Erich Cordoba e9d93b7e28 Recreate integrity patches using a new kernel revision
Before opensource these patches a kernel revision different
from the available in upstream was used. This changes recreates
the patches to use a valid revision.

Story: 2002964
Task: 22967

Change-Id: I424e928571ded42d2b768e1dbb1f87e8fb9aa847
Required-By: https://review.openstack.org/#/c/583016/
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 15:31:44 -04:00

139 lines
5.2 KiB
RPMSpec

%if "%{?_tis_build_type}" == "rt"
%define bt_ext -rt
%else
%undefine bt_ext
%endif
# Define the kmod package name here.
%define kmod_name integrity
Name: %{kmod_name}-kmod%{?bt_ext}
# the version is the Kernel version from which
# this driver is extracted
Version: 4.12
Release: 0%{?_tis_dist}.%{tis_patch_ver}
Group: System Environment/Kernel
License: GPLv2
Summary: %{kmod_name}%{?bt_ext} kernel module(s)
BuildRequires: kernel%{?bt_ext}-devel, redhat-rpm-config, perl, tpm-kmod%{?bt_ext}-symbols, openssl
ExclusiveArch: x86_64
# Sources.
# the integrity is available as a tarball, with
# the git commit Id referenced in the name
Source0: %{kmod_name}-kmod-e6aef069.tar.gz
Source1: modules-load.conf
Source2: COPYING
Source3: README
Source4: integrity.conf
Source5: ima.conf
Source6: ima.policy
# Patches
Patch01: 0001-integrity-kcompat-support.patch
Patch02: 0002-integrity-expose-module-params.patch
Patch03: 0003-integrity-restrict-by-iversion.patch
Patch04: 0004-integrity-disable-set-xattr-on-imasig.patch
Patch05: Changes-for-CentOS-7.4-support.patch
%define kversion %(rpm -q kernel%{?bt_ext}-devel | sort --version-sort | tail -1 | sed 's/kernel%{?bt_ext}-devel-//')
%package -n kmod-integrity%{?bt_ext}
Summary: Integrity kernel module(s) and driver
Group: System Environment/Kernel
%global _use_internal_dependency_generator 0
Provides: kernel-modules >= %{kversion}
Provides: integrity-kmod = %{?epoch:%{epoch}:}%{version}-%{release}
Requires(post): /usr/sbin/depmod
Requires(postun): /usr/sbin/depmod
%description -n kmod-integrity%{?bt_ext}
This package provides the %{version} Integrity / IMA kernel module(s) and drivers built
for the Linux kernel using the %{_target_cpu} family of processors.
%post -n kmod-integrity%{?bt_ext}
echo "Working. This may take some time ..."
if [ -e "/boot/System.map-%{kversion}" ]; then
/usr/sbin/depmod -aeF "/boot/System.map-%{kversion}" "%{kversion}" > /dev/null || :
fi
modules=( $(find /lib/modules/%{kversion}/kernel/security/integrity/ | grep '\.ko$') )
if [ -x "/sbin/weak-modules" ]; then
printf '%s\n' "${modules[@]}" | /sbin/weak-modules --add-modules
fi
echo "Done."
%preun -n kmod-integrity%{?bt_ext}
rpm -ql kmod-integrity%{?bt_ext}-%{version}-%{release}.x86_64 | grep '\.ko$' > /var/run/rpm-kmod-integrity%{?bt_ext}-modules
%postun -n kmod-integrity%{?bt_ext}
echo "Working. This may take some time ..."
if [ -e "/boot/System.map-%{kversion}" ]; then
/usr/sbin/depmod -aeF "/boot/System.map-%{kversion}" "%{kversion}" > /dev/null || :
fi
modules=( $(cat /var/run/rpm-kmod-integrity%{?bt_ext}-modules) )
rm /var/run/rpm-kmod-integrity%{?bt_ext}-modules
if [ -x "/sbin/weak-modules" ]; then
printf '%s\n' "${modules[@]}" | /sbin/weak-modules --remove-modules
fi
echo "Done."
%files -n kmod-integrity%{?bt_ext}
%defattr(-,root,root,-)
/lib/modules/%{kversion}/
%doc /usr/share/doc/kmod-integrity/
%{_sysconfdir}/modules-load.d/ima.conf
%config(noreplace) %{_sysconfdir}/modprobe.d/integrity.conf
%config(noreplace) %{_sysconfdir}/modprobe.d/ima.conf
%{_sysconfdir}/ima.policy
# Disable the building of the debug package(s).
%define debug_package %{nil}
%description
This package provides the %{kmod_name} kernel module(s).
It is built to depend upon the specific ABI provided by a range of releases
of the same variant of the Linux kernel and not on any one specific build.
%prep
%autosetup -p 1 -n %{kmod_name}
%build
# build out all the Integrity / IMA kernel modules
%{__make} KSRC=%{_usrsrc}/kernels/%{kversion} KBUILD_EXTRA_SYMBOLS=%{_usrsrc}/debug/tpm/Module.symvers
%install
%{__install} -d %{buildroot}/lib/modules/%{kversion}/kernel/security/%{kmod_name}/
%{__install} *.ko %{buildroot}/lib/modules/%{kversion}/kernel/security/%{kmod_name}/
%{__install} -d %{buildroot}/lib/modules/%{kversion}/kernel/security/%{kmod_name}/ima/
%{__install} ima/*.ko %{buildroot}/lib/modules/%{kversion}/kernel/security/%{kmod_name}/ima/
%{__install} -d %{buildroot}%{_sysconfdir}/modules-load.d
%{__install} -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/modules-load.d/ima.conf
%{__install} -d %{buildroot}%{_sysconfdir}/modprobe.d
%{__install} -p -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/modprobe.d/integrity.conf
%{__install} -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/modprobe.d/ima.conf
%{__install} -p -m 0400 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima.policy
%{__install} -d %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}/
%{__install} %{SOURCE2} %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}/
%{__install} %{SOURCE3} %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}/
# Strip the modules(s).
find %{buildroot} -type f -name \*.ko -exec %{__strip} --strip-debug \{\} \;
# Always Sign the modules(s).
# If the module signing keys are not defined, define them here.
%{!?privkey: %define privkey /usr/src/kernels/%{kversion}/signing_key.priv}
%{!?pubkey: %define pubkey /usr/src/kernels/%{kversion}/signing_key.x509}
for module in $(find %{buildroot} -type f -name \*.ko);
do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
sha256 %{privkey} %{pubkey} $module;
done
%clean
%{__rm} -rf %{buildroot}
%changelog
* Mon Aug 21 2017 Kam Nasim <kam.nasim@windriver.com> 4.12
- Initial RPM package.