import libcap-2.48-8.el9

2022-03-01 08:15:24 -05:00 · 2022-03-01 08:15:24 -05:00 · 5825377672
parent 2b8fd97521
commit 5825377672
4 changed files with 336 additions and 1 deletions
--- a/SOURCES/libcap-disable-golang.patch
+++ b/SOURCES/libcap-disable-golang.patch
@ -0,0 +1,12 @@
+diff --color -ru a/Make.Rules b/Make.Rules
+--- a/Make.Rules	2022-01-04 16:57:52.071890314 +0100
+++ b/Make.Rules	2022-01-04 16:59:33.171786150 +0100
+@@ -104,7 +104,7 @@
+ 
+ ifeq ($(PTHREADS),yes)
+ GO ?= go
+-GOLANG ?= $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo yes ; else echo no ; fi)
+GOLANG ?= no
+ ifeq ($(GOLANG),yes)
+ GOROOT ?= $(shell $(GO) env GOROOT)
+ GOCGO ?= $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi)
--- a/SOURCES/libcap-fix-ambient-caps.patch
+++ b/SOURCES/libcap-fix-ambient-caps.patch
@ -0,0 +1,147 @@
+diff --color -ru a/libcap/cap_proc.c b/libcap/cap_proc.c
+--- a/libcap/cap_proc.c	2021-12-22 12:33:20.739126763 +0100
+++ b/libcap/cap_proc.c	2021-12-22 12:33:53.195733115 +0100
+@@ -406,6 +406,29 @@
+ }
+ 
+ /*
+ * cap_prctl performs a prctl() 6 argument call on the current
+ * thread. Use cap_prctlw() if you want to perform a POSIX semantics
+ * prctl() system call.
+ */
+int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
+             long int arg3, long int arg4, long int arg5)
+{
+    return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
+}
+
+/*
+ * cap_prctlw performs a POSIX semantics prctl() call. That is a 6 arg
+ * prctl() call that executes on all available threads when libpsx is
+ * linked. The suffix 'w' refers to the fact one only ever needs to
+ * invoke this is if the call will write some kernel state.
+ */
+int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
+              long int arg3, long int arg4, long int arg5)
+{
+    return _libcap_wprctl6(&multithread, pr_cmd, arg1, arg2, arg3, arg4, arg5);
+}
+
+/*
+  * Some predefined constants
+  */
+ #define CAP_SECURED_BITS_BASIC                                 \
+diff --color -ru a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
+--- a/libcap/include/sys/capability.h	2021-02-05 06:52:17.000000000 +0100
+++ b/libcap/include/sys/capability.h	2021-12-22 12:33:53.196733134 +0100
+@@ -175,6 +175,11 @@
+ extern unsigned cap_get_secbits(void);
+ extern int cap_set_secbits(unsigned bits);
+ 
+extern int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
+		    long int arg3, long int arg4, long int arg5);
+extern int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
+		     long int arg3, long int arg4, long int arg5);
+
+ extern int cap_setuid(uid_t uid);
+ extern int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[]);
+ 
+diff --color -ru a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+--- a/pam_cap/pam_cap.c	2021-12-22 12:33:20.740126781 +0100
+++ b/pam_cap/pam_cap.c	2021-12-22 12:33:53.196733134 +0100
+@@ -21,6 +21,7 @@
+ #include <string.h>
+ #include <syslog.h>
+ #include <sys/capability.h>
+#include <sys/prctl.h>
+ #include <sys/types.h>
+ #include <linux/limits.h>
+ 
+@@ -33,8 +34,11 @@
+ 
+ struct pam_cap_s {
+     int debug;
+    int keepcaps;
+    int defer;
+     const char *user;
+     const char *conf_filename;
+    pam_handle_t *pamh;
+ };
+ 
+ /*
+@@ -178,6 +182,33 @@
+ }
+ 
+ /*
+ * This is the "defer" cleanup function that actually applies the IAB
+ * tuple. This happens really late in the PAM session, hopefully after
+ * the application has performed its setuid() function.
+ */
+static void iab_apply(pam_handle_t *pamh, void *data, int error_status)
+{
+    cap_iab_t iab = data;
+    int retval = error_status & ~(PAM_DATA_REPLACE|PAM_DATA_SILENT);
+
+    data = NULL;
+    if (error_status & PAM_DATA_REPLACE) {
+	goto done;
+    }
+
+    if (retval != PAM_SUCCESS || !(error_status & PAM_DATA_SILENT)) {
+	goto done;
+    }
+
+    if (cap_iab_set_proc(iab) != 0) {
+	D(("IAB setting failed"));
+    }
+
+done:
+    cap_free(iab);
+}
+
+/*
+  * Set capabilities for current process to match the current
+  * permitted+executable sets combined with the configured inheritable
+  * set.
+@@ -230,12 +261,21 @@
+ 	goto cleanup_conf;
+     }
+ 
+-    if (!cap_iab_set_proc(iab)) {
+    if (cs->defer) {
+	D(("configured to delay applying IAB"));
+	pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
+	iab = NULL;
+    } else if (!cap_iab_set_proc(iab)) {
+ 	D(("able to set the IAB [%s] value", conf_caps));
+ 	ok = 1;
+     }
+     cap_free(iab);
+ 
+    if (cs->keepcaps) {
+	D(("setting keepcaps"));
+	(void) cap_prctlw(PR_SET_KEEPCAPS, 1, 0, 0, 0, 0);
+    }
+
+ cleanup_conf:
+     memset(conf_caps, 0, conf_caps_length);
+     _pam_drop(conf_caps);
+@@ -268,6 +308,10 @@
+ 	    pcs->debug = 1;
+ 	} else if (!strncmp(*argv, "config=", 7)) {
+ 	    pcs->conf_filename = 7 + *argv;
+	} else if (!strcmp(*argv, "keepcaps")) {
+	    pcs->keepcaps = 1;
+	} else if (!strcmp(*argv, "defer")) {
+	    pcs->defer = 1;
+ 	} else {
+ 	    _pam_log(LOG_ERR, "unknown option; %s", *argv);
+ 	}
+@@ -353,6 +397,7 @@
+ 	return PAM_AUTH_ERR;
+     }
+ 
+    pcs.pamh = pamh;
+     retval = set_capabilities(&pcs);
+     memset(&pcs, 0, sizeof(pcs));
+ 
--- a/SOURCES/libcap-static-analysis-fix-3.patch
+++ b/SOURCES/libcap-static-analysis-fix-3.patch
@ -0,0 +1,169 @@
+diff --color -ru a/libcap/_makenames.c b/libcap/_makenames.c
+--- a/libcap/_makenames.c	2022-01-28 14:41:38.357147972 +0100
+++ b/libcap/_makenames.c	2022-01-28 14:42:45.681379827 +0100
+@@ -45,7 +45,7 @@
+ 	if (maxcaps <= list[i].index) {
+ 	    maxcaps = list[i].index + 1;
+ 	}
+-        if (list[i].index >= pointers_avail) {
+        if (pointers == NULL || list[i].index >= pointers_avail) {
+ 	    int was = pointers_avail * sizeof(char *);
+ 	    pointers_avail = 2 * list[i].index + 1;
+ 	    pointers = recalloc(pointers, was, pointers_avail * sizeof(char *));
+diff --color -ru a/progs/capsh.c b/progs/capsh.c
+--- a/progs/capsh.c	2022-01-28 14:41:38.359148009 +0100
+++ b/progs/capsh.c	2022-01-28 14:42:45.682379846 +0100
+@@ -34,6 +34,35 @@
+ 
+ #define MAX_GROUPS       100   /* max number of supplementary groups for user */
+ 
+/* parse a non-negative integer with some error handling */
+static unsigned long nonneg_uint(const char *text, const char *prefix, int *ok)
+{
+    char *remains;
+    unsigned long value;
+    ssize_t len = strlen(text);
+
+    if (len == 0 || *text == '-') {
+	goto fail;
+    }
+    value = strtoul(text, &remains, 0);
+    if (*remains) {
+	goto fail;
+    }
+    if (ok != NULL) {
+	*ok = 1;
+    }
+    return value;
+
+fail:
+    if (ok == NULL) {
+	fprintf(stderr, "%s: want non-negative integer, got \"%s\"\n",
+		prefix, text);
+	exit(1);
+    }
+    *ok = 0;
+    return 0;
+}
+
+ static char *binary(unsigned long value)
+ {
+     static char string[8*sizeof(unsigned long) + 1];
+@@ -362,7 +391,7 @@
+ 
+     parts = strdup(path);
+     if (parts == NULL) {
+-        fprintf(stderr, "insufficient memory for parts of path\n");
+	fprintf(stderr, "insufficient memory for parts of path\n");
+ 	exit(1);
+     }
+ 
+@@ -610,7 +639,7 @@
+ 	    unsigned value;
+ 	    int set;
+ 
+-	    value = strtoul(argv[i]+7, NULL, 0);
+	    value = nonneg_uint(argv[i]+7, "invalid --keep value", NULL);
+ 	    set = prctl(PR_SET_KEEPCAPS, value);
+ 	    if (set < 0) {
+ 		fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n",
+@@ -667,7 +696,7 @@
+ 	} else if (!strncmp("--secbits=", argv[i], 10)) {
+ 	    unsigned value;
+ 	    int status;
+-	    value = strtoul(argv[i]+10, NULL, 0);
+	    value = nonneg_uint(argv[i]+10, "invalid --secbits value", NULL);
+ 	    status = cap_set_secbits(value);
+ 	    if (status < 0) {
+ 		fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
+@@ -680,7 +709,7 @@
+ 		fprintf(stderr, "already forked\n");
+ 		exit(1);
+ 	    }
+-	    value = strtoul(argv[i]+10, NULL, 0);
+	    value = nonneg_uint(argv[i]+10, "invalid --forkfor value", NULL);
+ 	    if (value == 0) {
+ 		goto usage;
+ 	    }
+@@ -696,7 +725,8 @@
+ 	    pid_t result;
+ 	    unsigned value;
+ 
+-	    value = strtoul(argv[i]+9, NULL, 0);
+	    value = nonneg_uint(argv[i]+9, "invalid --killit signo value",
+				NULL);
+ 	    if (!child) {
+ 		fprintf(stderr, "no forked process to kill\n");
+ 		exit(1);
+@@ -722,7 +752,7 @@
+ 	    unsigned value;
+ 	    int status;
+ 
+-	    value = strtoul(argv[i]+6, NULL, 0);
+	    value = nonneg_uint(argv[i]+6, "invalid --uid value", NULL);
+ 	    status = setuid(value);
+ 	    if (status < 0) {
+ 		fprintf(stderr, "Failed to set uid=%u: %s\n",
+@@ -733,7 +763,7 @@
+ 	    unsigned value;
+ 	    int status;
+ 
+-	    value = strtoul(argv[i]+10, NULL, 0);
+	    value = nonneg_uint(argv[i]+10, "invalid --cap-uid value", NULL);
+ 	    status = cap_setuid(value);
+ 	    if (status < 0) {
+ 		fprintf(stderr, "Failed to cap_setuid(%u): %s\n",
+@@ -744,7 +774,7 @@
+ 	    unsigned value;
+ 	    int status;
+ 
+-	    value = strtoul(argv[i]+6, NULL, 0);
+	    value = nonneg_uint(argv[i]+6, "invalid --gid value", NULL);
+ 	    status = setgid(value);
+ 	    if (status < 0) {
+ 		fprintf(stderr, "Failed to set gid=%u: %s\n",
+@@ -924,7 +954,7 @@
+ 	} else if (!strncmp("--is-uid=", argv[i], 9)) {
+ 	    unsigned value;
+ 	    uid_t uid;
+-	    value = strtoul(argv[i]+9, NULL, 0);
+	    value = nonneg_uint(argv[i]+9, "invalid --is-uid value", NULL);
+ 	    uid = getuid();
+ 	    if (uid != value) {
+ 		fprintf(stderr, "uid: got=%d, want=%d\n", uid, value);
+@@ -933,7 +963,7 @@
+ 	} else if (!strncmp("--is-gid=", argv[i], 9)) {
+ 	    unsigned value;
+ 	    gid_t gid;
+-	    value = strtoul(argv[i]+9, NULL, 0);
+	    value = nonneg_uint(argv[i]+9, "invalid --is-gid value", NULL);
+ 	    gid = getgid();
+ 	    if (gid != value) {
+ 		fprintf(stderr, "gid: got=%d, want=%d\n", gid, value);
+diff --color -ru a/tests/libcap_psx_test.c b/tests/libcap_psx_test.c
+--- a/tests/libcap_psx_test.c	2022-01-28 14:41:38.360148027 +0100
+++ b/tests/libcap_psx_test.c	2022-01-28 14:42:45.683379864 +0100
+@@ -21,7 +21,10 @@
+ 	exit(1);
+     }
+     if (pid == 0) {
+-	cap_set_proc(start);
+	if (cap_set_proc(start)) {
+	    perror("setting empty caps failed");
+	    exit(1);
+	}
+ 	exit(0);
+     }
+     int res;
+@@ -51,7 +54,10 @@
+     for (i = 0; i < 10; i++) {
+ 	printf(".");     /* because of fork, this may print double */
+ 	fflush(stdout);  /* try to limit the above effect */
+-	cap_set_proc(start);
+	if (cap_set_proc(start)) {
+	    perror("failed to set proc");
+	    exit(1);
+	}
+ 	usleep(1000);
+     }
+     printf(" PASSED\n");
--- a/SPECS/libcap.spec
+++ b/SPECS/libcap.spec
@ -1,6 +1,6 @@
 Name: libcap
 Version: 2.48
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Library for getting and setting POSIX.1e capabilities
 URL: https://sites.google.com/site/fullycapable/
 License: BSD or GPLv2
@ -9,6 +9,9 @@ Source: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/snapshot/%{name}-%
 Patch0: libcap-use-compiler-flag-options.patch
 Patch1: libcap-static-analysis-fix.patch
 Patch2: libcap-static-analysis-fix-2.patch
+Patch3: libcap-static-analysis-fix-3.patch
+Patch4: libcap-disable-golang.patch
+Patch5: libcap-fix-ambient-caps.patch

 BuildRequires: libattr-devel pam-devel perl-interpreter gcc
 BuildRequires: make
@ -85,6 +88,10 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*


 %changelog
+* Fri Jan 28 2022 Zoltan Fridrich <zfridric@redhat.com> - 2.48-8
+- Fix ambient capabilities for non-root users
+  Related: rhbz#2037215
+
 * Fri Aug 27 2021 Zoltan Fridrich <zfridric@redhat.com> - 2.48-7
 - Fix issues detected by static analyzers
  Related: rhbz#1985346