Accepting request 910608 from home:gmbr3:Active

- Update to version 0.6.0: - Addressed potential symlink attack issue (CVE-2020-28407) - Rewritten in 'C'; needs json-glib - Use timeouts for communicating with swtpm (Unix socket) - Fix --print-capabilities for 'swtpm chardev' - Various cleanups and fixes (coverity) - Enable selinux support OBS-URL: https://build.opensuse.org/request/show/910608 OBS-URL: https://build.opensuse.org/package/show/security/swtpm?expand=0&rev=18
2021-08-09 08:47:13 +00:00 · 2021-08-09 08:47:13 +00:00 · 9f05f64ac4
commit 9f05f64ac4
parent 099d31ba0a
5 changed files with 77 additions and 155 deletions
--- a/swtpm-0.6.0.tar.gz
+++ b/swtpm-0.6.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d05098d6879a44f02cb0225290f2edeea083ea9a322f5acf98c7a6ddb5f46d29
+size 326049
--- a/swtpm-rename_deprecated_libtasn1_types.patch
+++ b/swtpm-rename_deprecated_libtasn1_types.patch
@ -1,114 +0,0 @@
-From 0b0041bda9df8bf704d7aff8c32da0d18cd9eb28 Mon Sep 17 00:00:00 2001
-From: Jonas Witschel <diabonas@archlinux.org>
-Date: Wed, 19 May 2021 10:30:41 +0200
-Subject: [PATCH] swtpm_cert: rename deprecated libtasn1 types
-
-These types have been renamed in libtasn1 version 3.0 (released 2012-10-28).
-The most recent libtasn1 version 4.17.0 (released 2021-05-13) now prints
-deprecation warnings that are made fatal by -Werror:
-
-ek-cert.c:76:13: error: 'ASN1_ARRAY_TYPE' macro is deprecated, use 'asn1_static_node' instead. [-Werror]
-   76 | extern const ASN1_ARRAY_TYPE tpm_asn1_tab[];
-      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-[...]
-
-The new types were introduced almost ten years ago, so they should be pretty
-universally available by now.
-
-Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
---
- src/swtpm_cert/ek-cert.c | 24 ++++++++++++------------
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/src/swtpm_cert/ek-cert.c b/src/swtpm_cert/ek-cert.c
-index c991559c..c8074614 100644
--- a/src/swtpm_cert/ek-cert.c
-+++ b/src/swtpm_cert/ek-cert.c
-@@ -73,9 +73,9 @@ enum cert_type_t {
- #define ALLOW_SIGNING_F  2 /* EK can be used for signing */
- #define DECRYPTION_F     4 /* EK can be used for decryption; default */
- 
-extern const ASN1_ARRAY_TYPE tpm_asn1_tab[];
-+extern const asn1_static_node tpm_asn1_tab[];
- 
-ASN1_TYPE _tpm_asn;
-+asn1_node _tpm_asn;
- 
- typedef struct tdTCG_PCCLIENT_STORED_CERT {
-     uint16_t tag;
-@@ -333,7 +333,7 @@ asn_free(void)
- }
- 
- static int
-encode_asn1(gnutls_datum_t *asn1, ASN1_TYPE at)
-+encode_asn1(gnutls_datum_t *asn1, asn1_node at)
- {
-     int err;
- 
-@@ -361,7 +361,7 @@ encode_asn1(gnutls_datum_t *asn1, ASN1_TYPE at)
- }
- 
- static int
-build_tpm_manufacturer_info(ASN1_TYPE *at,
-+build_tpm_manufacturer_info(asn1_node *at,
-                             const char *manufacturer,
-                             const char *tpm_model,
-                             const char *tpm_version)
-@@ -443,7 +443,7 @@ create_tpm_manufacturer_info(const char *manufacturer,
-                              const char *tpm_version,
-                              gnutls_datum_t *asn1)
- {
-    ASN1_TYPE at = ASN1_TYPE_EMPTY;
-+    asn1_node at = NULL;
-     int err;
- 
-     err = asn_init();
-@@ -475,7 +475,7 @@ create_tpm_manufacturer_info(const char *manufacturer,
- }
- 
- static int
-build_platf_manufacturer_info(ASN1_TYPE *at,
-+build_platf_manufacturer_info(asn1_node *at,
-                               const char *manufacturer,
-                               const char *platf_model,
-                               const char *platf_version,
-@@ -569,7 +569,7 @@ create_platf_manufacturer_info(const char *manufacturer,
-                                gnutls_datum_t *asn1,
-                                bool forTPM2)
- {
-    ASN1_TYPE at = ASN1_TYPE_EMPTY;
-+    asn1_node at = NULL;
-     int err;
- 
-     err = asn_init();
-@@ -612,9 +612,9 @@ create_tpm_and_platform_manuf_info(
-                                gnutls_datum_t *asn1,
-                                bool forTPM2)
- {
-    ASN1_TYPE at = ASN1_TYPE_EMPTY;
-    ASN1_TYPE tpm_at = ASN1_TYPE_EMPTY;
-    ASN1_TYPE platf_at = ASN1_TYPE_EMPTY;
-+    asn1_node at = NULL;
-+    asn1_node tpm_at = NULL;
-+    asn1_node platf_at = NULL;
-     int err;
-     gnutls_datum_t datum = {
-         .data = NULL,
-@@ -725,7 +725,7 @@ create_tpm_specification_info(const char *spec_family,
-                               unsigned int spec_revision,
-                               gnutls_datum_t *asn1)
- {
-    ASN1_TYPE at = ASN1_TYPE_EMPTY;
-+    asn1_node at = NULL;
-     int err;
-     unsigned int bigendian;
-     unsigned char twoscomp[1 + sizeof(bigendian)] = { 0, };
-@@ -797,7 +797,7 @@ create_tpm_specification_info(const char *spec_family,
- static int
- create_cert_extended_key_usage(const char *oid, gnutls_datum_t *asn1)
- {
-    ASN1_TYPE at = ASN1_TYPE_EMPTY;
-+    asn1_node at = NULL;
-     int err;
- 
-     err = asn_init();
--- a/swtpm.changes
+++ b/swtpm.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Sat Aug  7 15:02:40 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
+
+- Update to version 0.6.0:
+  - Addressed potential symlink attack issue (CVE-2020-28407)
+  - Rewritten in 'C'; needs json-glib
+  - Use timeouts for communicating with swtpm (Unix socket)
+  - Fix --print-capabilities for 'swtpm chardev'
+  - Various cleanups and fixes (coverity)
+- Enable selinux support
+
 -------------------------------------------------------------------
 Thu May 20 06:56:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

--- a/swtpm.spec
+++ b/swtpm.spec
@ -18,16 +18,19 @@

 # Scripts in this package are python3
 %define skip_python2 1
-
+# SELinux
+%define selinuxtype targeted
+%define modulename1 swtpm
+%define modulename2 swtpm_svirt
+%define modulename3 swtpmcuse
 Name:           swtpm
-Version:        0.5.2
+Version:        0.6.0
 Release:        0
 Summary:        Software TPM emulator
 License:        BSD-3-Clause
 Group:          System/Base
 URL:            https://github.com/stefanberger/swtpm
-Source:         https://github.com/stefanberger/swtpm/archive/v%{version}.tar.gz
-Patch0:         swtpm-rename_deprecated_libtasn1_types.patch
+Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  expect
@ -41,13 +44,18 @@ BuildRequires:  libseccomp-devel
 BuildRequires:  libtasn1-devel
 BuildRequires:  libtool
 BuildRequires:  libtpms-devel
+BuildRequires:  pkgconfig
 BuildRequires:  python3-cryptography
+BuildRequires:  selinux-policy-devel
+BuildRequires:  selinux-policy-targeted
 BuildRequires:  socat
+BuildRequires:  pkgconfig(json-glib-1.0)
+BuildRequires:  pkgconfig(systemd)
 Requires:       iproute2
 Requires:       python3-cryptography
 Requires:       trousers
-Requires:       user(tss)
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Requires:       (%{name}-selinux if selinux-policy-base)
+Requires(pre):  user(tss)

 %description
 The SWTPM package provides TPM emulators with different front-end interfaces
@ -67,60 +75,77 @@ Requires:       libtpms-devel
 %description    devel
 The development files for SWTPM

+%package        selinux
+Summary:        SELinux module for the Software TPM emulator
+Group:          System/Management
+Requires:       %{name} = %{version}
+BuildArch:      noarch
+%{selinux_requires}
+
+%description    selinux
+This package provides the SELinux module for the Software TPM emulator.
+
 %prep
-%setup -q -n %{name}-%{version}
-%patch0 -p1
+%autosetup

 %build
-
-# Fix rpmlint env-script-interpreter error
-sed -i -e "s|^#!/usr/bin/env |#!/usr/bin/|" \
-  %_builddir/%buildsubdir/src/swtpm_setup/swtpm_setup.in \
-  %_builddir/%buildsubdir/src/swtpm_setup/py_swtpm_setup/swtpm_setup.py \
-  %_builddir/%buildsubdir/samples/swtpm-create-tpmca \
-  %_builddir/%buildsubdir/samples/swtpm-create-user-config-files.in \
-  %_builddir/%buildsubdir/samples/swtpm-localca.in \
-  %_builddir/%buildsubdir/samples/py_swtpm_localca/swtpm_localca.py
-
-./autogen.sh
+mkdir m4
+autoreconf -fiv
+# configure looks for semodule on PATH
+export PATH="$PATH:%{_sbindir}"
 %configure --with-openssl --disable-static \
-     --with-tss-user=root --with-tss-group=tss
-make %{?_smp_mflags}
+     --with-tss-user=root --with-tss-group=tss \
+     --with-selinux
+%make_build

 %install
 %make_install
-
+find %{buildroot} -type f -name "*.la" -delete -print
+mkdir %{buildroot}%{_datadir}/selinux/packages/targeted
+mv %{buildroot}%{_datadir}/selinux/packages/*.pp %{buildroot}%{_datadir}/selinux/packages/targeted
 mkdir -p %{buildroot}%{_localstatedir}/lib/swtpm-localca

 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig

+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename1}.pp
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename2}.pp
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename3}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename1}
+    %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename2}
+    %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename3}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
 %files
-%defattr(-,root,root)
 %doc CHANGES README TODO
 %license LICENSE
 %{_bindir}/swtpm*
 %config %{_sysconfdir}/swtpm*
-%dir %{_datadir}/swtpm
-%{_datadir}/swtpm/*
+%{_datadir}/swtpm
 %dir %{_libdir}/swtpm
 %{_libdir}/swtpm/*.so.*
-%{_mandir}/man8/swtpm*
-%dir %{python_sitelib}/py_swtpm_localca
-%dir %{python_sitelib}/py_swtpm_setup
-%pycache_only %{python_sitelib}/py_swtpm_localca/__pycache__
-%pycache_only %{python_sitelib}/py_swtpm_setup/__pycache__
-%{python_sitelib}/py_swtpm_localca/*.py
-%{python_sitelib}/py_swtpm_setup/*.py
-%{python_sitelib}/swtpm_localca*
-%{python_sitelib}/swtpm_setup*
+%{_mandir}/man8/swtpm*%{?ext_man}
 %dir %attr(0750,tss,root) %{_localstatedir}/lib/swtpm-localca

 %files devel
 %{_libdir}/swtpm/*.so
-%{_libdir}/swtpm/*.la
-%dir %{_includedir}/swtpm/
-%{_includedir}/swtpm/*
-%{_mandir}/man3/swtpm*
+%{_includedir}/swtpm
+%{_mandir}/man3/swtpm*%{?ext_man}
+
+%files selinux
+%{_datadir}/selinux/packages/targeted/*.pp
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename1}
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename2}
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename3}

 %changelog
--- a/v0.5.2.tar.gz
+++ b/v0.5.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2e5ccf591e34c25bd9ae78a0aff9ff1d037dacd90b5e05b9fdc9bcece239f0af
-size 309436