add patches to fix issue with cifs-utils and gnome keyring (see https://github.com/stevegrubb/libcap-ng/issues/21) [release 0.8.1-2mamba;Mon Nov 30 2020]
parent
02f76c3f43
commit
56e51dea5c
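--- a/libcap-ng-0.8.1-apply-disable.patch
+++ b/libcap-ng-0.8.1-apply-disable.patch
@@ -0,0 +1,26 @@
+diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
+--- libcap-ng-0.8.2.orig/src/cap-ng.c 2020-11-20 15:04:09.000000000 -0500
++++ libcap-ng-0.8.2/src/cap-ng.c 2020-11-20 16:04:55.425496426 -0500
+@@ -698,19 +698,19 @@ int capng_apply(capng_select_t set)
+if (capng_have_capability(CAPNG_BOUNDING_SET,
+i) == 0) {
+if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
+- rc = -2;
++// rc = -2;
+goto try_caps;
+}
+}
+}
+m.state = CAPNG_APPLIED;
+if (get_bounding_set() < 0) {
+- rc = -3;
++// rc = -3;
+goto try_caps;
+}
+} else {
+memcpy(&m, &state, sizeof(m)); /* restore state */
+- rc = -4;
++// rc = -4;
+goto try_caps;
+}
+#endif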
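Review bot: With `rc = -2`, `rc = -3` and `rc = -4` commented out, capng_apply() returns 0 whenever the bounding-set branch fails and the later capset and ambient steps succeed, so a caller that does check the return value is told its privilege drop worked while the bounding set was left unchanged. The patch is applied to the shared library, so this affects every program linked against libcap-ng, not only cifs-utils and gnome-keyring. If the workaround has to ship, suppress only the failure those callers hit (presumably `PR_CAPBSET_DROP` refused for lack of privilege; confirm against the linked issue), for example `if (errno != EPERM) rc = -2;`, and keep `rc = -3` and `rc = -4` as they were. The disabled assignments should also carry a comment naming the upstream issue so they are restored once it is resolved. The body of capng_apply() starts and ends outside this hunk.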
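--- a/libcap-ng-0.8.1-apply.patch
+++ b/libcap-ng-0.8.1-apply.patch
@@ -0,0 +1,105 @@
+diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
+--- libcap-ng-0.8.2.orig/src/cap-ng.c 2020-11-20 13:37:57.000000000 -0500
++++ libcap-ng-0.8.2/src/cap-ng.c 2020-11-20 13:57:54.934059250 -0500
+@@ -680,6 +680,8 @@ int capng_updatev(capng_act_t action, ca
+
+int capng_apply(capng_select_t set)
+{
++ int rc = 0;
++
+// Before updating, we expect that the data is initialized to something
+if (m.state < CAPNG_INIT)
+return -1;
+@@ -695,52 +697,78 @@ int capng_apply(capng_select_t set)
+for (i=0; i <= last_cap; i++) {
+if (capng_have_capability(CAPNG_BOUNDING_SET,
+i) == 0) {
+- if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0)
+- return -2;
++ if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
++ rc = -2;
++ goto try_caps;
++ }
+}
+}
+m.state = CAPNG_APPLIED;
+- if (get_bounding_set() < 0)
+- return -3;
++ if (get_bounding_set() < 0) {
++ rc = -3;
++ goto try_caps;
++ }
+} else {
+memcpy(&m, &state, sizeof(m)); /* restore state */
+- return -4;
++ rc = -4;
++ goto try_caps;
+}
+#endif
+}
++
++ // Try caps is here so that if someone had SELECT_BOTH and we blew up
++ // doing the bounding set, we at least try to set any capabilities
++ // before returning in case the caller also doesn't bother checking
++ // the return code.
++try_caps:
+if (set & CAPNG_SELECT_CAPS) {
+if (capset((cap_user_header_t)&m.hdr,
+(cap_user_data_t)&m.data) == 0)
+m.state = CAPNG_APPLIED;
+else
+- return -5;
++ rc = -5;
+}
+- // Put ambient last so that inheritable and permitted are set
++
++ // Most programs do not and should not mess with ambient capabilities.
++ // Instead of returning here if rc is set, we'll let it try to
++ // do something with ambient capabilities in hopes that it's lowering
++ // capabilities. Again, this is for people that don't check their
++ // return codes.
++ //
++ // Do ambient last so that inheritable and permitted are set by the
++ // time we get here.
+if (set & CAPNG_SELECT_AMBIENT) {
+#ifdef PR_CAP_AMBIENT
+if (capng_have_capabilities(CAPNG_SELECT_AMBIENT) ==
+CAPNG_NONE) {
+if (prctl(PR_CAP_AMBIENT,
+- PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
+- return -6;
++ PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
++ rc = -6;
++ goto out;
++ }
+} else {
+unsigned int i;
+
+// Clear them all
+if (prctl(PR_CAP_AMBIENT,
+- PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
+- return -7;
++ PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
++ rc = -7;
++ goto out;
++ }
+for (i=0; i <= last_cap; i++) {
+if (capng_have_capability(CAPNG_AMBIENT, i))
+if (prctl(PR_CAP_AMBIENT,
+- PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
+- return -8;
++ PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0){
++ rc = -8;
++ goto out;
++ }
+}
+}
+m.state = CAPNG_APPLIED;
+#endif
+}
+- return 0;
++out:
++ return rc;
+}
+
+#ifdef VFS_CAP_U32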
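Review bot: At `try_caps`, `rc = -5` overwrites an earlier -2, -3 or -4, and the ambient branch can overwrite it again with -6, -7 or -8, so the value returned names only the last step that failed. Writing `else if (rc == 0) rc = -5;`, and guarding the ambient assignments the same way with `if (rc == 0) rc = -6;`, would keep the first failure, which is the one a caller needs to know whether the bounding set was actually reduced. A negative return also no longer means that nothing was changed: capset and the ambient prctl calls now run after a bounding-set failure, and `m.state = CAPNG_APPLIED` can be set on that path. The comment above `try_caps:` should say this explicitly, for example `// NOTE: a negative return may follow a partial apply; callers must not assume the previous capability state is intact.`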
@ -1,6 +1,6 @@
|
|||||||
Name: libcap-ng
|
Name: libcap-ng
|
||||||
Version: 0.8.1
|
Version: 0.8.1
|
||||||
Release: 1mamba
|
Release: 2mamba
|
||||||
Summary: An alternate posix capabilities library
|
Summary: An alternate posix capabilities library
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
Vendor: openmamba
|
Vendor: openmamba
|
||||||
@ -8,16 +8,17 @@ Distribution: openmamba
|
|||||||
Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
|
Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
|
||||||
URL: http://people.redhat.com/sgrubb/libcap-ng/
|
URL: http://people.redhat.com/sgrubb/libcap-ng/
|
||||||
Source: http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-%{version}.tar.gz
|
Source: http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-%{version}.tar.gz
|
||||||
|
Patch0: libcap-ng-0.6.3-euid.patch
|
||||||
|
Patch1: libcap-ng-0.6.3-setpcap.patch
|
||||||
|
Patch2: libcap-ng-0.8.1-apply.patch
|
||||||
|
Patch3: libcap-ng-0.8.1-apply-disable.patch
|
||||||
License: GPL
|
License: GPL
|
||||||
## AUTOBUILDREQ-BEGIN
|
## AUTOBUILDREQ-BEGIN
|
||||||
BuildRequires: glibc-devel
|
BuildRequires: glibc-devel
|
||||||
BuildRequires: libpython-devel
|
|
||||||
## AUTOBUILDREQ-END
|
|
||||||
BuildRequires: libpython3-devel
|
BuildRequires: libpython3-devel
|
||||||
|
## AUTOBUILDREQ-END
|
||||||
BuildRequires: libattr-devel
|
BuildRequires: libattr-devel
|
||||||
BuildRequires: swig
|
BuildRequires: swig
|
||||||
Patch0: libcap-ng-0.6.3-euid.patch
|
|
||||||
Patch1: libcap-ng-0.6.3-setpcap.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -76,8 +77,9 @@ It also lets you set the file system based capabilities.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
#%patch0 -p1
|
# These 2 patches can be disabled when https://github.com/stevegrubb/libcap-ng/issues/21 is resolved
|
||||||
#%patch1 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure \
|
%configure \
|
||||||
@ -147,6 +149,9 @@ It also lets you set the file system based capabilities.
|
|||||||
%doc COPYING
|
%doc COPYING
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 30 2020 Silvan Calarco <silvan.calarco@mambasoft.it> 0.8.1-2mamba
|
||||||
|
- add patches to fix issue with cifs-utils and gnome keyring (see https://github.com/stevegrubb/libcap-ng/issues/21)
|
||||||
|
|
||||||
* Sat Nov 28 2020 Silvan Calarco <silvan.calarco@mambasoft.it> 0.8.1-1mamba
|
* Sat Nov 28 2020 Silvan Calarco <silvan.calarco@mambasoft.it> 0.8.1-1mamba
|
||||||
- update to 0.8.1
|
- update to 0.8.1
|
||||||
|
|
||||||
|