Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/libcap-ng.git#a5b0f536df1132d8e7afa4c0ce07b630e7970cad
2020-12-10 01:20:55 +01:00 · 2020-12-10 01:20:55 +01:00 · ef17e5799c
commit ef17e5799c
parent a67c77e288
4 changed files with 9 additions and 112 deletions
--- a/.gitignore
+++ b/.gitignore
@ -23,3 +23,4 @@ libcap-ng-0.6.4.tar.gz
 /libcap-ng-0.7.11.tar.gz
 /libcap-ng-0.8.tar.gz
 /libcap-ng-0.8.1.tar.gz
+/libcap-ng-0.8.2.tar.gz
--- a/libcap-ng-0.8.2-apply.patch
+++ b/libcap-ng-0.8.2-apply.patch
@ -1,105 +0,0 @@
-diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
--- libcap-ng-0.8.2.orig/src/cap-ng.c	2020-11-20 13:37:57.000000000 -0500
-+++ libcap-ng-0.8.2/src/cap-ng.c	2020-11-20 13:57:54.934059250 -0500
-@@ -680,6 +680,8 @@ int capng_updatev(capng_act_t action, ca
- 
- int capng_apply(capng_select_t set)
- {
-+	int rc = 0;
-+
- 	// Before updating, we expect that the data is initialized to something
- 	if (m.state < CAPNG_INIT)
- 		return -1;
-@@ -695,52 +697,78 @@ int capng_apply(capng_select_t set)
- 			for (i=0; i <= last_cap; i++) {
- 				if (capng_have_capability(CAPNG_BOUNDING_SET,
- 								 i) == 0) {
-				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0)
-					return -2;
-+				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
-+					rc = -2;
-+					goto try_caps;
-+				    }
- 				}
- 			}
- 			m.state = CAPNG_APPLIED;
-			if (get_bounding_set() < 0)
-				return -3;
-+			if (get_bounding_set() < 0) {
-+				rc = -3;
-+				goto try_caps;
-+			}
- 		} else {
- 			memcpy(&m, &state, sizeof(m)); /* restore state */
-			return -4;
-+			rc = -4;
-+			goto try_caps;
- 		}
- #endif
- 	}
-+
-+	// Try caps is here so that if someone had SELECT_BOTH and we blew up
-+	// doing the bounding set, we at least try to set any capabilities
-+	// before returning in case the caller also doesn't bother checking
-+	// the return code.
-+try_caps:
- 	if (set & CAPNG_SELECT_CAPS) {
- 		if (capset((cap_user_header_t)&m.hdr,
- 				(cap_user_data_t)&m.data) == 0)
- 			m.state = CAPNG_APPLIED;
- 		else
-			return -5;
-+			rc = -5;
- 	}
-	// Put ambient last so that inheritable and permitted are set
-+
-+	// Most programs do not and should not mess with ambient capabilities.
-+	// Instead of returning here if rc is set, we'll let it try to
-+	// do something with ambient capabilities in hopes that it's lowering
-+	// capabilities. Again, this is for people that don't check their
-+	// return codes.
-+	//
-+	// Do ambient last so that inheritable and permitted are set by the
-+	// time we get here.
- 	if (set & CAPNG_SELECT_AMBIENT) {
- #ifdef PR_CAP_AMBIENT
- 		if (capng_have_capabilities(CAPNG_SELECT_AMBIENT) ==
- 								CAPNG_NONE) {
- 			if (prctl(PR_CAP_AMBIENT,
-				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
-				return -6;
-+				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
-+				rc = -6;
-+				goto out;
-+			}
- 		} else {
- 			unsigned int i;
- 
- 			// Clear them all
- 			if (prctl(PR_CAP_AMBIENT,
-				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
-				return -7;
-+				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
-+				rc = -7;
-+				goto out;
-+			}
- 			for (i=0; i <= last_cap; i++) {
- 				if (capng_have_capability(CAPNG_AMBIENT, i))
- 					if (prctl(PR_CAP_AMBIENT,
-					    PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
-						return -8;
-+					    PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0){
-+						rc = -8;
-+						goto out;
-+					}
- 			}
- 		}
- 		m.state = CAPNG_APPLIED;
- #endif
- 	}
-	return 0;
-+out:
-+	return rc;
- }
- 
- #ifdef VFS_CAP_U32
--- a/libcap-ng.spec
+++ b/libcap-ng.spec
@ -1,13 +1,12 @@
 Summary: An alternate posix capabilities library
 Name: libcap-ng
-Version: 0.8.1
-Release: 2%{?dist}
+Version: 0.8.2
+Release: 1%{?dist}
 License: LGPLv2+
 URL: http://people.redhat.com/sgrubb/libcap-ng
 Source0: http://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz
-# These 2 patches can be disabled when 1899540 is resolved
-Patch1: libcap-ng-0.8.2-apply.patch
-Patch2: libcap-ng-0.8.2-apply-disable.patch
+# This patch can be removed when 1899540 is resolved
+Patch1: libcap-ng-0.8.2-apply-disable.patch
 BuildRequires: gcc
 BuildRequires: kernel-headers >= 2.6.11 
 BuildRequires: libattr-devel
@ -49,7 +48,6 @@ lets you set the file system based capabilities.
 %prep
 %setup -q
 %patch1 -p1
-%patch2 -p1

 %build
 %configure --libdir=%{_libdir} --with-python=no --with-python3
@ -97,6 +95,9 @@ make check
 %attr(0644,root,root) %{_mandir}/man8/*

 %changelog
+* Wed Dec 09 2020 Steve Grubb <sgrubb@redhat.com> 0.8.2-1
+- New upstream bugfix release
+
 * Fri Nov 20 2020 Steve Grubb <sgrubb@redhat.com> 0.8.1-2
 - Add temporary patch disabling bounding set error codes

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (libcap-ng-0.8.1.tar.gz) = cd28ceb43e2cf5d3a0140fddbd2ea13dfda8eeea8a6de1817f3cc3b38df874ab8653917dbd405ad7aaaa71bcb9ec246d995079aa3cb0af1cffbdb37dfdd99232
+SHA512 (libcap-ng-0.8.2.tar.gz) = 0ac6e55c03b1fba3a849048b721e250951afb59190d9646704d4fd9938eccc3bd0767380fbddc42f186b4f55695475e31f34f537ae91c04a37662577a5b7a19b