import libcap-2.26-5.el8
parent
5258b1382c
commit
681b14fcc8
96
SOURCES/libcap-add-new-caps.patch
Normal file
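--- a/SOURCES/libcap-add-new-caps.patch
+++ b/SOURCES/libcap-add-new-caps.patch
@@ -0,0 +1,96 @@
+diff --color -ruN a/distcheck.sh b/distcheck.sh
+--- a/distcheck.sh 1970-01-01 01:00:00.000000000 +0100
++++ b/distcheck.sh 2021-06-10 10:06:19.618284780 +0200
+@@ -0,0 +1,13 @@
++#!/bin/bash
++
++actual=$(wget -o/dev/null -O/dev/stdout https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/linux/capability.h | grep "#define.CAP_LAST_CAP"|awk '{print $3}')
++working=$(grep "#define.CAP_LAST_CAP" libcap/include/uapi/linux/capability.h|awk '{print $3}')
++
++if [[ ${actual} = ${working} ]]; then
++ echo "up to date with officially named caps"
++ exit 0
++fi
++
++echo "want: ${actual}"
++echo "have: ${working}"
++exit 1
+diff --color -ruN a/libcap/include/uapi/linux/capability.h b/libcap/include/uapi/linux/capability.h
+--- a/libcap/include/uapi/linux/capability.h 2018-09-09 20:06:40.000000000 +0200
++++ b/libcap/include/uapi/linux/capability.h 2021-06-10 10:05:19.729202015 +0200
+@@ -331,6 +331,8 @@
+
+#define CAP_AUDIT_CONTROL 30
+
++/* Set capabilities on files. */
++
+#define CAP_SETFCAP 31
+
+/* Override MAC access.
+@@ -366,8 +368,50 @@
+
+#define CAP_AUDIT_READ 37
+
++/* Allow system performance and observability privileged operations using
++ * perf_events, i915_perf and other kernel subsystems. */
++
++#define CAP_PERFMON 38
++
++/*
++ * CAP_BPF allows the following BPF operations:
++ * - Creating all types of BPF maps
++ * - Advanced verifier features
++ * - Indirect variable access
++ * - Bounded loops
++ * - BPF to BPF function calls
++ * - Scalar precision tracking
++ * - Larger complexity limits
++ * - Dead code elimination
++ * - And potentially other features
++ * - Loading BPF Type Format (BTF) data
++ * - Retrieve xlated and JITed code of BPF programs
++ * - Use bpf_spin_lock() helper
++ *
++ * CAP_PERFMON relaxes the verifier checks further:
++ * - BPF progs can use of pointer-to-integer conversions
++ * - speculation attack hardening measures are bypassed
++ * - bpf_probe_read to read arbitrary kernel memory is allowed
++ * - bpf_trace_printk to print kernel memory is allowed
++ *
++ * CAP_SYS_ADMIN is required to use bpf_probe_write_user.
++ *
++ * CAP_SYS_ADMIN is required to iterate system wide loaded
++ * programs, maps, links, BTFs and convert their IDs to file descriptors.
++ *
++ * CAP_PERFMON and CAP_BPF are required to load tracing programs.
++ * CAP_NET_ADMIN and CAP_BPF are required to load networking programs.
++ */
++
++#define CAP_BPF 39
++
++/* Allow checkpoint/restore related operations */
++/* Allow PID selection during clone3() */
++/* Allow writing to ns_last_pid */
++
++#define CAP_CHECKPOINT_RESTORE 40
+
+-#define CAP_LAST_CAP CAP_AUDIT_READ
++#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE
+
+#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
+
+diff --color -ruN a/Makefile b/Makefile
+--- a/Makefile 2018-09-15 23:51:38.000000000 +0200
++++ b/Makefile 2021-06-10 10:07:30.872573023 +0200
+@@ -33,7 +33,10 @@
+test: all
+cd progs && sudo ./quicktest.sh
+
+-morganrelease: distclean
++distcheck:
++ ./distcheck.sh
++
++morganrelease: distclean distcheck
+@echo "sign the tag twice: older DSA key; and newer RSA kernel.org key"
+git tag -u D41A6DF2 -s libcap-$(VERSION).$(MINOR) -m "This is libcap-$(VERSION).$(MINOR)"
+git tag -u E2CCF3F4 -s libcap-korg-$(VERSION).$(MINOR) -m "This is libcap-$(VERSION).$(MINOR)"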
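Review bot: The comparison in the new distcheck.sh, `if [[ ${actual} = ${working} ]]; then`, succeeds when both values are empty, so the check fails open. That case arises when the download fails (wget's log is sent to `-o/dev/null` and the pipeline status is never inspected) and the local grep also finds nothing, for example when the script is run from another directory; it then prints "up to date" and exits 0. The unquoted right-hand side is additionally matched as a glob pattern rather than compared as a string. I would make the test `if [[ -n "${actual}" && -n "${working}" && "${actual}" == "${working}" ]]; then` so that an empty result on either side falls through to the `exit 1` path. This matters because the Makefile hunk makes `morganrelease` depend on `distcheck`, so the script gates release tagging.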
@ -1,6 +1,6 @@
|
||||
Name: libcap
|
||||
Version: 2.26
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Summary: Library for getting and setting POSIX.1e capabilities
|
||||
URL: https://sites.google.com/site/fullycapable/
|
||||
License: GPLv2
|
||||
@ -12,6 +12,7 @@ Source1: getpcaps.8
|
||||
Patch0: %{name}-2.25-buildflags.patch
|
||||
Patch1: %{name}-PAM_REINITIALIZE_CRED.patch
|
||||
Patch2: %{name}-2.26-ambient-caps.patch
|
||||
Patch3: %{name}-add-new-caps.patch
|
||||
|
||||
BuildRequires: libattr-devel pam-devel perl-interpreter
|
||||
|
||||
@ -50,6 +51,7 @@ libcap.
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
# libcap can not be build with _smp_mflags:
|
||||
@ -91,6 +93,10 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
|
||||
%{_libdir}/pkgconfig/libcap.pc
|
||||
|
||||
%changelog
|
||||
* Thu Jun 10 2021 Zoltan Fridrich <zfridric@redhat.com> - 2.26-5
|
||||
- added CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE capabilities
|
||||
resolves: rhbz#1946982 rhbz#1921576
|
||||
|
||||
* Fri May 22 2020 Jiri Vymazal <jvymazal@redhat.com> - 2.26-4
|
||||
- added patch implementing support for ambient capabilities
|
||||
resolves: rhbz#1487388
|
||||
|