Accepting request 919835 from filesystems

OBS-URL: https://build.opensuse.org/request/show/919835 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/e2fsprogs?expand=0&rev=121
2021-09-21 19:12:15 +00:00 · 2021-09-21 19:12:15 +00:00 · 5cbfc67189
commit 5cbfc67189
parent a969cf920b ab79e3335e
11 changed files with 150 additions and 4 deletions
--- a/e2fsprogs-1.46.3.tar.sign
+++ b/e2fsprogs-1.46.3.tar.sign
--- a/e2fsprogs-1.46.3.tar.xz
+++ b/e2fsprogs-1.46.3.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:86d1580facdd49f2e0e6b027e26b1e6c48af538762dc40aeed2a87153c1f11b7
-size 7024896
--- a/e2fsprogs-1.46.4.tar.sign
+++ b/e2fsprogs-1.46.4.tar.sign
--- a/e2fsprogs-1.46.4.tar.xz
+++ b/e2fsprogs-1.46.4.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b11042533c1b1dcf17512f0da48e05b0c573dada1dd8b762864d10f4dc399713
+size 7035200
--- a/e2fsprogs.changes
+++ b/e2fsprogs.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Sep 15 09:16:54 UTC 2021 - Jan Kara <jack@suse.cz>
+
+- Update to 1.46.4:
+  * Default to 256-byte inodes for all filesystems, not only larger ones
+  * Bigalloc is considered supported now for small cluster sizes
+  * E2fsck and e2image fixes for quota feature
+  * Fix mke2fs creation of filesystem into non-existent file
+- libss-add-newer-libreadline.so.8-to-dlopen-path.patch: libss: add newer
+  libreadline.so.8 to dlopen path (bsc#1189453)
+
+-------------------------------------------------------------------
+Tue Sep 14 07:03:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_e2scrub@.service.patch
+  * harden_e2scrub_all.service.patch
+  * harden_e2scrub_fail@.service.patch
+  * harden_e2scrub_reap.service.patch
+
 -------------------------------------------------------------------
 Mon Aug  2 20:47:09 UTC 2021 - Jan Kara <jack@suse.cz>

--- a/e2fsprogs.spec
+++ b/e2fsprogs.spec
@ -66,7 +66,7 @@ Conflicts:      libcom_err2-mini
 Conflicts:      libcom_err-mini-devel
 %endif
 #
-Version:        1.46.3
+Version:        1.46.4
 Release:        0
 Summary:        Utilities for the Second Extended File System
 License:        GPL-2.0-only
@ -89,6 +89,11 @@ Source5:        https://thunk.org/tytso/tytso-key.asc#/%{name}.keyring
 Patch3:         libcom_err-compile_et_permissions.patch
 Patch4:         e2fsprogs-1.42-implicit_fortify_decl.patch
 Patch5:         e2fsprogs-1.42-ext2fsh_implicit.patch
+Patch6:         harden_e2scrub@.service.patch
+Patch7:         harden_e2scrub_all.service.patch
+Patch8:         harden_e2scrub_fail@.service.patch
+Patch9:         harden_e2scrub_reap.service.patch
+Patch10:        libss-add-newer-libreadline.so.8-to-dlopen-path.patch
 # Do not suppress make commands
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

@ -253,6 +258,11 @@ Development files for the com_err error message display library. Static librarie
 %patch4
 %patch5
 cp %{SOURCE2} .
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1

 %build
 %global _lto_cflags %{_lto_cflags} -ffat-lto-objects
--- a/harden_e2scrub@.service.patch
+++ b/harden_e2scrub@.service.patch
@ -0,0 +1,20 @@
+Index: e2fsprogs-1.46.4/scrub/e2scrub@.service.in
+===================================================================
+--- e2fsprogs-1.46.4.orig/scrub/e2scrub@.service.in
+++ e2fsprogs-1.46.4/scrub/e2scrub@.service.in
+@@ -10,6 +10,15 @@ PrivateNetwork=true
+ ProtectSystem=true
+ ProtectHome=read-only
+ PrivateTmp=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
+ NoNewPrivileges=yes
+ User=root
--- a/harden_e2scrub_all.service.patch
+++ b/harden_e2scrub_all.service.patch
@ -0,0 +1,23 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_all.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_all.service.in
+@@ -6,6 +6,18 @@ ConditionCapability=CAP_SYS_RAWIO
+ Documentation=man:e2scrub_all(8)
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=oneshot
+ Environment=SERVICE_MODE=1
+ ExecStart=@root_sbindir@/e2scrub_all
--- a/harden_e2scrub_fail@.service.patch
+++ b/harden_e2scrub_fail@.service.patch
@ -0,0 +1,23 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_fail@.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_fail@.service.in
+@@ -3,6 +3,18 @@ Description=Online ext4 Metadata Check F
+ Documentation=man:e2scrub(8)
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=oneshot
+ ExecStart=@pkglibdir@/e2scrub_fail "%I"
+ User=mail
--- a/harden_e2scrub_reap.service.patch
+++ b/harden_e2scrub_reap.service.patch
@ -0,0 +1,21 @@
+Index: e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
+===================================================================
+--- e2fsprogs-1.46.3.orig/scrub/e2scrub_reap.service.in
+++ e2fsprogs-1.46.3/scrub/e2scrub_reap.service.in
+@@ -11,6 +11,16 @@ PrivateNetwork=true
+ ProtectSystem=true
+ ProtectHome=read-only
+ PrivateTmp=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
+ NoNewPrivileges=yes
+ User=root
--- a/libss-add-newer-libreadline.so.8-to-dlopen-path.patch
+++ b/libss-add-newer-libreadline.so.8-to-dlopen-path.patch
@ -0,0 +1,29 @@
+From 0a60ee129b9137a9a5cd49c4dd15247830a7f319 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 20 Aug 2021 18:12:04 +0200
+Subject: [PATCH] libss: add newer libreadline.so.8 to dlopen path
+
+OpenSUSE Tumbleweed now has libreadline.so.8. Add it to the list of libs
+to look for.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+---
+ lib/ss/get_readline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ss/get_readline.c b/lib/ss/get_readline.c
+index 11c72b3387d1..aa1615747934 100644
+--- a/lib/ss/get_readline.c
+++ b/lib/ss/get_readline.c
+@@ -37,7 +37,7 @@ static void ss_release_readline(ss_data *info)
+ #endif
+ 
+ /* Libraries we will try to use for readline/editline functionality */
+-#define DEFAULT_LIBPATH "libreadline.so.7:libreadline.so.6:libreadline.so.5:libreadline.so.4:libreadline.so:libedit.so.2:libedit.so:libeditline.so.0:libeditline.so"
+#define DEFAULT_LIBPATH "libreadline.so.8:libreadline.so.7:libreadline.so.6:libreadline.so.5:libreadline.so.4:libreadline.so:libedit.so.2:libedit.so:libeditline.so.0:libeditline.so"
+ 
+ #ifdef HAVE_DLOPEN
+ void ss_get_readline(int sci_idx)
+-- 
+2.26.2
+