig(libseccomp) | ||||||
BuildRequires: pkgconfig(libudev) | ||||||
BuildRequires: pkgconfig(systemd) | ||||||
BuildRequires: pkgconfig(udev) | ||||||
BuildRequires: systemd-rpm-macros | ||||||
BuildRequires: timezone | ||||||
BuildRequires: udev | ||||||
%if %{with valgrind} | ||||||
BuildRequires: valgrind | ||||||
%endif | ||||||
BuildRequires: xfsprogs-devel | ||||||
BuildRequires: xz | ||||||
%ifarch x86_64 | ||||||
%ifarch x86_64 %x86_64 | ||||||
# This is needed for seccomp tests | ||||||
BuildRequires: glibc-devel-32bit | ||||||
BuildRequires: glibc-devel-static-32bit | ||||||
BuildRequires: gcc-32bit | ||||||
%endif | ||||||
BuildRequires: ca-certificates | ||||||
BuildRequires: ca-certificates-mozilla | ||||||
|
||||||
%if %{with apparmor} | ||||||
BuildRequires: libapparmor-devel | ||||||
BuildRequires: pkgconfig(libapparmor) | ||||||
BuildRequires: apparmor-rpm-macros | ||||||
BuildRequires: apparmor-parser | ||||||
%endif | ||||||
|
||||||
PreReq: permissions | ||||||
|
@@ -139,7 +145,6 @@ Requires: apparmor-parser | |||||
Requires: apparmor-profiles | ||||||
%endif | ||||||
Requires: gpg2 | ||||||
Requires: openssh | ||||||
Requires: squashfs | ||||||
Requires: system-user-daemon | ||||||
|
||||||
|
@@ -180,6 +185,12 @@ tar -axf %{_sourcedir}/%{name}_%{version}.vendor.tar.xz --strip-components=1 -C | |||||
pushd %{indigo_srcdir} | ||||||
# Add patch0 -p1 ... as appropriate here. | ||||||
%autopatch -p1 | ||||||
|
||||||
#PIE static binaries are not supported on all architectures. We detect the availability of the runtime object here, and GCC's support for such binaries. | ||||||
if test -e %{_libdir}/rcrt1.o && cc -static-pie -xc /dev/null -o /dev/null -S; then | ||||||
patch -p1 < %SOURCE100 | ||||||
What is
see
||||||
fi | ||||||
|
||||||
popd | ||||||
|
||||||
# Generate snapd.defines.mk, this file is included by snapd.mk. It contains a | ||||||
|
@@ -204,8 +215,9 @@ with_core_bits = 0 | |||||
with_alt_snap_mount_dir = %{!?with_alt_snap_mount_dir:0}%{?with_alt_snap_mount_dir:1} | ||||||
with_apparmor = %{with apparmor} | ||||||
with_testkeys = %{with_testkeys} | ||||||
# Disable DWARF and symbol table | ||||||
EXTRA_GO_LDFLAGS = -w -s | ||||||
EXTRA_GO_BUILD_FLAGS = -v -x | ||||||
# fix broken debuginfo bsc#1215402 | ||||||
EXTRA_GO_LDFLAGS = -compressdwarf=false | ||||||
__DEFINES__ | ||||||
|
||||||
# Set the version that is compiled into the various executables/ | ||||||
|
@@ -219,23 +231,16 @@ if [ "$(pkg-config --variable=systemdsystemgeneratordir systemd)" != "%{_systemd | |||||
exit 1 | ||||||
fi | ||||||
|
||||||
%build | ||||||
|
||||||
# Enable hardening; Also see https://bugzilla.redhat.com/show_bug.cgi?id=1343892 | ||||||
CFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now" | ||||||
CXXFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now" | ||||||
LDFLAGS="" | ||||||
|
||||||
# On openSUSE Leap 15 or more recent build position independent executables. | ||||||
# For a helpful guide about the versions and macros used below, please see: | ||||||
# https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto | ||||||
%if 0%{?suse_version} >= 1500 | ||||||
CFLAGS="$CFLAGS -fPIE" | ||||||
CXXFLAGS="$CXXFLAGS -fPIE" | ||||||
LDFLAGS="$LDFLAGS -pie" | ||||||
%endif | ||||||
export CFLAGS="$RPM_OPT_FLAGS -fpie" | ||||||
export CXXFLAGS="$RPM_OPT_FLAGS -fpie" | ||||||
export LDFLAGS="%{?build_ldflags} -zrelro -znow" | ||||||
|
||||||
export CFLAGS | ||||||
export CXXFLAGS | ||||||
export LDFLAGS | ||||||
export CGO_CFLAGS="$CFLAGS" | ||||||
export CGO_CXXFLAGS="$CXXFLAGS" | ||||||
export CGO_LDFLAGS="$LDFLAGS" | ||||||
|
||||||
# Generate autotools build system files. | ||||||
pushd %{indigo_srcdir}/cmd | ||||||
|
@@ -252,7 +257,6 @@ autoreconf -i -f | |||||
|
||||||
popd | ||||||
|
||||||
%build | ||||||
%make_build -C %{indigo_srcdir}/cmd | ||||||
# Use the common packaging helper for building. | ||||||
# | ||||||
|
@@ -263,12 +267,29 @@ popd | |||||
all | ||||||
|
||||||
%check | ||||||
for binary in snap-exec snap-update-ns snapctl; do | ||||||
ldd $binary 2>&1 | grep 'not a dynamic executable' | ||||||
#These binaries execute inside the mount namespace thus they must be built statically | ||||||
Nitpick, add a space:
|
||||||
pushd %{buildroot}/%{_libexecdir}/snapd/ | ||||||
for binary in snap-exec snap-update-ns snapctl snap-gdb{,server}-shim; do | ||||||
ldd $binary 2>&1 | grep 'statically linked\|not a dynamic executable' | ||||||
done | ||||||
|
||||||
if test -e %{_libdir}/rcrt1.o && cc -static-pie -xc /dev/null -o /dev/null -S; then | ||||||
for binary in snap-exec snap-update-ns snapctl snap-gdb{,server}-shim; do | ||||||
file $binary | grep -F pie | ||||||
done | ||||||
fi | ||||||
popd | ||||||
|
||||||
export CFLAGS="$RPM_OPT_FLAGS -fpie" | ||||||
export CXXFLAGS="$RPM_OPT_FLAGS -fpie" | ||||||
export LDFLAGS="%{?build_ldflags} -zrelro -znow" | ||||||
export CGO_CFLAGS="$CFLAGS" | ||||||
export CGO_CXXFLAGS="$CXXFLAGS" | ||||||
export CGO_LDFLAGS="$LDFLAGS" | ||||||
|
||||||
%make_build -C %{indigo_srcdir}/cmd check | ||||||
# Use the common packaging helper for testing. | ||||||
export SNAPD_SKIP_SLOW_TESTS=1 | ||||||
%make_build -C %{indigo_srcdir} -f %{indigo_srcdir}/packaging/snapd.mk \ | ||||||
GOPATH=%{indigo_gopath}:$GOPATH SNAPD_DEFINES_DIR=%{_builddir} \ | ||||||
check | ||||||
|
@@ -297,8 +318,8 @@ chmod 755 %{buildroot}%{_localstatedir}/lib/snapd/void | |||||
# once snap-confine is added to the permissions package. This is done following | ||||||
# the recommendations on | ||||||
# https://en.opensuse.org/openSUSE:Package_security_guidelines | ||||||
install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions %{buildroot}%{_sysconfdir}/permissions.d/snapd | ||||||
install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/snapd.paranoid | ||||||
install -pm 644 -D %{indigo_srcdir}/packaging/opensuse/permissions %{buildroot}%{_sysconfdir}/permissions.d/snapd | ||||||
install -pm 644 -D %{indigo_srcdir}/packaging/opensuse/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/snapd.paranoid | ||||||
|
||||||
# See https://en.opensuse.org/openSUSE:Packaging_checks#suse-missing-rclink for details | ||||||
install -d %{buildroot}%{_sbindir} | ||||||
|
@@ -308,18 +329,22 @@ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.seeded | |||||
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.apparmor | ||||||
%endif | ||||||
|
||||||
# Install Polkit configuration. | ||||||
# TODO: This should be handled by data makefile. | ||||||
install -pm 644 -D %{indigo_srcdir}/data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions | ||||||
I just removed a bunch of this in Debian so I'm surprised this is here. Are not using the data makefiles?
||||||
|
||||||
# Install the "info" data file with snapd version | ||||||
# TODO: This should be handled by data makefile. | ||||||
install -m 644 -D %{indigo_srcdir}/data/info %{buildroot}%{_libexecdir}/snapd/info | ||||||
install -pm 644 -D %{indigo_srcdir}/data/info %{buildroot}%{_libexecdir}/snapd/info | ||||||
|
||||||
# Install bash completion for "snap" | ||||||
# TODO: This should be handled by data makefile. | ||||||
install -m 644 -D %{indigo_srcdir}/data/completion/bash/snap %{buildroot}%{_datadir}/bash-completion/completions/snap | ||||||
install -m 644 -D %{indigo_srcdir}/data/completion/bash/complete.sh %{buildroot}%{_libexecdir}/snapd | ||||||
install -m 644 -D %{indigo_srcdir}/data/completion/bash/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd | ||||||
install -pm 644 -D %{indigo_srcdir}/data/completion/bash/snap %{buildroot}%{_datadir}/bash-completion/completions/snap | ||||||
install -pm 644 -D %{indigo_srcdir}/data/completion/bash/complete.sh %{buildroot}%{_libexecdir}/snapd | ||||||
install -pm 644 -D %{indigo_srcdir}/data/completion/bash/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd | ||||||
# Install zsh completion for "snap" | ||||||
install -d -p %{buildroot}%{_datadir}/zsh/site-functions | ||||||
install -m 644 -D %{indigo_srcdir}/data/completion/zsh/_snap %{buildroot}%{_datadir}/zsh/site-functions/_snap | ||||||
install -pm 644 -D %{indigo_srcdir}/data/completion/zsh/_snap %{buildroot}%{_datadir}/zsh/site-functions/_snap | ||||||
|
||||||
%verifyscript | ||||||
%verify_permissions -e %{_libexecdir}/snapd/snap-confine | ||||||
|
@@ -384,6 +409,7 @@ fi | |||||
%dir %{_datadir}/dbus-1/system.d | ||||||
%dir %{_datadir}/polkit-1 | ||||||
%dir %{_datadir}/polkit-1/actions | ||||||
%dir %{_datadir}/snapd | ||||||
%dir %{_environmentdir} | ||||||
%dir %{_libexecdir}/snapd | ||||||
%dir %{_localstatedir}/cache/snapd | ||||||
|
@@ -401,7 +427,6 @@ fi | |||||
%dir %{_sharedstatedir}/snapd/desktop | ||||||
%dir %{_sharedstatedir}/snapd/desktop/applications | ||||||
%dir %{_sharedstatedir}/snapd/device | ||||||
%dir %{_sharedstatedir}/snapd/environment | ||||||
%dir %{_sharedstatedir}/snapd/hostfs | ||||||
%dir %{_sharedstatedir}/snapd/inhibit | ||||||
%dir %{_sharedstatedir}/snapd/lib | ||||||
|
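Review bot: The static-PIE probe `test -e %{_libdir}/rcrt1.o && cc -static-pie -xc /dev/null -o /dev/null -S` is written out twice, once in `%prep` to decide whether `pie.patch` is applied and again in `%check` to decide whether `file $binary | grep -F pie` is enforced; if the two copies drift, `%check` can silently skip the PIE assertion on a build that applied the patch, or fail one that did not. Evaluating it once at parse time, e.g. `%define with_static_pie %(test -e %{_libdir}/rcrt1.o && cc -static-pie -xc /dev/null -o /dev/null -S 2>/dev/null && echo 1 || echo 0)` next to the existing `as_apparmor_path` define, and testing `%{with_static_pie}` in both sections removes the duplication, assuming `cc` is present wherever the spec gets parsed. Since `-S` stops before linking, the probe only shows the compiler accepts the flag and the `rcrt1.o` test is what stands in for link support; the `#PIE static binaries…` comment should say so. The `export CFLAGS/CXXFLAGS/LDFLAGS/CGO_*` block is likewise duplicated between `%build` and `%check`; sections run in separate shells, so if it is to be shared it has to become a macro rather than a shell variable.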
Do you want to apply this patch upstream as well?