Accepting request 1085591 from home:jeff_mahoney:branches:security:sensor:updates

- Update to version 0.6.7.5~git78.2bef6fc: * bpf: fix path to vmlinux.h - Update to version 0.6.7.5~git77.997aa73: * file_store/test_utils/server_config.go: update test certificate * Update bluemonday dependency. * vql/functions/hash: cache results on Linux * libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0 * logscale/backport: don't use networking.GetHttpTransport * vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint * file_store/directory: add ability to report pending size - Change clang dependency to clang16 - Fix velociraptor-golang-mage-vendoring.diff to account for newer 'go mod vendor' honoring build flags. - Fix update-vendoring.sh script to actually run the %setup part of the spec. - Merge client package into server spec and use _multibuild to create client package from same spec file. - Adjust changelog to retain changes for client package. - Fix building in static mode on earlier releases. - Added patch: velociraptor-libbpfgo-only-build-libbpf.patch - Tightening the security of the services a bit: - tmp files are now moved to /var/lib/velociraptor{,-client}/tmp from /tmp - run velociraptor server as user velociraptor instead of root we do not really need root permissions here - introduce /var/lib/velociraptor/filestore to make it easier to split out large file upload - change permissions for the data directory and subdirectories to OBS-URL: https://build.opensuse.org/request/show/1085591 OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=46
2023-05-09 00:49:51 +00:00 · 2023-05-09 00:49:51 +00:00 · 3a5ec10ba3
commit 3a5ec10ba3
parent bfb6d78d98
24 changed files with 336 additions and 1397 deletions
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+<multibuild>
+  <package>client</package>                                                  
+</multibuild>                                                                   
+
--- a/4
+++ b/4
@ -5,8 +5,8 @@
    <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param>
    <param name="revision">sensor-base-0.6.7</param>
    <param name="scm">git</param>
-    <param name="parent-tag">v0.6.7-4</param>
-    <param name="versionrewrite-pattern">v([0-9\.]*)-(.*)</param>
+    <param name="parent-tag">v0.6.7-5</param>
+    <param name="versionrewrite-pattern">v([0-9\.\-]*)-(.*)</param>
    <param name="versionrewrite-replacement">\1.\2</param>
    <param name="changesgenerate">enable</param>
    <param name="submodules">enable</param>
--- a/6
+++ b/6
@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
-                <param name="url">https://github.com/jeffmahoney/linux-security-sensor</param>
-              <param name="changesrevision">0e858552af3d6ab57bae796cc3e50ccef36b4aff</param></service><service name="tar_scm">
                <param name="url">https://github.com/SUSE/linux-security-sensor</param>
-              <param name="changesrevision">4a1ed09d50339b902c6446686bd16deedbb23804</param></service></servicedata>
+              <param name="changesrevision">2bef6fce8e26733a13a3bbfeaa8c4828db1a99ba</param></service><service name="tar_scm">
+                <param name="url">https://github.com/jeffmahoney/linux-security-sensor</param>
+              <param name="changesrevision">02020f9752134efd8a6a92ab83a7b55b498e1948</param></service></servicedata>
--- a/sysconfig.velociraptor-kafka-humio-gateway
+++ b/sysconfig.velociraptor-kafka-humio-gateway
@ -0,0 +1,15 @@
+## Path:        Security/Monitoring
+## Description: Velociraptor Kafka-Humio Gateway settings
+## Type:        string                                                          
+## Default:     ""
+## ServiceRestart: velociraptor
+#
+# Options for velociraptor
+#
+KAFKA_HUMIO_GATEWAY_OPTIONS="--verbose"
+
+#
+# Location of configuration file
+#
+KAFKA_HUMIO_GATEWAY_CONFIG="/etc/velociraptor-kafka-humio-gateway/transport.yml"
+
--- a/update-vendoring.sh
+++ b/update-vendoring.sh
@ -21,20 +21,23 @@ version=$(rpmspec -q --queryformat="%{VERSION}\n" velociraptor.spec|head -1)
 dir="$(realpath "$(mktemp -d vendoring.XXXXXX)")"
 topdir="$(realpath "$(dirname "$0")")"

-rpmspec -P velociraptor.spec --define "_sourcedir $PWD" | \
+# Pull the %prep section out of the spec file and replace the tarball with the obscpio
+awk '
+BEGIN { go=1; };
+/^%build/ { go=0; };
+{ if (go) print };' < velociraptor.spec > ${dir}/velociraptor.spec
+
+rpmspec -P ${dir}/velociraptor.spec --define "_sourcedir $PWD" --define "_builddir ${dir}"| \
 awk '
 BEGIN { go=0; };
 /^%build/ { go=0; };
 { if (go) print };
-/^%setup/ { go=1 }' > ${dir}/setup.sh
-
-echo "Expanding archive..."
-cpio -D "${dir}" -id < velociraptor-${version}.obscpio
+/^%prep/ { go=1 }' | sed -e "/rpmuncompress.*velociraptor-.*.tar.xz/s#.*#cpio -D . -id < $PWD/velociraptor-${version}.obscpio#" > ${dir}/setup.sh

 echo "Running %prep"
+cd ${dir}
+sh -e ${dir}/setup.sh
 cd "${dir}/velociraptor-${version}"
-tar Jxf ${topdir}/vmlinux.h-5.14.21150400.22-150400-default.tar.xz
-sh ${dir}/setup.sh

 echo "Re-vendoring Go code..."
 gopathdir="$(mktemp -d /tmp/gopath.XXXXXXX)"
--- a/velociraptor-0.6.7.4~git63.4a1ed09d.obscpio
+++ b/velociraptor-0.6.7.4~git63.4a1ed09d.obscpio
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7fb845e3c71742cdfd51fd4b7eb0587c9a8ba9894874a5d6353fbf375a733f6d
-size 127596558
--- a/velociraptor-0.6.7.5~git78.2bef6fc.obscpio
+++ b/velociraptor-0.6.7.5~git78.2bef6fc.obscpio
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:638b6e6ef4d9146cd59ba9252358f1605b64af59ab902f1b919be6e6fe8c38e4
+size 130006542
--- a/velociraptor-client.changes
+++ b/velociraptor-client.changes
--- a/velociraptor-client.service
+++ b/velociraptor-client.service
@ -9,7 +9,8 @@ UMask=0027
 MemoryHigh=4G
 MemoryMax=8G
 EnvironmentFile=-/etc/sysconfig/velociraptor-client
-ExecStart=/usr/bin/velociraptor client --config /etc/velociraptor/client.config $VELOCIRAPTOR_CLIENT_OPTS
+Environment=TMPDIR=/var/lib/velociraptor-client/tmp
+ExecStart=/usr/bin/velociraptor-client client --config /etc/velociraptor/client.config $VELOCIRAPTOR_CLIENT_OPTS

 PrivateTmp=true
 PrivateDevices=true
--- a/velociraptor-client.spec
+++ b/velociraptor-client.spec
@ -1,157 +0,0 @@
-#
-# spec file for package velociraptor-client
-#
-# Copyright (c) 2023 SUSE LLC
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
-#
-
-
-%define projname velociraptor
-%define vendor_version 0.6.7.4~git41.678ed56
-%define vmlinux_h_version 5.14.21150400.22-150400-default
-
-# SLE 15 SP2 / Leap 15.2 or newer gets eBPF
-# Earlier versions don't have a usable eBPF and the
-# release doesn't easily build llvm13
-%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150200
-%bcond_without bpf
-%else
-%bcond_with bpf
-%endif
-
-#Compat macro for new _fillupdir macro introduced in Nov 2017
-%if ! %{defined _fillupdir}
-  %define _fillupdir %{_localstatedir}/adm/fillup-templates
-%endif
-
-# SLE12 has _sharedstatedir in an odd place
-%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
-%define _sharedstatedir /var/lib
-%endif
-
-Name:           velociraptor-client
-Version:        0.6.7.4~git63.4a1ed09d
-Release:        0
-Summary:        Endpoint visibility and collection tool (endpoint only)
-Group:          System/Monitoring
-License:        AGPL-3.0-only
-URL:            https://github.com/Velocidex/velociraptor
-Source:         %{projname}-%{version}.tar.xz
-Source1:        vendor-golang-%{vendor_version}.tar.xz
-Source2:        %{name}.service
-Source3:        %{name}.config.placeholder
-Source4:        vmlinux.h-%{vmlinux_h_version}.tar.xz
-Source5:        update-vendoring.sh
-Source6:        sysconfig.%{name}
-Source7:        %{projname}.obsinfo
-Patch1:         velociraptor-golang-mage-vendoring.diff
-Patch2:         velociraptor-skip-git-submodule-import-for-OBS-build.patch
-Patch3:         vendor-build-fixes-for-SLE12.patch
-Patch4:         sdjournal-build-fix-for-SLE12.patch
-Patch5:         velociraptor-reproducible-timestamp.diff
-BuildRequires:  fileb0x
-BuildRequires:  golang-packaging
-BuildRequires:  mage
-BuildRequires:  systemd-rpm-macros
-BuildRequires:  golang(API) >= 1.19
-BuildRequires:  pkgconfig(libsystemd)
-%ifarch x86_64
-BuildRequires:  libtsan0
-%endif
-%if %{with bpf}
-# clang15 causes libbpfo to crash immediately
-BuildRequires:  clang13
-BuildRequires:  libelf-devel
-BuildRequires:  llvm13
-BuildRequires:  zlib-devel-static
-%endif
-Conflicts:      velociraptor
-ExclusiveArch:  x86_64 ppc64le aarch64 s390x
-
-%description
-Velociraptor is a tool for collecting host based state information
-using The Velociraptor Query Language (VQL) queries.
-
-To learn more about Velociraptor, read the documentation on:
-
-https://docs.velociraptor.app/
-
-This package contains only the endpoint agent.  For the full console, please
-install the 'velociraptor' package.
-
-%prep
-%setup -q -a 1 -a 4 -n %{projname}-%{version}
-%autopatch -p1
-
-# Set the version to something more specific than <next-tag>-dev
-sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go
-
-%if %{with bpf}
-mkdir -p third_party/libbpfgo/output
-
-cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
-   third_party/libbpfgo/output/vmlinux.h
-%endif
-
-# These just clutter the GUI and we don't have Windows clients
-# Note: There are dependencies on these that need to be resolved before
-# removing them outright.
-# rm -rf artifacts/definitions/Windows
-
-%build
-
-# Reproductible builds need stable timestamps
-timestamp=$(date -Iseconds --utc --date=@$(grep mtime: %{SOURCE7}|sed -e 's/mtime: //'))
-git_commit=$(grep commit: %{SOURCE7}|sed -e 's/commit: //g')
-
-export VELOCIRAPTOR_BUILD_TIME=$timestamp
-export VELOCIRAPTOR_GIT_HEAD=$git_commit
-
-PATH=$PATH:/usr/sbin make linux_bare BUILD_LIBBPFGO=%{with bpf}
-
-%install
-mkdir -p %buildroot/%{_bindir}
-mkdir -p %buildroot/%{_sysconfdir}/velociraptor
-mkdir -p %buildroot/%{_unitdir}
-mkdir -p %buildroot/%{_sharedstatedir}/velociraptor-client
-install -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/velociraptor
-install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
-install -m 0600 %{SOURCE3} %{buildroot}%{_sysconfdir}/velociraptor/client.config
-install -d -m 755 %{buildroot}%{_fillupdir}
-install -m 0644 %{SOURCE6} %{buildroot}%{_fillupdir}
-
-%files
-%defattr(-, root, root)
-%license LICENSE
-%doc README.md
-%dir %{_sysconfdir}/velociraptor
-%{_bindir}/velociraptor
-%config(noreplace) %{_sysconfdir}/velociraptor/client.config
-%{_unitdir}/%{name}.service
-%dir %{_sharedstatedir}/velociraptor-client
-%{_fillupdir}/sysconfig.%{name}
-
-%pre
-%service_add_pre %{name}.service
-
-%post
-%{fillup_only}
-%service_add_post %{name}.service
-
-%preun
-%service_del_preun %{name}.service
-
-%postun
-%service_del_postun %{name}.service
-
-%changelog
--- a/velociraptor-golang-mage-vendoring.diff
+++ b/velociraptor-golang-mage-vendoring.diff
@ -1,22 +1,19 @@
 From: Jeff Mahoney <jeffm@suse.com>
-Subject: [PATCH] velociraptor: add dummy main function for mage
+Subject: [PATCH] velociraptor: remove ignore tag to allow vendoring of mage
+
+The ignore tag in make.go means it won't be properly vendored.

-Mage won't pull in the full dependencies without there being a real
-import.  This isn't used in the executable, since that's in bin/, but it
-will be used for 'go mod vendor'
 ---
- dummy.go |    9 +++++++++
- 1 file changed, 9 insertions(+)
+ make.go |    2 --
+ 1 file changed, 2 deletions(-)

--- /dev/null
-+++ b/dummy.go
-@@ -0,0 +1,9 @@
-+// +build useless
-+package main
-+
-+import (
-+	"github.com/magefile/mage"
-+)
-+
-+func main() {
-+}
+diff --git a/make.go b/make.go
+index 28b3e90..8fad8b9 100644
+--- a/make.go
+++ b/make.go
+@@ -1,5 +1,3 @@
+-// +build ignore
+-
+ /*
+    Velociraptor - Dig Deeper
+    Copyright (C) 2019-2022 Rapid7 Inc.
--- a/velociraptor-kafka-humio-gateway.service
+++ b/velociraptor-kafka-humio-gateway.service
@ -0,0 +1,24 @@
+[Unit]
+Description=Velociraptor Kafka-Humio Gateway Service
+
+[Service]
+Type=simple
+User=velociraptor-kafka
+Group=velociraptor-kafka
+UMask=0027
+User=velociraptor
+Group=velociraptor
+EnvironmentFile=-/etc/sysconfig/velociraptor-kafka-humio-gateway
+ExecStart=/usr/bin/velociraptor-kafka-humio-gateway $KAFKA_HUMIO_GATEWAY_OPTS --config $KAFKA_HUMIO_GATEWAY_CONFIG
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
--- a/velociraptor-kafka.sysusers
+++ b/velociraptor-kafka.sysusers
@ -0,0 +1,2 @@
+u velociraptor-kafka - "User for velociraptor Kafka Humio Gateway" /var/lib/velociraptor-kafka-humio-gateway
+g velociraptor-kafka - -
--- a/velociraptor-skip-git-submodule-import-for-OBS-build.patch
+++ b/velociraptor-skip-git-submodule-import-for-OBS-build.patch
@ -1,23 +0,0 @@
-From: Jeff Mahoney <jeffm@suse.com>
-Subject: skip git submodule import for OBS build
-
-For OBS builds, the git submodule is imported during obs_scm.
-
-Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
- Makefile |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
--- a/Makefile
-+++ b/Makefile
-@@ -61,8 +61,8 @@ ifeq ($(BUILD_LIBBPFGO), 1)
- 	vql/linux/chattrsnoop/chattrsnoop.bpf.o
- 
- $(LIBBPFGO_DIR): always-check
-	echo "INFO: updating submodule 'libbpfgo'"
-	$(GIT) submodule update --init --recursive $@
-+#	echo "INFO: updating submodule 'libbpfgo'"
-+#	$(GIT) submodule update --init --recursive $@
- 
- $(LIBBPF_LIB): $(LIBBPFGO_DIR)
- 	make -C $(LIBBPFGO_DIR) libbpfgo-full-static
--- a/velociraptor.changes
+++ b/velociraptor.changes
@ -1,5 +1,65 @@
 -------------------------------------------------------------------
-Thu Jan 26 20:06:09 UTC 2023 - jeffm@suse.com
+Mon May 08 20:21:03 UTC 2023 - jeffm@suse.com
+
+- Update to version 0.6.7.5~git78.2bef6fc:
+  * bpf: fix path to vmlinux.h
+
+-------------------------------------------------------------------
+Mon May 08 19:42:58 UTC 2023 - Jeff Mahoney <jeffm@suse.com>
+
+- Update to version 0.6.7.5~git77.997aa73:
+  * file_store/test_utils/server_config.go: update test certificate
+  * Update bluemonday dependency.
+  * vql/functions/hash: cache results on Linux
+  * libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0
+  * logscale/backport: don't use networking.GetHttpTransport
+  * vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint
+  * file_store/directory: add ability to report pending size
+- Change clang dependency to clang16
+- Fix velociraptor-golang-mage-vendoring.diff to account for newer
+  'go mod vendor' honoring build flags.
+- Fix update-vendoring.sh script to actually run the %setup part of
+  the spec.
+- Merge client package into server spec and use _multibuild to create
+  client package from same spec file.
+- Adjust changelog to retain changes for client package.
+- Fix building in static mode on earlier releases.
+  - Added patch: velociraptor-libbpfgo-only-build-libbpf.patch
+
+-------------------------------------------------------------------
+Fri Mar 10 18:54:37 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
+
+- Tightening the security of the services a bit:
+  - tmp files are now moved to /var/lib/velociraptor{,-client}/tmp
+    from /tmp
+  - run velociraptor server as user velociraptor instead of root
+    we do not really need root permissions here
+  - introduce /var/lib/velociraptor/filestore to make it easier to
+    split out large file upload
+  - change permissions for the data directory and subdirectories to
+    /var/lib/velociraptor/      u=rwX,go= velociraptor:velociraptor
+    /var/lib/velociraptor-client/ u=rwX,go= root:root
+  - change permissions of config directory to:
+    /etc/velociraptor/ u=rwX,g=rX,o= root:velociraptor
+    /etc/velociraptor/server.config u=rw,g=r,o= root:velociraptor
+    /etc/velociraptor/client.config u=rw,go=    root:root
+
+-------------------------------------------------------------------
+Fri Mar 10 15:36:18 UTC 2023 - Jeff Mahoney <jeffm@suse.com>
+
+- Update to version 0.6.7.5~git6.73efb2a:
+  * libbpfgo: update submodule to require libzstd for newer libelf
+  * utils/time.js: fix handling of nanosecond-resolution timestamps
+  * libbpfgo: switch to using regular static builds
+  * Create a new 0.6.7-5 release (#2385)
+    - Verify FILESYSTEM_WRITE permission on copy() function (#2384) (bsc#1207936, CVE-2023-0242)
+    - Also ensure client id is considered unsafe (bsc#1207937, CVE-2023-0290)
+  * github/workflows/linux: do apt-get update to refresh package lists
+- Remove unnecessary dependency on libtsan0.
+- Allow velociraptor and velociraptor-client packages to coexist.
+
+-------------------------------------------------------------------
+Thu Jan 26 20:06:09 UTC 2023 - Jeff Mahoney <jeffm@suse.com>

 - Update to version 0.6.7.4~git63.4a1ed09d:
  * utils/time.js: fix handling of nanosecond-resolution timestamps
@ -12,7 +72,7 @@ Tue Jan 24 20:57:08 UTC 2023 - Jeff Mahoney <jeffm@suse.com>
 - Use obsinfo mtime to produce stable build timestamp (bsc#1207369).

 -------------------------------------------------------------------
-Tue Jan 24 15:07:09 UTC 2023 - jeffm@suse.com
+Tue Jan 24 15:07:09 UTC 2023 - Jeff Mahoney <jeffm@suse.com>

 - Update to version 0.6.7.4~git60.8abed37a:
  * http_comms: create ring buffer temporary file in the same directory
@ -48,6 +108,11 @@ Fri Jan 20 20:18:49 UTC 2023 - Jeff Mahoney <jeffm@suse.com>
  - vendor-build-fixes-for-SLE12.patch
  - sdjournal-build-fix-for-SLE12.patch

+-------------------------------------------------------------------
+Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- client: add memory limit to systemd unit
+
 -------------------------------------------------------------------
 Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney <jeffm@suse.com>

@ -77,6 +142,11 @@ Thu Jan 19 01:01:09 UTC 2023 - Jeff Mahoney <jeffm@suse.com>
  - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
    Neither the client or server builds on ix86.

+-------------------------------------------------------------------
+Mon Jan  9 16:01:44 UTC 2023 - Jeff Mahoney <jeffm@suse.com>
+
+- Added Restart=on-failure to restart the client automatically.
+
 -------------------------------------------------------------------
 Mon Dec 12 20:03:23 UTC 2022 - Jeff Mahoney <jeffm@suse.com>

@ -1030,7 +1100,12 @@ Thu Jan 27 17:27:42 UTC 2022 - Jeff Mahoney <jeffm@suse.com>
  * Propagate column types from artifact to flow notebook. (#1346)

 -------------------------------------------------------------------
-Thu Jan 06 20:14:39 UTC 2022 - Jeff Mahoney <jeffm@suse.com>
+Thu Jan  6 21:50:43 UTC 2022 - Jeff Mahoney <jeffm@suse.com>
+
+- client: Remove dependencies on nodejs since we don't use it in client mode.
+
+-------------------------------------------------------------------
+Thu Jan  6 20:14:39 UTC 2022 - Jeff Mahoney <jeffm@suse.com>

 - Update to version 0.6.2~git73.dc02b45e:
  * Update PrivateKeys.yaml (#1459)
@ -1056,6 +1131,8 @@ Thu Dec 16 14:12:05 UTC 2021 - Jeff Mahoney <jeffm@suse.com>
 - Switch to using master branch via service files.
  - Added update-vendoring.sh to update the nodejs and go dependencies
    after version update.
+  - Now building the client with linux_bare target that disables
+    the GUI for endpoint usage.
  - Patch the version string to reflect the package version instead
    of an indistinguishable <next-tag>-dev.

--- a/velociraptor.obsinfo
+++ b/velociraptor.obsinfo
@ -1,4 +1,4 @@
 name: velociraptor
-version: 0.6.7.4~git63.4a1ed09d
-mtime: 1674763484
-commit: 4a1ed09d50339b902c6446686bd16deedbb23804
+version: 0.6.7.5~git78.2bef6fc
+mtime: 1683577211
+commit: 2bef6fce8e26733a13a3bbfeaa8c4828db1a99ba
--- a/velociraptor.service
+++ b/velociraptor.service
@ -3,10 +3,11 @@ Description=Velociraptor Server Service

 [Service]
 Type=simple
-User=root
-Group=root
 UMask=0027
+User=velociraptor
+Group=velociraptor
 EnvironmentFile=-/etc/sysconfig/velociraptor
+Environment=TMPDIR=/var/lib/velociraptor/tmp
 ExecStart=/usr/bin/velociraptor frontend --verbose --config /etc/velociraptor/server.config $VELOCIRAPTOR_OPTS

 PrivateTmp=true
--- a/velociraptor.spec
+++ b/velociraptor.spec
@ -1,5 +1,5 @@
 #
-# spec file for package velociraptor
+# spec file
 #
 # Copyright (c) 2023 SUSE LLC
 #
@ -16,8 +16,28 @@
 #


+%define flavor @BUILD_FLAVOR@%{nil}
+
+%if "%{flavor}" == "client"
+%define build_client 1
+%define build_server 0
+%define build_kafka_humio_gateway 0
+%define name_suffix -client
+%define make_target linux_bare
+%define config_perms %attr(0600, root, root)
+%define state_dir_perms %attr(0700, root, root)
+%else
+%define build_kafka_humio_gateway 1
+%define build_server 1
+%define build_client 0
+%define name_suffix %{nil}
+%define make_target linux
+%define config_perms %attr(0640, root, velociraptor)
+%define state_dir_perms %attr(0700, velociraptor, velociraptor)
+%endif
+
 %define projname velociraptor
-%define vendor_version 0.6.7.4~git41.678ed56
+%define vendor_version 0.6.7.5~git77.997aa73
 %define vmlinux_h_version 5.14.21150400.22-150400-default

 # SLE 15 SP2 / Leap 15.2 or newer gets eBPF
@ -39,10 +59,14 @@
 %define _sharedstatedir /var/lib
 %endif

-Name:           velociraptor
-Version:        0.6.7.4~git63.4a1ed09d
+Name:           velociraptor%{name_suffix}
+Version:        0.6.7.5~git78.2bef6fc
 Release:        0
+%if %{build_server}
 Summary:        Endpoint visibility and collection tool
+%else
+Summary:        Endpoint visibility and collection tool (endpoint only)
+%endif
 Group:          System/Monitoring
 License:        AGPL-3.0-only
 URL:            https://github.com/Velocidex/velociraptor
@ -50,41 +74,50 @@ Source:         %{projname}-%{version}.tar.xz
 Source1:        vendor-golang-%{vendor_version}.tar.xz
 Source2:        vendor-golang-kafka-humio-gateway-%{vendor_version}.tar.xz
 Source3:        vendor-nodejs-%{vendor_version}.tar.xz
-Source4:        %{name}.service
-Source5:        %{name}-server.config.placeholder
-Source6:        %{name}-client.service
-Source7:        %{name}-client.config.placeholder
-Source8:        vmlinux.h-%{vmlinux_h_version}.tar.xz
+Source4:        vmlinux.h-%{vmlinux_h_version}.tar.xz
+Source5:        velociraptor.service
+Source6:        velociraptor-server.config.placeholder
+Source7:        velociraptor-client.service
+Source8:        velociraptor-client.config.placeholder
 Source9:        update-vendoring.sh
-Source10:       sysconfig.%{name}
-Source11:       sysconfig.%{name}-client
+Source10:       sysconfig.velociraptor
+Source11:       sysconfig.velociraptor-client
 Source12:       %{projname}.obsinfo
+Source13:       velociraptor-kafka.sysusers
+Source14:       velociraptor-kafka-humio-gateway.service
+Source15:       sysconfig.velociraptor-kafka-humio-gateway
 Patch1:         velociraptor-golang-mage-vendoring.diff
-Patch2:         velociraptor-skip-git-submodule-import-for-OBS-build.patch
-Patch3:         vendor-build-fixes-for-SLE12.patch
-Patch4:         sdjournal-build-fix-for-SLE12.patch
-Patch5:         velociraptor-reproducible-timestamp.diff
+Patch2:         vendor-build-fixes-for-SLE12.patch
+Patch3:         sdjournal-build-fix-for-SLE12.patch
+Patch4:         velociraptor-reproducible-timestamp.diff
 BuildRequires:  fileb0x
 BuildRequires:  golang-packaging
 BuildRequires:  mage
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  golang(API) >= 1.18
 BuildRequires:  pkgconfig(libsystemd)
-%ifarch x86_64
-BuildRequires:  libtsan0
-%endif
+%if %{build_server}
 BuildRequires:  nodejs >= 16
 BuildRequires:  npm >= 16
-%if %{with bpf}
-# clang15 causes libbpfo to crash immediately
-BuildRequires:  clang13
-BuildRequires:  libelf-devel
-BuildRequires:  llvm13
-BuildRequires:  zlib-devel-static
 %endif
-Conflicts:      velociraptor-client
+%if %{with bpf}
+# clang15 causes libbpfgo to crash immediately
+BuildRequires:  clang16
+BuildRequires:  libelf-devel
+BuildRequires:  libzstd-devel
+BuildRequires:  libzstd-devel
+BuildRequires:  llvm16
+BuildRequires:  zlib-devel
+%endif
+Requires:       group(velociraptor)
+Requires:       user(velociraptor)
 ExclusiveArch:  x86_64 ppc64le aarch64 s390x
+%if %{build_kafka_humio_gateway}
+BuildRequires:  sysuser-tools
+%{?sysusers_requires}
+%endif

+%if %{build_server}
 %description
 Velociraptor is a tool for collecting host based state information
 using The Velociraptor Query Language (VQL) queries.
@ -93,19 +126,37 @@ To learn more about Velociraptor, read the documentation on:

 https://docs.velociraptor.app/

-This package contains the endpoint agent and full console GUI.
+This package contains the velociraptor server and full console GUI.
 For just the endpoint agent, please install the 'velociraptor-client' package.
+%endif

+%if %{build_kafka_humio_gateway}
 %package kafka-humio-gateway
 Summary:        Gateway between Kafka and Humio for Velociraptor Artifacts
-Version:        0.6.7.4~git63.4a1ed09d
+Version:        0.6.7.5~git78.2bef6fc
+Requires:       group(velociraptor-kafka)
+Requires:       user(velociraptor-kafka)

 %description kafka-humio-gateway
 This tool is used to consume events generated by the Kafka Velociraptor plugin
 and post them to a Humio cluster.
+%endif
+
+%if %{build_client}
+%description
+Velociraptor is a tool for collecting host based state information
+using The Velociraptor Query Language (VQL) queries.
+
+To learn more about Velociraptor, read the documentation on:
+
+https://docs.velociraptor.app/
+
+This package contains only the endpoint agent.  For the full server and GUI
+console, please install the 'velociraptor' package.
+%endif

 %prep
-%setup -q -a 1 -a 2 -a 3 -a 8 -n %{projname}-%{version}
+%setup -q -a 1 -a 2 -a 3 -a 4 -n %{projname}-%{version}
 %autopatch -p1

 # Set the version to something more specific than <next-tag>-dev
@ -132,67 +183,108 @@ git_commit=$(grep commit: %{SOURCE12}|sed -e 's/commit: //g')
 export VELOCIRAPTOR_BUILD_TIME=$timestamp
 export VELOCIRAPTOR_GIT_HEAD=$git_commit

+%if %{build_server}
 (cd gui/velociraptor ; npm run build)
-PATH=$PATH:/usr/sbin make linux BUILD_LIBBPFGO=%{with bpf}
+%endif

+make %{make_target} BUILD_LIBBPFGO=%{with bpf} GIT=echo
+
+%if %{build_kafka_humio_gateway}
 (cd contrib/kafka-humio-gateway; go build -o %{name}-kafka-humio-gateway)
+%sysusers_generate_pre %{SOURCE13} user
+%endif

 %install
-mkdir -p %buildroot/%{_bindir}
-mkdir -p %buildroot/%{_sysconfdir}/velociraptor
-mkdir -p %buildroot/%{_unitdir}
-mkdir -p %buildroot/%{_sharedstatedir}/velociraptor/data
-mkdir -p %buildroot/%{_sharedstatedir}/velociraptor/logs
-mkdir -p %buildroot/%{_sharedstatedir}/velociraptor-client
-mkdir -p %buildroot/%{_datadir}/%{name}-kafka-humio-gateway
-install -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/velociraptor
-install -m 0755 contrib/kafka-humio-gateway/%{name}-kafka-humio-gateway %buildroot/%{_bindir}
-install -m 0644 contrib/kafka-humio-gateway/sample-config.yml %buildroot/%{_datadir}/%{name}-kafka-humio-gateway/sample-config.yml
-install -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/%{name}.service
-install -m 0600 %{SOURCE5} %{buildroot}%{_sysconfdir}/velociraptor/server.config
-install -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}-client.service
-install -m 0600 %{SOURCE7} %{buildroot}%{_sysconfdir}/velociraptor/client.config
-install -d -m 755 %{buildroot}%{_fillupdir}
-install -m 0644 %{SOURCE10} %{buildroot}%{_fillupdir}
-install -m 0644 %{SOURCE11} %{buildroot}%{_fillupdir}
+install -D -d -m 0750 %buildroot/%{_sysconfdir}/velociraptor
+install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/data
+install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/logs
+install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/tmp
+
+%if %{build_server}
+service_file_source=%{SOURCE5}
+config_file_source=%{SOURCE6}
+sysconfig_file_source=%{SOURCE10}
+config_file=server.config
+%else
+service_file_source=%{SOURCE7}
+config_file_source=%{SOURCE8}
+sysconfig_file_source=%{SOURCE11}
+config_file=client.config
+%endif
+
+install -D -m 0644 "$service_file_source" %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0644 "$sysconfig_file_source" %{buildroot}%{_fillupdir}/sysconfig.%{name}
+install -D -m 0640 "$config_file_source" "%{buildroot}%{_sysconfdir}/velociraptor/$config_file"
+install -D -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/%{name}
+
+%if %{build_kafka_humio_gateway}
+install -D -m 0644 %{SOURCE14} %{buildroot}%{_unitdir}/
+install -D -m 0644 %{SOURCE15} %{buildroot}%{_fillupdir}/
+install -D -m 0755 contrib/kafka-humio-gateway/velociraptor-kafka-humio-gateway %buildroot/%{_bindir}
+install -D -m 0644 contrib/kafka-humio-gateway/sample-config.yml \
+		   %buildroot/%{_datadir}/velociraptor-kafka-humio-gateway/sample-config.yml
+install -D -m 0644 %{SOURCE10} %{buildroot}%{_sysusersdir}/velociraptor-kafka.conf
+install -D -d -m 0750 %{buildroot}%{_sysconfdir}/velociraptor-kafka-humio-gateway
+install -D -m 0640 contrib/kafka-humio-gateway/sample-config.yml \
+		   %buildroot/%{_sysconfdir}/velociraptor-kafka-humio-gateway/transport.yml
+%endif

 %files
 %defattr(-, root, root)
 %license LICENSE
 %doc README.md
-%dir %{_sysconfdir}/velociraptor
-%{_bindir}/velociraptor
-%config(noreplace) %{_sysconfdir}/velociraptor/server.config
-%config(noreplace) %{_sysconfdir}/velociraptor/client.config
+%{_bindir}/%{name}
 %{_unitdir}/%{name}.service
-%{_unitdir}/%{name}-client.service
-%dir %{_sharedstatedir}/velociraptor
-%dir %{_sharedstatedir}/velociraptor/data
-%dir %{_sharedstatedir}/velociraptor/logs
-%dir %{_sharedstatedir}/velociraptor-client
 %{_fillupdir}/sysconfig.%{name}
-%{_fillupdir}/sysconfig.%{name}-client

+%dir %attr(-, root, velociraptor) %{_sysconfdir}/velociraptor
+
+%config(noreplace) %{config_perms} %{_sysconfdir}/velociraptor/*.config
+%dir %{state_dir_perms} %{_sharedstatedir}/%{name}
+%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/data
+%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/logs
+%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/tmp
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%{fillup_only}
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%if %{build_kafka_humio_gateway}
 %files kafka-humio-gateway
 %defattr(-, root, root)
 %license LICENSE
 %doc contrib/kafka-humio-gateway/README.md
-%{_bindir}/%{name}-kafka-humio-gateway
-%dir %{_datadir}/%{name}-kafka-humio-gateway
-%{_datadir}/%{name}-kafka-humio-gateway/sample-config.yml
+%{_bindir}/velociraptor-kafka-humio-gateway
+%dir %{_datadir}/velociraptor-kafka-humio-gateway
+%{_datadir}/velociraptor-kafka-humio-gateway/sample-config.yml
+%{_sysusersdir}/velociraptor-kafka.conf
+%{_unitdir}/velociraptor-kafka-humio-gateway.service
+%{_fillupdir}/sysconfig.velociraptor-kafka-humio-gateway
+%dir %attr(750, root, velociraptor-kafka) %{_sysconfdir}/velociraptor-kafka-humio-gateway
+%config(noreplace) %attr(0640, root, velociraptor-kafka) %{_sysconfdir}/velociraptor-kafka-humio-gateway/transport.yml

-%pre
-%service_add_pre %{name}.service %{name}-client.service
+%pre kafka-humio-gateway -f user.pre
+%service_add_pre velociraptor-kafka-humio-gateway.service

-%post
-%{fillup_only}
-%{fillup_only -s client}
-%service_add_post %{name}.service %{name}-client.service
+%post kafka-humio-gateway
+%{fillup_only -s kafka-humio-gateway}
+%service_add_post velociraptor-kafka-humio-gateway.service

-%preun
-%service_del_preun %{name}.service %{name}-client.service
+%preun kafka-humio-gateway
+%service_del_preun velociraptor-kafka-humio-gateway.service

-%postun
-%service_del_postun %{name}.service %{name}-client.service
+%postun kafka-humio-gateway
+%service_del_postun velociraptor-kafka-humio-gateway.service
+
+%endif

 %changelog
--- a/vendor-golang-0.6.7.4~git41.678ed56.tar.xz
+++ b/vendor-golang-0.6.7.4~git41.678ed56.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d0e93278e02bdcba1d6f81dc318ae07131c1f8492dc5db7340ddd8f3841d31f4
-size 27825180
--- a/vendor-golang-0.6.7.5~git77.997aa73.tar.xz
+++ b/vendor-golang-0.6.7.5~git77.997aa73.tar.xz
--- a/vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz
+++ b/vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:73c425c59d06d58c64c5f0f45e4211f9d9f51e8e1e688e070ccf53a8eb9bbc6f
-size 454256
--- a/vendor-golang-kafka-humio-gateway-0.6.7.5~git77.997aa73.tar.xz
+++ b/vendor-golang-kafka-humio-gateway-0.6.7.5~git77.997aa73.tar.xz
--- a/vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz
+++ b/vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e8734e871d5df2ccfd120ab591ed195fcb2b111ee7cc41378e5c29b68c3e83cb
-size 37872364
--- a/vendor-nodejs-0.6.7.5~git77.997aa73.tar.xz
+++ b/vendor-nodejs-0.6.7.5~git77.997aa73.tar.xz