Update to 40.0

This commit is contained in:
Kalev Lember 2021-03-26 14:03:17 +01:00
parent 657c90b7b5
commit 3949a3b1a1
4 changed files with 8 additions and 92 deletions

1
.gitignore vendored
View File

@ -76,3 +76,4 @@ gnome-keyring-2.31.4.tar.bz2
/gnome-keyring-3.35.1.tar.xz /gnome-keyring-3.35.1.tar.xz
/gnome-keyring-3.35.90.tar.xz /gnome-keyring-3.35.90.tar.xz
/gnome-keyring-3.36.0.tar.xz /gnome-keyring-3.36.0.tar.xz
/gnome-keyring-40.0.tar.xz

View File

@ -1,86 +0,0 @@
diff -urp gnome-keyring-3.36.0.orig/daemon/gkd-capability.c gnome-keyring-3.36.0/daemon/gkd-capability.c
--- gnome-keyring-3.36.0.orig/daemon/gkd-capability.c 2018-06-25 00:15:03.000000000 -0400
+++ gnome-keyring-3.36.0/daemon/gkd-capability.c 2020-10-16 11:33:02.244614471 -0400
@@ -1,7 +1,7 @@
/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
/* gkd-capability.c - the security-critical initial phase of the daemon
*
- * Copyright (C) 2011 Steve Grubb
+ * Copyright (C) 2011,2020 Steve Grubb
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
@@ -35,9 +35,10 @@
/* No logging, no gettext */
static void
-early_error (const char *err_string)
+early_error (const char *err_string, int rc)
{
- fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
+ fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
+ err_string, rc);
exit (1);
}
@@ -64,6 +65,8 @@ void
gkd_capability_obtain_capability_and_drop_privileges (void)
{
#ifdef HAVE_LIBCAPNG
+ int rc;
+
capng_get_caps_process ();
switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
{
@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_dro
capng_update (CAPNG_ADD,
CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_IPC_LOCK);
- if (capng_change_id (getuid (), getgid (), 0))
- early_error ("failed dropping capabilities");
+ if ((rc = capng_change_id (getuid (), getgid (),
+ CAPNG_DROP_SUPP_GRP|
+ CAPNG_CLEAR_BOUNDING)))
+ early_error ("failed dropping capabilities",
+ rc);
break;
case CAPNG_FAIL:
- early_error ("error getting process capabilities");
+ early_error ("error getting process capabilities", 0);
break;
case CAPNG_NONE:
early_warning ("insufficient process capabilities, insecure memory might get used");
break;
case CAPNG_PARTIAL: /* File system based capabilities */
- if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
+ if (!capng_have_capability (CAPNG_EFFECTIVE,
+ CAP_IPC_LOCK))
early_warning ("insufficient process capabilities, insecure memory might get used");
- /* Drop all capabilities */
+
+ /* If we don't have CAP_SETPCAP, we can't do anything */
+ if (capng_have_capability (CAPNG_EFFECTIVE,
+ CAP_SETPCAP)) {
+ /* Drop all capabilities except ipc_lock */
capng_clear (CAPNG_SELECT_BOTH);
- capng_apply (CAPNG_SELECT_BOTH);
- break;
+ if ((rc = capng_update (CAPNG_ADD,
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_IPC_LOCK)) != 0)
+ early_error ("error updating process capabilities", rc);
+ if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0)
+ early_error ("error dropping process capabilities", rc);
}
-
- /* Drop all capabilities except ipc_lock */
- capng_clear (CAPNG_SELECT_BOTH);
- if (capng_update (CAPNG_ADD,
- CAPNG_EFFECTIVE|CAPNG_PERMITTED,
- CAP_IPC_LOCK) != 0)
- early_error ("error dropping process capabilities");
- if (capng_apply (CAPNG_SELECT_BOTH) != 0)
- early_error ("error dropping process capabilities");
break;
}
#endif /* HAVE_LIBCAPNG */

View File

@ -3,15 +3,13 @@
%global gcrypt_version 1.2.2 %global gcrypt_version 1.2.2
Name: gnome-keyring Name: gnome-keyring
Version: 3.36.0 Version: 40.0
Release: 6%{?dist} Release: 1%{?dist}
Summary: Framework for managing passwords and other secrets Summary: Framework for managing passwords and other secrets
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: https://wiki.gnome.org/Projects/GnomeKeyring URL: https://wiki.gnome.org/Projects/GnomeKeyring
Source0: https://download.gnome.org/sources/%{name}/3.36/%{name}-%{version}.tar.xz Source0: https://download.gnome.org/sources/%{name}/40/%{name}-%{version}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1888978
Patch0: gnome-keyring-3.36.0-capng.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: pkgconfig(gcr-3) >= %{gcr_version} BuildRequires: pkgconfig(gcr-3) >= %{gcr_version}
@ -107,6 +105,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/gnome-keyring/devel/*.la
%changelog %changelog
* Fri Mar 26 2021 Kalev Lember <klember@redhat.com> - 40.0-1
- Update to 40.0
* Fri Mar 05 2021 David King <amigadave@amigadave.com> - 3.36.0-6 * Fri Mar 05 2021 David King <amigadave@amigadave.com> - 3.36.0-6
- Apply upstream patch to fix capng usage (#1888978) - Apply upstream patch to fix capng usage (#1888978)

View File

@ -1 +1 @@
SHA512 (gnome-keyring-3.36.0.tar.xz) = e5aed36ad109cbd2dcb534843f8565829366acc955cadc6e9bbe87ebbb6a8a907211aa3a42f7f26148ac69726af2f9238965707d1259319435bd20aa8c4859ed SHA512 (gnome-keyring-40.0.tar.xz) = c9cb0dca8c46ee712200c96c20663a8d5cd39f07801a04e1afca26550a04af6cb369b53a1f29638bf4c8a29f418a69f565befcf4d08df5b0d30fb31894ecf95e