import nbdkit-1.40.4-1.el10

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/libguestfs.keyring
+SOURCES/nbdkit-1.40.4.tar.gz

.nbdkit.metadata

@@ -0,0 +1,2 @@
+cc1b37b9cfafa515aab3eefd345ecc59aac2ce7b SOURCES/libguestfs.keyring
+b2efd184db679430aa17e70f69077fff4df7f7dd SOURCES/nbdkit-1.40.4.tar.gz

SOURCES/copy-patches.sh

@@ -0,0 +1,55 @@
+#!/bin/bash -
+
+set -e
+
+# Maintainer script to copy patches from the git repo to the current
+# directory.  Use it like this:
+#   ./copy-patches.sh
+
+rhel_version=10.0
+
+# Check we're in the right directory.
+if [ ! -f nbdkit.spec ]; then
+    echo "$0: run this from the directory containing 'nbdkit.spec'"
+    exit 1
+fi
+
+git_checkout=$HOME/d/nbdkit-rhel-$rhel_version
+if [ ! -d $git_checkout ]; then
+    echo "$0: $git_checkout does not exist"
+    echo "This script is only for use by the maintainer when preparing a"
+    echo "nbdkit release on RHEL."
+    exit 1
+fi
+
+# Get the base version of nbdkit.
+version=`grep '^Version:' nbdkit.spec | awk '{print $2}'`
+tag="v$version"
+
+# Remove any existing patches.
+git rm -f [0-9]*.patch ||:
+rm -f [0-9]*.patch
+
+# Get the patches.
+(cd $git_checkout; rm -f [0-9]*.patch; git format-patch -N $tag)
+mv $git_checkout/[0-9]*.patch .
+
+# Remove any not to be applied.
+rm -f *NOT-FOR-RPM*.patch
+
+# Add the patches.
+git add [0-9]*.patch
+
+# Print out the patch lines.
+echo
+echo "--- Copy the following text into nbdkit.spec file"
+echo
+
+echo "# Patches."
+for f in [0-9]*.patch; do
+    n=`echo $f | awk -F- '{print $1}'`
+    echo "Patch$n:     $f"
+done
+
+echo
+echo "--- End of text"

SOURCES/nbdkit-1.40.4.tar.gz.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAmb3G0QRHHJpY2hAYW5u
+ZXhpYS5vcmcACgkQkXOPc+G3aKBAohAAmJ03Ebg70A6EiKf2HCI1rLC5emLCzwX+
+6YihoD7lFoYh8LPNfg7WCfG8WlrHS3kgb7zIRaqVYn5HWWs/vNAU2+R8uoHoRETe
+hvAZZuXKxDkgNM5CYT7G6sGXQnh5Gn/XNo45oypHFh/vupkjEj5KtgRHkBFivut9
+/fe9JC2IW22FhyuK3XD0zf4tI2m78bLdE4S/tyWuHSGks1cJy5oq03qOkOwFUNOb
+xPvMkPepLClxmgr5fWuKt2A4K/EgrnBOtEvT+lAfI70J12Yiz19VdKK4AV3kBfOm
+U9LrDa6jOCtEkO9leiWUl7LguzyqCsI8r/72OC+Ub/RIIqDqh7tQi7ZwcdvJCZb7
+ZtIY43/XeqFtLXh8D//FpcBwdu9O8h81aTH2s/5QaIUPoY3jCTY+3r5ENv1793YB
+Ar6uWRXt6ID4TaFWO9gPJ4+J0qJJwK39K1CmvA72xn2wBTzoZMp1DEt8Jh/Dnnnp
+74yqhisWXN4ZH+sXKhmSuDl37B0zjRtrGQltTEdcSykh2Gr92f89v87FcUh9PFrj
+cq+hjzoYNQWsjutgKEuqwSM1wmeFOok81fKfwAFqqt+damw7vSUyCXDidh8FDgHC
+l2EwibvKWAQzB+ywqRxP0cekhqqY2WEqW0JFNMLMvJRFOdwooSjB03kwTMQj7/42
+01UYnKoT2u4=
+=7H2+
+-----END PGP SIGNATURE-----

SOURCES/nbdkit-find-provides

@@ -0,0 +1,23 @@
+#!/bin/bash -
+
+# Generate RPM provides automatically for nbdkit packages and filters.
+# Copyright (C) 2009-2022 Red Hat Inc.
+
+# To test:
+# find /usr/lib64/nbdkit/plugins | ./nbdkit-find-provides VER REL
+# find /usr/lib64/nbdkit/filters | ./nbdkit-find-provides VER REL
+
+ver="$1"
+rel="$2"
+
+function process_file
+{
+    if [[ $1 =~ /plugins/nbdkit-.*-plugin ]] ||
+       [[ $1 =~ /filters/nbdkit-.*-filter ]]; then
+        echo "Provides:" "$(basename $1 .so)" "=" "$ver-$rel"
+    fi
+}
+
+while read line; do
+    process_file "$line"
+done

SOURCES/nbdkit.attr

@@ -0,0 +1,3 @@
+%__nbdkit_provides %{_rpmconfigdir}/nbdkit-find-provides %{version} %{release}
+%__nbdkit_path     %{_libdir}/nbdkit/(plugins|filters)/nbdkit-.*-(plugin|filter)(\.so)?$
+%__nbdkit_flags    exeonly

SOURCES/nbdkit.fc

@@ -0,0 +1,3 @@
+/usr/sbin/nbdkit	 --    gen_context(system_u:object_r:nbdkit_exec_t,s0)
+
+/usr/lib/systemd/system/nbdkit.*	gen_context(system_u:object_r:nbdkit_unit_file_t,s0)

SOURCES/nbdkit.if

@@ -0,0 +1,207 @@
+## <summary>policy for nbdkit</summary>
+
+########################################
+## <summary>
+##    Execute nbdkit_exec_t in the nbdkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##    Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nbdkit_domtrans',`
+	gen_require(`
+		type nbdkit_t, nbdkit_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
+')
+
+######################################
+## <summary>
+##    Execute nbdkit in the caller domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed access.
+##    </summary>
+## </param>
+#
+interface(`nbdkit_exec',`
+	gen_require(`
+		type nbdkit_exec_t;
+	')
+    
+	corecmd_search_bin($1)
+	can_exec($1, nbdkit_exec_t)
+')
+
+########################################
+## <summary>
+##    Execute nbdkit in the nbdkit domain, and
+##    allow the specified role the nbdkit domain.
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed to transition
+##    </summary>
+## </param>
+## <param name="role">
+##    <summary>
+##    The role to be allowed the nbdkit domain.
+##    </summary>
+## </param>
+#
+interface(`nbdkit_run',`
+	gen_require(`
+		type nbdkit_t;
+		attribute_role nbdkit_roles;
+	')
+
+	nbdkit_domtrans($1)
+	roleattribute $2 nbdkit_roles;
+')
+
+########################################
+## <summary>
+##    Role access for nbdkit
+## </summary>
+## <param name="role">
+##    <summary>
+##    Role allowed access
+##    </summary>
+## </param>
+## <param name="domain">
+##    <summary>
+##    User domain for the role
+##    </summary>
+## </param>
+#
+interface(`nbdkit_role',`
+	gen_require(`
+		type nbdkit_t;
+		attribute_role nbdkit_roles;
+	')
+
+	roleattribute $1 nbdkit_roles;
+
+	nbdkit_domtrans($2)
+
+	ps_process_pattern($2, nbdkit_t)
+	allow $2 nbdkit_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+##	Allow attempts to connect to nbdkit
+##	with a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`nbdkit_stream_connect',`
+	gen_require(`
+		type nbdkit_t;
+	')
+
+	allow $1 nbdkit_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##      Allow nbdkit_exec_t to be an entrypoint
+##      of the specified domain
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nbdkit_entrypoint',`
+        gen_require(`
+                type nbdkit_exec_t;
+        ')
+        allow $1 nbdkit_exec_t:file entrypoint;
+')
+
+# ----------------------------------------------------------------------
+# RWMJ: See:
+# https://issues.redhat.com/browse/RHEL-5174?focusedId=23387259&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23387259
+# Remove this when virt.if gets updated.
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+########################################
+## <summary>
+##      Read and write to svirt_image dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+ifndef(`virt_rw_svirt_image_dirs',`
+	interface(`virt_rw_svirt_image_dirs',`
+		gen_require(`
+			type svirt_image_t;
+		')
+
+		allow $1 svirt_image_t:dir rw_dir_perms;
+	')
+')
+
+########################################
+## <summary>
+##      Create svirt_image sock_files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+ifndef(`virt_create_svirt_image_sock_files',`
+	interface(`virt_create_svirt_image_sock_files',`
+		gen_require(`
+			type svirt_image_t;
+		')
+
+		allow $1 svirt_image_t:sock_file create_sock_file_perms;
+	')
+')
+
+########################################
+## <summary>
+## 	Read and write virtlogd pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+ifndef(`virtlogd_rw_pipes',`
+	interface(`virtlogd_rw_pipes',`
+	        gen_require(`
+	                type virtlogd_t;
+	        ')
+
+	        allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
+	')
+')

SOURCES/nbdkit.te

@@ -0,0 +1,100 @@
+policy_module(nbdkit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+    type unconfined_t;
+')
+
+type nbdkit_t;
+type nbdkit_exec_t;
+application_domain(nbdkit_t, nbdkit_exec_t)
+mcs_constrained(nbdkit_t)
+role system_r types nbdkit_t;
+
+type nbdkit_home_t;
+userdom_user_home_content(nbdkit_home_t)
+
+type nbdkit_tmp_t;
+files_tmp_file(nbdkit_tmp_t)
+
+type nbdkit_unit_file_t;
+systemd_unit_file(nbdkit_unit_file_t)
+
+permissive nbdkit_t;
+
+########################################
+#
+# nbdkit local policy
+#
+allow nbdkit_t self:capability { setgid setuid };
+allow nbdkit_t self:fifo_file rw_fifo_file_perms;
+allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
+allow nbdkit_t self:process { fork setsockcreate signal_perms };
+allow nbdkit_t self:tcp_socket create_stream_socket_perms;
+allow nbdkit_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t) 
+userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
+
+manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t) 
+userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
+
+corenet_tcp_connect_http_port(nbdkit_t)
+corenet_tcp_connect_ssh_port(nbdkit_t)
+corenet_tcp_connect_tftp_port(nbdkit_t)
+corenet_tcp_bind_generic_port(nbdkit_t)
+corenet_tcp_bind_generic_node(nbdkit_t)
+
+domain_use_interactive_fds(nbdkit_t)
+
+files_read_etc_files(nbdkit_t)
+
+init_abstract_socket_activation(nbdkit_t)
+init_ioctl_stream_sockets(nbdkit_t)
+init_rw_stream_sockets(nbdkit_t)
+
+optional_policy(`
+	auth_use_nsswitch(nbdkit_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(nbdkit_t)
+')
+
+optional_policy(`
+	miscfiles_read_localization(nbdkit_t)
+	miscfiles_read_generic_certs(nbdkit_t)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(nbdkit_t)
+	sysnet_read_config(nbdkit_t)
+')
+
+optional_policy(`
+	userdom_read_user_home_content_files(nbdkit_t)
+	userdom_use_inherited_user_ptys(nbdkit_t)
+')
+
+optional_policy(`
+	virt_create_svirt_image_sock_files(nbdkit_t)
+	virt_read_qemu_pid_files(nbdkit_t)
+	virtlogd_rw_pipes(nbdkit_t)
+	virt_rw_svirt_image(nbdkit_t)
+	virt_rw_svirt_image_dirs(nbdkit_t)
+	virt_search_lib(nbdkit_t)
+	virt_stream_connect_svirt(nbdkit_t)
+')
+
+
+# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to 
+# nbdkit_t when libvirtd was started manually from the commandline (i.e. in 
+# unconfined_t), but we don't want this transition to happen automatically 
+# when starting directly from the shell. I'm not sure how to achieve this...  
+#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)