From 5594f1d5a9a70d3da316520e7a3a5bc4f531d30ebb8cba143623562df10b0a12 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Wed, 16 Oct 2024 14:19:19 +0200 Subject: [PATCH] Update patches for 2.10.0 --- ...checks-that-need-updating-every-iter.patch | 25 +++++++++ 0002-Harden-sssd-ifp.service.patch | 36 +++++++++++++ ...atch => 0003-Harden-sssd-kcm.service.patch | 12 ++--- symvers.patch => 0004-Add-symvers.patch | 51 ++++++++++--------- harden_sssd-ifp.service.patch | 24 --------- krb-noversion.diff | 20 -------- sssd.spec | 8 +-- 7 files changed, 97 insertions(+), 79 deletions(-) create mode 100644 0001-Remove-versions-checks-that-need-updating-every-iter.patch create mode 100644 0002-Harden-sssd-ifp.service.patch rename harden_sssd-kcm.service.patch => 0003-Harden-sssd-kcm.service.patch (77%) rename symvers.patch => 0004-Add-symvers.patch (74%) delete mode 100644 harden_sssd-ifp.service.patch delete mode 100644 krb-noversion.diff diff --git a/0001-Remove-versions-checks-that-need-updating-every-iter.patch b/0001-Remove-versions-checks-that-need-updating-every-iter.patch new file mode 100644 index 0000000..2ecd592 --- /dev/null +++ b/0001-Remove-versions-checks-that-need-updating-every-iter.patch @@ -0,0 +1,25 @@ +From f3ee55182600b2731b21bbdabbc5c891202f6dbb Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Fri, 15 Feb 2019 17:20:47 +0100 +Subject: [PATCH 1/4] Remove versions checks that need updating every + iteration. + +--- + src/external/pac_responder.m4 | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4 +index 90727185b..af9fded6f 100644 +--- a/src/external/pac_responder.m4 ++++ b/src/external/pac_responder.m4 +@@ -11,6 +11,7 @@ then + AC_MSG_CHECKING(for supported MIT krb5 version) + KRB5_VERSION="`$KRB5_CONFIG --version`" + case $KRB5_VERSION in ++ *|\ + Kerberos\ 5\ release\ 1.9* | \ + Kerberos\ 5\ release\ 1.10* | \ + Kerberos\ 5\ release\ 1.11* | \ +-- +2.46.1 + 
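Review bot: The case arm `*|\` added to `case $KRB5_VERSION in` matches every string, so the "for supported MIT krb5 version" check can no longer fail and the `Kerberos\ 5\ release\ 1.9*` ... arms that follow it are unreachable; configure will still print the check as if it had verified something, which is misleading for anyone debugging a build against an unsupported krb5. Removing the check is the stated intent, but the m4 itself does not say so. A comment line above the arm, e.g. `dnl openSUSE: accept any krb5 release; the version list below is now dead code`, or dropping the dead arms, would make that visible (either edit changes the inner hunk's line counts, which then need refreshing). The case statement and whatever follows it lie outside the hunk.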
diff --git a/0002-Harden-sssd-ifp.service.patch b/0002-Harden-sssd-ifp.service.patch new file mode 100644 index 0000000..a168400 --- /dev/null +++ b/0002-Harden-sssd-ifp.service.patch @@ -0,0 +1,36 @@ +From 7889dbb390091f0be5fea8f915fab68020556de7 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 16 Oct 2024 14:03:06 +0200 +Subject: [PATCH 2/4] Harden sssd-ifp.service + +--- + src/sysv/systemd/sssd-ifp.service.in | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in +index 1ab163392..c8d6dc9ae 100644 +--- a/src/sysv/systemd/sssd-ifp.service.in ++++ b/src/sysv/systemd/sssd-ifp.service.in +@@ -5,6 +5,19 @@ After=sssd.service + BindsTo=sssd.service + + [Service] ++# added automatically, for details please see ++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ++ProtectSystem=full ++ProtectHome=true ++PrivateDevices=true ++ProtectHostname=true ++ProtectClock=true ++ProtectKernelTunables=true ++ProtectKernelModules=true ++ProtectKernelLogs=true ++ProtectControlGroups=true ++RestrictRealtime=true ++# end of automatic additions + Environment=DEBUG_LOGGER=--logger=files + EnvironmentFile=-@environment_file@ + Type=dbus +-- +2.46.1 + diff --git a/harden_sssd-kcm.service.patch b/0003-Harden-sssd-kcm.service.patch similarity index 77% rename from harden_sssd-kcm.service.patch rename to 0003-Harden-sssd-kcm.service.patch index a198f9e..24e0ac1 100644 --- a/harden_sssd-kcm.service.patch +++ b/0003-Harden-sssd-kcm.service.patch @@ -1,14 +1,14 @@ -From 47a18db90ae89803532d6fa8e0790fcb98b76a07 Mon Sep 17 00:00:00 2001 +From 1fea2a4039f9e838554abe17bbf1513a8f99f348 Mon Sep 17 00:00:00 2001 
From: Samuel Cabrero -Date: Tue, 16 Jul 2024 09:21:00 +0200 -Subject: [PATCH] Harden sssd-kcm.service +Date: Wed, 16 Oct 2024 14:05:02 +0200 +Subject: [PATCH 3/4] Harden sssd-kcm.service --- src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in -index 2b3de184b..610ba2e18 100644 +index 0c839ec5c..b403cd709 100644 --- a/src/sysv/systemd/sssd-kcm.service.in +++ b/src/sysv/systemd/sssd-kcm.service.in @@ -8,6 +8,19 @@ After=sssd-kcm.socket @@ -29,8 +29,8 @@ index 2b3de184b..610ba2e18 100644 +RestrictRealtime=true +# end of automatic additions Environment=DEBUG_LOGGER=--logger=files + ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf - ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d -- -2.45.2 +2.46.1 diff --git a/symvers.patch b/0004-Add-symvers.patch similarity index 74% rename from symvers.patch rename to 0004-Add-symvers.patch index 096851c..6a9b63f 100644 --- a/symvers.patch +++ b/0004-Add-symvers.patch @@ -1,24 +1,25 @@ -From 1ad3abee3ed69cad410aff5f2e17542d2f34deb7 Mon Sep 17 00:00:00 2001 +From 20c2e36a1a98a5fc648d16389fc9861eb61768d3 Mon Sep 17 00:00:00 2001 
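Review bot: The hardening block is immediately followed by the two `ExecStartPre=+-/bin/chown ...` lines (the refreshed context adds the one for `@sssdconfdir@` itself), and the `+` prefix runs those commands with full privileges, outside the filesystem sandboxing that `ProtectSystem=`/`PrivateDevices=` and the other directives above configure. That is presumably what the chown needs, but a reader of the hardened unit could assume the sandbox covers them. A one-line comment after `# end of automatic additions`, e.g. `# note: the ExecStartPre=+ lines below run with full privileges and are not sandboxed by the directives above`, would make it explicit; adding it changes the inner hunk's line counts. The unit's [Service] section continues outside the hunk.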
From: Jan Engelhardt Date: Thu, 22 Dec 2022 00:09:20 +0100 -Subject: [PATCH] The theory for this sssd crash is that during rpm upgrading - it, sssd-2.8.2 gets installed, %post runs to restart it, but oh no, - sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over its - feet when it loads 2.7.4 .so files. Addin symvers like below should prevent - this and pin the modules to another: sssd_be's attempt to dlopen - libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot find a - libsss_util.so(-2.7.4), since the system only has libsss_util.so(-2.8.2) at - this point. +Subject: [PATCH 4/4] Add symvers +The theory for this sssd crash is that during rpm upgrading it, +sssd-2.8.2 gets installed, %post runs to restart it, but oh no, +sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over +its feet when it loads 2.7.4 .so files. Addin symvers like below should +prevent this and pin the modules to another: sssd_be's attempt to dlopen +libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot +find a libsss_util.so(-2.7.4), since the system only has +libsss_util.so(-2.8.2) at this point. --- Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) diff --git a/Makefile.am b/Makefile.am -index f4cadee6f..ea01d0ea5 100644 +index 839b25eae..e79da4a40 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \ +@@ -964,7 +964,11 @@ libsss_debug_la_SOURCES = \ libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ @@ -31,7 +32,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libsss_child.la libsss_child_la_SOURCES = src/util/child_common.c -@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \ +@@ -974,7 +978,8 @@ libsss_child_la_LIBADD = \ $(DHASH_LIBS) \ libsss_debug.la \ $(NULL) 
@@ -41,7 +42,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libsss_crypt.la -@@ -1020,7 +1025,8 @@ libsss_crypt_la_LIBADD = \ +@@ -1014,7 +1019,8 @@ libsss_crypt_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_crypt_la_LDFLAGS = \ @@ -51,7 +52,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libsss_cert.la -@@ -1045,8 +1051,9 @@ libsss_cert_la_LIBADD = \ +@@ -1039,8 +1045,9 @@ libsss_cert_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_cert_la_LDFLAGS = \ @@ -62,7 +63,7 @@ index f4cadee6f..ea01d0ea5 100644 generate-sbus-code: $(builddir)/sbus_generate.sh $(abs_srcdir) -@@ -1147,8 +1154,9 @@ libsss_sbus_la_CFLAGS = \ +@@ -1141,8 +1148,9 @@ libsss_sbus_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_sbus_la_LDFLAGS = \ @@ -73,7 +74,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libsss_sbus_sync.la libsss_sbus_sync_la_SOURCES = \ -@@ -1183,8 +1191,9 @@ libsss_sbus_sync_la_CFLAGS = \ +@@ -1177,8 +1185,9 @@ libsss_sbus_sync_la_CFLAGS = \ $(UNICODE_LIBS) \ $(NULL) libsss_sbus_sync_la_LDFLAGS = \ @@ -84,7 +85,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libsss_iface.la libsss_iface_la_SOURCES = \ -@@ -1213,8 +1222,9 @@ libsss_iface_la_CFLAGS = \ +@@ -1207,8 +1216,9 @@ libsss_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_la_LDFLAGS = \ @@ -95,7 +96,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libsss_iface_sync.la libsss_iface_sync_la_SOURCES = \ -@@ -1241,8 +1251,9 @@ libsss_iface_sync_la_CFLAGS = \ +@@ -1235,8 +1245,9 @@ libsss_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_sync_la_LDFLAGS = \ @@ -106,7 +107,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libsss_util.la libsss_util_la_SOURCES = \ -@@ -1338,7 +1349,8 @@ endif +@@ -1333,7 +1344,8 @@ endif if BUILD_PASSKEY libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c endif # BUILD_PASSKEY 
@@ -116,7 +117,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libsss_semanage.la libsss_semanage_la_CFLAGS = \ -@@ -1357,7 +1369,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS) +@@ -1352,7 +1364,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS) endif libsss_semanage_la_LDFLAGS = \ @@ -126,7 +127,7 @@ index f4cadee6f..ea01d0ea5 100644 SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ -@@ -1373,7 +1386,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ +@@ -1368,7 +1381,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ $(NULL) pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc @@ -135,7 +136,7 @@ index f4cadee6f..ea01d0ea5 100644 libipa_hbac_la_SOURCES = \ src/lib/ipa_hbac/hbac_evaluator.c \ src/util/sss_utf8.c -@@ -1699,8 +1712,9 @@ libifp_iface_la_CFLAGS = \ +@@ -1691,8 +1704,9 @@ libifp_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_la_LDFLAGS = \ @@ -146,7 +147,7 @@ index f4cadee6f..ea01d0ea5 100644 pkglib_LTLIBRARIES += libifp_iface_sync.la libifp_iface_sync_la_SOURCES = \ -@@ -1725,8 +1739,9 @@ libifp_iface_sync_la_CFLAGS = \ +@@ -1717,8 +1731,9 @@ libifp_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_sync_la_LDFLAGS = \ @@ -157,7 +158,7 @@ index f4cadee6f..ea01d0ea5 100644 sssd_ifp_SOURCES = \ src/responder/ifp/ifpsrv.c \ -@@ -4362,8 +4377,9 @@ libsss_ldap_common_la_LIBADD = \ +@@ -4352,8 +4367,9 @@ libsss_ldap_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_ldap_common_la_LDFLAGS = \ @@ -168,7 +169,7 @@ index f4cadee6f..ea01d0ea5 100644 if BUILD_SYSTEMTAP libsss_ldap_common_la_LIBADD += stap_generated_probes.lo endif -@@ -4420,7 +4436,8 @@ libsss_krb5_common_la_LIBADD = \ +@@ -4410,7 +4426,8 @@ libsss_krb5_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_krb5_common_la_LDFLAGS = \ diff --git a/harden_sssd-ifp.service.patch b/harden_sssd-ifp.service.patch deleted file mode 100644 index 250a49f..0000000 --- a/harden_sssd-ifp.service.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in -=================================================================== ---- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in -+++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in -@@ -5,6 +5,19 @@ After=sssd.service - BindsTo=sssd.service - - [Service] -+# added automatically, for details please see -+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -+ProtectSystem=full -+ProtectHome=true -+PrivateDevices=true -+ProtectHostname=true -+ProtectClock=true -+ProtectKernelTunables=true -+ProtectKernelModules=true -+ProtectKernelLogs=true -+ProtectControlGroups=true -+RestrictRealtime=true -+# end of automatic additions - Environment=DEBUG_LOGGER=--logger=files - EnvironmentFile=-@environment_file@ - Type=dbus diff --git a/krb-noversion.diff b/krb-noversion.diff deleted file mode 100644 index 3dea2c2..0000000 --- a/krb-noversion.diff +++ /dev/null @@ -1,20 +0,0 @@ -From: Jan Engelhardt -Date: 2019-02-15 17:20:47.842813210 +0100 - -Remove versions checks that need updating every iteration. ---- - src/external/pac_responder.m4 | 1 + - 1 file changed, 1 insertion(+) - -Index: sssd-2.0.0/src/external/pac_responder.m4 -=================================================================== ---- sssd-2.0.0.orig/src/external/pac_responder.m4 -+++ sssd-2.0.0/src/external/pac_responder.m4 -@@ -11,6 +11,7 @@ then - AC_MSG_CHECKING(for supported MIT krb5 version) - KRB5_VERSION="`$KRB5_CONFIG --version`" - case $KRB5_VERSION in -+ *|\ - Kerberos\ 5\ release\ 1.9* | \ - Kerberos\ 5\ release\ 1.10* | \ - Kerberos\ 5\ release\ 1.11* | \ diff --git a/sssd.spec b/sssd.spec index d99d506..694b63d 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -30,10 +30,10 @@ Source3: baselibs.conf Source5: %name.keyring Source6: sssd.sysusers Source7: sssd.permissions -Patch1: krb-noversion.diff -Patch2: harden_sssd-ifp.service.patch -Patch3: harden_sssd-kcm.service.patch -Patch4: symvers.patch +Patch1: 0001-Remove-versions-checks-that-need-updating-every-iter.patch +Patch2: 0002-Harden-sssd-ifp.service.patch +Patch3: 0003-Harden-sssd-kcm.service.patch +Patch4: 0004-Add-symvers.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake