From 7810269ffcb27e600331be28a6a1ab83e33e6021 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 09 2021 10:10:27 +0000
Subject: import libcap-2.26-5.el8
---
diff --git a/SOURCES/libcap-add-new-caps.patch b/SOURCES/libcap-add-new-caps.patch
new file mode 100644
index 0000000..de1751e
--- /dev/null
+++ b/SOURCES/libcap-add-new-caps.patch
@@ -0,0 +1,96 @@
+diff --color -ruN a/distcheck.sh b/distcheck.sh
+--- a/distcheck.sh 1970-01-01 01:00:00.000000000 +0100
++++ b/distcheck.sh 2021-06-10 10:06:19.618284780 +0200
+@@ -0,0 +1,13 @@
++#!/bin/bash
++
++actual=$(wget -o/dev/null -O/dev/stdout https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/linux/capability.h | grep "#define.CAP_LAST_CAP"|awk '{print $3}')
++working=$(grep "#define.CAP_LAST_CAP" libcap/include/uapi/linux/capability.h|awk '{print $3}')
++
++if [[ ${actual} = ${working} ]]; then
++ echo "up to date with officially named caps"
++ exit 0
++fi
++
++echo "want: ${actual}"
++echo "have: ${working}"
++exit 1
+diff --color -ruN a/libcap/include/uapi/linux/capability.h b/libcap/include/uapi/linux/capability.h
+--- a/libcap/include/uapi/linux/capability.h 2018-09-09 20:06:40.000000000 +0200
++++ b/libcap/include/uapi/linux/capability.h 2021-06-10 10:05:19.729202015 +0200
+@@ -331,6 +331,8 @@
+ 
+ #define CAP_AUDIT_CONTROL 30
+ 
++/* Set capabilities on files. */
++
+ #define CAP_SETFCAP 31
+ 
+ /* Override MAC access.
+@@ -366,8 +368,50 @@
+ 
+ #define CAP_AUDIT_READ 37
+ 
++/* Allow system performance and observability privileged operations using
++ * perf_events, i915_perf and other kernel subsystems. */
++
++#define CAP_PERFMON 38
++
++/*
++ * CAP_BPF allows the following BPF operations:
++ * - Creating all types of BPF maps
++ * - Advanced verifier features
++ * - Indirect variable access
++ * - Bounded loops
++ * - BPF to BPF function calls
++ * - Scalar precision tracking
++ * - Larger complexity limits
++ * - Dead code elimination
++ * - And potentially other features
++ * - Loading BPF Type Format (BTF) data
++ * - Retrieve xlated and JITed code of BPF programs
++ * - Use bpf_spin_lock() helper
++ *
++ * CAP_PERFMON relaxes the verifier checks further:
++ * - BPF progs can use of pointer-to-integer conversions
++ * - speculation attack hardening measures are bypassed
++ * - bpf_probe_read to read arbitrary kernel memory is allowed
++ * - bpf_trace_printk to print kernel memory is allowed
++ *
++ * CAP_SYS_ADMIN is required to use bpf_probe_write_user.
++ *
++ * CAP_SYS_ADMIN is required to iterate system wide loaded
++ * programs, maps, links, BTFs and convert their IDs to file descriptors.
++ *
++ * CAP_PERFMON and CAP_BPF are required to load tracing programs.
++ * CAP_NET_ADMIN and CAP_BPF are required to load networking programs.
++ */
++
++#define CAP_BPF 39
++
++/* Allow checkpoint/restore related operations */
++/* Allow PID selection during clone3() */
++/* Allow writing to ns_last_pid */
++
++#define CAP_CHECKPOINT_RESTORE 40
+ 
+-#define CAP_LAST_CAP CAP_AUDIT_READ
++#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE
+ 
+ #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
+ 
+diff --color -ruN a/Makefile b/Makefile
+--- a/Makefile 2018-09-15 23:51:38.000000000 +0200
++++ b/Makefile 2021-06-10 10:07:30.872573023 +0200
+@@ -33,7 +33,10 @@
+ test: all
+ cd progs && sudo ./quicktest.sh
+ 
+-morganrelease: distclean
++distcheck:
++ ./distcheck.sh
++
++morganrelease: distclean distcheck
+ @echo "sign the tag twice: older DSA key; and newer RSA kernel.org key"
+ git tag -u D41A6DF2 -s libcap-$(VERSION).$(MINOR) -m "This is libcap-$(VERSION).$(MINOR)"
+ git tag -u E2CCF3F4 -s libcap-korg-$(VERSION).$(MINOR) -m "This is libcap-$(VERSION).$(MINOR)"
diff --git a/SPECS/libcap.spec b/SPECS/libcap.spec
index 1b0361f..b869d05 100644
--- a/SPECS/libcap.spec
+++ b/SPECS/libcap.spec
@@ -1,6 +1,6 @@
 Name: libcap
 Version: 2.26
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Library for getting and setting POSIX.1e capabilities
 URL: https://sites.google.com/site/fullycapable/
 License: GPLv2
@@ -12,6 +12,7 @@ Source1: getpcaps.8
 Patch0: %{name}-2.25-buildflags.patch
 Patch1: %{name}-PAM_REINITIALIZE_CRED.patch
 Patch2: %{name}-2.26-ambient-caps.patch
+Patch3: %{name}-add-new-caps.patch
 BuildRequires: libattr-devel pam-devel perl-interpreter
@@ -50,6 +51,7 @@ libcap.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %build
 # libcap can not be build with _smp_mflags:
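Review bot: In the new distcheck.sh, the equality test succeeds when both `actual` and `working` are empty, so the script prints "up to date with officially named caps" and exits 0 if the kernel.org download fails (`wget -o/dev/null` discards the error, and the pipeline's status is never checked) and the local header is not found from the current directory. Because `morganrelease` now depends on `distcheck`, that false pass would let a release through without the capability list having been compared at all. I would add `[[ -n "${actual}" && -n "${working}" ]] || { echo "cannot determine CAP_LAST_CAP" >&2; exit 2; }` before the `if`, and quote both sides, `if [[ "${actual}" == "${working}" ]]; then`, since an unquoted right-hand side inside `[[ ]]` is matched as a glob pattern rather than compared as a string.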
@@ -91,6 +93,10 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
 %{_libdir}/pkgconfig/libcap.pc
 %changelog
+* Thu Jun 10 2021 Zoltan Fridrich - 2.26-5
+- added CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE capabilities
+ resolves: rhbz#1946982 rhbz#1921576
+
 * Fri May 22 2020 Jiri Vymazal - 2.26-4
 - added patch implementing support for ambient capabilities
 resolves: rhbz#1487388