diff --git a/libcap-ng-0.7.11.tar.gz b/libcap-ng-0.7.11.tar.gz deleted file mode 100644 index 079fd3768b0bef3d8be0707949d36a7953d2c4c6..0000000000000000000000000000000000000000 Binary files a/libcap-ng-0.7.11.tar.gz and /dev/null differ diff --git a/libcap-ng-0.8-vararg-support.patch b/libcap-ng-0.8-vararg-support.patch deleted file mode 100644 index a9fc7e77c7f1d982d6ef20ef691844e2ab2045ac..0000000000000000000000000000000000000000 --- a/libcap-ng-0.8-vararg-support.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -ru a/bindings/src/capng_swig.i b/bindings/src/capng_swig.i ---- a/bindings/src/capng_swig.i -+++ b/bindings/src/capng_swig.i -@@ -26,6 +26,9 @@ - %} - - #if defined(SWIGPYTHON) -+ -+%varargs(16, unsigned capability = 0) capng_updatev; -+ - %except(python) { - $action - if (result < 0) { diff --git a/libcap-ng-0.8.1-procfs-lastcap.patch b/libcap-ng-0.8.1-procfs-lastcap.patch deleted file mode 100644 index 00deac0c02c913209584ddb92d36040789e8e20f..0000000000000000000000000000000000000000 --- a/libcap-ng-0.8.1-procfs-lastcap.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff -ru a/src/cap-ng.c b/src/cap-ng.c ---- a/src/cap-ng.c -+++ b/src/cap-ng.c -@@ -204,12 +204,7 @@ - int fd; - - fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY); -- if (fd == -1) { -- if (errno != ENOENT) { -- m.state = CAPNG_ERROR; -- return; -- } -- } else { -+ if (fd >= 0) { - char buf[8]; - int num = read(fd, buf, sizeof(buf) - 1); - if (num > 0) { diff --git a/libcap-ng-0.8.1-signed-unsigned-fix.patch b/libcap-ng-0.8.1-signed-unsigned-fix.patch deleted file mode 100644 index 7f3c8257ac294d2d2ab36b5bf550f4a20e5ffb04..0000000000000000000000000000000000000000 --- a/libcap-ng-0.8.1-signed-unsigned-fix.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -diff -ru a/src/cap-ng.c b/src/cap-ng.c ---- a/src/cap-ng.c -+++ b/src/cap-ng.c -@@ -46,7 +46,7 @@ - #endif - - # define hidden __attribute__ ((visibility ("hidden"))) --int last_cap hidden = -1; -+unsigned int last_cap hidden = 0; - /* - * Some milestones of when things became available: - * 2.6.24 kernel XATTR_NAME_CAPS -@@ -65,7 +65,7 @@ - // Local defines - #define MASK(x) (1U << (x)) - #ifdef PR_CAPBSET_DROP --#define UPPER_MASK ~(unsigned)((~0U)<<(last_cap-31)) -+#define UPPER_MASK ~((~0U)<<(last_cap-31)) - #else - // For v1 systems UPPER_MASK will never be used - #define UPPER_MASK (unsigned)(~0U) -@@ -73,7 +73,7 @@ - - // Re-define cap_valid so its uniform between V1 and V3 - #undef cap_valid --#define cap_valid(x) ((x) <= (unsigned int)last_cap) -+#define cap_valid(x) ((x) <= last_cap) - - // If we don't have the xattr library, then we can't - // compile-in file system capabilities -@@ -174,6 +174,26 @@ - #ifdef HAVE_PTHREAD_H - pthread_atfork(NULL, NULL, deinit); - #endif -+ // Detect last cap -+ if (last_cap == 0) { -+ int fd; -+ -+ fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY); -+ if (fd >= 0) { -+ char buf[8]; -+ int num = read(fd, buf, sizeof(buf) - 1); -+ if (num > 0) { -+ buf[num] = 0; -+ errno = 0; -+ unsigned int val = strtoul(buf, NULL, 10); -+ if (errno == 0) -+ last_cap = val; -+ } -+ close(fd); -+ } -+ if (last_cap == 0) -+ last_cap = CAP_LAST_CAP; -+ } - } - - static void init(void) -@@ -199,26 +219,6 @@ - #else - m.hdr.pid = (unsigned)getpid(); - #endif -- // Detect last cap -- if (last_cap == -1) { -- int fd; -- -- fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY); -- if (fd >= 0) { -- char buf[8]; -- int num = read(fd, buf, sizeof(buf) - 1); -- if (num > 0) { -- buf[num] = 0; -- errno = 0; -- int val = strtoul(buf, NULL, 10); -- if (errno == 0) -- last_cap = val; -- } -- close(fd); -- } -- if (last_cap == -1) -- last_cap = CAP_LAST_CAP; -- } - m.state = CAPNG_ALLOCATED; - } - -@@ -478,7 +478,7 @@ - if 
(CAPNG_INHERITABLE & type) - v1_update(action, capability, &m.data.v1.inheritable); - } else { -- int idx; -+ unsigned int idx; - - if (capability > 31) { - idx = capability>>5; -@@ -545,7 +545,7 @@ - memcpy(&state, &m, sizeof(state)); /* save state */ - capng_get_caps_process(); - if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { -- int i; -+ unsigned int i; - memcpy(&m, &state, sizeof(m)); /* restore state */ - rc = 0; - for (i=0; i <= last_cap && rc == 0; i++) -@@ -602,7 +602,7 @@ - #ifndef VFS_CAP_U32 - return -1; - #else -- int rc, size; -+ int rc, size = 0; - struct vfs_cap_data filedata; - struct stat buf; - -@@ -1010,7 +1010,7 @@ - - char *capng_print_caps_text(capng_print_t where, capng_type_t which) - { -- int i, once = 0, cnt = 0; -+ unsigned int i, once = 0, cnt = 0; - char *ptr = NULL; - - if (m.state < CAPNG_INIT) -diff -ru a/src/lookup_table.c b/src/lookup_table.c ---- a/src/lookup_table.c -+++ b/src/lookup_table.c -@@ -29,10 +29,10 @@ - - - #define hidden __attribute__ ((visibility ("hidden"))) --extern int last_cap hidden; -+extern unsigned int last_cap hidden; - - #undef cap_valid --#define cap_valid(x) ((x) <= (unsigned int)last_cap) -+#define cap_valid(x) ((x) <= last_cap) - - - struct transtab { -diff -ru a/src/test/lib_test.c b/src/test/lib_test.c ---- a/src/test/lib_test.c -+++ b/src/test/lib_test.c -@@ -29,7 +29,7 @@ - #include - #include - --int get_last_cap(void) -+static unsigned int get_last_cap(void) - { - int fd; - -@@ -41,17 +41,19 @@ - int num = read(fd, buf, sizeof(buf)); - if (num > 0) { - errno = 0; -- int val = strtoul(buf, NULL, 10); -+ unsigned int val = strtoul(buf, NULL, 10); - if (errno == 0) - return val; - } -+ close(fd); - } - return CAP_LAST_CAP; - } - - int main(void) - { -- int rc, i, len, last = get_last_cap(); -+ int rc; -+ unsigned int i, len, last = get_last_cap(); - char *text; - void *saved; - -@@ -127,7 +129,7 @@ - abort(); - } - name = capng_capability_to_name(i); -- if (name == NULL) { -+ if (name == 
NULL) { - printf("Failed converting capability %d to name\n", i); - abort(); - } diff --git a/libcap-ng-0.8.2-apply-disable.patch b/libcap-ng-0.8.2-apply-disable.patch new file mode 100644 index 0000000000000000000000000000000000000000..a6620b673a1681e4c0728fe440fe7ed863dfdfdc --- /dev/null +++ b/libcap-ng-0.8.2-apply-disable.patch @@ -0,0 +1,66 @@ +diff -urp libcap-ng-0.8.3.orig/src/cap-ng.c libcap-ng-0.8.3/src/cap-ng.c +--- libcap-ng-0.8.3.orig/src/cap-ng.c 2021-01-30 09:26:33.000000000 -0500 ++++ libcap-ng-0.8.3/src/cap-ng.c 2021-01-30 09:52:43.507967643 -0500 +@@ -713,6 +713,36 @@ int capng_updatev(capng_act_t action, ca + return rc; + } + ++#include ++static char *get_exename(char *exename, int size) ++{ ++ char tmp[PATH_MAX+1]; ++ int res; ++ ++ /* get the name of the current executable */ ++ if ((res = readlink("/proc/self/exe", tmp, PATH_MAX)) < 0) ++ strcpy(exename, "\"?\""); ++ else { ++ tmp[res] = '\0'; ++ snprintf(exename, size, "\"%s\"", tmp); ++ } ++ return exename; ++} ++ ++#include ++static void log_problem(unsigned int msg) ++{ ++ static const char *text[3] = { ++ "dropping bounding set", ++ "getting new bounding set", ++ "dropping bounding set due to not having CAP_SETPCAP" ++ }; ++ unsigned idx = msg - 2; ++ char exe[2048]; ++ syslog(LOG_ERR, "libcap-ng used by %s failed %s in capng_apply", ++ get_exename(exe, 2047), text[idx]); ++} ++ + int capng_apply(capng_select_t set) + { + int rc = 0; +@@ -733,19 +763,22 @@ int capng_apply(capng_select_t set) + if (capng_have_capability(CAPNG_BOUNDING_SET, + i) == 0) { + if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) { +- rc = -2; ++// rc = -2; ++ log_problem(2); + goto try_caps; + } + } + } + m.state = CAPNG_APPLIED; + if (get_bounding_set() < 0) { +- rc = -3; ++// rc = -3; ++ log_problem(3); + goto try_caps; + } + } else { + memcpy(&m, &state, sizeof(m)); /* restore state */ +- rc = -4; ++// rc = -4; ++ log_problem(4); + goto try_caps; + } + #endif 
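Review bot: With `rc = -2`, `rc = -3` and `rc = -4` commented out in the second hunk of the embedded patch, capng_apply() keeps `rc` at its initial 0 when PR_CAPBSET_DROP or get_bounding_set() fails. Unless the code after `try_caps` (outside the hunk) sets it, a caller that checks the return value to confirm the bounding set was reduced is told the call succeeded, and the only trace is a LOG_ERR syslog line. Services that rely on this call for privilege reduction should be audited against that log message while the patch is carried. Rather than leaving dead assignments behind `//`, replace each with a comment stating the intent, e.g. `/* downstream: failure is logged, not returned; restore rc = -2 when 1899540 is resolved */`. In get_exename() the fallback `strcpy(exename, "\"?\"")` ignores `size`; `snprintf(exename, size, "\"?\"");` keeps both branches bounded by the caller's buffer.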
diff --git a/libcap-ng-0.8.2-improve-lastcap-check.patch b/libcap-ng-0.8.2-improve-lastcap-check.patch
deleted file mode 100644
index a5c12ee661b09a23bc69965bdab151f4ae6f60f2..0000000000000000000000000000000000000000
--- a/libcap-ng-0.8.2-improve-lastcap-check.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -diff -ru a/configure.ac b/configure.ac ---- a/configure.ac -+++ b/configure.ac -@@ -59,6 +59,9 @@ - AC_CHECK_HEADERS(pthread.h, - [AC_SEARCH_LIBS(pthread_atfork, pthread)], - [AC_MSG_WARN(pthread.h not found, disabling pthread_atfork.)]) -+AC_CHECK_HEADERS(sys/vfs.h, [ -+ AC_CHECK_HEADERS(linux/magic.h, [] [AC_MSG_WARN(linux/magic.h is required in order to verify procfs.)]) -+ ], [AC_MSG_WARN(sys/vfs.h is required in order to verify procfs.)]) - - AC_C_CONST - AC_C_INLINE -diff -ru a/src/cap-ng.c b/src/cap-ng.c ---- a/src/cap-ng.c -+++ b/src/cap-ng.c -@@ -44,6 +44,10 @@ - #ifdef HAVE_LINUX_SECUREBITS_H - #include - #endif -+#ifdef HAVE_LINUX_MAGIC_H -+#include -+#include -+#endif - - # define hidden __attribute__ ((visibility ("hidden"))) - unsigned int last_cap hidden = 0; -@@ -168,6 +172,15 @@ - m.state = CAPNG_NEW; - } - -+static inline int test_cap(unsigned int cap) -+{ -+ // prctl returns 0 or 1 for valid caps, -1 otherwise -+ return prctl(PR_CAPBSET_READ, cap) >= 0; -+} -+ -+// The maximum cap value is determined by VFS_CAP_U32 -+#define MAX_CAP_VALUE (VFS_CAP_U32 * sizeof(__le32) * 8) -+ - static void init_lib(void) __attribute__ ((constructor)); - static void init_lib(void) - { -@@ -178,8 +191,15 @@ - if (last_cap == 0) { - int fd; - -+ // Try to read last cap from procfs - fd = open("/proc/sys/kernel/cap_last_cap", O_RDONLY); - if (fd >= 0) { -+#ifdef HAVE_LINUX_MAGIC_H -+ struct statfs st; -+ // Bail out if procfs is invalid or fstatfs fails -+ if (fstatfs(fd, &st) || st.f_type != PROC_SUPER_MAGIC) -+ goto fail; -+#endif - char buf[8]; - int num = read(fd, buf, sizeof(buf) - 1); - if (num > 0) { -@@ -189,10 +209,25 @@ - if (errno == 0) - last_cap = val; - } -+fail: - close(fd); - } -- if (last_cap == 0) -- last_cap = CAP_LAST_CAP; -+ // Run a binary search over capabilities -+ if (last_cap == 0) { -+ // starting with last_cap=MAX_CAP_VALUE means we always know -+ // that cap1 is invalid after the first iteration -+ last_cap = 
MAX_CAP_VALUE; -+ unsigned int cap0 = 0, cap1 = MAX_CAP_VALUE; -+ -+ while (cap0 < last_cap) { -+ if (test_cap(last_cap)) -+ cap0 = last_cap; -+ else -+ cap1 = last_cap; -+ -+ last_cap = (cap0 + cap1) / 2U; -+ } -+ } - } - } - diff --git a/libcap-ng-0.8.2.tar.gz b/libcap-ng-0.8.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..9eb618e6661c0293eeb73a2e2e7103825d3aa8c3 Binary files /dev/null and b/libcap-ng-0.8.2.tar.gz differ diff --git a/libcap-ng.spec b/libcap-ng.spec index a71a10cede76ae4c19b14ffd5ff2ba6f2f0c590a..adf30142ae5c7abb5752cc6b98156e301874f43e 100644 --- a/libcap-ng.spec +++ b/libcap-ng.spec @@ -1,19 +1,17 @@ -%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} +%define anolis_release .0.1 -Summary: An alternate posix capabilities library +Summary: Alternate posix capabilities library Name: libcap-ng -Version: 0.7.11 -Release: 1%{?dist} +Version: 0.8.2 +Release: 7%{anolis_release}%{?dist} License: LGPLv2+ -URL: http://people.redhat.com/sgrubb/libcap-ng -Source0: http://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz -Patch1: libcap-ng-0.8-vararg-support.patch -Patch2: libcap-ng-0.8.1-procfs-lastcap.patch -Patch3: libcap-ng-0.8.1-signed-unsigned-fix.patch -Patch4: libcap-ng-0.8.2-improve-lastcap-check.patch -BuildRequires: autoconf automake libtool +URL: https://people.redhat.com/sgrubb/libcap-ng/ +Source0: https://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz +# This patch can be removed when 1899540 is resolved +Patch1: libcap-ng-0.8.2-apply-disable.patch BuildRequires: gcc -BuildRequires: kernel-headers >= 2.6.11 +BuildRequires: make +BuildRequires: kernel-headers >= 2.6.11 BuildRequires: libattr-devel %description 
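Review bot: The comment `# This patch can be removed when 1899540 is resolved` above `Patch1` does not say what the patch changes, and the change is security-relevant. Per the patch body added in this commit, capng_apply() no longer sets rc to -2/-3/-4 on bounding-set failures and only writes to syslog. A fuller comment would let the next maintainer judge whether the patch is still needed, e.g. `# Downstream only: capng_apply() logs bounding-set failures to syslog instead of returning an error; drop when 1899540 is resolved`. The four removed patches are presumably part of the 0.8.2 release, but that cannot be confirmed from this diff because the tarball is binary, so the changelog entry for the rebase would be the place to say so.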
@@ -23,7 +21,7 @@ Libcap-ng is a library that makes using posix capabilities easier Summary: Header files for libcap-ng library License: LGPLv2+ Requires: kernel-headers >= 2.6.11 -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} Requires: pkgconfig %description devel @@ -34,7 +32,8 @@ applications that need to use the libcap-ng library. Summary: Python3 bindings for libcap-ng library License: LGPLv2+ BuildRequires: python3-devel swig -Requires: %{name} = %{version}-%{release} +BuildRequires: make +Requires: %{name}%{?_isa} = %{version}-%{release} %description python3 The libcap-ng-python3 package contains the bindings so that libcap-ng 
@@ -43,43 +42,39 @@ and can be used by python3 applications. %package utils Summary: Utilities for analyzing and setting file capabilities License: GPLv2+ -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} %description utils The libcap-ng-utils package contains applications to analyze the posix capabilities of all the program running on a system. It also lets you set the file system based capabilities. +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} + +%description doc +Doc pages for %{name}. + %prep %setup -q -%patch1 -p1 -b .vararg-support -%patch2 -p1 -b .procfs-lastcap -%patch3 -p1 -b .signed-unsigned-fix -%patch4 -p1 -b .improve-lastcap-check +%patch1 -p1 %build -autoreconf -fiv -%configure --libdir=/%{_lib} --with-python=no --with-python3 -make CFLAGS="%{optflags}" %{?_smp_mflags} +%configure --libdir=%{_libdir} --with-python=no --with-python3 +%make_build CFLAGS="%{optflags}" %install -make DESTDIR="${RPM_BUILD_ROOT}" INSTALL='install -p' install - -# Move the symlink -rm -f $RPM_BUILD_ROOT/%{_lib}/%{name}.so -mkdir -p $RPM_BUILD_ROOT%{_libdir} -VLIBNAME=$(ls $RPM_BUILD_ROOT/%{_lib}/%{name}.so.*.*.*) -LIBNAME=$(basename $VLIBNAME) -ln -s ../../%{_lib}/$LIBNAME $RPM_BUILD_ROOT%{_libdir}/%{name}.so - -# Move the pkgconfig file -mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir} +%make_install # Remove a couple things so they don't get picked up -rm -f $RPM_BUILD_ROOT/%{_lib}/libcap-ng.la -rm -f $RPM_BUILD_ROOT/%{_lib}/libcap-ng.a -rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_capng.a -rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_capng.la +rm -f $RPM_BUILD_ROOT%{_libdir}/libcap-ng.la +rm -f $RPM_BUILD_ROOT%{_libdir}/libcap-ng.a +rm -f $RPM_BUILD_ROOT%{_libdir}/libdrop_ambient.la +rm -f $RPM_BUILD_ROOT%{_libdir}/libdrop_ambient.a +rm -f $RPM_BUILD_ROOT%{_libdir}/python?.?/site-packages/_capng.a +rm -f 
$RPM_BUILD_ROOT%{_libdir}/python?.?/site-packages/_capng.la %check make check @@ -87,14 +82,16 @@ make check %ldconfig_scriptlets %files -%{!?_licensedir:%global license %%doc} %license COPYING.LIB -/%{_lib}/libcap-ng.so.* +%{_libdir}/libcap-ng.so.* +%{_libdir}/libdrop_ambient.so.* +%attr(0644,root,root) %{_mandir}/man7/* %files devel %attr(0644,root,root) %{_mandir}/man3/* %attr(0644,root,root) %{_includedir}/cap-ng.h %{_libdir}/libcap-ng.so +%{_libdir}/libdrop_ambient.so %attr(0644,root,root) %{_datadir}/aclocal/cap-ng.m4 %{_libdir}/pkgconfig/libcap-ng.pc 
@@ -103,26 +100,87 @@ make check %{python3_sitearch}/capng.py* %files utils -%{!?_licensedir:%global license %%doc} %license COPYING %attr(0755,root,root) %{_bindir}/* %attr(0644,root,root) %{_mandir}/man8/* +%files doc +%doc AUTHORS ChangeLog COPYING NEWS README + %changelog -* Thu Mar 18 2021 Zoltan Fridrich 0.7.11-1 -resolves: rhbz#1939386 - Rebase libcap-ng to version 0.7.11 +* Fri Nov 25 2022 Xiaoping Liu - 0.8.2-7.0.1 +- Add doc sub package + +* Tue Feb 15 2022 - 0.8.2-7 +- Update apply-disable patch (#2045857) + Resolves: rhbz#2045857 + +* Mon Aug 09 2021 Mohan Boddu - 0.8.2-6 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Apr 16 2021 Mohan Boddu - 0.8.2-5 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Feb 02 2021 Steve Grubb 0.8.2-4 +- Adjust syslog warning for bad use of capng_apply + +* Sat Jan 30 2021 Steve Grubb 0.8.2-3 +- Add syslog warning for bad use of capng_apply + +* Tue Jan 26 2021 Fedora Release Engineering - 0.8.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Dec 09 2020 Steve Grubb 0.8.2-1 +- New upstream bugfix release + +* Fri Nov 20 2020 Steve Grubb 0.8.1-2 +- Add temporary patch disabling bounding set error codes + +* Wed Nov 18 2020 Steve Grubb 0.8.1-1 +- New upstream bugfix release + +* Tue Sep 08 2020 Steve Grubb 0.8-1 +- New upstream feature release + +* Sun Aug 23 2020 Steve Grubb 0.7.11-1 +- New upstream release + +* Tue Jul 28 2020 Fedora Release Engineering - 0.7.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue May 26 2020 Miro Hrončok - 0.7.10-3 +- Rebuilt for Python 3.9 + +* Wed Jan 29 2020 Fedora Release Engineering - 0.7.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Oct 01 2019 Steve Grubb 0.7.10-1 +- New upstream release + +* Mon Aug 19 2019 Miro Hrončok - 0.7.9-9 +- Rebuilt for Python 3.8 + +* Thu Jul 25 2019 Fedora Release Engineering - 0.7.9-8 +- Rebuilt 
for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Mar 8 2019 Joe Orton - 0.7.9-7 +- fix crash on dlclose due to atfork handler (#1680481) + +* Fri Feb 01 2019 Fedora Release Engineering - 0.7.9-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild -* Tue Nov 05 2019 Marek Tamaskovic 0.7.9-5 -resolves: rhbz#1740775 - segfault after dlclose +* Tue Oct 16 2018 Steve Grubb 0.7.9-5 +- Remove python2 bindings (#1634889) -* Tue Jan 08 2019 Steve Grubb 0.7.9-4 -resolves: rhbz#1599364 - filecap fails of files with no capabilities +* Thu Aug 09 2018 Steve Grubb 0.7.9-4 +- Fix bug where filecap may not show capabilities -* Thu Aug 09 2018 Steve Grubb 0.7.9-3 -resolves: rhbz#1599364 - filecap fails of files with no capabilities +* Fri Jul 13 2018 Fedora Release Engineering - 0.7.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild -* Thu Jun 07 2018 Steve Grubb 0.7.9-2 -- Drop python2 bindings (#1588449) +* Tue Jun 19 2018 Miro Hrončok - 0.7.9-2 +- Rebuilt for Python 3.7 * Wed Feb 07 2018 Steve Grubb 0.7.9-1 - New upstream bugfix release