-rw-r--r--main/libcap-ng/APKBUILD11
-rw-r--r--main/libcap-ng/apply.patch119
2 files changed, 4 insertions, 126 deletions
diff --git a/main/libcap-ng/APKBUILD b/main/libcap-ng/APKBUILD
index 9394be22ee..b51071ec5f 100644
--- a/main/libcap-ng/APKBUILD
+++ b/main/libcap-ng/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libcap-ng
-pkgver=0.8.1
-pkgrel=1
+pkgver=0.8.2
+pkgrel=0
pkgdesc="POSIX capabilities library"
url="http://people.redhat.com/sgrubb/libcap-ng/index.html"
arch="all"
@@ -10,7 +10,6 @@ depends_dev="linux-headers"
makedepends_host="$depends_dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
source="https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-$pkgver.tar.gz
- apply.patch
apply-disable.patch
"
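Review bot: Dropping `apply.patch` from `source=` in this hunk is only safe if the libcap-ng 0.8.2 tarball already contains that change, and nothing visible in the diff confirms it. The deleted file is upstream commit fda0224f, which makes capng_apply() carry on to the capset() step after a bounding-set failure, so that callers using CAPNG_SELECT_BOTH who ignore the return code still end up with their capabilities lowered. It is presumably part of 0.8.2, since it comes from the upstream author, but that should be checked against src/cap-ng.c in the new release. I would record the result in the commit message, for example `apply.patch dropped: upstream commit fda0224f is included in 0.8.2`.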
@@ -40,10 +39,8 @@ package() {
utils() {
pkgdesc="posix capabilities utils"
- mkdir -p "$subpkgdir"/usr/bin
- mv "$pkgdir"/usr/bin/* "$subpkgdir"/usr/bin/
+ amove usr/bin
}
-sha512sums="cd28ceb43e2cf5d3a0140fddbd2ea13dfda8eeea8a6de1817f3cc3b38df874ab8653917dbd405ad7aaaa71bcb9ec246d995079aa3cb0af1cffbdb37dfdd99232 libcap-ng-0.8.1.tar.gz
-47b6d7a61de15a9fc9c80ff8cd471723c74a010574ef3446c8895fb6e80b980672f16025ee94955a77f6088fcccf84b52e760a400c5239b637364caad391c0f7 apply.patch
+sha512sums="0ac6e55c03b1fba3a849048b721e250951afb59190d9646704d4fd9938eccc3bd0767380fbddc42f186b4f55695475e31f34f537ae91c04a37662577a5b7a19b libcap-ng-0.8.2.tar.gz
5f362d5d3f791d1bddc5d9ef3b31e5089c54f852904e12bc3b58dcd22fa87086766cfc095ae8b485bee1b3c4fd854575b89821052b77967a6fdca4ff7e0a0397 apply-disable.patch"
diff --git a/main/libcap-ng/apply.patch b/main/libcap-ng/apply.patch
deleted file mode 100644
index 5fb9f189c0..0000000000
--- a/main/libcap-ng/apply.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From fda0224fea4f01b77bd07ac195b3baaaf1a28fca Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Fri, 20 Nov 2020 14:01:33 -0500
-Subject: [PATCH] In capng_apply, allow continuing in spite of errors
-
-In capng_apply, if we blow up trying to adjust the bounding set without
-proper permissions, continue into the capabilities in case they called
-with SELECT_BOTH and they don't bother checking the return code. This
-will at least leave the application in a potentially safer state.
----
- src/cap-ng.c | 56 +++++++++++++++++++++++++++++++++++++++-------------
- 1 file changed, 42 insertions(+), 14 deletions(-)
-
-diff --git a/src/cap-ng.c b/src/cap-ng.c
-index a9de370..1474326 100644
---- a/src/cap-ng.c
-+++ b/src/cap-ng.c
-@@ -680,6 +680,8 @@ int capng_updatev(capng_act_t action, capng_type_t type,
-
- int capng_apply(capng_select_t set)
- {
-+ int rc = 0;
-+
- // Before updating, we expect that the data is initialized to something
- if (m.state < CAPNG_INIT)
- return -1;
-@@ -695,52 +697,78 @@ int capng_apply(capng_select_t set)
- for (i=0; i <= last_cap; i++) {
- if (capng_have_capability(CAPNG_BOUNDING_SET,
- i) == 0) {
-- if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0)
-- return -2;
-+ if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
-+ rc = -2;
-+ goto try_caps;
-+ }
- }
- }
- m.state = CAPNG_APPLIED;
-- if (get_bounding_set() < 0)
-- return -3;
-+ if (get_bounding_set() < 0) {
-+ rc = -3;
-+ goto try_caps;
-+ }
- } else {
- memcpy(&m, &state, sizeof(m)); /* restore state */
-- return -4;
-+ rc = -4;
-+ goto try_caps;
- }
- #endif
- }
-+
-+ // Try caps is here so that if someone had SELECT_BOTH and we blew up
-+ // doing the bounding set, we at least try to set any capabilities
-+ // before returning in case the caller also doesn't bother checking
-+ // the return code.
-+try_caps:
- if (set & CAPNG_SELECT_CAPS) {
- if (capset((cap_user_header_t)&m.hdr,
- (cap_user_data_t)&m.data) == 0)
- m.state = CAPNG_APPLIED;
- else
-- return -5;
-+ rc = -5;
- }
-- // Put ambient last so that inheritable and permitted are set
-+
-+ // Most programs do not and should not mess with ambient capabilities.
-+ // Instead of returning here if rc is set, we'll let it try to
-+ // do something with ambient capabilities in hopes that it's lowering
-+ // capabilities. Again, this is for people that don't check their
-+ // return codes.
-+ //
-+ // Do ambient last so that inheritable and permitted are set by the
-+ // time we get here.
- if (set & CAPNG_SELECT_AMBIENT) {
- #ifdef PR_CAP_AMBIENT
- if (capng_have_capabilities(CAPNG_SELECT_AMBIENT) ==
- CAPNG_NONE) {
- if (prctl(PR_CAP_AMBIENT,
-- PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
-- return -6;
-+ PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
-+ rc = -6;
-+ goto out;
-+ }
- } else {
- unsigned int i;
-
- // Clear them all
- if (prctl(PR_CAP_AMBIENT,
-- PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
-- return -7;
-+ PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
-+ rc = -7;
-+ goto out;
-+ }
- for (i=0; i <= last_cap; i++) {
- if (capng_have_capability(CAPNG_AMBIENT, i))
- if (prctl(PR_CAP_AMBIENT,
-- PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
-- return -8;
-+ PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0){
-+ rc = -8;
-+ goto out;
-+ }
- }
- }
- m.state = CAPNG_APPLIED;
- #endif
- }
-- return 0;
-+out:
-+ return rc;
- }
-
- #ifdef VFS_CAP_U32