Update patches for 2.10.0

2024-10-16 14:19:19 +02:00 · 2024-10-16 14:19:19 +02:00 · 5594f1d5a9
commit 5594f1d5a9
parent da3ea7db5b
7 changed files with 97 additions and 79 deletions
--- a/0001-Remove-versions-checks-that-need-updating-every-iter.patch
+++ b/0001-Remove-versions-checks-that-need-updating-every-iter.patch
@ -0,0 +1,25 @@
+From f3ee55182600b2731b21bbdabbc5c891202f6dbb Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Fri, 15 Feb 2019 17:20:47 +0100
+Subject: [PATCH 1/4] Remove versions checks that need updating every
+ iteration.
+
+---
+ src/external/pac_responder.m4 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
+index 90727185b..af9fded6f 100644
+--- a/src/external/pac_responder.m4
+++ b/src/external/pac_responder.m4
+@@ -11,6 +11,7 @@ then
+     AC_MSG_CHECKING(for supported MIT krb5 version)
+     KRB5_VERSION="`$KRB5_CONFIG --version`"
+     case $KRB5_VERSION in
+        *|\
+         Kerberos\ 5\ release\ 1.9* | \
+         Kerberos\ 5\ release\ 1.10* | \
+         Kerberos\ 5\ release\ 1.11* | \
+-- 
+2.46.1
+
--- a/0002-Harden-sssd-ifp.service.patch
+++ b/0002-Harden-sssd-ifp.service.patch
@ -0,0 +1,36 @@
+From 7889dbb390091f0be5fea8f915fab68020556de7 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Wed, 16 Oct 2024 14:03:06 +0200
+Subject: [PATCH 2/4] Harden sssd-ifp.service
+
+---
+ src/sysv/systemd/sssd-ifp.service.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
+index 1ab163392..c8d6dc9ae 100644
+--- a/src/sysv/systemd/sssd-ifp.service.in
+++ b/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus
+-- 
+2.46.1
+
--- a/0003-Harden-sssd-kcm.service.patch
+++ b/0003-Harden-sssd-kcm.service.patch
@ -1,14 +1,14 @@
-From 47a18db90ae89803532d6fa8e0790fcb98b76a07 Mon Sep 17 00:00:00 2001
+From 1fea2a4039f9e838554abe17bbf1513a8f99f348 Mon Sep 17 00:00:00 2001
 From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 16 Jul 2024 09:21:00 +0200
-Subject: [PATCH] Harden sssd-kcm.service
+Date: Wed, 16 Oct 2024 14:05:02 +0200
+Subject: [PATCH 3/4] Harden sssd-kcm.service

 ---
 src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
 1 file changed, 13 insertions(+)

 diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
-index 2b3de184b..610ba2e18 100644
+index 0c839ec5c..b403cd709 100644
 --- a/src/sysv/systemd/sssd-kcm.service.in
 +++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket
@ -29,8 +29,8 @@ index 2b3de184b..610ba2e18 100644
 +RestrictRealtime=true
 +# end of automatic additions
 Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
- ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
 -- 
-2.45.2
+2.46.1

--- a/0004-Add-symvers.patch
+++ b/0004-Add-symvers.patch
@ -1,24 +1,25 @@
-From 1ad3abee3ed69cad410aff5f2e17542d2f34deb7 Mon Sep 17 00:00:00 2001
+From 20c2e36a1a98a5fc648d16389fc9861eb61768d3 Mon Sep 17 00:00:00 2001
 From: Jan Engelhardt <jengelh@inai.de>
 Date: Thu, 22 Dec 2022 00:09:20 +0100
-Subject: [PATCH] The theory for this sssd crash is that during rpm upgrading
- it, sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
- sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over its
- feet when it loads 2.7.4 .so files. Addin symvers like below should prevent
- this and pin the modules to another: sssd_be's attempt to dlopen
- libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot find a
- libsss_util.so(-2.7.4), since the system only has libsss_util.so(-2.8.2) at
- this point.
+Subject: [PATCH 4/4] Add symvers

+The theory for this sssd crash is that during rpm upgrading it,
+sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
+sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over
+its feet when it loads 2.7.4 .so files. Addin symvers like below should
+prevent this and pin the modules to another: sssd_be's attempt to dlopen
+libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot
+find a libsss_util.so(-2.7.4), since the system only has
+libsss_util.so(-2.8.2) at this point.
 ---
 Makefile.am | 47 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 32 insertions(+), 15 deletions(-)

 diff --git a/Makefile.am b/Makefile.am
-index f4cadee6f..ea01d0ea5 100644
+index 839b25eae..e79da4a40 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
+@@ -964,7 +964,11 @@ libsss_debug_la_SOURCES = \
 libsss_debug_la_LIBADD = \
     $(SYSLOG_LIBS)
 libsss_debug_la_LDFLAGS = \
@ -31,7 +32,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libsss_child.la
 libsss_child_la_SOURCES = src/util/child_common.c
-@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
+@@ -974,7 +978,8 @@ libsss_child_la_LIBADD = \
     $(DHASH_LIBS) \
     libsss_debug.la \
     $(NULL)
@ -41,7 +42,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libsss_crypt.la
 
-@@ -1020,7 +1025,8 @@ libsss_crypt_la_LIBADD = \
+@@ -1014,7 +1019,8 @@ libsss_crypt_la_LIBADD = \
     libsss_debug.la \
     $(NULL)
 libsss_crypt_la_LDFLAGS = \
@ -51,7 +52,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libsss_cert.la
 
-@@ -1045,8 +1051,9 @@ libsss_cert_la_LIBADD = \
+@@ -1039,8 +1045,9 @@ libsss_cert_la_LIBADD = \
     libsss_debug.la \
     $(NULL)
 libsss_cert_la_LDFLAGS = \
@ -62,7 +63,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 generate-sbus-code:
 	$(builddir)/sbus_generate.sh $(abs_srcdir)
-@@ -1147,8 +1154,9 @@ libsss_sbus_la_CFLAGS = \
+@@ -1141,8 +1148,9 @@ libsss_sbus_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libsss_sbus_la_LDFLAGS = \
@ -73,7 +74,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libsss_sbus_sync.la
 libsss_sbus_sync_la_SOURCES = \
-@@ -1183,8 +1191,9 @@ libsss_sbus_sync_la_CFLAGS = \
+@@ -1177,8 +1185,9 @@ libsss_sbus_sync_la_CFLAGS = \
     $(UNICODE_LIBS) \
     $(NULL)
 libsss_sbus_sync_la_LDFLAGS = \
@ -84,7 +85,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libsss_iface.la
 libsss_iface_la_SOURCES = \
-@@ -1213,8 +1222,9 @@ libsss_iface_la_CFLAGS = \
+@@ -1207,8 +1216,9 @@ libsss_iface_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libsss_iface_la_LDFLAGS = \
@ -95,7 +96,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libsss_iface_sync.la
 libsss_iface_sync_la_SOURCES = \
-@@ -1241,8 +1251,9 @@ libsss_iface_sync_la_CFLAGS = \
+@@ -1235,8 +1245,9 @@ libsss_iface_sync_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libsss_iface_sync_la_LDFLAGS = \
@ -106,7 +107,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libsss_util.la
 libsss_util_la_SOURCES = \
-@@ -1338,7 +1349,8 @@ endif
+@@ -1333,7 +1344,8 @@ endif
 if BUILD_PASSKEY
 libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
 endif # BUILD_PASSKEY
@ -116,7 +117,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libsss_semanage.la
 libsss_semanage_la_CFLAGS = \
-@@ -1357,7 +1369,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
+@@ -1352,7 +1364,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
 endif
 
 libsss_semanage_la_LDFLAGS = \
@ -126,7 +127,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 SSSD_INTERNAL_LTLIBS = \
     libsss_util.la \
-@@ -1373,7 +1386,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+@@ -1368,7 +1381,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
                   $(NULL)
 
 pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@ -135,7 +136,7 @@ index f4cadee6f..ea01d0ea5 100644
 libipa_hbac_la_SOURCES = \
     src/lib/ipa_hbac/hbac_evaluator.c \
     src/util/sss_utf8.c
-@@ -1699,8 +1712,9 @@ libifp_iface_la_CFLAGS = \
+@@ -1691,8 +1704,9 @@ libifp_iface_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libifp_iface_la_LDFLAGS = \
@ -146,7 +147,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 pkglib_LTLIBRARIES += libifp_iface_sync.la
 libifp_iface_sync_la_SOURCES = \
-@@ -1725,8 +1739,9 @@ libifp_iface_sync_la_CFLAGS = \
+@@ -1717,8 +1731,9 @@ libifp_iface_sync_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libifp_iface_sync_la_LDFLAGS = \
@ -157,7 +158,7 @@ index f4cadee6f..ea01d0ea5 100644
 
 sssd_ifp_SOURCES = \
     src/responder/ifp/ifpsrv.c \
-@@ -4362,8 +4377,9 @@ libsss_ldap_common_la_LIBADD = \
+@@ -4352,8 +4367,9 @@ libsss_ldap_common_la_LIBADD = \
     $(SSSD_INTERNAL_LTLIBS) \
     $(NULL)
 libsss_ldap_common_la_LDFLAGS = \
@ -168,7 +169,7 @@ index f4cadee6f..ea01d0ea5 100644
 if BUILD_SYSTEMTAP
 libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
 endif
-@@ -4420,7 +4436,8 @@ libsss_krb5_common_la_LIBADD = \
+@@ -4410,7 +4426,8 @@ libsss_krb5_common_la_LIBADD = \
     $(SSSD_INTERNAL_LTLIBS) \
     $(NULL)
 libsss_krb5_common_la_LDFLAGS = \
--- a/harden_sssd-ifp.service.patch
+++ b/harden_sssd-ifp.service.patch
@ -1,24 +0,0 @@
-Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
-===================================================================
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
-+++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
-@@ -5,6 +5,19 @@ After=sssd.service
- BindsTo=sssd.service
- 
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ProtectHome=true
-+PrivateDevices=true
-+ProtectHostname=true
-+ProtectClock=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions 
- Environment=DEBUG_LOGGER=--logger=files
- EnvironmentFile=-@environment_file@
- Type=dbus
--- a/krb-noversion.diff
+++ b/krb-noversion.diff
@ -1,20 +0,0 @@
-From: Jan Engelhardt <jengelh@inai.de>
-Date: 2019-02-15 17:20:47.842813210 +0100
-
-Remove versions checks that need updating every iteration.
---
- src/external/pac_responder.m4 |    1 +
- 1 file changed, 1 insertion(+)
-
-Index: sssd-2.0.0/src/external/pac_responder.m4
-===================================================================
--- sssd-2.0.0.orig/src/external/pac_responder.m4
-+++ sssd-2.0.0/src/external/pac_responder.m4
-@@ -11,6 +11,7 @@ then
-     AC_MSG_CHECKING(for supported MIT krb5 version)
-     KRB5_VERSION="`$KRB5_CONFIG --version`"
-     case $KRB5_VERSION in
-+        *|\
-         Kerberos\ 5\ release\ 1.9* | \
-         Kerberos\ 5\ release\ 1.10* | \
-         Kerberos\ 5\ release\ 1.11* | \
--- a/sssd.spec
+++ b/sssd.spec
@ -30,10 +30,10 @@ Source3:        baselibs.conf
 Source5:        %name.keyring
 Source6:        sssd.sysusers
 Source7:        sssd.permissions
-Patch1:         krb-noversion.diff
-Patch2:         harden_sssd-ifp.service.patch
-Patch3:         harden_sssd-kcm.service.patch
-Patch4:         symvers.patch
+Patch1:         0001-Remove-versions-checks-that-need-updating-every-iter.patch
+Patch2:         0002-Harden-sssd-ifp.service.patch
+Patch3:         0003-Harden-sssd-kcm.service.patch
+Patch4:         0004-Add-symvers.patch

 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake