From 5648544aaba8a542ab14990ac83c4c401637aebf Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Oct 29 2019 19:28:51 +0000 Subject: Add mod-internal package Some of the downstream users want to package some modules for internal use only. While Fedora isn't internal, it's still useful to have packaging aligned. Add a few modules to this package. --- diff --git a/kernel.spec b/kernel.spec index f102af3..c8a2ebc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -525,6 +525,7 @@ Source15: merge.pl Source16: mod-extra.list Source17: mod-extra.sh Source18: mod-sign.sh +Source19: mod-extra-blacklist.sh Source90: filter-x86_64.sh Source91: filter-armv7hl.sh Source92: filter-i686.sh @@ -555,6 +556,8 @@ Source41: generate_debug_configs.sh Source42: process_configs.sh Source43: generate_bls_conf.sh +Source44: mod-internal.list + # This file is intentionally left empty in the stock kernel. Its a nicety # added for those wanting to do custom rebuilds with altered config opts. Source1000: kernel-local 
@@ -832,6 +835,27 @@ This package provides *.ipa-clones files.\ %{nil} # +# This macro creates a kernel--modules-internal package. +# %%kernel_modules_internal_package +# +%define kernel_modules_internal_package() \ +%package %{?1:%{1}-}modules-internal\ +Summary: Extra kernel modules to match the %{?2:%{2} }kernel\ +Group: System Environment/Kernel\ +Provides: kernel%{?1:-%{1}}-modules-internal-%{_target_cpu} = %{version}-%{release}\ +Provides: kernel%{?1:-%{1}}-modules-internal-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\ +Provides: kernel%{?1:-%{1}}-modules-internal = %{version}-%{release}%{?1:+%{1}}\ +Provides: installonlypkg(kernel-module)\ +Provides: kernel%{?1:-%{1}}-modules-internal-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ +Requires: kernel-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ +Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ +AutoReq: no\ +AutoProv: yes\ +%description %{?1:%{1}-}modules-internal\ +This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ +%{nil} + +# # This macro creates a kernel--modules-extra package. # %%kernel_modules_extra_package # @@ -904,6 +928,7 @@ Obsoletes: kernel-bootwrapper\ %{expand:%%kernel_devel_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}}}\ %{expand:%%kernel_modules_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}}}\ %{expand:%%kernel_modules_extra_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}}}\ +%{expand:%%kernel_modules_internal_package %{?1:%{1}} %{!?{-n}:%{1}}%{?{-n}:%{-n*}}}\ %{expand:%%kernel_debuginfo_package %{?1:%{1}}}\ %{nil} 
@@ -1464,6 +1489,7 @@ BuildKernel() { (cd $RPM_BUILD_ROOT/lib/modules/$KernelVer ; ln -s build source) # dirs for additional modules per module-init-tools, kbuild/modules.txt mkdir -p $RPM_BUILD_ROOT/lib/modules/$KernelVer/extra + mkdir -p $RPM_BUILD_ROOT/lib/modules/$KernelVer/internal mkdir -p $RPM_BUILD_ROOT/lib/modules/$KernelVer/updates mkdir -p $RPM_BUILD_ROOT/lib/modules/$KernelVer/weak-updates # first copy everything @@ -1686,6 +1712,10 @@ BuildKernel() { # Call the modules-extra script to move things around %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE16} + # Blacklist net autoloadable modules in modules-extra + %{SOURCE19} $RPM_BUILD_ROOT lib/modules/$KernelVer + # Call the modules-extra script for internal modules + %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE44} internal # # Generate the kernel-core and kernel-modules files lists @@ -1699,7 +1729,7 @@ BuildKernel() { cp -r lib/modules/$KernelVer/* restore/. # don't include anything going into k-m-e in the file lists - rm -rf lib/modules/$KernelVer/extra + rm -rf lib/modules/$KernelVer/{extra,internal} if [ $DoModules -eq 1 ]; then @@ -2068,6 +2098,20 @@ fi\ %{nil} # +# This macro defines a %%post script for a kernel*-modules-internal package. +# It also defines a %%postun script that does the same thing. +# %%kernel_modules_internal_post [] +# +%define kernel_modules_internal_post() \ +%{expand:%%post %{?1:%{1}-}modules-internal}\ +/sbin/depmod -a %{KVERREL}%{?1:+%{1}}\ +%{nil}\ +%{expand:%%postun %{?1:%{1}-}modules-internal}\ +/sbin/depmod -a %{KVERREL}%{?1:+%{1}}\ +%{nil} + + +# # This macro defines a %%post script for a kernel*-modules package. # It also defines a %%postun script that does the same thing. # %%kernel_modules_post [] 
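Review bot: In the `@@ -1686` hunk the blacklist pass (`%{SOURCE19}`) runs before the second `%{SOURCE17}` call moves the listed modules into `internal/`, and the script only walks `$kernel_base/extra`, so nothing that ends up in modules-internal is ever checked for a `net-` alias. If that is intentional because the package is not meant for general installs, say so next to the call, e.g. `# modules-internal is intentionally not scanned for auto-loadable aliases`. Otherwise the scan would have to run after both moves and cover both directories. BuildKernel() starts and ends outside the hunk.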
@@ -2102,6 +2146,7 @@ fi\ %{expand:%%kernel_devel_post %{?-v*}}\ %{expand:%%kernel_modules_post %{?-v*}}\ %{expand:%%kernel_modules_extra_post %{?-v*}}\ +%{expand:%%kernel_modules_internal_post %{?-v*}}\ %{expand:%%kernel_variant_posttrans %{?-v*}}\ %{expand:%%post %{?-v*:%{-v*}-}core}\ %{-r:\ @@ -2237,7 +2282,13 @@ fi %defverify(not mtime)\ /usr/src/kernels/%{KVERREL}%{?3:+%{3}}\ %{expand:%%files %{?3:%{3}-}modules-extra}\ +%config(noreplace) /etc/modprobe.d/*-blacklist.conf\ /lib/modules/%{KVERREL}%{?3:+%{3}}/extra\ +%%defattr(-,root,root)\ +%defverify(not mtime)\ +/usr/src/kernels/%{KVERREL}%{?3:+%{3}}\ +%{expand:%%files %{?3:%{3}-}modules-internal}\ +/lib/modules/%{KVERREL}%{?3:+%{3}}/internal\ %if %{with_debuginfo}\ %ifnarch noarch\ %{expand:%%files -f debuginfo%{?3}.list %{?3:%{3}-}debuginfo}\ diff --git a/mod-extra-blacklist.sh b/mod-extra-blacklist.sh new file mode 100755 index 0000000..9569ef6 --- /dev/null +++ b/mod-extra-blacklist.sh 
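Review bot: In the `@@ -2237` hunk the three added lines `%%defattr(-,root,root)\`, `%defverify(not mtime)\` and `/usr/src/kernels/%{KVERREL}%{?3:+%{3}}\` sit after the `extra` entry and before the new `%files … modules-internal` header, so they become part of the modules-extra file list. The same path is already listed just above the `modules-extra` header, so modules-extra would also claim the kernel source tree. This looks like a copy or merge leftover; dropping those three lines leaves `%{expand:%%files %{?3:%{3}-}modules-internal}\` directly after the `extra` entry. Separately, `%config(noreplace) /etc/modprobe.d/*-blacklist.conf` is a glob over a directory that appears to be shared by every variant built into the same buildroot, so it is worth confirming that each modules-extra subpackage owning all generated files is intended, and that the build tolerates the glob matching nothing. The macro these lines belong to starts and ends outside the hunk.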
@@ -0,0 +1,48 @@ +#!/bin/bash + +buildroot="$1" +kernel_base="$2" + +blacklist() +{ + cat > "$buildroot/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__ + # This kernel module can be automatically loaded by non-root users. To + # enhance system security, the module is blacklisted by default to ensure + # system administrators make the module available for use as needed. + # See https://access.redhat.com/articles/3760101 for more details. + # + # Remove the blacklist by adding a comment # at the start of the line. + blacklist $1 +__EOF__ +} + +check_blacklist() +{ + if modinfo "$1" | grep -q '^alias:\s\+net-'; then + mod="${1##*/}" + mod="${mod%.ko*}" + echo "$mod has an alias that allows auto-loading. Blacklisting." + blacklist "$mod" + fi +} + +foreachp() +{ + P=$(nproc) + bgcount=0 + while read mod; do + $1 "$mod" & + + bgcount=$((bgcount + 1)) + if [ $bgcount -eq $P ]; then + wait -n + bgcount=$((bgcount - 1)) + fi + done + + wait +} + +[ -d "$buildroot/etc/modprobe.d/" ] || mkdir -p "$buildroot/etc/modprobe.d/" +find "$buildroot/$kernel_base/extra" -name "*.ko*" | \ + foreachp check_blacklist diff --git a/mod-extra.sh b/mod-extra.sh index d121bd0..7dc075b 100755 --- a/mod-extra.sh +++ b/mod-extra.sh @@ -2,6 +2,10 @@ Dir=$1 List=$2 +Dest="extra" + +# Destination was specified on the command line +test -n "$3" && Dest="$3" pushd $Dir rm -rf modnames 
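Review bot: `check_blacklist` treats a failing `modinfo` the same as "no `net-` alias". The `modinfo "$1" | grep -q …` pipeline reports only grep's status, each check runs in the background, and the bare `wait` at the end of `foreachp` returns 0, so the script exits successfully even if no module could be inspected. Since the generated `blacklist` entries are the hardening this script exists for, a tooling error should fail the build rather than silently ship a module without its entry. The sketch below captures the `modinfo` output first (which also avoids `grep -q` closing the pipe early), reaps jobs one at a time so their statuses are kept, and uses `read -r`.

```shell
check_blacklist()
{
	info=$(modinfo "$1") || { echo "modinfo failed for $1" >&2; return 1; }
	if grep -q '^alias:\s\+net-' <<<"$info"; then
		# … unchanged: derive $mod, report, call blacklist …
	fi
}

foreachp()
{
	P=$(nproc)
	bgcount=0
	rc=0
	while IFS= read -r mod; do
		$1 "$mod" &

		bgcount=$((bgcount + 1))
		if [ $bgcount -eq $P ]; then
			wait -n || rc=1
			bgcount=$((bgcount - 1))
		fi
	done

	# a bare `wait` discards exit statuses; reap the remaining jobs one by one
	while [ $bgcount -gt 0 ]; do
		wait -n || rc=1
		bgcount=$((bgcount - 1))
	done
	return $rc
}
```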
@@ -11,43 +15,45 @@ find . -name "*.ko" -type f > modnames rm -rf dep.list dep2.list rm -rf req.list req2.list touch dep.list req.list -cp $2 . +cp "$List" . -for dep in `cat modnames` -do - depends=`modinfo $dep | grep depends| cut -f2 -d":" | sed -e 's/^[ \t]*//'` - [ -z "$depends" ] && continue; - for mod in `echo $depends | sed -e 's/,/ /g'` +# This variable needs to be exported because it is used in sub-script +# executed by xargs +export ListName=$(basename "$List") + +# NB: this loop runs 2000+ iterations. Try to be fast. +NPROC=`nproc` +[ -z "$NPROC" ] && NPROC=1 +cat modnames | xargs -r -n1 -P $NPROC sh -c ' + dep=$1 + depends=`modinfo $dep | sed -n -e "/^depends/ s/^depends:[ \t]*//p"` + [ -z "$depends" ] && exit + for mod in ${depends//,/ } do - match=`grep "^$mod.ko" mod-extra.list` ||: - if [ -z "$match" ] + match=$(grep "^$mod.ko" "$ListName") + [ -z "$match" ] && continue + # check if the module we are looking at is in mod-extra too. + # if so we do not need to mark the dep as required. + mod2=${dep##*/} # same as `basename $dep`, but faster + match2=$(grep "^$mod2" "$ListName") + if [ -n "$match2" ] then + #echo $mod2 >> notreq.list continue - else - # check if the module we're looking at is in mod-extra too. 
if so - # we don't need to mark the dep as required - mod2=`basename $dep` - match2=`grep "^$mod2" mod-extra.list` ||: - if [ -n "$match2" ] - then - continue - #echo $mod2 >> notreq.list - else - echo $mod.ko >> req.list - fi fi + echo $mod.ko >> req.list done -done +' DUMMYARG0 # xargs appends MODNAME, which becomes $dep in the script above sort -u req.list > req2.list -sort -u mod-extra.list > mod-extra2.list -join -v 1 mod-extra2.list req2.list > mod-extra3.list +sort -u "$ListName" > modules2.list +join -v 1 modules2.list req2.list > modules3.list -for mod in `cat mod-extra3.list` +for mod in $(cat modules3.list) do # get the path for the module - modpath=`grep /$mod modnames` ||: - [ -z "$modpath" ] && continue; + modpath=`grep /$mod modnames` + [ -z "$modpath" ] && continue echo $modpath >> dep.list done @@ -56,7 +62,7 @@ sort -u dep.list > dep2.list # now move the modules into the extra/ directory for mod in `cat dep2.list` do - newpath=`dirname $mod | sed -e 's/kernel\//extra\//'` + newpath=`dirname $mod | sed -e "s/kernel\\//$Dest\//"` mkdir -p $newpath mv $mod $newpath done @@ -76,5 +82,5 @@ done pushd $Dir rm modnames dep.list dep2.list req.list req2.list -rm mod-extra.list mod-extra2.list mod-extra3.list +rm "$ListName" modules2.list modules3.list popd diff --git a/mod-internal.list b/mod-internal.list new file mode 100644 index 0000000..9270dcc --- /dev/null +++ b/mod-internal.list @@ -0,0 +1,4 @@ +mac80211_hwsim +netdevsim +pktgen +rocker
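Review bot: The lookups in the `@@ -11,43` hunk still assume list entries carry a `.ko` suffix. `grep "^$mod.ko" "$ListName"` and `grep "^$mod2" "$ListName"` (where `$mod2` is a file name such as `foo.ko`) cannot match the entries in the new mod-internal.list (`mac80211_hwsim`, `netdevsim`, `pktgen`, `rocker`), so for the internal pass `req.list` stays empty and the check that keeps a listed module in place when something outside the list depends on it is skipped. The modules still get moved only because `grep /$mod modnames` is an unanchored substring match, which would equally pick up any other module whose file name begins with a listed name. Either write the entries as `pktgen.ko` etc. (presumably the mod-extra.list convention) or make the matches exact, e.g. `grep -Fx "$mod.ko" "$ListName"` and `grep -Fx "$mod2" "$ListName"` with suffixed entries. Also, `${depends//,/ }` is a bash expansion inside `sh -c`; invoking `bash -c` would make that requirement explicit.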