From 9fc4059e0e47cdfb6a22c5dad6c865a760c8ecd9 Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Thu, 11 Mar 2021 20:11:56 +0000 Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/gnome-keyring.git#657c90b7b52ae9cb228f277dba2a2113bb4ed068
---
gnome-keyring-3.36.0-capng.patch | 86 ++++++++++++++++++++++++++++++++
gnome-keyring.spec | 7 ++-
2 files changed, 92 insertions(+), 1 deletion(-)
create mode 100644 gnome-keyring-3.36.0-capng.patch
diff --git a/gnome-keyring-3.36.0-capng.patch b/gnome-keyring-3.36.0-capng.patch
new file mode 100644
index 0000000..8b92b7f
--- /dev/null
+++ b/gnome-keyring-3.36.0-capng.patch
@@ -0,0 +1,86 @@
+diff -urp gnome-keyring-3.36.0.orig/daemon/gkd-capability.c gnome-keyring-3.36.0/daemon/gkd-capability.c
+--- gnome-keyring-3.36.0.orig/daemon/gkd-capability.c 2018-06-25 00:15:03.000000000 -0400
++++ gnome-keyring-3.36.0/daemon/gkd-capability.c 2020-10-16 11:33:02.244614471 -0400
+@@ -1,7 +1,7 @@
+ /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
+ /* gkd-capability.c - the security-critical initial phase of the daemon
+ *
+- * Copyright (C) 2011 Steve Grubb
++ * Copyright (C) 2011,2020 Steve Grubb
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+@@ -35,9 +35,10 @@
+
+ /* No logging, no gettext */
+ static void
+-early_error (const char *err_string)
++early_error (const char *err_string, int rc)
+ {
+- fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
++ fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
++ err_string, rc);
+ exit (1);
+ }
+
+@@ -64,6 +65,8 @@ void
+ gkd_capability_obtain_capability_and_drop_privileges (void)
+ {
+ #ifdef HAVE_LIBCAPNG
++ int rc;
++
+ capng_get_caps_process ();
+ switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
+ {
+@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_dro
+ capng_update (CAPNG_ADD,
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_IPC_LOCK);
+- if (capng_change_id (getuid (), getgid (), 0))
+- early_error ("failed dropping capabilities");
++ if ((rc = capng_change_id (getuid (), getgid (),
++ CAPNG_DROP_SUPP_GRP|
++ CAPNG_CLEAR_BOUNDING)))
++ early_error ("failed dropping capabilities",
++ rc);
+ break;
+ case CAPNG_FAIL:
+- early_error ("error getting process capabilities");
++ early_error ("error getting process capabilities", 0);
+ break;
+ case CAPNG_NONE:
+ early_warning ("insufficient process capabilities, insecure memory might get used");
+ break;
+ case CAPNG_PARTIAL: /* File system based capabilities */
+- if (!capng_have_capability
(CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
++ if (!capng_have_capability (CAPNG_EFFECTIVE,
++ CAP_IPC_LOCK))
+ early_warning ("insufficient process capabilities, insecure memory might get used");
+- /* Drop all capabilities */
++
++ /* If we don't have CAP_SETPCAP, we can't do anything */
++ if (capng_have_capability (CAPNG_EFFECTIVE,
++ CAP_SETPCAP)) {
++ /* Drop all capabilities except ipc_lock */
+ capng_clear (CAPNG_SELECT_BOTH);
+- capng_apply (CAPNG_SELECT_BOTH);
+- break;
++ if ((rc = capng_update (CAPNG_ADD,
++ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++ CAP_IPC_LOCK)) != 0)
++ early_error ("error updating process capabilities", rc);
++ if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0)
++ early_error ("error dropping process capabilities", rc);
+ }
+-
+- /* Drop all capabilities except ipc_lock */
+- capng_clear (CAPNG_SELECT_BOTH);
+- if (capng_update (CAPNG_ADD,
+- CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+- CAP_IPC_LOCK) != 0)
+- early_error ("error dropping process capabilities");
+- if (capng_apply (CAPNG_SELECT_BOTH) != 0)
+- early_error ("error dropping process capabilities");
+ break;
+ }
+ #endif /* HAVE_LIBCAPNG */
diff --git a/gnome-keyring.spec b/gnome-keyring.spec
index 9429cde..69d411d 100644
--- a/gnome-keyring.spec
+++ b/gnome-keyring.spec
@@ -4,12 +4,14 @@ Name: gnome-keyring Version: 3.36.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Framework for managing passwords and other secrets License: GPLv2+ and LGPLv2+ URL: https://wiki.gnome.org/Projects/GnomeKeyring Source0: https://download.gnome.org/sources/%{name}/3.36/%{name}-%{version}.tar.xz +# https://bugzilla.redhat.com/show_bug.cgi?id=1888978 +Patch0: gnome-keyring-3.36.0-capng.patch BuildRequires: gcc BuildRequires: pkgconfig(gcr-3) >= %{gcr_version}
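Review bot: In the CAPNG_PARTIAL case of the embedded gkd-capability.c patch, the new `if (capng_have_capability (CAPNG_EFFECTIVE, CAP_SETPCAP)) {` guard has no else path, so a daemon that holds file-based capabilities but lacks CAP_SETPCAP keeps its whole capability set and reports nothing. An `else early_warning ("unable to drop process capabilities");` would make the retained privilege visible, and the comment above the guard could say that nothing is dropped in that case rather than `we can't do anything`. It may also be possible to clear and apply only `CAPNG_SELECT_CAPS` in that path, presumably leaving the bounding set alone; confirm that against libcap-ng before relying on it. Separately, `early_error ("error getting process capabilities", 0);` prints a literal `- 0` that carries no information. The switch's first case label and the rest of the function lie outside the context shown in the embedded hunks.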
@@ -105,6 +107,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/gnome-keyring/devel/*.la %changelog +* Fri Mar 05 2021 David King - 3.36.0-6 +- Apply upstream patch to fix capng usage (#1888978) + * Tue Jan 26 2021 Fedora Release Engineering - 3.36.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild