From f7da3e92f0eb6ee1c2ef1d2c1af8a81ee67e88e6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 12 2014 16:08:15 +0000
Subject: import libreswan-3.8-6.el7_0
---
diff --git a/SOURCES/libreswan-3.8-1092047.patch b/SOURCES/libreswan-3.8-1092047.patch
new file mode 100644
index 0000000..1410e89
--- /dev/null
+++ b/SOURCES/libreswan-3.8-1092047.patch
@@ -0,0 +1,58 @@
+diff -Naur libreswan-3.8-orig/programs/pluto/plutomain.c libreswan-3.8/programs/pluto/plutomain.c
+--- libreswan-3.8-orig/programs/pluto/plutomain.c 2014-07-14 14:06:22.408265468 -0400
++++ libreswan-3.8/programs/pluto/plutomain.c 2014-07-14 14:34:39.150794888 -0400
+@@ -447,23 +447,7 @@
+ leak_detective = 0;
+ #endif
+ 
+-#ifdef HAVE_LIBCAP_NG
+- /*
+- * Drop capabilities - this generates a false positive valgrind warning
+- * See: http://marc.info/?l=linux-security-module&m=125895232029657
+- */
+- capng_clear(CAPNG_SELECT_BOTH);
+ 
+- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+- CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
+- CAP_IPC_LOCK, CAP_AUDIT_WRITE,
+- CAP_SETGID, CAP_SETUID, /* for google authenticator pam */
+- -1);
+- /* our children must be able to CAP_NET_ADMIN to change routes.
+- */
+- capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_DAC_READ_SEARCH, -1); /* DAC needed for google authenticator pam */
+- capng_apply(CAPNG_SELECT_BOTH);
+-#endif
+ 
+ libreswan_passert_fail = passert_fail;
+ 
+@@ -1104,6 +1088,30 @@
+ pluto_init_log();
+ pluto_init_nss(oco->confddir);
+ 
++#ifdef HAVE_LIBCAP_NG
++ /*
++ * Drop capabilities - this generates a false positive valgrind warning
++ * See: http://marc.info/?l=linux-security-module&m=125895232029657
++ *
++ * We drop these after creating the pluto socket or else we can't
++ * create a socket if the parent dir is non-root
++ */
++ capng_clear(CAPNG_SELECT_BOTH);
++
++ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
++ CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
++ CAP_IPC_LOCK, CAP_AUDIT_WRITE,
++ CAP_SETGID, CAP_SETUID, /* for google authenticator pam */
++ -1);
++ /* our children must be able to CAP_NET_ADMIN to change routes.
++ */
++ capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_DAC_READ_SEARCH, -1); /* DAC needed for google authenticator pam */
++ capng_apply(CAPNG_SELECT_BOTH);
++ libreswan_log("libcap-ng support [enabled]");
++#else
++ libreswan_log("libcap-ng support [disabled]");
++#endif
++
+ #ifdef FIPS_CHECK
+ /*
+ * FIPS Kernel mode: fips=1 kernel boot parameter
diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec
index 4344af5..74d601d 100644
--- a/SPECS/libreswan.spec
+++ b/SPECS/libreswan.spec
@@ -16,7 +16,7 @@ Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 Version: 3.8
-Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}6%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://www.libreswan.org/
 Source: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
@@ -33,6 +33,8 @@ Patch2: libreswan-3.8-no-acerts.patch
 Patch3: libreswan-3.8-newhostkey-1058813.patch
 Patch4: libreswan-3.8-log-1069024.patch
 Patch5: libreswan-3.8-create_child_stub.patch
+# rhbz#1119723
+Patch6: libreswan-3.8-1092047.patch
 
 Conflicts: openswan < %{version}-%{release}
 Obsoletes: openswan < %{version}-%{release}
@@ -91,6 +93,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 %build
 %if %{buildefence}
@@ -212,6 +215,9 @@ if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
 fi
 
 %changelog
+* Tue Jul 15 2014 Paul Wouters - 3.8-6
+- Resolves: rhbz#1119723 pluto cannot write to directories not owned by root
+
 * Thu Apr 10 2014 Paul Wouters - 3.8-5
 - Resolves: rhbz#1052834 create_child_sa message ID handling
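Review bot: The relocated block still discards the return value of `capng_apply(CAPNG_SELECT_BOTH)` (and of both `capng_updatev` calls), so a failed drop leaves pluto running with its full inherited capability set while the very next line logs `libcap-ng support [enabled]`. libcap-ng reports failure with a non-zero return, so check it and refuse to continue rather than log success: `if (capng_apply(CAPNG_SELECT_BOTH) != 0) { libreswan_log("capng_apply() failed, capabilities not dropped"); /* exit via pluto's normal shutdown path */ }`. Moving the drop from just after the leak_detective setup to after `pluto_init_nss()` also means everything in between (socket creation, log and NSS initialisation) now runs with the full set; the new comment explains the socket case, so extend it with one sentence naming that wider window, e.g. `* Note: everything before this point (socket, log and NSS init) still runs with the full inherited set.` The enclosing main() starts and ends outside this hunk.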
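Review bot: The comment on the new `Patch6:` line cites rhbz#1119723 while the patch file it introduces is named `libreswan-3.8-1092047.patch`, so a reader of the spec cannot tell whether 1092047 is the bug the patch was originally written for or a mistake in the file name. If the former, make the cross-reference explicit so both numbers stay traceable, e.g. `# rhbz#1119723 (patch file carries the number of the original report, 1092047)`. The Release bump, the `%patch6 -p1` line and the changelog entry need no change.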