Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/gnome-keyring.git#657c90b7b52ae9cb228f277dba2a2113bb4ed068
This commit is contained in:
DistroBaker
parent
7eef6d447c
commit
9fc4059e0e
86
gnome-keyring-3.36.0-capng.patch
Normal file
86
gnome-keyring-3.36.0-capng.patch
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
diff -urp gnome-keyring-3.36.0.orig/daemon/gkd-capability.c gnome-keyring-3.36.0/daemon/gkd-capability.c
|
||||||
|
--- gnome-keyring-3.36.0.orig/daemon/gkd-capability.c 2018-06-25 00:15:03.000000000 -0400
|
||||||
|
+++ gnome-keyring-3.36.0/daemon/gkd-capability.c 2020-10-16 11:33:02.244614471 -0400
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
|
||||||
|
/* gkd-capability.c - the security-critical initial phase of the daemon
|
||||||
|
*
|
||||||
|
- * Copyright (C) 2011 Steve Grubb
|
||||||
|
+ * Copyright (C) 2011,2020 Steve Grubb
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Lesser General Public License as
|
||||||
|
@@ -35,9 +35,10 @@
|
||||||
|
|
||||||
|
/* No logging, no gettext */
|
||||||
|
static void
|
||||||
|
-early_error (const char *err_string)
|
||||||
|
+early_error (const char *err_string, int rc)
|
||||||
|
{
|
||||||
|
- fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
|
||||||
|
+ fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
|
||||||
|
+ err_string, rc);
|
||||||
|
exit (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -64,6 +65,8 @@ void
|
||||||
|
gkd_capability_obtain_capability_and_drop_privileges (void)
|
||||||
|
{
|
||||||
|
#ifdef HAVE_LIBCAPNG
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
capng_get_caps_process ();
|
||||||
|
switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
|
||||||
|
{
|
||||||
|
@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_dro
|
||||||
|
capng_update (CAPNG_ADD,
|
||||||
|
CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
||||||
|
CAP_IPC_LOCK);
|
||||||
|
- if (capng_change_id (getuid (), getgid (), 0))
|
||||||
|
- early_error ("failed dropping capabilities");
|
||||||
|
+ if ((rc = capng_change_id (getuid (), getgid (),
|
||||||
|
+ CAPNG_DROP_SUPP_GRP|
|
||||||
|
+ CAPNG_CLEAR_BOUNDING)))
|
||||||
|
+ early_error ("failed dropping capabilities",
|
||||||
|
+ rc);
|
||||||
|
break;
|
||||||
|
case CAPNG_FAIL:
|
||||||
|
- early_error ("error getting process capabilities");
|
||||||
|
+ early_error ("error getting process capabilities", 0);
|
||||||
|
break;
|
||||||
|
case CAPNG_NONE:
|
||||||
|
early_warning ("insufficient process capabilities, insecure memory might get used");
|
||||||
|
break;
|
||||||
|
case CAPNG_PARTIAL: /* File system based capabilities */
|
||||||
|
- if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
|
||||||
|
+ if (!capng_have_capability (CAPNG_EFFECTIVE,
|
||||||
|
+ CAP_IPC_LOCK))
|
||||||
|
early_warning ("insufficient process capabilities, insecure memory might get used");
|
||||||
|
- /* Drop all capabilities */
|
||||||
|
+
|
||||||
|
+ /* If we don't have CAP_SETPCAP, we can't do anything */
|
||||||
|
+ if (capng_have_capability (CAPNG_EFFECTIVE,
|
||||||
|
+ CAP_SETPCAP)) {
|
||||||
|
+ /* Drop all capabilities except ipc_lock */
|
||||||
|
capng_clear (CAPNG_SELECT_BOTH);
|
||||||
|
- capng_apply (CAPNG_SELECT_BOTH);
|
||||||
|
- break;
|
||||||
|
+ if ((rc = capng_update (CAPNG_ADD,
|
||||||
|
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
||||||
|
+ CAP_IPC_LOCK)) != 0)
|
||||||
|
+ early_error ("error updating process capabilities", rc);
|
||||||
|
+ if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0)
|
||||||
|
+ early_error ("error dropping process capabilities", rc);
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- /* Drop all capabilities except ipc_lock */
|
||||||
|
- capng_clear (CAPNG_SELECT_BOTH);
|
||||||
|
- if (capng_update (CAPNG_ADD,
|
||||||
|
- CAPNG_EFFECTIVE|CAPNG_PERMITTED,
|
||||||
|
- CAP_IPC_LOCK) != 0)
|
||||||
|
- early_error ("error dropping process capabilities");
|
||||||
|
- if (capng_apply (CAPNG_SELECT_BOTH) != 0)
|
||||||
|
- early_error ("error dropping process capabilities");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
#endif /* HAVE_LIBCAPNG */
|
||||||
@ -4,12 +4,14 @@
|
|||||||
|
|
||||||
Name: gnome-keyring
|
Name: gnome-keyring
|
||||||
Version: 3.36.0
|
Version: 3.36.0
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Summary: Framework for managing passwords and other secrets
|
Summary: Framework for managing passwords and other secrets
|
||||||
|
|
||||||
License: GPLv2+ and LGPLv2+
|
License: GPLv2+ and LGPLv2+
|
||||||
URL: https://wiki.gnome.org/Projects/GnomeKeyring
|
URL: https://wiki.gnome.org/Projects/GnomeKeyring
|
||||||
Source0: https://download.gnome.org/sources/%{name}/3.36/%{name}-%{version}.tar.xz
|
Source0: https://download.gnome.org/sources/%{name}/3.36/%{name}-%{version}.tar.xz
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1888978
|
||||||
|
Patch0: gnome-keyring-3.36.0-capng.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: pkgconfig(gcr-3) >= %{gcr_version}
|
BuildRequires: pkgconfig(gcr-3) >= %{gcr_version}
|
||||||
@ -105,6 +107,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/gnome-keyring/devel/*.la
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 05 2021 David King <amigadave@amigadave.com> - 3.36.0-6
|
||||||
|
- Apply upstream patch to fix capng usage (#1888978)
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.36.0-5
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.36.0-5
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user