From 50d583a50780efb261a5e5433a018bf7407d53808c1591eb450a3f317489b43c Mon Sep 17 00:00:00 2001 From: Reinhard Max Date: Mon, 22 Feb 2021 18:54:31 +0000 Subject: [PATCH] Accepting request 871162 from home:adkorte - Don't daemonize freshclam, but use a systemd timer instead to trigger updates + timer.freshclam % service.freshclam % clamav-conf.patch - Remove obsolete patch (replaced by SOURCE_DATE_EPOCH) - clamav-disable-timestamps.patch - Cleanup spec * use pkgconfig() to resolve BuildRequires where upstream uses it * rework creating vscan user (new system-user in Tumbleweed) * remove obsolete configure option --disable-zlib-vcheck OBS-URL: https://build.opensuse.org/request/show/871162 OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=218 --- clamav-ck_assert_msg.patch | 22 ++++ clamav-conf.patch | 35 +----- clamav-disable-timestamps.patch | 85 -------------- clamav-rpmlintrc | 1 + clamav.changes | 15 +++ clamav.spec | 196 +++++++++++++++++--------------- service.freshclam | 7 +- system-user-vscan.conf | 3 + timer.freshclam | 9 ++ 9 files changed, 156 insertions(+), 217 deletions(-) create mode 100644 clamav-ck_assert_msg.patch delete mode 100644 clamav-disable-timestamps.patch create mode 100644 system-user-vscan.conf create mode 100644 timer.freshclam diff --git a/clamav-ck_assert_msg.patch b/clamav-ck_assert_msg.patch new file mode 100644 index 0000000..29554cd --- /dev/null +++ b/clamav-ck_assert_msg.patch 
@@ -0,0 +1,22 @@
+From 58d199cbe00e8a5ef5858ffc7991a346b9f3469e Mon Sep 17 00:00:00 2001
+From: Orion Poplawski
+Date: Thu, 17 Sep 2020 22:26:04 -0600
+Subject: [PATCH] Fix ck_assert_msg() call
+
+---
+ unit_tests/check_jsnorm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unit_tests/check_jsnorm.c b/unit_tests/check_jsnorm.c
+index 5067a21a55..64f6bf8b37 100644
+--- a/unit_tests/check_jsnorm.c
++++ b/unit_tests/check_jsnorm.c
+@@ -247,7 +247,7 @@ static void tokenizer_test(const char *in, const char *expected, int split)
+ fd = open(filename, O_RDONLY);
+ if (fd < 0) {
+ jstest_teardown();
+- ck_assert_msg("failed to open output file: %s", filename);
++ ck_assert_msg(0, "failed to open output file: %s", filename);
+ }
+ 
+ diff_file_mem(fd, expected, len);
diff --git a/clamav-conf.patch b/clamav-conf.patch
index 9d3cd3e..9b131ca 100644
--- a/clamav-conf.patch
+++ b/clamav-conf.patch
@@ -113,24 +113,6 @@
 
 # Sets the group ownership on the unix socket.
 # Default: disabled (the primary group of the user running clamd)
-@@ -106,7 +102,7 @@ Example
- 
- # TCP port address.
- # Default: no
--#TCPSocket 3310
-+TCPSocket 3310
- 
- # TCP address.
- # By default we bind to INADDR_ANY, probably not wise.
-@@ -114,7 +110,7 @@ Example
- # from the outside world. This option can be specified multiple
- # times if you want to listen on multiple IPs. IPv6 is now supported.
- # Default: no
--#TCPAddr 127.0.0.1
-+TCPAddr 127.0.0.1
- 
- # Maximum length the queue of pending connections may grow to.
- # Default: 200
 @@ -204,7 +200,7 @@ Example
 
 # Run as another user (clamd must be started by root for this option to work)
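Review bot: The failure branch in tokenizer_test would read more directly with Check's unconditional-failure macro, `ck_abort_msg("failed to open output file: %s", filename);`, than with `ck_assert_msg(0, ...)`. The bug being fixed was a format string sitting in the condition slot, where it is always true, so a failed open() never failed the test and the following `diff_file_mem(fd, expected, len)` presumably ran with a negative descriptor; `ck_abort_msg` has no condition slot to get wrong. tokenizer_test starts and ends outside the inner hunk. The patch header also gives no upstream reference, so a line stating where the fix comes from would tell the next maintainer when it can be dropped.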
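Review bot: The changelog entry lists clamav-conf.patch only under the freshclam timer change, but this hunk also stops the package from enabling `TCPSocket 3310` and `TCPAddr 127.0.0.1` in clamd.conf, and the following hunk (`@@ -156,27 +138,12 @@`) drops `LogSyslog yes` and `LogFacility LOG_MAIL` from freshclam.conf. Not opening clamd's TCP listener by default narrows the exposed surface, but local clients configured for 127.0.0.1:3310 will find no listener on fresh installs, and freshclam results stop going to the mail syslog facility, which matters to anyone alerting on failed signature updates. Both changes deserve their own lines in clamav.changes, for example `- clamd no longer listens on TCP 127.0.0.1:3310 by default; use the local socket`.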
@@ -156,27 +138,12 @@
 # Path to the database directory.
 # WARNING: It must match clamd.conf's directive!
 # Default: hardcoded (depends on installation options)
-@@ -35,12 +31,12 @@ Example
- 
- # Use system logger (can work together with UpdateLogFile).
- # Default: no
--#LogSyslog yes
-+LogSyslog yes
- 
- # Specify the type of syslog messages - please refer to 'man syslog'
- # for facility names.
- # Default: LOG_LOCAL6
--#LogFacility LOG_MAIL
-+LogFacility LOG_MAIL
- 
- # Enable log rotation. Always enabled when LogFileMaxSize is enabled.
- # Default: no
 @@ -48,12 +44,12 @@ Example
 # It is recommended that the directory where this file is stored is
 # also owned by root to keep other users from tampering with it.
 # Default: disabled
 -#PidFile /var/run/freshclam.pid
-+PidFile /run/clamav/freshclam.pid
++#PidFile /run/clamav/freshclam.pid
 
 # By default when started freshclam drops privileges and switches to the
 # "clamav" user. This directive allows you to change the database owner.
diff --git a/clamav-disable-timestamps.patch b/clamav-disable-timestamps.patch
deleted file mode 100644
index 847ea86..0000000
--- a/clamav-disable-timestamps.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -Index: libclamav/tomsfastmath/misc/fp_ident.c -=================================================================== ---- libclamav/tomsfastmath/misc/fp_ident.c.orig -+++ libclamav/tomsfastmath/misc/fp_ident.c -@@ -15,7 +15,11 @@ const char *fp_ident(void) - - memset(buf, 0, sizeof(buf)); - snprintf(buf, sizeof(buf)-1, --"TomsFastMath (%s)\n" -+#if (ENABLE_TIMESTAMPS == 1) -+ "TomsFastMath (%s)\n" -+#else -+ "TomsFastMath\n" -+#endif - "\n" - "Sizeofs\n" - "\tfp_digit = %llu\n" -@@ -70,7 +74,11 @@ const char *fp_ident(void) - #ifdef TFM_HUGE - " TFM_HUGE " - #endif -+#if (ENABLE_TIMESTAMPS == 1) - "\n", __DATE__, (long long unsigned)sizeof(fp_digit), (long long unsigned)sizeof(fp_word), FP_MAX_SIZE); -+#else -+ "\n", (long long unsigned)sizeof(fp_digit), (long long unsigned)sizeof(fp_word), FP_MAX_SIZE); -+#endif - - if (sizeof(fp_digit) == sizeof(fp_word)) { - strncat(buf, "WARNING: sizeof(fp_digit) == sizeof(fp_word), this build is likely to not work properly.\n", -Index: configure -=================================================================== ---- configure.orig -+++ configure -@@ -814,6 +814,7 @@ FGREP - LIBFRESHCLAM_VERSION - LIBCLAMAV_VERSION_NUM - LIBCLAMAV_VERSION -+ENABLE_TIMESTAMPS - PACKAGE_VERSION_NUM - ac_ct_AR - AR -@@ -924,6 +925,7 @@ ac_user_opts=' - enable_mmap_for_cross_compiling - enable_dependency_tracking - enable_silent_rules -+enable_timestamps - enable_static - enable_shared - with_pic -@@ -1644,6 +1646,8 @@ Optional Features: - --enable-silent-rules less verbose build output (undo: "make V=1") - --disable-silent-rules verbose build output (undo: "make V=0") - --enable-static[=PKGS] build static libraries [default=no] -+ --enable-timestamps Enable embedding timestamp information in build -+ (default is YES) - --enable-shared[=PKGS] build shared libraries [default=yes] - --enable-fast-install[=PKGS] - optimize for fast installation [default=yes] -@@ -5927,6 +5931,26 @@ $as_echo "$ac_cv_safe_to_define___extens - - - 
$as_echo "#define PACKAGE PACKAGE_NAME" >>confdefs.h -+# Check whether --enable-timestamps was given. -+if test "${enable_timestamps+set}" = set; then : -+ enableval=$enable_timestamps; -+else -+ enableval=default -+fi -+ -+case "$enableval" in -+ yes) ENABLE_TIMESTAMPS=1 -+ ;; -+ no) ENABLE_TIMESTAMPS=0 -+ ;; -+ default) ENABLE_TIMESTAMPS=1 -+ ;; -+ *) as_fn_error $? "Invalid setting for --enable-timestamps. Use \"yes\" or \"no\"" "$LINENO" 5 ;; -+esac -+ -+cat >>confdefs.h <<_ACEOF -+#define ENABLE_TIMESTAMPS $ENABLE_TIMESTAMPS -+_ACEOF - - - VERSION="0.103.1" diff --git a/clamav-rpmlintrc b/clamav-rpmlintrc index dd42f83..563eeb3 100644 --- a/clamav-rpmlintrc +++ b/clamav-rpmlintrc @@ -1,3 +1,4 @@ addFilter("non-standard-uid.*") addFilter("devel-file-in-non-devel-package.*") addFilter("obsolete-not-provided") +addFilter("systemd-service-without-service_.* freshclam.service") diff --git a/clamav.changes b/clamav.changes index cac2ae7..1b33905 100644 --- a/clamav.changes +++ b/clamav.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue Feb 9 16:00:25 UTC 2021 - Arjen de Korte + +- Don't daemonize freshclam, but use a systemd timer instead to + trigger updates + + timer.freshclam + % service.freshclam + % clamav-conf.patch +- Remove obsolete patch (replaced by SOURCE_DATE_EPOCH) + - clamav-disable-timestamps.patch +- Cleanup spec + * use pkgconfig() to resolve BuildRequires where upstream uses it + * rework creating vscan user (new system-user in Tumbleweed) + * remove obsolete configure option --disable-zlib-vcheck + ------------------------------------------------------------------- Sat Feb 6 11:20:37 UTC 2021 - Arjen de Korte diff --git a/clamav.spec b/clamav.spec index 77237a1..13e20e9 100644 --- a/clamav.spec +++ b/clamav.spec @@ -16,8 +16,8 @@ # -%define clamav_check --enable-check -%bcond_with clammspack +%bcond_with clammspack +%bcond_with valgrind Name: clamav Version: 0.103.1 Release: 0 
@@ -25,40 +25,35 @@ Summary: Antivirus Toolkit License: GPL-2.0-only Group: Productivity/Security URL: http://www.clamav.net -Source0: http://www.clamav.net/downloads/production/%name-%version.tar.gz -Source1: http://www.clamav.net/downloads/production/%name-%version.tar.gz.sig +Source0: http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz +Source1: http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz.sig Source4: clamav-rpmlintrc Source6: clamav-tmpfiles.conf Source7: service.clamd Source8: service.freshclam Source9: service.clamav-milter +Source10: timer.freshclam Source11: clamav.keyring +Source65: system-user-vscan.conf Patch1: clamav-conf.patch -Patch4: clamav-disable-timestamps.patch Patch5: clamav-obsolete-config.patch Patch6: clamav-disable-yara.patch Patch12: clamav-fips.patch +Patch13: clamav-ck_assert_msg.patch BuildRequires: autoconf BuildRequires: automake -BuildRequires: bc -BuildRequires: check-devel BuildRequires: gcc-c++ BuildRequires: libbz2-devel BuildRequires: libcurl-devel >= 7.45 BuildRequires: libjson-c-devel -BuildRequires: libopenssl-devel +BuildRequires: libopenssl-devel >= 1.0.2 BuildRequires: libtool BuildRequires: libxml2-devel -BuildRequires: ncurses-devel -BuildRequires: pcre2-devel -BuildRequires: pkgconfig -BuildRequires: pwdutils -BuildRequires: sed BuildRequires: sendmail-devel -BuildRequires: systemd-rpm-macros -#BuildRequires: valgrind -BuildRequires: zlib-devel -BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(check) +BuildRequires: pkgconfig(libpcre2-8) >= 10.30 +BuildRequires: pkgconfig(ncurses) +BuildRequires: pkgconfig(zlib) # # Workaround to keep "make check" from using an existing libclamav # instead of the just built one. This should rather be fixed 
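Review bot: `URL`, `Source0` and `Source1` are rewritten here for macro style but stay on plain `http://`, so both the tarball and its detached signature travel over an unauthenticated channel. The signature and the keyring in `Source11` only protect the build where verification is actually run, which this hunk does not show. If upstream serves the same paths over TLS, switch the three lines to `https://`, e.g. `Source0: https://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz`.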
@@ -66,19 +61,23 @@ BuildRequires: pkgconfig(libsystemd) # of the test binaries. # #!BuildIgnore: clamav -Requires(pre): %_bindir/awk -Requires(pre): %_sbindir/groupadd -Requires(pre): %_sbindir/useradd -Requires(pre): %_sbindir/usermod -Requires(pre): /bin/sed -Requires(pre): /bin/tar Obsoletes: clamav-db < 0.88.3 -Provides: clamav-nodb = %version -Obsoletes: clamav-nodb <= 0.98.4 -%systemd_ordering +Provides: clamav-nodb = %{version} +Obsoletes: clamav-nodb < %{version} %if %{without clammspack} -BuildRequires: libmspack-devel +BuildRequires: pkgconfig(libmspack) %endif +%if %{with valgrind} +BuildRequires: valgrind +%endif +%if 0%{?suse_version} > 1500 +Requires(pre): group(vscan) +Requires(pre): user(vscan) +%else +BuildRequires: sysuser-tools +%sysusers_requires +%endif +%{?systemd_ordering} %description ClamAV is an antivirus engine designed for detecting trojans, @@ -117,8 +116,8 @@ viruses, malware and other malicious threats. %package devel Summary: Development files for libclamav, an antivirus engine Group: Development/Libraries/C and C++ -Requires: libclamav9 = %version -Requires: libfreshclam2 = %version +Requires: libclamav9 = %{version} +Requires: libfreshclam2 = %{version} %description devel ClamAV is an antivirus engine designed for detecting trojans, @@ -130,18 +129,22 @@ that want to make use of libclamav. %prep %setup -q %patch1 -%patch4 %patch5 %patch6 %patch12 +%patch13 -p1 %build +%if 0%{?suse_version} <= 1500 +# Create vscan user +%sysusers_generate_pre %{SOURCE65} vscan +%endif CFLAGS="-fstack-protector" CXXFLAGS="-fstack-protector" export CFLAGS="%optflags $CFLAGS -fPIE -fno-strict-aliasing" export CXXFLAGS="%optflags $CXXFLAGS -fPIE -fno-strict-aliasing -std=gnu++98" export LDFLAGS="-pie" -%if "%_lib" == "lib64" +%if "%{_lib}" == "lib64" # tomsfastmath needs this for correct operation on 64-bit platforms CFLAGS="$CFLAGS -DFP_64BIT" %endif 
@@ -152,10 +155,8 @@ CFLAGS="$CFLAGS -DFP_64BIT" --with-user=vscan \ --with-group=vscan \ --enable-milter \ - %clamav_check \ + --enable-check \ --enable-clamdtop \ - --disable-zlib-vcheck \ - --disable-timestamps \ --disable-yara \ %if %{without clammspack} --with-system-libmspack 
@@ -165,104 +166,113 @@ CFLAGS="$CFLAGS -DFP_64BIT" %install %make_install -install -d -m755 %buildroot%{_localstatedir}/lib/clamav -install -d -m755 %buildroot/%_tmpfilesdir -install -m644 %SOURCE6 %buildroot%_tmpfilesdir/clamav.conf -mkdir -p %buildroot%{_localstatedir}/spool/amavis -mkdir -p -m 0755 %buildroot/run/clamav -find %buildroot -type f -name "*.la" -delete -print +install -d -m755 %{buildroot}%{_localstatedir}/lib/clamav +install -d -m755 %{buildroot}%{_tmpfilesdir} +install -m644 %SOURCE6 %{buildroot}%{_tmpfilesdir}/clamav.conf +%if 0%{?suse_version} <= 1500 +mkdir -p %{buildroot}%{_localstatedir}/spool/amavis +%endif +mkdir -p -m 0755 %{buildroot}/run/clamav +find %{buildroot} -type f -name "*.la" -delete -print # libclammspack is not meant to be linked against by anything but # libclamav -rm -f %buildroot%_libdir/pkgconfig/libclammspack.pc -rm -f %buildroot%_libdir/libclammspack.so +rm -f %{buildroot}%{_libdir}/pkgconfig/libclammspack.pc +rm -f %{buildroot}%{_libdir}/libclammspack.so # fix the new config file names -pushd %buildroot%_sysconfdir -mv clamd.conf.sample clamd.conf -mv clamav-milter.conf.sample clamav-milter.conf -mv freshclam.conf.sample freshclam.conf -popd +mv %{buildroot}%{_sysconfdir}/clamd.conf{.sample,} +mv %{buildroot}%{_sysconfdir}/clamav-milter.conf{.sample,} +mv %{buildroot}%{_sysconfdir}/freshclam.conf{.sample,} # Systemd... 
-install -d -m 0755 %buildroot/%_unitdir -install -m 0644 %SOURCE7 %buildroot/%_unitdir/clamd.service -install -m 0644 %SOURCE8 %buildroot/%_unitdir/freshclam.service -install -m 0644 %SOURCE9 %buildroot/%_unitdir/clamav-milter.service -rm -f %buildroot/%_unitdir/clamav-clamonacc.service -rm -f %buildroot/%_unitdir/clamav-daemon.service -rm -f %buildroot/%_unitdir/clamav-daemon.socket -rm -f %buildroot/%_unitdir/clamav-freshclam.service +install -d -m 0755 %{buildroot}%{_unitdir} +rm -f %{buildroot}%{_unitdir}/clamav-* +install -m 0644 %SOURCE7 %{buildroot}%{_unitdir}/clamd.service +install -m 0644 %SOURCE8 %{buildroot}%{_unitdir}/freshclam.service +install -m 0644 %SOURCE9 %{buildroot}%{_unitdir}/clamav-milter.service +install -m 0644 %SOURCE10 %{buildroot}%{_unitdir}/freshclam.timer # this is broken if system does not have systemd so don't # use it at all on systems without mandatory systemd -for srvname in clamd freshclam clamav-milter;do - (export PATH=%_prefix/sbin:/sbin:$PATH ;ln -sf $(which service) %buildroot/%_sbindir/rc${srvname}) +for srvname in clamd freshclam clamav-milter; do + (export PATH=%_prefix/sbin:/sbin:$PATH ;ln -sf $(which service) %{buildroot}/%{_sbindir}/rc${srvname}) done %check - # regression tests %if !0%{?qemu_user_space_build:1} make check VG=1 %endif +%if 0%{?suse_version} > 1500 +%pre +%else +%pre -f vscan.pre +%endif +%service_add_pre clamd.service clamav-milter.service + +%post +%tmpfiles_create %{_tmpfilesdir}/clamav.conf +%service_add_post clamd.service clamav-milter.service + +%preun +%service_del_preun clamd.service clamav-milter.service + +%postun +%service_del_postun clamd.service clamav-milter.service + +%if 0%{?suse_version} > 1500 +%ldconfig_scriptlets -n libclamav9 +%ldconfig_scriptlets -n libfreshclam2 +%if %{with clammspack} +%ldconfig_scriptlets -n libclammspack0 +%endif +%else %post -n libclamav9 -p /sbin/ldconfig %postun -n libclamav9 -p /sbin/ldconfig %post -n libfreshclam2 -p /sbin/ldconfig %postun -n libfreshclam2 
-p /sbin/ldconfig +%if %{with clammspack} %post -n libclammspack0 -p /sbin/ldconfig %postun -n libclammspack0 -p /sbin/ldconfig +%endif +%endif %files -%config(noreplace) %_sysconfdir/*.conf -#systemd... -%_unitdir/clamd.service -%_unitdir/freshclam.service -%_unitdir/clamav-milter.service -%_tmpfilesdir %license COPYING* %doc docs/html/* -%_mandir/*/* -%_bindir/* -%_sbindir/* +%config(noreplace) %{_sysconfdir}/*.conf +#systemd... +%{_bindir}/* +%{_sbindir}/* +%{_mandir}/man?/* +%{_tmpfilesdir}/* +%{_unitdir}/clamd.service +%{_unitdir}/freshclam.service +%{_unitdir}/freshclam.timer +%{_unitdir}/clamav-milter.service %defattr(-,vscan,vscan) -%dir %attr(750,vscan,vscan) %{_localstatedir}/spool/amavis %dir %{_localstatedir}/lib/clamav +%if 0%{?suse_version} <= 1500 +%dir %attr(750,vscan,vscan) %{_localstatedir}/spool/amavis +%endif %ghost %attr(755,vscan,vscan) /run/clamav %files -n libclamav9 -%_libdir/libclam*.so.9* +%{_libdir}/libclam*.so.9* %files -n libfreshclam2 -%_libdir/libfreshclam.so.2* +%{_libdir}/libfreshclam.so.2* %if %{with clammspack} %files -n libclammspack0 -%_libdir/libclammspack.so.0* +%{_libdir}/libclammspack.so.0* %endif %files devel -%_libdir/pkgconfig/* -%_libdir/libclam*.so -%_libdir/libfreshclam*.so -%_includedir/* - -%pre -getent group vscan >/dev/null || %_sbindir/groupadd -r vscan -getent passwd vscan >/dev/null || \ - %_sbindir/useradd -r -o -g vscan -u 65 -s /bin/false \ - -c "Vscan account" -d %{_localstatedir}/spool/amavis vscan -%_sbindir/usermod vscan -g vscan -%service_add_pre clamd.service freshclam.service clamav-milter.service - -%post -%tmpfiles_create %_tmpfilesdir/clamav.conf -%service_add_post clamd.service freshclam.service clamav-milter.service - -%preun -%service_del_preun clamd.service freshclam.service clamav-milter.service - -%postun -%service_del_postun clamd.service freshclam.service clamav-milter.service +%{_includedir}/* +%{_libdir}/pkgconfig/* +%{_libdir}/libclam*.so +%{_libdir}/libfreshclam*.so %changelog 
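Review bot: In the new scriptlets, `%service_add_pre`, `%service_add_post`, `%service_del_preun` and `%service_del_postun` name only clamd.service and clamav-milter.service, while freshclam.timer is installed into `%{_unitdir}` and is now the only thing that triggers updates. As far as this hunk shows, nothing applies presets to the timer or handles it on upgrade and removal, so a host that had freshclam.service enabled before may end up with no periodic signature updates and no error to show for it. List the timer in all four macros, e.g. `%service_add_post clamd.service clamav-milter.service freshclam.timer`, and consider a line in clamav.changes telling admins to enable freshclam.timer.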
diff --git a/service.freshclam b/service.freshclam
index 1667812..6cd2625 100644
--- a/service.freshclam
+++ b/service.freshclam
@@ -4,11 +4,8 @@ After=network-online.target
 Wants=network-online.target
 
 [Service]
-Type=forking
-ExecStart=/usr/bin/freshclam -d
+Type=oneshot
+ExecStart=/usr/bin/freshclam
 ;User=vscan
 ;Group=vscan
 ;PrivateTmp=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/system-user-vscan.conf b/system-user-vscan.conf
new file mode 100644
index 0000000..275f911
--- /dev/null
+++ b/system-user-vscan.conf
@@ -0,0 +1,3 @@
+# Type Name ID GECOS [HOME]
+g vscan 65 - -
+u vscan 65 "Vscan account" /var/spool/amavis
diff --git a/timer.freshclam b/timer.freshclam
new file mode 100644
index 0000000..ad3c904
--- /dev/null
+++ b/timer.freshclam
@@ -0,0 +1,9 @@
+[Unit]
+Description=Timer for freshclam virus definitions downloader
+
+[Timer]
+OnUnitActiveSec=2h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
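Review bot: freshclam.service still starts the updater without any sandboxing: `;User=vscan`, `;Group=vscan` and `;PrivateTmp=yes` remain commented out, so the process that fetches and parses remote data starts as root and relies on freshclam dropping privileges itself. Since the unit is now a short-lived oneshot, this is a cheap place to add hardening, for example `PrivateTmp=yes`, `NoNewPrivileges=yes` and `ProtectSystem=full`, after checking that database writes and clamd notification still work. A comment in the unit saying why User= and Group= are left unset would also help.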
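Review bot: `OnUnitActiveSec=2h` is the only trigger in timer.freshclam, and it counts from the last activation of freshclam.service, so after a boot in which the service has not yet run the timer has nothing to elapse from and updates may never start. `Persistent=true` does not cover this, because systemd applies it only to `OnCalendar=` timers. Add a boot-relative trigger such as `OnBootSec=5min` alongside `OnUnitActiveSec=2h`, or move to `OnCalendar=` with `RandomizedDelaySec=` if catch-up after downtime is the goal.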