From d684d9988bcc56e376cf89e51160d10ac8c9c9ff Mon Sep 17 00:00:00 2001 From: Jon Griffiths Date: Tue, 16 Feb 2016 04:28:24 +1300 Subject: Fix mkrpm.sh --- platform/rpm/firejail.spec | 26 ++-- platform/rpm/mkrpm.sh | 309 ++++----------------------------------------- 2 files changed, 40 insertions(+), 295 deletions(-) (limited to 'platform/rpm') diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index 98b556d56..f6c9efa18 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec @@ -1,5 +1,5 @@ -Name: firejail -Version: 0.9.30 +Name: __NAME__ +Version: __VERSION__ Release: 1 Summary: Linux namepaces sandbox program @@ -32,18 +32,18 @@ rm -rf %{buildroot} %files %doc %defattr(-, root, root, -) -%attr(4755, -, -) %{_bindir}/firejail +%attr(4755, -, -) %{_bindir}/__NAME__ %{_bindir}/firemon -%{_libdir}/firejail/ftee -%{_libdir}/firejail/fshaper.sh -%{_libdir}/firejail/libtrace.so -%{_libdir}/firejail/libtracelog.so -%{_datarootdir}/bash-completion/completions/firejail +%{_libdir}/__NAME__/ftee +%{_libdir}/__NAME__/fshaper.sh +%{_libdir}/__NAME__/libtrace.so +%{_libdir}/__NAME__/libtracelog.so +%{_datarootdir}/bash-completion/completions/__NAME__ %{_datarootdir}/bash-completion/completions/firemon -%{_docdir}/firejail -%{_mandir}/man1/firejail.1.gz +%{_docdir}/__NAME__ +%{_mandir}/man1/__NAME__.1.gz %{_mandir}/man1/firemon.1.gz -%{_mandir}/man5/firejail-login.5.gz -%{_mandir}/man5/firejail-profile.5.gz -%config %{_sysconfdir}/firejail +%{_mandir}/man5/__NAME__-login.5.gz +%{_mandir}/man5/__NAME__-profile.5.gz +%config %{_sysconfdir}/__NAME__ diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 3daede84c..e600c6bdd 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh @@ -1,296 +1,41 @@ #!/bin/bash # -# Usage: ./mkrpm.sh -# ./mkrpm.sh /path/to/firejail-0.9.30.tar.gz +# Usage: ./platform/rpm/mkrpm.sh firejail # -# Script builds rpm in a temporary directory and places the built rpm in the +# Builds rpms in a temporary directory then places the result in the # current working directory. +name=$1 +version=$2 -source=$1 - -create_tmp_dir() { - tmpdir=$(mktemp -d) - mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} -} - - -# copy or download source -if [[ $source ]]; then - - # check file exists - if [[ ! -f $source ]]; then - echo "$source does not exist!" - exit 1 - fi - - name=$(awk '/Name:/ {print $2}' firejail.spec) - version=$(awk '/Version:/ {print $2}' firejail.spec) - expected_filename="${name}-${version}.tar.gz" - - # ensure file name matches spec file expets - if [[ $(basename $source) != $expected_filename ]]; then - echo "source ($source) does not match expected filename ($(basename $expected_filename))" - exit 1 - fi - - create_tmp_dir - cp ${source} ${tmpdir}/SOURCES -else - create_tmp_dir - if ! spectool -C ${tmpdir}/SOURCES -g firejail.spec; then - echo "Failed to fetch firejail source code" +if [[ ! -f platform/rpm/${name}.spec ]]; then + echo error: spec file not found for name \"${name}\" exit 1 - fi fi -cp ./firejail.spec "${tmpdir}/SPECS/firejail.spec" - -<<<<<<< HEAD -echo "building tar.gz archive" -tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION - -cp firejail-$VERSION.tar.gz SOURCES/. - -echo "building config spec" -cat < SPECS/firejail.spec -%define __spec_install_post %{nil} -%define debug_package %{nil} -%define __os_install_post %{_dbpath}/brp-compress - -Summary: Linux namepaces sandbox program -Name: firejail -Version: $VERSION -Release: 1 -License: GPL+ -Group: Development/Tools -SOURCE0 : %{name}-%{version}.tar.gz -URL: http://github.com/netblue30/firejail - -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root - -%description -Firejail is a SUID sandbox program that reduces the risk of security -breaches by restricting the running environment of untrusted applications -using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. - -%prep -%setup -q - -%build - -%install -rm -rf %{buildroot} -mkdir -p %{buildroot} - -cp -a * %{buildroot} - - -%clean -rm -rf %{buildroot} - - -%files -%defattr(-,root,root,-) -%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile -%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile -%config(noreplace) %{_sysconfdir}/%{name}/disable-mgmt.inc -%config(noreplace) %{_sysconfdir}/%{name}/disable-secret.inc -%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile -%config(noreplace) %{_sysconfdir}/%{name}/evince.profile -%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile -%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile -%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile -%config(noreplace) %{_sysconfdir}/%{name}/login.users -%config(noreplace) %{_sysconfdir}/%{name}/midori.profile -%config(noreplace) %{_sysconfdir}/%{name}/opera.profile -%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile -%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile -%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile -%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile -%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile -%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile -%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile -%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile -%config(noreplace) %{_sysconfdir}/%{name}/totem.profile -%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile -%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile -%config(noreplace) %{_sysconfdir}/%{name}/generic.profile -%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile -%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc -%config(noreplace) %{_sysconfdir}/%{name}/disable-history.inc -%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile -%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile -%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile -%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile -%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile -%config(noreplace) %{_sysconfdir}/%{name}/server.profile -%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile - -/usr/bin/firejail -/usr/bin/firemon -/usr/lib/firejail/libtrace.so -/usr/lib/firejail/ftee -/usr/lib/firejail/fshaper.sh -/usr/share/doc/packages/firejail/COPYING -/usr/share/doc/packages/firejail/README -/usr/share/doc/packages/firejail/RELNOTES -/usr/share/man/man1/firejail.1.gz -/usr/share/man/man1/firemon.1.gz -/usr/share/man/man5/firejail-profile.5.gz -/usr/share/man/man5/firejail-login.5.gz -/usr/share/bash-completion/completions/firejail -/usr/share/bash-completion/completions/firemon - -%post -chmod u+s /usr/bin/firejail - -%changelog -* Mon Sep 14 2015 netblue30 0.9.30-1 - - added a disable-history.inc profile as a result of Firefox PDF.js exploit; - disable-history.inc included in all default profiles - - Firefox PDF.js exploit (CVE-2015-4495) fixes - - added --private-etc option - - added --env option - - added --whitelist option - - support ${HOME} token in include directive in profile files - - --private.keep is transitioned to --private-home - - support ~ and blanks in blacklist option - - support "net none" command in profile files - - using /etc/firejail/generic.profile by default for user sessions - - using /etc/firejail/server.profile by default for root sessions - - added build --enable-fatal-warnings configure option - - added persistence to --overlay option - - added --overlay-tmpfs option - - make install-strip implemented, make install renamed - - bugfixes - -* Sat Aug 1 2015 netblue30 0.9.28-1 - - network scanning, --scan option - - interface MAC address support, --mac option - - IP address range, --iprange option - - traffic shaping, --bandwidth option - - reworked printing of network status at startup - - man pages rework - - added firejail-login man page - - added GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF default - profiles - - added an /etc/firejail/disable-common.inc file to hold common directory - blacklists - - blacklist Opera and Chrome/Chromium config directories in profile files - - support noroot option for profile files - - enabled noroot in default profile files - - bugfixes - -* Thu Apr 30 2015 netblue30 0.9.26-1 - - private dev directory - - private.keep option for whitelisting home files in a new private directory - - user namespaces support, noroot option - - added Deluge and qBittorent profiles - - bugfixes - -* Sun Apr 5 2015 netblue30 0.9.24-1 - - whitelist and blacklist seccomp filters - - doubledash option - - --shell=none support - - netfilter file support in profile files - - dns server support in profile files - - added --dns.print option - - added default profiles for Audoacious, Clementine, Rhythmbox and Totem. - - added --caps.drop=all in default profiles - - new syscalls in default seccomp filter: sysfs, sysctl, adjtimex, kcmp - - clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init - - Bugfix: using /proc/sys/kernel/pid_max for the max number of pids - - two build patches from Reiner Herman (tickets 11, 12) - - man page patch from Reiner Herman (ticket 13) - - output patch (ticket 15) from sshirokov - -* Mon Mar 9 2015 netblue30 0.9.22-1 - - Replaced --noip option with --ip=none - - Container stdout logging and log rotation - - Added process_vm_readv, process_vm_writev and mknod to - default seccomp blacklist - - Added CAP_MKNOD to default caps blacklist - - Blacklist and whitelist custom Linux capabilities filters - - macvlan device driver support for --net option - - DNS server support, --dns option - - Netfilter support - - Monitor network statistics, --netstats option - - Added profile for Mozilla Thunderbird/Icedove - - --overlay support for Linux kernels 3.18+ - - Bugfix: preserve .Xauthority file in private mode (test with ssh -X) - - Bugfix: check uid/gid for cgroup - -* Fri Feb 6 2015 netblue30 0.9.20-1 - - utmp, btmp and wtmp enhancements - - create empty /var/log/wtmp and /var/log/btmp files in sandbox - - generate a new /var/run/utmp file in sandbox - - CPU affinity, --cpu option - - Linux control groups support, --cgroup option - - Opera web browser support - - VLC support - - Added "empty" attribute to seccomp command to remove the default - - syscall list form seccomp blacklist - - Added --nogroups option to disable supplementary groups for regular - - users. root user always runs without supplementary groups. - - firemon enhancements - - display the command that started the sandbox - - added --caps option to display capabilities for all sandboxes - - added --cgroup option to display the control groups for all sandboxes - - added --cpu option to display CPU affinity for all sandboxes - - added --seccomp option to display seccomp setting for all sandboxes - - New compile time options: --disable-chroot, --disable-bind - - bugfixes - -* Sat Dec 27 2014 netblue30 0.9.18-1 - - Support for tracing system, setuid, setgid, setfsuid, setfsgid syscalls - - Support for tracing setreuid, setregid, setresuid, setresguid syscalls - - Added profiles for transmission-gtk and transmission-qt - - bugfixes - -* Tue Nov 4 2014 netblue30 0.9.16-1 - - Configurable private home directory - - Configurable default user shell - - Software configuration support for --docdir and DESTDIR - - Profile file support for include, caps, seccomp and private keywords - - Dropbox profile file - - Linux capabilities and seccomp filters enabled by default for Firefox, - Midori, Evince and Dropbox - - bugfixes +if [[ -z "${version}" ]]; then + echo error: version must be given + exit 1 +fi -* Wed Oct 8 2014 netblue30 0.9.14-1 - - Linux capabilities and seccomp filters are automatically enabled in - chroot mode (--chroot option) if the sandbox is started as regular - user - - Added support for user defined seccomp blacklists - - Added syscall trace support - - Added --tmpfs option - - Added --balcklist option - - Added --read-only option - - Added --bind option - - Logging enhancements - - --overlay option was reactivated - - Added firemon support to print the ARP table for each sandbox - - Added firemon support to print the route table for each sandbox - - Added firemon support to print interface information for each sandbox - - bugfixes +# Make a temporary directory and arrange to clean up on exit +tmpdir=$(mktemp -d) +mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} +function cleanup { + rm -rf ${tmpdir} +} +trap cleanup EXIT -* Tue Sep 16 2014 netblue30 0.9.12-1 - - Added capabilities support - - Added support for CentOS 7 - - bugfixes +# Create the spec file +tmp_spec_file=${tmpdir}/SPECS/${name}.spec +sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file} +# FIXME: We could parse RELNOTES and create a %changelog section here -EOF +# Copy the source to build into a tarball +tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='.git/*' -echo "building rpm" -rpmbuild -ba SPECS/firejail.spec -rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm -cd .. -rm -f firejail-$VERSION-1.x86_64.rpm -cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . -======= -rpmbuild --define "_topdir ${tmpdir}" -ba "${tmpdir}/SPECS/firejail.spec" ->>>>>>> d69c2f8a62fca967460265dedd5afa62592264dd +# Build the files (rpm, debug rpm and source rpm) +rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file} -cp ${tmpdir}/RPMS/x86_64/firejail-*-1.x86_64.rpm . -rm -rf "${tmpdir}" +# Copy the results to cwd +mv ${tmpdir}/SRPMS/*.rpm ${tmpdir}/RPMS/*/*rpm . -- cgit v1.2.3-54-g00ecf