From: Stefano Brivio
To: passt-dev@passt.top
CC: Richard W. M. Jones
Subject: [PATCH] fedora: Replace pasta hard links by copies, mangle Build-IDs
Date: Wed, 23 Aug 2023 15:48:44 +0200
Message-Id: <20230823134844.2188790-1-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

The hard link trick didn't actually fix the issue with SELinux file contexts properly: as opposed to symbolic links, SELinux now correctly associates types to the labels that are set -- except that those labels are now shared, so we can end up (depending on how rpm(8) extracts the archives) with /usr/bin/passt having a pasta_exec_t context.

This got rather confusing as running restorecon(8) seemed to fix up labels -- but that's simply toggling between passt_exec_t and pasta_exec_t for both links, because each invocation will just "fix" the file with the mismatching context.

Replace the hard links with copies. AppArmor's attachment, instead, works with hard links, and if there's no LSM, we can keep symbolic links, so keep symbolic links in the Makefile.

With copies, rpmbuild(8) will warn about duplicate Build-IDs in the same package.
Mangle them in pasta binaries by summing one to the last byte, modulo one byte, using xxd (provided by vim-common) and disable the automatic rehashing by find-debuginfo(1) -- we already have per-release Build-IDs thanks to $VERSION passed on 'make'. Signed-off-by: Stefano Brivio --- contrib/fedora/passt.spec | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index d0c6895..51bf5a8 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -9,6 +9,10 @@ %global git_hash {{{ git_head }}} %global selinuxtype targeted +# Different Build-IDs for passt and pasta: don't let find-debuginfo touch them +%undefine _unique_build_ids +%global _no_recompute_build_ids 1 + Name: passt Version: {{{ git_version }}} @@ -19,7 +23,7 @@ Group: System Environment/Daemons URL: https://passt.top/ Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz -BuildRequires: gcc, make, checkpolicy, selinux-policy-devel +BuildRequires: gcc, make, checkpolicy, selinux-policy-devel, binutils, vim-common Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) %description 
@@ -56,15 +60,28 @@ This package adds SELinux enforcement to passt(1) and pasta(1). %install %make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/%{name} -# The Makefile creates symbolic links for pasta, but we need hard links for +# The Makefile creates symbolic links for pasta, but we need actual copies for # SELinux file contexts to work as intended. Same with pasta.avx2 if present. -ln -f %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta +# +# To avoid duplicate Build-IDs in the same package, we increase the last byte of +# the value for pasta binaries by one (modulo one byte). Note that we already +# have differentiated Build-IDs per release, courtesy of $VERSION, so we don't +# need find-debuginfo(1) to recalculate them. +rm %{buildroot}%{_bindir}/pasta +objcopy --dump-section .note.gnu.build-id=%{buildroot}/build_id %{buildroot}%{_bindir}/passt +printf '\x'$(printf %02x $(( ( 0x$(xxd -ps -s 35 %{buildroot}/build_id) + 1 ) % 0xff )) ) | dd of=%{buildroot}/build_id seek=35 bs=1 count=1 conv=notrunc +objcopy --update-section .note.gnu.build-id=%{buildroot}/build_id %{buildroot}%{_bindir}/passt %{buildroot}%{_bindir}/pasta +rm %{buildroot}/build_id + %ifarch x86_64 -ln -f %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2 +rm %{buildroot}%{_bindir}/pasta.avx2 +objcopy --dump-section .note.gnu.build-id=%{buildroot}/build_id %{buildroot}%{_bindir}/passt.avx2 +printf '\x'$(printf %02x $(( ( 0x$(xxd -ps -s 35 %{buildroot}/build_id) + 1 ) % 0xff )) ) | dd of=%{buildroot}/build_id seek=35 bs=1 count=1 conv=notrunc +objcopy --update-section .note.gnu.build-id=%{buildroot}/build_id %{buildroot}%{_bindir}/passt.avx2 %{buildroot}%{_bindir}/pasta.avx2 +rm %{buildroot}/build_id ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1 ln -sr %{buildroot}%{_mandir}/man1/pasta.1 %{buildroot}%{_mandir}/man1/pasta.avx2.1 -install -p -m 755 %{buildroot}%{_bindir}/passt.avx2 
%{buildroot}%{_bindir}/pasta.avx2 %endif pushd contrib/selinux -- 2.39.2
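Review bot: the two macro lines in the first hunk (`%undefine _unique_build_ids` and `%global _no_recompute_build_ids 1`) apply to every binary in the package, not only to pasta, so from this change on the only thing keeping Build-IDs distinct across rebuilds of the same source is the $VERSION value the commit message relies on; the comment above them should say so, e.g. `# Build-IDs are already unique per release via $VERSION: keep find-debuginfo from recomputing them`, so that a later change to how VERSION is derived does not silently reintroduce collisions.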
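Review bot: in the BuildRequires hunk, vim-common is pulled in only for xxd, and the single byte the %install step reads can be fetched with od from coreutils, which is already in the build root, e.g. `od -An -tx1 -j 35 -N 1 %{buildroot}/build_id`; dropping vim-common keeps the new dependencies to what the spec actually needs (binutils for objcopy).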
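Review bot: `% 0xff` in the two printf lines of the %install hunk does not implement the "modulo one byte" the comment promises; a byte wraps at 256, so it should be `% 0x100` (with 0xff an input byte of 0xff yields 0x01 instead of 0x00, and the value 0xff can never be produced). In the same lines, `xxd -ps -s 35` reads to end of file rather than one byte, and offset 35 hardcodes a 20-byte SHA-1 Build-ID (12-byte note header, 4-byte "GNU\0" name, 20-byte descriptor): adding `-l 1` and computing the offset as the dumped section's size minus one would keep this working if the linker is ever configured for a different --build-id style. Finally, the scratch file is written to %{buildroot}/build_id, so any failure between the objcopy dump and the rm leaves it in the buildroot where it is reported as an unpackaged file; a path under %{_builddir} or a mktemp file avoids that.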