From d781c92341d1cffd89d7c8d7b595f5a82c02647e Mon Sep 17 00:00:00 2001
From: CentOS Sources 
Date: Oct 06 2021 13:19:45 +0000
Subject: import libcap-ng-0.7.11-1.el8
---
diff --git a/.gitignore b/.gitignore
index 389ba7b..72303c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libcap-ng-0.7.9.tar.gz
+SOURCES/libcap-ng-0.7.11.tar.gz
diff --git a/.libcap-ng.metadata b/.libcap-ng.metadata
index 3e3aca4..27619f2 100644
--- a/.libcap-ng.metadata
+++ b/.libcap-ng.metadata
@@ -1 +1 @@
-f29f1eefdfbbd93501d9c7a54ac340d4ca660634 SOURCES/libcap-ng-0.7.9.tar.gz
+786cf60a922f55442d1aab1112faa6203b4d8aaf SOURCES/libcap-ng-0.7.11.tar.gz
diff --git a/SOURCES/libcap-ng-0.7.9-fixatfork.patch b/SOURCES/libcap-ng-0.7.9-fixatfork.patch
deleted file mode 100644
index fc21e04..0000000
--- a/SOURCES/libcap-ng-0.7.9-fixatfork.patch
+++ /dev/null
@@ -1,28 +0,0 @@
---- libcap-ng-0.7.9/src/cap-ng.c.noatfork
-+++ libcap-ng-0.7.9/src/cap-ng.c
-@@ -153,15 +153,6 @@
- CAPNG_NEW,
- {0, 0} };
- 
--
--/*
-- * The pthread_atfork function is being made weak so that we can use it
-- * if the program is linked with pthreads and not requiring it for
-- * everything that uses libcap-ng.
-- */
--extern int __attribute__((weak)) pthread_atfork(void (*prepare)(void),
-- void (*parent)(void), void (*child)(void));
--
- /*
- * Reset the state so that init gets called to erase everything
- */
-@@ -173,8 +164,7 @@
- static void init_lib(void) __attribute__ ((constructor));
- static void init_lib(void)
- {
-- if (pthread_atfork)
-- pthread_atfork(NULL, NULL, deinit);
-+ pthread_atfork(NULL, NULL, deinit);
- }
- 
- static void init(void)
diff --git a/SOURCES/libcap-ng-0.8-permitted.patch b/SOURCES/libcap-ng-0.8-permitted.patch
deleted file mode 100644
index cc48b86..0000000
--- a/SOURCES/libcap-ng-0.8-permitted.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-diff -urp libcap-ng-0.8.orig/docs/capng_have_capabilities.3 libcap-ng-0.8/docs/capng_have_capabilities.3
---- libcap-ng-0.8.orig/docs/capng_have_capabilities.3 2018-02-07 13:20:31.000000000 -0500
-+++ libcap-ng-0.8/docs/capng_have_capabilities.3 2018-08-09 16:29:40.521624973 -0400
-@@ -1,14 +1,20 @@
--.TH "CAPNG_HAVE_CAPABILITIES" "3" "June 2009" "Red Hat" "Libcap-ng API"
-+.TH "CAPNG_HAVE_CAPABILITIES" "3" "Aug 2018" "Red Hat" "Libcap-ng API"
- .SH NAME
--capng_have_capabilities \- general check for capabilities
-+.nf
-+capng_have_capabilities, capng_have_permitted_capabilities \- check for capabilities
- .SH "SYNOPSIS"
- .B #include
- .sp
- capng_results_t capng_have_capabilities(capng_select_t set);
-+capng_results_t capng_have_permitted_capabilities(void);
- 
- .SH "DESCRIPTION"
- 
--capng_have_capabilities will check the selected internal capabilities sets to see what the status is. The capabilities sets must be previously setup with calls to capng_get_caps_process, capng_get_caps_fd, or in some other way setup. The options are CAPNG_SELECT_CAPS for the traditional capabilities, CAPNG_SELECT_BOUNDS for the bounding set, or CAPNG_SELECT_BOTH if clearing both is desired.
-+capng_have_capabilities will check the selected internal capabilities sets to see what the status is. The capabilities sets must be previously setup with calls to capng_get_caps_process, capng_get_caps_fd, or in some other way setup. The options are CAPNG_SELECT_CAPS for the traditional capabilities, CAPNG_SELECT_BOUNDS for the bounding set, or CAPNG_SELECT_BOTH if clearing both is desired. When capabilities are checked, it will only look at the effective capabilities.
-+
-+If, however, the source of capabilities comes from a file, then you may need to additionally check the permitted capabilities. It's for this reason that
-+.B capng_have_permitted_capabilities
-+was created. It takes no arguments because it simply checks the permitted set.
- 
- .SH "RETURN VALUE"
- 
-diff -urp libcap-ng-0.8.orig/src/cap-ng.c libcap-ng-0.8/src/cap-ng.c
---- libcap-ng-0.8.orig/src/cap-ng.c 2018-07-02 14:42:53.993939477 -0400
-+++ libcap-ng-0.8/src/cap-ng.c 2018-08-09 16:31:47.255611373 -0400
-@@ -777,10 +776,10 @@ capng_results_t capng_have_capabilities(
- full = 1;
- else
- return CAPNG_PARTIAL;
-- if ((m.data.v3[1].effective & UPPER_MASK) == 0)
-+ if ((m.data.v3[1].effective & UPPER_MASK) == 0 && !full)
- empty = 1;
- else if ((m.data.v3[1].effective & UPPER_MASK) ==
-- UPPER_MASK)
-+ UPPER_MASK && !empty)
- full = 1;
- else
- return CAPNG_PARTIAL;
-@@ -805,6 +804,40 @@ capng_results_t capng_have_capabilities(
- 
- if (empty == 1 && full == 0)
- return CAPNG_NONE;
-+ else if (empty == 0 && full == 1)
-+ return CAPNG_FULL;
-+
-+ return CAPNG_PARTIAL;
-+}
-+
-+// -1 - error, 0 - no caps, 1 partial caps, 2 full caps
-+capng_results_t capng_have_permitted_capabilities(void)
-+{
-+ int empty = 0, full = 0;
-+
-+ // First, try to init with current set
-+ if (m.state < CAPNG_INIT)
-+ capng_get_caps_process();
-+
-+ // If we still don't have anything, error out
-+ if (m.state < CAPNG_INIT)
-+ return CAPNG_FAIL;
-+
-+ if (m.data.v3[0].permitted == 0)
-+ empty = 1;
-+ else if (m.data.v3[0].permitted == 0xFFFFFFFFU)
-+ full = 1;
-+ else
-+ return CAPNG_PARTIAL;
-+ if ((m.data.v3[1].permitted & UPPER_MASK) == 0 && !full)
-+ empty = 1;
-+ else if ((m.data.v3[1].permitted & UPPER_MASK) == UPPER_MASK && !empty)
-+ full = 1;
-+ else
-+ return CAPNG_PARTIAL;
-+
-+ if (empty == 1 && full == 0)
-+ return CAPNG_NONE;
- else if (empty == 0 && full == 1)
- return CAPNG_FULL;
- 
-diff -urp libcap-ng-0.8.orig/src/cap-ng.h libcap-ng-0.8/src/cap-ng.h
---- libcap-ng-0.8.orig/src/cap-ng.h 2018-02-07 13:20:31.000000000 -0500
-+++ libcap-ng-0.8/src/cap-ng.h 2018-08-09 15:54:10.054853595 -0400
-@@ -63,6 +63,7 @@ int capng_apply_caps_fd(int fd);
- 
- // These functions check capability bits
- capng_results_t capng_have_capabilities(capng_select_t set);
-+capng_results_t capng_have_permitted_capabilities(void);
- int capng_have_capability(capng_type_t which, unsigned int capability);
- 
- // These functions printout capabilities
-diff -urp libcap-ng-0.8.orig/utils/filecap.8 libcap-ng-0.8/utils/filecap.8
---- libcap-ng-0.8.orig/utils/filecap.8 2018-02-07 13:20:31.000000000 -0500
-+++ libcap-ng-0.8/utils/filecap.8 2018-08-09 16:35:39.751586424 -0400
-@@ -1,10 +1,10 @@
--.TH FILECAP: "8" "March 2009" "Red Hat" "System Administration Utilities"
-+.TH FILECAP: "8" "Aug 2018" "Red Hat" "System Administration Utilities"
- .SH NAME
- filecap \- a program to see capabilities
- .SH SYNOPSIS
- .B filecap [ \-a | \-d | /dir | /dir/file [cap1 cap2 ...] ]
- .SH DESCRIPTION
--\fBfilecap\fP is a program that prints out a report of programs with file based capabilities. If a file is not in the report or there is no report at all, no capabilities were found. For expedience, the default is to check only the directories in the PATH environmental variable. If the \-a command line option is given, then all directories will be checked. If a directory is passed, it will recursively check that directory. If a path to a file is given, it will only check that file. If the path to the file includes capabilities, then they are written to the file.
-+\fBfilecap\fP is a program that prints out a report of programs with file based capabilities. If a file is not in the report or there is no report at all, no capabilities were found. For expedience, the default is to check only the directories in the PATH environmental variable. If the \-a command line option is given, then all directories will be checked. If a directory is passed, it will recursively check that directory. If a path to a file is given, it will only check that file. If a file is given followed by capabilities, then the capabilities are written to the file.
- 
- .SH OPTIONS
- .TP
-diff -urp libcap-ng-0.8.orig/utils/filecap.c libcap-ng-0.8/utils/filecap.c
---- libcap-ng-0.8.orig/utils/filecap.c 2018-02-07 13:20:31.000000000 -0500
-+++ libcap-ng-0.8/utils/filecap.c 2018-08-09 16:03:18.989794688 -0400
-@@ -59,6 +59,7 @@ static int check_file(const char *fpath,
- int fd = open(fpath, O_RDONLY|O_CLOEXEC);
- if (fd >= 0) {
- capng_results_t rc;
-+ int permitted = 0;
- 
- capng_clear(CAPNG_SELECT_BOTH);
- if (capng_get_caps_fd(fd) < 0) {
-@@ -68,12 +69,17 @@ static int check_file(const char *fpath,
- ret = 1;
- }
- rc = capng_have_capabilities(CAPNG_SELECT_CAPS);
-+ if (rc == CAPNG_NONE) {
-+ permitted = 1;
-+ rc = capng_have_permitted_capabilities();
-+ }
- if (rc > CAPNG_NONE) {
- if (header == 0) {
- header = 1;
-- printf("%-20s capabilities\n", "file");
-+ printf("%-9s %-20s capabilities\n", "set", "file");
- }
-- printf("%s ", fpath);
-+ printf("%s %s ",
-+ permitted ? "permitted" : "effective", fpath);
- if (rc == CAPNG_FULL)
- printf("full");
- else
diff --git a/SOURCES/libcap-ng-0.8-vararg-support.patch b/SOURCES/libcap-ng-0.8-vararg-support.patch
new file mode 100644
index 0000000..a9fc7e7
--- /dev/null
+++ b/SOURCES/libcap-ng-0.8-vararg-support.patch
@@ -0,0 +1,13 @@
+diff -ru a/bindings/src/capng_swig.i b/bindings/src/capng_swig.i
+--- a/bindings/src/capng_swig.i
++++ b/bindings/src/capng_swig.i
+@@ -26,6 +26,9 @@
+ %}
+ 
+ #if defined(SWIGPYTHON)
++
++%varargs(16, unsigned capability = 0) capng_updatev;
++
+ %except(python) {
+ $action
+ if (result < 0) {
diff --git a/SOURCES/libcap-ng-0.8.1-procfs-lastcap.patch b/SOURCES/libcap-ng-0.8.1-procfs-lastcap.patch
new file mode 100644
index 0000000..00deac0
--- /dev/null
+++ b/SOURCES/libcap-ng-0.8.1-procfs-lastcap.patch
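Review bot: `%varargs(16, unsigned capability = 0) capng_updatev;` fills every slot a Python caller leaves unsupplied with 0, and 0 is itself a valid capability number (CAP_CHOWN), not the trailing -1 that capng_updatev's variadic list is terminated with as far as its man page documents. A caller that omits the terminator therefore hands the C side sixteen CAP_CHOWN entries followed by an unterminated va_arg walk, which is undefined behaviour rather than a negative result the `%except(python)` block below could turn into an exception. If the unsigned default is deliberate, a comment beside the directive would spare the next reader the same analysis, e.g. `// unsupplied slots become 0 (CAP_CHOWN); Python callers must still pass the -1 terminator`; otherwise consider making the fill value the terminator itself.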
@@ -0,0 +1,17 @@
+diff -ru a/src/cap-ng.c b/src/cap-ng.c
+--- a/src/cap-ng.c
++++ b/src/cap-ng.c
+@@ -204,12 +204,7 @@
+ int fd;
+ 
+ fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY);
+- if (fd == -1) {
+- if (errno != ENOENT) {
+- m.state = CAPNG_ERROR;
+- return;
+- }
+- } else {
++ if (fd >= 0) {
+ char buf[8];
+ int num = read(fd, buf, sizeof(buf) - 1);
+ if (num > 0) {
diff --git a/SOURCES/libcap-ng-0.8.1-signed-unsigned-fix.patch b/SOURCES/libcap-ng-0.8.1-signed-unsigned-fix.patch
new file mode 100644
index 0000000..7f3c825
--- /dev/null
+++ b/SOURCES/libcap-ng-0.8.1-signed-unsigned-fix.patch
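Review bot: The replacement `if (fd >= 0) {` removes the only branch that set `m.state = CAPNG_ERROR`, so an open() that fails for any reason other than ENOENT (EACCES under a restrictive mount or sandbox, for instance) is now treated exactly like a missing file and falls through to whatever default the code after the hunk applies — presumably the compile-time CAP_LAST_CAP, judging by the 0.8.1 patch in this same import. That is a defensible trade-off, since a stale last_cap only makes newer capabilities fail cap_valid(), but it is a behaviour change an integrator would want stated where it happens, e.g. `/* any open() failure, not just ENOENT, falls back to the built-in CAP_LAST_CAP */` above the new condition. The enclosing function starts and ends outside the hunk.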
@@ -0,0 +1,179 @@
+diff -ru a/src/cap-ng.c b/src/cap-ng.c
+--- a/src/cap-ng.c
++++ b/src/cap-ng.c
+@@ -46,7 +46,7 @@
+ #endif
+ 
+ # define hidden __attribute__ ((visibility ("hidden")))
+-int last_cap hidden = -1;
++unsigned int last_cap hidden = 0;
+ /*
+ * Some milestones of when things became available:
+ * 2.6.24 kernel XATTR_NAME_CAPS
+@@ -65,7 +65,7 @@
+ // Local defines
+ #define MASK(x) (1U << (x))
+ #ifdef PR_CAPBSET_DROP
+-#define UPPER_MASK ~(unsigned)((~0U)<<(last_cap-31))
++#define UPPER_MASK ~((~0U)<<(last_cap-31))
+ #else
+ // For v1 systems UPPER_MASK will never be used
+ #define UPPER_MASK (unsigned)(~0U)
+@@ -73,7 +73,7 @@
+ 
+ // Re-define cap_valid so its uniform between V1 and V3
+ #undef cap_valid
+-#define cap_valid(x) ((x) <= (unsigned int)last_cap)
++#define cap_valid(x) ((x) <= last_cap)
+ 
+ // If we don't have the xattr library, then we can't
+ // compile-in file system capabilities
+@@ -174,6 +174,26 @@
+ #ifdef HAVE_PTHREAD_H
+ pthread_atfork(NULL, NULL, deinit);
+ #endif
++ // Detect last cap
++ if (last_cap == 0) {
++ int fd;
++
++ fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY);
++ if (fd >= 0) {
++ char buf[8];
++ int num = read(fd, buf, sizeof(buf) - 1);
++ if (num > 0) {
++ buf[num] = 0;
++ errno = 0;
++ unsigned int val = strtoul(buf, NULL, 10);
++ if (errno == 0)
++ last_cap = val;
++ }
++ close(fd);
++ }
++ if (last_cap == 0)
++ last_cap = CAP_LAST_CAP;
++ }
+ }
+ 
+ static void init(void)
+@@ -199,26 +219,6 @@
+ #else
+ m.hdr.pid = (unsigned)getpid();
+ #endif
+- // Detect last cap
+- if (last_cap == -1) {
+- int fd;
+-
+- fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY);
+- if (fd >= 0) {
+- char buf[8];
+- int num = read(fd, buf, sizeof(buf) - 1);
+- if (num > 0) {
+- buf[num] = 0;
+- errno = 0;
+- int val = strtoul(buf, NULL, 10);
+- if (errno == 0)
+- last_cap = val;
+- }
+- close(fd);
+- }
+- if (last_cap == -1)
+- last_cap = CAP_LAST_CAP;
+- }
+ m.state = CAPNG_ALLOCATED;
+ }
+ 
+@@ -478,7 +478,7 @@
+ if (CAPNG_INHERITABLE & type)
+ v1_update(action, capability, &m.data.v1.inheritable);
+ } else {
+- int idx;
++ unsigned int idx;
+ 
+ if (capability > 31) {
+ idx = capability>>5;
+@@ -545,7 +545,7 @@
+ memcpy(&state, &m, sizeof(state)); /* save state */
+ capng_get_caps_process();
+ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+- int i;
++ unsigned int i;
+ memcpy(&m, &state, sizeof(m)); /* restore state */
+ rc = 0;
+ for (i=0; i <= last_cap && rc == 0; i++)
+@@ -602,7 +602,7 @@
+ #ifndef VFS_CAP_U32
+ return -1;
+ #else
+- int rc, size;
++ int rc, size = 0;
+ struct vfs_cap_data filedata;
+ struct stat buf;
+ 
+@@ -1010,7 +1010,7 @@
+ 
+ char *capng_print_caps_text(capng_print_t where, capng_type_t which)
+ {
+- int i, once = 0, cnt = 0;
++ unsigned int i, once = 0, cnt = 0;
+ char *ptr = NULL;
+ 
+ if (m.state < CAPNG_INIT)
+diff -ru a/src/lookup_table.c b/src/lookup_table.c
+--- a/src/lookup_table.c
++++ b/src/lookup_table.c
+@@ -29,10 +29,10 @@
+ 
+ 
+ #define hidden __attribute__ ((visibility ("hidden")))
+-extern int last_cap hidden;
++extern unsigned int last_cap hidden;
+ 
+ #undef cap_valid
+-#define cap_valid(x) ((x) <= (unsigned int)last_cap)
++#define cap_valid(x) ((x) <= last_cap)
+ 
+ 
+ struct transtab {
+diff -ru a/src/test/lib_test.c b/src/test/lib_test.c
+--- a/src/test/lib_test.c
++++ b/src/test/lib_test.c
+@@ -29,7 +29,7 @@
+ #include
+ #include
+ 
+-int get_last_cap(void)
++static unsigned int get_last_cap(void)
+ {
+ int fd;
+ 
+@@ -41,17 +41,19 @@
+ int num = read(fd, buf, sizeof(buf));
+ if (num > 0) {
+ errno = 0;
+- int val = strtoul(buf, NULL, 10);
++ unsigned int val = strtoul(buf, NULL, 10);
+ if (errno == 0)
+ return val;
+ }
++ close(fd);
+ }
+ return CAP_LAST_CAP;
+ }
+ 
+ int main(void)
+ {
+- int rc, i, len, last = get_last_cap();
++ int rc;
++ unsigned int i, len, last = get_last_cap();
+ char *text;
+ void *saved;
+ 
+@@ -127,7 +129,7 @@
+ abort();
+ }
+ name = capng_capability_to_name(i);
+- if (name == NULL) {
++ if (name == NULL) {
+ printf("Failed converting capability %d to name\n", i);
+ abort();
+ }
diff --git a/SOURCES/libcap-ng-0.8.2-improve-lastcap-check.patch b/SOURCES/libcap-ng-0.8.2-improve-lastcap-check.patch
new file mode 100644
index 0000000..a5c12ee
--- /dev/null
+++ b/SOURCES/libcap-ng-0.8.2-improve-lastcap-check.patch
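Review bot: The context line `printf("Failed converting capability %d to name\n", i);` at the end of the last lib_test.c hunk now pairs `%d` with an `unsigned int`, because the same patch changes main's declaration to `unsigned int i, len, last = get_last_cap();`; the format should become `%u` (the enclosing function is outside the hunk, so this assumes the printf is in main, which the line numbers suggest). In get_last_cap the added `close(fd);` sits after the `if (num > 0)` block, so the `return val;` path still leaks the descriptor — close before returning, or fall through to a single close. That helper also calls `read(fd, buf, sizeof(buf))` and then strtoul() with nothing written as a terminator, unlike the library copy in cap-ng.c which reads `sizeof(buf) - 1` and sets `buf[num] = 0`; the buffer declaration is outside the hunk, so this is only a problem if buf is not zero-initialised, but aligning the test with the library's pattern would remove the doubt.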
@@ -0,0 +1,87 @@
+diff -ru a/configure.ac b/configure.ac
+--- a/configure.ac
++++ b/configure.ac
+@@ -59,6 +59,9 @@
+ AC_CHECK_HEADERS(pthread.h,
+ [AC_SEARCH_LIBS(pthread_atfork, pthread)],
+ [AC_MSG_WARN(pthread.h not found, disabling pthread_atfork.)])
++AC_CHECK_HEADERS(sys/vfs.h, [
++ AC_CHECK_HEADERS(linux/magic.h, [] [AC_MSG_WARN(linux/magic.h is required in order to verify procfs.)])
++ ], [AC_MSG_WARN(sys/vfs.h is required in order to verify procfs.)])
+ 
+ AC_C_CONST
+ AC_C_INLINE
+diff -ru a/src/cap-ng.c b/src/cap-ng.c
+--- a/src/cap-ng.c
++++ b/src/cap-ng.c
+@@ -44,6 +44,10 @@
+ #ifdef HAVE_LINUX_SECUREBITS_H
+ #include
+ #endif
++#ifdef HAVE_LINUX_MAGIC_H
++#include
++#include
++#endif
+ 
+ # define hidden __attribute__ ((visibility ("hidden")))
+ unsigned int last_cap hidden = 0;
+@@ -168,6 +172,15 @@
+ m.state = CAPNG_NEW;
+ }
+ 
++static inline int test_cap(unsigned int cap)
++{
++ // prctl returns 0 or 1 for valid caps, -1 otherwise
++ return prctl(PR_CAPBSET_READ, cap) >= 0;
++}
++
++// The maximum cap value is determined by VFS_CAP_U32
++#define MAX_CAP_VALUE (VFS_CAP_U32 * sizeof(__le32) * 8)
++
+ static void init_lib(void) __attribute__ ((constructor));
+ static void init_lib(void)
+ {
+@@ -178,8 +191,15 @@
+ if (last_cap == 0) {
+ int fd;
+ 
++ // Try to read last cap from procfs
+ fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY);
+ if (fd >= 0) {
++#ifdef HAVE_LINUX_MAGIC_H
++ struct statfs st;
++ // Bail out if procfs is invalid or fstatfs fails
++ if (fstatfs(fd, &st) || st.f_type != PROC_SUPER_MAGIC)
++ goto fail;
++#endif
+ char buf[8];
+ int num = read(fd, buf, sizeof(buf) - 1);
+ if (num > 0) {
+@@ -189,10 +209,25 @@
+ if (errno == 0)
+ last_cap = val;
+ }
++fail:
+ close(fd);
+ }
+- if (last_cap == 0)
+- last_cap = CAP_LAST_CAP;
++ // Run a binary search over capabilities
++ if (last_cap == 0) {
++ // starting with last_cap=MAX_CAP_VALUE means we always know
++ // that cap1 is invalid after the first iteration
++ last_cap = MAX_CAP_VALUE;
++ unsigned int cap0 = 0, cap1 = MAX_CAP_VALUE;
++
++ while (cap0 < last_cap) {
++ if (test_cap(last_cap))
++ cap0 = last_cap;
++ else
++ cap1 = last_cap;
++
++ last_cap = (cap0 + cap1) / 2U;
++ }
++ }
+ }
+ }
+ 
diff --git a/SOURCES/libcap-ng-filecap-enodata.patch b/SOURCES/libcap-ng-filecap-enodata.patch
deleted file mode 100644
index 3832fc4..0000000
--- a/SOURCES/libcap-ng-filecap-enodata.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/utils/filecap.c b/utils/filecap.c
-index 4e40beb..475995c 100644
---- a/utils/filecap.c
-+++ b/utils/filecap.c
-@@ -63,7 +63,7 @@ static int check_file(const char *fpath,
- int permitted = 0;
- 
- capng_clear(CAPNG_SELECT_BOTH);
-- if (capng_get_caps_fd(fd) < 0) {
-+ if (capng_get_caps_fd(fd) < 0 && errno != ENODATA) {
- fprintf(stderr, "Unable to get capabilities of %s: %s\n",
- fpath, strerror(errno));
- if (single_file)
diff --git a/SPECS/libcap-ng.spec b/SPECS/libcap-ng.spec
index 858c185..a71a10c 100644
--- a/SPECS/libcap-ng.spec
+++ b/SPECS/libcap-ng.spec
@@ -2,14 +2,16 @@ Summary: An alternate posix capabilities library
 Name: libcap-ng
-Version: 0.7.9
-Release: 5%{?dist}
+Version: 0.7.11
+Release: 1%{?dist}
 License: LGPLv2+
 URL: http://people.redhat.com/sgrubb/libcap-ng
 Source0: http://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz
-Patch1: libcap-ng-0.8-permitted.patch
-Patch2: libcap-ng-filecap-enodata.patch
-Patch3: libcap-ng-0.7.9-fixatfork.patch
+Patch1: libcap-ng-0.8-vararg-support.patch
+Patch2: libcap-ng-0.8.1-procfs-lastcap.patch
+Patch3: libcap-ng-0.8.1-signed-unsigned-fix.patch
+Patch4: libcap-ng-0.8.2-improve-lastcap-check.patch
+BuildRequires: autoconf automake libtool
 BuildRequires: gcc
 BuildRequires: kernel-headers >= 2.6.11
 BuildRequires: libattr-devel
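Review bot: Once the new PROC_SUPER_MAGIC check has passed, the context lines `if (errno == 0) last_cap = val;` still store whatever strtoul() parsed with no upper bound, even though this same hunk introduces `MAX_CAP_VALUE` as the ceiling the binary search trusts; with `cap_valid(x)` defined as `(x) <= last_cap` elsewhere in this import, an oversized value would make the library treat capability indices the two-word v3 bitmaps presumably cannot hold as valid. Bounding the parsed value the way the search is bounded, `if (errno == 0 && val < MAX_CAP_VALUE) last_cap = val;`, keeps `last_cap` at 0 for a bad value so the prctl-based search below takes over (indices run 0..MAX_CAP_VALUE-1, hence `<`). A short comment on `goto fail` noting that it deliberately jumps past the `char buf[8]` declaration, which is legal for a fixed-size array but is what -Wjump-misses-init warns about, would also help the next reader. The `#include` lines in this hunk lost their header names in this rendering, so the added includes cannot be checked here.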
@@ -50,11 +52,13 @@ lets you set the file system based capabilities.
 %prep
 %setup -q
-%patch1 -p1 -b .permitted
-%patch2 -p1 -b .filecap-enodata
-%patch3 -p1 -b .fixatfork
+%patch1 -p1 -b .vararg-support
+%patch2 -p1 -b .procfs-lastcap
+%patch3 -p1 -b .signed-unsigned-fix
+%patch4 -p1 -b .improve-lastcap-check
 %build
+autoreconf -fiv
 %configure --libdir=/%{_lib} --with-python=no --with-python3
 make CFLAGS="%{optflags}" %{?_smp_mflags}
@@ -105,6 +109,9 @@ make check
 %attr(0644,root,root) %{_mandir}/man8/*
 %changelog
+* Thu Mar 18 2021 Zoltan Fridrich 0.7.11-1
+resolves: rhbz#1939386 - Rebase libcap-ng to version 0.7.11
+
 * Tue Nov 05 2019 Marek Tamaskovic 0.7.9-5
 resolves: rhbz#1740775 - segfault after dlclose
@@ -114,7 +121,7 @@ resolves: rhbz#1599364 - filecap fails of files with no capabilities
 * Thu Aug 09 2018 Steve Grubb 0.7.9-3
 resolves: rhbz#1599364 - filecap fails of files with no capabilities
-* Thu Jun 08 2018 Steve Grubb 0.7.9-2
+* Thu Jun 07 2018 Steve Grubb 0.7.9-2
 - Drop python2 bindings (#1588449)
 * Wed Feb 07 2018 Steve Grubb 0.7.9-1