From 11f401c43c47ed1a474de3fea408ef92d6d5e81f Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Mon, 16 May 2022 13:34:05 -0400 Subject: [PATCH] rebase to v1.1.1 Resolves: rhbz 2040689 Resolves: rhbz 2039542 --- .gitignore | 1 + ...keep-linux-capability-CAP_SYS_MODULE.patch | 54 ------------------- ...ewalld-check-capng_apply-return-code.patch | 48 ----------------- firewalld-0.2.6-MDNS-default.patch | 40 -------------- firewalld.spec | 9 ++-- sources | 2 +- 6 files changed, 7 insertions(+), 147 deletions(-) delete mode 100644 0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch delete mode 100644 0003-fix-firewalld-check-capng_apply-return-code.patch delete mode 100644 firewalld-0.2.6-MDNS-default.patch diff --git a/.gitignore b/.gitignore index 67f6f34..7e6ceee 100644 --- a/.gitignore +++ b/.gitignore @@ -66,3 +66,4 @@ /firewalld-0.9.3.tar.gz /firewalld-1.0.0-alpha.tar.gz /firewalld-1.0.0.tar.gz +/firewalld-1.1.1.tar.gz diff --git a/0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch b/0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch deleted file mode 100644 index 714e43d..0000000 --- a/0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 09cdc166ddfe53b6e8ce3a2920f798320c170b7f Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Wed, 11 Aug 2021 14:47:59 -0400 -Subject: [PATCH 2/3] fix(firewalld): keep linux capability CAP_SYS_MODULE - -When firewalld calls ip6tables it may implicitly load the ip6_tables, et -al kernel modules. As such we need to retain CAP_SYS_MODULE so that -implicit module is allowed. Otherwise we get EPERM from the kernel. - -This only affects the -legacy variants and the top level table/chain -modules. The userspace binaries will modprobe the kernel modules. -Extensions, e.g. xt_conntrack, are implicitly loaded by the kernel based -on the rules being added and thus not subject to linux capabilities -checks. - -The -nft variants are unaffected because they use the nftables -infrastructure which has implicit module loading in the kernel similar -to the iptables extensions (xt_* modules). - -Fixes: rhbz 1990271 -Fixes: fb0532e8a200 ("feat(firewalld): drop linux capabilities") -(cherry picked from commit 13801962073f478c68d818b314091badcf8b5614) -(cherry picked from commit d3cd7e088f946c75593b0569bd658266b2e9329d) ---- - src/firewalld.in | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/firewalld.in b/src/firewalld.in -index abcbe3508f86..b1c886c6f02f 100755 ---- a/src/firewalld.in -+++ b/src/firewalld.in -@@ -136,6 +136,7 @@ def startup(args): - # attempt to drop Linux capabilities to a minimal set: - # - CAP_NET_ADMIN - # - CAP_NET_RAW -+ # - CAP_SYS_MODULE - try: - import capng - capng.capng_clear(capng.CAPNG_SELECT_BOTH) -@@ -143,8 +144,10 @@ def startup(args): - capng.CAP_NET_ADMIN) - capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET, - capng.CAP_NET_RAW) -+ capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET, -+ capng.CAP_SYS_MODULE) - capng.capng_apply(capng.CAPNG_SELECT_BOTH) -- log.info(log.INFO1, "Dropped 
Linux capabilities to NET_ADMIN, NET_RAW.") -+ log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.") - except ImportError: - pass - --- -2.31.1 - diff --git a/0003-fix-firewalld-check-capng_apply-return-code.patch b/0003-fix-firewalld-check-capng_apply-return-code.patch deleted file mode 100644 index b93f0ea..0000000 --- a/0003-fix-firewalld-check-capng_apply-return-code.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 4a627847d36afedfca20026fb763fbb71005b92f Mon Sep 17 00:00:00 2001 -From: Eric Garver -Date: Mon, 30 Aug 2021 13:24:47 -0400 -Subject: [PATCH 3/3] fix(firewalld): check capng_apply() return code - -If dropping capabilities is blocked by SELinux, e.g. old selinux-policy, -then capng_apply() will return non-zero. Also check other things that -may fail, i.e. capng_update(). - -Fixes: rhbz 1999090 -(cherry picked from commit 36749f512bbcfc55f0e9e46354009073941d7363) -(cherry picked from commit cf7f3320c78a8b3f2b8f22779c5747f113d25c57) ---- - src/firewalld.in | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/firewalld.in b/src/firewalld.in -index b1c886c6f02f..38331a0b49a9 100755 ---- a/src/firewalld.in -+++ b/src/firewalld.in -@@ -140,14 +140,16 @@ def startup(args): - try: - import capng - capng.capng_clear(capng.CAPNG_SELECT_BOTH) -- capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET, -- capng.CAP_NET_ADMIN) -- capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET, -- capng.CAP_NET_RAW) -- capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET, -- capng.CAP_SYS_MODULE) -- capng.capng_apply(capng.CAPNG_SELECT_BOTH) -- log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.") -+ if capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET, -+ capng.CAP_NET_ADMIN) or \ -+ capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET, -+ capng.CAP_NET_RAW) or \ -+ capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET, -+ capng.CAP_SYS_MODULE) or \ -+ capng.capng_apply(capng.CAPNG_SELECT_BOTH): -+ log.info(log.INFO1, "libcap-ng failed to drop Linux capabilities.") 
-+ else: -+ log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.") - except ImportError: - pass - --- -2.31.1 - diff --git a/firewalld-0.2.6-MDNS-default.patch b/firewalld-0.2.6-MDNS-default.patch deleted file mode 100644 index 0316962..0000000 --- a/firewalld-0.2.6-MDNS-default.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 0e9306e9df41142503b4efc90032043183a3cb7b Mon Sep 17 00:00:00 2001 -From: Stef Walter -Date: Mon, 6 Aug 2012 10:01:09 +0200 -Subject: [PATCH] Make MDNS work in all but the most restrictive zones - - * MDNS is a discovery protocol, and much like DNS or DHCP should - be available for the network to function as expected. - * Avahi (the main MDNS) implementation has taken steps to make sure - no private information is published by default. - * See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault ---- - config/zones/public.xml | 1 + - config/zones/work.xml | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/config/zones/public.xml b/config/zones/public.xml -index 929ad72..a56e95c 100644 ---- a/config/zones/public.xml -+++ b/config/zones/public.xml -@@ -3,5 +3,6 @@ - Public - For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. - -+ - - -diff --git a/config/zones/work.xml b/config/zones/work.xml -index 7e750fc..77f13c8 100644 ---- a/config/zones/work.xml -+++ b/config/zones/work.xml -@@ -3,5 +3,6 @@ - Work - For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. - -+ - - --- -1.7.11.2 - diff --git a/firewalld.spec b/firewalld.spec index 1245be3..1ba3cc7 100644 --- a/firewalld.spec +++ b/firewalld.spec 
@@ -1,13 +1,11 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld -Version: 1.0.0 -Release: 4%{?dist} +Version: 1.1.1 +Release: 1%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch -Patch2: 0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch -Patch3: 0003-fix-firewalld-check-capng_apply-return-code.patch BuildArch: noarch BuildRequires: autoconf BuildRequires: automake @@ -229,6 +227,9 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite %{_mandir}/man1/firewall-config*.1* %changelog +* Mon May 16 2022 Eric Garver - 1.1.1-1 +- package rebase to v1.1.1 + * Mon Nov 22 2021 Eric Garver - 1.0.0-4 - fix(firewalld): check capng_apply() return code diff --git a/sources b/sources index a4d6815..83b9e40 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (firewalld-1.0.0.tar.gz) = 4c541453fde3012b9a2cc885f6dcf3dc3ca7c5c6292f365f8b75c262fa7a1bb81a280392c5d7dc0c5ff1a4141ff47d63e9a766784c59f03f918d3e45500fc3c4 +SHA512 (firewalld-1.1.1.tar.gz) = d869e40ffba2687e8aa56d6c6b4440d183ad5a61f5288824794737cb617b91bf83a8198256834c93baa432efc70ebfc36fd068dccd4f46f391fcfac909f6ef1f
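Review bot: Patch2 and Patch3 are dropped from the spec, but neither the hunk nor the new changelog entry (`- package rebase to v1.1.1`) records that their fixes are now carried by the upstream tarball; both deleted patches carry `cherry picked from commit …` trailers, which suggests they landed upstream, but that should be stated rather than left for a reader to reconstruct. If either fix were absent from v1.1.1 the daemon would silently regress to dropping CAP_SYS_MODULE (iptables-legacy table-module autoload fails with EPERM, rhbz 1990271) and to ignoring a failed capng_apply() (rhbz 1999090), so this rebase is security-relevant beyond a version bump. Suggest a second changelog line such as `- drop Patch2/Patch3: CAP_SYS_MODULE retention and capng_apply() return-code check are upstream in 1.1.1`, after confirming both against src/firewalld.in in the 1.1.1 tarball. The sources hunk replaces the SHA512 pin, which is the only integrity check on Source0 visible here; nothing in the hunk shows an upstream signature being verified, so that pin should come from a tarball whose hash was checked against the upstream release, not just re-downloaded.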