rpms/gnome-keyring
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Improved libcap-ng patches

Browse Source
This commit is contained in:
Tomas Bzatek 2011-05-10 14:54:54 +02:00
parent cba54626cb
commit 0fc6506ba8
3 changed files with 110 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
gnome-keyring-3.1.2-caps-ext-check.patch Normal file
View File

@ -0,0 +1,49 @@
From fd0bf3d36f3295fbc7c6d4bed34e2d2849764e68 Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@gnome.org>
Date: Fri, 6 May 2011 14:14:21 +0200
Subject: [PATCH] Improved checks for fs capabilities, and drop unneeded ones
If we have fs capabilities, we first need to check that we really do
have ipc_lock, and if that's the case we just keep ipc_lock and drop
everything else.
https://bugzilla.gnome.org/show_bug.cgi?id=649560
---
daemon/gkd-capability.c | 19 +++++++++++++++++--
1 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
index 5b47f4e..e15200a 100644
--- a/daemon/gkd-capability.c
+++ b/daemon/gkd-capability.c
@@ -71,11 +71,26 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
early_error ("failed dropping capabilities");
break;
case CAPNG_FAIL:
- case CAPNG_NONE:
early_error ("error getting process capabilities");
break;
+ case CAPNG_NONE:
+ early_error ("insufficient process capabilities");
+ break;
case CAPNG_PARTIAL: /* File system based capabilities */
- break;
+ if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
+ early_error ("insufficient process capabilities");
+ break;
+ }
+
+ /* Drop all capabilities except ipc_lock */
+ capng_clear (CAPNG_SELECT_BOTH);
+ if (capng_update (CAPNG_ADD,
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_IPC_LOCK) != 0)
+ early_error ("error dropping process capabilities");
+ if (capng_apply (CAPNG_SELECT_BOTH) != 0)
+ early_error ("error dropping process capabilities");
+ break;
}
#endif /* HAVE_LIBCAPNG */
}
--
1.7.4.2

50
gnome-keyring-3.1.2-caps-warn-unavail.patch Normal file
View File

@ -0,0 +1,50 @@
From 156f6f318daa782cd209c90ed69a0d24595af5d1 Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@gnome.org>
Date: Fri, 6 May 2011 14:18:00 +0200
Subject: [PATCH] Accept to run if ipc_lock capability is not available
We print a warning about potential use of unsecure memory, but still
run (and drop unneeded capabilities if we have some). This is better
than nothing.
https://bugzilla.gnome.org/show_bug.cgi?id=649560
---
daemon/gkd-capability.c | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
index e15200a..92c000c 100644
--- a/daemon/gkd-capability.c
+++ b/daemon/gkd-capability.c
@@ -42,6 +42,12 @@ early_error (const char *err_string)
exit (1);
}
+static void
+early_warning (const char *warn_string)
+{
+ fprintf (stderr, "gnome-keyring-daemon: %s\n", warn_string);
+}
+
#endif /* HAVE_LIPCAPNG */
/*
@@ -74,11 +80,14 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
early_error ("error getting process capabilities");
break;
case CAPNG_NONE:
- early_error ("insufficient process capabilities");
+ early_warning ("insufficient process capabilities, unsecure memory might get used");
break;
case CAPNG_PARTIAL: /* File system based capabilities */
if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
- early_error ("insufficient process capabilities");
+ early_warning ("insufficient process capabilities, unsecure memory might get used");
+ /* Drop all capabilities */
+ capng_clear (CAPNG_SELECT_BOTH);
+ capng_apply (CAPNG_SELECT_BOTH);
break;
}
--
1.7.4.2

12
gnome-keyring.spec
View File

@ -8,13 +8,18 @@
Summary: Framework for managing passwords and other secrets Summary: Framework for managing passwords and other secrets
Name: gnome-keyring Name: gnome-keyring
Version: 3.1.1 Version: 3.1.1
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Group: System Environment/Libraries Group: System Environment/Libraries
#VCS: git:git://git.gnome.org/gnome-keyring #VCS: git:git://git.gnome.org/gnome-keyring
Source: http://download.gnome.org/sources/gnome-keyring/3.0/gnome-keyring-%{version}.tar.bz2 Source: http://download.gnome.org/sources/gnome-keyring/3.0/gnome-keyring-%{version}.tar.bz2
URL: http://www.gnome.org URL: http://www.gnome.org
# Improve checks for fs capabilities
# https://bugzilla.gnome.org/show_bug.cgi?id=649560
Patch6: gnome-keyring-3.1.2-caps-ext-check.patch
Patch7: gnome-keyring-3.1.2-caps-warn-unavail.patch
BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: gtk3-devel >= %{gtk3_version} BuildRequires: gtk3-devel >= %{gtk3_version}
BuildRequires: dbus-devel >= %{dbus_version} BuildRequires: dbus-devel >= %{dbus_version}
@ -65,6 +70,8 @@ automatically unlock the "login" keyring when the user logs in.
%prep %prep
%setup -q -n gnome-keyring-%{version} %setup -q -n gnome-keyring-%{version}
%patch6 -p1 -b .caps-ext-check
%patch7 -p1 -b .caps-warn-unavail
%build %build
autoreconf -i -f autoreconf -i -f
@ -138,6 +145,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas
%changelog %changelog
* Tue May 10 2011 Tomas Bzatek <tbzatek@redhat.com> - 3.1.1-2
- Improved libcap-ng patches
* Mon May 9 2011 Tomas Bzatek <tbzatek@redhat.com> - 3.1.1-1 * Mon May 9 2011 Tomas Bzatek <tbzatek@redhat.com> - 3.1.1-1
- Update to 3.1.1 - Update to 3.1.1