Merge for Mariner 2.0 Dec 2023 Monthly Update. (#6878)

Author: jslobodzian

.pipelines/templates/PackageBuild.yml

@@ -62,6 +62,10 @@ parameters:
       - "false"
       - "true"
 
+  - name: maxCascadingRebuilds
+    type: string
+    default: ""
+
   - name: outputArtifactsFolder
     type: string
     default: "$(Build.ArtifactStagingDirectory)"
@@ -146,6 +150,7 @@ steps:
             echo "ERROR: toolchain archive not found!" >&2
             exit 1
           fi
+          echo "##vso[task.setvariable variable=toolchainArchive]$toolchain_archive"
 
           sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive"
         displayName: "Populate toolchain"
@@ -192,18 +197,24 @@ steps:
         use_ccache_arg="USE_CCACHE=n"
       fi
 
+      if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
+        toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
+      fi
+
       sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" build-packages -j$(nproc) \
         CONCURRENT_PACKAGE_BUILDS=${{ parameters.concurrentPackageBuilds }} \
         CONFIG_FILE="" \
+        MAX_CASCADING_REBUILDS="${{ parameters.maxCascadingRebuilds }}" \
         MAX_CPU="${{ parameters.maxCPU }}" \
         REBUILD_TOOLS=y \
         REPO_LIST="${{ parameters.extraPackageRepos }}" \
         SPECS_DIR="${{ parameters.buildRepoRoot }}/${{ parameters.specsFolderPath }}" \
         SRPM_PACK_LIST="${{ parameters.srpmPackList }}" \
+        TEST_RERUN_LIST="${{ parameters.testRerunList }}" \
         $delta_fetch_arg \
         $quick_rebuild_packages_arg \
         $run_check_arg \
-        TEST_RERUN_LIST="${{ parameters.testRerunList }}" \
+        $toolchain_archive_arg \
         $use_ccache_arg
     displayName: "Build packages"
 

SPECS-EXTENDED/buildah/buildah.spec

@@ -127,7 +127,7 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 - Bump release to rebuild against glibc 2.35-6
 
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 1.18.0-20
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 1.18.0-19
 - Bump release to rebuild with updated version of Go.

SPECS-EXTENDED/containernetworking-plugins/containernetworking-plugins.spec

@@ -130,7 +130,7 @@ install -p plugins/ipam/dhcp/systemd/cni-dhcp.socket %{buildroot}%{_unitdir}
 
 %changelog
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 1.1.1-13
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 1.1.1-12
 - Bump release to rebuild with updated version of Go.

SPECS-EXTENDED/delve/delve.spec

@@ -73,7 +73,7 @@ done
 
 %changelog
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 1.5.0-16
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 1.5.0-15
 - Bump release to rebuild with updated version of Go.

SPECS-EXTENDED/linuxptp/linuxptp.signatures.json

@@ -391,7 +391,7 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 - Bump release to rebuild against glibc 2.35-6
 
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 4.1.1-17
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 4.1.1-16
 - Bump release to rebuild with updated version of Go.

SPECS-EXTENDED/podman/podman.spec

@@ -40,7 +40,7 @@ go test -mod=vendor
 
 %changelog
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 0.4.7-13
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 0.4.7-12
 - Bump release to rebuild with updated version of Go.

SPECS-EXTENDED/umoci/umoci.spec

@@ -9,7 +9,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
-Version:        5.15.137.1
+Version:        5.15.138.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Nov 21 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.138.1-1
+- Auto-upgrade to 5.15.138.1
+
+* Mon Nov 20 2023 Rachel Menge <[email protected]> - 5.15.137.1-2
+- Bump release to match kernel
+
 * Mon Nov 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.137.1-1
 - Auto-upgrade to 5.15.137.1
 

SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec

@@ -4,7 +4,7 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for HCI
 Name:           kernel-hci-signed-%{buildarch}
-Version:        5.15.137.1
+Version:        5.15.138.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -149,6 +149,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Nov 21 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.138.1-1
+- Auto-upgrade to 5.15.138.1
+
+* Mon Nov 20 2023 Rachel Menge <[email protected]> - 5.15.137.1-2
+- Bump release to match kernel
+
 * Mon Nov 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.137.1-1
 - Auto-upgrade to 5.15.137.1
 

SPECS-SIGNED/kernel-hci-signed/kernel-hci-signed.spec

@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.137.1
-Release:        1%{?dist}
+Version:        5.15.138.1
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,21 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Tue Nov 28 2023 Juan Camposeco <[email protected]> - 5.15.138.1-4
+- Bump release to match kernel
+
+* Tue Nov 28 2023 Thien Trung Vuong <[email protected]> - 5.15.138.1-3
+- Bump release to match kernel
+
+* Wed Nov 22 2023 David Daney <[email protected]> - 5.15.138.1-2
+- Bump release to match kernel
+
+* Tue Nov 21 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.138.1-1
+- Auto-upgrade to 5.15.138.1
+
+* Mon Nov 20 2023 Rachel Menge <[email protected]> - 5.15.137.1-2
+- Bump release to match kernel
+
 * Mon Nov 06 2023 CBL-Mariner Servicing Account <[email protected]> - 5.15.137.1-1
 - Auto-upgrade to 5.15.137.1
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -75,7 +75,7 @@ fi
 
 %changelog
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 0.3.4-3
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 0.3.4-2
 - Bump release to rebuild with updated version of Go.

SPECS/KeysInUse-OpenSSL/KeysInUse-OpenSSL.spec

@@ -184,6 +184,7 @@
                 "dogtail",
                 "dos2unix",
                 "dotconf",
+                "double-conversion",
                 "dovecot",
                 "dpdk",
                 "dpkg",
@@ -1679,6 +1680,7 @@
                 "python-isodate",
                 "python-isort",
                 "python-itsdangerous",
+                "python-junit-xml",
                 "python-justbases",
                 "python-justbytes",
                 "python-jwcrypto",

SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md

@@ -55,7 +55,7 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 
 %changelog
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 1.4.0-16
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 1.4.0-15
 - Bump release to rebuild with updated version of Go.

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -62,7 +62,7 @@ go test -mod=vendor
 
 %changelog
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 10.15.0-14
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 10.15.0-13
 - Bump release to rebuild with updated version of Go.

SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec

@@ -47,7 +47,7 @@ install -p -m 755 build/blobfuse %{buildroot}%{_bindir}/
 
 %changelog
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 1.4.5-13
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 1.4.5-12
 - Bump release to rebuild with updated version of Go.

SPECS/azcopy/azcopy.spec

@@ -1,6 +1,6 @@
 {
     "Signatures": {
-     "blobfuse2-2.1.1.tar.gz": "6bbed0d7db05ecfe7b7e12b5c4506dde1e2ef018ce1ac6fe6c8b7d697af24968",
-     "blobfuse2-2.1.1-vendor.tar.gz": "85cbf93aacaa63e583dd9a72f4823f9c993449d5f2ab2332d8b97b4bf91e7da0"
+     "blobfuse2-2.1.2.tar.gz": "4605015d99c7ffac37ae464aa1d23c11ecd6218122acb06f1c46ac7bdced908e",
+     "blobfuse2-2.1.2-vendor.tar.gz": "84229241b170316438aa408ae38216e01c54fffdbe50b59ae3b5ab1b4f7122c6"
     }
 }

SPECS/blobfuse/blobfuse.spec

@@ -1,7 +1,7 @@
 %global debug_package %{nil}
 
 %define our_gopath %{_topdir}/.gopath
-%define blobfuse2_version 2.1.1
+%define blobfuse2_version 2.1.2
 %define blobfuse2_health_monitor bfusemon
 
 Summary:        FUSE adapter - Azure Storage
@@ -80,11 +80,14 @@ install -D -m 0644 ./setup/blobfuse2-logrotate %{buildroot}%{_sysconfdir}/logrot
 %{_sysconfdir}/logrotate.d/blobfuse2
 
 %changelog
+* Fri Nov 17 2023 Anubhuti Shruti <[email protected]> - 2.1.2-1
+- Bump version to 2.1.2
+
 * Thu Nov 02 2023 Sourav Gupta <[email protected]> - 2.1.1-1
 - Bump version to 2.1.1
 
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <[email protected]> - 2.1.0-3
-- Bump release to rebuild with go 1.20.10
+- Bump release to rebuild with go 1.20.9
 
 * Tue Oct 10 2023 Dan Streetman <[email protected]> - 2.1.0-2
 - Bump release to rebuild with updated version of Go.

SPECS/blobfuse2/blobfuse2.signatures.json

@@ -31,7 +31,7 @@ CONFIG_FEATURE_SUID_CONFIG=y
 CONFIG_FEATURE_SUID_CONFIG_QUIET=y
 # CONFIG_FEATURE_PREFER_APPLETS is not set
 CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"
-# CONFIG_SELINUX is not set
+CONFIG_SELINUX=y
 # CONFIG_FEATURE_CLEAN_UP is not set
 CONFIG_PLATFORM_LINUX=y
 #
@@ -176,7 +176,7 @@ CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y
 CONFIG_FEATURE_TAR_TO_COMMAND=y
 CONFIG_FEATURE_TAR_UNAME_GNAME=y
 CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y
-# CONFIG_FEATURE_TAR_SELINUX is not set
+CONFIG_FEATURE_TAR_SELINUX=y
 CONFIG_UNZIP=y
 CONFIG_FEATURE_UNZIP_CDF=y
 CONFIG_FEATURE_UNZIP_BZIP2=y

SPECS/blobfuse2/blobfuse2.spec

@@ -2,6 +2,6 @@
  "Signatures": {
   "busybox-1.35.0.tar.bz2": "faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694",
   "busybox-petitboot.config": "28a4006863e0125bb564159c120067cb83b52ee0a829579cd399274cc78a10be",
-  "busybox-static.config": "6f2f534548da57df8b1f5fd4dfe6ceece0f1b97bf7d0baa4c484ac9850cf8e37"
+  "busybox-static.config": "e97bc24c897e41e5a6fc6b54955b20e3c49ea5828f9ecba6ba520f8291470e58"
  }
 }

SPECS/busybox/busybox-static.config

@@ -1,7 +1,7 @@
 Summary:        Statically linked binary providing simplified versions of system commands
 Name:           busybox
 Version:        1.35.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -15,6 +15,8 @@ Patch2:         awk-input-numbers-are-never-octal-or-hex-only-progra.patch
 Patch3:         CVE-2022-30065.patch
 Patch4:         ash-fix-use-after-free-in-pattern-substituon-code.patch
 Patch5:         ash-fix-use-after-free-in-bash-pattern-substitution.patch
+Patch6:         selinux-copy-file.patch
+Patch7:         selinux-cp-a.patch
 BuildRequires:  gcc
 BuildRequires:  glibc-static >= 2.35-6%{?dist}
 BuildRequires:  libselinux-devel >= 1.27.7-2
@@ -94,6 +96,10 @@ install -m 644 docs/busybox.petitboot.1 %{buildroot}/%{_mandir}/man1/busybox.pet
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Thu Nov 16 2023 Chris PeBenito <[email protected]> - 1.35.0-9
+- Enable SELinux features.
+- Improve SELinux behavior for copy funtions.
+
 * Wed Oct 04 2023 Minghe Ren <[email protected]> - 1.35.0-8
 - Bump release to rebuild against glibc 2.35-6
 

SPECS/busybox/busybox.signatures.json

@@ -0,0 +1,50 @@
+From 23b2d8b498939723413a60adc6b29e37ec46b91e Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <[email protected]>
+Date: Wed, 25 Mar 2020 16:43:17 -0400
+Subject: copy_file(): Revise completion of SELinux security context
+ preserve/set.
+
+The existing setfscreatecon() at the beginning of copy_file() is the secure
+method for setting the context of new files, but it doesn't apply to
+existing files. Change the setfilecon() to only run on preexisting files.
+
+Signed-off-by: Chris PeBenito <[email protected]>
+
+diff -ur busybox-1.35.0.orig/libbb/copy_file.c busybox-1.35.0/libbb/copy_file.c
+--- busybox-1.35.0.orig/libbb/copy_file.c	2021-12-26 16:53:20.000000000 +0000
++++ busybox-1.35.0/libbb/copy_file.c	2023-08-16 22:04:45.557799523 +0000
+@@ -327,19 +327,22 @@
+ 		if ((flags & (FILEUTILS_PRESERVE_SECURITY_CONTEXT|FILEUTILS_SET_SECURITY_CONTEXT))
+ 		 && is_selinux_enabled() > 0
+ 		) {
+-			security_context_t con;
+-			if (getfscreatecon(&con) == -1) {
++			/* Failure to preserve the security context isn't fatal here since
++			 * the copy has been done at this point. */
++			security_context_t con = NULL;
++			if (getfscreatecon(&con) < 0)
+ 				bb_simple_perror_msg("getfscreatecon");
+-				return -1;
+-			}
+-			if (con) {
+-				if (setfilecon(dest, con) == -1) {
+-					bb_perror_msg("setfilecon:%s,%s", dest, con);
+-					freecon(con);
+-					return -1;
+-				}
+-				freecon(con);
+-			}
++
++			if (setfscreatecon(NULL) < 0)
++				bb_perror_msg("can't reset fscreate");
++
++			/* setfscreatecon() only works when a file is created. If dest
++			 * preexisted, use setfilecon instead */
++			if (con && dest_exists)
++				if (fsetfilecon(dst_fd, con) < 0)
++					bb_perror_msg("fsetfilecon:%s,%s", dest, con);
++
++			freecon(con);
+ 		}
+ #endif
+ #if ENABLE_FEATURE_CP_REFLINK