From ca3c023bfbd1c1bbb0f4cce17d3685c81a615457 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 31 Jul 2019 16:19:20 -0600 Subject: [PATCH 1/8] docs: minor changes to the RELEASE_PROCESS.md Fix some examples and add a note about deprecating older, unsupported releases. Signed-off-by: Paul Moore (cherry picked from commit 0d73daf07490656130e0f5311ad12ca8818752c5) Signed-off-by: Tom Hromatka Acked-by: Paul Moore --- RELEASE_PROCESS.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/RELEASE_PROCESS.md b/RELEASE_PROCESS.md index 25b3ac31..5f09ce10 100644 --- a/RELEASE_PROCESS.md +++ b/RELEASE_PROCESS.md @@ -65,7 +65,7 @@ release. #### 12. Tag the release in the repository with a signed tag # git tag -s -m "version X.Y.Z" vX.Y.Z - # git push --tags + # git push vX.Y.Z #### 13. Build final release tarball @@ -95,3 +95,11 @@ release. * libseccomp-X.Y.Z.tar.gz.asc * libseccomp-X.Y.Z.tar.gz.SHA256SUM * libseccomp-X.Y.Z.tar.gz.SHA256SUM.asc + +#### 18. Update the GitHub release notes for older releases which are now unsupported + +The following Markdown text is suggested at the top of the release note, see old GitHub releases for examples. + +``` +***This release is no longer supported upsteam, please use a more recent release*** +``` From 2e9dd627d5557be2645ad6ab2fc6d182239e05ea Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 31 Jul 2019 16:20:13 -0600 Subject: [PATCH 2/8] docs: create a doc/admin directory and move RELEASE_PROCESS.md into it The idea is that any administrative/process docs should go in doc/admin. Signed-off-by: Paul Moore (cherry picked from commit 3f214cbbbbd663dd4e7fe90638af4971b436ec00) Signed-off-by: Tom Hromatka Acked-by: Paul Moore --- Makefile.am | 2 +- RELEASE_PROCESS.md => doc/admin/RELEASE_PROCESS.md | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename RELEASE_PROCESS.md => doc/admin/RELEASE_PROCESS.md (100%) diff --git a/Makefile.am b/Makefile.am index b69cec5f..c0e5eeb7 100644 --- a/Makefile.am 
+++ b/Makefile.am @@ -24,7 +24,7 @@ pkgconf_DATA = libseccomp.pc EXTRA_DIST = \ CHANGELOG CREDITS LICENSE \ - README.md CONTRIBUTING.md RELEASE_PROCESS.md + README.md CONTRIBUTING.md # support silent builds AM_MAKEFLAGS_0 = --quiet --no-print-directory diff --git a/RELEASE_PROCESS.md b/doc/admin/RELEASE_PROCESS.md similarity index 100% rename from RELEASE_PROCESS.md rename to doc/admin/RELEASE_PROCESS.md From 14ef1515d0f39d71fedca5910e0a7836c24f31c4 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 31 Jul 2019 16:21:30 -0600 Subject: [PATCH 3/8] db: properly reset the attribute state in db_col_reset() Signed-off-by: Paul Moore (cherry picked from commit 3570b5cf9acbd1711d417e08ec608eea7b83d416) [TJH: removed the SPEC_ALLOW logic since it isn't in the 2.4.x release] Signed-off-by: Tom Hromatka Acked-by: Paul Moore --- src/db.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/db.c b/src/db.c index 64e0924d..afb1c9f8 100644 --- a/src/db.c +++ b/src/db.c @@ -1063,6 +1063,7 @@ int db_col_reset(struct db_filter_col *col, uint32_t def_action) col->attr.nnp_enable = 1; col->attr.tsync_enable = 0; col->attr.api_tskip = 0; + col->attr.log_enable = 0; /* set the state */ col->state = _DB_STA_VALID; From 74b4d5f5d16ae34bcd541730bd49d66dcb1684de Mon Sep 17 00:00:00 2001 
From: Paul Moore Date: Wed, 31 Jul 2019 16:23:23 -0600 Subject: [PATCH 4/8] python: use Cython language "3str" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Set the Cython language level to "3str" which is described in the Cython 0.29 changelog: "A new language level name 3str was added that mostly corresponds to language level 3, but keeps unprefixed string literals as type ‘str’ in both Py2 and Py3, and the builtin ‘str’ type unchanged. This will become the default in the next Cython release and is meant to help user code a) transition more easily to this new default and b) migrate to Python 3 source code semantics without making support for Python 2.x difficult." Signed-off-by: Paul Moore (cherry picked from commit d390edad9a8540c2e2dd0b12732cc8dd3fe1cc69) Signed-off-by: Tom Hromatka Acked-by: Paul Moore --- configure.ac | 4 ++-- src/python/seccomp.pyx | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 05d34a55..1dc8e5d4 100644 --- a/configure.ac +++ b/configure.ac @@ -109,8 +109,8 @@ AC_ARG_ENABLE([python], [build the python bindings, requires cython])]) AS_IF([test "$enable_python" = yes], [ # cython version check - AS_IF([test "$CYTHON_VER_MAJ" -eq 0 -a "$CYTHON_VER_MIN" -lt 16], [ - AC_MSG_ERROR([python bindings require cython 0.16 or higher]) + AS_IF([test "$CYTHON_VER_MAJ" -eq 0 -a "$CYTHON_VER_MIN" -lt 29], [ + AC_MSG_ERROR([python bindings require cython 0.29 or higher]) ]) AM_PATH_PYTHON ]) diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx index 771b9c3f..121a0d6a 100644 --- a/src/python/seccomp.pyx +++ b/src/python/seccomp.pyx @@ -19,6 +19,8 @@ # along with this library; if not, see . # +# cython: language_level = 3str + """ Python bindings for the libseccomp library The libseccomp library provides and easy to use, platform independent, From 44113f3043f66cbd76ffbd2bd3f9a391c365ccf5 Mon Sep 17 00:00:00 2001 
From: Stephen Coleman Date: Wed, 31 Jul 2019 16:24:06 -0600 Subject: [PATCH 5/8] arch: add support for io-uring related system calls in kernel 5.1 Signed-off-by: Stephen Coleman Reviewed-by: Tom Hromatka [PM: added the "arch:" subj prefix] Signed-off-by: Paul Moore (cherry picked from commit 5fc22428507ecea00ee9e2215d972777da9a99b6) Signed-off-by: Tom Hromatka Acked-by: Paul Moore --- src/arch-aarch64-syscalls.c | 3 +++ src/arch-arm-syscalls.c | 3 +++ src/arch-mips-syscalls.c | 3 +++ src/arch-mips64-syscalls.c | 3 +++ src/arch-mips64n32-syscalls.c | 3 +++ src/arch-parisc-syscalls.c | 3 +++ src/arch-ppc-syscalls.c | 3 +++ src/arch-ppc64-syscalls.c | 3 +++ src/arch-s390-syscalls.c | 3 +++ src/arch-s390x-syscalls.c | 3 +++ src/arch-x32-syscalls.c | 3 +++ src/arch-x86-syscalls.c | 3 +++ src/arch-x86_64-syscalls.c | 3 +++ 13 files changed, 39 insertions(+) diff --git a/src/arch-aarch64-syscalls.c b/src/arch-aarch64-syscalls.c index 351143c0..90de2831 100644 --- a/src/arch-aarch64-syscalls.c +++ b/src/arch-aarch64-syscalls.c @@ -171,6 +171,9 @@ const struct arch_syscall_def aarch64_syscall_table[] = { \ { "io_pgetevents", 292 }, { "io_setup", 0 }, { "io_submit", 2 }, + { "io_uring_setup", 425 }, + { "io_uring_enter", 426 }, + { "io_uring_register", 427 }, { "ioctl", 29 }, { "ioperm", __PNR_ioperm }, { "iopl", __PNR_iopl }, diff --git a/src/arch-arm-syscalls.c b/src/arch-arm-syscalls.c index f543f65e..a0dbd603 100644 --- a/src/arch-arm-syscalls.c +++ b/src/arch-arm-syscalls.c @@ -183,6 +183,9 @@ const struct arch_syscall_def arm_syscall_table[] = { \ { "io_pgetevents", (__SCMP_NR_BASE + 399) }, { "io_setup", (__SCMP_NR_BASE + 243) }, { "io_submit", (__SCMP_NR_BASE + 246) }, + { "io_uring_setup", (__SCMP_NR_BASE + 425) }, + { "io_uring_enter", (__SCMP_NR_BASE + 426) }, + { "io_uring_register", (__SCMP_NR_BASE + 427) }, { "ioctl", (__SCMP_NR_BASE + 54) }, { "ioperm", __PNR_ioperm }, { "iopl", __PNR_iopl }, 
diff --git a/src/arch-mips-syscalls.c b/src/arch-mips-syscalls.c index 670b92ac..8706ae54 100644 --- a/src/arch-mips-syscalls.c +++ b/src/arch-mips-syscalls.c @@ -175,6 +175,9 @@ const struct arch_syscall_def mips_syscall_table[] = { \ { "io_pgetevents", (__SCMP_NR_BASE + 368) }, { "io_setup", (__SCMP_NR_BASE + 241) }, { "io_submit", (__SCMP_NR_BASE + 244) }, + { "io_uring_setup", (__SCMP_NR_BASE + 425) }, + { "io_uring_enter", (__SCMP_NR_BASE + 426) }, + { "io_uring_register", (__SCMP_NR_BASE + 427) }, { "ioctl", (__SCMP_NR_BASE + 54) }, { "ioperm", (__SCMP_NR_BASE + 101) }, { "iopl", (__SCMP_NR_BASE + 110) }, diff --git a/src/arch-mips64-syscalls.c b/src/arch-mips64-syscalls.c index 454c6815..b267072c 100644 --- a/src/arch-mips64-syscalls.c +++ b/src/arch-mips64-syscalls.c @@ -175,6 +175,9 @@ const struct arch_syscall_def mips64_syscall_table[] = { \ { "io_pgetevents", (__SCMP_NR_BASE + 328) }, { "io_setup", (__SCMP_NR_BASE + 200) }, { "io_submit", (__SCMP_NR_BASE + 203) }, + { "io_uring_setup", (__SCMP_NR_BASE + 425) }, + { "io_uring_enter", (__SCMP_NR_BASE + 426) }, + { "io_uring_register", (__SCMP_NR_BASE + 427) }, { "ioctl", (__SCMP_NR_BASE + 15) }, { "ioperm", __PNR_ioperm }, { "iopl", __PNR_iopl }, diff --git a/src/arch-mips64n32-syscalls.c b/src/arch-mips64n32-syscalls.c index f5053fc7..8af6b3e9 100644 --- a/src/arch-mips64n32-syscalls.c +++ b/src/arch-mips64n32-syscalls.c @@ -175,6 +175,9 @@ const struct arch_syscall_def mips64n32_syscall_table[] = { \ { "io_pgetevents", (__SCMP_NR_BASE + 332) }, { "io_setup", (__SCMP_NR_BASE + 200) }, { "io_submit", (__SCMP_NR_BASE + 203) }, + { "io_uring_setup", (__SCMP_NR_BASE + 425) }, + { "io_uring_enter", (__SCMP_NR_BASE + 426) }, + { "io_uring_register", (__SCMP_NR_BASE + 427) }, { "ioctl", (__SCMP_NR_BASE + 15) }, { "ioperm", __PNR_ioperm }, { "iopl", __PNR_iopl }, diff --git a/src/arch-parisc-syscalls.c b/src/arch-parisc-syscalls.c index 0c7ef427..8f19a03a 100644 --- a/src/arch-parisc-syscalls.c 
+++ b/src/arch-parisc-syscalls.c @@ -155,6 +155,9 @@ const struct arch_syscall_def parisc_syscall_table[] = { \ { "io_pgetevents", __PNR_io_pgetevents }, { "io_setup", 215 }, { "io_submit", 218 }, + { "io_uring_setup", 425 }, + { "io_uring_enter", 426 }, + { "io_uring_register", 427 }, { "ioctl", 54 }, { "ioperm", __PNR_ioperm }, { "iopl", __PNR_iopl }, diff --git a/src/arch-ppc-syscalls.c b/src/arch-ppc-syscalls.c index 7272a633..8275b38c 100644 --- a/src/arch-ppc-syscalls.c +++ b/src/arch-ppc-syscalls.c @@ -172,6 +172,9 @@ const struct arch_syscall_def ppc_syscall_table[] = { \ { "io_pgetevents", 388 }, { "io_setup", 227 }, { "io_submit", 230 }, + { "io_uring_setup", 425 }, + { "io_uring_enter", 426 }, + { "io_uring_register", 427 }, { "ioctl", 54 }, { "ioperm", 101 }, { "iopl", 110 }, diff --git a/src/arch-ppc64-syscalls.c b/src/arch-ppc64-syscalls.c index c7ff0a1c..2a8f387d 100644 --- a/src/arch-ppc64-syscalls.c +++ b/src/arch-ppc64-syscalls.c @@ -172,6 +172,9 @@ const struct arch_syscall_def ppc64_syscall_table[] = { \ { "io_pgetevents", 388 }, { "io_setup", 227 }, { "io_submit", 230 }, + { "io_uring_setup", 425 }, + { "io_uring_enter", 426 }, + { "io_uring_register", 427 }, { "ioctl", 54 }, { "ioperm", 101 }, { "iopl", 110 }, diff --git a/src/arch-s390-syscalls.c b/src/arch-s390-syscalls.c index a1403be8..c2e34395 100644 --- a/src/arch-s390-syscalls.c +++ b/src/arch-s390-syscalls.c @@ -155,6 +155,9 @@ const struct arch_syscall_def s390_syscall_table[] = { \ { "io_pgetevents", 382 }, { "io_setup", 243 }, { "io_submit", 246 }, + { "io_uring_setup", 425 }, + { "io_uring_enter", 426 }, + { "io_uring_register", 427 }, { "ioctl", 54 }, { "ioperm", 101 }, { "iopl", __PNR_iopl }, diff --git a/src/arch-s390x-syscalls.c b/src/arch-s390x-syscalls.c index e22ccaeb..e0a39f1d 100644 --- a/src/arch-s390x-syscalls.c +++ b/src/arch-s390x-syscalls.c 
@@ -155,6 +155,9 @@ const struct arch_syscall_def s390x_syscall_table[] = { \ { "io_pgetevents", 382 }, { "io_setup", 243 }, { "io_submit", 246 }, + { "io_uring_setup", 425 }, + { "io_uring_enter", 426 }, + { "io_uring_register", 427 }, { "ioctl", 54 }, { "ioperm", __PNR_ioperm}, { "iopl", __PNR_iopl }, diff --git a/src/arch-x32-syscalls.c b/src/arch-x32-syscalls.c index 65f64187..f6b941b4 100644 --- a/src/arch-x32-syscalls.c +++ b/src/arch-x32-syscalls.c @@ -171,6 +171,9 @@ const struct arch_syscall_def x32_syscall_table[] = { \ { "io_pgetevents", (X32_SYSCALL_BIT + 333) }, { "io_setup", (X32_SYSCALL_BIT + 543) }, { "io_submit", (X32_SYSCALL_BIT + 544) }, + { "io_uring_setup", (X32_SYSCALL_BIT + 425) }, + { "io_uring_enter", (X32_SYSCALL_BIT + 426) }, + { "io_uring_register", (X32_SYSCALL_BIT + 427) }, { "ioctl", (X32_SYSCALL_BIT + 514) }, { "ioperm", (X32_SYSCALL_BIT + 173) }, { "iopl", (X32_SYSCALL_BIT + 172) }, diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c index 1f4573b5..5bd0ca20 100644 --- a/src/arch-x86-syscalls.c +++ b/src/arch-x86-syscalls.c @@ -171,6 +171,9 @@ const struct arch_syscall_def x86_syscall_table[] = { \ { "io_pgetevents", 385 }, { "io_setup", 245 }, { "io_submit", 248 }, + { "io_uring_setup", 425 }, + { "io_uring_enter", 426 }, + { "io_uring_register", 427 }, { "ioctl", 54 }, { "ioperm", 101 }, { "iopl", 110 }, diff --git a/src/arch-x86_64-syscalls.c b/src/arch-x86_64-syscalls.c index b07700d5..f7c8ce6a 100644 --- a/src/arch-x86_64-syscalls.c +++ b/src/arch-x86_64-syscalls.c @@ -171,6 +171,9 @@ const struct arch_syscall_def x86_64_syscall_table[] = { \ { "io_pgetevents", 333 }, { "io_setup", 206 }, { "io_submit", 209 }, + { "io_uring_setup", 425 }, + { "io_uring_enter", 426 }, + { "io_uring_register", 427 }, { "ioctl", 16 }, { "ioperm", 173 }, { "iopl", 172 }, From 933b096abe76a96cdbc6d17afcab64a1cc0c1752 Mon Sep 17 00:00:00 2001 
From: Paul Moore Date: Wed, 31 Jul 2019 16:25:43 -0600 Subject: [PATCH 6/8] doc: new process docs and various updates A number of updates mainly focused on paving the way for multiple maintainers and making better use of the GitHub vulnerability reporting tools. Signed-off-by: Paul Moore Acked-by: Tom Hromatka (cherry picked from commit 4bec773fb401433bbfbbef111a49e1d2acbc4fcf) Signed-off-by: Tom Hromatka Acked-by: Paul Moore --- README.md | 2 +- SECURITY.md | 45 ++++++++++++++++ doc/admin/MAINTAINER_PROCESS.md | 95 +++++++++++++++++++++++++++++++++ 3 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md create mode 100644 doc/admin/MAINTAINER_PROCESS.md diff --git a/README.md b/README.md index cf67e47c..df77af0a 100644 --- a/README.md +++ b/README.md @@ -110,4 +110,4 @@ these tools are installed by default. Problems with the libseccomp library can be reported using the GitHub issue tracking system or the mailing list. Those who wish to privately report -potential vulnerabilities can send mail to paul@paul-moore.com. +potential vulnerabilities should follow the directions in SECURITY.md. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..3a173ccd --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,45 @@ +The libseccomp Security Vulnerability Handling Process +=============================================================================== +https://github.com/seccomp/libseccomp + +This document document attempts to describe the processes through which +sensitive security relevant bugs can be responsibly disclosed to the libseccomp +project and how the project maintainers should handle these reports. Just like +the other libseccomp process documents, this document should be treated as a +guiding document and not a hard, unyielding set of regulations; the bug +reporters and project maintainers are encouraged to work together to address +the issues as best they can, in a manner which works best for all parties +involved. + +### Reporting Problems + +Problems with the libseccomp library that are not suitable for immediate public +disclosure should be emailed to the current libseccomp maintainers, the list is +below. We typically request at most a 90 day time period to address the issue +before it is made public, but we will make every effort to address the issue as +quickly as possible and shorten the disclosure window. + +* Paul Moore, paul@paul-moore.com +* Tom Hromatka, tom.hromatka@oracle.com + +### Resolving Sensitive Security Issues + +Upon disclosure of a bug, the maintainers should work together to investigate +the problem and decide on a solution. In order to prevent an early disclosure +of the problem, those working on the solution should do so privately and +outside of the traditional libseccomp development practices. One possible +solution to this is to leverage the GitHub "Security" functionality to create a +private development fork that can be shared among the maintainers, and +optionally the reporter. A placeholder GitHub issue may be created, but +details should remain extremely limited until such time as the problem has been +fixed and responsibly disclosed. 
If a CVE, or other tag, has been assigned to +the problem, the GitHub issue title should include the vulnerability tag once +the problem has been disclosed. + +### Public Disclosure + +Whenever possible, responsible reporting and patching practices should be +followed, including notification to the linux-distros and oss-security mailing +lists. + +* https://oss-security.openwall.org/wiki/mailing-lists/distros diff --git a/doc/admin/MAINTAINER_PROCESS.md b/doc/admin/MAINTAINER_PROCESS.md new file mode 100644 index 00000000..6ae61ba4 --- /dev/null +++ b/doc/admin/MAINTAINER_PROCESS.md 
@@ -0,0 +1,95 @@ +The libseccomp Maintainer Process +=============================================================================== +https://github.com/seccomp/libseccomp + +This document attempts to describe the processes that should be followed by the +various libseccomp maintainers. It is not intended as a hard requirement, but +rather as a guiding document intended to make it easier for multiple +co-maintainers to manage the libseccomp project. + +We recognize this document, like all other parts of the libseccomp project, is +not perfect. If changes need to be made, they should be made following the +guidelines described here. + +### Reviewing and Merging Patches + +In a perfect world each patch would be independently reviewed and ACK'd by each +maintainer, but we recognize that is not likely to be practical for each patch. +Under normal circumstances, each patch should be ACK'd by a simple majority of +maintainers (in the case of an even number of maintainers, N/2+1) before being +merged into the repository. Maintainers should ACK patches using a format +similar to the Linux Kernel, for example: + +``` +Acked-by: John Smith +``` + +The maintainer which merged the patch into the repository should add their +sign-off after ensuring that it is correct to do so (see the documentation on +submitting patches); if it is not correct for the maintainer to add their +sign-off, it is likely the patch should not be merged. The maintainer should +add their sign-off using the standard format at the end of the patch's +metadata, for example: + +``` +Signed-off-by: Jane Smith +``` + +The maintainers are encouraged to communicate with each other for many reasons, +one of which is to let the others when one is going to be unreachable for an +extended period of time. 
If a patch is being held due to a lack of ACKs and +the other maintainers are not responding after a reasonable period of time (for +example, a delay of over two weeks), as long as there are no outstanding NACKs +the patch can be merged without a simple majority. + +### Managing Sensitive Vulnerability Reports + +The libseccomp vulnerability reporting process is documented in the SECURITY.md +document. + +The maintainers should work together with the reporter to asses the validity +and seriousness of the reported vulnerability. Whenever possible, responsible +reporting and patching practices should be followed, including notification to +the _linux-distros_ and _oss-security_ mailing lists. + +* https://oss-security.openwall.org/wiki/mailing-lists/distros + +### Managing the GitHub Issue Tracker + +We use the GitHub issue tracker to track bugs, feature requests, and sometimes +unanswered questions. The conventions here are intended to help distinguish +between the different uses, and prioritize within those categories. + +Feature requests MUST have a "RFE:" prefix added to the issue name and use the +"enhancement" label. Bug reports MUST a "BUG:" prefix added to the issue name +and use the "bug" label. + +Issues SHOULD be prioritized using the "priority/high", "priority/medium", and +"priority/low" labels. The meaning should hopefully be obvious. + +Issues CAN be additionally labeled with the "pending/info", "pending/review", +and "pending/revision" labels to indicate that additional information is +needed, the issue/patch is pending review, and/or the patch requires changes. + +### Managing the GitHub Release Milestones + +There should be at least two GitHub milestones at any point in time: one for +the next major/minor release (for example, v2.5), and one for the next patch +release (for example, v2.4.2). As issues are entered into the system, they can +be added to the milestones at the discretion of the maintainers. 
+ +### Managing the Public Mailing List + +The mailing list is currently hosted on Google Groups, and while it is possible +to participate in discussions without a Google account, a Google account is +required to moderate/administer the group. Those maintainers who do have a +Google account and wish to be added to the moderators list should be added, but +there is no requirement to do so. + +Despite the term "moderator" the list is currently unmoderated and should +remain the way. + +### New Project Releases + +The libseccomp release process is documented in the RELEASE_PROCESS.md +document. From 7a882ddbc13be8d398fe38c1e7b38bb33b9931b9 Mon Sep 17 00:00:00 2001 From: Felix Geyer Date: Wed, 31 Jul 2019 16:26:13 -0600 Subject: [PATCH 7/8] python: install the python extension to the root package dir Commit 8ad3638ea9023c3948976dfadebd1554380a31c9 effectively added libseccomp/ to the install path of the python extension. This changed the import module name from "seccomp" to "libseccomp.seccomp", breaking existing users. Revert the install path like it was before 2.4.0 Signed-off-by: Felix Geyer [PM: tweaked the subject line] Signed-off-by: Paul Moore (cherry picked from commit ff7fc73bdf4602323ce320a2094c006c9c3e4d42) Signed-off-by: Tom Hromatka Acked-by: Paul Moore --- src/python/Makefile.am | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/python/Makefile.am b/src/python/Makefile.am index 3a34b0a8..f71ec24f 100644 --- a/src/python/Makefile.am +++ b/src/python/Makefile.am 
@@ -40,12 +40,12 @@ build: ../libseccomp.la libseccomp.pxd seccomp.pyx setup.py ${PY_BUILD} && touch build install-exec-local: build - ${PY_INSTALL} --install-lib=${DESTDIR}/${pkgpythondir} \ - --record=${DESTDIR}/${pkgpythondir}/install_files.txt + ${PY_INSTALL} --install-lib=${DESTDIR}/${pyexecdir} \ + --record=${DESTDIR}/${pyexecdir}/install_files.txt uninstall-local: - cat ${DESTDIR}/${pkgpythondir}/install_files.txt | xargs ${RM} -f - ${RM} -f ${DESTDIR}/${pkgpythondir}/install_files.txt + cat ${DESTDIR}/${pyexecdir}/install_files.txt | xargs ${RM} -f + ${RM} -f ${DESTDIR}/${pyexecdir}/install_files.txt clean-local: [ ${srcdir} == ${builddir} ] || ${RM} -f ${builddir}/seccomp.pyx From 88895cad65e78dff93d3b0188188ddcfa4c1e46a Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 31 Jul 2019 16:27:47 -0600 Subject: [PATCH 8/8] doc: ship the SECURITY.md file Signed-off-by: Paul Moore (cherry picked from commit 2b406e3b274407ceef53fa3de9469cfbd0fd0ddb) Signed-off-by: Tom Hromatka Acked-by: Paul Moore --- Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index c0e5eeb7..650dfaec 100644 --- a/Makefile.am +++ b/Makefile.am @@ -24,7 +24,7 @@ pkgconf_DATA = libseccomp.pc EXTRA_DIST = \ CHANGELOG CREDITS LICENSE \ - README.md CONTRIBUTING.md + README.md CONTRIBUTING.md SECURITY.md # support silent builds AM_MAKEFLAGS_0 = --quiet --no-print-directory
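Review bot: the new "git push vX.Y.Z" line in step 12 of RELEASE_PROCESS.md (PATCH 1/8) omits the remote. git reads the first positional argument as the repository, so the tag name would be taken as a remote name and the push would fail. Suggest "# git push <remote> vX.Y.Z" (for example origin), which still avoids pushing unrelated local tags the way "--tags" did.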
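Review bot: "upsteam" in the suggested release-note text under the new step 18 of RELEASE_PROCESS.md (PATCH 1/8) should be "upstream". The line is meant to be pasted verbatim at the top of GitHub release notes, so the typo would be copied into every deprecated release.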
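Review bot: the Makefile.am hunk in PATCH 2/8 drops RELEASE_PROCESS.md from EXTRA_DIST without listing doc/admin/RELEASE_PROCESS.md, so as far as this patch shows the file stops shipping in release tarballs once it is moved. If that is intended, say so in the commit message; otherwise add the new path to EXTRA_DIST. The same question applies to doc/admin/MAINTAINER_PROCESS.md from PATCH 6/8, since PATCH 8/8 only adds SECURITY.md.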
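Review bot: the db_col_reset() hunk in src/db.c (PATCH 3/8) adds the missing "col->attr.log_enable = 0;" but comes with no test, and the reset remains a hand-maintained list of col->attr assignments, the same pattern that left log_enable unreset. Suggest a regression test that sets each attribute to a non-default value, resets the collection, and reads the attributes back. The commit message also has no body; one sentence on the visible effect (a reset collection keeping its previous log setting) would help anyone triaging the backport.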
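Review bot: the configure.ac hunk in PATCH 4/8 raises the minimum Cython from 0.16 to 0.29, which is a new hard build requirement arriving in a series that PATCH 3/8 identifies as a 2.4.x backport. The commit message explains what "3str" means but not that builds with Cython 0.16 through 0.28 will now stop at configure time; suggest stating that in the message and in the CHANGELOG or README so packagers see it before the AC_MSG_ERROR does the telling.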
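Review bot: in all thirteen src/arch-*-syscalls.c hunks of PATCH 5/8 the new entries are added as io_uring_setup, io_uring_enter, io_uring_register, which is syscall-number order, while the surrounding entries (io_pgetevents, io_setup, io_submit, ioctl) are in name order. Suggest enter, register, setup so the tables stay sorted by name. The diffstat also shows only the thirteen table files, so nothing in this patch checks that the three names resolve on every architecture (425 to 427, offset by __SCMP_NR_BASE or X32_SYSCALL_BIT where the table uses one).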
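Review bot: the "Reporting Problems" section of the new SECURITY.md (PATCH 6/8) asks for undisclosed vulnerabilities by email but lists only two plain addresses, with no PGP key or fingerprint, so a reporter has no way to encrypt a report to the maintainers. Suggest publishing the maintainers' key fingerprints next to the addresses, or naming the GitHub "Security" functionality already mentioned under "Resolving Sensitive Security Issues" as a reporting channel as well. Separately, "This document document attempts" in the opening paragraph has a duplicated word.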
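Review bot: the new doc/admin/MAINTAINER_PROCESS.md (PATCH 6/8) has several wording slips that change or obscure the meaning: "let the others when one is going to be unreachable" is missing "know", "asses the validity" should be "assess", "Bug reports MUST a" is missing "have", and "should remain the way" should be "remain that way". On the merge rule itself, with the two maintainers listed in SECURITY.md, N/2+1 means both must ACK, so the two-week fallback that allows merging "without a simple majority" amounts to a single-maintainer merge; it would be worth saying explicitly whether that fallback also applies to fixes handled under the sensitive vulnerability process.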
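Review bot: with "--install-lib" now pointing at ${DESTDIR}/${pyexecdir} in src/python/Makefile.am (PATCH 7/8), the "--record" file lands in the shared root package directory under the generic name install_files.txt, where another package's file of the same name could overwrite it or be overwritten by it. uninstall-local then pipes whatever that file contains into "xargs ${RM} -f", so a clobbered record removes the wrong files. Suggest a package-specific record name (for example one containing "libseccomp") or keeping the record outside pyexecdir.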