From a67c77e2884b8abb05de38ae3fc104b04e174a1c Mon Sep 17 00:00:00 2001
From: DistroBaker <osci-list@redhat.com>
Date: Fri, 20 Nov 2020 21:21:25 +0000
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libcap-ng.git#49e3114cf75fabe9919300e42f7b151eee9e37d1
---
 libcap-ng-0.8.2-apply-disable.patch |  26 +++++++
 libcap-ng-0.8.2-apply.patch         | 105 ++++++++++++++++++++++++++++
 libcap-ng.spec                      |  10 ++-
 3 files changed, 140 insertions(+), 1 deletion(-)
 create mode 100644 libcap-ng-0.8.2-apply-disable.patch
 create mode 100644 libcap-ng-0.8.2-apply.patch

diff --git a/libcap-ng-0.8.2-apply-disable.patch b/libcap-ng-0.8.2-apply-disable.patch
new file mode 100644
index 0000000..23c7eca
--- /dev/null
+++ b/libcap-ng-0.8.2-apply-disable.patch
@@ -0,0 +1,26 @@
+diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
+--- libcap-ng-0.8.2.orig/src/cap-ng.c	2020-11-20 15:04:09.000000000 -0500
++++ libcap-ng-0.8.2/src/cap-ng.c	2020-11-20 16:04:55.425496426 -0500
+@@ -698,19 +698,19 @@ int capng_apply(capng_select_t set)
+ 				if (capng_have_capability(CAPNG_BOUNDING_SET,
+ 								 i) == 0) {
+ 				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
+-					rc = -2;
++//					rc = -2;
+ 					goto try_caps;
+ 				    }
+ 				}
+ 			}
+ 			m.state = CAPNG_APPLIED;
+ 			if (get_bounding_set() < 0) {
+-				rc = -3;
++//				rc = -3;
+ 				goto try_caps;
+ 			}
+ 		} else {
+ 			memcpy(&m, &state, sizeof(m)); /* restore state */
+-			rc = -4;
++//			rc = -4;
+ 			goto try_caps;
+ 		}
+ #endif
diff --git a/libcap-ng-0.8.2-apply.patch b/libcap-ng-0.8.2-apply.patch
new file mode 100644
index 0000000..ef6ad55
--- /dev/null
+++ b/libcap-ng-0.8.2-apply.patch
@@ -0,0 +1,105 @@
+diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
+--- libcap-ng-0.8.2.orig/src/cap-ng.c	2020-11-20 13:37:57.000000000 -0500
++++ libcap-ng-0.8.2/src/cap-ng.c	2020-11-20 13:57:54.934059250 -0500
+@@ -680,6 +680,8 @@ int capng_updatev(capng_act_t action, ca
+ 
+ int capng_apply(capng_select_t set)
+ {
++	int rc = 0;
++
+ 	// Before updating, we expect that the data is initialized to something
+ 	if (m.state < CAPNG_INIT)
+ 		return -1;
+@@ -695,52 +697,78 @@ int capng_apply(capng_select_t set)
+ 			for (i=0; i <= last_cap; i++) {
+ 				if (capng_have_capability(CAPNG_BOUNDING_SET,
+ 								 i) == 0) {
+-				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0)
+-					return -2;
++				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
++					rc = -2;
++					goto try_caps;
++				    }
+ 				}
+ 			}
+ 			m.state = CAPNG_APPLIED;
+-			if (get_bounding_set() < 0)
+-				return -3;
++			if (get_bounding_set() < 0) {
++				rc = -3;
++				goto try_caps;
++			}
+ 		} else {
+ 			memcpy(&m, &state, sizeof(m)); /* restore state */
+-			return -4;
++			rc = -4;
++			goto try_caps;
+ 		}
+ #endif
+ 	}
++
++	// Try caps is here so that if someone had SELECT_BOTH and we blew up
++	// doing the bounding set, we at least try to set any capabilities
++	// before returning in case the caller also doesn't bother checking
++	// the return code.
++try_caps:
+ 	if (set & CAPNG_SELECT_CAPS) {
+ 		if (capset((cap_user_header_t)&m.hdr,
+ 				(cap_user_data_t)&m.data) == 0)
+ 			m.state = CAPNG_APPLIED;
+ 		else
+-			return -5;
++			rc = -5;
+ 	}
+-	// Put ambient last so that inheritable and permitted are set
++
++	// Most programs do not and should not mess with ambient capabilities.
++	// Instead of returning here if rc is set, we'll let it try to
++	// do something with ambient capabilities in hopes that it's lowering
++	// capabilities. Again, this is for people that don't check their
++	// return codes.
++	//
++	// Do ambient last so that inheritable and permitted are set by the
++	// time we get here.
+ 	if (set & CAPNG_SELECT_AMBIENT) {
+ #ifdef PR_CAP_AMBIENT
+ 		if (capng_have_capabilities(CAPNG_SELECT_AMBIENT) ==
+ 								CAPNG_NONE) {
+ 			if (prctl(PR_CAP_AMBIENT,
+-				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
+-				return -6;
++				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
++				rc = -6;
++				goto out;
++			}
+ 		} else {
+ 			unsigned int i;
+ 
+ 			// Clear them all
+ 			if (prctl(PR_CAP_AMBIENT,
+-				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
+-				return -7;
++				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
++				rc = -7;
++				goto out;
++			}
+ 			for (i=0; i <= last_cap; i++) {
+ 				if (capng_have_capability(CAPNG_AMBIENT, i))
+ 					if (prctl(PR_CAP_AMBIENT,
+-					    PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
+-						return -8;
++					    PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0){
++						rc = -8;
++						goto out;
++					}
+ 			}
+ 		}
+ 		m.state = CAPNG_APPLIED;
+ #endif
+ 	}
+-	return 0;
++out:
++	return rc;
+ }
+ 
+ #ifdef VFS_CAP_U32
diff --git a/libcap-ng.spec b/libcap-ng.spec
index 6db9298..7e083b4 100644
--- a/libcap-ng.spec
+++ b/libcap-ng.spec
@@ -1,10 +1,13 @@
 Summary: An alternate posix capabilities library
 Name: libcap-ng
 Version: 0.8.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 URL: http://people.redhat.com/sgrubb/libcap-ng
 Source0: http://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz
+# These 2 patches can be disabled when 1899540 is resolved
+Patch1: libcap-ng-0.8.2-apply.patch
+Patch2: libcap-ng-0.8.2-apply-disable.patch
 BuildRequires: gcc
 BuildRequires: kernel-headers >= 2.6.11 
 BuildRequires: libattr-devel
@@ -45,6 +48,8 @@ lets you set the file system based capabilities.
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 
 %build
 %configure --libdir=%{_libdir} --with-python=no --with-python3
@@ -92,6 +97,9 @@ make check
 %attr(0644,root,root) %{_mandir}/man8/*
 
 %changelog
+* Fri Nov 20 2020 Steve Grubb <sgrubb@redhat.com> 0.8.1-2
+- Add temporary patch disabling bounding set error codes
+
 * Wed Nov 18 2020 Steve Grubb <sgrubb@redhat.com> 0.8.1-1
 - New upstream bugfix release