- add compatibility %buildroot definition

- backport unshare fix from upstream OBS-URL: https://build.opensuse.org/package/show/Base:System/rpm?expand=0&rev=679
2024-12-16 13:00:08 +00:00 · 2024-12-16 13:00:08 +00:00 · b01ea491c0
commit b01ea491c0
parent 5857a2d144
5 changed files with 77 additions and 13 deletions
--- a/macrosin.diff
+++ b/macrosin.diff
@ -1,6 +1,16 @@
--- macros.in.orig	2024-12-16 09:16:20.616343895 +0000
-+++ macros.in	2024-12-16 09:16:24.676335428 +0000
-@@ -163,6 +163,7 @@
+--- macros.in.orig	2024-12-16 12:48:44.110837972 +0000
+++ macros.in	2024-12-16 12:52:32.014378635 +0000
+@@ -118,6 +118,9 @@
+ #	The directory where sources/patches will be unpacked and built.
+ %_builddir		%{_topdir}/BUILD
+ 
+#	The build root where built files will be installed into
+%buildroot		%{_builddir}/%{NAME}-%{VERSION}-%{_arch}/BUILDROOT
+
+ #	The interpreter used for build scriptlets.
+ %_buildshell		/bin/sh
+ 
+@@ -163,6 +166,7 @@
     %{?_unique_debug_names:--unique-debug-suffix "-%{VERSION}-%{RELEASE}.%{_arch}"} \\\
     %{?_unique_debug_srcs:--unique-debug-src-base "%{name}-%{VERSION}-%{RELEASE}.%{_arch}"} \\\
     %{?_find_debuginfo_dwz_opts} \\\
@ -8,7 +18,7 @@
     %{?_find_debuginfo_opts} \\\
     %{?_debugsource_packages:-S debugsourcefiles.list} \\\
     "%{builddir}/%{?buildsubdir}"\
-@@ -216,7 +217,8 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -216,7 +220,8 @@ Supplements:   (%{name} = %{version}-%{r
 %files langpack-%{1}\
 %{nil}
 
@ -18,7 +28,7 @@
 %_defaultlicensedir	%{_datadir}/licenses
 
 # Following macros for filtering auto deps must not be used in spec files.
-@@ -275,7 +277,8 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -275,7 +280,8 @@ Supplements:   (%{name} = %{version}-%{r
 %_tmppath		%{_var}/tmp
 
 #	Path to top of build area.
@ -28,7 +38,7 @@
 
 #==============================================================================
 # ---- Optional rpmrc macros.
-@@ -366,7 +369,7 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -366,7 +372,7 @@ Supplements:   (%{name} = %{version}-%{r
 #		"w.ufdio"	uncompressed
 #
 #%_source_payload	w9.gzdio
@ -37,7 +47,7 @@
 
 #	Algorithm to use for generating file checksum digests on build.
 #	If not specified or 0, MD5 is used.
-@@ -476,6 +479,19 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -476,6 +482,19 @@ Supplements:   (%{name} = %{version}-%{r
 #
 #%_include_minidebuginfo	1
 
@ -57,7 +67,7 @@
 #
 # Include a .gdb_index section in the .debug files.
 # Requires _enable_debug_packages and gdb-add-index installed.
-@@ -508,39 +524,39 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -508,39 +527,39 @@ Supplements:   (%{name} = %{version}-%{r
 #   Same as for "separate" but if the __debug_package global is set then
 #   the -debuginfo package will have a compatibility link for the main
 #   ELF /usr/lib/debug/.build-id/xx/yyy -> /usr/lib/.build-id/xx/yyy
@ -104,7 +114,7 @@
 
 #
 # Use internal dependency generator rather than external helpers?
-@@ -559,6 +575,7 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -559,6 +578,7 @@ Supplements:   (%{name} = %{version}-%{r
 %__find_requires	%{_rpmconfigdir}/find-requires
 #%__find_conflicts	???
 #%__find_obsoletes	???
@ -112,7 +122,7 @@
 
 # 
 # Path to file attribute classifications for automatic dependency 
-@@ -980,7 +997,7 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -980,7 +1000,7 @@ Supplements:   (%{name} = %{version}-%{r
 %_build_vendor		%{_host_vendor}
 %_build_os		%{_host_os}
 %_host			@host@
@ -121,7 +131,7 @@
 %_host_cpu		@host_cpu@
 %_host_vendor		@host_vendor@
 %_host_os		@host_os@
-@@ -1105,11 +1122,13 @@ Supplements:   (%{name} = %{version}-%{r
+@@ -1105,11 +1125,13 @@ Supplements:   (%{name} = %{version}-%{r
 
 #------------------------------------------------------------------------------
 # arch macro for all supported 32-bit ARM processors
--- a/1
+++ b/1
@ -1 +0,0 @@
-addFilter("file-contains-buildroot")	# until rpmlint is fixed
--- a/rpm.changes
+++ b/rpm.changes
@ -23,6 +23,9 @@ Mon Dec 16 11:55:23 CET 2024 - mls@suse.de
  * auto-config-update-aarch64-ppc64le.diff
  * 0002-log-build-time-if-it-is-set-from-SOURCE_DATE_EPOCH.patch
  * 0003-Error-out-on-a-missing-changelog-date.patch
+- add compatibility %buildroot definition
+- backport unshare fix from upstream
+  * new patch: unshare.diff

 -------------------------------------------------------------------
 Mon Nov 11 08:43:56 UTC 2024 - Michal Suchanek <msuchanek@suse.de>
--- a/rpm.spec
+++ b/rpm.spec
@ -65,7 +65,6 @@ URL:            https://rpm.org/
 Source:         https://ftp.osuosl.org/pub/rpm/releases/rpm-4.19.x/rpm-%{version}.tar.bz2
 #Git-Clone:     https://github.com/rpm-software-management/rpmpgp_legacy
 Source1:        rpmpgp_legacy-1.0.tar.gz
-Source2:        rpm-rpmlintrc
 Source5:        rpmsort
 Source8:        rpmconfigcheck
 Source9:        sysconfig.services-rpm
@ -120,6 +119,7 @@ Patch139:       cmake_python_version.diff
 Patch140:       0001-Add-option-to-set-mtime-of-files-in-rpms.patch
 Patch141:       0002-log-build-time-if-it-is-set-from-SOURCE_DATE_EPOCH.patch
 Patch142:       0003-Error-out-on-a-missing-changelog-date.patch
+Patch150:       unshare.diff
 Patch6464:      auto-config-update-aarch64-ppc64le.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
@ -234,6 +234,7 @@ rm -rf sqlite
 %patch -P 140
 %endif
 %patch -P 141 -P 142
+%patch -P 150

 %ifarch aarch64 ppc64le riscv64
 %patch -P 6464
--- a/unshare.diff
+++ b/unshare.diff
@ -0,0 +1,51 @@
+--- docs/man/rpm-plugin-unshare.8.md.orig	2024-10-07 09:35:46.000000000 +0000
+++ docs/man/rpm-plugin-unshare.8.md	2024-12-16 12:57:40.781754250 +0000
+@@ -27,6 +27,11 @@ This plugin implements the following con
+     execution. Typical examples would be `/tmp` to protect against
+     insecure temporary file usage inside scriptlets, and `/home` to
+     prevent scriptlets from accessing user home directories.
+    When path unsharing is enabled, any mounts made from scriptlets
+    are also private to the scriptlet (and vice versa, mount changes
+    on the host are not visible to the scriptlet).
+
+    Private mounts in chroot-operations is unimplemented.
+ 
+ `%__transaction_unshare_nonet`
+ 
+--- plugins/unshare.c.orig	2024-10-07 09:35:46.000000000 +0000
+++ plugins/unshare.c	2024-12-16 12:57:40.781754250 +0000
+@@ -19,8 +19,18 @@ static rpmRC unshare_init(rpmPlugin plug
+ {
+     char *paths = rpmExpand("%{?__transaction_unshare_paths}", NULL);
+     private_mounts = argvSplitString(paths, ":", ARGV_SKIPEMPTY);
+-    if (private_mounts)
+-	unshare_flags |= CLONE_NEWNS;
+    if (private_mounts) {
+	/*
+	 * Changing mount propagation from inside a chroot fails if the root
+	 * is not also a mount point, disable for now.
+	 */
+	if (strcmp(rpmtsRootDir(ts), "/")) {
+	    rpmlog(RPMLOG_WARNING,
+			"private mounts in chroot not implemented\n");
+	} else {
+	    unshare_flags |= CLONE_NEWNS;
+	}
+    }
+     free(paths);
+ 
+     if (rpmExpandNumeric("%{?__transaction_unshare_nonet}"))
+@@ -47,9 +57,10 @@ static rpmRC unshare_scriptlet_fork_post
+ 	goto exit;
+     }
+ 
+-    if (private_mounts) {
+-	if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
+-	    rpmlog(RPMLOG_ERR, _("failed to mount private %s: %s\n"),
+    if (unshare_flags & CLONE_NEWNS) {
+	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
+	    rpmlog(RPMLOG_ERR,
+		    _("failed to change mount propagation %s: %s\n"),
+ 		    "/", strerror(errno));
+ 	    goto exit;
+ 	}
				`@ -1 +0,0 @@`
				`addFilter("file-contains-buildroot") # until rpmlint is fixed`