aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-11-24 13:16:38 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-11-24 13:18:30 -0300
commitfd99f143e50e6412f8bdd889c89813f12f0f0ec5 (patch)
tree8be66626170e62aaa8730019d51dc6002bad8e28
parentdb0a1b476d29cf2c5c3f1335573cbbe82e5e27c9 (diff)
downloadaports-fd99f143e50e6412f8bdd889c89813f12f0f0ec5.tar.gz
aports-fd99f143e50e6412f8bdd889c89813f12f0f0ec5.tar.bz2
aports-fd99f143e50e6412f8bdd889c89813f12f0f0ec5.tar.xz
main/libcap-ng: fix starting gnome-keyring
https://github.com/stevegrubb/libcap-ng/issues/21
-rw-r--r--main/libcap-ng/APKBUILD11
-rw-r--r--main/libcap-ng/apply-disable.patch29
-rw-r--r--main/libcap-ng/apply.patch119
3 files changed, 156 insertions, 3 deletions
diff --git a/main/libcap-ng/APKBUILD b/main/libcap-ng/APKBUILD
index 2bca9fcca1..9394be22ee 100644
--- a/main/libcap-ng/APKBUILD
+++ b/main/libcap-ng/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libcap-ng
pkgver=0.8.1
-pkgrel=0
+pkgrel=1
pkgdesc="POSIX capabilities library"
url="http://people.redhat.com/sgrubb/libcap-ng/index.html"
arch="all"
@@ -9,7 +9,10 @@ license="GPL-2.0-or-later LGPL-2.1-or-later"
depends_dev="linux-headers"
makedepends_host="$depends_dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
-source="https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-$pkgver.tar.gz"
+source="https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-$pkgver.tar.gz
+ apply.patch
+ apply-disable.patch
+ "
build() {
ac_cv_prog_swig_found=no \
@@ -41,4 +44,6 @@ utils() {
mv "$pkgdir"/usr/bin/* "$subpkgdir"/usr/bin/
}
-sha512sums="cd28ceb43e2cf5d3a0140fddbd2ea13dfda8eeea8a6de1817f3cc3b38df874ab8653917dbd405ad7aaaa71bcb9ec246d995079aa3cb0af1cffbdb37dfdd99232 libcap-ng-0.8.1.tar.gz"
+sha512sums="cd28ceb43e2cf5d3a0140fddbd2ea13dfda8eeea8a6de1817f3cc3b38df874ab8653917dbd405ad7aaaa71bcb9ec246d995079aa3cb0af1cffbdb37dfdd99232 libcap-ng-0.8.1.tar.gz
+47b6d7a61de15a9fc9c80ff8cd471723c74a010574ef3446c8895fb6e80b980672f16025ee94955a77f6088fcccf84b52e760a400c5239b637364caad391c0f7 apply.patch
+5f362d5d3f791d1bddc5d9ef3b31e5089c54f852904e12bc3b58dcd22fa87086766cfc095ae8b485bee1b3c4fd854575b89821052b77967a6fdca4ff7e0a0397 apply-disable.patch"
diff --git a/main/libcap-ng/apply-disable.patch b/main/libcap-ng/apply-disable.patch
new file mode 100644
index 0000000000..a476c1ae5b
--- /dev/null
+++ b/main/libcap-ng/apply-disable.patch
@@ -0,0 +1,29 @@
+Upstream: Fedora patch
+Reason: Remove error codes that nobody handles and crashes everything
+
+diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
+--- libcap-ng-0.8.2.orig/src/cap-ng.c 2020-11-20 15:04:09.000000000 -0500
++++ libcap-ng-0.8.2/src/cap-ng.c 2020-11-20 16:04:55.425496426 -0500
+@@ -698,19 +698,19 @@ int capng_apply(capng_select_t set)
+ if (capng_have_capability(CAPNG_BOUNDING_SET,
+ i) == 0) {
+ if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
+- rc = -2;
++// rc = -2;
+ goto try_caps;
+ }
+ }
+ }
+ m.state = CAPNG_APPLIED;
+ if (get_bounding_set() < 0) {
+- rc = -3;
++// rc = -3;
+ goto try_caps;
+ }
+ } else {
+ memcpy(&m, &state, sizeof(m)); /* restore state */
+- rc = -4;
++// rc = -4;
+ goto try_caps;
+ }
+ #endif
diff --git a/main/libcap-ng/apply.patch b/main/libcap-ng/apply.patch
new file mode 100644
index 0000000000..5fb9f189c0
--- /dev/null
+++ b/main/libcap-ng/apply.patch
@@ -0,0 +1,119 @@
+From fda0224fea4f01b77bd07ac195b3baaaf1a28fca Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Fri, 20 Nov 2020 14:01:33 -0500
+Subject: [PATCH] In capng_apply, allow continuing in spite of errors
+
+In capng_apply, if we blow up trying to adjust the bounding set without
+proper permissions, continue into the capabilities in case they called
+with SELECT_BOTH and they don't bother checking the return code. This
+will at least leave the application in a potentially safer state.
+---
+ src/cap-ng.c | 56 +++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 14 deletions(-)
+
+diff --git a/src/cap-ng.c b/src/cap-ng.c
+index a9de370..1474326 100644
+--- a/src/cap-ng.c
++++ b/src/cap-ng.c
+@@ -680,6 +680,8 @@ int capng_updatev(capng_act_t action, capng_type_t type,
+
+ int capng_apply(capng_select_t set)
+ {
++ int rc = 0;
++
+ // Before updating, we expect that the data is initialized to something
+ if (m.state < CAPNG_INIT)
+ return -1;
+@@ -695,52 +697,78 @@ int capng_apply(capng_select_t set)
+ for (i=0; i <= last_cap; i++) {
+ if (capng_have_capability(CAPNG_BOUNDING_SET,
+ i) == 0) {
+- if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0)
+- return -2;
++ if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
++ rc = -2;
++ goto try_caps;
++ }
+ }
+ }
+ m.state = CAPNG_APPLIED;
+- if (get_bounding_set() < 0)
+- return -3;
++ if (get_bounding_set() < 0) {
++ rc = -3;
++ goto try_caps;
++ }
+ } else {
+ memcpy(&m, &state, sizeof(m)); /* restore state */
+- return -4;
++ rc = -4;
++ goto try_caps;
+ }
+ #endif
+ }
++
++ // Try caps is here so that if someone had SELECT_BOTH and we blew up
++ // doing the bounding set, we at least try to set any capabilities
++ // before returning in case the caller also doesn't bother checking
++ // the return code.
++try_caps:
+ if (set & CAPNG_SELECT_CAPS) {
+ if (capset((cap_user_header_t)&m.hdr,
+ (cap_user_data_t)&m.data) == 0)
+ m.state = CAPNG_APPLIED;
+ else
+- return -5;
++ rc = -5;
+ }
+- // Put ambient last so that inheritable and permitted are set
++
++ // Most programs do not and should not mess with ambient capabilities.
++ // Instead of returning here if rc is set, we'll let it try to
++ // do something with ambient capabilities in hopes that it's lowering
++ // capabilities. Again, this is for people that don't check their
++ // return codes.
++ //
++ // Do ambient last so that inheritable and permitted are set by the
++ // time we get here.
+ if (set & CAPNG_SELECT_AMBIENT) {
+ #ifdef PR_CAP_AMBIENT
+ if (capng_have_capabilities(CAPNG_SELECT_AMBIENT) ==
+ CAPNG_NONE) {
+ if (prctl(PR_CAP_AMBIENT,
+- PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
+- return -6;
++ PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
++ rc = -6;
++ goto out;
++ }
+ } else {
+ unsigned int i;
+
+ // Clear them all
+ if (prctl(PR_CAP_AMBIENT,
+- PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
+- return -7;
++ PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
++ rc = -7;
++ goto out;
++ }
+ for (i=0; i <= last_cap; i++) {
+ if (capng_have_capability(CAPNG_AMBIENT, i))
+ if (prctl(PR_CAP_AMBIENT,
+- PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
+- return -8;
++ PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0){
++ rc = -8;
++ goto out;
++ }
+ }
+ }
+ m.state = CAPNG_APPLIED;
+ #endif
+ }
+- return 0;
++out:
++ return rc;
+ }
+
+ #ifdef VFS_CAP_U32