Package snapd: Specfile

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
%define _unpackaged_files_terminate_build 1
%define _localstatedir %_var

%def_disable check
%def_without test_keys
%def_without selinux

%global provider        github
%global provider_tld    com
%global project         snapcore
%global repo            snapd
# https://github.com/snapcore/snapd
%global provider_prefix %provider.%provider_tld/%project/%repo
%global import_path     %provider_prefix

%global snappy_svcs      snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service snapd.mounts.target snapd.mounts-pre.target
%global snappy_user_svcs snapd.session-agent.service snapd.session-agent.socket

# Until we have a way to add more extldflags to gobuild macro...
%define gobuild_static(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '${LDFLAGS:-} -static'" -a -v -x %{?**};

%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '${LDFLAGS:-}'" -a -v -x %{?**};

# Compat path macros
%{!?_environmentdir: %global _environmentdir /lib/environment.d}
%{!?_systemdgeneratordir: %global _systemdgeneratordir /lib/systemd/system-generators}
%{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir /lib/systemd/system-environment-generators}
%{!?_tmpfilesdir: %global _tmpfilesdir /lib/tmpfiles.d}
#%%define _libexecdir %%_prefix/libexec

Name: snapd
Version: 2.59.1
Release: alt1.2
Summary: A transactional software package manager
License: GPLv3
Group: System/Configuration/Other
Url: https://%provider_prefix
Source0: https://%provider_prefix/releases/download/%version/%{name}_%version.no-vendor.tar.xz
Source1: https://%provider_prefix/releases/download/%version/%{name}_%version.only-vendor.tar.xz
Patch3500: snapd-loongarch64.patch

ExclusiveArch: %go_arches
BuildRequires(pre): rpm-build-golang rpm-build-systemd
BuildRequires: libsystemd-devel
# for generate manpages
BuildRequires: /proc
Requires: snap-confine = %EVR
Requires: squashfs-tools

#Requires: squashfuse fuse

%if_with selinux
# Force the SELinux module to be installed
Requires: %name-selinux = %version-%release
%endif

%description
Snappy is a modern, cross-distribution, transactional package manager
designed for working with self-contained, immutable packages.

%package -n snap-confine
Summary: Confinement system for snap applications
Group: System/Configuration/Other
License: GPLv3
BuildRequires: gettext
BuildRequires: gnupg
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libseccomp)
%if_with selinux
BuildRequires: pkgconfig(libselinux)
%endif
BuildRequires: pkgconfig(libudev)
BuildRequires: pkgconfig(systemd)
BuildRequires: pkgconfig(udev)
BuildRequires: libxfs-devel
BuildRequires: glibc-devel-static
BuildRequires: %_bindir/rst2man
%if_enabled check
BuildRequires: %_bindir/shellcheck
%endif

%description -n snap-confine
This package is used internally by snapd to apply confinement to
the started snap applications.

%if_with selinux
%package selinux
Summary: SELinux module for snapd
License: GPLv2+
Group: System/Configuration/Other
BuildArch: noarch
BuildRequires: selinux-policy, selinux-policy-devel
Requires(post): selinux-policy-base
Requires(post): policycoreutils
Requires:  libselinux-utils

%description selinux
This package provides the SELinux policy module to ensure snapd
runs properly under an environment with SELinux enabled.
%endif

%prep
%setup -D -b 1
%patch3500 -p1

# We don't want/need squashfuse in the rpm
sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
# We don't need the snapcore fork for bolt - it is just a fix on ppc
#sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go

sed -e "s:/usr/lib/environment.d/:/lib/environment.d/:g" -i data/systemd-env/Makefile
sed -e 's:${prefix}/lib/systemd/system-environment-generators:/lib/systemd/system-environment-generators:g' -i cmd/configure.ac

%build
# Build snapd
mkdir -p src/github.com/snapcore
ln -s ../../../ src/github.com/snapcore/snapd

#export BUILDDIR="$PWD/.gopath"
#export GOPATH="$BUILDDIR:%go_path"

export IMPORT_PATH="%import_path"
export GOPATH=$(pwd):%go_path
export GO111MODULE=off

# Generate version files
./mkversion.sh "%version-%release"

BUILDTAGS="nosecboot"

# We have to build snapd first to prevent the build from
# building various things from the tree without additional
# set tags.
%gobuild -o bin/snapd $GOFLAGS %import_path/cmd/snapd
BUILDTAGS="${BUILDTAGS} nomanagers"
%gobuild -o bin/snap $GOFLAGS %import_path/cmd/snap
%gobuild -o bin/snap-failure $GOFLAGS %import_path/cmd/snap-failure

# To ensure things work correctly with base snaps,
# snap-exec, snap-update-ns, and snapctl need to be built statically
%gobuild_static -o bin/snap-exec $GOFLAGS %import_path/cmd/snap-exec
%gobuild_static -o bin/snap-update-ns $GOFLAGS %import_path/cmd/snap-update-ns
%gobuild_static -o bin/snapctl $GOFLAGS %import_path/cmd/snapctl

%ifarch %ix86
export CGO_CFLAGS="$CGO_CFLAGS -fno-stack-protector"
%endif
%gobuild -o bin/snap-seccomp $GOFLAGS %import_path/cmd/snap-seccomp

%if_with selinux
    # Build SELinux module
    cd ./data/selinux
    # pass M4PARAM in env instead of as an override, so that make can still
    # manipulate it freely, for more details see:
    # https://www.gnu.org/software/make/manual/html_node/Override-Directive.html
    M4PARAM="$M4PARAM" make SHARE="%_datadir" TARGETS="snappy"
%endif

# Build snap-confine
pushd ./cmd
%autoreconf
# FIXME: add --enable-caps-over-setuid as soon as possible (setuid discouraged!)
%configure \
    --disable-apparmor \
%if_with selinux
    --enable-selinux \
%endif
    --libexecdir=%_libexecdir/snapd/ \
    --enable-nvidia-biarch \
    %if %_lib == lib64
    --with-32bit-libdir=%prefix/lib \
    %endif
    --with-snap-mount-dir=%_sharedstatedir/snapd/snap

%make_build
popd

# Build systemd units, dbus services, and env files
pushd ./data
make BINDIR="%_bindir" LIBEXECDIR="%_libexecdir" DATADIR="%_datadir" \
     SYSTEMDSYSTEMUNITDIR="%_unitdir" SYSTEMDUSERUNITDIR="%_userunitdir" \
     TMPFILESDIR="%_tmpfilesdir" \
     SNAP_MOUNT_DIR="%_sharedstatedir/snapd/snap" \
     SNAPD_ENVIRONMENT_FILE="%_sysconfdir/sysconfig/snapd"
popd

%install
install -d -p %buildroot%_bindir
install -d -p %buildroot%_libexecdir/snapd
install -d -p %buildroot%_man8dir
install -d -p %buildroot%_environmentdir
install -d -p %buildroot%_systemdgeneratordir
install -d -p %buildroot%_systemd_system_env_generator_dir
install -d -p %buildroot%_tmpfilesdir
install -d -p %buildroot%_unitdir
install -d -p %buildroot%_userunitdir
install -d -p %buildroot%_sysconfdir/profile.d
install -d -p %buildroot%_sysconfdir/sysconfig
install -d -p %buildroot%_sharedstatedir/snapd/assertions
install -d -p %buildroot%_sharedstatedir/snapd/cookie
install -d -p %buildroot%_sharedstatedir/snapd/dbus-1/services
install -d -p %buildroot%_sharedstatedir/snapd/dbus-1/system-services
install -d -p %buildroot%_sharedstatedir/snapd/desktop/applications
install -d -p %buildroot%_sharedstatedir/snapd/device
install -d -p %buildroot%_sharedstatedir/snapd/hostfs
install -d -p %buildroot%_sharedstatedir/snapd/inhibit
install -d -p %buildroot%_sharedstatedir/snapd/lib/gl
install -d -p %buildroot%_sharedstatedir/snapd/lib/gl32
install -d -p %buildroot%_sharedstatedir/snapd/lib/glvnd
install -d -p %buildroot%_sharedstatedir/snapd/lib/vulkan
install -d -p %buildroot%_sharedstatedir/snapd/mount
install -d -p %buildroot%_sharedstatedir/snapd/seccomp/bpf
install -d -p %buildroot%_sharedstatedir/snapd/snaps
install -d -p %buildroot%_sharedstatedir/snapd/snap/bin
install -d -p %buildroot%_cachedir
install -d -p %buildroot%_cachedir/snapd
install -d -p %buildroot%_datadir/polkit-1/actions
%if_with selinux
install -d -p %buildroot%_datadir/selinux/devel/include/contrib
install -d -p %buildroot%_datadir/selinux/packages
%endif

# Install snap and snapd
install -p -m 0755 bin/snap %buildroot%_bindir
install -p -m 0755 bin/snap-exec %buildroot%_libexecdir/snapd
install -p -m 0755 bin/snap-failure %buildroot%_libexecdir/snapd
install -p -m 0755 bin/snapd %buildroot%_libexecdir/snapd
install -p -m 0755 bin/snap-update-ns %buildroot%_libexecdir/snapd
install -p -m 0755 bin/snap-seccomp %buildroot%_libexecdir/snapd
# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
install -p -m 0755 bin/snapctl %buildroot%_libexecdir/snapd/snapctl
ln -sfr %buildroot%_libexecdir/snapd/snapctl %buildroot%_bindir/snapctl

%if_with selinux
# Install SELinux module
install -p -m 0644 data/selinux/snappy.if %buildroot%_datadir/selinux/devel/include/contrib
install -p -m 0644 data/selinux/snappy.pp.bz2 %buildroot%_datadir/selinux/packages
%endif

# Install snap(8) man page
bin/snap help --man > %buildroot%_mandir/man8/snap.8

# Install the "info" data file with snapd version
install -m 644 -D data/info %buildroot%_libexecdir/snapd/info

# Install bash completion for "snap"
install -m 644 -D data/completion/bash/snap %buildroot%_datadir/bash-completion/completions/snap
install -m 644 -D data/completion/bash/complete.sh %buildroot%_libexecdir/snapd
install -m 644 -D data/completion/bash/etelpmoc.sh %buildroot%_libexecdir/snapd
# Install zsh completion for "snap"
install -d -p %buildroot%_datadir/zsh/site-functions
install -m 644 -D data/completion/zsh/_snap %buildroot%_datadir/zsh/site-functions/_snap

# Install snap-confine
pushd cmd
%makeinstall_std
# Undo the 0111 permissions, they are restored in the files section
chmod 0755 %buildroot%_sharedstatedir/snapd/void
# We don't use AppArmor
rm -rfv %buildroot%_sysconfdir/apparmor.d
# ubuntu-core-launcher is dead
rm -fv %buildroot%_bindir/ubuntu-core-launcher
popd

# Install all systemd and dbus units, and env files
pushd data
%makeinstall_std BINDIR="%_bindir" LIBEXECDIR="%_libexecdir" DATADIR="%_datadir" \
              SYSTEMDSYSTEMUNITDIR="%_unitdir" SYSTEMDUSERUNITDIR="%_userunitdir" \
              TMPFILESDIR="%_tmpfilesdir" \
              SNAP_MOUNT_DIR="%_sharedstatedir/snapd/snap" \
              SNAPD_ENVIRONMENT_FILE="%_sysconfdir/sysconfig/snapd"
popd

# Remove snappy core specific units
rm -fv %buildroot%_unitdir/snapd.system-shutdown.service
rm -fv %buildroot%_unitdir/snapd.snap-repair.*
rm -fv %buildroot%_unitdir/snapd.core-fixup.*
rm -fv %buildroot%_unitdir/snapd.recovery-chooser-trigger.service

# Remove snappy core specific scripts and binaries
rm -f %buildroot%_libexecdir/snapd/snapd.core-fixup.sh
rm -f %buildroot%_libexecdir/snapd/system-shutdown

# Remove snapd apparmor service
rm -f %buildroot%_unitdir/snapd.apparmor.service
rm -f %buildroot%_libexecdir/snapd/snapd-apparmor

# Remove prompt services
rm %buildroot%_unitdir/snapd.aa-prompt-listener.service
rm %buildroot%_userunitdir/snapd.aa-prompt-ui.service
rm %buildroot%_datadir/dbus-1/services/io.snapcraft.Prompt.service

# Install Polkit configuration
install -m 644 -D data/polkit/io.snapcraft.snapd.policy %buildroot%_datadir/polkit-1/actions

# Disable re-exec by default
echo 'SNAP_REEXEC=0' > %buildroot%_sysconfdir/sysconfig/snapd

# Create state.json and the README file to be ghosted
touch %buildroot%_sharedstatedir/snapd/state.json
touch %buildroot%_sharedstatedir/snapd/snap/README

# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
%if_with snap_symlink
ln -sr %buildroot%_sharedstatedir/snapd/snap %buildroot/snap
%endif

%check
for binary in snap-exec snap-update-ns snapctl; do
    ldd bin/$binary 2>&1 | grep 'not a dynamic executable'
done

# snapd tests
export IMPORT_PATH="%import_path"
export GOPATH=$(pwd):%go_path
export GO111MODULE=off
%gotest %import_path/...

# snap-confine tests (these always run!)
pushd ./cmd
make check
popd

%post
%systemd_post %snappy_svcs
%systemd_user_post %snappy_user_svcs

# If install, test if snapd socket and timer are enabled.
# If enabled, then attempt to start them. This will silently fail
# in chroots or other environments where services aren't expected
# to be started.
if [ $1 -eq 1 ] ; then
   if systemctl -q is-enabled snapd.socket > /dev/null 2>&1 ; then
      systemctl start snapd.socket > /dev/null 2>&1 || :
   fi
fi

%preun
%systemd_preun %snappy_svcs
%systemd_user_preun %snappy_user_svcs

# Remove all Snappy content if snapd is being fully uninstalled
if [ $1 -eq 0 ]; then
   %_libexecdir/snapd/snap-mgmt --purge || :
fi

%postun
%systemd_postun_with_restart %snappy_svcs
%systemd_user_postun_with_restart %snappy_user_svcs

%if_with selinux
%pre selinux
%selinux_relabel_pre

%post selinux
%selinux_modules_install %_datadir/selinux/packages/snappy.pp.bz2
%selinux_relabel_post

%postun selinux
%selinux_modules_uninstall snappy
if [ $1 -eq 0 ]; then
    %selinux_relabel_post
fi
%endif

%files
%doc README.md docs/*
%_bindir/snap
%_bindir/snapctl
%_environmentdir/990-snapd.conf
%dir %_libexecdir/snapd
%_libexecdir/snapd/snapctl
%_libexecdir/snapd/snapd
%_libexecdir/snapd/snap-exec
%_libexecdir/snapd/snap-failure
%_libexecdir/snapd/info
%_libexecdir/snapd/snap-mgmt
%if_with selinux
%_libexecdir/snapd/snap-mgmt-selinux
%endif
%_mandir/man8/snap.8*
%_datadir/applications/snap-handle-link.desktop
%_datadir/bash-completion/completions/snap
%_libexecdir/snapd/complete.sh
%_libexecdir/snapd/etelpmoc.sh
%_datadir/zsh/site-functions/_snap
%_libexecdir/snapd/snapd.run-from-snap
%attr(0755,root,root) %_sysconfdir/profile.d/snapd.sh
%_mandir/man8/snapd-env-generator.8*
%_systemd_system_env_generator_dir/snapd-env-generator
%_datadir/fish/vendor_conf.d/snapd.fish
%_datadir/snapd/snapcraft-logo-bird.svg
%_unitdir/snapd.socket
%_unitdir/snapd.service
%_unitdir/snapd.autoimport.service
%_unitdir/snapd.failure.service
%_unitdir/snapd.seeded.service
%_unitdir/snapd.mounts.target
%_unitdir/snapd.mounts-pre.target
%_userunitdir/snapd.session-agent.service
%_userunitdir/snapd.session-agent.socket
%_tmpfilesdir/snapd.conf
%_datadir/dbus-1/services/io.snapcraft.Launcher.service
%_datadir/dbus-1/services/io.snapcraft.SessionAgent.service
%_datadir/dbus-1/services/io.snapcraft.Settings.service
%_datadir/dbus-1/session.d/snapd.session-services.conf
%_datadir/dbus-1/system.d/snapd.system-services.conf
%_datadir/polkit-1/actions/io.snapcraft.snapd.policy
%_datadir/applications/io.snapcraft.SessionAgent.desktop
%_sysconfdir/xdg/autostart/snap-userd-autostart.desktop
%config(noreplace) %_sysconfdir/sysconfig/snapd
%dir %_sharedstatedir/snapd
%dir %_sharedstatedir/snapd/assertions
%dir %_sharedstatedir/snapd/cookie
%dir %_sharedstatedir/snapd/dbus-1
%dir %_sharedstatedir/snapd/dbus-1/services
%dir %_sharedstatedir/snapd/dbus-1/system-services
%dir %_sharedstatedir/snapd/desktop
%dir %_sharedstatedir/snapd/desktop/applications
%dir %_sharedstatedir/snapd/device
%dir %_sharedstatedir/snapd/hostfs
%dir %_sharedstatedir/snapd/inhibit
%dir %_sharedstatedir/snapd/lib
%dir %_sharedstatedir/snapd/lib/gl
%dir %_sharedstatedir/snapd/lib/gl32
%dir %_sharedstatedir/snapd/lib/glvnd
%dir %_sharedstatedir/snapd/lib/vulkan
%dir %_sharedstatedir/snapd/mount
%dir %_sharedstatedir/snapd/seccomp
%dir %_sharedstatedir/snapd/seccomp/bpf
%dir %_sharedstatedir/snapd/snaps
%dir %_sharedstatedir/snapd/snap
%ghost %dir %_sharedstatedir/snapd/snap/bin
%dir %_cachedir/snapd
%ghost %_sharedstatedir/snapd/state.json
%ghost %_sharedstatedir/snapd/snap/README
%if_with snap_symlink
/snap
%endif

%files -n snap-confine
%doc cmd/snap-confine/PORTING
%dir %_libexecdir/snapd
# For now, we can't use caps
# FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
%attr(4711,root,root) %_libexecdir/snapd/snap-confine
%_libexecdir/snapd/snap-device-helper
%_libexecdir/snapd/snap-discard-ns
%_libexecdir/snapd/snap-gdb-shim
%_libexecdir/snapd/snap-gdbserver-shim
%_libexecdir/snapd/snap-seccomp
%_libexecdir/snapd/snap-update-ns
%_mandir/man8/snap-confine.8*
%_mandir/man8/snap-discard-ns.8*
%_systemdgeneratordir/snapd-generator
%attr(0711,root,root) %_sharedstatedir/snapd/void

%if_with selinux
%files selinux
%doc data/selinux/COPYING
%doc data/selinux/README.md
%_datadir/selinux/packages/snappy.pp.bz2
%_datadir/selinux/devel/include/contrib/snappy.if
%endif

%changelog
* Tue Mar 12 2024 Alexey Sheplyakov <asheplyakov@altlinux.org> 2.59.1-alt1.2
- NMU: fixed FTBFS on LoongArch

* Thu Aug 31 2023 Ivan A. Melnikov <iv@altlinux.org> 2.59.1-alt1.1
- NMU: mark shellcheck as check-only BR

* Mon Apr 17 2023 Alexey Shabalin <shaba@altlinux.org> 2.59.1-alt1
- 2.59.1

* Wed Mar 22 2023 Alexey Shabalin <shaba@altlinux.org> 2.58.3-alt1
- 2.58.3

* Wed Dec 21 2022 Alexey Shabalin <shaba@altlinux.org> 2.58-alt1
- 2.58 (Fixes: CVE 2022-3328)

* Mon Jun 06 2022 Alexey Shabalin <shaba@altlinux.org> 2.56-alt1
- 2.56

* Sun Feb 20 2022 Alexey Shabalin <shaba@altlinux.org> 2.54.3-alt1
- 2.54.3 (Fixes: CVE-2021-44730, CVE-2021-44731, CVE-2021-4120)

* Sat Dec 25 2021 Alexey Shabalin <shaba@altlinux.org> 2.54.1-alt1
- 2.54.1
- /etc/profile.d/snapd.sh: made executable (ALT #41625)

* Wed Dec 15 2021 Alexey Shabalin <shaba@altlinux.org> 2.53.4-alt1
- 2.53.4
- Add altlinux support (ALT #41518)

* Mon Nov 01 2021 Alexey Shabalin <shaba@altlinux.org> 2.53.1-alt1
- 2.53.1.

* Thu Sep 02 2021 Alexey Shabalin <shaba@altlinux.org> 2.51.7-alt1
- 2.51.7.

* Mon Aug 23 2021 Alexey Shabalin <shaba@altlinux.org> 2.51.6-alt1
- Initial build for ALT