-rw-r--r-- | kabi.attr | 2 | ||||
-rw-r--r-- | kabi.sh | 22 | ||||
-rw-r--r-- | kmod.attr | 54 | ||||
-rw-r--r-- | macros | 11 | ||||
-rw-r--r-- | macros.perl | 5 | ||||
-rw-r--r-- | openEuler-rpm-config.spec | 21 |
6 files changed, 110 insertions, 5 deletions
diff --git a/kabi.attr b/kabi.attr
new file mode 100644
index 0000000..5500b17
--- /dev/null
+++ b/kabi.attr
@@ -0,0 +1,2 @@
+%__kabi_provides %{_rpmconfigdir}/kabi.sh
+%__kabi_path ^(/boot/symvers-.*|/lib/modules/[1-9].*/symvers)\.(gz|xz)$
@@ -0,0 +1,22 @@
+#!/bin/bash +x
+#
+# kabi.sh - Automatically extract any kernel symbol checksum from the
+# symvers file and add to RPM deps. This is used to move the
+# checksum checking from modprobe to rpm install for 3rd party
+# modules (so they can fail during install and not at load).
+
+IFS=$'\n'
+
+for symvers in $(grep -E '(/boot/symvers-.*|/lib/modules/[1-9].*/symvers)\.(gz|xz)') "$@";
+do
+ cat_prog="cat"
+ case "$symvers" in
+ *.gz) cat_prog="zcat" ;;
+ *.xz) cat_prog="xzcat" ;;
+ esac
+
+ # We generate dependencies only for symbols exported by vmlinux itself
+ # and not for kmods here as they are spread across subpackages,
+ # so Provides: generation for kmods is handled by find-provides.ksyms.
+ "$cat_prog" "$symvers" | awk '/[^ ]* [^ ]* vmlinux .*/ { print "kernel(" $2 ") = " $1 }'
+done
diff --git a/kmod.attr b/kmod.attr
new file mode 100644
index 0000000..8c57d0b
--- /dev/null
+++ b/kmod.attr
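Review bot: In kabi.sh the `for symvers in $(grep -E …)` loop leaves the command substitution unquoted, so even with `IFS=$'\n'` each path is still subject to pathname expansion, and nothing checks whether `zcat`/`xzcat` succeeded. A truncated or corrupt symvers file would then yield an empty or partial `kernel(...)` Provides list without any error, which weakens the install-time checksum check that the header comment describes. Consider adding `set -f` and `set -o pipefail` next to `IFS=$'\n'` and exiting non-zero when the decompress-and-awk pipeline fails, so the problem is visible to whatever invokes the generator.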
@@ -0,0 +1,54 @@
+%__kmod_path ^/lib/modules/.*/(modules.builtin|.*\.ko|.*\.ko\.gz|.*\.ko\.bz2|.*\.ko\.xz|.*\.ko\.zst)$
+
+# Notes on Lua:
+# The backslash in strings (like "\n" newline) needs to be doubled
+# because we are inside rpm macro. Single backslashes before most chars
+# disappear (removed by rpm's parser), so "\n" turns into just "n".
+# In string.gsub patterns, unlike regexps, backslash has no special meaning.
+# It can't escape . and such. (Use one-character set [.] to represent
+# literal period, or lua's percent escape: %.)
+# Pipe (|) has no special meaning too.
+
+%__kmod_provides() %{lua:
+ function basename(fn)
+ local b = string.gsub(fn, ".*/", "")
+ -- the above adjusts gsub() result to 1 value
+ -- "return f()" construct would return _all_ values, two in case of gsub()
+ return b
+ end
+ function strip_compress_sfx(fn)
+ local cnt
+ fn, cnt = string.gsub(fn, "%.gz$", "")
+ if cnt == 1 then return fn; end
+ fn, cnt = string.gsub(fn, "%.bz2$", "")
+ if cnt == 1 then return fn; end
+ fn, cnt = string.gsub(fn, "%.xz$", "")
+ if cnt == 1 then return fn; end
+ fn, cnt = string.gsub(fn, "%.zst$", "")
+ return fn
+ end
+ function printdep(mod)
+ print("kmod("..mod..") ")
+ end
+ local fn = rpm.expand("%1")
+ local bn = basename(fn)
+ if bn == "modules.builtin" then
+ for l in io.lines(fn) do
+ local builtin_mod = basename(l)
+ printdep(builtin_mod)
+ local nocompr = strip_compress_sfx(builtin_mod)
+ if nocompr ~= builtin_mod then
+ printdep(nocompr)
+ end
+ end
+ else
+ local mod = string.match(bn, "%g+%.ko")
+ if mod then
+ printdep(mod)
+ local nocompr = strip_compress_sfx(mod)
+ if nocompr ~= mod then
+ printdep(nocompr)
+ end
+ end
+ end
+}
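Review bot: The `modules.builtin` branch prints `basename(l)` for every line without the `%g+%.ko` filter that the `.ko` branch applies, so a blank line or a line containing spaces would be emitted as a malformed `kmod(...)` Provides entry. Applying the same match there, `local builtin_mod = string.match(basename(l), "%g+%.ko")` guarded by `if builtin_mod then … end`, keeps both branches consistent. `basename`, `strip_compress_sfx` and `printdep` are also defined as globals; if rpm reuses one Lua state across macro expansions (worth confirming), declaring them with `local function` would keep them from colliding with helpers in other macros.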
@@ -362,9 +362,18 @@ for k,_ in pairs(stripped_flags) do print(k .. " ") end %_clang_lto_cflags -flto=thin %_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}} +# Default fortification level. +# "%define _fortify_level 1" to downgrade and +# "%define _fortify_level 0" or "%undefine _fortify_level" to disable +# +# We use a single -Wp here to enforce order so that ccache does not ever +# reorder them. +%_fortify_level 2 +%_fortify_level_flags %[ 0%{?_fortify_level} > 0 ? "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=%{_fortify_level}" : "" ] + %_general_options -O2 %{?_lto_cflags} -g -grecord-gcc-switches -pipe -fstack-protector-strong %[ "%{toolchain}" == "clang" ? "-fgcc-compatible" : "" ] %_warning_options -Wall -Werror=format-security -%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS +%_preprocessor_defines %{_fortify_level_flags} -Wp,-D_GLIBCXX_ASSERTIONS %__global_compiler_flags %{_general_options} %{_warning_options} %{_preprocessor_defines} %{_hardened_cflags} diff --git a/macros.perl b/macros.perl index 9c1fd0c..1e45bcb 100644 --- a/macros.perl +++ b/macros.perl @@ -31,7 +31,7 @@ export PERL_MM_USE_DEFAULT=1 %perl_default_filter_revision 3 # By default, for perl packages we want to filter all files in _docdir from -# req/prov scanning. +# req/prov scanning, except META.json/yml for scanning requirements. # Filtering out any provides caused by private libs in vendorarch/archlib # (vendor/core) is done by rpmbuild since Fedora 20 # <https://fedorahosted.org/fpc/ticket/353>. 
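Review bot: In the macros hunk, `%_fortify_level_flags` pastes `%{_fortify_level}` into `-D_FORTIFY_SOURCE=` without checking it, and the new comment documents only how to lower or disable the level. A spec that sets a level the toolchain does not implement, or a non-numeric value, would get a weaker or broken flag with no warning, as far as this hunk shows. When the level is 0 or undefined the macro expands to an empty string, so no `-U_FORTIFY_SOURCE` is passed and any compiler-default fortification stays in effect, which does not quite match the "disable" wording. I would extend the comment with something like `# Accepted values: 0-3; 3 needs compiler and libc support, and 0 only drops this flag, it does not pass -U_FORTIFY_SOURCE.`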
@@ -40,8 +40,9 @@ export PERL_MM_USE_DEFAULT=1 # "%{?perl_default_filter}", before any %description block. %perl_default_filter %{expand: \ +%global __global_requires_exclude_from %{nil} %global __provides_exclude_from %{?__provides_exclude_from:%__provides_exclude_from|}^%{_docdir} -%global __requires_exclude_from %{?__requires_exclude_from:%__requires_exclude_from|}^%{_docdir} +%global __requires_exclude_from %{?__requires_exclude_from:%__requires_exclude_from|}^%{_docdir}/.*\\\\(?=META.json|\\\\(MY|\\\\)META.yml\\\\)$ %global __provides_exclude %{?__provides_exclude:%__provides_exclude|}^perl\\\\(VMS|^perl\\\\(Win32|^perl\\\\(DB\\\\)|^perl\\\\(UNIVERSAL\\\\) %global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\\\(VMS|^perl\\\\(Win32 } diff --git a/openEuler-rpm-config.spec b/openEuler-rpm-config.spec index a36338f..c0ad452 100644 --- a/openEuler-rpm-config.spec +++ b/openEuler-rpm-config.spec @@ -3,8 +3,8 @@ Name: %{vendor}-rpm-config Version: 31 -Release: 12 -License: GPL+ +Release: 15 +License: GPL+ AND MIT Summary: specific rpm configuration files URL: https://gitee.com/src-openeuler/openEuler-rpm-config Buildarch: noarch @@ -38,6 +38,10 @@ Source201: infopages.attr Source202: manpages.attr Source203: nbdkit.attr Source204: find-provides.nbdkit +# Source 205-207 from fedora, licenced under MIT +Source205: kabi.attr +Source206: kabi.sh +Source207: kmod.attr # Misc helper scripts Source300: kmodtool @@ -149,6 +153,7 @@ install -p -m 755 -t %{buildroot}%{rpmvdir} config.* install -p -m 755 -t %{buildroot}%{_rpmconfigdir} brp-* install -p -m 644 -t %{buildroot}%{_rpmconfigdir} generic-* install -p -m 755 -t %{buildroot}%{_rpmconfigdir} fix-libtool-from-moving-options-after-libs +install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kabi.sh install -p -m 755 -t %{buildroot}%{rpmvdir} kmodtool install -p -m 755 -t %{buildroot}%{rpmvdir} find-requires* install -p -m 755 -t %{buildroot}%{rpmvdir} find-provides* 
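Review bot: The new `__requires_exclude_from` value in macros.perl uses `(?=`, which is Perl-style lookahead syntax, and writes its parentheses with the same `\\\\(` escaping that the `__provides_exclude` line below it uses for literal parentheses. If rpm evaluates these patterns as POSIX extended regular expressions, as I believe it does, the expression would match almost no ordinary path under `%{_docdir}`, so documentation and example scripts would be scanned for Requires again. Together with the added `%global __global_requires_exclude_from %{nil}`, that widens automatic dependency generation for every package that uses `%perl_default_filter`. Please verify on a package that ships scripts in its doc directory, and add a comment such as `# excludes everything under _docdir except META.json, META.yml and MYMETA.yml` so the intended rule can be checked against the pattern.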
@@ -184,8 +189,20 @@ sed -i "s/@VENDOR@/%{vendor}/g" `grep "@VENDOR@" -rl %{buildroot}%{_rpmconfigdir %{_rpmconfigdir}/macros.d/macros.kmp %{rpmvdir}/find-requires %{rpmvdir}/find-requires.ksyms +%{_rpmconfigdir}/kabi.sh +%{_fileattrsdir}/kabi.attr +%{_fileattrsdir}/kmod.attr %changelog +* Fri Jan 31 2025 Funda Wang <fundawang@yeah.net> - 31-15 +- add kabi, kmod dependency generators from fedora + +* Tue Jan 28 2025 Funda Wang <fundawang@yeah.net> - 31-14 +- whitelist META.json/yml for scanning perl dependencies + +* Fri Jan 17 2025 Funda Wang <fundawang@yeah.net> - 31-13 +- split out fortify level definition for supporting build with FORTIFY_SOURCE=3 in the future + * Wed Jan 15 2025 luhuaxin <luhuaxin1@huawei.com> - 31-12 - ima: keep the process of OBS signing same as previous version |