From 311b9b401e2c9040d466fa28f9a21dd02b51c3e7b1ed1bb351cfce75b1e170f2 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Wed, 13 Feb 2019 16:58:42 +0000 Subject: [PATCH] Accepting request 672753 from home:mwilck:branches:Base:System - Update to version 15.1.10 (git b28b13d): - implemented fs blacklisting logic (jsc#SLES-4085, fate#326832) Difference to previous submission: bashism removed. OBS-URL: https://build.opensuse.org/request/show/672753 OBS-URL: https://build.opensuse.org/package/show/Base:System/suse-module-tools?expand=0&rev=59 --- _service | 2 +- _servicedata | 2 +- suse-module-tools-15.1.0.tar.xz | 3 -- suse-module-tools-15.1.10.tar.xz | 3 ++ suse-module-tools.changes | 6 ++++ suse-module-tools.spec | 50 +++++++++++++++++++++++++++++++- 6 files changed, 60 insertions(+), 6 deletions(-) delete mode 100644 suse-module-tools-15.1.0.tar.xz create mode 100644 suse-module-tools-15.1.10.tar.xz diff --git a/_service b/_service index a946cd2..76ee620 100644 --- a/_service +++ b/_service @@ -4,7 +4,7 @@ git enable suse-module-tools - 15.1.0 + 15.1.10 master *.spec *.rpmlintrc diff --git a/_servicedata b/_servicedata index a81ab34..550ca3b 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/openSUSE/suse-module-tools.git - 6b07b8840b0e26b7f4fcaf5c5ddf17f6a3b97810 \ No newline at end of file + b28b13d83209ebdbbb30fe3881462ff86bc46428 \ No newline at end of file diff --git a/suse-module-tools-15.1.0.tar.xz b/suse-module-tools-15.1.0.tar.xz deleted file mode 100644 index b55aab4..0000000 --- a/suse-module-tools-15.1.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:87bc4b41e92a4219d4042d9003a86ae46fe87f77dddb0735e1cab0a5080b579b -size 25976 diff --git a/suse-module-tools-15.1.10.tar.xz b/suse-module-tools-15.1.10.tar.xz new file mode 100644 index 0000000..de67ac5 --- /dev/null +++ b/suse-module-tools-15.1.10.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a71a58c37e8327292233bf6846af4c3b6d245b7c02f869fb282aba221bfec680 +size 25984 diff --git a/suse-module-tools.changes b/suse-module-tools.changes index 1a3ffff..2d0a147 100644 --- a/suse-module-tools.changes +++ b/suse-module-tools.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Feb 08 10:44:56 UTC 2019 - mwilck@suse.com + +- Update to version 15.1.10 (git b28b13d): +- implemented fs blacklisting logic (jsc#SLES-4085, fate#326832) + ------------------------------------------------------------------- Thu Jan 31 23:07:10 UTC 2019 - mwilck@suse.com diff --git a/suse-module-tools.spec b/suse-module-tools.spec index 6f97ea8..621e884 100644 --- a/suse-module-tools.spec +++ b/suse-module-tools.spec @@ -16,8 +16,16 @@ # +# List of legacy file systems to be blacklisted by default +%if 0%{?is_opensuse} +%global fs_blacklist adfs affs bfs befs cramfs efs erofs exofs freevxfs f2fs hfs hpfs jffs2 jfs minix nilfs2 ntfs omfs qnx4 qnx6 sysv ubifs ufs +%else +# SLE only ships a few of them +%global fs_blacklist cramfs ufs +%endif + Name: suse-module-tools -Version: 15.1.0 +Version: 15.1.10 Release: 0 Summary: Configuration for module loading and SUSE-specific utilities for KMPs License: GPL-2.0-or-later @@ -112,6 +120,25 @@ install -pm 644 sg.conf "%{buildroot}%{_sysconfdir}/modules-load.d" mkdir -p %{buildroot}%{_defaultlicensedir} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150100 +for mod in %{fs_blacklist}; do + echo "\ +# The $mod file system is blacklisted by default because it isn't actively +# supported by SUSE, not well maintained, and may have security vulnerabilites. +# To enable autoloading the $mod file system module, comment out the +# \"blacklist $mod\" statement below. ENABLE AT YOUR OWN RISK. +# +# File system modules loaded at installation time of the %{name} package +# are not blacklisted. This is achieved by commenting out the blacklist +# line in the post-installation script. To prevent the post-installation +# script from modifying this file, delete the line containing \"THIS FILE MAY +# BE MODIFIED\" at the bottom. +blacklist $mod +# __THIS FILE MAY BE MODIFIED__" \ + >%{buildroot}%{_sysconfdir}/modprobe.d/60-blacklist_fs-"$mod".conf +done +%endif + %post %if 0%{?sle_version} >= 150000 # Delete obsolete unsupported-modules file from SLE11 @@ -180,6 +207,26 @@ if test -e %{_sysconfdir}/modprobe.conf.local; then %{_sysconfdir}/modprobe.d/99-local.conf fi +# Avoid systems becoming unbootable by blacklisting filesystem +# modules. Modules loaded at installation time will not be +# blacklisted (the blacklist statement is commented out). +# config(noreplace) makes sure that this is not overwritten by rpm. +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150100 +for mod in %{fs_blacklist}; do + conf=%{_sysconfdir}/modprobe.d/60-blacklist_fs-"$mod".conf + if [ -f "$conf" ] && \ + grep -q '^# __THIS FILE MAY BE MODIFIED__$' "$conf" && \ + sed '/^nodev/d;' /proc/filesystems | grep -q "\<$mod\>"; then + sed -i ' +/^# next line was commented out by postinstall script of %{name}$/d +/^blacklist '"$mod"'/{i\ +# next line was commented out by postinstall script of %{name} +s/^/# / +}' "$conf" + fi +done +%endif + %files %defattr(-,root,root) @@ -193,6 +240,7 @@ fi %config(noreplace) %{_sysconfdir}/modprobe.d/10-unsupported-modules.conf %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150100 %config(noreplace) %{_sysconfdir}/modprobe.d/50-blacklist.conf +%config(noreplace) %{_sysconfdir}/modprobe.d/60-blacklist_fs-*.conf %endif %config(noreplace) %{_sysconfdir}/modprobe.d/99-local.conf %dir %{_sysconfdir}/depmod.d