| ... | ... |
@@ -147,13 +147,7 @@ class PackageBuilder(object): |
| 147 | 147 |
self.installPackage(pkg,chrootID,destLogPath,listInstalledPackages) |
| 148 | 148 |
|
| 149 | 149 |
def adjustGCCSpecs(self, package, chrootID, logPath): |
| 150 |
- opt = "" |
|
| 151 |
- # TODO: reading of hardening flag from spec files |
|
| 152 |
- if package == "linux" or package == "glibc": |
|
| 153 |
- opt = " clean" |
|
| 154 |
- elif package.startswith("xf86-") or package.startswith("xorg-server") :
|
|
| 155 |
- opt = " nonow" |
|
| 156 |
- |
|
| 150 |
+ opt = " " + constants.specData.getSecurityHardeningOption(package) |
|
| 157 | 151 |
shutil.copy2(self.adjustGCCSpecScript, chrootID+"/tmp/"+self.adjustGCCSpecScript) |
| 158 | 152 |
cmdUtils=CommandUtils() |
| 159 | 153 |
cmd = "/tmp/"+self.adjustGCCSpecScript+opt |
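Review bot: The value read from the spec is concatenated straight into a shell command string at the bottom of the hunk (`cmd = "/tmp/"+self.adjustGCCSpecScript+opt`) and this method validates nothing itself, so its safety rests entirely on SpecParser.readSecurityHardening accepting only `none`/`nonow`. A defense-in-depth check here keeps a later parser change from turning a spec-file value into command injection: `if opt.strip() not in ("", "none", "nonow"): raise Exception("Invalid security_hardening for "+package+": "+opt)`. Note also that the removed branch passed `clean` for linux and glibc, which is not among the values the new parser accepts, so those two packages presumably get a different option now unless their specs and the script were updated alongside this change — worth confirming. adjustGCCSpecs continues past the end of the hunk.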
| ... | ... |
@@ -14,6 +14,7 @@ class SerializableSpecObject(object): |
| 14 | 14 |
self.specFile="" |
| 15 | 15 |
self.listSources=[] |
| 16 | 16 |
self.listPatches=[] |
| 17 |
+ self.securityHardening="" |
|
| 17 | 18 |
|
| 18 | 19 |
class SerializableSpecObjectsUtils(object): |
| 19 | 20 |
|
| ... | ... |
@@ -38,6 +39,7 @@ class SerializableSpecObjectsUtils(object): |
| 38 | 38 |
specObj.release=spec.getRelease() |
| 39 | 39 |
specObj.listSources=spec.getSourceNames() |
| 40 | 40 |
specObj.listPatches=spec.getPatchNames() |
| 41 |
+ specObj.securityHardening=spec.getSecurityHardeningOption() |
|
| 41 | 42 |
for specPkg in specObj.listPackages: |
| 42 | 43 |
specObj.installRequiresPackages[specPkg]=spec.getRequires(specPkg) |
| 43 | 44 |
self.mapPackageToSpec[specPkg]=specName |
| ... | ... |
@@ -97,6 +99,10 @@ class SerializableSpecObjectsUtils(object): |
| 97 | 97 |
self.logger.error("Could not able to find "+package+" package from specs")
|
| 98 | 98 |
raise Exception("Invalid package:"+package)
|
| 99 | 99 |
|
| 100 |
+ def getSecurityHardeningOption(self, package): |
|
| 101 |
+ specName=self.getSpecName(package) |
|
| 102 |
+ return self.mapSerializableSpecObjects[specName].securityHardening |
|
| 103 |
+ |
|
| 100 | 104 |
def printAllObjects(self): |
| 101 | 105 |
listSpecs=self.mapSerializableSpecObjects.keys() |
| 102 | 106 |
for spec in listSpecs: |
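Review bot: getSecurityHardeningOption has no docstring, and its return contract matters because the caller splices the result into a command line; it returns the spec's stored `securityHardening` string, which is `""` when the spec never set one, and it propagates the exception getSpecName raises for an unknown package. Suggested docstring: `"""Return the security_hardening value of the spec owning package ('' if the spec sets none); raises via getSpecName for unknown packages."""`.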
| ... | ... |
@@ -125,5 +131,6 @@ class SerializableSpecObjectsUtils(object): |
| 125 | 125 |
self.logger.info(specObj.installRequiresAllPackages) |
| 126 | 126 |
self.logger.info(" ")
|
| 127 | 127 |
self.logger.info(specObj.installRequiresPackages) |
| 128 |
+ self.logger.info("security_hardening: " + specObj.securityHardening)
|
|
| 128 | 129 |
self.logger.info("------------------------------------------------")
|
| 129 | 130 |
|
| ... | ... |
@@ -12,6 +12,7 @@ class SpecParser(object): |
| 12 | 12 |
self.checkMacro=rpmMacro().setName("check")
|
| 13 | 13 |
self.packages={}
|
| 14 | 14 |
self.specAdditionalContent="" |
| 15 |
+ self.globalSecurityHardening="" |
|
| 15 | 16 |
|
| 16 | 17 |
|
| 17 | 18 |
def readPkgNameFromPackageMacro(self,data,basePkgName=None): |
| ... | ... |
@@ -63,6 +64,8 @@ class SpecParser(object): |
| 63 | 63 |
self.packages[packageName].updatePackageMacro(macro) |
| 64 | 64 |
elif self.isPackageHeaders(line): |
| 65 | 65 |
self.readPackageHeaders(line, self.packages[currentPkg]) |
| 66 |
+ elif self.isGlobalSecurityHardening(line): |
|
| 67 |
+ self.readSecurityHardening(line) |
|
| 66 | 68 |
else: |
| 67 | 69 |
self.specAdditionalContent+=line+"\n" |
| 68 | 70 |
i=i+1 |
| ... | ... |
@@ -187,6 +190,11 @@ class SpecParser(object): |
| 187 | 187 |
return True |
| 188 | 188 |
return False |
| 189 | 189 |
|
| 190 |
+ def isGlobalSecurityHardening(self,line): |
|
| 191 |
+ if re.search('^%global *security_hardening',line,flags=re.IGNORECASE) :
|
|
| 192 |
+ return True |
|
| 193 |
+ return False |
|
| 194 |
+ |
|
| 190 | 195 |
def readHeader(self,line): |
| 191 | 196 |
headerSplitIndex=line.find(":")
|
| 192 | 197 |
if(headerSplitIndex+1 == len(line) ): |
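Review bot: The pattern `'^%global *security_hardening'` is looser than intended: ` *` also matches zero spaces (`%globalsecurity_hardening`), a tab between the tokens is not matched at all, and the unanchored suffix matches any macro whose name merely starts with `security_hardening`, which readSecurityHardening then rejects and the line is lost from specAdditionalContent. Tightening to `re.search(r'^%global\s+security_hardening\b', line, flags=re.IGNORECASE)` addresses all three. The `re.IGNORECASE` is presumably deliberate, since readSecurityHardening lowercases the line before comparing.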
| ... | ... |
@@ -290,3 +298,16 @@ class SpecParser(object): |
| 290 | 290 |
|
| 291 | 291 |
return True |
| 292 | 292 |
return False |
| 293 |
+ |
|
| 294 |
+ def readSecurityHardening(self,line): |
|
| 295 |
+ data = line.lower().strip(); |
|
| 296 |
+ words=data.split(" ")
|
|
| 297 |
+ nrWords = len(words) |
|
| 298 |
+ if (nrWords != 3): |
|
| 299 |
+ print "Error: Unable to parse line: "+line |
|
| 300 |
+ return False |
|
| 301 |
+ if (words[2] != "none" and words[2] != "nonow") : |
|
| 302 |
+ print "Error: Invalid security_hardening value: " + words[2] |
|
| 303 |
+ return False |
|
| 304 |
+ self.globalSecurityHardening = words[2] |
|
| 305 |
+ return True; |
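Review bot: `data.split(" ")` fails on any spacing other than a single space — two spaces or a tab between the tokens produces empty words, `nrWords != 3` trips, and the failure is only `print`ed while the `False` return is discarded at the dispatch site, so the spec silently keeps `globalSecurityHardening == ""` and the builder runs the GCC-spec script with no option at all. Split on whitespace instead, `words = data.split()`, and make both error paths fatal, e.g. `raise Exception("Invalid security_hardening value: " + words[2])`, in the `raise Exception(...)` style used elsewhere in this change, so a typo in a spec aborts the build rather than quietly changing its hardening. The `none`/`nonow` allowlist is the only barrier between the spec file and the shell command assembled in PackageBuilder.adjustGCCSpecs, so keep the comparison exact and do not widen it without escaping on the consumer side. The trailing semicolons on `strip();` and `return True;` are stray.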
| ... | ... |
@@ -170,6 +170,9 @@ class Specutils(object): |
| 170 | 170 |
pkg = self.spec.packages.get('default')
|
| 171 | 171 |
return pkg.name |
| 172 | 172 |
|
| 173 |
+ def getSecurityHardeningOption(self): |
|
| 174 |
+ return self.spec.globalSecurityHardening |
|
| 175 |
+ |
|
| 173 | 176 |
def main(): |
| 174 | 177 |
spec = Specutils("/workspace1/myrepos/photon/SPECS/docker/docker.spec")
|
| 175 | 178 |
print "packages",spec.getPackageNames() |