From 8a6c640ec42ddf0cde3ee26fbcf31156cc181960deae28b4059ccba18300476a Mon Sep 17 00:00:00 2001
From: Luna D Dragon
Date: Fri, 13 Dec 2024 13:14:51 +0530
Subject: [PATCH] build without checking for pidfd_getpid on Leap 15.6
---
 cockpit.spec | 2 +
 drop_pidfd_getpid_check.patch | 69 +++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 drop_pidfd_getpid_check.patch
diff --git a/cockpit.spec b/cockpit.spec
index 3c70bd0..03de4d2 100644
--- a/cockpit.spec
+++ b/cockpit.spec
@@ -73,6 +73,7 @@ Patch107: 0006-totp-motd.patch
 Patch103: 0004-leap-gnu18-removal.patch
 Patch104: selinux_libdir.patch
 Patch105: fix-libexecdir.patch
+Patch106: drop_pidfd_getpid_check.patch
 Patch201: remove_rh_links.patch
@@ -228,6 +229,7 @@ BuildRequires: python3-tox-current-env
 %patch -P 103 -p1
 %patch -P 104 -p1
 %patch -P 105 -p1
+%patch -P 106 -p1
 %endif
 %patch -P 201 -p1
diff --git a/drop_pidfd_getpid_check.patch b/drop_pidfd_getpid_check.patch
new file mode 100644
index 0000000..6f90729
--- /dev/null
+++ b/drop_pidfd_getpid_check.patch
@@ -0,0 +1,69 @@
+diff --git a/configure.ac b/configure.ac
+index 7b593a925..6010e8d6e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -40,7 +40,6 @@ AC_CHECK_TOOL(AR, ar)
+
+ AC_CHECK_FUNCS(
+ closefrom
+- pidfd_getpid
+ )
+
+ AM_SILENT_RULES([yes])
+diff --git a/src/session/client-certificate.c b/src/session/client-certificate.c
+index 18c8b1e4e..6acca2596 100644
+--- a/src/session/client-certificate.c
++++ b/src/session/client-certificate.c
+@@ -177,52 +177,8 @@ get_ws_proc_fd_pid_time (int unix_fd)
+ static int
+ get_ws_proc_fd (int unix_fd)
+ {
+-#if defined(SO_PEERPIDFD) && defined(HAVE_PIDFD_GETPID)
+- int pidfd = -1;
+- socklen_t socklen = sizeof pidfd;
+- /* this is always the pidfd for the process that started the communication, it cannot be recycled */
+- if (getsockopt (unix_fd, SOL_SOCKET, SO_PEERPIDFD, &pidfd, &socklen) < 0)
+- {
+- if (errno == ENOPROTOOPT)
+- {
+- debug ("SO_PEERPIDFD not supported: %m, falling back to pid/time check");
+- return get_ws_proc_fd_pid_time (unix_fd);
+- }
+-
+- warn ("Failed to get peer pidfd");
+- exit_init_problem ("access-denied", "Failed to get peer pidfd");
+- }
+- /* this is an inout parameter, be extra suspicious; this really Should Not Happen™, so bomb out */
+- if (socklen != sizeof pidfd)
+- errx (EX, "SO_PEERPIDFD returned too small result");
+-
+- /* get pid for pidfd; from here on this is racy and could suffer from PID recycling */
+- pid_t pid = pidfd_getpid (pidfd);
+- if (pid < 0)
+- {
+- /* be *very* strict here. This could theoretically ENOSYS if glibc has pidfd_getpid() but the kernel doesn't
+- * support it; but err on the side of denying access rather than falling back */
+- warn ("Failed to get pid from pidfd");
+- exit_init_problem ("access-denied", "Failed to get pid from pidfd");
+- }
+-
+- debug ("pid from ws peer pidfd: %i", (int) pid);
+- int ws_proc_dirfd = open_proc_pid (pid);
+-
+- /* check that the pid is still valid to guard against recycling */
+- if (pidfd_getpid (pidfd) != pid)
+- {
+- warn ("original pid %i is not valid any more", (int) pid);
+- exit_init_problem ("access-denied", "Failed to get cockpit-ws pid");
+- }
+-
+- close (pidfd);
+- return ws_proc_dirfd;
+-
+-#else
+ debug ("not built with pidfd support, falling back to pid/time check");
+ return get_ws_proc_fd_pid_time (unix_fd);
+-#endif
+ }
+
+/* valid_256_bit_hex_string:
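Review bot: The new drop_pidfd_getpid_check.patch starts directly at `diff --git` with no description, yet its client-certificate.c hunk deletes the `SO_PEERPIDFD` branch of `get_ws_proc_fd`, the path whose removed comment says the pidfd "cannot be recycled", and leaves only `get_ws_proc_fd_pid_time()`. A short header in the patch file would record that trade-off, for example `Leap 15.6 only: <why the pidfd_getpid probe must go>; peer lookup falls back to the pid/time check; upstream status: <link or "downstream only">`. Once the configure.ac hunk drops `pidfd_getpid` from `AC_CHECK_FUNCS`, `HAVE_PIDFD_GETPID` is presumably never defined, so the `#if` block would compile out by itself and the C hunk could be left out to keep the downstream patch small. `get_ws_proc_fd_pid_time` is defined outside this hunk, so how well the fallback resists PID reuse cannot be judged from these lines.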