Update to 3.1.1
parent
9bacde92fd
commit
cba54626cb
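--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ gnome-keyring-2.31.4.tar.bz2
 /gnome-keyring-2.91.93.tar.bz2
 /gnome-keyring-3.0.0.tar.bz2
 /gnome-keyring-3.0.1.tar.bz2
+/gnome-keyring-3.1.1.tar.bz2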
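--- a/file-caps.patch
+++ b/file-caps.patch
@@ -1,186 +0,0 @@
-diff -urp gnome-keyring-2.91.4.orig/configure.in gnome-keyring-2.91.4/configure.in
---- gnome-keyring-2.91.4.orig/configure.in 2011-01-13 08:24:04.000000000 -0500
-+++ gnome-keyring-2.91.4/configure.in 2011-01-13 09:29:54.000000000 -0500
-@@ -447,19 +447,19 @@ if test "$ASN1PARSER" = "no" ; then
-fi
-
-# -------------------------------------------------------------------
--# libcap2
-+# libcap-ng
-#
-
--AC_CHECK_LIB([cap], [cap_get_proc], have_libcap="yes", have_libcap="no")
-+AC_CHECK_LIB([cap-ng], [capng_clear], have_libcapng="yes", have_libcapng="no")
-
--if test $have_libcap = yes; then
-- AC_DEFINE(HAVE_LIBCAP, 1, [Have libcap2 package, libcap library])
-- DAEMON_LIBS="$DAEMON_LIBS -lcap"
-+if test $have_libcapng = yes; then
-+ AC_DEFINE(HAVE_LIBCAPNG, 1, [Have libcap-ng package, libcap-ng library])
-+ DAEMON_LIBS="$DAEMON_LIBS -lcap-ng"
-else
-- AC_MSG_WARN([libcap2 (or development headers) is not installed])
-+ AC_MSG_WARN([libcap-ng (or development headers) is not installed])
-fi
-
--libcap_status=$have_libcap
-+libcapng_status=$have_libcapng
-
-# --------------------------------------------------------------------
-# Debug mode
-@@ -748,7 +748,7 @@ ui/tests/Makefile
-echo
-echo "OPTIONAL DEPENDENCIES"
-echo " PAM: $pam_status"
--echo " Linux capabilities: $libcap_status"
-+echo " Linux capabilities: $libcapng_status"
-echo
-echo "CONFIGURATION"
-echo " SSH Agent: $ssh_status"
-diff -urp gnome-keyring-2.91.4.orig/daemon/gkd-capability.c gnome-keyring-2.91.4/daemon/gkd-capability.c
---- gnome-keyring-2.91.4.orig/daemon/gkd-capability.c 2011-01-13 08:24:04.000000000 -0500
-+++ gnome-keyring-2.91.4/daemon/gkd-capability.c 2011-01-13 09:30:12.000000000 -0500
-@@ -1,7 +1,7 @@
-/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
-/* gkd-capability.c - the security-critical initial phase of the daemon
-*
-- * Copyright (C) 2010 Yaron Sheffer
-+ * Copyright (C) 2011 Steve Grubb
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU Lesser General Public License as
-@@ -18,102 +18,62 @@
-* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-* 02111-1307, USA.
-*
-- * Author: Yaron Sheffer <yaronf@gmx.com>
-- * Author: Stef Walter <stef@thewalter.net>
-+ * Author: Steve Grubb <sgrubb@redhat.com>
-*/
-
-#include "config.h"
-
-#include "gkd-capability.h"
-
--#ifdef HAVE_LIBCAP
--#include <sys/capability.h>
-+#ifdef HAVE_LIBCAPNG
-+#include <cap-ng.h>
-#endif
-
-#include <stdio.h>
--#include <unistd.h>
--#include <sys/types.h>
-#include <stdlib.h>
-
--/* Security note: this portion of the code is extremely sensitive.
-- * DO NOT add any other include files.
-- */
--
-/*
-* No logging, no gettext
-*/
-static void
-early_error (const char *err_string)
-{
-- fprintf (stderr, "gnome-keyring-daemon: %s\n", err_string);
--}
--
--static void
--drop_privileges (void)
--{
-- uid_t orig_uid;
-- gid_t orig_gid;
--
-- orig_uid = getuid ();
-- orig_gid = getgid ();
--
-- /* This is permanent, you cannot go back to root */
-- setgid (orig_gid);
-- setuid (orig_uid);
--
-- /*
-- * Check that the switch was ok
-- * We do not allow programs to run without the drop being
-- * successful as this would possibly run the program
-- * using root-privs, when that is not what we want
-- */
-- if ((getegid () != orig_gid) || (geteuid () != orig_uid)) {
-- early_error ("failed to drop privileges, aborting");
-- exit (1);
-- }
-+ fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
-+ exit (1);
-}
-
-/*
-- * Try to obtain the CAP_IPC_LOCK Linux capability.
-- * Then, whether or not this is successful, drop root
-- * privileges to run as the invoking user. The application is aborted
-- * if for any reason we are unable to drop privileges. Note: even gettext
-- * is unavailable!
-+ * This program needs the CAP_IPC_LOCK posix capability.
-+ * We want to allow either setuid root or file system based capabilies
-+ * to work. If file system based capabilities, this is a no-op unless
-+ * the root user is running the program. In that case we just drop
-+ * capabilities down to IPC_LOCK. If we are setuid root, then change to the
-+ * invoking user retaining just the IPC_LOCK capability. The application
-+ * is aborted if for any reason we are unable to drop privileges.
-+ * Note: even gettext is unavailable!
-*/
-void
-gkd_capability_obtain_capability_and_drop_privileges (void)
-{
--#ifdef HAVE_LIBCAP
-- cap_t caps;
-- cap_value_t cap_list[1];
--
-- caps = cap_get_proc ();
-- if (caps == NULL) {
-- early_error ("capability state cannot be allocated");
-- goto drop;
-- }
--
-- cap_list[0] = CAP_IPC_LOCK;
-- if (cap_set_flag (caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1) {
-- early_error ("error when manipulating capability sets");
-- goto drop;
-- }
--
-- if (cap_set_proc (caps) == -1) {
-- /* Only warn when it's root that's running */
-- if (getuid () == 0)
-- early_error ("cannot apply capabilities to process");
-- goto drop;
-- }
--
-- if (cap_free (caps) == -1) {
-- early_error ("failed to free capability structure");
-- goto drop;
-+#ifdef HAVE_LIBCAPNG
-+ capng_get_caps_process ();
-+ switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
-+ {
-+ case CAPNG_FULL:
-+ /* We are either setuid root or the root user */
-+ capng_clear (CAPNG_SELECT_CAPS);
-+ capng_update (CAPNG_ADD,
-+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-+ CAP_IPC_LOCK);
-+ if (capng_change_id (getuid (), getgid (), 0))
-+ early_error ("failed dropping capabilities");
-+ break;
-+ case CAPNG_FAIL:
-+ case CAPNG_NONE:
-+ early_error ("error getting process capabilities");
-+ break;
-+ case CAPNG_PARTIAL: /* File system based capabilities */
-+ break;
-}
--drop:
--
-#endif
-- /* Now finally drop the suid by becoming the invoking user */
-- if (geteuid () != getuid() || getegid () != getgid ())
-- drop_privileges ();
-}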
@ -1,101 +0,0 @@
|
|||||||
diff --git a/configure.in b/configure.in
|
|
||||||
index a5a434d..1d3801e 100644
|
|
||||||
--- a/configure.in
|
|
||||||
+++ b/configure.in
|
|
||||||
@@ -572,6 +572,24 @@ AC_SUBST(GCOV)
|
|
||||||
AC_SUBST(GENHTML)
|
|
||||||
|
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
+# selinux
|
|
||||||
+
|
|
||||||
+LIBSELINUX=""
|
|
||||||
+selinux_status="no"
|
|
||||||
+AC_ARG_ENABLE([selinux],
|
|
||||||
+ AC_HELP_STRING([--disable-selinux],[do not use SELinux]))
|
|
||||||
+if test "x$enable_selinux" != "xno"; then
|
|
||||||
+ AC_CHECK_LIB([selinux],[getfilecon],
|
|
||||||
+ [AC_CHECK_LIB([selinux],[setexeccon],
|
|
||||||
+ [AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
|
|
||||||
+ LIBSELINUX="-lselinux"
|
|
||||||
+ selinux_status="yes"])
|
|
||||||
+ ])
|
|
||||||
+fi
|
|
||||||
+AC_SUBST(LIBSELINUX)
|
|
||||||
+AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
|
|
||||||
+
|
|
||||||
+# ----------------------------------------------------------------------
|
|
||||||
# Valgrind
|
|
||||||
|
|
||||||
AC_ARG_ENABLE(valgrind,
|
|
||||||
@@ -742,6 +760,7 @@ echo
|
|
||||||
echo "OPTIONAL DEPENDENCIES"
|
|
||||||
echo " PAM: $pam_status"
|
|
||||||
echo " Linux capabilities: $libcapng_status"
|
|
||||||
+echo " SELinux: $selinux_status"
|
|
||||||
echo
|
|
||||||
echo "CONFIGURATION"
|
|
||||||
echo " SSH Agent: $ssh_status"
|
|
||||||
diff --git a/pam/Makefile.am b/pam/Makefile.am
|
|
||||||
index 81bda13..2e6362d 100644
|
|
||||||
--- a/pam/Makefile.am
|
|
||||||
+++ b/pam/Makefile.am
|
|
||||||
@@ -16,6 +16,7 @@ pam_gnome_keyring_la_LIBADD = \
|
|
||||||
$(top_builddir)/egg/libegg-buffer.la \
|
|
||||||
$(top_builddir)/egg/libegg-creds.la \
|
|
||||||
$(top_builddir)/egg/libegg-secure.la \
|
|
||||||
+ $(LIBSELINUX) \
|
|
||||||
-lpam
|
|
||||||
|
|
||||||
pam_gnome_keyring_la_LDFLAGS = \
|
|
||||||
diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
|
|
||||||
index e63c917..8ad814c 100644
|
|
||||||
--- a/pam/gkr-pam-module.c
|
|
||||||
+++ b/pam/gkr-pam-module.c
|
|
||||||
@@ -317,6 +317,36 @@ cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
|
|
||||||
free_password (data);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+#include <selinux/flask.h>
|
|
||||||
+#include <selinux/selinux.h>
|
|
||||||
+/* Attempt to set SELinux Context. We are ignoring failure and just going
|
|
||||||
+ with default behaviour default behaviour
|
|
||||||
+*/
|
|
||||||
+static void setup_selinux_context(const char *command) {
|
|
||||||
+ security_context_t fcon = NULL, newcon = NULL, execcon = NULL;
|
|
||||||
+
|
|
||||||
+ if (is_selinux_enabled() != 1) return;
|
|
||||||
+
|
|
||||||
+ int ret = getexeccon(&execcon);
|
|
||||||
+ if ((ret < 0) || (! execcon)) goto err;
|
|
||||||
+
|
|
||||||
+ ret = getfilecon(command, &fcon);
|
|
||||||
+ if (ret < 0) goto err;
|
|
||||||
+
|
|
||||||
+ ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
|
|
||||||
+ if (ret < 0) goto err;
|
|
||||||
+
|
|
||||||
+ setexeccon(newcon);
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ freecon(newcon);
|
|
||||||
+ freecon(fcon);
|
|
||||||
+ freecon(execcon);
|
|
||||||
+ return;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
static void
|
|
||||||
setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct passwd *pwd)
|
|
||||||
{
|
|
||||||
@@ -329,6 +359,10 @@ setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct pass
|
|
||||||
char *args[] = { GNOME_KEYRING_DAEMON, "--daemonize", "--login", NULL};
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+ setup_selinux_context(GNOME_KEYRING_DAEMON);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
assert (pwd);
|
|
||||||
assert (pwd->pw_dir);
|
|
||||||
|
|
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
Summary: Framework for managing passwords and other secrets
|
Summary: Framework for managing passwords and other secrets
|
||||||
Name: gnome-keyring
|
Name: gnome-keyring
|
||||||
Version: 3.0.1
|
Version: 3.1.1
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2+ and LGPLv2+
|
License: GPLv2+ and LGPLv2+
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -15,14 +15,6 @@ Group: System Environment/Libraries
|
|||||||
Source: http://download.gnome.org/sources/gnome-keyring/3.0/gnome-keyring-%{version}.tar.bz2
|
Source: http://download.gnome.org/sources/gnome-keyring/3.0/gnome-keyring-%{version}.tar.bz2
|
||||||
URL: http://www.gnome.org
|
URL: http://www.gnome.org
|
||||||
|
|
||||||
# why is gnome-keyring-daemon setuid root?
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=668831
|
|
||||||
Patch4: file-caps.patch
|
|
||||||
|
|
||||||
# gnome keyring pam module is starting gnome-keyring with the wrong SELinux context.
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=684225
|
|
||||||
Patch5: gnome-keyring-2.91.93-pam-selinux.patch
|
|
||||||
|
|
||||||
BuildRequires: glib2-devel >= %{glib2_version}
|
BuildRequires: glib2-devel >= %{glib2_version}
|
||||||
BuildRequires: gtk3-devel >= %{gtk3_version}
|
BuildRequires: gtk3-devel >= %{gtk3_version}
|
||||||
BuildRequires: dbus-devel >= %{dbus_version}
|
BuildRequires: dbus-devel >= %{dbus_version}
|
||||||
@ -73,8 +65,6 @@ automatically unlock the "login" keyring when the user logs in.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n gnome-keyring-%{version}
|
%setup -q -n gnome-keyring-%{version}
|
||||||
%patch4 -p1 -b .file-caps
|
|
||||||
%patch5 -p1 -b .pam-selinux
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -i -f
|
autoreconf -i -f
|
||||||
@ -148,6 +138,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 9 2011 Tomas Bzatek <tbzatek@redhat.com> - 3.1.1-1
|
||||||
|
- Update to 3.1.1
|
||||||
|
|
||||||
* Mon Apr 25 2011 Matthias Clasen <mclasen@redhat.com> - 3.0.1-1
|
* Mon Apr 25 2011 Matthias Clasen <mclasen@redhat.com> - 3.0.1-1
|
||||||
- Update to 3.0.1
|
- Update to 3.0.1
|
||||||
|
|
||||||
|
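Review bot: The `Source:` line is unchanged context in the `-15,14 +15,6` hunk and still points at `sources/gnome-keyring/3.0/` while `Version:` is now 3.1.1. GNOME publishes tarballs under a major.minor directory, so the URL presumably needs to become `http://download.gnome.org/sources/gnome-keyring/3.1/gnome-keyring-%{version}.tar.bz2` so that the recorded source location matches the tarball actually packaged. The same hunk drops `Patch4: file-caps.patch` and `Patch5: gnome-keyring-2.91.93-pam-selinux.patch` together with the comments linking bugs 668831 and 684225, yet the new `%changelog` entry says only `- Update to 3.1.1`. Both patches change how the daemon handles privileges (keeping only CAP_IPC_LOCK after the uid change, and setting the SELinux exec context from the PAM module), so the changelog should record why they are gone, e.g. `- Drop file-caps and pam-selinux patches (merged upstream)` if that is the case. Whether 3.1.1 actually contains both changes cannot be confirmed from this page and is worth checking before the build ships.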