Use tmpfiles.d for /var directories (jsc#PED-14736)

Also update to version 0.2.8+96 Signed-off-by: Alberto Planas <aplanas@suse.com>
2026-01-07 21:37:03 +01:00
12 changed files with 1513 additions and 811 deletions
--- a/Cargo_lock.patch
+++ b/Cargo_lock.patch
--- a/2
+++ b/2
@@ -4,7 +4,7 @@
    <!-- <param name="versionformat">@PARENT_TAG@</param> -->
    <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
    <param name="scm">git</param>
-    <param name="revision">v0.2.7</param>
+    <param name="revision">v0.2.8</param>
    <param name="revision">master</param>
    <param name="match-tag">*</param>
    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">7b746b08d3c0fdd866a6e47e893f426adc1eec70</param></service></servicedata>
+              <param name="changesrevision">e658b57da74e1255f6c05088bed9bdcbad75a541</param></service></servicedata>
--- a/keylime-agent.conf.diff
+++ b/keylime-agent.conf.diff
@@ -1,8 +1,8 @@
-Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
-===================================================================
--- rust-keylime-0.2.0+git.1677002906.cf6c4f0.orig/keylime-agent.conf
-+++ rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
-@@ -19,13 +19,15 @@ version = "2.2"
+diff --git i/keylime-agent.conf w/keylime-agent.conf
+index 49124f3..5dd707b 100644
+--- i/keylime-agent.conf
+++ w/keylime-agent.conf
+@@ -33,14 +33,16 @@ api_versions = "default"
 # of 'SHA256(public EK in PEM format)'.
 #
 # To override, set KEYLIME_AGENT_UUID environment variable.
@@ -10,7 +10,8 @@ Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
 +# uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
 +uuid = "generate"
 
- # The binding IP address and port for the agent server
+ # The binding IP address or hostname (FQDN) and port for the agent server
+ # Supports IPv4, IPv6, or fully qualified domain names
 #
 # To override ip, set KEYLIME_AGENT_IP environment variable.
 # To override port, set KEYLIME_AGENT_PORT environment variable.
@@ -19,8 +20,8 @@ Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
 +ip = "0.0.0.0"
 port = 9002
 
- # Address and port where the verifier and tenant can connect to reach the agent.
-@@ -41,7 +43,8 @@ contact_port = 9002
+ # Address (IP or hostname/FQDN) and port where the verifier and tenant can connect to reach the agent.
+@@ -58,7 +60,8 @@ contact_port = 9002
 # To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
 # To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
 # variable.
@@ -30,7 +31,7 @@ Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
 registrar_port = 8890
 
 # Enable mTLS communication between agent, verifier and tenant.
-@@ -151,7 +154,8 @@ revocation_actions_dir = "/usr/libexec/k
+@@ -191,7 +194,8 @@ revocation_actions_dir = "/usr/libexec/keylime"
 # KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
 # To override revocation_notification_port, set
 # KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.
--- a/rust-keylime-0.2.7+117.tar.zst
+++ b/rust-keylime-0.2.7+117.tar.zst
--- a/rust-keylime-0.2.8+96.tar.zst
+++ b/rust-keylime-0.2.8+96.tar.zst
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@@ -1,3 +1,153 @@
+-------------------------------------------------------------------
+Wed Jan 07 15:53:59 UTC 2026 - aplanas@suse.com
+
+- Use tmpfiles.d for /var directories (PED-14736)
+
+- Update to version 0.2.8+96:
+  * build(deps): bump wiremock from 0.6.4 to 0.6.5
+  * build(deps): bump actions/checkout from 5 to 6
+  * build(deps): bump chrono from 0.4.41 to 0.4.42
+  * packit: Get coverage from Fedora 43 runs
+  * Fix issues pointed out by clippy
+  * Replace mutex unwraps with proper error handling in TPM library
+  * Remove unused session request methods from StructureFiller
+  * Fix config panic on missing ek_handle in push model agent
+  * build(deps): bump tempfile from 3.21.0 to 3.23.0
+  * build(deps): bump actions/upload-artifact from 4 to 6 (#1163)
+  * Fix clippy warnings project-wide
+  * Add KEYLIME_DIR support for verifier TLS certificates in push model agent
+  * Thread privileged resources and use MeasurementList for IMA reading
+  * Add privileged resource initialization and privilege dropping to push model agent
+  * Fix privilege dropping order in run_as()
+  * add documentation on FQDN hostnames
+  * Remove confusing logs for push mode agent
+  * Set correct default Verifier port (8891->8881) (#1159)
+  * Add verifier_url to reference configuration file (#1158)
+  * Add TLS support for Registrar communication (#1139)
+  * Fix agent handling of 403 registration responses (#1154)
+  * Add minor README.md rephrasing (#1151)
+  * build(deps): bump actions/checkout from 5 to 6 (#1153)
+  * ci: update spec files for packit COPR build
+  * docs: improve challenge encoding and async TPM documentation
+  * refactor: improve middleware and error handling
+  * feat: add authentication client with middleware integration
+  * docker: Include keylime_push_model_agent binary
+  * Include attestation_interval configuration (#1146)
+  * Persist payload keys to avoid attestation failure on restart
+  * crypto: Implement the load or generate pattern for keys
+  * Use simple algorithm specifiers in certification_keys object (#1140)
+  * tests: Enable more tests in CI
+  * Fix RSA2048 algorithm reporting in keylime agent
+  * Remove disabled_signing_algorithms configuration
+  * rpm: Fix metadata patches to apply to current code
+  * workflows/rpm.yml: Use more strict patching
+  * build(deps): bump uuid from 1.17.0 to 1.18.1
+  * Fix ECC algorithm selection and reporting for keylime agent
+  * Improve logging consistency and coherency
+  * Implement minimal RFC compliance for Location header and URI parsing (#1125)
+  * Use separate keys for payload mechanism and mTLS
+  * docker: update rust to 1.81 for distroless Dockerfile
+  * Ensure UEFI log capabilities are set to false
+  * build(deps): bump http from 1.1.0 to 1.3.1
+  * build(deps): bump log from 0.4.27 to 0.4.28
+  * build(deps): bump cfg-if from 1.0.1 to 1.0.3
+  * build(deps): bump actix-rt from 2.10.0 to 2.11.0
+  * build(deps): bump async-trait from 0.1.88 to 0.1.89
+  * build(deps): bump trybuild from 1.0.105 to 1.0.110
+  * Accept evidence handling structures null entries
+  * workflows: Add test to check if RPM patches still apply
+  * CI: Enable test add-agent-with-malformed-ek-cert
+  * config: Fix singleton tests
+  * FSM: Remove needless lifetime annotations (#1105)
+  * rpm: Do not remove wiremock which is now available in Fedora
+  * Use latest Fedora httpdate version (1.0.3)
+  * Enhance coverage with parse_retry_after test
+  * Fix issues reported by CI regarding unwrap() calls
+  * Reuse max retries indicated to the ResilientClient
+  * Include limit of retries to 5 for Retry-After
+  * Add policy to handle Retry-After response headers
+  * build(deps): bump wiremock from 0.6.3 to 0.6.4
+  * build(deps): bump serde_json from 1.0.140 to 1.0.143
+  * build(deps): bump pest_derive from 2.8.0 to 2.8.1
+  * build(deps): bump syn from 2.0.90 to 2.0.106
+  * build(deps): bump tempfile from 3.20.0 to 3.21.0
+  * build(deps): bump thiserror from 2.0.12 to 2.0.16
+  * rpm: Fix patches to apply to current master code
+  * build(deps): bump anyhow from 1.0.98 to 1.0.99
+  * state_machine: Automatically clean config override during tests
+  * config: Implement singleton and factory pattern
+  * testing: Support overriding configuration during tests
+  * feat: implement standalone challenge-response authentication module
+  * structures: rename session structs for clarity and fix typos
+  * tpm: refactor certify_credential_with_iak() into a more generic function
+  * Add Push Model Agent Mermaid FSM chart (#1095)
+  * Add state to avoid exiting on wrong attestation (#1093)
+  * Add 6 alphanumeric lowercase X-Request-ID header
+  * Enhance Evidence Handling response parsing
+  * build(deps): bump quote from 1.0.35 to 1.0.40
+  * build(deps): bump libc from 0.2.172 to 0.2.175
+  * build(deps): bump glob from 0.3.2 to 0.3.3
+  * build(deps): bump actix-web from 4.10.2 to 4.11.0
+
+-------------------------------------------------------------------
+Wed Aug 20 09:26:08 UTC 2025 - aplanas@suse.com
+
+- Update vendored crates (bsc#1248006, CVE-2025-55159)
+  * slab 0.4.11
+
+- Add Cargo_lock.patch patch to update slab and other dependencies
+
+- Update to version 0.2.8+12:
+  * build(deps): bump actions/checkout from 4 to 5
+  * build(deps): bump cfg-if from 1.0.0 to 1.0.1
+  * build(deps): bump openssl from 0.10.72 to 0.10.73
+  * build(deps): bump clap from 4.5.39 to 4.5.45
+  * build(deps): bump pest from 2.8.0 to 2.8.1
+  * Fix clippy warnings
+  * Use verifier-provided interval for continuous attestation timing
+  * Add meta object with seconds_to_next_attestation to evidence response
+  * Fix boot time retrieval
+  * Fix IMA log format (it must be ['text/plain']) (#1073)
+  * Remove unnecessary configuration fields
+  * cargo: Bump retry-policies to version 0.4.0
+  * Bump version to 0.2.8
+
+-------------------------------------------------------------------
+Thu Aug 07 12:17:29 UTC 2025 - aplanas@suse.com
+
+- Update vendored crates (bsc#1247193, CVE-2025-58266)
+  * shlex 1.3.0
+
+- Rebase keylime-agent.conf.diff for current configuration
+
+- Drop Cargo_lock.patch patch, already present in Cargo.lock
+
+- Update to version 0.2.7+141:
+  * service: Use WantedBy=multi-user.target
+  * rpm: Add subpackage for push-attestation agent
+  * push-model: implement continuous attestation with configurable intervals
+  * Retry registration forever in the state machine
+  * Add Verifier URL to configuration
+  * Align exp.backoff to current configuration format
+  * Increase coverage of state machine (using Context)
+  * Increase coverage of struct_filler.rs
+  * Groom code (remove dead code)
+  * Fix exponential backoff (10secs, 4xx accepted)
+  * test: Add documentation test to tests/run.sh
+  * tpm: Avoid running code example during documentation tests
+  * state_machine: Always start the agent from the Unregistered state
+  * Add fixes for the URL construction
+  * Refactor evidences collection in push attestation agent
+  * push-model: refactor attestation logic into a state machine
+  * Fix body sending by allowing serializing strings (#1057)
+  * Log ResilientClient errors/response status codes (#1055)
+  * Add AK signing scheme and hash algorithm to negotiation
+  * tpm: Add method to extract signing scheme and hash algorithm from AK
+  * Allow custom content-type/accept headers
+  * Integrate exponential backoff to registration (#1052)
+  * keylime/structures: Rename ShaValues to PcrBanks
+  * Add resilient_client for exponential backoff (#1048)
+
 -------------------------------------------------------------------
 Mon Jul 14 12:56:25 UTC 2025 - aplanas@suse.com

--- a/rust-keylime.conf
+++ b/rust-keylime.conf
@@ -0,0 +1,5 @@
+#Type Path                   Mode User    Group Age Argument...
+d     /var/log/keylime       0750 keylime tss   -   -
+d     /var/lib/keylime       0700 keylime tss   -   -
+d     /var/lib/keylime/cv_ca 0700 keylime tss   -   -
+d     /run/keylime           0700 keylime tss   -   -
--- a/rust-keylime.obsinfo
+++ b/rust-keylime.obsinfo
@@ -1,4 +1,4 @@
 name: rust-keylime
-version: 0.2.7+117
-mtime: 1752485269
-commit: 7b746b08d3c0fdd866a6e47e893f426adc1eec70
+version: 0.2.8+96
+mtime: 1767778745
+commit: e658b57da74e1255f6c05088bed9bdcbad75a541
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package rust-keylime
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
  %define _config_norepl %config(noreplace)
 %endif
 Name:           rust-keylime
-Version:        0.2.7+117
+Version:        0.2.8+96
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        (Apache-2.0 OR MIT) AND BSD-3-Clause AND (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND Apache-2.0 AND Apache-2.0 WITH LLVM-exception AND BSD-3-Clause AND ISC AND MIT
@@ -35,7 +35,7 @@ Source1:        vendor.tar.zst
 Source2:        cargo_config
 Source3:        keylime.xml
 Source4:        keylime-user.conf
-Source5:        tmpfiles.keylime
+Source5:        rust-keylime.conf
 Source6:        ima-policy
 Source7:        ima-policy.service
 Source8:        README.suse
@@ -97,13 +97,9 @@ install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot

 install -Dpm 0644 %{SOURCE3} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
 install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/keylime-user.conf
-install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/keylime.conf
-install -d %{buildroot}%{_localstatedir}/log/keylime
+install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/rust-keylime.conf
 install -d %{buildroot}%{_libexecdir}/keylime

-# Create work directory and the certificate directory
-mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
-
 install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
 install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service

@@ -116,7 +112,7 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service

 %post
 %firewalld_reload
-%tmpfiles_create keylime.conf
+%tmpfiles_create %{_tmpfilesdir}/rust-keylime.conf
 %service_add_post keylime_agent.service
 %service_add_post var-lib-keylime-secure.mount

@@ -141,11 +137,9 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 %dir %{_prefix}/lib/firewalld/services
 %{_prefix}/lib/firewalld/services/keylime.xml
 %{_sysusersdir}/keylime-user.conf
-%{_tmpfilesdir}/keylime.conf
-%dir %attr(0750,keylime,tss) %{_localstatedir}/log/keylime
+%dir %{_tmpfilesdir}
+%{_tmpfilesdir}/rust-keylime.conf
 %dir %attr(0750,keylime,tss) %{_libexecdir}/keylime
-%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
-%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime/cv_ca

 %files -n keylime-ima-policy
 %dir %attr(0750,root,root) %{_sysconfdir}/ima
--- a/tmpfiles.keylime
+++ b/tmpfiles.keylime
@@ -1 +0,0 @@
-d /run/keylime 0700 keylime tss
--- a/vendor.tar.zst
+++ b/vendor.tar.zst