diff --git a/revert-undocumented-config-file-format-changes.patch b/revert-undocumented-config-file-format-changes.patch
new file mode 100644
index 0000000..6ba0610
--- /dev/null
+++ b/revert-undocumented-config-file-format-changes.patch
@@ -0,0 +1,17 @@
+Index: vsftpd-3.0.5/parseconf.c
+===================================================================
+--- vsftpd-3.0.5.orig/parseconf.c 2022-02-01 20:35:02.703078850 +0100
++++ vsftpd-3.0.5/parseconf.c 2022-02-01 20:35:44.042486850 +0100
+@@ -85,9 +85,9 @@ parseconf_bool_array[] =
+ { "ssl_sslv2", &tunable_sslv2 },
+ { "ssl_sslv3", &tunable_sslv3 },
+ { "ssl_tlsv1", &tunable_tlsv1 },
+- { "ssl_tlsv11", &tunable_tlsv1_1 },
+- { "ssl_tlsv12", &tunable_tlsv1_2 },
+- { "ssl_tlsv13", &tunable_tlsv1_3 },
++ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
++ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
++ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
+ { "tilde_user_enable", &tunable_tilde_user_enable },
+ { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+ { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
diff --git a/use-system-wide-tls-cipher-policy.patch b/use-system-wide-tls-cipher-policy.patch
new file mode 100644
index 0000000..d395908
--- /dev/null
+++ b/use-system-wide-tls-cipher-policy.patch
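Review bot: Restoring the `ssl_tlsv1_1`/`ssl_tlsv1_2`/`ssl_tlsv1_3` spellings in `parseconf_bool_array` drops the `ssl_tlsv11`/`ssl_tlsv12`/`ssl_tlsv13` keys that the 3.0.4-based package accepted, so a vsftpd.conf that was adapted to the shorter names no longer matches any entry. How parseconf.c treats an unknown key is not visible in this hunk; if it aborts start-up the service goes down on upgrade, and if it ignores the line a TLS version the administrator disabled would silently return to its default. Keeping both spellings avoids either outcome, e.g. adding `{ "ssl_tlsv11", &tunable_tlsv1_1 },` and the matching `ssl_tlsv12`/`ssl_tlsv13` lines beside the restored ones, with a comment marking them as compatibility aliases.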
@@ -0,0 +1,26 @@
+Index: vsftpd-3.0.5/tunables.c
+===================================================================
+--- vsftpd-3.0.5.orig/tunables.c 2022-02-02 10:58:56.589962539 +0100
++++ vsftpd-3.0.5/tunables.c 2022-02-02 11:00:17.600782133 +0100
+@@ -295,7 +295,7 @@ tunables_load_defaults()
+ install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
+ &tunable_rsa_cert_file);
+ install_str_setting(0, &tunable_dsa_cert_file);
+- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
++ install_str_setting("DEFAULT_SUSE", &tunable_ssl_ciphers);
+ install_str_setting(0, &tunable_rsa_private_key_file);
+ install_str_setting(0, &tunable_dsa_private_key_file);
+ install_str_setting(0, &tunable_ca_certs_file);
+Index: vsftpd-3.0.5/vsftpd.conf.5
+===================================================================
+--- vsftpd-3.0.5.orig/vsftpd.conf.5 2022-02-02 10:58:56.589962539 +0100
++++ vsftpd-3.0.5/vsftpd.conf.5 2022-02-02 11:01:58.855306755 +0100
+@@ -1025,7 +1025,7 @@ man page for further details. Note that
+ security precaution as it prevents malicious remote parties forcing a cipher
+ which they have found problems with.
+
+-Default: DES-CBC3-SHA
++Default: DEFAULT_SUSE
+ .TP
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
diff --git a/vsftpd-2.0.4-dmapi.patch b/vsftpd-2.0.4-dmapi.patch
index 4f9cf86..11a12c1 100644
--- a/vsftpd-2.0.4-dmapi.patch
+++ b/vsftpd-2.0.4-dmapi.patch
@@ -1,8 +1,8 @@
-Index: postlogin.c
+Index: vsftpd-3.0.5/postlogin.c
 ===================================================================
---- postlogin.c.orig 2012-04-10 16:09:50.440384915 +0200
-+++ postlogin.c 2012-04-10 16:10:01.193753389 +0200
-@@ -1053,6 +1053,11 @@
+--- vsftpd-3.0.5.orig/postlogin.c 2015-07-22 21:03:22.000000000 +0200
++++ vsftpd-3.0.5/postlogin.c 2022-02-01 20:12:02.710908421 +0100
+@@ -1061,6 +1061,11 @@ handle_upload_common(struct vsf_session*
 {
 do_truncate = 1;
 }
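Review bot: The new default in `tunables_load_defaults()` is `"DEFAULT_SUSE"`, a name that only resolves if the linked OpenSSL build defines that cipher-string alias, and the hunk gives neither a fallback nor a comment saying so. A comment above the call such as `/* DEFAULT_SUSE is a distribution-specific OpenSSL cipher-list alias; it needs the distribution's libopenssl */` would record the dependency. The vsftpd.conf.5 hunk should say the same next to `Default: DEFAULT_SUSE` and point to `openssl ciphers -v DEFAULT_SUSE`, because the man page otherwise gives readers no way to tell which ciphers are enabled. The cipher list presumably governs TLS 1.2 and older only, so the man page could also state that TLS 1.3 suites are not controlled by this option; that needs confirming against ssl.c, which is not part of this diff.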
diff --git a/vsftpd-2.0.4-enable-ssl.patch b/vsftpd-2.0.4-enable-ssl.patch index dd366b2..652c58f 100644 --- a/vsftpd-2.0.4-enable-ssl.patch +++ b/vsftpd-2.0.4-enable-ssl.patch @@ -1,5 +1,7 @@ ---- builddefs.h.orig -+++ builddefs.h +Index: vsftpd-3.0.5/builddefs.h +=================================================================== +--- vsftpd-3.0.5.orig/builddefs.h 2021-08-02 09:01:43.000000000 +0200 ++++ vsftpd-3.0.5/builddefs.h 2022-02-01 20:12:01.538925293 +0100 @@ -3,7 +3,7 @@ #undef VSF_BUILD_TCPWRAPPERS diff --git a/vsftpd-2.0.5-enable-debuginfo.patch b/vsftpd-2.0.5-enable-debuginfo.patch index 89b7d7f..0221e2e 100644 --- a/vsftpd-2.0.5-enable-debuginfo.patch +++ b/vsftpd-2.0.5-enable-debuginfo.patch @@ -1,8 +1,8 @@ -Index: Makefile +Index: vsftpd-3.0.5/Makefile =================================================================== ---- Makefile.orig 2012-04-03 09:21:18.000000000 +0200 -+++ Makefile 2012-04-10 16:10:53.545547162 +0200 -@@ -9,7 +9,6 @@ +--- vsftpd-3.0.5.orig/Makefile 2012-09-16 09:27:35.000000000 +0200 ++++ vsftpd-3.0.5/Makefile 2022-02-01 20:12:04.538882105 +0100 +@@ -9,7 +9,6 @@ CFLAGS = -O2 -fPIE -fstack-protector --p #-pedantic -Wconversion LIBS = `./vsf_findlibs.sh` @@ -10,7 +10,7 @@ Index: Makefile LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \ -@@ -26,7 +25,7 @@ +@@ -26,7 +25,7 @@ OBJS = main.o utility.o prelogin.o ftpcm $(CC) -c $*.c $(CFLAGS) $(IFLAGS) vsftpd: $(OBJS) diff --git a/vsftpd-2.0.5-utf8-log-names.patch b/vsftpd-2.0.5-utf8-log-names.patch index cc6e549..74273d3 100644 --- a/vsftpd-2.0.5-utf8-log-names.patch +++ b/vsftpd-2.0.5-utf8-log-names.patch 
@@ -1,8 +1,8 @@ -Index: str.c +Index: vsftpd-3.0.5/str.c =================================================================== ---- str.c.orig 2012-03-28 17:25:40.000000000 +0200 -+++ str.c 2012-04-10 16:10:59.965767345 +0200 -@@ -27,6 +27,24 @@ +--- vsftpd-3.0.5.orig/str.c 2012-09-16 09:09:06.000000000 +0200 ++++ vsftpd-3.0.5/str.c 2022-02-01 20:12:05.458868861 +0100 +@@ -27,6 +27,24 @@ static int str_equal_internal(const char const char* p_buf2, unsigned int buf2_len); /* Private functions */ @@ -27,7 +27,7 @@ Index: str.c static void s_setbuf(struct mystr* p_str, char* p_newbuf) { -@@ -181,6 +199,45 @@ +@@ -181,6 +199,45 @@ str_reserve(struct mystr* p_str, unsigne p_str->p_buf[res_len - 1] = '\0'; } @@ -73,29 +73,26 @@ Index: str.c int str_isempty(const struct mystr* p_str) { -@@ -702,11 +759,13 @@ +@@ -702,6 +759,7 @@ void str_replace_unprintable(struct mystr* p_str, char new_char) { unsigned int i; -- for (i=0; i < p_str->len; i++) -- { -- if (!vsf_sysutil_isprint(p_str->p_buf[i])) + if( !str_is_utf8( p_str ) ) { -+ for (i=0; i < p_str->len; i++) - { -- p_str->p_buf[i] = new_char; -+ if (!vsf_sysutil_isprint(p_str->p_buf[i])) -+ { -+ p_str->p_buf[i] = new_char; -+ } + for (i=0; i < p_str->len; i++) + { + if (!vsf_sysutil_isprint(p_str->p_buf[i])) +@@ -709,5 +767,6 @@ str_replace_unprintable(struct mystr* p_ + p_str->p_buf[i] = new_char; } } ++ } } -Index: str.h + +Index: vsftpd-3.0.5/str.h =================================================================== ---- str.h.orig 2008-12-17 06:53:23.000000000 +0100 -+++ str.h 2012-04-10 16:10:59.965767345 +0200 -@@ -36,6 +36,7 @@ +--- vsftpd-3.0.5.orig/str.h 2012-09-16 09:01:52.000000000 +0200 ++++ vsftpd-3.0.5/str.h 2022-02-01 20:12:05.458868861 +0100 +@@ -36,6 +36,7 @@ void str_free(struct mystr* p_str); void str_trunc(struct mystr* p_str, unsigned int trunc_len); void str_reserve(struct mystr* p_str, unsigned int res_len); diff --git a/vsftpd-2.0.5-vuser.patch b/vsftpd-2.0.5-vuser.patch index 9704224..0d6b5f1 100644 
--- a/vsftpd-2.0.5-vuser.patch +++ b/vsftpd-2.0.5-vuser.patch @@ -1,5 +1,7 @@ ---- EXAMPLE/VIRTUAL_USERS/vsftpd.pam.orig -+++ EXAMPLE/VIRTUAL_USERS/vsftpd.pam +Index: vsftpd-3.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam +=================================================================== +--- vsftpd-3.0.5.orig/EXAMPLE/VIRTUAL_USERS/vsftpd.pam 2008-02-02 02:30:40.000000000 +0100 ++++ vsftpd-3.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam 2022-02-01 20:12:03.670894600 +0100 @@ -1,2 +1,2 @@ -auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login -account required /lib/security/pam_userdb.so db=/etc/vsftpd_login diff --git a/vsftpd-2.3.5-conf.patch b/vsftpd-2.3.5-conf.patch index 31ec526..c0e9d7d 100644 --- a/vsftpd-2.3.5-conf.patch +++ b/vsftpd-2.3.5-conf.patch @@ -1,7 +1,7 @@ -Index: vsftpd.conf +Index: vsftpd-3.0.5/vsftpd.conf =================================================================== ---- vsftpd.conf.orig -+++ vsftpd.conf +--- vsftpd-3.0.5.orig/vsftpd.conf 2011-12-17 19:24:40.000000000 +0100 ++++ vsftpd-3.0.5/vsftpd.conf 2022-02-01 20:12:06.546853199 +0100 @@ -4,23 +4,89 @@ # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. diff --git a/vsftpd-allow-dev-log-socket.patch b/vsftpd-allow-dev-log-socket.patch new file mode 100644 index 0000000..0a75b08 --- /dev/null +++ b/vsftpd-allow-dev-log-socket.patch 
@@ -0,0 +1,30 @@
+From: mvyskocil@suse.com
+Subject: enable /dev/log related socket call
+
+Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
+sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
+with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
+pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
+
+Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
+
+Index: vsftpd-3.0.5/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-02 11:03:38.133860169 +0100
++++ vsftpd-3.0.5/seccompsandbox.c 2022-02-02 11:03:38.177859528 +0100
+@@ -366,6 +366,15 @@ seccomp_sandbox_init()
+ {
+ bug("bad state in seccomp_sandbox_init");
+ }
++
++ //this is very probably an attempt to open /dev/log
++ //it fails because process cannot open any file, so it might be safe
++ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
++ allow_nr_3_arg_match(__NR_socket,
++ 1, PF_FILE,
++ 2, SOCK_DGRAM | SOCK_CLOEXEC,
++ 3, 0);
++
+ }
+
+ void
diff --git a/vsftpd-enable-sendto-for-prelogin-syslog.patch b/vsftpd-enable-sendto-for-prelogin-syslog.patch
new file mode 100644
index 0000000..ae01b4f
--- /dev/null
+++ b/vsftpd-enable-sendto-for-prelogin-syslog.patch
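Review bot: The `__NR_socket` rule is added at the end of `seccomp_sandbox_init()`, so it appears to apply to every sandboxed process rather than only the one that runs PAM, and its safety rests on the call failing with EMFILE under RLIMIT_NOFILE, which the comment itself words as "might be safe". If the descriptor limit is not in force in some process, the filter now lets that process create an AF_UNIX datagram socket. A narrower fix would be to have the filter answer this call with an errno instead of allowing it, or to scope the rule to the process that actually calls PAM. Either way the comment should state the dependency outright, e.g. `/* PAM's syslog() probes /dev/log; harmless only while RLIMIT_NOFILE makes socket() fail with EMFILE */`. The body of `seccomp_sandbox_init()` starts outside the hunk.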
@@ -0,0 +1,21 @@
+Enable sendto for syslog logging to /dev/log in prelogin
+
+We write to log from check_limits() and therefore we have to allow
+sendto() for syslog otherwise sandbox will kill the child.
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -388,6 +388,11 @@ seccomp_sandbox_setup_prelogin(const str
+ 1, PF_FILE,
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
+ 3, 0);
++ // allow syslog logs from check_limits()
++ if (tunable_syslog_enable)
++ {
++ allow_nr_1_arg_match(__NR_sendto, 6, 0);
++ }
+
+ }
+
diff --git a/vsftpd-openlog-force.patch b/vsftpd-openlog-force.patch
new file mode 100644
index 0000000..94c6ba0
--- /dev/null
+++ b/vsftpd-openlog-force.patch
@@ -0,0 +1,18 @@
+Force openlog() to open log immediately iff force!=0.
+Otherwise is log opened on first syslog() call which may be
+after the privileges are dropped and new file descriptors
+cannot be created.
+
+Index: vsftpd-3.0.5/sysutil.c
+===================================================================
+--- vsftpd-3.0.5.orig/sysutil.c 2022-02-01 19:38:36.487789134 +0100
++++ vsftpd-3.0.5/sysutil.c 2022-02-01 19:44:08.787005494 +0100
+@@ -2700,7 +2700,7 @@ vsf_sysutil_openlog(int force)
+ {
+ int facility = LOG_DAEMON;
+ int option = LOG_PID;
+- if (!force)
++ if (force)
+ {
+ option |= LOG_NDELAY;
+ }
diff --git a/vsftpd-seccomp-getrandom.patch b/vsftpd-seccomp-getrandom.patch
new file mode 100644
index 0000000..67342bc
--- /dev/null
+++ b/vsftpd-seccomp-getrandom.patch
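Review bot: `allow_nr_1_arg_match(__NR_sendto, 6, 0)` carries the restriction that makes this rule acceptable, but nothing says what it is: argument 6 of sendto() is the address length, so only sends without a destination address, i.e. on an already-connected socket, pass the filter. The comment could be extended to `// allow syslog logs from check_limits(); arg 6 (addrlen) == 0 limits this to already-connected sockets`. The patch is still rooted at vsftpd-3.0.2 and its context is the `PF_FILE` socket rule that vsftpd-allow-dev-log-socket.patch adds, so it only applies after that patch and lands wherever that rule sits. Refreshing it against 3.0.5 like the other patches would make the target function unambiguous.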
@@ -0,0 +1,15 @@
+Index: vsftpd-3.0.5/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-01 19:47:13.916340458 +0100
++++ vsftpd-3.0.5/seccompsandbox.c 2022-02-01 19:51:24.196737535 +0100
+@@ -406,6 +406,10 @@ seccomp_sandbox_setup_prelogin(const str
+ {
+ allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+ allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
++ // called from openssl's RAND_poll which is invoked in FIPS mode when the DRBG is seeded
++ allow_nr(__NR_getrandom);
++ allow_nr_1_arg_mask(__NR_open, 2, O_RDONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC);
++ allow_nr(__NR_getuid);
+ }
+ if (tunable_syslog_enable)
+ {
diff --git a/vsftpd-seccomp-ssl.patch b/vsftpd-seccomp-ssl.patch
new file mode 100644
index 0000000..589d3ec
--- /dev/null
+++ b/vsftpd-seccomp-ssl.patch
@@ -0,0 +1,15 @@
+SSL initialization calls RAND_load_file() which needs stat() enabled.
+
+Index: vsftpd-3.0.3/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.3.orig/seccompsandbox.c 2021-12-21 15:33:01.491786690 +0100
++++ vsftpd-3.0.3/seccompsandbox.c 2021-12-21 15:33:01.499786535 +0100
+@@ -559,6 +559,8 @@ seccomp_sandbox_setup_postlogin_broker()
+ allow_nr(__NR_fstat);
+ allow_nr(__NR_fchown);
+ allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
++ // called by RAND_load_file
++ allow_nr(__NR_stat);
+ }
+ if (tunable_syslog_enable)
+ {
diff --git a/vsftpd-seccomp-wait4.patch b/vsftpd-seccomp-wait4.patch
new file mode 100644
index 0000000..db406a9
--- /dev/null
+++ b/vsftpd-seccomp-wait4.patch
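Review bot: Only `__NR_getrandom` is explained by the comment in vsftpd-seccomp-getrandom.patch; the `__NR_open` and `__NR_getuid` rules added next to it have no stated reason. The open rule is the significant one, because this is the pre-login sandbox, which handles input from unauthenticated clients, and a seccomp filter cannot check the path, so the rule permits opening any file the process can read with those flags rather than just the random device RAND_poll presumably wants. `O_RDONLY` is 0 on Linux and adds nothing to the mask, so the effective constraint is whatever `allow_nr_1_arg_mask` does with `O_NOCTTY|O_NONBLOCK|O_CLOEXEC`. Please add a comment per rule, e.g. `// RAND_poll fallback: read-only open of the random device (path cannot be filtered here)`, and confirm the three rules sit inside the SSL-enabled block, whose opening line is outside the hunk.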
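Review bot: The `allow_nr(__NR_stat)` line in vsftpd-seccomp-ssl.patch is justified by SSL initialisation, but it is appended to a block whose other members are `__NR_fstat`, `__NR_fchown` and `__NR_recvmsg`, and the context of vsftpd-seccomp-wait4.patch shows `if (tunable_chown_uploads)` opening a block that starts with `allow_nr(__NR_fstat);` in the same function. If that is the same block, stat() is only allowed when chown_uploads is set, and a broker with SSL on and chown_uploads off is still killed in RAND_load_file(). Giving the rule its own condition would match the stated intent, e.g. `if (tunable_ssl_enable) { allow_nr(__NR_stat); }` placed after the closing brace. The block's opening line is outside this hunk, so this needs checking against the fully patched seccompsandbox.c.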
@@ -0,0 +1,14 @@
+Broker has to wait for its child.
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -540,6 +540,7 @@ seccomp_sandbox_setup_postlogin_broker()
+ seccomp_sandbox_setup_base();
+ seccomp_sandbox_setup_data_connections();
+ allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
++ allow_nr(__NR_wait4);
+ if (tunable_chown_uploads)
+ {
+ allow_nr(__NR_fstat);
diff --git a/vsftpd.changes b/vsftpd.changes
index 4219e1e..f200945 100644
--- a/vsftpd.changes
+++ b/vsftpd.changes
@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Tue Feb 1 18:42:41 UTC 2022 - Peter Simons
+
+- Add "seccomp-fixes.patch" to fix the syscall architecture offset
+ from 4 to 5, this change was documented in
+ .
+
+- Add "vsftpd-openlog-force.patch" to a logic error in the way the
+ force option for syslog's openlog() call was handled.
+
+- Add "vsftpd-seccomp-getrandom.patch" to fix a seccomp failure in
+ FIPS mode when SSL was enabled. [bsc#1052900]
+
+- Add "vsftpd-seccomp-ssl.patch" to allow stat() to be called,
+ which is required during SSL initialization by RAND_load_file().
+
+- Add "vsftpd-seccomp-wait4.patch" to allow wait4() to be called so
+ that the broker can wait for its child processes. [bsc#1021387]
+
+- Refresh patches to -p1 style so that we can use %autosetup:
+ * vsftpd-2.0.4-dmapi.patch
+ * vsftpd-2.0.4-enable-ssl.patch
+ * vsftpd-2.0.5-enable-debuginfo.patch
+ * vsftpd-2.0.5-utf8-log-names.patch
+ * vsftpd-2.0.5-vuser.patch
+ * vsftpd-2.3.5-conf.patch
+
+- Apply "revert-undocumented-config-file-format-changes.patch" to
+ revert the "ssl_tlsv1_X"-style config file options back to their
+ original spelling. The changes that dropped the underscore from
+ the version numbers in release 3.0.4 breaks existing
+ configurations and it was never documented anywhere -- not in the
+ package's changelog and not in the packages's own man page.
+
+- Apply "use-system-wide-tls-cipher-policy.patch" so that vsftpd
+ follows the system-wide TLS cipher policy "DEFAULT_SUSE" by
+ default. Run the command "openssl ciphers -v DEFAULT_SUSE" to see
+ which ciphers this includes.
+
+- Apply "add vsftpd-allow-dev-log-socket.patch" to allow sendto()
+ syscall when /dev/log support is enabled. [bnc#786024]
+
+- Apply "vsftpd-enable-sendto-for-prelogin-syslog.patch" to allow
+ sendto() to be called from check_limits(), which is necessary for
+ vsftpd to write to the system log.
+ ------------------------------------------------------------------- Wed Jan 5 10:21:02 UTC 2022 - Johannes Segitz @@ -22,11 +68,33 @@ Tue Jun 15 07:49:13 AM UTC 2021 - Peter Simons * Close the control connection after 10 unknown commands pre-login. * Reject any TLS ALPN advertisement that's not 'ftp'. * Add ssl_sni_hostname option to require a match on incoming SNI hostname. + * The options "ssl_tlsv1_1", "ssl_tlsv1_2", and "ssl_tlsv1_3" + have been renamed to "ssl_tlsv11", "ssl_tlsv12", and + "ssl_tlsv13" respectively. Note that the man page has not been + updated accordingly. - Upstream has a new GPG key (7B89011BCAE1CFEA). - "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" is now obsolete. +- "0001-Introduce-TLSv1.3-option.patch" is now obsolete. + +- "vsftpd-seccomp-syslog.patch" is now obsolete. + +------------------------------------------------------------------- +Mon Jun 14 14:26:05 UTC 2021 - Peter Simons + +- OpenSSL was updated to version 1.1.1 in SLE-15-SP2, adding + support for the TLSv1.3 protocol. As a consequence, some SLE-15 + applications that link OpenSSL for TLS support -- like vsftpd --, + gained the ability to use the newer TLS protocol, which created + interoperability problems with FTP clients in some cases. To + remedy the situation, "0001-Introduce-TLSv1.3-option.patch" was + applied in a forked SLE-15-SP2 version of vsftpd. The patch adds + the configuration option "ssl_tlsv1_3" that system administrators + can use to disable TLSv1.3 support on their servers. + [bsc#1187188] + ------------------------------------------------------------------- Thu Dec 3 11:20:20 UTC 2020 - Ismail Dönmez 
@@ -105,7 +173,8 @@ Wed Apr 25 06:32:25 UTC 2018 - psimons@suse.com - vsftpd-enable-syscalls-needed-by-sle15.patch: Enable wait4(), sysinfo(), and shutdown() syscalls in seccomp sandbox. These are - required for the daemon to work properly on SLE-15. [bsc#1089088] + required for the daemon to work properly on SLE-15. [bsc#1089088, + bsc#1180314] ------------------------------------------------------------------- Tue Apr 3 11:48:08 UTC 2018 - vcizek@suse.com @@ -206,6 +275,12 @@ Wed Mar 23 10:07:55 UTC 2016 - tchvatal@suse.com - Require shadow and do not output the error out of useradd +------------------------------------------------------------------- +Tue Mar 22 14:56:05 UTC 2016 - tchvatal@suse.com + +- Fix hang when using seccomp and syslog bnc#971784: + * vsftpd-seccomp-syslog.patch + ------------------------------------------------------------------- Tue Mar 22 14:27:27 UTC 2016 - tchvatal@suse.com diff --git a/vsftpd.spec b/vsftpd.spec index 8ecd6be..55e4464 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -1,7 +1,7 @@ # # spec file for package vsftpd # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -88,6 +88,14 @@ Patch33: vsftpd-avoid-bogus-ssl-write.patch Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch # PATCH-FIX-UPSTREAM https://bugzilla.suse.com/show_bug.cgi?id=1179553 Patch36: seccomp-fixes.patch +Patch37: vsftpd-openlog-force.patch +Patch38: vsftpd-seccomp-getrandom.patch +Patch39: vsftpd-seccomp-ssl.patch +Patch40: vsftpd-seccomp-wait4.patch +Patch41: revert-undocumented-config-file-format-changes.patch +Patch42: use-system-wide-tls-cipher-policy.patch +Patch43: vsftpd-allow-dev-log-socket.patch +Patch44: vsftpd-enable-sendto-for-prelogin-syslog.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: pam-devel 
@@ -121,40 +129,7 @@ vsftpd was always faster, supporting over twice as many users in some tests. %prep -%setup -q -%patch1 -p1 -%patch3 -p1 -%patch4 -%patch5 -%patch6 -%patch7 -%patch8 -%patch9 -%patch10 -p1 -%patch11 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 -%patch35 -p1 -%patch36 -p1 +%autosetup -p1 %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP