From 7be6390a5a38049d6f65bf4413858eefe32fe8c3ff4316adb64fedbf238b3adf Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Sat, 2 Oct 2010 00:11:18 +0000 Subject: [PATCH] Accepting request 49430 from security Copy from security/haveged based on submit request 49430 from user elvigia OBS-URL: https://build.opensuse.org/request/show/49430 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haveged?expand=0&rev=1 --- .gitattributes | 23 ++++++++ .gitignore | 1 + haveged-0.9-cloexec.patch | 68 +++++++++++++++++++++++ haveged-0.9.tar.bz2 | 3 + haveged-capabilties.patch | 58 +++++++++++++++++++ haveged.changes | 53 ++++++++++++++++++ haveged.init | 113 ++++++++++++++++++++++++++++++++++++++ haveged.spec | 99 +++++++++++++++++++++++++++++++++ 8 files changed, 418 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 haveged-0.9-cloexec.patch create mode 100644 haveged-0.9.tar.bz2 create mode 100644 haveged-capabilties.patch create mode 100644 haveged.changes create mode 100644 haveged.init create mode 100644 haveged.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/haveged-0.9-cloexec.patch b/haveged-0.9-cloexec.patch new file mode 100644 index 0000000..3cd4264 --- /dev/null +++ b/haveged-0.9-cloexec.patch 
@@ -0,0 +1,68 @@ +Index: src/haveged.c +=================================================================== +--- src/haveged.c.orig 2009-09-02 18:58:14.000000000 +0200 ++++ src/haveged.c 2010-07-26 17:14:35.334236000 +0200 +@@ -83,7 +83,7 @@ void daemonize(struct hperf *perf) + signal(SIGTERM, tidy_exit); + if (daemon(0, 0) == -1) + error_exit("Cannot fork into the background"); +- fh = fopen(params->pid_file, "w"); ++ fh = fopen(params->pid_file, "we"); + if (!fh) + error_exit("Couldn't open PID file \"%s\" for writing: %m.", params->pid_file); + fprintf(fh, "%i", getpid()); +@@ -147,12 +147,12 @@ int get_poolsize() + int max_bits,major,minor; + + if (params->run_level==0) { +- poolsize_fh = fopen(params->poolsize, "rb"); ++ poolsize_fh = fopen(params->poolsize, "rbe"); + if (poolsize_fh) { + if (fscanf(poolsize_fh, "%d", &max_bits)!=1) + max_bits = -1; + fclose(poolsize_fh); +- osrel_fh = fopen(params->os_rel, "rb"); ++ osrel_fh = fopen(params->os_rel, "rbe"); + if (osrel_fh) { + if (fscanf(osrel_fh,"%d.%d", &major, &minor)<2) + major = minor = 0; +@@ -263,7 +263,7 @@ void run(int poolsize, struct rand_pool_ + daemonize(perf); + if (params->low_water>0) + set_watermark(params->low_water); +- random_fd = open(params->random_device, O_RDWR); ++ random_fd = open(params->random_device, O_RDWR | O_CLOEXEC); + if (random_fd == -1) + error_exit("Couldn't open random device: %m"); + break; +@@ -272,7 +272,7 @@ void run(int poolsize, struct rand_pool_ + return; + default: + ct = params->sample_size*1024; +- if (!(fout = fopen (params->sample_out, "wb"))) ++ if (!(fout = fopen (params->sample_out, "wbe"))) + error_exit("Cannot open file <%s> for writing.\n", params->sample_out); + fprintf(stderr, "Writing %d byte sample\n",ct); + } +@@ -334,7 +334,7 @@ void set_watermark(int level) + { + FILE *wm_fh; + +- wm_fh = fopen(params->watermark, "w"); ++ wm_fh = fopen(params->watermark, "we"); + if (wm_fh) { + fprintf(wm_fh, "%d\n", level); + fclose(wm_fh); +Index: configure.ac 
+=================================================================== +--- configure.ac.orig 2009-09-02 01:22:33.000000000 +0200 ++++ configure.ac 2010-07-26 17:20:58.745701000 +0200 +@@ -8,7 +8,7 @@ AC_CONFIG_AUX_DIR(config) + AC_CONFIG_HEADER([config.h]) + AM_INIT_AUTOMAKE + AC_CONFIG_SRCDIR([/src/haveged.c]) +- ++AC_USE_SYSTEM_EXTENSIONS + ## Make nist self-test configurable + AC_ARG_ENABLE(nistest, AS_HELP_STRING([--enable-nistest=[no/yes]],[Run NIST test suite [default=no]]),, enable_nistest="no") + if test "x$enable_nistest" = "xyes"; then diff --git a/haveged-0.9.tar.bz2 b/haveged-0.9.tar.bz2 new file mode 100644 index 0000000..9a62809 --- /dev/null +++ b/haveged-0.9.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b94fdb1c0891aaf8b7a00faa0b426e1a6c93a0665c60cd8db510ca4d87ea834d +size 166681 diff --git a/haveged-capabilties.patch b/haveged-capabilties.patch new file mode 100644 index 0000000..b3dc18a --- /dev/null +++ b/haveged-capabilties.patch 
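Review bot: The `"e"` mode letter now passed to fopen() in daemonize(), get_poolsize(), run() and set_watermark() is a glibc extension (2.7 and later) that older or non-glibc C libraries silently ignore, so nothing in the hunk verifies that the descriptor actually ended up close-on-exec. If the hardening is meant to be guaranteed rather than best-effort, follow each successful fopen() with `fcntl(fileno(fh), F_SETFD, FD_CLOEXEC);`, or at least state the dependency next to the first use, e.g. `/* "e" = O_CLOEXEC, glibc >= 2.7; silently ignored elsewhere */`. The `open(params->random_device, O_RDWR | O_CLOEXEC)` call in run() likewise relies on the flag being honoured (as far as I know older kernels ignore unknown open() flags rather than failing), and the AC_USE_SYSTEM_EXTENSIONS addition in configure.ac only makes the symbol visible without checking for it, so a `#ifndef O_CLOEXEC` fallback would keep the build portable. The bodies of daemonize(), get_poolsize(), run() and set_watermark() all continue outside their hunks.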
@@ -0,0 +1,58 @@ +--- configure.ac.orig 2010-09-24 18:13:42.282707000 +0200 ++++ configure.ac 2010-09-24 18:13:42.311704000 +0200 +@@ -68,7 +68,7 @@ AC_FUNC_MALLOC + AC_FUNC_SELECT_ARGTYPES + AC_TYPE_SIGNAL + AC_CHECK_FUNCS([floor gettimeofday memset pow select sqrt]) +- ++LIBCAP_NG_PATH + # Sets hardware depedent define for the build + AC_SUBST(HA_CPPFLAGS,$HA_CPPFLAGS) + +--- src/Makefile.am.orig 2009-09-01 22:45:25.000000000 +0200 ++++ src/Makefile.am 2010-09-24 18:13:42.319719000 +0200 +@@ -4,5 +4,5 @@ AM_CFLAGS=-Wall + AM_CPPFLAGS = @HA_CPPFLAGS@ + + haveged_SOURCES = haveged.c havege.c havegedef.h haveged.h havege.h oneiteration.h loopbody.h +- ++haveged_LDADD = @CAPNG_LDADD@ + MAINTAINERCLEANFILES = Makefile.in +--- src/haveged.c.orig 2010-09-24 18:13:42.276714000 +0200 ++++ src/haveged.c 2010-09-24 18:14:41.605757000 +0200 +@@ -16,6 +16,11 @@ + ** You should have received a copy of the GNU General Public License + ** along with this program. If not, see . + */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ + #include + #include + #include +@@ -37,6 +42,10 @@ + #include + #include + ++#ifdef HAVE_LIBCAP_NG ++#include ++#endif ++ + #include "havege.h" + /** + * Parameters +@@ -170,6 +179,12 @@ int get_poolsize() + */ + int main(int argc, char **argv) + { ++#ifdef HAVE_LIBCAP_NG ++ /* Drop capabilities */ ++ capng_clear(CAPNG_SELECT_BOTH); ++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN); ++ capng_apply(CAPNG_SELECT_BOTH); ++#endif + static const char* cmds[] = { + "d", "data", "1", "Data cache size [KB]", + "i", "inst", "1", "Instruction cache size [KB]", diff --git a/haveged.changes b/haveged.changes new file mode 100644 index 0000000..a7c9dcf --- /dev/null +++ b/haveged.changes 
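Review bot: The capability drop added at the top of main() ignores the return values of capng_update() and capng_apply(), so if applying the reduced set fails the daemon carries on with the full root capability set and nothing reports it. The file already has an error_exit() helper (used in daemonize() in the cloexec patch of this same request, so it should be declared before main()), and I would make the drop fatal with it: `if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN) != 0 || capng_apply(CAPNG_SELECT_BOTH) != 0)` followed by `error_exit("Cannot drop capabilities");`. A comment on why CAP_SYS_ADMIN is the one capability kept would also help (presumably the RNDADDENTROPY ioctl on the random device — confirm against run()), together with the caveat that the process still runs as uid 0, so this narrows rather than removes what a compromised daemon can do. When HAVE_LIBCAP_NG is not defined the block compiles to nothing and the daemon silently keeps every capability; a `#warning` in an `#else` branch would make that visible at build time. The body of main() continues outside the hunk.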
@@ -0,0 +1,53 @@ +------------------------------------------------------------------- +Fri Sep 24 16:14:20 UTC 2010 - cristian.rodriguez@opensuse.org + +- Drop as much capabilitites as possible using libcap-ng + +------------------------------------------------------------------- +Sat Jul 31 23:55:20 UTC 2010 - cristian.rodriguez@opensuse.org + +- I meant Enhances not Supplements + +------------------------------------------------------------------- +Fri Jul 30 22:18:23 UTC 2010 - cristian.rodriguez@opensuse.org + +- Implement hack to start by default only in VMs + +------------------------------------------------------------------- +Tue Jul 27 22:02:20 UTC 2010 - cristian.rodriguez@opensuse.org + +- Run the complete test suite (for the paranoid) +- use O_CLOEXEC on fds + +------------------------------------------------------------------- +Tue Jul 20 21:27:49 UTC 2010 - cristian.rodriguez@opensuse.org + +- enable daemon by default +- add a few Supplements so the it gets installed automatically. + +------------------------------------------------------------------- +Sun Jul 18 21:25:16 UTC 2010 - cristian.rodriguez@opensuse.org + +- add proper Requires(pre) + +------------------------------------------------------------------- +Fri Jul 16 17:30:31 UTC 2010 - cristian.rodriguez@opensuse.org + +- build with no optimization, there are reports saying it + may crash with -O1 like http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563938 + +------------------------------------------------------------------- +Thu Jul 15 17:37:11 UTC 2010 - cristian.rodriguez@opensuse.org + +- move deamon to /sbin +- tune the spec file +- add a SUSE standard init script + +------------------------------------------------------------------- +Fri May 28 14:03:54 CEST 2010 - meissner@suse.de + +- haveged 0.9 + + Gather entropy by doing calculation and looking + at secondary high resolution processor information + (tsc, cache misses etc.) 
diff --git a/haveged.init b/haveged.init new file mode 100644 index 0000000..8989e5c --- /dev/null +++ b/haveged.init 
@@ -0,0 +1,113 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: haveged +# Required-Start: $syslog $local_fs +# Required-Stop: $syslog $local_fs +# Default-Start: 2 3 5 +# Default-Stop: +# Short-Description: Daemon to feed entropy into /dev/urandom +# Description: The haveged daemon uses the timing variations that occur in executing a fixed loop +# to generate random numbers that are fed into the random pool. +### END INIT INFO + +HAVEGED_BIN=/sbin/haveged +HAVEGED_PARAMS="-w 1024 -v 1" + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v ditto but be verbose in local rc status +# rc_status -v -r ditto and clear the local rc status +# rc_failed set local and overall rc status to failed +# rc_reset clear local rc status (overall remains) +# rc_exit exit appropriate to overall rc status +. /etc/rc.status + +# First reset status of this service +rc_reset + +# Return values acc. to LSB for all commands but status: +# 0 - success +# 1 - misc error +# 2 - invalid or excess args +# 3 - unimplemented feature (e.g. reload) +# 4 - insufficient privilege +# 5 - program not installed +# 6 - program not configured +# +# Note that starting an already running service, stopping +# or restarting a not-running service as well as the restart +# with force-reload (in case signalling is not supported) are +# considered a success. +case "$1" in + start) + echo -n "Starting haveged daemon " + ## Start daemon with startproc(8). If this fails + ## the echo return value is set appropriate. + + + # startproc should return 0, even if service is + # already running to match LSB spec. 
+ startproc $HAVEGED_BIN $HAVEGED_PARAMS + + # Remember status and be verbose + rc_status -v + ;; + stop) + echo -n "Shutting down haveged daemon " + killproc -TERM $HAVEGED_BIN + + # Remember status and be verbose + rc_status -v + ;; + try-restart|condrestart) + ## Do a restart only if the service was active before. + ## Note: try-restart is now part of LSB (as of 1.9). + ## RH has a similar command named condrestart. + if test "$1" = "condrestart"; then + echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" + fi + $0 status + if test $? = 0; then + $0 restart + else + rc_reset # Not running is not a failure. + fi + # Remember status and be quiet + rc_status + ;; + restart | force-reload) + $0 stop + $0 start + ;; + reload) + ## Like force-reload, but if daemon does not support + ## signaling, do nothing (!) + rc_failed 3 + rc_status -v + ;; + status) + echo -n "Checking for haveged daemon " + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + # Status has a slightly different for the status command: + # 0 - service running + # 1 - service dead, but /var/run/ pid file exists + # 2 - service dead, but /var/lock/ lock file exists + # 3 - service not running + + # NOTE: checkproc returns LSB compliant status values. + checkproc $HAVEGED_BIN + rc_status -v + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|reload}" + exit 1 + ;; +esac + +rc_exit + +# vim: set sw=4 ts=4 et: diff --git a/haveged.spec b/haveged.spec new file mode 100644 index 0000000..31fe7a9 --- /dev/null +++ b/haveged.spec 
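Review bot: The `start` branch runs `startproc $HAVEGED_BIN $HAVEGED_PARAMS` without first checking that the binary exists, even though the comment block above the case statement lists exit status 5 for "program not installed"; the usual SUSE skeleton does that check right after the variable definitions. Add, after the `HAVEGED_PARAMS=` line: `test -x $HAVEGED_BIN || { echo "$HAVEGED_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; }`. Separately, the `Short-Description` says the daemon feeds `/dev/urandom`, while the spec in this same request describes it as feeding the kernel entropy pool (which backs both /dev/random and /dev/urandom), so `# Short-Description: Daemon to feed entropy into the kernel random pool` would be more accurate; and the usage line at the bottom omits the `try-restart` and `force-reload` targets the case statement actually implements.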
@@ -0,0 +1,99 @@ +# +# spec file for package haveged (Version 0.9) +# +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + + + +Name: haveged +Version: 0.9 +Release: 1 +License: GPLv3 +Group: System/Daemons +Summary: Feed entropy into random pool +Url: http://www.issihosts.com/haveged/ +Source0: http://www.issihosts.com/haveged/haveged-%{version}.tar.bz2 +Source1: haveged.init +BuildRoot: %{_tmppath}/%{name}-%{version}-build +Requires(pre): %insserv_prereq +Requires(post): grep util-linux +Enhances: openssl gpg2 php5 apache2 openvpn smtp_daemon +Patch: haveged-0.9-cloexec.patch +Patch1: haveged-capabilties.patch +BuildRequires: libcap-ng-devel + +%description +The haveged daemon feeds the linux entropy pool with random +numbers generated from hidden processor state. 
+ +For more informations see http://www.issihosts.com/haveged/ + +%prep +%setup -q +%patch +%patch1 + +%build +autoreconf -fiv +CFLAGS="$RPM_OPT_FLAGS -O0" +%configure --with-libcap-ng=yes --sbindir=/sbin --enable-nistest=yes +make %{?smp_flags} + +%check +make %{?smp_flags} check + +%install +make DESTDIR=$RPM_BUILD_ROOT install +%{__install} -m0755 %{S:1} %{buildroot}/etc/init.d/haveged +%{__mkdir_p} %{buildroot}%{_sbindir} +%{__ln_s} -f %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name} + +%clean +rm -rf $RPM_BUILD_ROOT + +%post +## brace for impact... +%if 0%{?sles_version} + if [ -x /usr/bin/lscpu ]; then + if /usr/bin/lscpu | grep -q "Virtualization type" ; then + ## Is a VM + %{fillup_and_insserv -fy %{name}} + else + ## it isnt. + %{fillup_and_insserv -f %{name}} + fi + else + ##there is no lscpu! shouldnt happend... + %{fillup_and_insserv -f %{name}} + fi +%else + %{fillup_and_insserv -fy %{name}} +%endif + +%postun +%restart_on_update %{name} +%{insserv_cleanup} + +%preun +%stop_on_removal %{name} + +%files +%defattr(-,root,root) +%{_sbindir}/rc%{name} +/sbin/haveged +%config /etc/init.d/haveged +%{_mandir}/man8/haveged.8.gz + +%changelog
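Review bot: `CFLAGS="$RPM_OPT_FLAGS -O0"` in %build disables optimization for the whole build, and that silently turns off glibc's `_FORTIFY_SOURCE` checks, which only take effect at -O1 and above; on openSUSE %optflags normally carries `-D_FORTIFY_SOURCE=2`, so a daemon that keeps CAP_SYS_ADMIN and is enabled by default in %post loses one of the standard hardening layers without the spec saying so (the `-fstack-protector` part of the flags is unaffected). If the Debian crash report cited in haveged.changes really requires -O0, I would confine it to the translation unit that contains the timing loop rather than the whole build, or at least record the trade-off next to the assignment: `# -O0 per Debian bug 563938 (crash at -O1); note _FORTIFY_SOURCE is inert without optimization`. Also, `%post` decides whether to auto-enable the service from `lscpu | grep -q "Virtualization type"`; a comment giving what that line looks like on a VM versus bare metal would help whoever has to work out why the service did or did not start.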