!23 Upgrade to 2.0.5

From: @jxy_git 
Reviewed-by: @yangzhao_kl 
Signed-off-by: @yangzhao_kl
openeuler-ci-bot 2022-10-11 01:57:05 +00:00 committed by Gitee
commit 8cc0e29740
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
8 changed files with 99 additions and 646 deletions


@ -1,44 +0,0 @@
From 47ecd21b9acb108eb4e024c51cdefadac2d74a64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Tue, 26 Nov 2019 20:07:36 +0100
Subject: [PATCH] Build: fix unability to build with Inkscape 1.0 beta
version(s)
...and possibly beyond.
References:
https://gitlab.com/inkscape/inbox/issues/1244
---
doc/Makefile.am | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 257f5cdf5..d8c846830 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -84,14 +84,19 @@ PNGS = $(PNGS_ORIGINAL) $(PNGS_GENERATED)
graphics: $(PNGS)
+
+# two-phased attempts for Inkscape pre-1.0 and 1.0+ (upcoming) discrepancy
%.png: %.svg
- $(AM_V_GEN)$(INKSCAPE) --file=$< --export-dpi=90 -C --export-png=$@ $(PCMK_quiet)
+ $(AM_V_GEN) { $(INKSCAPE) --export-dpi=90 -C --export-png=$@ $< \
+ || $(INKSCAPE) --export-dpi=90 -C --export-file=$@ $<; } $(PCMK_quiet)
%-small.png: %.svg
- $(AM_V_GEN)$(INKSCAPE) --file=$< --export-dpi=45 -C --export-png=$@ $(PCMK_quiet)
+ $(AM_V_GEN) { $(INKSCAPE) --export-dpi=45 -C --export-png=$@ $< \
+ || $(INKSCAPE) --export-dpi=45 -C --export-file=$@ $<; } $(PCMK_quiet)
%-large.png: %.svg
- $(AM_V_GEN)$(INKSCAPE) --file=$< --export-dpi=180 -C --export-png=$@ $(PCMK_quiet)
+ $(AM_V_GEN) { $(INKSCAPE) --export-dpi=180 -C --export-png=$@ $< \
+ || $(INKSCAPE) --export-dpi=180 -C --export-file=$@ $<; } $(PCMK_quiet)
if IS_ASCIIDOC
ASCIIDOC_HTML_ARGS = --unsafe --backend=xhtml11
--
2.24.0


@ -1,514 +0,0 @@
From 3d1a7dc0c545c1ffba216df5c82b5ee3e3c7b3bf Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Fri, 9 Oct 2020 09:56:03 -0500
Subject: [PATCH 1/7] Log: executor: show CRM_OP_REGISTER rc in debug message
Previously, process_lrmd_signon() would add the rc to the client reply
but not pass it back to process_lrmd_message(), which would always log "OK" in
its debug message, even if the sign-on was rejected.
---
daemons/execd/execd_commands.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c
index 9ded90c..aadbc4d 100644
--- a/daemons/execd/execd_commands.c
+++ b/daemons/execd/execd_commands.c
@@ -1517,10 +1517,10 @@ free_rsc(gpointer data)
free(rsc);
}
-static xmlNode *
-process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id)
+static int
+process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id,
+ xmlNode **reply)
{
- xmlNode *reply = NULL;
int rc = pcmk_ok;
const char *is_ipc_provider = crm_element_value(request, F_LRMD_IS_IPC_PROVIDER);
const char *protocol_version = crm_element_value(request, F_LRMD_PROTOCOL_VERSION);
@@ -1531,18 +1531,19 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id)
rc = -EPROTO;
}
- reply = create_lrmd_reply(__FUNCTION__, rc, call_id);
- crm_xml_add(reply, F_LRMD_OPERATION, CRM_OP_REGISTER);
- crm_xml_add(reply, F_LRMD_CLIENTID, client->id);
- crm_xml_add(reply, F_LRMD_PROTOCOL_VERSION, LRMD_PROTOCOL_VERSION);
-
if (crm_is_true(is_ipc_provider)) {
// This is a remote connection from a cluster node's controller
#ifdef SUPPORT_REMOTE
ipc_proxy_add_provider(client);
#endif
}
- return reply;
+
+ *reply = create_lrmd_reply(__func__, rc, call_id);
+ crm_xml_add(*reply, F_LRMD_OPERATION, CRM_OP_REGISTER);
+ crm_xml_add(*reply, F_LRMD_CLIENTID, client->id);
+ crm_xml_add(*reply, F_LRMD_PROTOCOL_VERSION, LRMD_PROTOCOL_VERSION);
+
+ return rc;
}
static int
@@ -1854,7 +1855,7 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
#endif
do_reply = 1;
} else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) {
- reply = process_lrmd_signon(client, request, call_id);
+ rc = process_lrmd_signon(client, request, call_id, &reply);
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) {
rc = process_lrmd_rsc_register(client, id, request);
--
1.8.3.1
From d4cc1949292aaa42368e2871a04e67f65f22c154 Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Fri, 9 Oct 2020 15:16:39 -0500
Subject: [PATCH 2/7] Low: executor: mark controller connections to
pacemaker-remoted as privileged
Previously, crm_client_flag_ipc_privileged was only set when local clients connected
(as root or hacluster). Now, set it when pacemaker-remoted successfully
completes the TLS handshake with a remote client (i.e., the controller on a
cluster node).
This has no effect as of this commit but will with later commits.
---
daemons/execd/remoted_tls.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/daemons/execd/remoted_tls.c b/daemons/execd/remoted_tls.c
index cd7cbe5..ea9cf3e 100644
--- a/daemons/execd/remoted_tls.c
+++ b/daemons/execd/remoted_tls.c
@@ -74,6 +74,11 @@ remoted__read_handshake_data(crm_client_t *client)
client->remote->tls_handshake_complete = TRUE;
crm_notice("Remote client connection accepted");
+ /* Only a client with access to the TLS key can connect, so we can treat
+ * it as privileged.
+ */
+ set_bit(client->flags, crm_client_flag_ipc_privileged);
+
// Alert other clients of the new connection
notify_of_new_client(client);
return 0;
--
1.8.3.1
From bb6ae415a534fa9f1bd1ec06e0a0b4c64b1e8530 Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Thu, 15 Oct 2020 15:33:13 -0500
Subject: [PATCH 3/7] Low: executor: return appropriate error code when no
remote support
---
daemons/execd/execd_commands.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c
index aadbc4d..84e9c40 100644
--- a/daemons/execd/execd_commands.c
+++ b/daemons/execd/execd_commands.c
@@ -1532,9 +1532,11 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id,
}
if (crm_is_true(is_ipc_provider)) {
- // This is a remote connection from a cluster node's controller
#ifdef SUPPORT_REMOTE
+ // This is a remote connection from a cluster node's controller
ipc_proxy_add_provider(client);
+#else
+ rc = -EPROTONOSUPPORT;
#endif
}
@@ -1852,6 +1854,8 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
if (crm_str_eq(op, CRM_OP_IPC_FWD, TRUE)) {
#ifdef SUPPORT_REMOTE
ipc_proxy_forward_client(client, request);
+#else
+ rc = -EPROTONOSUPPORT;
#endif
do_reply = 1;
} else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) {
--
1.8.3.1
From 6fdf576fe506837099561a0fc6409fc315a9f2b7 Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Thu, 15 Oct 2020 15:33:57 -0500
Subject: [PATCH 4/7] High: executor: restrict certain IPC requests to
Pacemaker daemons
The executor IPC API allows clients to register resources, request agent
execution, and so forth.
If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs and
execute any code as root. (If ACLs are not enabled, users in the haclient group
have full access to the CIB, which already gives them that ability, so there is
no additional exposure in that case.)
When ACLs are supported, this commit effectively disables the executor IPC API
for clients that aren't connecting as root or hacluster. Such clients can only
register and poke now.
---
daemons/execd/execd_commands.c | 91 +++++++++++++++++++++++++++++++++---------
1 file changed, 73 insertions(+), 18 deletions(-)
diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c
index 84e9c40..e217ce7 100644
--- a/daemons/execd/execd_commands.c
+++ b/daemons/execd/execd_commands.c
@@ -1533,8 +1533,12 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id,
if (crm_is_true(is_ipc_provider)) {
#ifdef SUPPORT_REMOTE
- // This is a remote connection from a cluster node's controller
- ipc_proxy_add_provider(client);
+ if ((client->remote != NULL) && client->remote->tls_handshake_complete) {
+ // This is a remote connection from a cluster node's controller
+ ipc_proxy_add_provider(client);
+ } else {
+ rc = -EACCES;
+ }
#else
rc = -EPROTONOSUPPORT;
#endif
@@ -1848,12 +1852,26 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
int do_notify = 0;
xmlNode *reply = NULL;
+ bool allowed = true;
+
+#if ENABLE_ACL
+ /* Certain IPC commands may be done only by privileged users (i.e. root or
+ * hacluster) when ACLs are enabled, because they would otherwise provide a
+ * means of bypassing ACLs.
+ */
+ allowed = is_set(client->flags, crm_client_flag_ipc_privileged);
+#endif
+
crm_trace("Processing %s operation from %s", op, client->id);
crm_element_value_int(request, F_LRMD_CALLID, &call_id);
if (crm_str_eq(op, CRM_OP_IPC_FWD, TRUE)) {
#ifdef SUPPORT_REMOTE
- ipc_proxy_forward_client(client, request);
+ if (allowed) {
+ ipc_proxy_forward_client(client, request);
+ } else {
+ rc = -EACCES;
+ }
#else
rc = -EPROTONOSUPPORT;
#endif
@@ -1862,38 +1880,70 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
rc = process_lrmd_signon(client, request, call_id, &reply);
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) {
- rc = process_lrmd_rsc_register(client, id, request);
- do_notify = 1;
+ if (allowed) {
+ rc = process_lrmd_rsc_register(client, id, request);
+ do_notify = 1;
+ } else {
+ rc = -EACCES;
+ }
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_RSC_INFO, TRUE)) {
- reply = process_lrmd_get_rsc_info(request, call_id);
+ if (allowed) {
+ reply = process_lrmd_get_rsc_info(request, call_id);
+ } else {
+ rc = -EACCES;
+ }
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_RSC_UNREG, TRUE)) {
- rc = process_lrmd_rsc_unregister(client, id, request);
- /* don't notify anyone about failed un-registers */
- if (rc == pcmk_ok || rc == -EINPROGRESS) {
- do_notify = 1;
+ if (allowed) {
+ rc = process_lrmd_rsc_unregister(client, id, request);
+ /* don't notify anyone about failed un-registers */
+ if (rc == pcmk_ok || rc == -EINPROGRESS) {
+ do_notify = 1;
+ }
+ } else {
+ rc = -EACCES;
}
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_RSC_EXEC, TRUE)) {
- rc = process_lrmd_rsc_exec(client, id, request);
+ if (allowed) {
+ rc = process_lrmd_rsc_exec(client, id, request);
+ } else {
+ rc = -EACCES;
+ }
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_RSC_CANCEL, TRUE)) {
- rc = process_lrmd_rsc_cancel(client, id, request);
+ if (allowed) {
+ rc = process_lrmd_rsc_cancel(client, id, request);
+ } else {
+ rc = -EACCES;
+ }
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_POKE, TRUE)) {
do_notify = 1;
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_CHECK, TRUE)) {
- xmlNode *data = get_message_xml(request, F_LRMD_CALLDATA);
- const char *timeout = crm_element_value(data, F_LRMD_WATCHDOG);
- CRM_LOG_ASSERT(data != NULL);
- check_sbd_timeout(timeout);
+ if (allowed) {
+ xmlNode *data = get_message_xml(request, F_LRMD_CALLDATA);
+
+ CRM_LOG_ASSERT(data != NULL);
+ check_sbd_timeout(crm_element_value(data, F_LRMD_WATCHDOG));
+ } else {
+ rc = -EACCES;
+ }
} else if (crm_str_eq(op, LRMD_OP_ALERT_EXEC, TRUE)) {
- rc = process_lrmd_alert_exec(client, id, request);
+ if (allowed) {
+ rc = process_lrmd_alert_exec(client, id, request);
+ } else {
+ rc = -EACCES;
+ }
do_reply = 1;
} else if (crm_str_eq(op, LRMD_OP_GET_RECURRING, TRUE)) {
- reply = process_lrmd_get_recurring(request, call_id);
+ if (allowed) {
+ reply = process_lrmd_get_recurring(request, call_id);
+ } else {
+ rc = -EACCES;
+ }
do_reply = 1;
} else {
rc = -EOPNOTSUPP;
@@ -1902,6 +1952,11 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
crm_log_xml_warn(request, "UnknownOp");
}
+ if (rc == -EACCES) {
+ crm_warn("Rejecting IPC request '%s' from unprivileged client %s",
+ op, crm_client_name(client));
+ }
+
crm_debug("Processed %s operation from %s: rc=%d, reply=%d, notify=%d",
op, client->id, rc, do_reply, do_notify);
--
1.8.3.1
From 38397e6a04a4b8a16771e57b5b19fc0f7111063b Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Fri, 9 Oct 2020 11:16:43 -0500
Subject: [PATCH 5/7] Low: pacemakerd: check client for NULL before using it
... to guard against bugs in client tracking
---
daemons/pacemakerd/pacemakerd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/daemons/pacemakerd/pacemakerd.c b/daemons/pacemakerd/pacemakerd.c
index d8ff53d..278b48b 100644
--- a/daemons/pacemakerd/pacemakerd.c
+++ b/daemons/pacemakerd/pacemakerd.c
@@ -560,9 +560,12 @@ pcmk_ipc_dispatch(qb_ipcs_connection_t * qbc, void *data, size_t size)
uint32_t id = 0;
uint32_t flags = 0;
const char *task = NULL;
+ xmlNode *msg = NULL;
crm_client_t *c = crm_client_get(qbc);
- xmlNode *msg = crm_ipcs_recv(c, data, size, &id, &flags);
+ CRM_CHECK(c != NULL, return 0);
+
+ msg = crm_ipcs_recv(c, data, size, &id, &flags);
crm_ipcs_send_ack(c, id, flags, "ack", __FUNCTION__, __LINE__);
if (msg == NULL) {
return 0;
--
1.8.3.1
From 03d1f5861229b3b28728fa0eabfc99ddc9bccaa4 Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Fri, 9 Oct 2020 11:17:18 -0500
Subject: [PATCH 6/7] High: pacemakerd: ignore shutdown requests from
unprivileged users
The pacemakerd IPC API supports a shutdown request, along with a
command-line interface for using it (pacemakerd --shutdown).
Only the haclient group has access to the IPC. Without ACLs, that group can
already shut down Pacemaker via the CIB, so there's no security implication.
However, it might not be desired to allow ACL-restricted users to shut down
Pacemaker, so block users other than root or hacluster if ACLs are supported.
---
daemons/pacemakerd/pacemakerd.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/daemons/pacemakerd/pacemakerd.c b/daemons/pacemakerd/pacemakerd.c
index 278b48b..ebb14e8 100644
--- a/daemons/pacemakerd/pacemakerd.c
+++ b/daemons/pacemakerd/pacemakerd.c
@@ -573,10 +573,26 @@ pcmk_ipc_dispatch(qb_ipcs_connection_t * qbc, void *data, size_t size)
task = crm_element_value(msg, F_CRM_TASK);
if (crm_str_eq(task, CRM_OP_QUIT, TRUE)) {
- /* Time to quit */
- crm_notice("Shutting down in response to ticket %s (%s)",
- crm_element_value(msg, F_CRM_REFERENCE), crm_element_value(msg, F_CRM_ORIGIN));
- pcmk_shutdown(15);
+ bool allowed = true;
+
+#if ENABLE_ACL
+ /* Only allow privileged users (i.e. root or hacluster)
+ * to shut down Pacemaker from the command line (or direct IPC).
+ *
+ * We only check when ACLs are enabled, because without them, any client
+ * with IPC access could shut down Pacemaker via the CIB anyway.
+ */
+ allowed = is_set(c->flags, crm_client_flag_ipc_privileged);
+#endif
+ if (allowed) {
+ crm_notice("Shutting down in response to IPC request %s from %s",
+ crm_element_value(msg, F_CRM_REFERENCE),
+ crm_element_value(msg, F_CRM_ORIGIN));
+ pcmk_shutdown(15);
+ } else {
+ crm_warn("Ignoring shutdown request from unprivileged client %s",
+ crm_client_name(c));
+ }
} else if (crm_str_eq(task, CRM_OP_RM_NODE_CACHE, TRUE)) {
/* Send to everyone */
--
1.8.3.1
From 5fcb1e923d2e900da672306fb82a946a0af5e641 Mon Sep 17 00:00:00 2001
From: Ken Gaillot <kgaillot@redhat.com>
Date: Fri, 9 Oct 2020 11:55:26 -0500
Subject: [PATCH 7/7] Fix: fencer: restrict certain IPC requests to privileged
users
The fencer IPC API allows clients to register fence devices.
If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs to
configure fencing. If the user is able to install executables to the standard
fencing agent locations, have arbitrary code executed as root (the standard
locations generally require root for write access, so that is unlikely to be an
issue).
If ACLs are not enabled, users in the haclient group have full access to the
CIB, which already gives them these capabilities, so there is no additional
exposure in that case.
This commit does not restrict unprivileged users from using other fencing API,
such as requesting actual fencing.
---
daemons/fenced/fenced_commands.c | 41 ++++++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/daemons/fenced/fenced_commands.c b/daemons/fenced/fenced_commands.c
index 9d3f924..d965d7c 100644
--- a/daemons/fenced/fenced_commands.c
+++ b/daemons/fenced/fenced_commands.c
@@ -2455,6 +2455,18 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req
const char *op = crm_element_value(request, F_STONITH_OPERATION);
const char *client_id = crm_element_value(request, F_STONITH_CLIENTID);
+ bool allowed = true;
+
+#if ENABLE_ACL
+ /* IPC commands related to fencing configuration may be done only by
+ * privileged users (i.e. root or hacluster) when ACLs are supported,
+ * because all other users should go through the CIB to have ACLs applied.
+ */
+ if (client != NULL) {
+ allowed = is_set(client->flags, crm_client_flag_ipc_privileged);
+ }
+#endif
+
crm_element_value_int(request, F_STONITH_CALLOPTS, &call_options);
if (is_set(call_options, st_opt_sync_call)) {
@@ -2604,27 +2616,43 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req
} else if (crm_str_eq(op, STONITH_OP_DEVICE_ADD, TRUE)) {
const char *device_id = NULL;
- rc = stonith_device_register(request, &device_id, FALSE);
+ if (allowed) {
+ rc = stonith_device_register(request, &device_id, FALSE);
+ } else {
+ rc = -EACCES;
+ }
do_stonith_notify_device(call_options, op, rc, device_id);
} else if (crm_str_eq(op, STONITH_OP_DEVICE_DEL, TRUE)) {
xmlNode *dev = get_xpath_object("//" F_STONITH_DEVICE, request, LOG_ERR);
const char *device_id = crm_element_value(dev, XML_ATTR_ID);
- rc = stonith_device_remove(device_id, FALSE);
+ if (allowed) {
+ rc = stonith_device_remove(device_id, FALSE);
+ } else {
+ rc = -EACCES;
+ }
do_stonith_notify_device(call_options, op, rc, device_id);
} else if (crm_str_eq(op, STONITH_OP_LEVEL_ADD, TRUE)) {
char *device_id = NULL;
- rc = stonith_level_register(request, &device_id);
+ if (allowed) {
+ rc = stonith_level_register(request, &device_id);
+ } else {
+ rc = -EACCES;
+ }
do_stonith_notify_level(call_options, op, rc, device_id);
free(device_id);
} else if (crm_str_eq(op, STONITH_OP_LEVEL_DEL, TRUE)) {
char *device_id = NULL;
- rc = stonith_level_remove(request, &device_id);
+ if (allowed) {
+ rc = stonith_level_remove(request, &device_id);
+ } else {
+ rc = -EACCES;
+ }
do_stonith_notify_level(call_options, op, rc, device_id);
} else if(safe_str_eq(op, CRM_OP_RM_NODE_CACHE)) {
@@ -2644,6 +2672,11 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req
done:
+ if (rc == -EACCES) {
+ crm_warn("Rejecting IPC request '%s' from unprivileged client %s",
+ crm_str(op), crm_client_name(client));
+ }
+
/* Always reply unless the request is in process still.
* If in progress, a reply will happen async after the request
* processing is finished */
--
1.8.3.1


@ -1,13 +0,0 @@
diff --git a/cts/cts-cli.in b/cts/cts-cli.in
index cff4bbf..707403f 100644
--- a/cts/cts-cli.in
+++ b/cts/cts-cli.in
@@ -947,7 +947,7 @@ EOF
if [ "$(uname)" == "FreeBSD" ]; then
tomorrow=$(date -v+1d +"%F %T %z")
else
- tomorrow=$(date --date=tomorrow +"%F %T %z")
+ tomorrow=$(date --date=tomorrow +"%F %T")
fi
TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)


@ -0,0 +1,10 @@
--- configure.ac 2020-12-03 01:08:53.000000000 +0800
+++ configure.ac 2022-02-16 06:04:06.770474753 +0800
@@ -1728,7 +1728,6 @@ dnl otherwise none of both
-Wno-long-long
-Wno-strict-aliasing
-Wpointer-arith
- -Wstrict-prototypes
-Wwrite-strings
-Wunused-but-set-variable
-Wunsigned-char"
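Review bot: The added patch file removes `-Wstrict-prototypes` from the configure.ac warning list for the whole build, but nothing in it says which declaration failed or why dropping the warning is preferable to fixing that declaration. Unlike the patch files this commit deletes, it has no From/Subject/description block, so a later maintainer cannot tell whether it is still needed after the next upgrade. I would add a short header at the top of the patch, for example `Subject: [PATCH] Build: drop -Wstrict-prototypes (<failing declaration and toolchain>)`, plus one line on upstream status. If the failure comes from a single known declaration, giving it a prototype would keep the check active for the rest of the C sources; the surrounding configure.ac context is not visible here, so that alternative needs confirming.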

Binary file not shown.

Binary file not shown.

View File

@ -3,6 +3,7 @@
## User and group to use for nonprivileged services ## User and group to use for nonprivileged services
%global uname hacluster %global uname hacluster
%global gname haclient %global gname haclient
%global hacluster_id 189
## Where to install Pacemaker documentation ## Where to install Pacemaker documentation
%global pcmk_docdir %{_docdir}/%{name} %global pcmk_docdir %{_docdir}/%{name}
@ -13,12 +14,12 @@
## Upstream pacemaker version, and its package version (specversion ## Upstream pacemaker version, and its package version (specversion
## can be incremented to build packages reliably considered "newer" ## can be incremented to build packages reliably considered "newer"
## than previously built packages with the same pcmkversion) ## than previously built packages with the same pcmkversion)
%global pcmkversion 2.0.3 %global pcmkversion 2.0.5
%global specversion 3 %global specversion 1
## Upstream commit (or git tag, such as "Pacemaker-" plus the ## Upstream commit (or git tag, such as "Pacemaker-" plus the
## {pcmkversion} macro for an official release) to use for this package ## {pcmkversion} macro for an official release) to use for this package
%global commit Pacemaker-2.0.3 %global commit Pacemaker-2.0.5
## Since git v2.11, the extent of abbreviation is autoscaled by default ## Since git v2.11, the extent of abbreviation is autoscaled by default
## (used to be constant of 7), so we need to convey it for non-tags, too. ## (used to be constant of 7), so we need to convey it for non-tags, too.
%global commit_abbrev 9 %global commit_abbrev 9
@ -26,7 +27,7 @@
## Nagios source control identifiers ## Nagios source control identifiers
%global nagios_name nagios-agents-metadata %global nagios_name nagios-agents-metadata
%global nagios_hash 105ab8a7b2c16b9a29cf1c1596b80136eeef332b %global nagios_hash 105ab8a7b2c16b9a29cf1c1596b80136eeef332b
%global nagios_archive_github_url %{nagios_hash}#/%{nagios_name}-%{nagios_hash}.tar.gz
# Define globals for convenient use later # Define globals for convenient use later
@ -34,18 +35,26 @@
%global lparen ( %global lparen (
%global rparen ) %global rparen )
## Short version of git commit ## Whether this is a tagged release (final or release candidate)
%define shortcommit %(c=%{commit}; case ${c} in %define tag_release %(c=%{commit}; case ${c} in Pacemaker-*%{rparen} echo 1 ;;
Pacemaker-*%{rparen} echo ${c:10};; *%{rparen} echo 0 ;; esac)
*%{rparen} echo ${c:0:%{commit_abbrev}};; esac)
## Whether this is a tagged release ## Portion of export/dist tarball name after "pacemaker-", and release version
%define tag_release %([ %{commit} != Pacemaker-%{shortcommit} ]; echo $?) %if 0%{tag_release}
%define archive_version %{commit}
## Whether this is a release candidate (in case of a tagged release) %define archive_github_url %{commit}#/%{name}-%{archive_version}.tar.gz
%define pre_release %([ "%{tag_release}" -eq 0 ] || { %define pcmk_release %(c=%{commit}; case $c in *-rc[[:digit:]]*%{rparen}
case "%{shortcommit}" in *-rc[[:digit:]]*%{rparen} false;; echo 0.%{specversion}.${c: -3} ;;
esac; }; echo $?) *%{rparen} echo %{specversion} ;; esac)
%else
%define archive_version %(c=%{commit}; echo ${c:0:%{commit_abbrev}})
%define archive_github_url %{archive_version}#/%{name}-%{archive_version}.tar.gz
%if %{with pre_release}
%define pcmk_release 0.%{specversion}.%{archive_version}.git
%else
%define pcmk_release %{specversion}.%{archive_version}.git
%endif
%endif
## Heuristic used to infer bleeding-edge deployments that are ## Heuristic used to infer bleeding-edge deployments that are
## less likely to have working versions of the documentation tools ## less likely to have working versions of the documentation tools
@ -72,16 +81,19 @@
## Values that differ by Python major version ## Values that differ by Python major version
%global python_path /usr/bin/python%{?python3_pkgversion}%{!?python3_pkgversion:3} %global python_path /usr/bin/python%{?python3_pkgversion}%{!?python3_pkgversion:3}
%global python_pkg python3 %global python_name python3
%global python_min 3.2 %global python_min 3.2
%define py_site %{?python3_sitelib}%{!?python3_sitelib:%( %define python_site %{?python3_sitelib}%{!?python3_sitelib:%(
python3 -c 'from distutils.sysconfig import get_python_lib as gpl; print(gpl(1))' 2>/dev/null)} %{python_path} -c 'from distutils.sysconfig import get_python_lib as gpl; print(gpl(1))' 2>/dev/null)}
# Define conditionals so that "rpmbuild --with <feature>" and # Define conditionals so that "rpmbuild --with <feature>" and
# "rpmbuild --without <feature>" can enable and disable specific features # "rpmbuild --without <feature>" can enable and disable specific features
## NOTE: skip --with stonith ## NOTE: skip --with stonithd
## Add option to enable support for storing sensitive information outside CIB
%bcond_with cibsecrets
## Add option to create binaries suitable for use with profiling tools ## Add option to create binaries suitable for use with profiling tools
%bcond_with profiling %bcond_with profiling
@ -89,7 +101,7 @@
## Add option to create binaries with coverage analysis ## Add option to create binaries with coverage analysis
%bcond_with coverage %bcond_with coverage
## Add option to skip generating documentation ## Add option to skip/enable generating documentation
## (the build tools aren't available everywhere) ## (the build tools aren't available everywhere)
%bcond_without doc %bcond_without doc
@ -115,33 +127,30 @@
%endif %endif
%define pcmk_release %{specversion}
Name: pacemaker Name: pacemaker
Summary: Scalable High-Availability cluster resource manager Summary: Scalable High-Availability cluster resource manager
Version: %{pcmkversion} Version: %{pcmkversion}
Release: %{pcmk_release} Release: %{pcmk_release}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Url: http://www.clusterlabs.org Url: https://www.clusterlabs.org
# Hint: use "spectool -s 0 pacemaker.spec" (rpmdevtools) to check the final URL # Hint: use "spectool -s 0 pacemaker.spec" (rpmdevtools) to check the final URL
Source0: https://github.com/%{github_owner}/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source0: https://codeload.github.com/%{github_owner}/%{name}/tar.gz/%{archive_github_url}
Source1: https://github.com/%{github_owner}/%{nagios_name}/archive/%{nagios_hash}/%{nagios_name}-%{nagios_hash}.tar.gz Source1: https://codeload.github.com/%{github_owner}/%{nagios_name}/tar.gz/%{nagios_archive_github_url}
# --- # ---
Patch0: Build-fix-unability-to-build-with-Inkscape-1.0-beta-.patch Patch0: fix-function-declaration-error.patch
Patch1: Resolve-the-failure-of-time-matching-in-test-cases.patch
Patch2: CVE-2020-25654.patch
Requires: resource-agents Requires: resource-agents
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-cluster-libs%{?_isa} = %{version}-%{release} Requires: %{name}-cluster-libs = %{version}-%{release}
Requires: %{name}-cli = %{version}-%{release} Requires: %{name}-cli = %{version}-%{release}
%{?systemd_requires} %{?systemd_requires}
# Pacemaker requires a minimum Python functionality # Pacemaker requires a minimum Python functionality
Requires: %{python_pkg} >= %{python_min} Requires: %{python_name} >= %{python_min}
BuildRequires: %{python_pkg}-devel >= %{python_min} BuildRequires: make
BuildRequires: %{python_name}-devel >= %{python_min}
# Pacemaker requires a minimum libqb functionality # Pacemaker requires a minimum libqb functionality
Requires: libqb >= 0.13.0 Requires: libqb >= 0.13.0
@ -169,17 +178,17 @@ BuildRequires: corosynclib-devel >= 2.0.0
#BuildRequires: pkgconfig(libcfg) #BuildRequires: pkgconfig(libcfg)
## (note no avoiding effect when building through non-customized mock) ## (note no avoiding effect when building through non-customized mock)
#%%if !%%{bleeding} # %if !%{bleeding}
#%%if %%{with doc} # %if %{with doc}
#BuildRequires: asciidoc inkscape publican # BuildRequires: asciidoc inkscape publican
#%%endif # %endif
#%%endif # %endif
# git-style patch application # git-style patch application
BuildRequires: git # BuildRequires: git
Provides: pcmk-cluster-manager = %{version}-%{release} Provides: pcmk-cluster-manager = %{version}-%{release}
Provides: pcmk-cluster-manager%{?_isa} = %{version}-%{release} Provides: pcmk-cluster-manager = %{version}-%{release}
# Pacemaker uses the crypto/md5 module from gnulib # Pacemaker uses the crypto/md5 module from gnulib
Provides: bundled(gnulib) Provides: bundled(gnulib)
@ -196,15 +205,16 @@ when related resources fail and can be configured to periodically check
resource health. resource health.
Available rpmbuild rebuild options: Available rpmbuild rebuild options:
--with(out) : coverage doc hardening pre_release profiling --with(out) : cibsecrets coverage doc hardening pre_release profiling
%package cli %package cli
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Summary: Command line tools for controlling Pacemaker clusters Summary: Command line tools for controlling Pacemaker clusters
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
%if 0%{?fedora} > 22 || 0%{?rhel} > 7
Recommends: pcmk-cluster-manager = %{version}-%{release} Recommends: pcmk-cluster-manager = %{version}-%{release}
%endif # For crm_report
Recommends: tar
Recommends: bzip2
Requires: perl-TimeDate Requires: perl-TimeDate
Requires: procps-ng Requires: procps-ng
Requires: psmisc Requires: psmisc
@ -236,7 +246,7 @@ nodes and those just running the CLI tools.
%package cluster-libs %package cluster-libs
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Summary: Cluster Libraries used by Pacemaker Summary: Cluster Libraries used by Pacemaker
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
%description cluster-libs %description cluster-libs
Pacemaker is an advanced, scalable High-Availability cluster resource Pacemaker is an advanced, scalable High-Availability cluster resource
@ -248,13 +258,13 @@ libraries needed for nodes that will form part of the cluster nodes.
%package remote %package remote
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Summary: Pacemaker remote daemon for non-cluster nodes Summary: Pacemaker remote daemon for non-cluster nodes
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-cli = %{version}-%{release} Requires: %{name}-cli = %{version}-%{release}
Requires: resource-agents Requires: resource-agents
# -remote can be fully independent of systemd # -remote can be fully independent of systemd
%{?systemd_ordering}%{!?systemd_ordering:%{?systemd_requires}} %{?systemd_ordering}%{!?systemd_ordering:%{?systemd_requires}}
Provides: pcmk-cluster-manager = %{version}-%{release} Provides: pcmk-cluster-manager = %{version}-%{release}
Provides: pcmk-cluster-manager%{?_isa} = %{version}-%{release} Provides: pcmk-cluster-manager = %{version}-%{release}
%description remote %description remote
Pacemaker is an advanced, scalable High-Availability cluster resource Pacemaker is an advanced, scalable High-Availability cluster resource
@ -267,13 +277,13 @@ nodes not running the full corosync/cluster stack.
%package libs-devel %package libs-devel
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Summary: Pacemaker development package Summary: Pacemaker development package
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-cluster-libs%{?_isa} = %{version}-%{release} Requires: %{name}-cluster-libs = %{version}-%{release}
Requires: libtool-ltdl-devel libuuid-devel Requires: libtool-ltdl-devel libuuid-devel
Requires: libxml2-devel%{?_isa} libxslt-devel%{?_isa} Requires: libxml2-devel libxslt-devel
Requires: bzip2-devel%{?_isa} glib2-devel%{?_isa} Requires: bzip2-devel glib2-devel
Requires: libqb-devel%{?_isa} Requires: libqb-devel
Requires: corosynclib-devel%{?_isa} >= 2.0.0 Requires: corosynclib-devel >= 2.0.0
%description libs-devel %description libs-devel
Pacemaker is an advanced, scalable High-Availability cluster resource Pacemaker is an advanced, scalable High-Availability cluster resource
@ -285,21 +295,24 @@ for developing tools for Pacemaker.
%package cts %package cts
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Summary: Test framework for cluster-related technologies like Pacemaker Summary: Test framework for cluster-related technologies like Pacemaker
Requires: %{python_pkg} >= %{python_min} Requires: %{python_name} >= %{python_min}
Requires: %{python_path}
Requires: %{name}-libs = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
Requires: procps-ng Requires: procps-ng
Requires: psmisc Requires: psmisc
BuildArch: noarch BuildArch: noarch
Requires: %{python_pkg}-systemd Requires: %{python_name}-systemd
%description cts %description cts
Test framework for cluster-related technologies like Pacemaker Test framework for cluster-related technologies like Pacemaker
%package doc %package doc
License: CC-BY-SA License: CC-BY-SA-4.0
Summary: Documentation for Pacemaker Summary: Documentation for Pacemaker
BuildArch: noarch BuildArch: noarch
Conflicts: %{name}-libs > %{version}-%{release}
Conflicts: %{name}-libs < %{version}-%{release}
%description doc %description doc
Documentation for Pacemaker. Documentation for Pacemaker.
@ -323,11 +336,11 @@ License: GPLv3
Summary: Pacemaker Nagios Metadata Summary: Pacemaker Nagios Metadata
BuildArch: noarch BuildArch: noarch
# NOTE below are the plugins this metadata uses. # NOTE below are the plugins this metadata uses.
Requires: nagios-plugins-http # Requires: nagios-plugins-http
Requires: nagios-plugins-ldap # Requires: nagios-plugins-ldap
Requires: nagios-plugins-mysql # Requires: nagios-plugins-mysql
Requires: nagios-plugins-pgsql # Requires: nagios-plugins-pgsql
Requires: nagios-plugins-tcp # Requires: nagios-plugins-tcp
Requires: pcmk-cluster-manager Requires: pcmk-cluster-manager
%description nagios-plugins-metadata %description nagios-plugins-metadata
@ -335,18 +348,10 @@ The metadata files required for Pacemaker to execute the nagios plugin
monitor resources. monitor resources.
%prep %prep
%setup -q -a 1 -n %{name}-%{commit} %setup -q -a 1 -n %{name}-%{archive_version}
%global __scm git_am %patch0
%__scm_setup_git
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build %build
# Early versions of autotools (e.g. RHEL <= 5) do not support --docdir
export docdir=%{pcmk_docdir}
export systemdsystemunitdir=%{?_unitdir}%{!?_unitdir:no} export systemdsystemunitdir=%{?_unitdir}%{!?_unitdir:no}
%if %{with hardening} %if %{with hardening}
@ -372,8 +377,10 @@ export CPPFLAGS="-UPCMK_TIME_EMERGENCY_CGT $CPPFLAGS"
%{!?with_legacy_links: --disable-legacy-links} \ %{!?with_legacy_links: --disable-legacy-links} \
%{?with_profiling: --with-profiling} \ %{?with_profiling: --with-profiling} \
%{?with_coverage: --with-coverage} \ %{?with_coverage: --with-coverage} \
%{?with_cibsecrets: --with-cibsecrets} \
%{!?with_doc: --with-brand=} \ %{!?with_doc: --with-brand=} \
%{?gnutls_priorities: --with-gnutls-priorities="%{gnutls_priorities}"} \ %{?gnutls_priorities: --with-gnutls-priorities="%{gnutls_priorities}"} \
--disable-static \
--with-initdir=%{_initrddir} \ --with-initdir=%{_initrddir} \
--with-runstatedir=%{_rundir} \ --with-runstatedir=%{_rundir} \
--localstatedir=%{_var} \ --localstatedir=%{_var} \
@ -386,6 +393,7 @@ export CPPFLAGS="-UPCMK_TIME_EMERGENCY_CGT $CPPFLAGS"
make %{_smp_mflags} V=1 make %{_smp_mflags} V=1
%check %check
make %{_smp_mflags} check
{ cts/cts-scheduler --run load-stopped-loop \ { cts/cts-scheduler --run load-stopped-loop \
&& cts/cts-cli \ && cts/cts-cli \
&& touch .CHECKED && touch .CHECKED
@ -438,7 +446,7 @@ rm -f %{buildroot}/%{_initrddir}/pacemaker_remote
%if %{defined py_byte_compile} && %{defined python_path} %if %{defined py_byte_compile} && %{defined python_path}
%{py_byte_compile %{python_path} %{buildroot}%{_datadir}/pacemaker/tests} %{py_byte_compile %{python_path} %{buildroot}%{_datadir}/pacemaker/tests}
%if !%{defined _python_bytecompile_extra} %if !%{defined _python_bytecompile_extra}
%{py_byte_compile %{python_path} %{buildroot}%{py_site}/cts} %{py_byte_compile %{python_path} %{buildroot}%{python_site}/cts}
%endif %endif
%endif %endif
@ -498,7 +506,7 @@ fi
%post cli %post cli
%systemd_post crm_mon.service %systemd_post crm_mon.service
if [ "$1" = 2 ]; then if [ "$1" -eq 2 ]; then
# Package upgrade, not initial install: # Package upgrade, not initial install:
# Move any pre-2.0 logs to new location to ensure they get rotated # Move any pre-2.0 logs to new location to ensure they get rotated
{ mv -fbS.rpmsave %{_var}/log/pacemaker.log* %{_var}/log/pacemaker \ { mv -fbS.rpmsave %{_var}/log/pacemaker.log* %{_var}/log/pacemaker \
@ -516,8 +524,8 @@ fi
# XXX keep an eye on https://fedoraproject.org/wiki/Changes/SystemdSysusers # XXX keep an eye on https://fedoraproject.org/wiki/Changes/SystemdSysusers
# reopened recently: # reopened recently:
# https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/AETGESYR4IEQJMA6SKL7OERSDZFWFNEU/ # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/AETGESYR4IEQJMA6SKL7OERSDZFWFNEU/
getent group %{gname} >/dev/null || groupadd -r %{gname} -g 189 getent group %{gname} >/dev/null || groupadd -r %{gname} -g %{hacluster_id}
getent passwd %{uname} >/dev/null || useradd -r -g %{gname} -u 189 -s /sbin/nologin -c "cluster user" %{uname} getent passwd %{uname} >/dev/null || useradd -r -g %{gname} -u %{hacluster_id} -s /sbin/nologin -c "cluster user" %{uname}
exit 0 exit 0
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
@ -572,6 +580,9 @@ exit 0
%{_sbindir}/attrd_updater %{_sbindir}/attrd_updater
%{_sbindir}/cibadmin %{_sbindir}/cibadmin
%if %{with cibsecrets}
%{_sbindir}/cibsecret
%endif
%{_sbindir}/crm_diff %{_sbindir}/crm_diff
%{_sbindir}/crm_error %{_sbindir}/crm_error
%{_sbindir}/crm_failcount %{_sbindir}/crm_failcount
@ -667,7 +678,7 @@ exit 0
%license licenses/CC-BY-SA-4.0 %license licenses/CC-BY-SA-4.0
%files cts %files cts
%{py_site}/cts %{python_site}/cts
%{_datadir}/pacemaker/tests %{_datadir}/pacemaker/tests
%{_libexecdir}/pacemaker/cts-log-watcher %{_libexecdir}/pacemaker/cts-log-watcher
@ -703,6 +714,9 @@ exit 0
%license %{nagios_name}-%{nagios_hash}/COPYING %license %{nagios_name}-%{nagios_hash}/COPYING
%changelog %changelog
* Mon Oct 10 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.0.5-1
- upgrade to 2.0.5
* Sat Sep 03 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.0.3-3 * Sat Sep 03 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.0.3-3
- Type:cves - Type:cves
- ID:CVE-2020-25654 - ID:CVE-2020-25654