Accepting request 871162 from home:adkorte

- Don't daemonize freshclam, but use a systemd timer instead to
  trigger updates
  + timer.freshclam
  % service.freshclam
  % clamav-conf.patch
- Remove obsolete patch (replaced by SOURCE_DATE_EPOCH)
  - clamav-disable-timestamps.patch
- Cleanup spec
  * use pkgconfig() to resolve BuildRequires where upstream uses it
  * rework creating vscan user (new system-user in Tumbleweed)
  * remove obsolete configure option --disable-zlib-vcheck

OBS-URL: https://build.opensuse.org/request/show/871162
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=218
Reinhard Max 2021-02-22 18:54:31 +00:00 committed by Git OBS Bridge
parent d2b70b567c
commit 50d583a507
9 changed files with 156 additions and 217 deletions


@ -0,0 +1,22 @@
From 58d199cbe00e8a5ef5858ffc7991a346b9f3469e Mon Sep 17 00:00:00 2001
From: Orion Poplawski <orion@nwra.com>
Date: Thu, 17 Sep 2020 22:26:04 -0600
Subject: [PATCH] Fix ck_assert_msg() call
---
unit_tests/check_jsnorm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unit_tests/check_jsnorm.c b/unit_tests/check_jsnorm.c
index 5067a21a55..64f6bf8b37 100644
--- a/unit_tests/check_jsnorm.c
+++ b/unit_tests/check_jsnorm.c
@@ -247,7 +247,7 @@ static void tokenizer_test(const char *in, const char *expected, int split)
fd = open(filename, O_RDONLY);
if (fd < 0) {
jstest_teardown();
- ck_assert_msg("failed to open output file: %s", filename);
+ ck_assert_msg(0, "failed to open output file: %s", filename);
}
diff_file_mem(fd, expected, len);


@ -113,24 +113,6 @@
# Sets the group ownership on the unix socket. # Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd) # Default: disabled (the primary group of the user running clamd)
@@ -106,7 +102,7 @@ Example
# TCP port address.
# Default: no
-#TCPSocket 3310
+TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
@@ -114,7 +110,7 @@ Example
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
-#TCPAddr 127.0.0.1
+TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
@@ -204,7 +200,7 @@ Example @@ -204,7 +200,7 @@ Example
# Run as another user (clamd must be started by root for this option to work) # Run as another user (clamd must be started by root for this option to work)
@ -156,27 +138,12 @@
# Path to the database directory. # Path to the database directory.
# WARNING: It must match clamd.conf's directive! # WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options) # Default: hardcoded (depends on installation options)
@@ -35,12 +31,12 @@ Example
# Use system logger (can work together with UpdateLogFile).
# Default: no
-#LogSyslog yes
+LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
+LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
@@ -48,12 +44,12 @@ Example @@ -48,12 +44,12 @@ Example
# It is recommended that the directory where this file is stored is # It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it. # also owned by root to keep other users from tampering with it.
# Default: disabled # Default: disabled
-#PidFile /var/run/freshclam.pid -#PidFile /var/run/freshclam.pid
+PidFile /run/clamav/freshclam.pid +#PidFile /run/clamav/freshclam.pid
# By default when started freshclam drops privileges and switches to the # By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner. # "clamav" user. This directive allows you to change the database owner.


@ -1,85 +0,0 @@
Index: libclamav/tomsfastmath/misc/fp_ident.c
===================================================================
--- libclamav/tomsfastmath/misc/fp_ident.c.orig
+++ libclamav/tomsfastmath/misc/fp_ident.c
@@ -15,7 +15,11 @@ const char *fp_ident(void)
memset(buf, 0, sizeof(buf));
snprintf(buf, sizeof(buf)-1,
-"TomsFastMath (%s)\n"
+#if (ENABLE_TIMESTAMPS == 1)
+ "TomsFastMath (%s)\n"
+#else
+ "TomsFastMath\n"
+#endif
"\n"
"Sizeofs\n"
"\tfp_digit = %llu\n"
@@ -70,7 +74,11 @@ const char *fp_ident(void)
#ifdef TFM_HUGE
" TFM_HUGE "
#endif
+#if (ENABLE_TIMESTAMPS == 1)
"\n", __DATE__, (long long unsigned)sizeof(fp_digit), (long long unsigned)sizeof(fp_word), FP_MAX_SIZE);
+#else
+ "\n", (long long unsigned)sizeof(fp_digit), (long long unsigned)sizeof(fp_word), FP_MAX_SIZE);
+#endif
if (sizeof(fp_digit) == sizeof(fp_word)) {
strncat(buf, "WARNING: sizeof(fp_digit) == sizeof(fp_word), this build is likely to not work properly.\n",
Index: configure
===================================================================
--- configure.orig
+++ configure
@@ -814,6 +814,7 @@ FGREP
LIBFRESHCLAM_VERSION
LIBCLAMAV_VERSION_NUM
LIBCLAMAV_VERSION
+ENABLE_TIMESTAMPS
PACKAGE_VERSION_NUM
ac_ct_AR
AR
@@ -924,6 +925,7 @@ ac_user_opts='
enable_mmap_for_cross_compiling
enable_dependency_tracking
enable_silent_rules
+enable_timestamps
enable_static
enable_shared
with_pic
@@ -1644,6 +1646,8 @@ Optional Features:
--enable-silent-rules less verbose build output (undo: "make V=1")
--disable-silent-rules verbose build output (undo: "make V=0")
--enable-static[=PKGS] build static libraries [default=no]
+ --enable-timestamps Enable embedding timestamp information in build
+ (default is YES)
--enable-shared[=PKGS] build shared libraries [default=yes]
--enable-fast-install[=PKGS]
optimize for fast installation [default=yes]
@@ -5927,6 +5931,26 @@ $as_echo "$ac_cv_safe_to_define___extens
$as_echo "#define PACKAGE PACKAGE_NAME" >>confdefs.h
+# Check whether --enable-timestamps was given.
+if test "${enable_timestamps+set}" = set; then :
+ enableval=$enable_timestamps;
+else
+ enableval=default
+fi
+
+case "$enableval" in
+ yes) ENABLE_TIMESTAMPS=1
+ ;;
+ no) ENABLE_TIMESTAMPS=0
+ ;;
+ default) ENABLE_TIMESTAMPS=1
+ ;;
+ *) as_fn_error $? "Invalid setting for --enable-timestamps. Use \"yes\" or \"no\"" "$LINENO" 5 ;;
+esac
+
+cat >>confdefs.h <<_ACEOF
+#define ENABLE_TIMESTAMPS $ENABLE_TIMESTAMPS
+_ACEOF
VERSION="0.103.1"


@ -1,3 +1,4 @@
addFilter("non-standard-uid.*") addFilter("non-standard-uid.*")
addFilter("devel-file-in-non-devel-package.*") addFilter("devel-file-in-non-devel-package.*")
addFilter("obsolete-not-provided") addFilter("obsolete-not-provided")
addFilter("systemd-service-without-service_.* freshclam.service")


@ -1,3 +1,18 @@
-------------------------------------------------------------------
Tue Feb 9 16:00:25 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>
- Don't daemonize freshclam, but use a systemd timer instead to
trigger updates
+ timer.freshclam
% service.freshclam
% clamav-conf.patch
- Remove obsolete patch (replaced by SOURCE_DATE_EPOCH)
- clamav-disable-timestamps.patch
- Cleanup spec
* use pkgconfig() to resolve BuildRequires where upstream uses it
* rework creating vscan user (new system-user in Tumbleweed)
* remove obsolete configure option --disable-zlib-vcheck
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Feb 6 11:20:37 UTC 2021 - Arjen de Korte <suse+build@de-korte.org> Sat Feb 6 11:20:37 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>


@ -16,8 +16,8 @@
# #
%define clamav_check --enable-check %bcond_with clammspack
%bcond_with clammspack %bcond_with valgrind
Name: clamav Name: clamav
Version: 0.103.1 Version: 0.103.1
Release: 0 Release: 0
@ -25,40 +25,35 @@ Summary: Antivirus Toolkit
License: GPL-2.0-only License: GPL-2.0-only
Group: Productivity/Security Group: Productivity/Security
URL: http://www.clamav.net URL: http://www.clamav.net
Source0: http://www.clamav.net/downloads/production/%name-%version.tar.gz Source0: http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz
Source1: http://www.clamav.net/downloads/production/%name-%version.tar.gz.sig Source1: http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz.sig
Source4: clamav-rpmlintrc Source4: clamav-rpmlintrc
Source6: clamav-tmpfiles.conf Source6: clamav-tmpfiles.conf
Source7: service.clamd Source7: service.clamd
Source8: service.freshclam Source8: service.freshclam
Source9: service.clamav-milter Source9: service.clamav-milter
Source10: timer.freshclam
Source11: clamav.keyring Source11: clamav.keyring
Source65: system-user-vscan.conf
Patch1: clamav-conf.patch Patch1: clamav-conf.patch
Patch4: clamav-disable-timestamps.patch
Patch5: clamav-obsolete-config.patch Patch5: clamav-obsolete-config.patch
Patch6: clamav-disable-yara.patch Patch6: clamav-disable-yara.patch
Patch12: clamav-fips.patch Patch12: clamav-fips.patch
Patch13: clamav-ck_assert_msg.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: bc
BuildRequires: check-devel
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libbz2-devel BuildRequires: libbz2-devel
BuildRequires: libcurl-devel >= 7.45 BuildRequires: libcurl-devel >= 7.45
BuildRequires: libjson-c-devel BuildRequires: libjson-c-devel
BuildRequires: libopenssl-devel BuildRequires: libopenssl-devel >= 1.0.2
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libxml2-devel BuildRequires: libxml2-devel
BuildRequires: ncurses-devel
BuildRequires: pcre2-devel
BuildRequires: pkgconfig
BuildRequires: pwdutils
BuildRequires: sed
BuildRequires: sendmail-devel BuildRequires: sendmail-devel
BuildRequires: systemd-rpm-macros BuildRequires: pkgconfig(check)
#BuildRequires: valgrind BuildRequires: pkgconfig(libpcre2-8) >= 10.30
BuildRequires: zlib-devel BuildRequires: pkgconfig(ncurses)
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(zlib)
# #
# Workaround to keep "make check" from using an existing libclamav # Workaround to keep "make check" from using an existing libclamav
# instead of the just built one. This should rather be fixed # instead of the just built one. This should rather be fixed
@ -66,19 +61,23 @@ BuildRequires: pkgconfig(libsystemd)
# of the test binaries. # of the test binaries.
# #
#!BuildIgnore: clamav #!BuildIgnore: clamav
Requires(pre): %_bindir/awk
Requires(pre): %_sbindir/groupadd
Requires(pre): %_sbindir/useradd
Requires(pre): %_sbindir/usermod
Requires(pre): /bin/sed
Requires(pre): /bin/tar
Obsoletes: clamav-db < 0.88.3 Obsoletes: clamav-db < 0.88.3
Provides: clamav-nodb = %version Provides: clamav-nodb = %{version}
Obsoletes: clamav-nodb <= 0.98.4 Obsoletes: clamav-nodb < %{version}
%systemd_ordering
%if %{without clammspack} %if %{without clammspack}
BuildRequires: libmspack-devel BuildRequires: pkgconfig(libmspack)
%endif %endif
%if %{with valgrind}
BuildRequires: valgrind
%endif
%if 0%{?suse_version} > 1500
Requires(pre): group(vscan)
Requires(pre): user(vscan)
%else
BuildRequires: sysuser-tools
%sysusers_requires
%endif
%{?systemd_ordering}
%description %description
ClamAV is an antivirus engine designed for detecting trojans, ClamAV is an antivirus engine designed for detecting trojans,
@ -117,8 +116,8 @@ viruses, malware and other malicious threats.
%package devel %package devel
Summary: Development files for libclamav, an antivirus engine Summary: Development files for libclamav, an antivirus engine
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: libclamav9 = %version Requires: libclamav9 = %{version}
Requires: libfreshclam2 = %version Requires: libfreshclam2 = %{version}
%description devel %description devel
ClamAV is an antivirus engine designed for detecting trojans, ClamAV is an antivirus engine designed for detecting trojans,
@ -130,18 +129,22 @@ that want to make use of libclamav.
%prep %prep
%setup -q %setup -q
%patch1 %patch1
%patch4
%patch5 %patch5
%patch6 %patch6
%patch12 %patch12
%patch13 -p1
%build %build
%if 0%{?suse_version} <= 1500
# Create vscan user
%sysusers_generate_pre %{SOURCE65} vscan
%endif
CFLAGS="-fstack-protector" CFLAGS="-fstack-protector"
CXXFLAGS="-fstack-protector" CXXFLAGS="-fstack-protector"
export CFLAGS="%optflags $CFLAGS -fPIE -fno-strict-aliasing" export CFLAGS="%optflags $CFLAGS -fPIE -fno-strict-aliasing"
export CXXFLAGS="%optflags $CXXFLAGS -fPIE -fno-strict-aliasing -std=gnu++98" export CXXFLAGS="%optflags $CXXFLAGS -fPIE -fno-strict-aliasing -std=gnu++98"
export LDFLAGS="-pie" export LDFLAGS="-pie"
%if "%_lib" == "lib64" %if "%{_lib}" == "lib64"
# tomsfastmath needs this for correct operation on 64-bit platforms # tomsfastmath needs this for correct operation on 64-bit platforms
CFLAGS="$CFLAGS -DFP_64BIT" CFLAGS="$CFLAGS -DFP_64BIT"
%endif %endif
@ -152,10 +155,8 @@ CFLAGS="$CFLAGS -DFP_64BIT"
--with-user=vscan \ --with-user=vscan \
--with-group=vscan \ --with-group=vscan \
--enable-milter \ --enable-milter \
%clamav_check \ --enable-check \
--enable-clamdtop \ --enable-clamdtop \
--disable-zlib-vcheck \
--disable-timestamps \
--disable-yara \ --disable-yara \
%if %{without clammspack} %if %{without clammspack}
--with-system-libmspack --with-system-libmspack
@ -165,104 +166,113 @@ CFLAGS="$CFLAGS -DFP_64BIT"
%install %install
%make_install %make_install
install -d -m755 %buildroot%{_localstatedir}/lib/clamav install -d -m755 %{buildroot}%{_localstatedir}/lib/clamav
install -d -m755 %buildroot/%_tmpfilesdir install -d -m755 %{buildroot}%{_tmpfilesdir}
install -m644 %SOURCE6 %buildroot%_tmpfilesdir/clamav.conf install -m644 %SOURCE6 %{buildroot}%{_tmpfilesdir}/clamav.conf
mkdir -p %buildroot%{_localstatedir}/spool/amavis %if 0%{?suse_version} <= 1500
mkdir -p -m 0755 %buildroot/run/clamav mkdir -p %{buildroot}%{_localstatedir}/spool/amavis
find %buildroot -type f -name "*.la" -delete -print %endif
mkdir -p -m 0755 %{buildroot}/run/clamav
find %{buildroot} -type f -name "*.la" -delete -print
# libclammspack is not meant to be linked against by anything but # libclammspack is not meant to be linked against by anything but
# libclamav # libclamav
rm -f %buildroot%_libdir/pkgconfig/libclammspack.pc rm -f %{buildroot}%{_libdir}/pkgconfig/libclammspack.pc
rm -f %buildroot%_libdir/libclammspack.so rm -f %{buildroot}%{_libdir}/libclammspack.so
# fix the new config file names # fix the new config file names
pushd %buildroot%_sysconfdir mv %{buildroot}%{_sysconfdir}/clamd.conf{.sample,}
mv clamd.conf.sample clamd.conf mv %{buildroot}%{_sysconfdir}/clamav-milter.conf{.sample,}
mv clamav-milter.conf.sample clamav-milter.conf mv %{buildroot}%{_sysconfdir}/freshclam.conf{.sample,}
mv freshclam.conf.sample freshclam.conf
popd
# Systemd... # Systemd...
install -d -m 0755 %buildroot/%_unitdir install -d -m 0755 %{buildroot}%{_unitdir}
install -m 0644 %SOURCE7 %buildroot/%_unitdir/clamd.service rm -f %{buildroot}%{_unitdir}/clamav-*
install -m 0644 %SOURCE8 %buildroot/%_unitdir/freshclam.service install -m 0644 %SOURCE7 %{buildroot}%{_unitdir}/clamd.service
install -m 0644 %SOURCE9 %buildroot/%_unitdir/clamav-milter.service install -m 0644 %SOURCE8 %{buildroot}%{_unitdir}/freshclam.service
rm -f %buildroot/%_unitdir/clamav-clamonacc.service install -m 0644 %SOURCE9 %{buildroot}%{_unitdir}/clamav-milter.service
rm -f %buildroot/%_unitdir/clamav-daemon.service install -m 0644 %SOURCE10 %{buildroot}%{_unitdir}/freshclam.timer
rm -f %buildroot/%_unitdir/clamav-daemon.socket
rm -f %buildroot/%_unitdir/clamav-freshclam.service
# this is broken if system does not have systemd so don't # this is broken if system does not have systemd so don't
# use it at all on systems without mandatory systemd # use it at all on systems without mandatory systemd
for srvname in clamd freshclam clamav-milter;do for srvname in clamd freshclam clamav-milter; do
(export PATH=%_prefix/sbin:/sbin:$PATH ;ln -sf $(which service) %buildroot/%_sbindir/rc${srvname}) (export PATH=%_prefix/sbin:/sbin:$PATH ;ln -sf $(which service) %{buildroot}/%{_sbindir}/rc${srvname})
done done
%check %check
# regression tests # regression tests
%if !0%{?qemu_user_space_build:1} %if !0%{?qemu_user_space_build:1}
make check VG=1 make check VG=1
%endif %endif
%if 0%{?suse_version} > 1500
%pre
%else
%pre -f vscan.pre
%endif
%service_add_pre clamd.service clamav-milter.service
%post
%tmpfiles_create %{_tmpfilesdir}/clamav.conf
%service_add_post clamd.service clamav-milter.service
%preun
%service_del_preun clamd.service clamav-milter.service
%postun
%service_del_postun clamd.service clamav-milter.service
%if 0%{?suse_version} > 1500
%ldconfig_scriptlets -n libclamav9
%ldconfig_scriptlets -n libfreshclam2
%if %{with clammspack}
%ldconfig_scriptlets -n libclammspack0
%endif
%else
%post -n libclamav9 -p /sbin/ldconfig %post -n libclamav9 -p /sbin/ldconfig
%postun -n libclamav9 -p /sbin/ldconfig %postun -n libclamav9 -p /sbin/ldconfig
%post -n libfreshclam2 -p /sbin/ldconfig %post -n libfreshclam2 -p /sbin/ldconfig
%postun -n libfreshclam2 -p /sbin/ldconfig %postun -n libfreshclam2 -p /sbin/ldconfig
%if %{with clammspack}
%post -n libclammspack0 -p /sbin/ldconfig %post -n libclammspack0 -p /sbin/ldconfig
%postun -n libclammspack0 -p /sbin/ldconfig %postun -n libclammspack0 -p /sbin/ldconfig
%endif
%endif
%files %files
%config(noreplace) %_sysconfdir/*.conf
#systemd...
%_unitdir/clamd.service
%_unitdir/freshclam.service
%_unitdir/clamav-milter.service
%_tmpfilesdir
%license COPYING* %license COPYING*
%doc docs/html/* %doc docs/html/*
%_mandir/*/* %config(noreplace) %{_sysconfdir}/*.conf
%_bindir/* #systemd...
%_sbindir/* %{_bindir}/*
%{_sbindir}/*
%{_mandir}/man?/*
%{_tmpfilesdir}/*
%{_unitdir}/clamd.service
%{_unitdir}/freshclam.service
%{_unitdir}/freshclam.timer
%{_unitdir}/clamav-milter.service
%defattr(-,vscan,vscan) %defattr(-,vscan,vscan)
%dir %attr(750,vscan,vscan) %{_localstatedir}/spool/amavis
%dir %{_localstatedir}/lib/clamav %dir %{_localstatedir}/lib/clamav
%if 0%{?suse_version} <= 1500
%dir %attr(750,vscan,vscan) %{_localstatedir}/spool/amavis
%endif
%ghost %attr(755,vscan,vscan) /run/clamav %ghost %attr(755,vscan,vscan) /run/clamav
%files -n libclamav9 %files -n libclamav9
%_libdir/libclam*.so.9* %{_libdir}/libclam*.so.9*
%files -n libfreshclam2 %files -n libfreshclam2
%_libdir/libfreshclam.so.2* %{_libdir}/libfreshclam.so.2*
%if %{with clammspack} %if %{with clammspack}
%files -n libclammspack0 %files -n libclammspack0
%_libdir/libclammspack.so.0* %{_libdir}/libclammspack.so.0*
%endif %endif
%files devel %files devel
%_libdir/pkgconfig/* %{_includedir}/*
%_libdir/libclam*.so %{_libdir}/pkgconfig/*
%_libdir/libfreshclam*.so %{_libdir}/libclam*.so
%_includedir/* %{_libdir}/libfreshclam*.so
%pre
getent group vscan >/dev/null || %_sbindir/groupadd -r vscan
getent passwd vscan >/dev/null || \
%_sbindir/useradd -r -o -g vscan -u 65 -s /bin/false \
-c "Vscan account" -d %{_localstatedir}/spool/amavis vscan
%_sbindir/usermod vscan -g vscan
%service_add_pre clamd.service freshclam.service clamav-milter.service
%post
%tmpfiles_create %_tmpfilesdir/clamav.conf
%service_add_post clamd.service freshclam.service clamav-milter.service
%preun
%service_del_preun clamd.service freshclam.service clamav-milter.service
%postun
%service_del_postun clamd.service freshclam.service clamav-milter.service
%changelog %changelog
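Review bot: The new-side scriptlets (`%service_add_pre clamd.service clamav-milter.service` and the matching `%post`/`%preun`/`%postun` lines) drop freshclam.service but never name freshclam.timer, although the timer is installed into `%{_unitdir}` and listed in `%files`. As far as this section shows, nothing applies presets to the timer or enables it, so a host that relied on an enabled freshclam.service could stop receiving signature updates after the upgrade until an administrator enables freshclam.timer by hand. I would pass the timer to all four macros, e.g. `%service_add_post clamd.service freshclam.timer clamav-milter.service`. The filter added to clamav-rpmlintrc for `systemd-service-without-service_.* freshclam.service` silences the warning that would otherwise point at this gap. If shipping the timer disabled is intended, a comment above `%pre` saying so would help.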


@ -4,11 +4,8 @@ After=network-online.target
Wants=network-online.target Wants=network-online.target
[Service] [Service]
Type=forking Type=oneshot
ExecStart=/usr/bin/freshclam -d ExecStart=/usr/bin/freshclam
;User=vscan ;User=vscan
;Group=vscan ;Group=vscan
;PrivateTmp=yes ;PrivateTmp=yes
[Install]
WantedBy=multi-user.target
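Review bot: `Type=oneshot` disables systemd's start timeout by default, so a freshclam run that stalls on the network would leave the unit in `activating` and the timer could not start another update while it hangs. An explicit bound under `[Service]`, for example `TimeoutStartSec=30min` (value chosen for illustration), would let a stuck run fail and be retried on the next timer tick. The `;User=vscan` and `;PrivateTmp=yes` lines stay commented out; a short comment explaining why (presumably because freshclam drops privileges itself, as the freshclam.conf text says) would make that choice reviewable.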

3
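--- /dev/null
+++ b/system-user-vscan.conf
@@ -0,0 +1,3 @@
+# Type Name ID GECOS [HOME]
+g vscan 65 - -
+u vscan 65 "Vscan account" /var/spool/amavis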

9
timer.freshclam Normal file

@ -0,0 +1,9 @@
[Unit]
Description=Timer for freshclam virus definitions downloader
[Timer]
OnUnitActiveSec=2h
Persistent=true
[Install]
WantedBy=timers.target
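Review bot: `OnUnitActiveSec=2h` is the only trigger in `[Timer]`, and it counts from the last activation of freshclam.service; on a system where that service has never run, the timer has no base to elapse from and, as far as I can tell, will not fire the first update. `Persistent=true` does not cover this, because it only affects `OnCalendar=` timers. Adding a start trigger such as `OnBootSec=5min` (example value) next to `OnUnitActiveSec=2h`, or switching to `OnCalendar=` with a `RandomizedDelaySec=`, would guarantee that virus definitions are fetched without someone starting the service by hand.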