diff --git a/icecream-0.9.3-fix-gcc44-ftbfs.patch b/icecream-0.9.3-fix-gcc44-ftbfs.patch
deleted file mode 100644
index 9d935b8..0000000
--- a/icecream-0.9.3-fix-gcc44-ftbfs.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-With gcc 4.4 this fixes not just a warning, but an error. -- Michal
-
-
-commit f1ed14e4062869f583472f74a1b51b9c5ad42cde
-Author: coolo
-Date: Mon Feb 16 11:09:03 2009 +0000
-
- fix compilation warnings
-
-
- git-svn-id: svn://anonsvn.kde.org/home/kde/trunk/icecream@926812 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
-
-diff --git a/daemon/load.cpp b/daemon/load.cpp
-index 5cb1685..08e6f70 100644
---- a/daemon/load.cpp
-+++ b/daemon/load.cpp
-@@ -203,7 +203,7 @@ static void updateCPULoad( CPULoadInfo* load )
- #ifndef USE_SYSCTL
- static unsigned long int scan_one( const char* buff, const char *key )
- {
-- char *b = strstr( buff, key );
-+ const char *b = strstr( buff, key );
- if ( !b )
- return 0;
- unsigned long int val = 0;
-diff --git a/daemon/main.cpp b/daemon/main.cpp
-index f7be369..ee9c0f3 100644
---- a/daemon/main.cpp
-+++ b/daemon/main.cpp
-@@ -619,7 +619,7 @@ bool Daemon::maybe_stats(bool send_ping)
- #ifdef HAVE_SYS_VFS_H
- struct statfs buf;
- int ret = statfs(envbasedir.c_str(), &buf);
-- if (!ret && buf.f_bavail < (max_kids + 1 - current_kids) * 4 * 1024 * 1024 / buf.f_bsize)
-+ if (!ret && long(buf.f_bavail) < long(max_kids + 1 - current_kids) * 4 * 1024 * 1024 / buf.f_bsize)
- msg.load = 1000;
- #endif
-
diff --git a/icecream-0.9.3-fix-perms-of-cache.patch b/icecream-0.9.3-fix-perms-of-cache.patch
deleted file mode 100644
index 32650c9..0000000
--- a/icecream-0.9.3-fix-perms-of-cache.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-Patch sent upstream (to Stephan Kulow) on 2009-04-06. -- Michal
-
-commit e5dcc8beda99ffb4cb19b8eef024dbc22b010d54
-Author: Michal Schmidt
-Date: Sun Apr 5 23:32:32 2009 +0200
-
- fix permissions in the cache dir
-
- The way icecream changes permissions of /var/cache/icecream is buggy.
- When the daemon initializes, it creates the directory owned by root:root
- and readable for everyone. As soon as it installs a foreign environment,
- it changes the owner to root:icecream and removes access for everyone
- else. This causes trouble for locally run icecc which wants read access
- to /var/cache/icecream/native. As a result, local compile jobs can no
- longer determine the native environment and fail to get distributed to
- other nodes.
-
- This patch assigns the owners and permissions like this:
- 0755 root:root /var/cache/icecream/
- 0775 root:icecream /var/cache/icecream/native/
- 0770 root:icecream /var/cache/icecream/target=/
- 0770 root:icecream /var/cache/icecream/target=//
-
- It also sets the umask in the initialization of the daemon so that we
- can depend on it being sane and we no longer need some of the chmods.
-
- The access() check in start_install_environment() can be dropped,
- because if we don't have access, we'll soon find out anyway.
-
-diff --git a/daemon/environment.cpp b/daemon/environment.cpp
-index 9dc2831..979da91 100644
---- a/daemon/environment.cpp
-+++ b/daemon/environment.cpp
-@@ -180,8 +180,6 @@ bool cleanup_cache( const string &basedir )
- log_perror( "mkdir in cleanup_cache() failed" );
- return false;
- }
-- chown( basedir.c_str(), 0, 0 );
-- chmod( basedir.c_str(), 0755 );
-
- return ret;
- }
-@@ -219,14 +217,14 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
- if ( ::access( "/usr/bin/gcc", X_OK ) || ::access( "/usr/bin/g++", X_OK ) )
- return 0;
-
-- if ( mkdir( nativedir.c_str(), 0755 ) )
-+ if ( mkdir( nativedir.c_str(), 0775 ) )
- return 0;
-
-- if ( chown( nativedir.c_str(), nobody_uid, nobody_gid) ) {
-+ if ( chown( nativedir.c_str(), 0, nobody_gid ) ||
-+ chmod( nativedir.c_str(), 0775 ) ) {
- rmdir( nativedir.c_str() );
- return 0;
- }
-- chmod( nativedir.c_str(), 0755 );
-
- flush_debug();
- pid_t pid = fork();
-@@ -251,7 +249,6 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
- }
- }
- // else
-- umask(022);
-
- if ( setgid( nobody_gid ) < 0) {
- log_perror("setgid failed");
-@@ -313,30 +310,28 @@ pid_t start_install_environment( const std::string &basename, const std::string
- compression = BZip2;
- }
-
-- if( ::access( basename.c_str(), W_OK ) ) {
-- log_error() << "access for basename " << basename.c_str() << " gives " << strerror(errno) << endl;
-- return 0;
-- }
--
-- chown( basename.c_str(), 0, nobody_gid );
-- chmod( basename.c_str(), 0770 );
--
-- if ( mkdir( dirname.c_str(), 0755 ) && errno != EEXIST ) {
-+ if ( mkdir( dirname.c_str(), 0770 ) && errno != EEXIST ) {
- log_perror( "mkdir target" );
- return 0;
- }
-
-- chown( dirname.c_str(), 0, nobody_gid );
-- chmod( dirname.c_str(), 0770 );
-+ if ( chown( dirname.c_str(), 0, nobody_gid ) ||
-+ chmod( dirname.c_str(), 0770 ) ) {
-+ log_perror( "chown,chmod target" );
-+ return 0;
-+ }
-
- dirname = dirname + "/" + name;
-- if ( mkdir( dirname.c_str(), 0700 ) ) {
-+ if ( mkdir( dirname.c_str(), 0770 ) ) {
- log_perror( "mkdir name" );
- return 0;
- }
-
-- chown( dirname.c_str(), 0, nobody_gid );
-- chmod( dirname.c_str(), 0770 );
-+ if ( chown( dirname.c_str(), 0, nobody_gid ) ||
-+ chmod( dirname.c_str(), 0770 ) ) {
-+ log_perror( "chown,chmod name" );
-+ return 0;
-+ }
-
- int fds[2];
- if ( pipe( fds ) )
-diff --git a/daemon/main.cpp b/daemon/main.cpp
-index 17fc761..7a6498f 100644
---- a/daemon/main.cpp
-+++ b/daemon/main.cpp
-@@ -1598,6 +1598,8 @@ int main( int argc, char ** argv )
- }
- }
-
-+ umask(022);
-+
- if ( !logfile.length() && detach)
- logfile = "/var/log/iceccd";
-
diff --git a/icecream-0.9.3-tighten-security.patch b/icecream-0.9.3-tighten-security.patch
deleted file mode 100644
index 233d51d..0000000
--- a/icecream-0.9.3-tighten-security.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-commit 3cf2e4b4f1912d18772a0fa476d4671c25ca2ea4
-Author: coolo
-Date: Mon Mar 2 09:47:26 2009 +0000
-
- more fixes from Michal Schmidt:
- - don't leak file descriptor to create-env
- - don't use the shell to call simple commands
-
-
- git-svn-id: svn://anonsvn.kde.org/home/kde/trunk/icecream@934044 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
-
-diff --git a/daemon/environment.cpp b/daemon/environment.cpp
-index fd38f8e..9dc2831 100644
---- a/daemon/environment.cpp
-+++ b/daemon/environment.cpp
-@@ -142,40 +142,48 @@ static void list_target_dirs( const string ¤t_target, const string &target
- closedir( envdir );
- }
-
--bool cleanup_cache( const string &basedir )
-+/* Returns true if the child exited with success */
-+static bool exec_and_wait( const char *const argv[] )
- {
-- flush_debug();
- pid_t pid = fork();
-- if ( pid )
-- {
-- int status = 0;
-+ if ( pid == -1 ) {
-+ log_perror("fork");
-+ return false;
-+ }
-+ if ( pid ) {
-+ // parent
-+ int status;
- while ( waitpid( pid, &status, 0 ) < 0 && errno == EINTR )
- ;
-+ return WIFEXITED(status) && WEXITSTATUS(status) == 0;
-+ }
-+ // child
-+ _exit(execv(argv[0], const_cast(argv)));
-+}
-
-- if ( mkdir( basedir.c_str(), 0755 ) && errno != EEXIST ) {
-- if ( errno == EPERM )
-- log_error() << "permission denied on mkdir " << basedir << endl;
-- else
-- log_perror( "mkdir in cleanup_cache() failed" );
-- return false;
-- }
-- chown( basedir.c_str(), 0, 0 );
-- chmod( basedir.c_str(), 0755 );
-+bool cleanup_cache( const string &basedir )
-+{
-+ flush_debug();
-
-- return WIFEXITED(status);
-- }
-- // else
-- char **argv;
-- argv = new char*[5];
-- argv[0] = strdup( "/bin/rm" );
-- argv[1] = strdup( "-rf" );
-- argv[2] = strdup( "--" );
- // make sure it ends with '/' to not fall into symlink traps
- string bdir = basedir + '/';
-- argv[3] = strdup( bdir.c_str() );
-- argv[4] = NULL;
-+ const char *const argv[] = {
-+ "/bin/rm", "-rf", "--", bdir.c_str(), NULL
-+ };
-
-- _exit(execv(argv[0], argv));
-+ bool ret = exec_and_wait( argv );
-+
-+ if ( mkdir( basedir.c_str(), 0755 ) && errno != EEXIST ) {
-+ if ( errno == EPERM )
-+ log_error() << "permission denied on mkdir " << basedir << endl;
-+ else
-+ log_perror( "mkdir in cleanup_cache() failed" );
-+ return false;
-+ }
-+ chown( basedir.c_str(), 0, 0 );
-+ chmod( basedir.c_str(), 0755 );
-+
-+ return ret;
- }
-
- Environments available_environmnents(const string &basedir)
-@@ -259,7 +267,10 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
- _exit(1);
- }
-
-- if ( system( BINDIR "/icecc --build-native" ) ) {
-+ const char *const argv[] = {
-+ BINDIR "/icecc", "--build-native", NULL
-+ };
-+ if ( !exec_and_wait( argv ) ) {
- log_error() << BINDIR "/icecc --build-native failed\n";
- _exit(1);
- }
-diff --git a/services/comm.cpp b/services/comm.cpp
-index 47e7304..5ffb790 100644
---- a/services/comm.cpp
-+++ b/services/comm.cpp
-@@ -987,6 +987,12 @@ open_send_broadcast (void)
- return -1;
- }
-
-+ if (fcntl (ask_fd, F_SETFD, FD_CLOEXEC) < 0)
-+ {
-+ log_perror("open_send_broadcast fcntl");
-+ close (ask_fd);
-+ return -1;
-+ }
- int optval = 1;
- if (setsockopt (ask_fd, SOL_SOCKET, SO_BROADCAST, &optval, sizeof(optval)) < 0)
- {
diff --git a/icecream-fix-createenv-when-ldconfig-fails.patch b/icecream-fix-createenv-when-ldconfig-fails.patch
new file mode 100644
index 0000000..d8c5ccf
--- /dev/null
+++ b/icecream-fix-createenv-when-ldconfig-fails.patch
@@ -0,0 +1,32 @@ +Patch sent to Stephan Kulow on 2009-10-12 +----------------------------------------- +[PATCH icecream] allow ldconfig to fail when creating the environment + +We should only expect ld.so.cache to be created if ldconfig finished +successfully. + +ld.so.cache is not essential for correct functioning of the +created environment. + +ldconfig may fail for example if SELinux enforcing policy prevents +it from working in the confined domain. That's actually how I +noticed this. The tar at the end of the script was failing because of +it. And yes, I will look at fixing the policy too... + +Michal + +Index: icecc-0.9.4/client/icecc-create-env +=================================================================== +--- icecc-0.9.4.orig/client/icecc-create-env ++++ icecc-0.9.4/client/icecc-create-env +@@ -157,8 +157,8 @@ for i in $target_files; do + done + + if test -x /sbin/ldconfig; then +- /sbin/ldconfig -r $tempdir +- new_target_files="$new_target_files etc/ld.so.cache" ++ /sbin/ldconfig -r $tempdir && \ ++ new_target_files="$new_target_files etc/ld.so.cache" + fi + + md5sum=NONE diff --git a/icecream.spec b/icecream.spec index 5f4e276..e57470b 100644 --- a/icecream.spec +++ b/icecream.spec @@ -11,7 +11,7 @@ Name: icecream Version: 0.9.4 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Distributed compiler Group: Development/Tools @@ -29,6 +29,7 @@ Source7: initscript-scheduler Source8: %{name}-manpages.tar.bz2 Patch0: %{name}-rename-scheduler.patch Patch1: %{name}-cleanup-conffile.patch +Patch2: %{name}-fix-createenv-when-ldconfig-fails.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -76,6 +77,7 @@ This package contains development files for %{name}. %setup -q -a 8 -n icecc-%{version} %patch0 -p1 %patch1 -p0 +%patch2 -p1 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh mkdir SELinux 
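Review bot: The new `/sbin/ldconfig -r $tempdir && \` line in client/icecc-create-env makes an ldconfig failure completely silent, so the SELinux denial the description mentions (or any other ldconfig breakage) leaves no trace in the script's output. I would report it on stderr, `/sbin/ldconfig -r "$tempdir" || echo "ldconfig failed, continuing without etc/ld.so.cache" >&2`, and add the cache to the list only when the file is really there, `test -f "$tempdir/etc/ld.so.cache" && new_target_files="$new_target_files etc/ld.so.cache"`. `$tempdir` is also expanded unquoted on this line; how it is created lies outside the hunk, so quoting it is the safe default. A one-line comment above the `if test -x /sbin/ldconfig` block saying that ld.so.cache is optional for the environment would keep the reasoning from the patch header in the script itself.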
@@ -233,6 +235,10 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/icecc.pc %changelog +* Mon Oct 12 2009 Michal Schmidt 0.9.4-5 +- Fix failure to build native environment in SELinux enforcing mode. +- 'cvs rm ...' unused patches. + * Mon Aug 17 2009 Michal Schmidt 0.9.4-4 - SELinux policy: Allow untrusted binaries to getattr all filesystems. (BSD process accounting does vfs_getattr() to check disk space.)