Merge branch '1.0-dev' into thcrain/glibc-cve-2021-3326

This commit is contained in:
Thomas Crain 2021-02-12 14:52:41 -06:00 коммит произвёл GitHub
Родитель fa579fc877 f6bc5aa1f5
Коммит 7a69806354
42 изменённых файлов: 791 добавлений и 37 удалений

.github/workflows/validate-cg-manifest.sh поставляемый

@ -33,9 +33,9 @@ ignore_list=" \
rm -f bad_registrations.txt
rm -rf ./cgmanifest_test_dir/
[[ -n "$@" ]] || echo "No specs passed to validate"
[[ $# -eq 0 ]] && echo "No specs passed to validate"
for spec in $@
for spec in "$@"
do
echo Checking "$spec"
@ -58,11 +58,11 @@ do
version=$(rpmspec --srpm --define "with_check 0" --qf "%{VERSION}" -q $spec 2>/dev/null )
# Some source files have been renamed, look for a comment and also try that (while manually substituting the name/version)
source0alt=$(grep "^#[[:blank:]]*Source0:" $spec | awk '{print $NF}' | sed "s/%{name}/$name/g" | sed "s/%{version}/$version/g" )
source0alt=$(grep "^#[[:blank:]]*Source0:" $spec | awk '{print $NF}' | sed "s/%\?%{name}/$name/g" | sed "s/%\?%{version}/$version/g" )
# Some packages define a %url as well
# Use ' ' as delimiter to avoid conflict with URL characters
specurl=$(rpmspec --srpm --define "with_check 0" --qf "%{URL}" -q $spec 2>/dev/null )
[[ -z specurl ]] || source0alt=$(echo $source0alt | sed "s %{url} $specurl g" )
[[ -z $specurl ]] || source0alt=$(echo $source0alt | sed "s %\?%{url} $specurl g" )
# Pull the current registration from the cgmanifest file. Every registration should have a url, so if we don't find one
# that implies the registration is missing.
@ -80,7 +80,7 @@ do
else
# Try a few times to download the source listed in the manifest
mkdir -p ./cgmanifest_test_dir
for i in {1..10}
for _ in {1..10}
do
wget --quiet -P ./cgmanifest_test_dir $manifesturl && touch ./cgmanifest_test_dir/WORKED && break
sleep 30
@ -98,4 +98,4 @@ then
echo "####"
cat bad_registrations.txt
exit 1
fi
fi
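Review bot: The quoting introduced with `for spec in "$@"` is not carried into the loop body: `$spec` is still expanded unquoted in `rpmspec --srpm … -q $spec` and in `grep "^#[[:blank:]]*Source0:" $spec`, and `$manifesturl` is unquoted in the wget call, so a spec path or URL containing whitespace or glob characters is split or expanded before the command sees it; write `-q "$spec"` and `grep "^#[[:blank:]]*Source0:" "$spec"`. The `echo $source0alt` feeding the url substitution has the same problem and will additionally glob-expand a URL containing `*` or `?`; `echo "$source0alt"` avoids it. The `for spec` loop these hunks belong to starts in the first hunk and its closing `done` lies outside the shown hunks.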


@ -3,7 +3,7 @@
Summary: Signed Linux Kernel for aarch64 systems
Name: kernel-signed-aarch64
Version: 5.4.91
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -82,6 +82,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
%changelog
* Tue Feb 09 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-4
- Update to kernel release 5.4.91-4
* Thu Jan 28 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-3
- Add hmac files for FIPS


@ -3,7 +3,7 @@
Summary: Signed Linux Kernel for x86_64 systems
Name: kernel-signed-x64
Version: 5.4.91
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -82,6 +82,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
%changelog
* Tue Feb 09 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-4
- Update to kernel release 5.4.91-4.
* Thu Jan 28 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-3
- Add hmac files for FIPS



@ -0,0 +1,5 @@
{
"Signatures": {
"bmon-4.0.tar.gz": "d5e503ff6b116c681ebf4d10e238604dde836dceb9c0008eb92416a96c87ca40"
}
}

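--- a/SPECS/bmon/bmon.spec
+++ b/SPECS/bmon/bmon.spec
@@ -0,0 +1,47 @@
+Summary: Monitoring and debugging tool to capture networking related statistics
+Name: bmon
+Version: 4.0
+Release: 1%{?dist}
+License: BSD-2-Clause AND MIT
+Vendor: Microsoft Corporation
+Distribution: Mariner
+Group: Applications/System
+URL: https://github.com/tgraf/bmon
+Source0: https://github.com/tgraf/bmon/archive/%{name}-%{version}.tar.gz
+BuildRequires: gcc
+BuildRequires: libconfuse-devel
+BuildRequires: libnl3-devel
+BuildRequires: make
+BuildRequires: ncurses-devel
+Requires: libconfuse
+Requires: libnl3
+Requires: ncurses
+%description
+bmon is a monitoring and debugging tool to capture networking related
+statistics and prepare them visually in a human friendly way. It features
+various output methods including an interactive curses user interface and
+a programmable text output for scripting.
+%prep
+%autosetup -p1
+%build
+./autogen.sh
+%configure
+%make_build
+%install
+%make_install
+%files
+%license LICENSE.BSD LICENSE.MIT
+%{_bindir}/bmon
+%{_docdir}/bmon/examples/bmon.conf
+%{_mandir}/man8/bmon.8.gz
+%changelog
+* Mon Feb 08 2021 Henry Beberman <henry.beberman@microsoft.com> 4.0-1
+- Add bmon spec
+- License verified
+- Original version for CBL-Mariner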
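Review bot: The Source0 URL disagrees with the cgmanifest entry added for the same component: the spec expands to `https://github.com/tgraf/bmon/archive/bmon-4.0.tar.gz` while cgmanifest.json records `https://github.com/tgraf/bmon/archive/v4.0.tar.gz`, so the two provenance records for the pinned tarball hash point at different artifacts. The same mismatch appears in the new bpftrace spec (whose Source0 `https://github.com/iovisor/%{name}/%{name}-%{version}.tar.gz` also lacks the `/archive/` path segment the manifest has), in ntopng and vnstat, and in the updated pigz spec. Either make Source0 the manifest URL, or keep the renamed local tarball and add the commented upstream line the validator appears to read, `# Source0: https://github.com/tgraf/bmon/archive/v%%{version}.tar.gz`, as the libacvp spec in this commit does, so validate-cg-manifest.sh can tie the spec to the manifest.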


@ -0,0 +1,5 @@
{
"Signatures": {
"bpftrace-0.11.4.tar.gz": "5b9c7509887e4337841e3188eabcc7247bc2c1cc312c983cbb8b77e341d20242"
}
}


@ -0,0 +1,59 @@
Summary: Berkeley Packet Filter Tracing Language
Name: bpftrace
Version: 0.11.4
Release: 1%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/System
URL: https://github.com/iovisor/bpftrace
Source0: https://github.com/iovisor/%{name}/%{name}-%{version}.tar.gz
BuildRequires: bcc-devel
BuildRequires: binutils-devel
BuildRequires: bison
BuildRequires: clang-devel
BuildRequires: cmake
BuildRequires: elfutils-libelf-devel
BuildRequires: flex
BuildRequires: gcc
BuildRequires: git
BuildRequires: llvm-devel >= 8.0.1-5
BuildRequires: make
BuildRequires: systemtap-sdt-devel
BuildRequires: zlib-devel
Requires: bcc
Requires: binutils
Requires: clang
Requires: glibc
Requires: libgcc
Requires: libstdc++
Requires: llvm >= 8.0.1-5
%description
bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF)
%prep
%autosetup -p1
%build
mkdir build; cd build; cmake -DCMAKE_BUILD_TYPE=Release -DOFFLINE_BUILDS=true ..
make bpftrace
%install
mkdir -p %{buildroot}%{_bindir}/
mkdir -p %{buildroot}%{_datadir}/bpftrace/tools/doc
install -p -m 755 build/src/bpftrace %{buildroot}%{_bindir}/
install -p -m 755 tools/*.bt %{buildroot}%{_datadir}/bpftrace/tools
install -p -m 644 tools/*.txt %{buildroot}%{_datadir}/bpftrace/tools/doc
%files
%license LICENSE
%doc README.md CONTRIBUTING-TOOLS.md
%{_bindir}/bpftrace
%{_datadir}/bpftrace/tools
%changelog
* Wed Feb 03 2021 Henry Beberman <henry.beberman@microsoft.com> - 0.11.4-1
- Add bpftrace spec.
- License verified
- Original version for CBL-Mariner


@ -1,7 +1,7 @@
Summary: C, C++, Objective C and Objective C++ front-end for the LLVM compiler.
Name: clang
Version: 8.0.1
Release: 3%{?dist}
Release: 4%{?dist}
License: NCSA
URL: https://clang.llvm.org
Source0: https://github.com/llvm/llvm-project/releases/download/llvmorg-%{version}/cfe-%{version}.src.tar.xz
@ -44,6 +44,7 @@ mkdir -p build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_BUILD_TYPE=Release \
-DLLVM_ENABLE_RTTI=ON \
-Wno-dev ..
make %{?_smp_mflags}
@ -80,6 +81,8 @@ rm -rf %{buildroot}/*
%{_includedir}/*
%changelog
* Tue Feb 09 2021 Henry Beberman <henry.beberman@microsoft.com> 8.0.1-4
- Enable RTTI (runtime type information) so other packages can depend on it.
* Fri Jun 12 2020 Henry Beberman <henry.beberman@microsoft.com> 8.0.1-3
- Temporarily disable generation of debug symbols.
* Sat May 09 00:21:24 PST 2020 Nick Samson <nisamson@microsoft.com> - 8.0.1-2


@ -5,7 +5,7 @@
Summary: dracut to create initramfs
Name: dracut
Version: 049
Release: 3%{?dist}
Release: 4%{?dist}
# The entire source code is GPLv2+
# except install/* which is LGPLv2+
License: GPLv2+ AND LGPLv2+
@ -99,7 +99,7 @@ mkdir -p %{buildroot}%{_sharedstatedir}/initramfs
rm -f %{buildroot}%{_mandir}/man?/*suse*
install -m 0644 dracut.conf.d/fips.conf.example %{buildroot}%{dracutlibdir}/dracut.conf.d/40-fips.conf
install -m 0644 dracut.conf.d/fips.conf.example %{buildroot}%{_sysconfdir}/dracut.conf.d/40-fips.conf
> %{buildroot}%{_sysconfdir}/system-fips
# create compat symlink
@ -164,7 +164,7 @@ rm -rf -- %{buildroot}
%files fips
%defattr(-,root,root,0755)
%{dracutlibdir}/modules.d/01fips
%{dracutlibdir}/dracut.conf.d/40-fips.conf
%{_sysconfdir}/dracut.conf.d/40-fips.conf
%config(missingok) %{_sysconfdir}/system-fips
%files tools
@ -176,6 +176,9 @@ rm -rf -- %{buildroot}
%dir %{_sharedstatedir}/dracut/overlay
%changelog
* Wed Feb 10 2021 Nicolas Ontiveros <niontive@microsoft.com> - 049-4
- Move 40-fips.conf to /etc/dracut.conf.d/
* Mon Feb 01 2021 Nicolas Ontiveros <niontive@microsoft.com> - 049-3
- Add dracut-fips package.
- Disable kernel crypto testing in dracut-fips.
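Review bot: The relocated `%{_sysconfdir}/dracut.conf.d/40-fips.conf` is listed in `%files fips` as a plain file, while the neighbouring `system-fips` is `%config(missingok)`; now that it lives under /etc, an administrator's edit to it will be silently overwritten by rpm on the next upgrade. Mark it `%config(noreplace) %{_sysconfdir}/dracut.conf.d/40-fips.conf`. The new vnstat spec has the same gap with `%{_sysconfdir}/vnstat.conf`.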


@ -1,7 +1,7 @@
Summary: Linux API header files
Name: kernel-headers
Version: 5.4.91
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -34,6 +34,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
%{_includedir}/*
%changelog
* Tue Feb 09 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-4
- Update to kernel release 5.4.91-4
* Thu Jan 28 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-3
- Update to kernel release 5.4.91-3


@ -1,6 +1,7 @@
{
"Signatures": {
"config": "6d7b6c2962f5dbcde6fa38e09150ae50c457d536c297201d9043ed619c648c3a",
"linux-msft-5.4.91.tar.gz": "5f36254d8e78d0a17b7103df4a37d706b6f24a7cc343c938a8b6453e4137c97c"
"linux-msft-5.4.91.tar.gz": "5f36254d8e78d0a17b7103df4a37d706b6f24a7cc343c938a8b6453e4137c97c",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
}
}


@ -1,9 +1,10 @@
%global security_hardening none
%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
%define uname_r %{version}-%{release}
Summary: Linux Kernel optimized for Hyper-V
Name: kernel-hyperv
Version: 5.4.91
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -11,15 +12,17 @@ Group: System Environment/Kernel
URL: https://github.com/microsoft/WSL2-Linux-Kernel
Source0: https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-%{version}.tar.gz
Source1: config
Source2: sha512hmac-openssl.sh
BuildRequires: audit-devel
BuildRequires: bash
BuildRequires: bc
BuildRequires: diffutils
BuildRequires: glib-devel
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: libdnet-devel
BuildRequires: libkcapi-hmaccalc
BuildRequires: libmspack-devel
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: procps-ng-devel
@ -167,7 +170,7 @@ EOF
chmod 600 %{buildroot}/boot/linux-%{uname_r}.cfg
# hmac sign the kernel for FIPS
sha512hmac %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac
%{sha512hmac} %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac
cp %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac %{buildroot}/lib/modules/%{uname_r}/.vmlinuz.hmac
# Register myself to initramfs
@ -269,6 +272,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_libdir}/perf/include/bpf/*
%changelog
* Tue Feb 09 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-3
- Use OpenSSL to perform HMAC calc
* Thu Jan 28 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-2
- Add configs for userspace crypto support
- HMAC calc the kernel for FIPS


@ -0,0 +1,6 @@
#!/bin/bash
# Mocks sha512hmac using the openssl tool.
# Only for use during RPM build.
openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -) $1"
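Review bot: The pipeline on the last line cannot fail: if `openssl` exits non-zero (for example an unreadable input file), `cut` and `echo` still succeed, the script exits 0, and the `%{sha512hmac} … > .vmlinuz-%{uname_r}.hmac` step in kernel.spec and kernel-hyperv.spec writes a `.hmac` file containing only the path, so the build passes and the broken integrity value is presumably only noticed when a `fips=1` boot verifies it. Add `set -euo pipefail` after the shebang and split the command into `hmac=$(openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ')` followed by `echo "$hmac $1"`, so an openssl failure aborts the package build. The identical copy of this script added alongside kernel.spec needs the same change.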


@ -2,6 +2,7 @@
"Signatures": {
"config": "275d354e174577c3938803208e1eb0e13cf679ca109864583fc774e7b09e1a15",
"config_aarch64": "b2c6a2798a4378e8943e1f01f0111205f9e07b76968dbf0a6a3dba07b9772c17",
"linux-msft-5.4.91.tar.gz": "5f36254d8e78d0a17b7103df4a37d706b6f24a7cc343c938a8b6453e4137c97c"
"linux-msft-5.4.91.tar.gz": "5f36254d8e78d0a17b7103df4a37d706b6f24a7cc343c938a8b6453e4137c97c",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
}
}


@ -1,9 +1,10 @@
%global security_hardening none
%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
%define uname_r %{version}-%{release}
Summary: Linux Kernel
Name: kernel
Version: 5.4.91
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -12,6 +13,7 @@ URL: https://github.com/microsoft/WSL2-Linux-Kernel
Source0: https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-%{version}.tar.gz
Source1: config
Source2: config_aarch64
Source3: sha512hmac-openssl.sh
# Arm64 HyperV support required patch
Patch0: ver5_4_72_arm64_hyperv_support.patch
Patch1: efi-libstub-tpm-enable-tpm-eventlog-function-for-ARM.patch
@ -130,14 +132,15 @@ Patch1101: CVE-2020-29569.nopatch
Patch1102: CVE-2020-28374.nopatch
Patch1103: CVE-2020-36158.nopatch
BuildRequires: audit-devel
BuildRequires: bash
BuildRequires: bc
BuildRequires: diffutils
BuildRequires: glib-devel
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: libdnet-devel
BuildRequires: libkcapi-hmaccalc
BuildRequires: libmspack-devel
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: procps-ng-devel
@ -325,7 +328,7 @@ EOF
chmod 600 %{buildroot}/boot/linux-%{uname_r}.cfg
# hmac sign the kernel for FIPS
sha512hmac %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac
%{sha512hmac} %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac
cp %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac %{buildroot}/lib/modules/%{uname_r}/.vmlinuz.hmac
# Register myself to initramfs
@ -456,6 +459,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%endif
%changelog
* Tue Feb 09 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-4
- Use OpenSSL to perform HMAC calc
* Thu Jan 28 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.4.91-3
- Add configs for userspace crypto support
- HMAC calc the kernel for FIPS


@ -0,0 +1,6 @@
#!/bin/bash
# Mocks sha512hmac using the openssl tool.
# Only for use during RPM build.
openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -) $1"


@ -0,0 +1,5 @@
{
"Signatures": {
"libacvp-1.2.0.tar.gz": "92b5a0e30db2af62a8084b1523566b2ebba08282a48bfdb99871f45084677dc8"
}
}


@ -0,0 +1,61 @@
Summary: A library that implements the client-side of the ACVP protocol
Name: libacvp
Version: 1.2.0
Release: 1%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Libraries
URL: https://github.com/cisco/libacvp
# Source0: https://github.com/cisco/%%{name}/archive/v%%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gcc
BuildRequires: make
%description
A library that implements the client-side of the ACVP protocol.
%package app
Summary: Libacvp application for OpenSSL
Group: Applications/System
BuildRequires: openssl-devel
Requires: openssl-libs
%description app
This app provides the glue between the OpenSSL module under test
and the library itself.
%prep
%autosetup
%build
./configure \
--prefix=%{_prefix} \
--enable-offline \
CFLAGS="-pthread" \
LIBS="-ldl"
make clean
make CC=gcc
%install
make install DESTDIR=%{buildroot}
find %{buildroot} -type f -name "*.la" -delete -print
%clean
rm -rf %{buildroot}/*
%files
%license LICENSE
%{_datadir}/README.md
%{_libdir}/libacvp.a
%{_includedir}/acvp/*
%files app
%{_bindir}/acvp_app
%changelog
* Mon Feb 08 2021 Nicolas Ontiveros <niontive@microsoft.com> - 1.2.0-1
- Original version for CBL-Mariner. License verified.


@ -0,0 +1,5 @@
{
"Signatures": {
"confuse-3.3.tar.gz": "3a59ded20bc652eaa8e6261ab46f7e483bc13dad79263c15af42ecbb329707b8"
}
}


@ -0,0 +1,61 @@
Summary: Configuration file parser library
Name: libconfuse
Version: 3.3
Release: 1%{?dist}
License: ISC
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Libraries
URL: https://github.com/libconfuse/libconfuse
Source0: https://github.com/libconfuse/libconfuse/releases/download/v%{version}/confuse-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: make
%description
libConfuse is a configuration file parser library written in C.
It supports sections and (lists of) values, as well as other features
such as single/double quoted strings, environment variable expansion,
functions and nested include statements. Values can be strings,
integers, floats, booleans, and sections.
%package devel
Summary: Development headers for libconfuse.
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
%{summary}
%prep
%autosetup -p1 -n confuse-%{version}
%build
%configure
%make_build
%install
%make_install
find %{buildroot} -type f -name "*.la" -delete -print
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%license LICENSE
%{_libdir}/*.so*
%files devel
%license LICENSE
%doc README.md
%exclude %{_libdir}/libconfuse.a
%exclude %{_datadir}/locale
%{_docdir}
%{_includedir}/
%{_libdir}/*.so
%{_libdir}/pkgconfig/libconfuse.pc
%changelog
* Mon Feb 08 2021 Henry Beberman <henry.beberman@microsoft.com> 3.3-1
- Add libconfuse spec
- License verified
- Original version for CBL-Mariner
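Review bot: `%{_docdir}` in `%files devel` claims the whole of /usr/share/doc rather than this package's own subdirectory, so libconfuse-devel takes ownership of every package's documentation directory and will collide with other packages that own it, while `%doc README.md` on the line above already installs the package's documentation. Narrow it to the subdirectory the build actually installs under `%{_docdir}`, or drop the line if `%doc` covers everything. The new libmaxminddb-devel spec has the analogous bare `%{_mandir}` entry, which should become `%{_mandir}/man*/*`.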


@ -0,0 +1,5 @@
{
"Signatures": {
"libmaxminddb-1.5.0.tar.gz": "7c56e791ff2a655215e7ed3864b1ffdd7d34a38835779efed56a42f056bd58aa"
}
}


@ -0,0 +1,60 @@
Summary: C library for reading MaxMind DB files
Name: libmaxminddb
Version: 1.5.0
Release: 1%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Libraries
URL: https://github.com/maxmind/libmaxminddb
Source0: https://github.com/maxmind/libmaxminddb/releases/download/%{version}/%{name}-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: make
%description
The libmaxminddb library provides a C library for reading MaxMind DB files,
including the GeoIP2 databases from MaxMind. This is a custom binary format
designed to facilitate fast lookups of IP addresses while allowing for great
flexibility in the type of data associated with an address.
%package devel
Summary: Development headers for libmaxminddb.
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
%{summary}
%prep
%autosetup -p1
%build
%configure
%make_build
%install
%make_install
find %{buildroot} -type f -name "*.la" -delete -print
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%license LICENSE
%{_bindir}/mmdblookup
%{_libdir}/*.so*
%files devel
%license LICENSE
%doc README.md
%exclude %{_libdir}/libmaxminddb.a
%{_mandir}
%{_includedir}/
%{_libdir}/*.so
%{_libdir}/pkgconfig/libmaxminddb.pc
%changelog
* Fri Feb 05 2021 Henry Beberman <henry.beberman@microsoft.com> 1.5.0-1
- Add libmaxminddb spec
- License verified
- Original version for CBL-Mariner


@ -1,7 +1,7 @@
Summary: A collection of modular and reusable compiler and toolchain technologies.
Name: llvm
Version: 8.0.1
Release: 4%{?dist}
Release: 5%{?dist}
License: NCSA
URL: https://llvm.org/
Source0: https://github.com/llvm/llvm-project/releases/download/llvmorg-%{version}/%{name}-%{version}.src.tar.xz
@ -52,6 +52,7 @@ cmake -G Ninja \
-DLLVM_BUILD_TESTS=ON \
-DLLVM_TARGETS_TO_BUILD="host;AMDGPU;BPF" \
-DLLVM_INCLUDE_GO_TESTS=No \
-DLLVM_ENABLE_RTTI=ON \
-Wno-dev ..
%ninja_build LLVM
@ -93,6 +94,8 @@ rm -rf %{buildroot}/*
%{_includedir}/*
%changelog
* Wed Feb 03 2021 Henry Beberman <henry.beberman@microsoft.com> - 8.0.1-5
- Enable RTTI (runtime type information) so other packages can depend on it.
* Thu Dec 17 2020 Andrew Phelps <anphel@microsoft.com> - 8.0.1-4
- Enable tests in build and run test with ninja.
* Fri Jun 12 2020 Henry Beberman <henry.beberman@microsoft.com> - 8.0.1-3


@ -0,0 +1,6 @@
{
"Signatures": {
"nDPI-3.4.tar.gz": "dc9b291c7fde94edb45fb0f222e0d93c93f8d6d37f4efba20ebd9c655bfcedf9",
"ntopng-4.2.tar.gz": "c7ce8d0c7b4251aef276038ec3324530312fe232d38d7ad99de21575dc888e8b"
}
}

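--- a/SPECS/ntopng/ntopng.spec
+++ b/SPECS/ntopng/ntopng.spec
@@ -0,0 +1,65 @@
+%global nDPIver 3.4
+Summary: Web-based Network Traffic Monitoring Application
+Name: ntopng
+Version: 4.2
+Release: 1%{?dist}
+License: GPLv3
+Vendor: Microsoft Corporation
+Distribution: Mariner
+Group: Applications/System
+URL: https://www.ntop.org/
+Source0: https://github.com/ntop/ntopng/archive/%{name}-%{version}.tar.gz
+Source1: https://github.com/ntop/nDPI/archive/nDPI-%{nDPIver}.tar.gz
+BuildRequires: curl-devel
+BuildRequires: gcc
+BuildRequires: glib-devel
+BuildRequires: groff
+BuildRequires: json-c-devel
+BuildRequires: libmaxminddb-devel
+BuildRequires: libpcap-devel
+BuildRequires: libxml2-devel
+BuildRequires: make
+BuildRequires: mysql-devel
+BuildRequires: readline-devel
+BuildRequires: sqlite-devel
+BuildRequires: zeromq-devel
+Requires: curl
+Requires: glib
+Requires: json-c
+Requires: libmaxminddb
+Requires: libpcap
+Requires: libxml2
+Requires: mysql
+Requires: sqlite
+Requires: zeromq
+%description
+ntopng® is a web-based network traffic monitoring application released
+under GPLv3. It is the new incarnation of the original ntop written in
+1998, and now revamped in terms of performance, usability, and features.
+%prep
+tar -xf %{SOURCE1}
+mv nDPI-%{nDPIver} nDPI
+%autosetup -p1 -b 0
+%build
+./autogen.sh
+%configure
+%make_build
+%install
+%make_install
+%files
+%license LICENSE COPYING
+%doc README.md
+%{_bindir}/ntopng
+%{_prefix}/man/man8/*
+%{_datadir}/ntopng/*
+%changelog
+* Fri Feb 05 2021 Henry Beberman <henry.beberman@microsoft.com> 4.2-1
+- Add ntopng spec
+- License verified
+- Original version for CBL-Mariner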


@ -1,5 +1,5 @@
{
"Signatures": {
"pigz-2.5.tar.gz": "a006645702caaecace633a89eb5c371482b44a48d04f34e0058e2b85d75d4c36"
"pigz-2.6.tar.gz": "577673676cd5c7219f94b236075451220bae3e1ca451cf849947a2998fbf5820"
}
}


@ -1,13 +1,13 @@
Summary: Parallel Implementation of GZIP
Name: pigz
Version: 2.5
Version: 2.6
Release: 1%{?dist}
License: zlib
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/System
URL: https://www.zlib.net/pigz
Source0: https://www.zlib.net/%{name}/%{name}-%{version}.tar.gz
Source0: https://github.com/madler/pigz/archive/%{name}-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: make
BuildRequires: zlib-devel
@ -37,6 +37,9 @@ install -p -m 755 unpigz %{buildroot}%{_bindir}/
%{_bindir}/unpigz
%changelog
* Tue Feb 09 2021 Henry Beberman <henry.beberman@microsoft.com> 2.6-1
- Update pigz to 2.6
- Change source url to GitHub.
* Tue Feb 02 2021 Henry Beberman <henry.beberman@microsoft.com> 2.5-1
- Add pigz spec
- License verified


@ -0,0 +1,64 @@
From: P J P
Subject: [PATCH v1] sd: sdhci: assert data_count is within fifo_buffer
Date: Thu, 3 Sep 2020 12:38:42 +0530
From: Prasad J Pandit <pjp@fedoraproject.org>
While doing multi block SDMA, transfer block size may exceed
the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
current element pointer 's->data_count' pointing out of bounds.
Leading the subsequent DMA r/w operation to OOB access issue.
Assert that 's->data_count' is within fifo_buffer.
-> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
==1459837==ERROR: AddressSanitizer: heap-buffer-overflow
WRITE of size 54722048 at 0x61500001e280 thread T3
#0 __interceptor_memcpy (/lib64/libasan.so.6+0x3a71d)
#1 flatview_read_continue ../exec.c:3245
#2 flatview_read ../exec.c:3278
#3 address_space_read_full ../exec.c:3291
#4 address_space_rw ../exec.c:3319
#5 dma_memory_rw_relaxed ../include/sysemu/dma.h:87
#6 dma_memory_rw ../include/sysemu/dma.h:110
#7 dma_memory_read ../include/sysemu/dma.h:116
#8 sdhci_sdma_transfer_multi_blocks ../hw/sd/sdhci.c:629
#9 sdhci_write ../hw/sd/sdhci.c:1097
#10 memory_region_write_accessor ../softmmu/memory.c:483
...
Reported-by: Ruhr-University <bugs-syssec@rub.de>
Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/sd/sdhci.c | 2 ++
1 file changed, 2 insertions(+)
Update v1: use assert(3) calls
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00966.html
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 1785d7e1f7..023acbed41 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -604,6 +604,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
s->blkcnt--;
}
}
+ assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
dma_memory_write(s->dma_as, s->sdmasysad,
&s->fifo_buffer[begin], s->data_count - begin);
s->sdmasysad += s->data_count - begin;
@@ -626,6 +627,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
s->data_count = block_size;
boundary_count -= block_size - begin;
}
+ assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
dma_memory_read(s->dma_as, s->sdmasysad,
&s->fifo_buffer[begin], s->data_count - begin);
s->sdmasysad += s->data_count - begin;
--
2.26.2


@ -1,7 +1,7 @@
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 4.2.0
Release: 24%{?dist}
Release: 25%{?dist}
License: GPLv2 AND GPLv2+ AND CC-BY AND BSD
Vendor: Microsoft Corporation
Distribution: Mariner
@ -44,6 +44,7 @@ Patch25: CVE-2020-12829.nopatch
Patch26: CVE-2018-12617.patch
Patch27: CVE-2020-25723.patch
Patch28: CVE-2020-27821.patch
Patch29: CVE-2020-17380.patch
BuildRequires: alsa-lib-devel
BuildRequires: glib-devel
BuildRequires: pixman-devel
@ -97,6 +98,7 @@ This package provides a command line tool for manipulating disk images.
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%build
@ -157,6 +159,9 @@ chmod 755 %{buildroot}%{_bindir}/qemu
%{_bindir}/qemu-nbd
%changelog
* Mon Feb 08 2021 Rachel Menge <rachelmenge@microsoft.com> - 4.2.0-25
- Update CVE-2020-17380
* Wed Jan 13 2021 Henry Li <niontive@microsoft.com> - 4.2.0-24
- Update CVE-2020-15469
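Review bot: The changelog entry `Update CVE-2020-17380` does not say what the new Patch29 does, and the patch file added earlier in this commit is the v1 list posting (its own header reads `Update v1: use assert(3) calls`) rather than a merged upstream commit: both added lines abort QEMU with `assert()` on a length that, per the patch description, the guest drives through the SDHCI transfer block size, so the change turns a heap overflow into a guest-triggerable crash of the VM process. That is a defensible hardening trade, but it should be stated so operators understand the failure mode, e.g. `- Add CVE-2020-17380.patch: abort on out-of-bounds SDMA transfer length in sdhci (guest-triggerable crash instead of heap overflow)`, and the upstream resolution is worth tracking for a follow-up.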


@ -0,0 +1,5 @@
{
"Signatures": {
"vnstat-2.6.tar.gz": "0e739311e005a7ab51de11156b9926446452486e606f20f8d320d967ec6d1c90"
}
}

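--- a/SPECS/vnstat/vnstat.spec
+++ b/SPECS/vnstat/vnstat.spec
@@ -0,0 +1,52 @@
+Summary: Console-based network traffic monitor
+Name: vnstat
+Version: 2.6
+Release: 1%{?dist}
+License: GPLv2
+Vendor: Microsoft Corporation
+Distribution: Mariner
+Group: Applications/System
+URL: https://humdi.net/vnstat/
+Source0: https://github.com/vergoh/vnstat/archive/%{name}-%{version}.tar.gz
+BuildRequires: gcc
+BuildRequires: make
+BuildRequires: systemd
+%description
+vnStat is a console-based network traffic monitor that uses the network
+interface statistics provided by the kernel as information source. This
+means that vnStat wont actually be sniffing any traffic and also ensures
+light use of system resources regardless of network traffic rate.
+%prep
+%autosetup -p1
+%build
+%configure
+%make_build
+%install
+mkdir -p %{buildroot}%{_unitdir}/
+%make_install
+%{__install} -p -m 644 examples/systemd/vnstat.service %{buildroot}%{_unitdir}/
+%post
+%systemd_post vnstat.service
+%preun
+%systemd_preun vnstat.service
+%files
+%license COPYING
+%doc README
+%{_unitdir}/vnstat.service
+%{_sysconfdir}/vnstat.conf
+%{_bindir}/vnstat
+%{_sbindir}/vnstatd
+%{_mandir}/*
+%changelog
+* Fri Feb 05 2021 Henry Beberman <henry.beberman@microsoft.com> 2.6-1
+- Add vnstat spec
+- License verified
+- Original version for CBL-Mariner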
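Review bot: The unit scriptlets are incomplete: `%post` runs `%systemd_post` and `%preun` runs `%systemd_preun`, but there is no `%postun`, so on upgrade the running vnstatd is neither restarted nor is a daemon-reload issued for the replaced unit file. Add `%postun` with `%systemd_postun_with_restart vnstat.service`, and since the scriptlets invoke systemctl, declare `Requires(post): systemd`, `Requires(preun): systemd` and `Requires(postun): systemd` next to the existing `BuildRequires: systemd`.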


@ -360,6 +360,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "bmon",
"version": "4.0",
"downloadUrl": "https://github.com/tgraf/bmon/archive/v4.0.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -380,6 +390,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "bpftrace",
"version": "0.11.4",
"downloadUrl": "https://github.com/iovisor/bpftrace/archive/v0.11.4.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -2190,6 +2210,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "libacvp",
"version": "1.2.0",
"downloadUrl": "https://github.com/cisco/libacvp/archive/v1.2.0.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -2310,6 +2340,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "libconfuse",
"version": "3.3",
"downloadUrl": "https://github.com/libconfuse/libconfuse/releases/download/v3.3/confuse-3.3.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -2520,6 +2560,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "libmaxminddb",
"version": "1.5.0",
"downloadUrl": "https://github.com/maxmind/libmaxminddb/releases/download/1.5.0/libmaxminddb-1.5.0.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -3490,6 +3540,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "nDPI",
"version": "3.4",
"downloadUrl": "https://github.com/ntop/nDPI/archive/3.4.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -3650,6 +3710,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "ntopng",
"version": "4.2",
"downloadUrl": "https://github.com/ntop/ntopng/archive/4.2.tar.gz"
}
}
},
{
"component": {
"type": "other",
@ -4225,8 +4295,8 @@
"type": "other",
"other": {
"name": "pigz",
"version": "2.5",
"downloadUrl": "https://www.zlib.net/pigz/pigz-2.5.tar.gz"
"version": "2.6",
"downloadUrl": "https://github.com/madler/pigz/archive/v2.6.tar.gz"
}
}
},
@ -6860,6 +6930,16 @@
}
}
},
{
"component": {
"type": "other",
"other": {
"name": "vnstat",
"version": "2.6",
"downloadUrl": "https://github.com/vergoh/vnstat/archive/v2.6.tar.gz"
}
}
},
{
"component": {
"type": "other",


@ -0,0 +1,60 @@
{
"Disks": [
{
"PartitionTableType": "gpt",
"MaxSize": 2048,
"Artifacts": [
{
"Name": "core",
"Type": "vhd"
}
],
"Partitions": [
{
"ID": "boot",
"Flags": [
"grub"
],
"Start": 1,
"End": 9,
"FsType": "fat32"
},
{
"ID": "rootfs",
"Start": 9,
"End": 0,
"FsType": "ext4"
}
]
}
],
"SystemConfigs": [
{
"Name": "Standard",
"BootType": "legacy",
"PartitionSettings": [
{
"ID": "boot",
"MountPoint": ""
},
{
"ID": "rootfs",
"MountPoint": "/"
}
],
"PackageLists": [
"packagelists/hyperv-packages.json",
"packagelists/fips-packages.json",
"packagelists/core-packages-image.json",
"packagelists/cloud-init-packages.json"
],
"KernelOptions": {
"default": "kernel"
},
"KernelCommandLine": {
"ExtraCommandLine": "fips=1"
},
"Hostname": "cbl-mariner"
}
]
}


@ -0,0 +1,6 @@
{
"packages": [
"dracut-fips"
],
"_comment": "Put dracut-fips before initramfs package to prevent extra initramfs generation"
}


@ -1,5 +1,5 @@
filesystem-1.1-7.cm1.aarch64.rpm
kernel-headers-5.4.91-3.cm1.noarch.rpm
kernel-headers-5.4.91-4.cm1.noarch.rpm
glibc-2.28-17.cm1.aarch64.rpm
glibc-devel-2.28-17.cm1.aarch64.rpm
glibc-i18n-2.28-17.cm1.aarch64.rpm


@ -1,5 +1,5 @@
filesystem-1.1-7.cm1.x86_64.rpm
kernel-headers-5.4.91-3.cm1.noarch.rpm
kernel-headers-5.4.91-4.cm1.noarch.rpm
glibc-2.28-17.cm1.x86_64.rpm
glibc-devel-2.28-17.cm1.x86_64.rpm
glibc-i18n-2.28-17.cm1.x86_64.rpm


@ -145,7 +145,7 @@ json-c-debuginfo-0.14-3.cm1.aarch64.rpm
json-c-devel-0.14-3.cm1.aarch64.rpm
kbd-2.0.4-5.cm1.aarch64.rpm
kbd-debuginfo-2.0.4-5.cm1.aarch64.rpm
kernel-headers-5.4.91-3.cm1.noarch.rpm
kernel-headers-5.4.91-4.cm1.noarch.rpm
kmod-25-4.cm1.aarch64.rpm
kmod-debuginfo-25-4.cm1.aarch64.rpm
kmod-devel-25-4.cm1.aarch64.rpm


@ -145,7 +145,7 @@ json-c-debuginfo-0.14-3.cm1.x86_64.rpm
json-c-devel-0.14-3.cm1.x86_64.rpm
kbd-2.0.4-5.cm1.x86_64.rpm
kbd-debuginfo-2.0.4-5.cm1.x86_64.rpm
kernel-headers-5.4.91-3.cm1.noarch.rpm
kernel-headers-5.4.91-4.cm1.noarch.rpm
kmod-25-4.cm1.x86_64.rpm
kmod-debuginfo-25-4.cm1.x86_64.rpm
kmod-devel-25-4.cm1.x86_64.rpm


@ -222,15 +222,15 @@ echo "+++ import container image $DISTROLESS_IMAGE_FULL_NAME"
cat $DISTROLESS_IMAGE_TARBALL | docker import - $DISTROLESS_IMAGE_FULL_NAME
cd $RPMS_FOLDER
DISTROLESS_COMPONENTS="kube-apiserver kube-controller-manager kube-scheduler pause"
BASE_ONLY_COMPONENTS="kube-proxy"
DISTROLESS_COMPONENTS="kubernetes-kube-apiserver kubernetes-kube-controller-manager kubernetes-kube-scheduler kubernetes-pause etcd coredns flannel"
BASE_ONLY_COMPONENTS="kubernetes-kube-proxy"
# create container based on cbl-mariner base
echo "======================================================================"
KUBERNETES_COMPONENTS="$DISTROLESS_COMPONENTS $BASE_ONLY_COMPONENTS"
echo "+++ create containers based on $BASE_IMAGE_FULL_NAME for $KUBERNETES_COMPONENTS"
for KUBERNETES_COMPONENT in $KUBERNETES_COMPONENTS ; do
for KUBERNETES_COMPONENT_RPM in $(find -name "kubernetes-$KUBERNETES_COMPONENT-*") ; do
for KUBERNETES_COMPONENT_RPM in $(find -name "$KUBERNETES_COMPONENT-[0-9]*") ; do
create_container_image_base $KUBERNETES_COMPONENT $KUBERNETES_COMPONENT_RPM
done
done
@ -242,7 +242,7 @@ echo "======================================================================"
KUBERNETES_COMPONENTS="$DISTROLESS_COMPONENTS"
echo "+++ create containers based on $DISTROLESS_IMAGE_FULL_NAME for $KUBERNETES_COMPONENTS"
for KUBERNETES_COMPONENT in $KUBERNETES_COMPONENTS ; do
for KUBERNETES_COMPONENT_RPM in $(find -name "kubernetes-$KUBERNETES_COMPONENT-*") ; do
for KUBERNETES_COMPONENT_RPM in $(find -name "$KUBERNETES_COMPONENT-[0-9]*") ; do
create_container_image_distroless $KUBERNETES_COMPONENT $KUBERNETES_COMPONENT_RPM
done
done
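Review bot: The `for KUBERNETES_COMPONENT_RPM in $(find -name "$KUBERNETES_COMPONENT-[0-9]*")` loops in both hunks run zero iterations when nothing matches, so a component newly listed in DISTROLESS_COMPONENTS (etcd, coredns, flannel) whose RPM is missing from $RPMS_FOLDER yields no image and no error, and the build continues as if it succeeded. Capturing the lookup and failing on an empty result makes that visible: `rpms=$(find . -name "$KUBERNETES_COMPONENT-[0-9]*")`, `[[ -n "$rpms" ]] || { echo "no RPM found for $KUBERNETES_COMPONENT" >&2; exit 1; }`, then `for KUBERNETES_COMPONENT_RPM in $rpms ; do`. Passing `.` explicitly also removes the reliance on GNU find's implicit starting path. The same change applies to the second hunk; the script's surrounding definitions start outside these hunks.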


@ -9,6 +9,7 @@ import (
"fmt"
"os"
"path/filepath"
"strings"
"gopkg.in/alecthomas/kingpin.v2"
"microsoft.com/pkggen/imagegen/configuration"
@ -71,6 +72,8 @@ func validatePackages(config configuration.Config) (err error) {
validateError = "failed to validate package lists in config"
verityPkgName = "verity-read-only-root"
verityDebugPkgName = "verity-read-only-root-debug-tools"
dracutFipsPkgName = "dracut-fips"
fipsKernelCmdLine = "fips=1"
)
for _, systemConfig := range config.SystemConfigs {
packageList, err := installutils.PackageNamesFromSingleSystemConfig(systemConfig)
@ -79,6 +82,8 @@ func validatePackages(config configuration.Config) (err error) {
}
foundVerityInitramfsPackage := false
foundVerityInitramfsDebugPackage := false
foundDracutFipsPackage := false
kernelCmdLineString := systemConfig.KernelCommandLine.ExtraCommandLine
for _, pkg := range packageList {
if pkg == "kernel" {
return fmt.Errorf("%s: kernel should not be included in a package list, add via config file's [KernelOptions] entry", validateError)
@ -89,6 +94,9 @@ func validatePackages(config configuration.Config) (err error) {
if pkg == verityDebugPkgName {
foundVerityInitramfsDebugPackage = true
}
if pkg == dracutFipsPkgName {
foundDracutFipsPackage = true
}
}
if systemConfig.ReadOnlyVerityRoot.Enable {
if !foundVerityInitramfsPackage {
@ -98,6 +106,11 @@ func validatePackages(config configuration.Config) (err error) {
return fmt.Errorf("%s: [ReadOnlyVerityRoot] and [TmpfsOverlayDebugEnabled] selected, but '%s' package is not included in the package lists", validateError, verityDebugPkgName)
}
}
if strings.Contains(kernelCmdLineString, fipsKernelCmdLine) {
if !foundDracutFipsPackage {
return fmt.Errorf("%s: 'fips=1' provided on kernel cmdline, but '%s' package is not included in the package lists", validateError, dracutFipsPkgName)
}
}
}
return
}
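Review bot: The new error at the end of the last hunk hard-codes `'fips=1'` in the format string while the neighbouring messages interpolate their constants (`verityDebugPkgName`), so the text and `fipsKernelCmdLine` can drift apart silently; `return fmt.Errorf("%s: '%s' provided on kernel cmdline, but '%s' package is not included in the package lists", validateError, fipsKernelCmdLine, dracutFipsPkgName)` produces the identical string, so the assertion in the accompanying test still holds. The two nested `if`s can also fold into one: `if strings.Contains(kernelCmdLineString, fipsKernelCmdLine) && !foundDracutFipsPackage {`. Note that `strings.Contains` also matches `fips=1` embedded in a longer token, which makes the check stricter than an exact-parameter match rather than looser; if that precision matters, compare each element of `strings.Fields(kernelCmdLineString)` for equality instead. validatePackages begins before the first hunk.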


@ -186,3 +186,41 @@ func TestShouldFailMissingVerityDebugPackageWithVerityDebug(t *testing.T) {
}
assert.Fail(t, "Could not find "+targetPackage+" to test")
}
func TestShouldFailMissingFipsPackageWithFipsCmdLine(t *testing.T) {
const (
configDirectory string = "../../imageconfigs/"
targetPackage = "core-fips.json"
fipsPackageListFile = "fips-packages.json"
)
configFiles, err := ioutil.ReadDir(configDirectory)
assert.NoError(t, err)
// Pick the core-fips config file, but remove the fips package list
for _, file := range configFiles {
if !file.IsDir() && strings.Contains(file.Name(), targetPackage) {
configPath := filepath.Join(configDirectory, file.Name())
fmt.Println("Corrupting ", configPath)
config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory)
assert.NoError(t, err)
newPackageList := []string{}
for _, pl := range config.SystemConfigs[0].PackageLists {
if !strings.Contains(pl, fipsPackageListFile) {
newPackageList = append(newPackageList, pl)
}
}
config.SystemConfigs[0].PackageLists = newPackageList
err = ValidateConfiguration(config)
assert.Error(t, err)
assert.Equal(t, "failed to validate package lists in config: 'fips=1' provided on kernel cmdline, but 'dracut-fips' package is not included in the package lists", err.Error())
return
}
}
assert.Fail(t, "Could not find "+targetPackage+" to test")
}
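Review bot: In the new TestShouldFailMissingFipsPackageWithFipsCmdLine, `assert.NoError(t, err)` after `configuration.LoadWithAbsolutePaths` does not stop the test, so a load failure continues into `config.SystemConfigs[0]` and surfaces as an index panic instead of the assertion message; `require.NoError(t, err)` (or `if !assert.NoError(t, err) { t.FailNow() }`) on that line, and on the `ioutil.ReadDir` result, keeps the failure readable. The file selection `strings.Contains(file.Name(), targetPackage)` also matches any name that embeds `core-fips.json`; `file.Name() == targetPackage` is what the constant's value suggests is intended. The body mirrors the preceding verity test closely enough that a shared helper taking the package-list file name and the expected message would remove the duplication, though only the tail of that earlier test is visible here.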