From 6e629fb1adb48940264c8b2851d6130a5aa5b186 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 15 Apr 2020 20:23:38 -0400 Subject: [PATCH 1/7] Increase Seccomp_test timeout --- cjdns.fuzz.patch | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/cjdns.fuzz.patch b/cjdns.fuzz.patch index 33b4ada..2cbbccf 100644 --- a/cjdns.fuzz.patch +++ b/cjdns.fuzz.patch @@ -1,7 +1,7 @@ diff -up ./test/Main_fuzz_test.c.fuzz ./test/Main_fuzz_test.c ---- ./test/Main_fuzz_test.c.fuzz 2019-05-08 19:31:34.995364838 -0400 -+++ ./test/Main_fuzz_test.c 2019-05-08 19:31:51.955608910 -0400 -@@ -59,8 +59,8 @@ static Iface_DEFUN incomingTun(struct Me +--- ./test/Main_fuzz_test.c.fuzz 2020-04-09 14:01:51.000000000 -0400 ++++ ./test/Main_fuzz_test.c 2020-04-14 17:17:24.101260879 -0400 +@@ -60,8 +60,8 @@ static Iface_DEFUN incomingTun(struct Me static void notLinkedYet(struct Context* ctx) { uint64_t now = Time_currentTimeMilliseconds(ctx->base); @@ -12,3 +12,24 @@ diff -up ./test/Main_fuzz_test.c.fuzz ./test/Main_fuzz_test.c } } +diff -up ./util/test/Seccomp_test.c.fuzz ./util/test/Seccomp_test.c +--- ./util/test/Seccomp_test.c.fuzz 2020-04-15 20:21:02.563170274 -0400 ++++ ./util/test/Seccomp_test.c 2020-04-15 20:21:22.893491368 -0400 +@@ -70,7 +70,7 @@ static int child(char* pipeName, struct + pipe->logger = logger; + pipe->userData = alloc; + +- Timeout_setTimeout(timeout, eb, 2000, eb, alloc); ++ Timeout_setTimeout(timeout, eb, 3000, eb, alloc); + EventBase_beginLoop(eb); + + return 0; +@@ -120,7 +120,7 @@ int main(int argc, char** argv) + + Assert_true(!Process_spawn(path, args, eb, alloc, NULL)); + +- Timeout_setTimeout(timeout, NULL, 2000, eb, alloc); ++ Timeout_setTimeout(timeout, NULL, 3000, eb, alloc); + + EventBase_beginLoop(eb); + return 0; From 609d8ee22761aacf842558e1637de85c415a3d2c Mon Sep 17 00:00:00 2001 
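Review bot: The limit passed to `Timeout_setTimeout` is a bare literal written twice, once in `child()` and once in `main()`, and patches 2/7 and 3/7 edit the same two numbers again. One named constant with the reason beside it would keep the two calls in step, e.g. `#define SECCOMP_TEST_TIMEOUT_MS 3000 /* sized for slow koji builders */` used at both call sites. Because this is the test that exercises the seccomp filter, the comment should make clear that the value only accommodates builder speed and is not part of the sandbox behaviour. Both functions continue outside the hunk.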
From: "Stuart D. Gathman" Date: Wed, 15 Apr 2020 20:32:13 -0400 Subject: [PATCH 2/7] Increase Seccomp_test timeout even more - armv7hl is slow --- cjdns.fuzz.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cjdns.fuzz.patch b/cjdns.fuzz.patch index 2cbbccf..4cc8694 100644 --- a/cjdns.fuzz.patch +++ b/cjdns.fuzz.patch @@ -20,7 +20,7 @@ diff -up ./util/test/Seccomp_test.c.fuzz ./util/test/Seccomp_test.c pipe->userData = alloc; - Timeout_setTimeout(timeout, eb, 2000, eb, alloc); -+ Timeout_setTimeout(timeout, eb, 3000, eb, alloc); ++ Timeout_setTimeout(timeout, eb, 4000, eb, alloc); EventBase_beginLoop(eb); return 0; @@ -29,7 +29,7 @@ diff -up ./util/test/Seccomp_test.c.fuzz ./util/test/Seccomp_test.c Assert_true(!Process_spawn(path, args, eb, alloc, NULL)); - Timeout_setTimeout(timeout, NULL, 2000, eb, alloc); -+ Timeout_setTimeout(timeout, NULL, 3000, eb, alloc); ++ Timeout_setTimeout(timeout, NULL, 4000, eb, alloc); EventBase_beginLoop(eb); return 0; From ef43061a9fb2349ded4946e7ecd60a8a6540dccf Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 15 Apr 2020 23:14:25 -0400 Subject: [PATCH 3/7] Give up on armv7hl for now --- cjdns.fuzz.patch | 21 ++++++++++++++++----- cjdns.spec | 2 ++ 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/cjdns.fuzz.patch b/cjdns.fuzz.patch index 4cc8694..d071a7c 100644 --- a/cjdns.fuzz.patch +++ b/cjdns.fuzz.patch 
@@ -14,22 +14,33 @@ diff -up ./test/Main_fuzz_test.c.fuzz ./test/Main_fuzz_test.c diff -up ./util/test/Seccomp_test.c.fuzz ./util/test/Seccomp_test.c --- ./util/test/Seccomp_test.c.fuzz 2020-04-15 20:21:02.563170274 -0400 -+++ ./util/test/Seccomp_test.c 2020-04-15 20:21:22.893491368 -0400 -@@ -70,7 +70,7 @@ static int child(char* pipeName, struct ++++ ./util/test/Seccomp_test.c 2020-04-15 22:32:21.633653339 -0400 +@@ -61,6 +61,10 @@ static void timeout(void* vNULL) + { + Assert_true(!"timed out"); + } ++static void timeout2(void* vNULL) ++{ ++ Assert_true(!"time out 2"); ++} + + static int child(char* pipeName, struct Allocator* alloc, struct Log* logger) + { +@@ -70,7 +74,7 @@ static int child(char* pipeName, struct pipe->logger = logger; pipe->userData = alloc; - Timeout_setTimeout(timeout, eb, 2000, eb, alloc); -+ Timeout_setTimeout(timeout, eb, 4000, eb, alloc); ++ Timeout_setTimeout(timeout, eb, 8000, eb, alloc); EventBase_beginLoop(eb); return 0; -@@ -120,7 +120,7 @@ int main(int argc, char** argv) +@@ -120,7 +124,7 @@ int main(int argc, char** argv) Assert_true(!Process_spawn(path, args, eb, alloc, NULL)); - Timeout_setTimeout(timeout, NULL, 2000, eb, alloc); -+ Timeout_setTimeout(timeout, NULL, 4000, eb, alloc); ++ Timeout_setTimeout(timeout2, NULL, 160000, eb, alloc); EventBase_beginLoop(eb); return 0; diff --git a/cjdns.spec b/cjdns.spec index cacbc91..33bceb7 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -192,6 +192,8 @@ Provides: bundled(nacl) = 20110221 %endif # build system requires nodejs, unfortunately ExclusiveArch: %{nodejs_arches} +# Seccomp_test is too slow on koji for this arch +ExcludeArch: armv7hl %description Cjdns implements an encrypted IPv6 network using public-key cryptography for From 4e0e75897d16a12bb04a5bb23f820299aea0b1da Mon Sep 17 00:00:00 2001 
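Review bot: The parent's new limit in `Timeout_setTimeout(timeout2, NULL, 160000, eb, alloc);` is 160 seconds, twenty times the child's 8000 ms, and the jump from 4000 looks as if it could be a slip for 16000. If the long wait is intended, a hung sandbox test now holds the build for almost three minutes before it fails, so the reason belongs in a comment on that line. The message in `timeout2` could also say which side fired, e.g. `Assert_true(!"parent timed out waiting for child");` instead of `"time out 2"`. Both `child()` and `main()` continue outside the hunk.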
From: "Stuart D. Gathman" Date: Wed, 29 Apr 2020 21:07:12 -0400 Subject: [PATCH 4/7] Disable SECCOMP for armv7hl instead of using ExcludeArch --- cjdns.spec | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/cjdns.spec b/cjdns.spec index 33bceb7..df24d8f 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -14,7 +14,11 @@ %bcond_with libsodium # Option to disable SECCOMP: confusing backward logic # Needed to run on openvz and other container systems +%ifarch armv7hl +%bcond_with seccomp +%else %bcond_without seccomp +%endif # Option to use system libuv instead of bundled libuv-0.11.19 %bcond_with libuv # When with_python3 is set, this replaces tools in bin and libexec @@ -81,7 +85,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 20.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The privacy-friendly network without borders # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC # cnacl is unused except when use_embedded is true @@ -193,7 +197,7 @@ Provides: bundled(nacl) = 20110221 # build system requires nodejs, unfortunately ExclusiveArch: %{nodejs_arches} # Seccomp_test is too slow on koji for this arch -ExcludeArch: armv7hl +#ExcludeArch: armv7hl %description Cjdns implements an encrypted IPv6 network using public-key cryptography for @@ -332,7 +336,7 @@ fi rm -rf node_build/dependencies/libuv %else rm -rf node_build/dependencies/libuv/build/gyp # use system gyp -%ifarch s390x +%ifarch armv7hl sed -i -e '/optimizeLevel:/ s/-O0/-O3/' node_build/make.js %else sed -i -e '/optimizeLevel:/ s/-O0/-O3/' node_build/make.js @@ -750,6 +754,9 @@ fi %{_bindir}/graphStats %changelog +* Wed Apr 29 2020 Stuart Gathman - 20.6-2 +- Disable SECCOMP by default for armv7hl instead of excluding arch + * Mon Mar 16 2020 Stuart Gathman - 20.6-1 - New upstream release From c4f54c8271b0ce8e7a8125922a2fe7c6d51a34b3 Mon Sep 17 00:00:00 2001 
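Review bot: Switching to `%bcond_with seccomp` under `%ifarch armv7hl` ships that architecture without the seccomp filter only because `Seccomp_test` is slow on the builders, so a build-time timing problem removes a runtime sandbox layer for every armv7hl user. The test and the feature can be separated: keep `%bcond_without seccomp` on all arches and skip or lengthen only the test on armv7hl. If the disable has to stay, say so above the bcond, e.g. `# armv7hl: seccomp off only because Seccomp_test times out on koji; re-enable when the test is fixed`. The stale `# Seccomp_test is too slow on koji for this arch` comment left above `#ExcludeArch: armv7hl` should be removed with it. How the spec consumes the bcond is outside these hunks.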
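Review bot: In the `@@ -332,7 +336,7 @@` hunk the condition changes from `%ifarch s390x` to `%ifarch armv7hl`, but both branches run the same `sed -i -e '/optimizeLevel:/ s/-O0/-O3/' node_build/make.js`, so the conditional has no effect as shown. If armv7hl was meant to get a different optimization level, the first branch needs a different substitution; otherwise the `%ifarch`/`%else`/`%endif` wrapper can be dropped and the single `sed` line kept. The closing `%endif` lines are outside the hunk.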
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Tue, 26 May 2020 02:42:37 +0200 Subject: [PATCH 5/7] Rebuilt for Python 3.9 --- cjdns.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index df24d8f..289a3db 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -85,7 +85,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 20.6 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The privacy-friendly network without borders # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC # cnacl is unused except when use_embedded is true @@ -754,6 +754,9 @@ fi %{_bindir}/graphStats %changelog +* Tue May 26 2020 Miro Hrončok - 20.6-3 +- Rebuilt for Python 3.9 + * Wed Apr 29 2020 Stuart Gathman - 20.6-2 - Disable SECCOMP by default for armv7hl instead of excluding arch From 03a96097be4c2d9fc5778bdb56d2a0875980612e Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Fri, 29 May 2020 16:15:56 -0400 Subject: [PATCH 6/7] Disable ronn patch --- cjdns.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cjdns.spec b/cjdns.spec index 289a3db..faeb372 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -157,7 +157,7 @@ Patch19: cjdns.fuzz.patch # patch to use /proc/sys/kernel/random/uuid instead of sysctl before 20.4 Patch20: cjdns.sysctl.patch # Patch ronn to stop using deprecated util.puts and util.debug -Patch21: cjdns.puts.patch +#Patch21: cjdns.puts.patch # gcc-10 no longer allows duplicate globals Patch22: cjdns.gcc10.patch @@ -400,7 +400,7 @@ rm node_build/dependencies/cnacl/node_build/plans/*_AVX_plan.json %if !%{use_marked} cp -r /usr/lib/node_modules/ronn node_modules -%patch21 -p1 -b .puts +#patch21 -p1 -b .puts ln -s node_modules/ronn/bin/ronn.js ronn %endif 
@@ -756,6 +756,7 @@ fi %changelog * Tue May 26 2020 Miro Hrončok - 20.6-3 - Rebuilt for Python 3.9 +- disable patch for nodejs-ronn, now included in Fedora * Wed Apr 29 2020 Stuart Gathman - 20.6-2 - Disable SECCOMP by default for armv7hl instead of excluding arch From e8d4b4b6351524143c571825fed158931343192c Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 1 Jul 2020 19:47:28 -0400 Subject: [PATCH 7/7] New upstream release --- .gitignore | 1 + cjdns.genconf.patch | 22 +++++++++++----------- cjdns.selinux.patch | 12 ++++++++---- cjdns.spec | 35 +++++++++++++++-------------------- sources | 1 + 5 files changed, 36 insertions(+), 35 deletions(-) diff --git a/.gitignore b/.gitignore index a0b72fa..71dd0db 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ /python-cjdns-0.1.tar.gz /cjdns-v20.5.tar.gz /cjdns-v20.6.tar.gz +/cjdns-v20.7.tar.gz diff --git a/cjdns.genconf.patch b/cjdns.genconf.patch index 940fd29..e30349d 100644 --- a/cjdns.genconf.patch +++ b/cjdns.genconf.patch 
@@ -1,16 +1,16 @@ diff -up ./client/cjdroute2.c.genconf ./client/cjdroute2.c ---- ./client/cjdroute2.c.genconf 2019-05-02 04:02:32.000000000 -0400 -+++ ./client/cjdroute2.c 2019-05-08 12:14:53.146838389 -0400 -@@ -336,7 +336,7 @@ static int genconf(struct Random* rand, - " // and ETHInterface will be unable to hot-add new interfaces\n" - " // Use { \"setuser\": 0 } to disable.\n" - " // Default: enabled with keepNetAdmin\n" -- " { \"setuser\": \"nobody\", \"keepNetAdmin\": 1 },\n" -+ " { \"setuser\": \"cjdns\", \"keepNetAdmin\": 1 },\n" - "\n" +--- ./client/cjdroute2.c.genconf 2020-06-23 08:37:44.000000000 -0400 ++++ ./client/cjdroute2.c 2020-07-01 13:48:09.041257042 -0400 +@@ -359,7 +359,7 @@ static int genconf(struct Allocator* all + if (Defined(android) || Defined(darwin)) { + printf(" { \"setuser\": 0 },\n"); + } else { +- printf(" { \"setuser\": \"nobody\", \"keepNetAdmin\": 1 },\n"); ++ printf(" { \"setuser\": \"cjdns\", \"keepNetAdmin\": 1 },\n"); + } + printf("\n" " // Chroot changes the filesystem root directory which cjdns sees, blocking it\n" - " // from accessing files outside of the chroot sandbox, if the user does not\n" -@@ -348,7 +348,7 @@ static int genconf(struct Random* rand, +@@ -372,7 +372,7 @@ static int genconf(struct Allocator* all } else { printf(" // Default: enabled (using \"/var/run\")\n" diff --git a/cjdns.selinux.patch b/cjdns.selinux.patch index b274924..8248b18 100644 --- a/cjdns.selinux.patch +++ b/cjdns.selinux.patch @@ -1,6 +1,6 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te ---- ./contrib/selinux/cjdns.te.selinux 2019-05-02 04:02:32.000000000 -0400 -+++ ./contrib/selinux/cjdns.te 2019-08-15 22:23:18.807845457 -0400 +--- ./contrib/selinux/cjdns.te.selinux 2020-06-23 08:37:44.000000000 -0400 ++++ ./contrib/selinux/cjdns.te 2020-07-01 19:34:24.473531348 -0400 @@ -7,8 +7,9 @@ require { type port_t; type unreserved_port_t; 
@@ -12,7 +12,7 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te } type cjdns_t; -@@ -17,24 +18,26 @@ init_daemon_domain(cjdns_t,cjdns_exec_t) +@@ -17,27 +18,29 @@ init_daemon_domain(cjdns_t,cjdns_exec_t) #============= cjdns_t ============== # Let master process run further restricted subprocess @@ -44,4 +44,8 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te - # management API allow cjdns_t self:unix_stream_socket connectto; - allow cjdns_t tmp_t:sock_file { write create unlink }; +-allow cjdns_t tmp_t:sock_file { write create unlink }; ++allow cjdns_t tmp_t:sock_file { write create unlink getattr }; + allow cjdns_t tmp_t:dir { write remove_name add_name }; + allow cjdns_t urandom_device_t:chr_file { read open }; + diff --git a/cjdns.spec b/cjdns.spec index faeb372..e735584 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -73,7 +73,7 @@ %global makeman marked-man %else %global use_marked 0 -%global makeman ../../ronn +%global makeman pandoc -s -tman %endif # FIXME: Needs dependencies and install www dir someplace reasonable. @@ -84,8 +84,8 @@ Name: cjdns # major version is cjdns protocol version: -Version: 20.6 -Release: 3%{?dist} +Version: 20.7 +Release: 1%{?dist} Summary: The privacy-friendly network without borders # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC # cnacl is unused except when use_embedded is true @@ -115,10 +115,6 @@ Patch1: cjdns.el6.patch # # https://lwn.net/Articles/451985/ # -# On the 2.6.32 kernel used by EL6, the above causes setuid() to fail. -# This patch sets RLIMIT_NPROC to { 1, 1 } instead, which prevents -# fork(), but not exec, and calls setgroups() before setuid(). -Patch2: cjdns.nprocs.patch # Change defaults generated by cjdroute --genconf Patch4: cjdns.genconf.patch # Patch contributed init scripts to put cjdroute in /usr/sbin and 
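Review bot: The added `getattr` in `allow cjdns_t tmp_t:sock_file { write create unlink getattr };` extends a rule that already targets the generic `tmp_t` label, so the daemon's access covers any socket file carrying that label rather than only its own management API socket; the neighbouring `allow cjdns_t tmp_t:dir { write remove_name add_name };` has the same breadth. A private file type for the socket, assigned through a type transition, would let these rules name only cjdns's own files. If that is out of scope for a version bump, a comment above the rule naming the socket path that needs `getattr` would help the next policy audit. The rest of the policy is outside this hunk.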
@@ -129,7 +125,7 @@ Patch6: cjdns.dyn.patch # Patch to use _LINUX_CAPABILITY_3 (cjdns < 18) #Patch7: cjdns.cap3.patch # Patch some source files to ignore selected warnings that break gcc6 builds -Patch8: cjdns.warnings.patch +#Patch8: cjdns.warnings.patch # Man pages Patch9: cjdns.man.patch # Patch some bugs in nodejs tools @@ -153,18 +149,16 @@ Patch12: cjdns.sign.patch #Patch17: cjdns.s390x.patch # patch build to use system libuv Patch18: cjdns.libuv.patch -Patch19: cjdns.fuzz.patch +#Patch19: cjdns.fuzz.patch # patch to use /proc/sys/kernel/random/uuid instead of sysctl before 20.4 Patch20: cjdns.sysctl.patch -# Patch ronn to stop using deprecated util.puts and util.debug -#Patch21: cjdns.puts.patch # gcc-10 no longer allows duplicate globals Patch22: cjdns.gcc10.patch %if %{use_marked} BuildRequires: nodejs, nodejs-marked, python3 %else -BuildRequires: nodejs, nodejs-ronn, python3 +BuildRequires: nodejs, pandoc, python3 %endif # Automated package review hates explicit BR on make, but it *is* needed @@ -288,7 +282,6 @@ Python peer graph tools for cjdns. %patch1 -b .el6 %endif -%patch2 -b .nprocs %patch4 -b .genconf %patch5 -b .sbin @@ -322,7 +315,7 @@ fi %endif %if !0%{?rhel} || 0%{?rhel} > 6 -%patch8 -b .warnings +#patch8 -b .warnings %endif %patch9 -b .man @@ -342,7 +335,7 @@ sed -i -e '/optimizeLevel:/ s/-O0/-O3/' node_build/make.js sed -i -e '/optimizeLevel:/ s/-O0/-O3/' node_build/make.js %endif %endif -%patch19 -p1 -b .fuzz +#patch19 -p1 -b .fuzz #patch20 -p1 -b .sysctl #patch22 -b .gcc10 @@ -399,9 +392,9 @@ rm node_build/dependencies/cnacl/node_build/plans/*_AVX_plan.json %endif %if !%{use_marked} -cp -r /usr/lib/node_modules/ronn node_modules -#patch21 -p1 -b .puts -ln -s node_modules/ronn/bin/ronn.js ronn +for i in contrib/doc/*.md; do + sed -i -e'1,1 s/^/% /' -e'1,1 s/--/|/' -e'2,2d' $i +done %endif # remove hidden files from node_modules/nthen 
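Review bot: `#Patch19: cjdns.fuzz.patch` and `#patch19 -p1 -b .fuzz` switch off the patch that carried the Seccomp_test timeout increases from earlier in this series, and neither the commit message nor the changelog entry says why; `#Patch8: cjdns.warnings.patch` is disabled the same way. The armv7hl seccomp bcond was justified by that test being slow, so the spec should record whether 20.7 makes the patch unnecessary or whether it simply no longer applies. Either delete the `Patch19`/`Patch8` lines together with the patch files, or add a comment giving the reason above each, e.g. `# <reason patch is disabled for 20.7>`.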
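Review bot: In the `@@ -399,9 +392,9 @@` hunk the loop passes `$i` to `sed` unquoted and rewrites every `contrib/doc/*.md` in place with no comment on what the three expressions are for. Quote the variable, `sed -i -e'1,1 s/^/% /' -e'1,1 s/--/|/' -e'2,2d' "$i"`, and add a line above the loop such as `# turn the ronn-style first line into a pandoc title block and drop the underline`, if that is indeed the intent. The enclosing `%if !%{use_marked}` block starts in the hunk and its section continues outside it.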
@@ -482,8 +475,6 @@ install -p publictoip6 privatetopublic mkpasswd makekeys randombytes sybilsim \ %{buildroot}%{_libexecdir}/cjdns rm -f node_modules/nthen/.npmignore cp -pr tools node_modules %{buildroot}%{_libexecdir}/cjdns -# but not local copy of ronn -rm -rf %{buildroot}%{_libexecdir}/cjdns/node_modules/ronn %if %{with_admin} rm -f contrib/nodejs/admin/.gitignore @@ -754,6 +745,10 @@ fi %{_bindir}/graphStats %changelog +* Wed Jul 1 2020 Stuart Gathman - 20.7-1 +- New upstream release +- Use pandoc for manpages + * Tue May 26 2020 Miro Hrončok - 20.6-3 - Rebuilt for Python 3.9 - disable patch for nodejs-ronn, now included in Fedora diff --git a/sources b/sources index a1f0a31..4773c62 100644 --- a/sources +++ b/sources @@ -2,3 +2,4 @@ SHA512 (cjdns-v20.4.tar.gz) = 5a6bd36b2edd07fa883efa4b14dd8a7ba0189bf43404e27ab6 SHA512 (python-cjdns-0.1.tar.gz) = f3b7c9afe6bc2f8b0b872cc7fbe9e997657ecf1cbb1f7e8e417099f1265541af919e965be2508a8613f3a2223020ac077473fe48c78f9553dda1a927364bb256 SHA512 (cjdns-v20.5.tar.gz) = 36ae20182b9e9601ae64630cb0fa96caccbe5279be48520ea8b457a15437da5c9b48a5ae5588bd76ef819efe696b5a582a906a50e4dbe7760bb96fa7d1d63ea3 SHA512 (cjdns-v20.6.tar.gz) = 34057583f2215899b96f95cc60ba0532aff12834ad2c4b432a6752c811f60ed3d6d33ec82e039b159f090558020faf69c71b373ac33ca9e41b186be0b87c3332 +SHA512 (cjdns-v20.7.tar.gz) = db103e70e3d9f5e4958dcbeed51df358450f9489b6573f9b9eddc1839ee2051fe5180eede894b465e92915fabcb4cb64ce08a41c06450f14de75943879633f25