Accepting request 984413 from home:aplanas:branches:security

- Update to version 0.1.0+git.1655384301.b834667: * Update fmf plans to run test with IMA policy * .github/dependabot.yml: prevent updates that require manifest change - Add logrotate configuration for the agent service - Requires libtss2-tcti-device0 to interact with the real device - Drop legacy Python subpackage and feature - Move conflicts into the Python version - Drop CFSSL port from the keylime.xml firewalld rules OBS-URL: https://build.opensuse.org/request/show/984413 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=15
2022-06-22 09:04:26 +00:00 · 2022-06-22 09:04:26 +00:00 · e9611ec490
commit e9611ec490
parent 25830373fa
8 changed files with 42 additions and 34 deletions
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">7c4121ed6474f4bfacd5afe23488baf05bf49a09</param></service></servicedata>
+              <param name="changesrevision">b834667b4d775065be3d7677e8cb6ad209c43668</param></service></servicedata>
--- a/keylime.xml
+++ b/keylime.xml
@ -4,7 +4,6 @@
  <description>Keylime is a remote attestation tool that requires access to several ports.</description>
  <port protocol="tcp" port="443"/><!-- Webapp -->
  <port protocol="tcp" port="8881"/><!-- Verifier -->
-  <port protocol="tcp" port="8888"/><!-- CFSSL -->
  <port protocol="tcp" port="8890"/><!-- Registrar -->
  <port protocol="tcp" port="8891"/><!-- Registrar TLS -->
  <port protocol="tcp" port="8992"/><!-- Revocation -->
--- a/logrotate.keylime
+++ b/logrotate.keylime
@ -0,0 +1,8 @@
+/var/log/keylime/*.log {
+    su keylime tss
+    weekly
+    missingok
+    rotate 4
+    copytruncate
+    minsize 1M
+}
--- a/rust-keylime-0.1.0+git.1655143451.7c4121e.tar.xz
+++ b/rust-keylime-0.1.0+git.1655143451.7c4121e.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:93b11bb2a3c58028b23ee4ca1bf2286ee49fa3da25a3caf758bed81e4b7af96c
-size 115220
--- a/rust-keylime-0.1.0+git.1655384301.b834667.tar.xz
+++ b/rust-keylime-0.1.0+git.1655384301.b834667.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb272a91f71f4b197a28390da64a56319b45e9bf2878f31c8f700e1b2a6b8924
+size 115404
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jun 22 08:45:20 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 0.1.0+git.1655384301.b834667:
+  * Update fmf plans to run test with IMA policy
+  * .github/dependabot.yml: prevent updates that require manifest change
+- Add logrotate configuration for the agent service
+- Requires libtss2-tcti-device0 to interact with the real device
+- Drop legacy Python subpackage and feature
+- Move conflicts into the Python version
+
+-------------------------------------------------------------------
+Wed Jun 15 09:52:48 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Drop CFSSL port from the keylime.xml firewalld rules
+
 -------------------------------------------------------------------
 Tue Jun 14 11:05:01 UTC 2022 - aplanas@suse.com

--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@ -18,7 +18,7 @@

 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name:           rust-keylime
-Version:        0.1.0+git.1655143451.7c4121e
+Version:        0.1.0+git.1655384301.b834667
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@ -28,6 +28,7 @@ Source1:        vendor.tar.xz
 Source2:        cargo_config
 Source3:        keylime_agent.service
 Source4:        keylime.xml
+Source5:        logrotate.keylime
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1:         keylime.conf.diff
 BuildRequires:  cargo
@ -36,47 +37,33 @@ BuildRequires:  libarchive-devel
 BuildRequires:  rust
 BuildRequires:  tpm2-0-tss-devel
 BuildRequires:  zeromq-devel
-Recommends:     %{name}-python = %{version}
-Conflicts:      keylime-agent
-Conflicts:      keylime-config
-Conflicts:      keylime-firewalld
-Conflicts:      python-keylime
+Requires:       libtss2-tcti-device0
+Requires:       logrotate
 ExcludeArch:    %{ix86} s390x ppc64 ppc64le armhfp armv7hl

 %description
 Rust implementation of keylime agent. Keylime is system integrity
 monitoring system.

-%package -n %{name}-python
-Summary:        Shim loader for Python compatibility
-Requires:       %{name} = %{version}
-Requires:       python3-base
-
-%description -n %{name}-python
-Subpackage of %{name} for executing Python based revocation scripts.
-
 %prep
 %autosetup -a1 -p1
 mkdir .cargo
 cp %{SOURCE2} .cargo/config

 %build
-RUSTFLAGS=%{rustflags} cargo build --release
+RUSTFLAGS=%{rustflags} cargo build --release --no-default-features --features "with-zmq"

 %install
 RUSTFLAGS=%{rustflags} cargo install --frozen --root=%{buildroot}%{_prefix} --path .

 install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
 install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service
-
-install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
+install -Dpm 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
+install -Dpm 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/keylime
+install -d %{buildroot}%{_localstatedir}/log/keylime

 # Create work directory
-mkdir -p %{buildroot}%{_sharedstatedir}/keylime
-
-# Create work directory for revocation actions
-mkdir -p %{buildroot}%{_libexecdir}/keylime
-cp tests/actions/shim.py %{buildroot}%{_libexecdir}/keylime
+mkdir -p %{buildroot}%{_localstatedir}/keylime

 rm %{buildroot}%{_prefix}/.crates.toml
 rm %{buildroot}%{_prefix}/.crates2.json
@ -100,14 +87,12 @@ rm %{buildroot}%{_prefix}/.crates2.json
 %{_bindir}/keylime_agent
 %{_bindir}/keylime_ima_emulator
 %config(noreplace) %{_sysconfdir}/keylime.conf
-%dir %attr(0700, root, root) %{_sharedstatedir}/keylime
+%dir %attr(0700,root,root) %{_localstatedir}/keylime
 %dir %{_prefix}/lib/firewalld
 %dir %{_prefix}/lib/firewalld/services
 %{_prefix}/lib/firewalld/services/keylime.xml
 %{_unitdir}/keylime_agent.service
-
-%files -n %{name}-python
-%dir %{_libexecdir}/keylime
-%{_libexecdir}/keylime/shim.py
+%config(noreplace) %{_sysconfdir}/logrotate.d/keylime
+%dir %attr(750,keylime,tss) %{_localstatedir}/log

 %changelog
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1fe478492e83ec8393af64f6a91ec4e84b865cf019c35df48d7f9782c4239672
-size 20105032
+oid sha256:0e4b91a6bff3824b1f58ff875102020400e200b4d4baa68c0b175bc0ee96f77d
+size 20113908