[opencryptoki] - include token specific directories (#1013017, #1045775, #1054442) - fix pkcsconf crash for non-roo
Dan Horák
sharkcz at fedoraproject.org
Mon Jan 20 17:26:49 UTC 2014
commit 102c73f31a112f445bf439ab806beaf035d982e7
Author: Dan Horák <dan at danny.cz>
Date: Mon Jan 20 18:27:04 2014 +0100
- include token specific directories (#1013017, #1045775, #1054442)
- fix pkcsconf crash for non-root users (#10054661)
- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
opencryptoki-3.0-bz1054661.patch | 59 ++++++++++++++++++++++++++++++++++++++
opencryptoki.spec | 43 +++++++++++++++++++++++----
2 files changed, 95 insertions(+), 7 deletions(-)
---
diff --git a/opencryptoki-3.0-bz1054661.patch b/opencryptoki-3.0-bz1054661.patch
new file mode 100644
index 0000000..99e12b5
--- /dev/null
+++ b/opencryptoki-3.0-bz1054661.patch
@@ -0,0 +1,59 @@
+From 95064291fe13d4ed98e195946d931fe779f8a48f Mon Sep 17 00:00:00 2001
+From: Joy Latten <jmlatten at linux.vnet.ibm.com>
+Date: Fri, 17 Jan 2014 10:33:19 -0600
+Subject: [PATCH] Problem: A regular user in pkcs11 group cannot issue pkcsconf
+ -t. When shm_open() creates shared memory object, it honors umask of the
+ caller. This patch ensures the shared memory has expected permissions when it
+ is created.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Joy Latten <jmlatten at linux.vnet.ibm.com>
+Signed-off-by: Dan Horák <dan at danny.cz>
+---
+ usr/lib/pkcs11/common/shared_memory.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/usr/lib/pkcs11/common/shared_memory.c b/usr/lib/pkcs11/common/shared_memory.c
+index a8710c5..bf0411d 100644
+--- a/usr/lib/pkcs11/common/shared_memory.c
++++ b/usr/lib/pkcs11/common/shared_memory.c
+@@ -161,12 +161,29 @@ sm_open(const char *sm_name, int mode, void **p_addr, size_t len, int force)
+ goto done;
+ }
+
+- fd = shm_open(name, O_RDWR | O_CREAT, mode);
++ /* try and open first... */
++ fd = shm_open(name, O_RDWR, mode);
+ if (fd < 0) {
+- rc = -errno;
+- SYS_ERROR(errno, "Failed to open shared memory \"%s\".\n",
+- name);
+- goto done;
++ /* maybe it needs to be created ... */
++ fd = shm_open(name, O_RDWR | O_CREAT, mode);
++ if (fd < 0) {
++ rc = -errno;
++ SYS_ERROR(errno,
++ "Failed to open shared memory \"%s\".\n",
++ name);
++ goto done;
++ } else {
++ /* umask may have altered permissions if we created
++ * the shared memory in above call, so set proper
++ * permissions just in case.
++ */
++ if (fchmod(fd, mode) == -1) {
++ rc = -errno;
++ SYS_ERROR(errno, "fchmod(%s): %s\n",
++ name, strerror(errno));
++ goto done;
++ }
++ }
+ }
+
+ /*
+--
+1.8.1.4
+
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 5ef28c6..eb2d29f 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -3,7 +3,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.0
-Release: 7%{?dist}
+Release: 8%{?dist}
License: CPL
Group: System Environment/Base
URL: http://sourceforge.net/projects/opencryptoki
@@ -19,12 +19,14 @@ Patch1: %{name}-3.0-pkcsconf-man.patch
Patch2: %{name}-3.0-unit.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1001729
# http://sourceforge.net/p/opencryptoki/opencryptoki/ci/b50eb39e3cf8ccfdb735fbddfcdae10bdb70e1c4/
-Patch3: opencryptoki-3.0-opencryptoki-man.patch
+Patch3: %{name}-3.0-opencryptoki-man.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1033284
# post-3.0 upstream fixes
-Patch4: opencryptoki-3.0-bz1033284.patch
+Patch4: %{name}-3.0-bz1033284.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1037228
-Patch5: opencryptoki-3.0-format.patch
+Patch5: %{name}-3.0-format.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1054661
+Patch6: %{name}-3.0-bz1054661.patch
Requires(pre): shadow-utils coreutils sed
BuildRequires: openssl-devel
BuildRequires: trousers-devel
@@ -170,10 +172,23 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
%patch3 -p1 -b .opencryptoki-man
%patch4 -p1 -b .bz1033284
%patch5 -p1 -b .format
+%patch6 -p1 -b .bz1054661
# Upstream tarball has unnecessary executable perms set on the sources
find . -name '*.[ch]' -print0 | xargs -0 chmod -x
+# append token specific subdirs to tmpfiles.d config
+token_subdirs="icsf swtok tpm"
+%ifarch s390 s390x
+token_subdirs="$token_subdirs lite cca"
+%endif
+
+cp -p %{SOURCE1} %{name}-tmpfiles.conf
+for d in $token_subdirs
+do
+ echo "D /var/lock/opencryptoki/$d 0770 root pkcs11 -" >> %{name}-tmpfiles.conf
+done
+
%build
./bootstrap.sh
@@ -197,7 +212,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la
# systemd must create /var/lock/opencryptoki
mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d
-install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf
+install -m 0644 %{name}-tmpfiles.conf $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf
%post libs -p /sbin/ldconfig
@@ -218,7 +233,7 @@ install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf
%postun ccatok -p /sbin/ldconfig
%endif
-%pre
+%pre libs
getent group pkcs11 >/dev/null || groupadd -r pkcs11
exit 0
@@ -250,6 +265,7 @@ exit 0
%{_libdir}/pkcs11/methods
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}
+%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/*
%files libs
%doc LICENSE
@@ -258,7 +274,7 @@ exit 0
# needs them in the main package, because:
# pkcs11_startup looks for opencryptoki/stdll/*.so, and
# documentation suggests that programs should dlopen "PKCS11_API.so".
-%dir %{_libdir}/opencryptoki
+%dir %{_libdir}/opencryptoki/
%{_libdir}/opencryptoki/libopencryptoki.*
%{_libdir}/opencryptoki/PKCS11_API.so
%dir %{_libdir}/opencryptoki/stdll
@@ -273,11 +289,14 @@ exit 0
%files swtok
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%files tpmtok
%doc doc/README.tpm_stdll
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%files icsftok
%doc doc/README.icsf_stdll
@@ -285,21 +304,31 @@ exit 0
%{_mandir}/man1/pkcsicsf.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
%ifarch s390 s390x
%files icatok
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
%files ccatok
%doc doc/README-IBM_CCA_users
%doc doc/README.cca_stdll
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
%endif
%changelog
+* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
+- include token specific directories (#1013017, #1045775, #1054442)
+- fix pkcsconf crash for non-root users (#10054661)
+- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
+
* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
- fix build with -Werror=format-security (#1037228)
More information about the scm-commits
mailing list