authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>2018-03-26 17:28:22 +0200
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>2018-03-26 17:41:07 +0200
commitd2eae3536e75f5a9be27ab01c006490cb06b899a (patch)
treeb22f8d344fc7ad3f12384e6939bac9149a693b4e
parentf19535e68f6319ffaf104934b14cb12e665859bb (diff)
Single security manifest in debuginfo package
Rpm builder adds one security manifest for each debug file in debuginfo package. For packages containing more than one binary this leads to creation of multiple copies of the manifest in the debuginfo package. The msm plugin expects only one manifest and if there's more of them, it treats it as an error and falls back to the default policy ("No manifest in this package. Creating default one"). As a result the debug files get their labels from the installing process. This leads to access denials when unprivileged processes try to access the debug files. This commit modifies the builder so that the security manifest is added only once. Change-Id: I8c29897d80664af0760eb2e3204baec1fe7ecdb2
-rw-r--r--build/files.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/build/files.c b/build/files.c
index c4d54fc88..6f2cc7d98 100644
--- a/build/files.c
+++ b/build/files.c
@@ -2307,9 +2307,6 @@ static void addDebuginfoPackage(rpmSpec spec, Package pkg, char *buildroot)
if (access (tmp, F_OK) != 0)
continue;
- /* Add security manifest to set right SMACK labels */
- argvAdd(&files, "%manifest %{name}-debuginfo.manifest");
-
/* Append the file list preamble. */
if (!files)
{
@@ -2352,6 +2349,9 @@ static void addDebuginfoPackage(rpmSpec spec, Package pkg, char *buildroot)
new debuginfo package. */
if (files)
{
+ /* Add security manifest to set right SMACK labels */
+ argvAdd(&files, "%manifest %{name}-debuginfo.manifest");
+
dbg = newPackage (spec);
headerNVR (pkg->header, &name, NULL, NULL);
/* Set name, summary and group. */
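Review bot: The comment carried over with the moved `argvAdd` call says what the line does but not why it must sit outside the per-file loop, so a later refactor could move it back and reintroduce duplicate manifests. Per the commit description, the msm plugin treats more than one manifest as an error and falls back to the default policy, leaving debug files labelled by the installing process. I would state that invariant at the call site, for example `/* Add the security manifest exactly once per debuginfo package: the msm plugin rejects multiple manifests and falls back to the default policy, which mislabels the debug files. */`. Nothing visible in this hunk checks that `%{name}-debuginfo.manifest` exists before it is listed, so it is worth confirming that a missing manifest fails the build rather than silently producing a package with default labels. The body of addDebuginfoPackage starts and ends outside this hunk.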