From e9611ec490a6ba657a3b0e1b2273c852fde83e97a68f390b825aa1b8307a71ec Mon Sep 17 00:00:00 2001 From: Alberto Planas Dominguez Date: Wed, 22 Jun 2022 09:04:26 +0000 Subject: [PATCH] Accepting request 984413 from home:aplanas:branches:security - Update to version 0.1.0+git.1655384301.b834667: * Update fmf plans to run test with IMA policy * .github/dependabot.yml: prevent updates that require manifest change - Add logrotate configuration for the agent service - Requires libtss2-tcti-device0 to interact with the real device - Drop legacy Python subpackage and feature - Move conflicts into the Python version - Drop CFSSL port from the keylime.xml firewalld rules OBS-URL: https://build.opensuse.org/request/show/984413 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=15 --- _servicedata | 2 +- keylime.xml | 1 - logrotate.keylime | 8 ++++ ...eylime-0.1.0+git.1655143451.7c4121e.tar.xz | 3 -- ...eylime-0.1.0+git.1655384301.b834667.tar.xz | 3 ++ rust-keylime.changes | 16 ++++++++ rust-keylime.spec | 39 ++++++------------- vendor.tar.xz | 4 +- 8 files changed, 42 insertions(+), 34 deletions(-) create mode 100644 logrotate.keylime delete mode 100644 rust-keylime-0.1.0+git.1655143451.7c4121e.tar.xz create mode 100644 rust-keylime-0.1.0+git.1655384301.b834667.tar.xz diff --git a/_servicedata b/_servicedata index 29914a8..65e651c 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/keylime/rust-keylime.git - 7c4121ed6474f4bfacd5afe23488baf05bf49a09 \ No newline at end of file + b834667b4d775065be3d7677e8cb6ad209c43668 \ No newline at end of file diff --git a/keylime.xml b/keylime.xml index 4b98b36..d970af5 100644 --- a/keylime.xml +++ b/keylime.xml @@ -4,7 +4,6 @@ Keylime is a remote attestation tool that requires access to several ports. - diff --git a/logrotate.keylime b/logrotate.keylime new file mode 100644 index 0000000..812f8e5 --- /dev/null +++ b/logrotate.keylime 
@@ -0,0 +1,8 @@
+/var/log/keylime/*.log {
+ su keylime tss
+ weekly
+ missingok
+ rotate 4
+ copytruncate
+ minsize 1M
+}
diff --git a/rust-keylime-0.1.0+git.1655143451.7c4121e.tar.xz b/rust-keylime-0.1.0+git.1655143451.7c4121e.tar.xz
deleted file mode 100644
index 64787ef..0000000
--- a/rust-keylime-0.1.0+git.1655143451.7c4121e.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:93b11bb2a3c58028b23ee4ca1bf2286ee49fa3da25a3caf758bed81e4b7af96c
-size 115220
diff --git a/rust-keylime-0.1.0+git.1655384301.b834667.tar.xz b/rust-keylime-0.1.0+git.1655384301.b834667.tar.xz
new file mode 100644
index 0000000..a7bc8ad
--- /dev/null
+++ b/rust-keylime-0.1.0+git.1655384301.b834667.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb272a91f71f4b197a28390da64a56319b45e9bf2878f31c8f700e1b2a6b8924
+size 115404
diff --git a/rust-keylime.changes b/rust-keylime.changes
index d8e4782..23403d3 100644
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jun 22 08:45:20 UTC 2022 - Alberto Planas Dominguez
+
+- Update to version 0.1.0+git.1655384301.b834667:
+ * Update fmf plans to run test with IMA policy
+ * .github/dependabot.yml: prevent updates that require manifest change
+- Add logrotate configuration for the agent service
+- Requires libtss2-tcti-device0 to interact with the real device
+- Drop legacy Python subpackage and feature
+- Move conflicts into the Python version
+
+-------------------------------------------------------------------
+Wed Jun 15 09:52:48 UTC 2022 - Alberto Planas Dominguez
+
+- Drop CFSSL port from the keylime.xml firewalld rules
+
 -------------------------------------------------------------------
 Tue Jun 14 11:05:01 UTC 2022 - aplanas@suse.com
diff --git a/rust-keylime.spec b/rust-keylime.spec
index ca7df52..68aebc7 100644
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
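Review bot: `copytruncate` in the new logrotate.keylime copies the log and then truncates it in place, so anything the agent writes between those two steps is lost; for an attestation agent those may be the lines needed during an investigation. If the agent can reopen its log file, `create 640 keylime tss` with a `postrotate` reload avoids the gap; whether it can is not visible in this patch. If copytruncate has to stay, record the reason in the file, e.g. `# copytruncate: agent keeps the log open and cannot reopen it; lines written during rotation may be lost`.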
@@ -18,7 +18,7 @@ %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now' Name: rust-keylime -Version: 0.1.0+git.1655143451.7c4121e +Version: 0.1.0+git.1655384301.b834667 Release: 0 Summary: Rust implementation of the keylime agent License: Apache-2.0 AND MIT @@ -28,6 +28,7 @@ Source1: vendor.tar.xz Source2: cargo_config Source3: keylime_agent.service Source4: keylime.xml +Source5: logrotate.keylime # PATCH-FIX-OPENSUSE keylime.conf.diff Patch1: keylime.conf.diff BuildRequires: cargo 
@@ -36,47 +37,33 @@ BuildRequires: libarchive-devel BuildRequires: rust BuildRequires: tpm2-0-tss-devel BuildRequires: zeromq-devel -Recommends: %{name}-python = %{version} -Conflicts: keylime-agent -Conflicts: keylime-config -Conflicts: keylime-firewalld -Conflicts: python-keylime +Requires: libtss2-tcti-device0 +Requires: logrotate ExcludeArch: %{ix86} s390x ppc64 ppc64le armhfp armv7hl %description Rust implementation of keylime agent. Keylime is system integrity monitoring system. -%package -n %{name}-python -Summary: Shim loader for Python compatibility -Requires: %{name} = %{version} -Requires: python3-base - -%description -n %{name}-python -Subpackage of %{name} for executing Python based revocation scripts. - %prep %autosetup -a1 -p1 mkdir .cargo cp %{SOURCE2} .cargo/config %build -RUSTFLAGS=%{rustflags} cargo build --release +RUSTFLAGS=%{rustflags} cargo build --release --no-default-features --features "with-zmq" %install RUSTFLAGS=%{rustflags} cargo install --frozen --root=%{buildroot}%{_prefix} --path . install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service - -install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml +install -Dpm 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml +install -Dpm 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/keylime +install -d %{buildroot}%{_localstatedir}/log/keylime # Create work directory -mkdir -p %{buildroot}%{_sharedstatedir}/keylime - -# Create work directory for revocation actions -mkdir -p %{buildroot}%{_libexecdir}/keylime -cp tests/actions/shim.py %{buildroot}%{_libexecdir}/keylime +mkdir -p %{buildroot}%{_localstatedir}/keylime rm %{buildroot}%{_prefix}/.crates.toml rm %{buildroot}%{_prefix}/.crates2.json 
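Review bot: The `cargo install --frozen --root=%{buildroot}%{_prefix} --path .` line in %install does not repeat the feature selection this hunk adds to %build, and `cargo install` performs its own build, so the binary that is packaged is compiled with the crate's default features. If the legacy Python feature is among those defaults (the changelog entry "Drop legacy Python subpackage and feature" suggests it is), the shipped agent still carries it. Use the same flags in both places: `RUSTFLAGS=%{rustflags} cargo install --frozen --no-default-features --features "with-zmq" --root=%{buildroot}%{_prefix} --path .`. Separately, the work directory moves from `%{_sharedstatedir}/keylime` to `%{_localstatedir}/keylime` (/var/keylime rather than /var/lib/keylime with the usual macro values); keylime.conf is not visible here, so confirm the agent's configured directory matches.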
@@ -100,14 +87,12 @@ rm %{buildroot}%{_prefix}/.crates2.json %{_bindir}/keylime_agent %{_bindir}/keylime_ima_emulator %config(noreplace) %{_sysconfdir}/keylime.conf -%dir %attr(0700, root, root) %{_sharedstatedir}/keylime +%dir %attr(0700,root,root) %{_localstatedir}/keylime %dir %{_prefix}/lib/firewalld %dir %{_prefix}/lib/firewalld/services %{_prefix}/lib/firewalld/services/keylime.xml %{_unitdir}/keylime_agent.service - -%files -n %{name}-python -%dir %{_libexecdir}/keylime -%{_libexecdir}/keylime/shim.py +%config(noreplace) %{_sysconfdir}/logrotate.d/keylime +%dir %attr(750,keylime,tss) %{_localstatedir}/log %changelog diff --git a/vendor.tar.xz b/vendor.tar.xz index 311e077..287dad8 100644 --- a/vendor.tar.xz +++ b/vendor.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:1fe478492e83ec8393af64f6a91ec4e84b865cf019c35df48d7f9782c4239672 -size 20105032 +oid sha256:0e4b91a6bff3824b1f58ff875102020400e200b4d4baa68c0b175bc0ee96f77d +size 20113908
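Review bot: The added `%dir %attr(750,keylime,tss) %{_localstatedir}/log` entry in %files claims the system log directory itself rather than the agent's subdirectory, so installing the package would set /var/log to mode 750 owned by keylime:tss. That gives the agent account control over every other service's log location and cuts off non-root services outside the tss group. %install creates `%{_localstatedir}/log/keylime` and logrotate.keylime rotates `/var/log/keylime/*.log`, so the entry should read `%dir %attr(750,keylime,tss) %{_localstatedir}/log/keylime`. Creation of the keylime user and tss group is not visible in this patch; confirm both exist before this ownership is applied.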