diff --git a/.github/rpm-matrix.json b/.github/rpm-matrix.json index 63d7c096c..3248caa55 100644 --- a/.github/rpm-matrix.json +++ b/.github/rpm-matrix.json @@ -1,11 +1,20 @@ { "props": [ + { + "platform": "fedora", + "dist": "fc42", + "spec": "fapolicy-analyzer.spec", + "image": "registry.fedoraproject.org/fedora:42", + "chroot": "fedora-rawhide-x86_64", + "version": "42", + "prerelease": true + }, { "platform": "fedora", "dist": "fc41", "spec": "fapolicy-analyzer.spec", "image": "registry.fedoraproject.org/fedora:41", - "chroot": "fedora-rawhide-x86_64", + "chroot": "fedora-41-x86_64", "version": "41", "prerelease": true }, diff --git a/.github/workflows/rpm.yml b/.github/workflows/rpm.yml index e35c321e0..d8d4a9e33 100644 --- a/.github/workflows/rpm.yml +++ b/.github/workflows/rpm.yml @@ -109,8 +109,6 @@ jobs: - name: Adjust spec run: | - # disable dev-tools crate - sed -i '/tools/d' Cargo.toml # generate build deps with cargo2rpm cargo2rpm -p Cargo.toml buildrequires | while read line; do grep -n "BuildRequires:" fapolicy-analyzer.spec | head -n1 | cut -d: -f1 | xargs -I{} sed -i "{}iBuildRequires: $line" fapolicy-analyzer.spec diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml index 75304d892..fdf8ba344 100644 --- a/.github/workflows/tools.yml +++ b/.github/workflows/tools.yml @@ -44,7 +44,6 @@ jobs: run: | mkdir /tmp/tools mv target/release/tdb /tmp/tools/tdb - mv target/release/rulec /tmp/tools/rulec mv target/release/faprofiler /tmp/tools/faprofiler - name: Archive Tools diff --git a/Cargo.lock b/Cargo.lock index 6b79d572a..511b9d647 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -17,15 +17,6 @@ version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bddcadddf5e9015d310179a59bb28c4d4b9920ad0f11e8e14dbadf654890c9a6" -[[package]] -name = "ariadne" -version = "0.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1cb2a2046bea8ce5e875551f5772024882de0b540c7f93dfc5d6cf1ca8b030c" -dependencies = [ - "yansi", -] - [[package]] name = "assert_matches" version = "1.5.0" @@ -432,7 +423,6 @@ dependencies = [ name = "fapolicy-tools" version = "0.5.0" dependencies = [ - "ariadne", "clap", "fapolicy-analyzer", "fapolicy-app", @@ -1331,9 +1321,3 @@ name = "windows_x86_64_msvc" version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" - -[[package]] -name = "yansi" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fc79f4a1e39857fc00c3f662cbf2651c771f00e9c15fe2abc341806bd46bd71" diff --git a/Containerfile b/Containerfile index b51f827e5..bfc599c88 100644 --- a/Containerfile +++ b/Containerfile @@ -1,7 +1,11 @@ -ARG image=registry.fedoraproject.org/fedora:39 -FROM $image AS build-stage +ARG image=registry.fedoraproject.org/fedora:latest +FROM $image AS fedorabuild +ARG version +ARG spec=fapolicy-analyzer.spec -RUN dnf install -y rpm-build rpmdevtools dnf-plugins-core python3-pip nano +# rpmbuild tools could be installed in the el stage +# but caching them here ends up saving time on rebuilds +RUN dnf install -y mock rpm-build rpmdevtools RUN useradd -u 10001 -g 0 -d /home/default default 
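Review bot: The default on the first line moves from the pinned `fedora:39` to the floating `fedora:latest`, so the build environment, including the mock version installed two lines later, silently changes every time Fedora publishes a release, which defeats reproducible rebuilds and makes a broken build hard to bisect. The `fc-rpm` target elsewhere in this change still hands mock a `fedora-39-x86_64` config, so container and chroot versions now drift independently. Keep a numeric tag as the default, `ARG image=registry.fedoraproject.org/fedora:41`, or better a `@sha256:` digest, and let CI override it with `--build-arg image=...` from the per-distro `image` field that `rpm-matrix.json` already records.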
@@ -9,17 +13,28 @@ USER 10001 RUN mkdir -p /tmp/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} WORKDIR /tmp/rpmbuild -COPY --chown=10001:0 fapolicy-analyzer.spec SPECS/ +COPY --chown=10001:0 $spec SPECS/fapolicy-analyzer.spec USER root RUN dnf -y builddep SPECS/fapolicy-analyzer.spec USER 10001 -COPY --chown=10001:0 fapolicy-analyzer.tar.gz SOURCES/ -COPY --chown=10001:0 vendor-docs.tar.gz SOURCES/ -COPY --chown=10001:0 scripts/srpm/build.sh ./build.sh +COPY --chown=10001:0 fapolicy-analyzer-$version.tar.gz SOURCES/ +COPY --chown=10001:0 vendor-docs-$version.tar.gz SOURCES/ +COPY --chown=10001:0 scripts/srpm/build.sh . -RUN spectool -g -C /tmp/rpmbuild/SOURCES/ SPECS/fapolicy-analyzer.spec +USER root ENTRYPOINT ["/tmp/rpmbuild/build.sh"] + +FROM fedorabuild as elbuild +ARG version + +USER 10001 + +RUN spectool --list-files SPECS/fapolicy-analyzer.spec | grep pythonhosted | cut -d' ' -f2 | xargs -I{} curl -sLO --output-dir SOURCES {} + +COPY --chown=10001:0 vendor-rs-$version.tar.gz SOURCES/ + +USER root diff --git a/Makefile b/Makefile index 990d7c032..e93af971c 100644 --- a/Makefile +++ b/Makefile @@ -23,6 +23,8 @@ GRN=\033[0;32m RED=\033[0;31m NC=\033[0m # No Color +VERSION ?= $(shell sed -n 's/^Version: *//p' fapolicy-analyzer.spec) + # List the common developer targets list: @echo 
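Review bot: The `curl -sLO` in the new elbuild stage has no `--fail`, so an HTTP error from pythonhosted writes the error page into `SOURCES/` under the wheel's own filename and the failure only surfaces later inside mock, if at all. Nothing verifies what is fetched either, and these sdists/wheels are installed into the build venv and compiled into the package, so at minimum use `xargs -I{} curl -fsSL --proto '=https' --output-dir SOURCES -O {}` and, if the repository does not already carry one, check the downloads against a committed sha256 list before they land in `SOURCES/`. The `spectool -g` this replaces had the same gap, so this is pre-existing exposure rather than a regression, but the rewrite is the moment to close it. Note also that both stages now end with `USER root`, so `build.sh` and mock run as root in the container where the old image ran the build as uid 10001.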
@@ -139,17 +141,17 @@ build-info: # Generate Fedora rawhide rpms fc-rpm: - @echo -e "${GRN}--- Fedora RPM generation...${NC}" - make -f .copr/Makefile vendor OS_ID=fedora - podman build -t fapolicy-analyzer:39 -f Containerfile . - podman run --rm -it --network=none -v /tmp:/v fapolicy-analyzer:39 /v + @echo -e "${GRN}--- Fedora RPM generation v${VERSION}...${NC}" + make -f .copr/Makefile vendor OS_ID=fedora VERSION=${VERSION} + podman build -t fapolicy-analyzer:build --target fedorabuild --build-arg version=${VERSION} -f Containerfile . + podman run --privileged --rm -it -v /tmp:/v fapolicy-analyzer:build fedora-39-x86_64 /v # Generate RHEL 9 rpms el9-rpm: - @echo -e "${GRN}--- el9 RPM generation...${NC}" - make -f .copr/Makefile vendor OS_ID=rhel DIST=.el9 spec=scripts/srpm/fapolicy-analyzer.el9.spec - podman build -t fapolicy-analyzer:el9 -f scripts/srpm/Containerfile.el9 . - podman run --rm -it --network=none -v /tmp:/v fapolicy-analyzer:el9 /v + @echo -e "${GRN}--- el9 RPM generation v${VERSION}...${NC}" + make -f .copr/Makefile vendor vendor-rs OS_ID=rhel VERSION=${VERSION} DIST=.el9 spec=scripts/srpm/fapolicy-analyzer.el9.spec + podman build -t fapolicy-analyzer:build --target elbuild --build-arg version=${VERSION} --build-arg spec=scripts/srpm/fapolicy-analyzer.el9.spec -f Containerfile . + podman run --privileged --rm -it -v /tmp:/v fapolicy-analyzer:build rocky+epel-9-x86_64 /v # Update embedded help documentation help-docs: diff --git a/crates/tools/Cargo.toml b/crates/tools/Cargo.toml index 5b8be378e..2cb3bcec8 100644 --- a/crates/tools/Cargo.toml +++ b/crates/tools/Cargo.toml @@ -9,10 +9,6 @@ edition = "2021" name = "tdb" path = "src/trust_db_util.rs" -[[bin]] -name = "rulec" -path = "src/rule_check.rs" - [[bin]] name = "faprofiler" path = "src/fapolicy_profiler.rs" @@ -23,7 +19,6 @@ lmdb = "0.8" nom = "7.1" rayon = "1.5" thiserror = "1.0" -ariadne = "0.1" log = "0.4" fapolicy-analyzer = { path = "../analyzer" } 
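Review bot: Both `podman run` lines drop `--network=none` and add `--privileged` while still bind-mounting the host's entire `/tmp` read-write, so the RPM build now runs as a fully privileged root container with network access and write access to every other host process's temp files. If `--privileged` is only there for mock's default systemd-nspawn isolation, running mock with `--isolation=simple` may allow a much narrower capability set — worth trying before settling on full privilege. Mount a dedicated output directory instead of `/tmp`, e.g. `-v $(CURDIR)/rpms:/v`, and consider `mock --offline` for the `--rebuild` step so only the chroot `--init` needs the network.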
diff --git a/fapolicy-analyzer.spec b/fapolicy-analyzer.spec index 25f59a2ca..0300ff0e3 100644 --- a/fapolicy-analyzer.spec +++ b/fapolicy-analyzer.spec @@ -1,4 +1,6 @@ %bcond_without check +%bcond_without cli +%bcond_without gui Summary: File Access Policy Analyzer Name: fapolicy-analyzer @@ -41,6 +43,22 @@ BuildRequires: audit-libs-devel BuildRequires: cargo-rpm-macros BuildRequires: python3dist(setuptools-rust) +Requires: %{name}-cli +Requires: %{name}-gui + +%description +Tools to assist with the configuration and management of fapolicyd. + + +%package cli +Summary: File Access Policy Analyzer CLI + +%description cli +CLI Tools to assist with the configuration and management of fapolicyd. + +%package gui +Summary: File Access Policy Analyzer GUI + Requires: python3 Requires: python3-gobject Requires: python3-events @@ -67,15 +85,22 @@ Requires: webkit2gtk4.1 %global module_version %{lua: v = string.gsub(rpm.expand("%{?version}"), "~dev", ".dev"); \ v = string.gsub(v, "~rc", "rc"); print(v) } -%description -Tools to assist with the configuration and management of fapolicyd. +%description gui +GUI Tools to assist with the configuration and management of fapolicyd. %prep %autosetup -n %{name} %cargo_prep -# disable dev-tools crate +%if %{without cli} +# disable tools crate sed -i '/tools/d' Cargo.toml +%endif + +%if %{without gui} +# disable pyo3 crate +sed -i '/pyo3/d' Cargo.toml +%endif # extract our doc sourcs tar xvzf %{SOURCE1} @@ -96,6 +121,12 @@ echo "audit" > FEATURES %cargo_generate_buildrequires -a %build + +%if %{with cli} +cargo build --bin tdb --release +%endif + +%if %{with gui} # ensure standard Rust compiler flags are set export RUSTFLAGS="%{build_rustflags}" 
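Review bot: The new `Requires: %{name}-cli` and `Requires: %{name}-gui` in the metapackage are unversioned, so `fapolicy-analyzer` can be satisfied by a `-cli` or `-gui` subpackage from a different build, and a partial upgrade can leave the GUI wrapper and the Rust extension it loads out of step. Pin them with `Requires: %{name}-cli = %{version}-%{release}` and `Requires: %{name}-gui = %{version}-%{release}`. The same applies to the el9 spec further down in this change.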
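Review bot: `cargo build --bin tdb --release` in the new `%if %{with cli}` block runs before the `export RUSTFLAGS="%{build_rustflags}"` that follows it, so the CLI binary installed as `%{_sbindir}/%{name}-trust` is compiled without the standard compiler flags the spec's own comment says must be set, while the gui build gets them. Move the export above the cli block so `%build` begins `export RUSTFLAGS="%{build_rustflags}"` / `%if %{with cli}` / `cargo build --bin tdb --release`; the el9 spec in this same change already has that ordering. Using the `%cargo_build` macro instead would apply the flags and `--offline` itself, but it may build into a different profile directory than the `target/release/tdb` path `%install` expects, so the export move is the smaller fix.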
@@ -105,8 +136,15 @@ export RUSTFLAGS="%{build_rustflags}" %{cargo_license_summary} %{cargo_license} > LICENSE.dependencies +%endif %install + +%if %{with cli} +install -D target/release/tdb %{buildroot}/%{_sbindir}/%{name}-trust +%endif + +%if %{with gui} %{py3_install_wheel %{module}-%{module_version}*%{_target_cpu}.whl} %{python3} help install --dest %{buildroot}/%{_datadir}/help install -D bin/%{name} %{buildroot}/%{_sbindir}/%{name} @@ -115,14 +153,17 @@ install -D data/config.toml -t %{buildroot}%{_sysconfdir}/%{name}/ desktop-file-install data/%{name}.desktop find locale -name %{name}.mo -exec cp --parents -rv {} %{buildroot}/%{_datadir} \; %find_lang %{name} --with-gnome +%endif %check +%if %{with gui} desktop-file-validate %{buildroot}/%{_datadir}/applications/%{name}.desktop +%endif -%files -n %{name} -f %{name}.lang -%doc scripts/srpm/README -%license LICENSE -%license LICENSE.dependencies +%files cli +%attr(755,root,root) %{_sbindir}/%{name}-trust + +%files gui %{python3_sitearch}/%{module} %{python3_sitearch}/%{module}-%{module_version}* %attr(755,root,root) %{_sbindir}/%{name} @@ -131,6 +172,11 @@ desktop-file-validate %{buildroot}/%{_datadir}/applications/%{name}.desktop %config(noreplace) %attr(644,root,root) %{_sysconfdir}/%{name}/config.toml %ghost %attr(640,root,root) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}/%{name}.log +%files -f %{name}.lang +%doc scripts/srpm/README +%license LICENSE +%license LICENSE.dependencies + %changelog * Sun Jul 28 2024 John Wass 1.4.0-1 - New release diff --git a/news/1025.packaging.md b/news/1025.packaging.md new file mode 100644 index 000000000..94f3fe164 --- /dev/null +++ b/news/1025.packaging.md @@ -0,0 +1 @@ +Subpackaged RPM build to support separate CLI and GUI installations. diff --git a/scripts/srpm/Containerfile.el9 b/scripts/srpm/Containerfile.el9 deleted file mode 100644 index 32b0d63b8..000000000 --- a/scripts/srpm/Containerfile.el9 +++ /dev/null 
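Review bot: `%files cli` ships only the binary, and because `-cli` does not require the main package, a user who installs just `fapolicy-analyzer-cli` gets no license text, which the packaging guidelines require for any independently installable subpackage. Add `%license LICENSE` to `%files cli` (and to `%files gui`), and since `tdb` statically links the vendored crates, the generated `LICENSE.dependencies` belongs with the cli subpackage as well rather than only with the metapackage.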
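Review bot: `%files -f %{name}.lang` on the metapackage reads a file that only `%find_lang` writes, and `%find_lang` now sits inside `%if %{with gui}`, so the `--without gui` build that the new `%bcond_without gui` advertises fails at `%files` with a missing `%{name}.lang`; `%license LICENSE.dependencies` breaks the same way because the `%{cargo_license}` redirect is closed by the `+%endif` of the gui block. Attach the translations to the package that owns the UI, `%files gui -f %{name}.lang`, and move the `%{cargo_license}` generation out of the gui conditional so it also runs for a cli-only build. Leaving the `.mo` files in the metapackage also means `dnf install fapolicy-analyzer-gui` alone yields an untranslated UI.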
@@ -1,27 +0,0 @@ -ARG image=rockylinux:9 -FROM $image AS build-stage - -RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -RUN dnf install -y rpm-build rpmdevtools dnf-plugins-core python3-pip nano - -RUN useradd -u 10001 -g 0 -d /home/default default - -USER 10001 -RUN mkdir -p /tmp/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} -WORKDIR /tmp/rpmbuild - -COPY --chown=10001:0 scripts/srpm/fapolicy-analyzer.el9.spec SPECS/fapolicy-analyzer.spec - -USER root -RUN dnf -y builddep SPECS/fapolicy-analyzer.spec - -USER 10001 - -COPY --chown=10001:0 fapolicy-analyzer-*.tar.gz SOURCES/ -COPY --chown=10001:0 vendor-rs-*.tar.gz SOURCES/ -COPY --chown=10001:0 vendor-docs-*.tar.gz SOURCES/ -COPY --chown=10001:0 scripts/srpm/build.sh ./build.sh - -RUN spectool -g -C SOURCES/ SPECS/fapolicy-analyzer.spec - -ENTRYPOINT ["/tmp/rpmbuild/build.sh"] diff --git a/scripts/srpm/build.sh b/scripts/srpm/build.sh index e5263a42c..d8f016ff6 100755 --- a/scripts/srpm/build.sh +++ b/scripts/srpm/build.sh @@ -18,18 +18,13 @@ spec_file="fapolicy-analyzer.spec" rpmbuild_dir=/tmp/rpmbuild -if [[ "$ONLINE" -eq 1 ]]; then - cd ${rpmbuild_dir}/SOURCES - spectool -g "../SPECS/$spec_file" - cd ${rpmbuild_dir}/SPECS - dnf builddep "$spec_file" -y -fi - -cd ${rpmbuild_dir}/SPECS -rpmbuild -ba "$spec_file" -D "_topdir ${rpmbuild_dir}" +echo "[build.sh] mock $1" +mock -r "$1" --init +mock -r "$1" --resultdir ${rpmbuild_dir} --buildsrpm --sources ${rpmbuild_dir}/SOURCES/ --spec ${rpmbuild_dir}/SPECS/${spec_file} +mock -r "$1" --resultdir ${rpmbuild_dir} --rebuild ${rpmbuild_dir}/*.src.rpm -if [[ ! -z "$1" ]]; then - echo "[build.sh] exporting *rpms to ${1}" - cp -v ${rpmbuild_dir}/RPMS/**/*.rpm ${1} - cp -v ${rpmbuild_dir}/SRPMS/*.rpm ${1} +if [[ -n "$2" ]]; then + echo "[build.sh] exporting rpms to ${2}" + cp -v ${rpmbuild_dir}/*.rpm ${2} + cp -v ${rpmbuild_dir}/*.rpm ${2} fi 
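Review bot: `mock -r "$1"` is invoked with no check that a chroot config was supplied, and nothing between the three mock calls checks their status, so unless the script header outside this hunk sets `set -e`, a failed `--buildsrpm` is followed by `--rebuild` against an unexpanded `*.src.rpm` glob or whatever `.src.rpm` happens to be present. Add `: "${1:?usage: build.sh <mock-config> [export-dir]}"` before the first mock call and `set -euo pipefail` at the top, and drop the second of the two identical `cp -v ${rpmbuild_dir}/*.rpm ${2}` lines, a leftover of the old RPMS/SRPMS split. Since the Containerfile now leaves the image as root, this runs mock as root; mock expects to be run by a member of the `mock` group and drops privileges itself, so confirm that is intended.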
diff --git a/scripts/srpm/fapolicy-analyzer.el9.spec b/scripts/srpm/fapolicy-analyzer.el9.spec index 67dc2d950..296ff56e2 100644 --- a/scripts/srpm/fapolicy-analyzer.el9.spec +++ b/scripts/srpm/fapolicy-analyzer.el9.spec @@ -1,3 +1,6 @@ +%bcond_without cli +%bcond_without gui + Summary: File Access Policy Analyzer Name: fapolicy-analyzer Version: 1.4.0 @@ -68,6 +71,7 @@ BuildRequires: rust-glob-devel BuildRequires: rust-heck-devel BuildRequires: rust-indoc-devel BuildRequires: rust-instant-devel +BuildRequires: rust-is_executable-devel BuildRequires: rust-lazy_static-devel BuildRequires: rust-libc-devel BuildRequires: rust-libloading-devel @@ -100,6 +104,34 @@ BuildRequires: rust-unindent-devel BuildRequires: rust-version_check-devel BuildRequires: rust-which-devel +%global module fapolicy_analyzer + +%global venv_dir %{_builddir}/vendor-py +%global venv_py3 %{venv_dir}/bin/python3 +%global venv_lib %{venv_dir}/lib/python3.9/site-packages +%global venv_install %{venv_py3} -m pip install --find-links=%{_sourcedir} --no-index --quiet + +# pep440 versions handle dev and rc differently, so we call them out explicitly here +%global module_version %{lua: v = string.gsub(rpm.expand("%{?version}"), "~dev", ".dev"); \ + v = string.gsub(v, "~rc", "rc"); print(v) } + +Requires: %{name}-cli +Requires: %{name}-gui + +%description +Tools to assist with the configuration and management of fapolicyd. + + +%package cli +Summary: File Access Policy Analyzer CLI + +%description cli +CLI Tools to assist with the configuration and management of fapolicyd. + + +%package gui +Summary: File Access Policy Analyzer GUI + Requires: python3 Requires: python3-gobject Requires: python3-events 
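Review bot: The metapackage's new `Requires: %{name}-cli` and `Requires: %{name}-gui` are unversioned, so the `-cli` and `-gui` subpackages can come from a different build than the metapackage that pulls them in. Pin them with `Requires: %{name}-cli = %{version}-%{release}` and `Requires: %{name}-gui = %{version}-%{release}`. The relocated `%global` block above them is a pure move, but it keeps the hard-coded `python3.9` venv path, which deserves a comment such as `# el9 ships python3.9; update venv_lib if the platform python changes`.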
@@ -117,21 +149,12 @@ Requires: gnome-icon-theme Requires: webkit2gtk3 Requires: mesa-dri-drivers -%global module fapolicy_analyzer - -%global venv_dir %{_builddir}/vendor-py -%global venv_py3 %{venv_dir}/bin/python3 -%global venv_lib %{venv_dir}/lib/python3.9/site-packages -%global venv_install %{venv_py3} -m pip install --find-links=%{_sourcedir} --no-index --quiet - -# pep440 versions handle dev and rc differently, so we call them out explicitly here -%global module_version %{lua: v = string.gsub(rpm.expand("%{?version}"), "~dev", ".dev"); \ - v = string.gsub(v, "~rc", "rc"); print(v) } - -%description -Tools to assist with the configuration and management of fapolicyd. +%description gui +GUI Tools to assist with the configuration and management of fapolicyd. %prep + +%if %{with gui} # setuptools-rust is not available as a package. installing it requires # upgrades of pip, setuptools, wheel, and some transient dependencies. # install these to a virtual environment to isolate changes, and @@ -166,6 +189,7 @@ CARGO_REG_DIR=%{_builddir}/vendor-rs mkdir -p ${CARGO_REG_DIR} for d in %{cargo_registry}/*; do ln -sf ${d} ${CARGO_REG_DIR} || true; done tar -xzf %{SOURCE2} -C ${CARGO_REG_DIR} --skip-old-files --strip-components=2 +%endif %cargo_prep -v ${CARGO_REG_DIR} @@ -173,8 +197,10 @@ tar -xzf %{SOURCE2} -C ${CARGO_REG_DIR} --skip-old-files --strip-components=2 rm Cargo.lock +%if %{without cli} # disable the dev-tools crate sed -i '/tools/d' Cargo.toml +%endif # extract our doc sourcs tar xvzf %{SOURCE1} 
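Review bot: The `+%endif` closing the `%if %{with gui}` opened at the top of `%prep` lands after the `CARGO_REG_DIR` setup and the `tar -xzf %{SOURCE2}` extraction of the vendored crates, so a `--without gui` build never creates the registry and then runs `%cargo_prep -v ${CARGO_REG_DIR}` with an empty path, leaving the `cargo build --bin tdb` in `%build` with no crates to resolve. The lines between the two `%prep` hunks are not shown, so this holds unless the conditional is closed and reopened there. Move the `%endif` to directly after the venv/setuptools-rust installation so `CARGO_REG_DIR=%{_builddir}/vendor-rs` and the extraction run unconditionally; the CLI build needs them as much as the wheel build does.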
@@ -190,11 +216,24 @@ scripts/build-info.py --os --time # ensure standard Rust compiler flags are set export RUSTFLAGS="%{build_rustflags}" +%if %{with cli} +cargo build --bin tdb --release +%endif + +%if %{with gui} %{venv_py3} setup.py compile_catalog -f %{venv_py3} help build %{venv_py3} setup.py bdist_wheel +%endif + %install + +%if %{with cli} +install -D target/release/tdb %{buildroot}/%{_sbindir}/%{name}-trust +%endif + +%if %{with gui} %{py3_install_wheel %{module}-%{module_version}*%{_target_cpu}.whl} %{python3} help install --dest %{buildroot}/%{_datadir}/help install -D bin/%{name} %{buildroot}/%{_sbindir}/%{name} @@ -202,19 +241,27 @@ install -D data/%{name}.8 -t %{buildroot}/%{_mandir}/man8/ desktop-file-install data/%{name}.desktop find locale -name %{name}.mo -exec cp --parents -rv {} %{buildroot}/%{_datadir} \; %find_lang %{name} --with-gnome +%endif %check +%if %{with gui} desktop-file-validate %{buildroot}/%{_datadir}/applications/%{name}.desktop +%endif -%files -n %{name} -f %{name}.lang -%doc scripts/srpm/README -%license LICENSE +%files cli +%attr(755,root,root) %{_sbindir}/%{name}-trust + +%files gui %{python3_sitearch}/%{module} %{python3_sitearch}/%{module}-%{module_version}* %attr(755,root,root) %{_sbindir}/%{name} %attr(644,root,root) %{_mandir}/man8/%{name}.8* %attr(755,root,root) %{_datadir}/applications/%{name}.desktop +%files -f %{name}.lang +%doc scripts/srpm/README +%license LICENSE + %changelog * Sun Jul 28 2024 John Wass 1.4.0-1 - New release diff --git a/scripts/srpm/vendor-rs.sh b/scripts/srpm/vendor-rs.sh index 7eb1ddd5f..d94105b6c 100755 --- a/scripts/srpm/vendor-rs.sh +++ b/scripts/srpm/vendor-rs.sh @@ -30,6 +30,7 @@ case $id in echo "fedora: vendoring packages" mkdir -p ${vendor_dest} cp -r /usr/share/cargo/registry/* ${vendor_dest} + find ${vendor_dest} -type d -exec touch {}/README.md \; ;; ubuntu)
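Review bot: `%files -f %{name}.lang` on the metapackage depends on `%find_lang`, which this hunk places inside `%if %{with gui}`, so building `--without gui` fails at `%files` because `%{name}.lang` is never written. Move the lang file to the subpackage that ships the UI, `%files gui -f %{name}.lang`, and add `%license LICENSE` to both `%files cli` and `%files gui`, since each can be installed without the metapackage that now carries the license. This is the same layout problem as in the Fedora spec earlier in this change, so fix both together.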
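Review bot: The added `find ${vendor_dest} -type d -exec touch {}/README.md \;` creates an empty `README.md` in every directory of the copied registry, including nested `src/` trees, with no comment saying why. If this is presumably a workaround for crates whose `Cargo.toml` references a `readme` file that the Fedora registry package omits, say so and restrict it to crate roots, e.g. `find "${vendor_dest}" -mindepth 1 -maxdepth 1 -type d -exec touch {}/README.md \;`, preceded by `# some crates declare readme = "README.md" but Fedora's registry omits it; provide an empty stand-in so cargo does not fail on the missing file — TODO confirm which crates need this`. Also quote `"${vendor_dest}"` here and in the `mkdir`/`cp` lines above it: if the variable is ever unset, `find` walks the current directory instead.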