diff --git a/1a4a1e90b747d65bdcf9e0de622776a15ed4cad4.patch b/1a4a1e90b747d65bdcf9e0de622776a15ed4cad4.patch
deleted file mode 100644
index 75105e1..0000000
--- a/1a4a1e90b747d65bdcf9e0de622776a15ed4cad4.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 1a4a1e90b747d65bdcf9e0de622776a15ed4cad4 Mon Sep 17 00:00:00 2001
-From: Tom Gundersen
-Date: Thu, 12 Jul 2018 22:14:03 +0200
-Subject: [PATCH] audit: fix check for existing capability
-
-We must not treat the return code for capng_has_capability() as a boolean,
-it returns 0 if the capability is not set, 1 if it is, but CAPNG_FAIL on
-failure.
-
-Internally, it calls capng_get_caps_process() if needed, and if this fails,
-the failure is forwarded.
-
-Signed-off-by: Tom Gundersen
----
- src/util/audit.c | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/src/util/audit.c b/src/util/audit.c
-index 5681b1c..1f73d49 100644
---- a/src/util/audit.c
-+++ b/src/util/audit.c
-@@ -55,14 +55,25 @@ int util_audit_drop_permissions(uint32_t uid, uint32_t gid) {
- if (r < 0)
- return error_origin(-errno);
- } else {
-- int have_audit_write;
-+ bool have_audit_write;
-+
-+ r = capng_have_capability(CAPNG_PERMITTED, CAP_AUDIT_WRITE);
-+ if (r == CAPNG_FAIL)
-+ return error_origin(-EIO);
-+ else if (r == 1)
-+ have_audit_write = true;
-+ else
-+ have_audit_write = false;
-
-- have_audit_write = capng_have_capability(CAPNG_PERMITTED, CAP_AUDIT_WRITE);
- capng_clear(CAPNG_SELECT_BOTH);
-- if (have_audit_write)
-- capng_update(CAPNG_ADD,
-- CAPNG_EFFECTIVE | CAPNG_PERMITTED,
-- CAP_AUDIT_WRITE);
-+
-+ if (have_audit_write) {
-+ r = capng_update(CAPNG_ADD,
-+ CAPNG_EFFECTIVE | CAPNG_PERMITTED,
-+ CAP_AUDIT_WRITE);
-+ if (r < 0)
-+ return error_origin(-EINVAL);
-+ }
-
- r = capng_change_id(uid, gid, CAPNG_DROP_SUPP_GRP);
- if (r)
diff --git a/79ae661cd21ab6d6194ce6f95f98e36c0b31be85.patch b/79ae661cd21ab6d6194ce6f95f98e36c0b31be85.patch
deleted file mode 100644
index 18f7594..0000000
--- a/79ae661cd21ab6d6194ce6f95f98e36c0b31be85.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 79ae661cd21ab6d6194ce6f95f98e36c0b31be85 Mon Sep 17 00:00:00 2001
-From: Tom Gundersen
-Date: Thu, 12 Jul 2018 21:43:14 +0200
-Subject: [PATCH] audit: retain CAP_AUDIT_WRITE in the ambient capability set
- when dropping caps
-
-Since we are not running at root, all caps will be dropped on execve(), unless
-they are also in the ambient capability set, being in the inheritable set is
-not sufficient.
-
-This ensures that dbus-broker retains CAP_AUDIT_WRITE (when enabled), and that
-dbus-broker-launch still does not.
-
-This fixes issue #159.
-
-Signed-off-by: Tom Gundersen
----
- src/util/audit.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/util/audit.c b/src/util/audit.c
-index ac9b3d7..5a837de 100644
---- a/src/util/audit.c
-+++ b/src/util/audit.c
-@@ -7,6 +7,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include "util/audit.h"
- #include "util/error.h"
-@@ -69,7 +70,7 @@ int util_audit_drop_permissions(uint32_t uid, uint32_t gid) {
-
- if (have_audit_write) {
- r = capng_update(CAPNG_ADD,
-- CAPNG_EFFECTIVE | CAPNG_PERMITTED,
-+ CAPNG_EFFECTIVE | CAPNG_PERMITTED | CAPNG_INHERITABLE,
- CAP_AUDIT_WRITE);
- if (r < 0)
- return error_origin(-EINVAL);
-@@ -78,6 +79,12 @@ int util_audit_drop_permissions(uint32_t uid, uint32_t gid) {
- r = capng_change_id(uid, gid, CAPNG_DROP_SUPP_GRP);
- if (r)
- return error_origin(-EPERM);
-+
-+ if (have_audit_write) {
-+ r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_AUDIT_WRITE, 0, 0);
-+ if (r < 0)
-+ return error_origin(-errno);
-+ }
- }
-
- return 0;
diff --git a/dbus-broker.spec b/dbus-broker.spec
index c09b2e1..bcf7199 100644
--- a/dbus-broker.spec
+++ b/dbus-broker.spec
@@ -1,12 +1,10 @@
 Name: dbus-broker
-Version: 14
-Release: 3%{?dist}
+Version: 15
+Release: 1%{?dist}
 Summary: Linux D-Bus Message Broker
 License: ASL 2.0
 URL: https://github.com/bus1/dbus-broker
 Source0: https://github.com/bus1/dbus-broker/releases/download/v%{version}/dbus-broker-%{version}.tar.xz
-Patch0: 1a4a1e90b747d65bdcf9e0de622776a15ed4cad4.patch
-Patch1: 79ae661cd21ab6d6194ce6f95f98e36c0b31be85.patch
 Provides: bundled(c-dvar) = 1
 Provides: bundled(c-list) = 3
 Provides: bundled(c-rbtree) = 3
@@ -65,6 +63,10 @@ recent Linux kernel releases.
 %{_userunitdir}/dbus-broker.service
 %changelog
+* Wed Aug 08 2018 Tom Gundersen - 15-1
+- fix audit support
+- make logging about invalid config less verbose
+
 * Thu Jul 12 2018 Fedora Release Engineering - 14-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
diff --git a/sources b/sources
index 0b1eba9..758f071 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (dbus-broker-14.tar.xz) = 4a9b5042bb46d0fb135061d051813705375e003f3178aa9a2aa62255078ed0b9bfd88ba75525c1d1e55400c2a36b3f88f5f91d48ddbfc29fc41d5374486ffc27
+SHA512 (dbus-broker-15.tar.xz) = 0704dd53b2232361c944fba07e1fe1d5c522e21ece818d447d1d17950d21c802c57fdaaac9b2aec4e03325d3d26e701ba521380743944928cbe7a867d0471e5f