Sync from SUSE:ALP:Source:Standard:1.0 mlocate revision 0676acbe53e056248911539904a7fc7a

2024-01-12 13:00:00 +01:00 · 2024-01-12 13:00:00 +01:00 · f22c3d2d2a
commit f22c3d2d2a
10 changed files with 551 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/mlocate-0.26.tar.xz
+++ b/mlocate-0.26.tar.xz
--- a/mlocate.changes
+++ b/mlocate.changes
@ -0,0 +1,281 @@
+-------------------------------------------------------------------
+Mon Jan  8 11:10:30 UTC 2024 - Frederic Crozat <fcrozat@suse.com>
+
+- Drop url from source, fedorahosted.org is no longer running.
+
+-------------------------------------------------------------------
+Fri Mar 17 11:14:00 UTC 2023 - Arjen de Korte <suse+build@de-korte.org>
+
+- Set umask 0022 before running /usr/bin/updatedb (boo#1209409)
+
+-------------------------------------------------------------------
+Fri Feb  3 15:35:01 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+
+- Remove ProtectKernelModules from systemd unit as it makes files
+  inaccessible that are then not visible for locate (bsc#1207884)
+
+-------------------------------------------------------------------
+Wed Sep 14 13:16:44 UTC 2022 - Peter Simons <psimons@suse.com>
+
+- Pass "--shell=/bin/sh" to "su" when running the "updatedb"
+  command so that we don't depend on the "${RUN_UPDATEDB_AS}"
+  user's login shell. Since that user is "nobody" by default, the
+  login shell will oftentimes be "/bin/false". [jsc#PED-1717]
+
+-------------------------------------------------------------------
+Wed Oct  6 14:16:25 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * mlocate.service
+
+-------------------------------------------------------------------
+Fri Sep 11 16:14:56 UTC 2020 - Hans-Peter Jansen <hpj@urpla.net>
+
+- Require apparmor-abstractions, because apparmor.service fails with
+  "Could not open 'tunables/global'" error otherwise. [bsc#1195144]
+
+-------------------------------------------------------------------
+Tue Dec  4 11:11:51 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
+
+- Reduce amount of emitted %service_* boilerplate.
+
+-------------------------------------------------------------------
+Fri Nov 30 06:27:56 UTC 2018 - erictorres4@protonmail.com
+
+- Add systemd service and timer units [boo#1115408]
+- Add rc symlinks for backwards compatibility
+- Add BuildRequires for systemd-rpm-macros
+- Minor correction to summary, change 'an' to 'a'
+- Add commands for registering systemd unit files in install scripts
+- Update files list to include systemd units
+- Remove dependency on cron
+- Move logic from cron script to systemd service unit
+- Remove all variables except RUN_UPDATEDB_AS from sysconfig.locate
+
+-------------------------------------------------------------------
+Fri Sep  7 13:16:39 UTC 2018 - suse-beta@cboltz.de
+
+- add capability rules to updatedb AppArmor profile to allow running
+  it as root (boo#1089594#c4)
+
+-------------------------------------------------------------------
+Thu May 10 09:13:26 UTC 2018 - tchvatal@suse.com
+
+- Add apparmor profile bsc#1089594
+
+-------------------------------------------------------------------
+Thu Nov 23 13:52:07 UTC 2017 - rbrown@suse.com
+
+- Replace references to /var/adm/fillup-templates with new
+  %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Fri Aug 25 08:20:29 UTC 2017 - tchvatal@suse.com
+
+- Require user nobody wrt bsc#1055634
+
+-------------------------------------------------------------------
+Mon Jul 10 08:45:24 UTC 2017 - tchvatal@suse.com
+
+- We moved locks to /run thus do not rely on symlinks
+
+-------------------------------------------------------------------
+Thu Feb 16 09:53:52 UTC 2017 - tchvatal@suse.com
+
+- Update the umask also in su section where it could be nulled
+  wrt bsc#1019440
+
+-------------------------------------------------------------------
+Mon Aug 29 12:50:37 UTC 2016 - tchvatal@suse.com
+
+- Reduce dependencies a bit
+- Update updatedb.conf wrt bnc#994663
+
+-------------------------------------------------------------------
+Wed Jan 20 10:58:56 UTC 2016 - tchvatal@suse.com
+
+- Cron file updates:
+  - Remove the ac/battery detection that does not work
+  - Exit with 1 when the updatedb is not executable
+
+-------------------------------------------------------------------
+Wed Jan 20 10:53:55 UTC 2016 - tchvatal@suse.com
+
+- Add more mounts to exclude in updatedb.conf
+
+-------------------------------------------------------------------
+Fri Aug 21 07:23:52 UTC 2015 - tchvatal@suse.com
+
+- Specify umask to allow user redefine the value in login.defs
+  bnc#941296
+
+-------------------------------------------------------------------
+Sat Oct 25 17:09:31 UTC 2014 - tchvatal@suse.com
+
+- Remove mention of the locate group that was obsoleted.
+  fixes bnc#902588
+
+-------------------------------------------------------------------
+Wed Jun 11 11:09:08 UTC 2014 - tchvatal@suse.com
+
+- Enable testsuite.
+
+-------------------------------------------------------------------
+Mon May  5 08:04:23 UTC 2014 - tchvatal@suse.com
+
+- Remove some duped fs from PRUNEFS variable.
+
+-------------------------------------------------------------------
+Tue Apr 15 09:52:00 UTC 2014 - tchvatal@suse.com
+
+- Update once more to always hit the same code and to avoid
+  regressions that are hit only under some setup scenarios.
+
+-------------------------------------------------------------------
+Thu Apr  3 11:29:08 UTC 2014 - tchvatal@suse.com
+
+- Fix a bug where empty RUN_UPDATEDB_AS="" caused cron fail with
+  unknown arguments if the compat values were empty.
+
+-------------------------------------------------------------------
+Wed Mar 19 09:09:44 UTC 2014 - tchvatal@suse.com
+
+- Also respect the UPDATEDB_ when not running as root in the
+  cron job.
+
+-------------------------------------------------------------------
+Mon Mar 17 08:44:54 UTC 2014 - tchvatal@suse.com
+
+- Move the UPDATEDB_ variables parsing to cron service to have
+  it working there as the upstream bash config is not exactly
+  shell interpreted. bnc#861955.
+- Sadly this way if user runs updatedb by hand it gets not
+  properly populated, but at least the cron works with backcompat
+  way.
+
+-------------------------------------------------------------------
+Fri Mar 14 08:24:29 UTC 2014 - tchvatal@suse.com
+
+- Include findutils-locate variables in updatedb.conf if user
+  still have them specified. bnc#861955
+  * This ensures we can still load the variables user can specified
+    in the /etc/sysconfig/locate namely UPDATEDB_PRUNEPATHS and
+    UPDATEDB_PRUNEFS
+
+-------------------------------------------------------------------
+Fri Mar 14 08:18:22 UTC 2014 - tchvatal@suse.com
+
+- Cleanup with spec-cleaner.
+
+-------------------------------------------------------------------
+Fri Mar 14 08:17:01 UTC 2014 - tchvatal@suse.com
+
+- Update comments in sysconfig.locate a bit to reflect reality.
+
+-------------------------------------------------------------------
+Tue Oct 29 13:10:50 UTC 2013 - tchvatal@suse.com
+
+- As discussed run updatedb as nobody and do not use the locate
+  group at all. Wrt bnc#847801.
+
+-------------------------------------------------------------------
+Mon Sep  9 18:32:41 UTC 2013 - tchvatal@suse.com
+
+- Recommend the language package.
+
+-------------------------------------------------------------------
+Wed Jun 12 13:40:30 UTC 2013 - tchvatal@suse.com
+
+- Add missing space to description of package.
+
+-------------------------------------------------------------------
+Mon Jun  3 12:09:09 UTC 2013 - tchvatal@suse.com
+
+- Add COPYING to %docs macro as reported by cfarrell.
+
+-------------------------------------------------------------------
+Mon Jun  3 11:41:23 UTC 2013 - cfarrell@suse.com
+
+- license update: GPL-2.0
+  Multiple instances of (c) Red Hat GPL-2.0 licensing
+
+-------------------------------------------------------------------
+Thu May 30 11:29:26 UTC 2013 - tchvatal@suse.com
+
+- Fixup provide/obsolete to really work + cleanup spec
+
+-------------------------------------------------------------------
+Thu May 30 10:49:45 UTC 2013 - tchvatal@suse.com
+
+- More work wrt previous change. Provide/obsolete findutils-locate.
+
+-------------------------------------------------------------------
+Thu May 30 09:26:59 UTC 2013 - tchvatal@suse.com
+
+- Do not use sgid but require user to be in group locate
+  in order to be able to search.
+
+-------------------------------------------------------------------
+Sun Dec  2 11:04:25 UTC 2012 - tchvatal@suse.com
+
+- Whitespace / format the spec a bit.
+
+-------------------------------------------------------------------
+Tue Nov 20 20:54:44 UTC 2012 - tchvatal@suse.com
+
+- Try to shutup the suid error.
+
+-------------------------------------------------------------------
+Tue Nov 20 20:51:58 UTC 2012 - tchvatal@suse.com
+
+- Run the perm stuff only on new enough suse.
+
+-------------------------------------------------------------------
+Tue Nov 20 20:45:46 UTC 2012 - tchvatal@suse.com
+
+- Update the verify to adhere specs.
+
+-------------------------------------------------------------------
+Tue Nov 20 20:42:25 UTC 2012 - tchvatal@suse.com
+
+- Adhere to specs to exit 0 on pre.
+
+-------------------------------------------------------------------
+Tue Nov 20 20:39:51 UTC 2012 - tchvatal@suse.com
+
+- Add buildroot definition to have it on sle
+
+-------------------------------------------------------------------
+Tue Nov 20 20:33:41 UTC 2012 - tchvatal@suse.com
+
+- require pwdutils for pre phase
+
+-------------------------------------------------------------------
+Mon Nov 12 14:29:49 UTC 2012 - tchvatal@suse.com
+
+- silence error about PIE, thanks to darix for suggestions on irc.
+
+-------------------------------------------------------------------
+Mon Nov 12 13:45:07 UTC 2012 - tchvatal@suse.com
+
+- version bump to latest
+
+-------------------------------------------------------------------
+Mon Oct 31 14:56:45 UTC 2011 - prusnak@opensuse.org
+
+- spec cleanup
+
+-------------------------------------------------------------------
+Fri Aug  5 07:57:11 UTC 2011 - tchvatal@novell.com
+
+- Update the docs list
+
+-------------------------------------------------------------------
+Thu Aug  4 20:03:44 UTC 2011 - tchvatal@novell.com
+
+- Punt useless clean section
+
+-------------------------------------------------------------------
+Thu Aug  4 14:37:22 UTC 2011 - tchvatal@novell.com
+
+- Initial version 0.24 of mlocate package
--- a/mlocate.service
+++ b/mlocate.service
@ -0,0 +1,32 @@
+[Unit]
+Description=Update locate database
+Documentation=man:updatedb
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=oneshot
+ExecStart=/bin/sh -c \
+          "chown -R ${RUN_UPDATEDB_AS}:root /var/lib/mlocate && \
+          su --shell=/bin/sh ${RUN_UPDATEDB_AS} -c 'umask 0022; /usr/bin/updatedb'"
+
+# Ensure we have proper umask bnc#941296
+UMask=0022
+
+# Alter the priority of the updatedb process
+Nice=19
+IOSchedulingClass=2
+IOSchedulingPriority=7
+
+# Load sysconfig
+EnvironmentFile=/etc/sysconfig/locate
--- a/mlocate.spec
+++ b/mlocate.spec
@ -0,0 +1,135 @@
+#
+# spec file for package mlocate
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name:           mlocate
+Version:        0.26
+Release:        0
+Summary:        A utility for finding files by name
+License:        GPL-2.0-only
+Group:          System/Monitoring
+URL:            https://pagure.io/mlocate
+Source0:        %{name}-%{version}.tar.xz
+Source1:        updatedb.conf
+Source2:        sysconfig.locate
+# apparmor profile
+Source3:        usr.bin.locate
+Source4:        usr.bin.updatedb
+Source5:        mlocate.timer
+Source6:        mlocate.service
+BuildRequires:  gettext-tools
+BuildRequires:  grep
+BuildRequires:  sed
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  xz
+Requires:       apparmor-abstractions
+Requires(post): %fillup_prereq
+Recommends:     %{name}-lang = %{version}
+Provides:       findutils:%{_bindir}/locate
+# findutils is at version 4.5 so we need newer
+# provides here to get it really obsoleted
+Provides:       findutils-locate = 5.%{version}
+Obsoletes:      findutils-locate < 5.%{version}
+%if 0%{?suse_version} > 1320
+Requires:       user(nobody)
+%endif
+
+%description
+A new locate implementation. The m character
+stands for merging, because updatedb reuses the
+existing database to avoid re-reading most of the
+file system.
+
+%lang_package
+
+%prep
+%setup -q
+
+# do not check for visibilty by default as we go with nobody
+sed -i \
+	-e 's:conf_check_visibility = true:conf_check_visibility = false:g' \
+	src/conf.c
+
+%build
+export CFLAGS="%{optflags} -fPIE"
+export LDFLAGS="-pie"
+%configure \
+	--localstatedir=%{_localstatedir}/lib \
+	--enable-nls \
+	--disable-rpath
+make groupname=nobody %{?_smp_mflags}
+
+%install
+make DESTDIR=%{buildroot} groupname=nobody install
+%find_lang %{name} || echo -n >> %{name}.lang
+# DB file
+mkdir -p %{buildroot}%{_localstatedir}/lib/%{name}
+echo -n >> %{buildroot}%{_localstatedir}/lib/%{name}/%{name}.db
+# Config
+mkdir -p %{buildroot}%{_sysconfdir}
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}
+# Sysconfig settings
+install -D -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.locate
+# systemd units
+install -D -m 644 %{SOURCE5} %{buildroot}%{_unitdir}/mlocate.timer
+install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/mlocate.service
+# rc symlink
+mkdir -p %{buildroot}%{_sbindir}
+ln -s /usr/sbin/service %{buildroot}/%{_sbindir}/rcmlocate
+# apparmor
+install -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.locate
+install -D -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.updatedb
+
+%check
+make check %{?_smp_mflags}
+
+%pre
+%service_add_pre mlocate.service mlocate.timer
+
+%post
+%{fillup_only -n locate}
+%service_add_post mlocate.service mlocate.timer
+
+%preun
+%service_del_preun mlocate.service mlocate.timer
+
+%postun
+%service_del_postun mlocate.service mlocate.timer
+
+%files
+%license COPYING
+%doc AUTHORS ChangeLog README NEWS
+%config(noreplace) %{_sysconfdir}/updatedb.conf
+%attr(0755,root,root) %{_bindir}/locate
+%{_bindir}/updatedb
+%{_mandir}/man*/*
+%{_unitdir}/mlocate.timer
+%{_unitdir}/mlocate.service
+%dir %{_localstatedir}/lib/mlocate
+%ghost %{_localstatedir}/lib/mlocate/mlocate.db
+%{_fillupdir}/*
+%dir %{_sysconfdir}/apparmor.d/
+%{_sysconfdir}/apparmor.d/*
+%{_sbindir}/rcmlocate
+
+%files lang -f %{name}.lang
+
+%changelog
--- a/mlocate.timer
+++ b/mlocate.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=Daily locate database update
+Documentation=man:updatedb
+
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Unit=mlocate.service
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/sysconfig.locate
+++ b/sysconfig.locate
@ -0,0 +1,18 @@
+## Path:	Applications/Locate
+## Description:	Configuration of updatedb
+#
+# NOTE: These variables only apply to systemd updatedb service only
+# NOTE: For the app-wide settings see /etc/updatedb.conf
+#
+## Type:	string(nobody, root, ...)
+## Default:	nobody
+#
+# updatedb can be run under specified user privileges
+# It runs the "find" command as this user. Some people think this is a
+# security hole if set to 'root' (because some directory information can
+# be read which is normally protected). Others think it is useful to hold
+# all files in the database.
+# So if you want full information in locate db, set RUN_UPDATEDB_AS=root.
+# If you want security use RUN_UPDATEDB_AS=nobody.
+#
+RUN_UPDATEDB_AS=nobody
--- a/updatedb.conf
+++ b/updatedb.conf
@ -0,0 +1,17 @@
+# /etc/updatedb.conf: config file for mlocate
+
+# This file sets variables that are used by updatedb.
+# For more info, see the updatedb.conf(5) manpage.
+
+# Filesystems that are pruned from updatedb database
+PRUNEFS="9p afs anon_inodefs auto autofs bdev binfmt binfmt_misc ceph fuse.ceph cgroup cifs coda configfs cramfs cpuset debugfs devfs devpts devtmps ecryptfs eventpollfs exofs futexfs ftpfs fuse fusectl gfs gfs2 gpfs hostfs hugetlbfs inotifyfs iso9660 jffs2 lustre misc mqueue ncpfs nfs NFS nfs4 nfsd nnpfs ocfs ocfs2 pipefs proc ramfs rpc_pipefs securityfs selinuxfs sfs shfs smbfs sockfs spufs sshfs subfs supermount sysfs tmpfs ubifs udf usbfs vboxsf vperfctrfs"
+
+# Paths which are pruned from updatedb database
+PRUNEPATHS="/tmp /var/tmp /var/cache /var/lock /var/run /var/spool /mnt /cdrom /usr/tmp /proc /media /sys /.snapshots /var/run/media"
+
+# Folder names that are pruned from updatedb database
+PRUNENAMES = ".git .hg .svn .bzr .arch-ids {arch} CVS"
+
+# Skip bind mounts.
+# DISABLED for bnc#994663 and to avoid btrfs subvolume issues
+PRUNE_BIND_MOUNTS="no"
--- a/usr.bin.locate
+++ b/usr.bin.locate
@ -0,0 +1,11 @@
+# Last Modified: Fri Apr 13 22:23:29 2018
+#include <tunables/global>
+
+/usr/bin/locate {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  /usr/bin/locate mr,
+  /var/lib/mlocate/mlocate.db r,
+
+}
--- a/usr.bin.updatedb
+++ b/usr.bin.updatedb
@ -0,0 +1,19 @@
+# Last Modified: Fri Apr 13 21:57:17 2018
+#include <tunables/global>
+
+/usr/bin/updatedb {
+  #include <abstractions/base>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+
+  / r,
+  /**/ r,
+  /etc/updatedb.conf r,
+  /usr/bin/updatedb mr,
+  owner /proc/@{pid}/mounts r,
+  /var/lib/mlocate/mlocate.db rwk,
+  /var/lib/mlocate/mlocate.db.?????? rw,
+
+}