From 8684168f675ea62e5bdb1d1d5e7147766c87c322 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 07 2021 19:14:33 +0000
Subject: import firewalld-1.0.0-2.el9
---
diff --git a/SOURCES/0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch b/SOURCES/0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch
deleted file mode 100644
index 110d1b7..0000000
--- a/SOURCES/0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 07db6dfac060d474b73f9b963435f4b6472e3f48 Mon Sep 17 00:00:00 2001
-From: Eric Garver
-Date: Wed, 11 Aug 2021 14:47:59 -0400
-Subject: [PATCH] fix(firewalld): keep linux capability CAP_SYS_MODULE
-
-When firewalld calls ip6tables it may implicitly load the ip6_tables, et
-al kernel modules. As such we need to retain CAP_SYS_MODULE so that
-implicit module is allowed. Otherwise we get EPERM from the kernel.
-
-This only affects the -legacy variants and the top level table/chain
-modules. The userspace binaries will modprobe the kernel modules.
-Extensions, e.g. xt_conntrack, are implicitly loaded by the kernel based
-on the rules being added and thus not subject to linux capabilities
-checks.
-
-The -nft variants are unaffected because they use the nftables
-infrastructure which has implicit module loading in the kernel similar
-to the iptables extensions (xt_* modules).
-
-Fixes: rhbz 1990271
-Fixes: fb0532e8a200 ("feat(firewalld): drop linux capabilities")
-(cherry picked from commit 13801962073f478c68d818b314091badcf8b5614)
-(cherry picked from commit d3cd7e088f946c75593b0569bd658266b2e9329d)
----
- src/firewalld.in | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/firewalld.in b/src/firewalld.in
-index abcbe3508f86..b1c886c6f02f 100755
---- a/src/firewalld.in
-+++ b/src/firewalld.in
-@@ -136,6 +136,7 @@ def startup(args):
- # attempt to drop Linux capabilities to a minimal set:
- # - CAP_NET_ADMIN
- # - CAP_NET_RAW
-+ # - CAP_SYS_MODULE
- try:
- import capng
- capng.capng_clear(capng.CAPNG_SELECT_BOTH)
-@@ -143,8 +144,10 @@ def startup(args):
- capng.CAP_NET_ADMIN)
- capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
- capng.CAP_NET_RAW)
-+ capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
-+ capng.CAP_SYS_MODULE)
- capng.capng_apply(capng.CAPNG_SELECT_BOTH)
-- log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW.")
-+ log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.")
- except ImportError:
- pass
-
---
-2.31.1
-
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index 15e4409..353b48c 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@@ -1,12 +1,11 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 1.0.0
-Release: 3%{?dist}
+Release: 2%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
 Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
-Patch2: 0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -228,9 +227,6 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite
 %{_mandir}/man1/firewall-config*.1*
 %changelog
-* Tue Sep 07 2021 Eric Garver - 1.0.0-3
-- fix(firewalld): keep linux capability CAP_SYS_MODULE
-
 * Mon Aug 09 2021 Mohan Boddu - 1.0.0-2
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
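Review bot: The resulting package no longer carries the CAP_SYS_MODULE fix for rhbz 1990271, because the `Patch2: 0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch` line is removed from the spec at the same time the patch file itself is deleted and Release goes from 3 back to 2. Per the deleted patch's own description, startup() in src/firewalld.in then drops capabilities to NET_ADMIN and NET_RAW only, and the iptables-legacy/ip6tables-legacy backends hit EPERM when they implicitly load their table/chain kernel modules, so this is a functional regression rather than a plain release bump. If the intent is to publish the older 1.0.0-2 build, the commit message should say that it reverts the -3 fix instead of reading as a fresh import; if not, the Patch2 line and the `* Tue Sep 07 2021 ... 1.0.0-3` changelog entry should stay. The same point applies to the second spec hunk, which drops that changelog entry.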