From 21b9f164e3a94f1a0a921d164902324eab81473fbeb3f4c675c6f70489ab9404 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Wed, 12 Jun 2019 06:04:55 +0000
Subject: [PATCH] Accepting request 709214 from home:jaicaa:branches:network

- Add upstream patches to fix bsc#1135884:
 * 0001-rhel-secure-openvswitch-useropts.patch
 * 0002-rhel-let-ctl-handle-runtime-directory.patch

OBS-URL: https://build.opensuse.org/request/show/709214
OBS-URL: https://build.opensuse.org/package/show/network/openvswitch?expand=0&rev=184
---
 0001-rhel-secure-openvswitch-useropts.patch | 39 +++++++++++++++
 ...hel-let-ctl-handle-runtime-directory.patch | 48 +++++++++++++++++++
 openvswitch.changes | 7 +++
 openvswitch.spec | 7 +++
 4 files changed, 101 insertions(+)
 create mode 100644 0001-rhel-secure-openvswitch-useropts.patch
 create mode 100644 0002-rhel-let-ctl-handle-runtime-directory.patch

diff --git a/0001-rhel-secure-openvswitch-useropts.patch b/0001-rhel-secure-openvswitch-useropts.patch
new file mode 100644
index 0000000..6571b83
--- /dev/null
+++ b/0001-rhel-secure-openvswitch-useropts.patch
@@ -0,0 +1,39 @@
+From aec69da8a2385b3d1368b484aa247876fbc2018d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?=
+Date: Wed, 8 May 2019 13:53:47 +0200
+Subject: [PATCH 1/2] rhel: secure openvswitch useropts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The openvswitch useropts file is being stored in a directory where the
+openvswitch user has write permissions. The openvswitch user can then
+manipulate the file to change the user under which switchd daemon runs.
+
+This patch changes the file to /var/openvswitch.useropts preventing any
+manipulation.
+
+Signed-off-by: Jaime Caamaño Ruiz
+Signed-off-by: Ben Pfaff
+---
+ rhel/usr_lib_systemd_system_ovsdb-server.service | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
+index 70da1ec95..0f9d936b3 100644
+--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
++++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
+@@ -11,8 +11,8 @@ Restart=on-failure
+ EnvironmentFile=/etc/openvswitch/default.conf
+ EnvironmentFile=-/etc/sysconfig/openvswitch
+ ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
+-ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi'
+-EnvironmentFile=-/run/openvswitch/useropts
++ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi'
++EnvironmentFile=-/run/openvswitch.useropts
+ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
+ --no-ovs-vswitchd --no-monitor --system-id=random \
+ ${OVSUSER} \
+-- 
+2.16.4
+
diff --git a/0002-rhel-let-ctl-handle-runtime-directory.patch b/0002-rhel-let-ctl-handle-runtime-directory.patch
new file mode 100644
index 0000000..2edfbc1
--- /dev/null
+++ b/0002-rhel-let-ctl-handle-runtime-directory.patch
@@ -0,0 +1,48 @@
+From eb48aba90b582df6dd7d2798a34ac31f7ed68282 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?=
+Date: Mon, 10 Jun 2019 14:58:10 +0200
+Subject: [PATCH] rhel: let *-ctl handle runtime directory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recent versions of systemd restores RuntimeDirectory ownership to the
+unit's User in between execution of *Exec directives (see [1]). Using
+ExecStartPre to reset RuntimeDirectory ownership to OVS_USER no longer
+works as expected.
+
+The ctl scripts already handle creation of the runtime directory with
+correct ownership and permissions so we can basically remove
+RuntimeDirectory from systemd unit file. There is still need to handle
+ownsership to cover some upgrade scenarios, but success of that will be
+optional as the directory itself wont exist at first time run.
+
+[1] https://github.com/systemd/systemd/issues/12713
+
+Signed-off-by: Jaime Caamaño Ruiz
+---
+ rhel/usr_lib_systemd_system_ovsdb-server.service | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
+index 0f9d936b3..22c704561 100644
+--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
++++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
+@@ -10,7 +10,7 @@ Type=forking
+ Restart=on-failure
+ EnvironmentFile=/etc/openvswitch/default.conf
+ EnvironmentFile=-/etc/sysconfig/openvswitch
+-ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
++ExecStartPre=-/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
+ ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi'
+ EnvironmentFile=-/run/openvswitch.useropts
+ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
+@@ -21,5 +21,3 @@ ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
+ ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
+ ${OVSUSER} \
+ --no-monitor restart $OPTIONS
+-RuntimeDirectory=openvswitch
+-RuntimeDirectoryMode=0755
+-- 
+2.16.4
+
diff --git a/openvswitch.changes b/openvswitch.changes
index b3ca08c..0a4e47b 100644
--- a/openvswitch.changes
+++ b/openvswitch.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jun 10 17:12:00 UTC 2019 - 
+
+- Add upstream patches to fix bsc#1135884:
+ * 0001-rhel-secure-openvswitch-useropts.patch
+ * 0002-rhel-let-ctl-handle-runtime-directory.patch
+
 -------------------------------------------------------------------
 Mon May 6 17:08:26 UTC 2019 - 
diff --git a/openvswitch.spec b/openvswitch.spec
index e9df9b8..c390b29 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -55,6 +55,10 @@ Source1: preamble
 Source89: Module.supported.updates
 # PATCH-FIX-OPENSUSE: Use-strongswan-for-openvswitch-ipsec-service.patch
 Patch0: 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
+# PATCH-FIX-UPSTREAM: 0001-rhel-secure-openvswitch-useropts.patch
+Patch1: 0001-rhel-secure-openvswitch-useropts.patch
+# PATCH-FIX-UPSTREAM: 0002-rhel-let-ctl-handle-runtime-directory.patch
+Patch2: 0002-rhel-let-ctl-handle-runtime-directory.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: graphviz
@@ -336,6 +340,8 @@ performance and connectivity issues in Open vSwitch setup.
 %prep
 %setup -q -n openvswitch-%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %build
 set -- * .travis* .mailmap .cirrus.yml
@@ -903,6 +909,7 @@ exit 0
 %endif
 %attr(750,root,root) %dir %{_localstatedir}/log/openvswitch
 %ghost %attr(755,root,root) %{_rundir}/openvswitch
+%ghost %attr(644,root,root) %{_rundir}/openvswitch.useropts
 %if %{with dpdk}
 %{_prefix}/lib/udev/rules.d/91-vfio.rules
 %endif
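Review bot: The `ExecStartPre=-/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch` line in this vendored patch makes the ownership hand-off best-effort at the same moment `RuntimeDirectory=openvswitch` is removed, so nothing in the unit itself guarantees that /run/openvswitch exists and belongs to OVS_USER_ID before ExecStart runs. The patch description says ovs-ctl creates the directory with the right owner and mode; that is worth confirming against the ovs-ctl shipped in this openvswitch version, since openvswitch.spec still %ghosts `%{_rundir}/openvswitch` as root-owned 0755. The same `-` prefix also silences a chown failure on /var/log/openvswitch, so an OVS_USER_ID that does not resolve would presumably no longer stop the unit at this step. A short sentence in openvswitch.changes noting that the unit now relies on ovs-ctl for the runtime directory would help the next maintainer, as both points are properties of the upstream patch rather than of the packaging.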
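Review bot: The two `# PATCH-FIX-UPSTREAM:` comments above Patch1 and Patch2 only repeat the patch file name, so a reader of the spec learns neither why the patches are carried nor which bug they address. The changelog entry ties them to bsc#1135884; keeping that reference and a one-line rationale on the marker line puts the information next to the Patch tag, e.g. `# PATCH-FIX-UPSTREAM 0001-rhel-secure-openvswitch-useropts.patch bsc#1135884 -- keep the useropts file out of the OVS-user-writable runtime directory` and `# PATCH-FIX-UPSTREAM 0002-rhel-let-ctl-handle-runtime-directory.patch bsc#1135884 -- let ovs-ctl own /run/openvswitch instead of RuntimeDirectory=`. That is two comment lines changed, both in this hunk.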
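Review bot: The new `%ghost %attr(644,root,root) %{_rundir}/openvswitch.useropts` entry records the file for rpm bookkeeping only; the file is actually created at service start by the ExecStartPre shell redirect in patch 0001, and what keeps the OVS user from rewriting `--ovs-user` is that the file now sits directly under /run rather than inside /run/openvswitch, which the unit hands over to OVS_USER_ID. Patch 0001's description speaks of `/var/openvswitch.useropts` while its hunk writes `/run/openvswitch.useropts`; the %ghost path follows the hunk, which is the right choice, but the mismatch is easy to trip over later. A one-line comment would keep the reasoning with the entry: `# written at service start by ovsdb-server.service; kept outside the OVS-user-owned /run/openvswitch so --ovs-user cannot be altered (bsc#1135884)`.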