add patches to fix issue with cifs-utils and gnome keyring (see https://github.com/stevegrubb/libcap-ng/issues/21) [release 0.8.1-2mamba;Mon Nov 30 2020]

libcap-ng-0.8.1-apply-disable.patch

@@ -0,0 +1,26 @@
+diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
+--- libcap-ng-0.8.2.orig/src/cap-ng.c	2020-11-20 15:04:09.000000000 -0500
++++ libcap-ng-0.8.2/src/cap-ng.c	2020-11-20 16:04:55.425496426 -0500
+@@ -698,19 +698,19 @@ int capng_apply(capng_select_t set)
+ 				if (capng_have_capability(CAPNG_BOUNDING_SET,
+ 								 i) == 0) {
+ 				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
+-					rc = -2;
++//					rc = -2;
+ 					goto try_caps;
+ 				    }
+ 				}
+ 			}
+ 			m.state = CAPNG_APPLIED;
+ 			if (get_bounding_set() < 0) {
+-				rc = -3;
++//				rc = -3;
+ 				goto try_caps;
+ 			}
+ 		} else {
+ 			memcpy(&m, &state, sizeof(m)); /* restore state */
+-			rc = -4;
++//			rc = -4;
+ 			goto try_caps;
+ 		}
+ #endif

libcap-ng-0.8.1-apply.patch

@@ -0,0 +1,105 @@
+diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
+--- libcap-ng-0.8.2.orig/src/cap-ng.c	2020-11-20 13:37:57.000000000 -0500
++++ libcap-ng-0.8.2/src/cap-ng.c	2020-11-20 13:57:54.934059250 -0500
+@@ -680,6 +680,8 @@ int capng_updatev(capng_act_t action, ca
+ 
+ int capng_apply(capng_select_t set)
+ {
++	int rc = 0;
++
+ 	// Before updating, we expect that the data is initialized to something
+ 	if (m.state < CAPNG_INIT)
+ 		return -1;
+@@ -695,52 +697,78 @@ int capng_apply(capng_select_t set)
+ 			for (i=0; i <= last_cap; i++) {
+ 				if (capng_have_capability(CAPNG_BOUNDING_SET,
+ 								 i) == 0) {
+-				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0)
+-					return -2;
++				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
++					rc = -2;
++					goto try_caps;
++				    }
+ 				}
+ 			}
+ 			m.state = CAPNG_APPLIED;
+-			if (get_bounding_set() < 0)
+-				return -3;
++			if (get_bounding_set() < 0) {
++				rc = -3;
++				goto try_caps;
++			}
+ 		} else {
+ 			memcpy(&m, &state, sizeof(m)); /* restore state */
+-			return -4;
++			rc = -4;
++			goto try_caps;
+ 		}
+ #endif
+ 	}
++
++	// Try caps is here so that if someone had SELECT_BOTH and we blew up
++	// doing the bounding set, we at least try to set any capabilities
++	// before returning in case the caller also doesn't bother checking
++	// the return code.
++try_caps:
+ 	if (set & CAPNG_SELECT_CAPS) {
+ 		if (capset((cap_user_header_t)&m.hdr,
+ 				(cap_user_data_t)&m.data) == 0)
+ 			m.state = CAPNG_APPLIED;
+ 		else
+-			return -5;
++			rc = -5;
+ 	}
+-	// Put ambient last so that inheritable and permitted are set
++
++	// Most programs do not and should not mess with ambient capabilities.
++	// Instead of returning here if rc is set, we'll let it try to
++	// do something with ambient capabilities in hopes that it's lowering
++	// capabilities. Again, this is for people that don't check their
++	// return codes.
++	//
++	// Do ambient last so that inheritable and permitted are set by the
++	// time we get here.
+ 	if (set & CAPNG_SELECT_AMBIENT) {
+ #ifdef PR_CAP_AMBIENT
+ 		if (capng_have_capabilities(CAPNG_SELECT_AMBIENT) ==
+ 								CAPNG_NONE) {
+ 			if (prctl(PR_CAP_AMBIENT,
+-				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
+-				return -6;
++				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
++				rc = -6;
++				goto out;
++			}
+ 		} else {
+ 			unsigned int i;
+ 
+ 			// Clear them all
+ 			if (prctl(PR_CAP_AMBIENT,
+-				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
+-				return -7;
++				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
++				rc = -7;
++				goto out;
++			}
+ 			for (i=0; i <= last_cap; i++) {
+ 				if (capng_have_capability(CAPNG_AMBIENT, i))
+ 					if (prctl(PR_CAP_AMBIENT,
+-					    PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
+-						return -8;
++					    PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0){
++						rc = -8;
++						goto out;
++					}
+ 			}
+ 		}
+ 		m.state = CAPNG_APPLIED;
+ #endif
+ 	}
+-	return 0;
++out:
++	return rc;
+ }
+ 
+ #ifdef VFS_CAP_U32

libcap-ng.spec

@@ -1,6 +1,6 @@
 Name:          libcap-ng
 Version:       0.8.1
-Release:       1mamba
+Release:       2mamba
 Summary:       An alternate posix capabilities library
 Group:         System/Libraries
 Vendor:        openmamba
@@ -8,16 +8,17 @@ Distribution:  openmamba
 Packager:      Silvan Calarco <silvan.calarco@mambasoft.it>
 URL:           http://people.redhat.com/sgrubb/libcap-ng/
 Source:        http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-%{version}.tar.gz
+Patch0:        libcap-ng-0.6.3-euid.patch
+Patch1:        libcap-ng-0.6.3-setpcap.patch
+Patch2:        libcap-ng-0.8.1-apply.patch
+Patch3:        libcap-ng-0.8.1-apply-disable.patch
 License:       GPL
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: glibc-devel
-BuildRequires: libpython-devel
-## AUTOBUILDREQ-END
 BuildRequires: libpython3-devel
+## AUTOBUILDREQ-END
 BuildRequires: libattr-devel
 BuildRequires: swig
-Patch0:        libcap-ng-0.6.3-euid.patch
-Patch1:        libcap-ng-0.6.3-setpcap.patch
 BuildRoot:     %{_tmppath}/%{name}-%{version}-root
 
 %description
@@ -76,8 +77,9 @@ It also lets you set the file system based capabilities.
 
 %prep
 %setup -q
-#%patch0 -p1
+# These 2 patches can be disabled when https://github.com/stevegrubb/libcap-ng/issues/21 is resolved
-#%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 %configure \
@@ -147,6 +149,9 @@ It also lets you set the file system based capabilities.
 %doc COPYING
 
 %changelog
+* Mon Nov 30 2020 Silvan Calarco <silvan.calarco@mambasoft.it> 0.8.1-2mamba
+- add patches to fix issue with cifs-utils and gnome keyring (see https://github.com/stevegrubb/libcap-ng/issues/21)
+
 * Sat Nov 28 2020 Silvan Calarco <silvan.calarco@mambasoft.it> 0.8.1-1mamba
 - update to 0.8.1