diff --git a/.gitignore b/.gitignore
index dbf7071..3df235d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libcap-2.48.tar.gz
+libcap-2.69.tar.gz
diff --git a/.libcap.metadata b/.libcap.metadata
deleted file mode 100644
index eb616eb..0000000
--- a/.libcap.metadata
+++ /dev/null
@@ -1 +0,0 @@
-c81102815c481257e53168e83b8849bc9f154d54 SOURCES/libcap-2.48.tar.gz
diff --git a/0001-doc-document-pam_cap-and-its-conf.patch b/0001-doc-document-pam_cap-and-its-conf.patch
new file mode 100644
index 0000000..c87afb3
--- /dev/null
+++ b/0001-doc-document-pam_cap-and-its-conf.patch
@@ -0,0 +1,179 @@ +From 7787f4019a86b962ef3b44305cde5888a14cfe52 Mon Sep 17 00:00:00 2001 +From: Carlos Rodriguez-Fernandez +Date: Wed, 3 Apr 2024 11:57:14 -0700 +Subject: [PATCH] doc: document pam_cap and its conf + +Signed-off-by: Carlos Rodriguez-Fernandez +--- + doc/Makefile | 8 ++-- + doc/capability.conf.5 | 85 +++++++++++++++++++++++++++++++++++++++++++ + doc/pam_cap.8 | 35 ++++++++++++++++++ + 3 files changed, 125 insertions(+), 3 deletions(-) + create mode 100644 doc/capability.conf.5 + create mode 100644 doc/pam_cap.8 + +diff --git a/doc/Makefile b/doc/Makefile +index 6919488..9d1574c 100644 +--- a/doc/Makefile ++++ b/doc/Makefile +@@ -32,9 +32,10 @@ MAN3S = cap_init.3 cap_free.3 cap_dup.3 \ + psx_syscall.3 psx_syscall3.3 psx_syscall6.3 psx_set_sensitivity.3 \ + psx_load_syscalls.3 __psx_syscall.3 \ + libpsx.3 +-MAN8S = getcap.8 setcap.8 getpcaps.8 captree.8 ++MAN5S = capability.conf.5 ++MAN8S = getcap.8 setcap.8 getpcaps.8 captree.8 pam_cap.8 + +-MANS = $(MAN1S) $(MAN3S) $(MAN8S) ++MANS = $(MAN1S) $(MAN3S) $(MAN5S) $(MAN8S) + + all: $(MANS) + +@@ -54,10 +55,11 @@ html: + done + + install: +- mkdir -p -m 755 $(FAKEROOT)$(MANDIR)/man1 $(FAKEROOT)$(MANDIR)/man3 $(FAKEROOT)$(MANDIR)/man8 ++ mkdir -p -m 755 $(FAKEROOT)$(MANDIR)/man1 $(FAKEROOT)$(MANDIR)/man3 $(FAKEROOT)$(MANDIR)/man5 $(FAKEROOT)$(MANDIR)/man8 + for man in \ + $(FAKEROOT)$(MANDIR)/man1 $(MAN1S) \ + $(FAKEROOT)$(MANDIR)/man3 $(MAN3S) \ ++ $(FAKEROOT)$(MANDIR)/man5 $(MAN5S) \ + $(FAKEROOT)$(MANDIR)/man8 $(MAN8S) \ + ; \ + do \ +diff --git a/doc/capability.conf.5 b/doc/capability.conf.5 +new file mode 100644 +index 0000000..10ff63b +--- /dev/null ++++ b/doc/capability.conf.5 +@@ -0,0 +1,85 @@ ++.\" generated with Ronn-NG/v0.9.1 ++.\" http://github.com/apjanke/ronn-ng/tree/0.9.1 ++.TH "CAPABILITY\.CONF" "5" "April 2024" "" ++.SH "NAME" ++\fBcapability\.conf\fR \- pam_cap module configuration file ++.SH "SYNOPSIS" ++\fB/etc/security/capability\.conf\fR ++.SH "DESCRIPTION" ++The syntax for lines in 
this configuration file is: ++.P ++\fB# <\-\- \'#\' precedes a comment\fR ++.P ++\fB\fR ++.P ++Where \fB\fR refers to the text format for an inheritable IAB capability tuple, or the words \fBall\fR or \fBnone\fR\. ++.P ++The reserved word \fBall\fR does \fInot\fR grant \fIall the inheritable capabilities\fR, but acts as a simple \fIpass\-through\fR for any prevailing IAB tuple capabilities\. The reserved word \fBnone\fR refers to an empty \fIInheritable\fR capability set (and by extension an empty \fIAmbient\fR vector)\. ++.P ++Here \fB\fR refers to the space separated PAM username values that will be granted the specified \fIIAB\fR tuple\. A name prefixed with the character \fB@\fR refers to the locally defined \fB/etc/group\fR \fIetc\fR users listed under that group name\. ++.P ++The parsing of the file chooses the first line that applies to the authenticating user, and attempts to apply that and only that\. ++.P ++Examples of valid syntax are: ++.IP "" 4 ++.nf ++# only root gets to keep what it had ++ ++all root ++ ++ ++# this should fire for user beta only, who will have ++ ++# cap_chown dropped from their bounding set\. ++ ++!cap_chown beta ++ ++ ++# the next one should snag the members of the \'three\' group ++ ++# granting them cap_setuid and cap_chown ++ ++cap_setuid,cap_chown @three ++ ++ ++# this would apply to beta and gamma, but beta is already ++ ++# granted a lack of cap_chown above\. Further, if gamma is ++ ++# in the \'three\' group, it would not reach this line\. ++ ++cap_chown beta gamma ++ ++ ++# members of the \'one\' group are granted the cap_setuid Inheritable ++ ++# capability, but cap_chown is dropped from their bounding set\. ++ ++!cap_chown,cap_setuid @one ++ ++ ++# user alpha gets an ambient capability (unless it is also ++ ++# a member of the groups \'one\' or \'three\')\. 
++ ++^cap_setuid alpha ++ ++ ++# user delta (if not a member of groups \'one\' and \'three\') will get ++ ++# cap_chown and cap_setgid Ambient capabilities, but have cap_setuid ++ ++# dropped from its bounding set\. ++ ++^cap_chown,^cap_setgid,!cap_setuid delta ++ ++ ++# any remaining members of group \'four\' will get the cap_setuid ++ ++# Inheritable capability\. ++ ++cap_setuid @four ++.fi ++.IP "" 0 ++.SH "SEE ALSO" ++pam_cap(8) +diff --git a/doc/pam_cap.8 b/doc/pam_cap.8 +new file mode 100644 +index 0000000..93c1a71 +--- /dev/null ++++ b/doc/pam_cap.8 +@@ -0,0 +1,35 @@ ++.\" generated with Ronn-NG/v0.9.1 ++.\" http://github.com/apjanke/ronn-ng/tree/0.9.1 ++.TH "PAM_CAP" "8" "April 2024" "" ++.SH "NAME" ++\fBpam_cap\fR \- Capabilities PAM module ++.SH "SYNOPSIS" ++[service\-name] \fBauth\fR control\-flag \fBpam_cap\fR [options] ++.SH "DESCRIPTION" ++The \fBpam_so\fR module can be used to specify \fIInheritable\fR capabilities to process trees rooted in the PAM application\. The module also supports blocking \fIBounding\fR vector capabilities and adding \fIAmbient\fR vector capabilities\. ++.P ++For general PAM apps to work correctly, the application must be run with at least \fBCAP_SETPCAP\fR raised in its \fIPermitted\fR capability flag\. Many PAM applications run as \fIroot\fR, which has all of the bits in the \fIBounding\fR set raised, so this requirement is typically met\. To grant an \fIAmbient\fR vector capability, the corresponding Permitted bit must be available to the application too\. ++.P ++The \fBpam_so\fR module is a Linux\-PAM \fIauth\fR module\. It provides functionality to back \fBpam_sm_authenticate()\fR and \fBpam_sm_setcred()\fR\. It is the latter that actually modifies the inheritable 3\-tuple of capability vectors: the configured \fIIAB\fR\. 
In a typical application configuration you might have a line like this: ++.IP "" 4 ++.nf ++auth optional pam_cap\.so ++.fi ++.IP "" 0 ++.P ++The module arguments are: ++.IP "\[ci]" 4 ++\fBdebug\fR: While supported, this is a no\-op at present\. ++.IP "\[ci]" 4 ++\fBconfig=\fR\fI/path/to/file\fR: Override the default config for the module\. The unspecified default value for this file is \fB/etc/security/capability\.conf\fR\. Note, \fBconfig=/dev/null\fR is a valid value\. See \fBdefault=\fR below for situations in which this might be appropriate\. ++.IP "\[ci]" 4 ++\fBkeepcaps\fR: This is as much as the \fBpam_cap\.so\fR module can do to help an application support use of the \fIAmbient\fR capability vector\. The application support for the \fIAmbient\fR set is poor at the present time\. ++.IP "\[ci]" 4 ++\fBautoauth\fR: This argument causes the \fBpam_cap\.so\fR module to return \fBPAM_SUCCESS\fR if the \fBPAM_USER\fR being authenticated exists\. The absence of this argument will cause \fBpam_cap\.so\fR to only return \fBPAM_SUCCESS\fR if the \fBPAM_USER\fR is covered by a specific rule in the prevailing config file\. ++.IP "\[ci]" 4 ++\fBdefault=\fR\fIIAB\fR: This argument is ignored if the prevailing configuration file contains a "\fB*\fR" rule\. If there is no such rule, the \fIIAB\fR 3\-tuple is inserted at the end of the config file and applies to all \fBPAM_USER\fRs not covered by an earlier rule\. Note, if you want all \fBPAM_USER\fRs to be covered by this default rule, you can supply the module argument \fBconfig=/dev/null\fR\. ++.IP "\[ci]" 4 ++\fBdefer\fR: This argument arranges for the \fIIAB\fR capabilities granted to a user to be added sufficiently late in the Linux\-PAM authentication stack that they stick\. That is, \fIafter\fR the application does its \fBsetuid(UID)\fR call\. As such, in conjunction with the \fBkeepcaps\fR module argument, such compliant applications can support granting \fIAmbient\fR vector capabilities with \fBpam_cap\.so\fR\. 
++.IP "" 0 ++.SH "SEE ALSO" ++pam\.conf(5), capability\.conf(5), pam(8) +-- +2.44.0 + diff --git a/0002-doc-document-the-use-of-to-refer-to-all-users.patch b/0002-doc-document-the-use-of-to-refer-to-all-users.patch new file mode 100644 index 0000000..9741d75 --- /dev/null +++ b/0002-doc-document-the-use-of-to-refer-to-all-users.patch @@ -0,0 +1,26 @@ +From 70783bddc65628a1afc3dd2f8b4b3f03fc839b8e Mon Sep 17 00:00:00 2001 +From: Carlos Rodriguez-Fernandez +Date: Fri, 5 Apr 2024 16:37:30 -0700 +Subject: [PATCH] doc: document the use of `*` to refer to all users + +Signed-off-by: Carlos Rodriguez-Fernandez +--- + doc/capability.conf.5 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/capability.conf.5 b/doc/capability.conf.5 +index 10ff63b..15535f4 100644 +--- a/doc/capability.conf.5 ++++ b/doc/capability.conf.5 +@@ -16,7 +16,7 @@ Where \fB\fR refers to the text format for an inheritable IAB capability tu + .P + The reserved word \fBall\fR does \fInot\fR grant \fIall the inheritable capabilities\fR, but acts as a simple \fIpass\-through\fR for any prevailing IAB tuple capabilities\. The reserved word \fBnone\fR refers to an empty \fIInheritable\fR capability set (and by extension an empty \fIAmbient\fR vector)\. + .P +-Here \fB\fR refers to the space separated PAM username values that will be granted the specified \fIIAB\fR tuple\. A name prefixed with the character \fB@\fR refers to the locally defined \fB/etc/group\fR \fIetc\fR users listed under that group name\. ++Here \fB\fR refers to the space separated PAM username values that will be granted the specified \fIIAB\fR tuple\. A name prefixed with the character \fB@\fR refers to the locally defined \fB/etc/group\fR \fIetc\fR users listed under that group name\. An asterisk "\fB*\fR" can be used to denote all users\. + .P + The parsing of the file chooses the first line that applies to the authenticating user, and attempts to apply that and only that\. + .P +-- +2.44.0 + 
diff --git a/29EE848AE2CCF3F4.asc b/29EE848AE2CCF3F4.asc
new file mode 100644
index 0000000..6d95430
--- /dev/null
+++ b/29EE848AE2CCF3F4.asc
@@ -0,0 +1,105 @@ +pub rsa4096 2011-10-07 [SC] + 38A644698C69787344E954CE29EE848AE2CCF3F4 +uid Andrew G. Morgan +uid Andrew G. Morgan (Work Address) +sub rsa4096 2011-10-07 [E] + E8BBFE9EBCE94FB48D2F98FC61B996743B143E89 + +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE6OiBIBEADpdtUxC8Fmhn5UK6UCZdU7mFgZwN8U9cabFUPfUIkMqXULhCD0 +hG2/amuiiUoLollPjOopNqk4cc8LcZfszOdBFAYj7MeWzNySVw4KkWrVCEH/bZ0Q +QzZH2qmoMT5CIrtcNxCAvukYsZLhyZYO0HdfuE05mVhVjtX9Btfxr7Ndvb7L4MRS +3Qb6+nHTgfn/Oow92/koIWvi0YvskKdZypeU888TQL99E8xdgL2n2Ip3xYwBHRR2 +GPb5MGOuEItF3tJ0kkILW5mzkJq/iLzRphzKjdF76I9QVRP8dZ+uWHPubWePm/5c +1H9lnlw00ZZ/ucQvSwTesUYk2aKkxzgm6X8fCdJXBLGgW5K6CkynpjN3qJ9KpcNY +H55smUgp8BaiWuoHe4pLvuBhnN2wiYOe2j9UvGX1OaRstMXFx7YbBvkGgdoZthUe +VPGAa4K+dnI2oy4wukzl/unAKrlMCBRsRoW2qjy3TDSXqwJhd34ilHzrdAdchrh/ +acBfbBtRzVlcDTnGltDNMuRTXzujaY9C3B0L2E+Jfrds8WcM8ASO4mHwJUTMrBwM +b5sFSG+/X9Ufg/c2G086HQ7xMERUA5oz66P5ReHCph8WHQN2L5vtZwL7//hZB9hn +G0K1210YEDXpFPijpis/54MKUSkWEFOLjUbiSPbwEfb79A00CcHojQQinwARAQAB +tCRBbmRyZXcgRy4gTW9yZ2FuIDxtb3JnYW5Aa2VybmVsLm9yZz6JAhwEEAECAAYF +Ak6YnFgACgkQINBOWnE2YKdO8Q//fwzZuxAacpWE2wByvuwM7hiYOtzxX9tSsaMA +NaYtxb8rYwM5YtkjCaBnWoyJ8de7L82HJff/GnxVpw0CWm5Dyj9Pvs/VAIvC4+75 ++5cs6YWQIhIV5NbmD92lKFni2xNcBomzttB1CexjemtmXQIwm0i06HBbfg8Nkv3l +WnZlHHzgOffnkodR56rJCOq75wTPZPmx9WP87bDW2B5ZwzGs4jcBEP8qz4J5agVk +97OrYrhy2RrtD6a4f3/VYJq12mvJ/lImgEwNoLsZfMZ6B6wpCvfmx80z1dE/VOmG +YKpDPhU5v6y0gQm/UOpz0tzgRJw7CYRK3mbM/Ctnc4n6y0UpbVAmAStRvnlM1DgL +3nuuh3EJ6s1r2m2l1SRT09va+lK6s1GARMD+6tmQE7+89DwwSB0lJtWCHRGP/M8W +ePdqRAVz3xTkqbRMgcnuvpL6qPveK1Qzv2MxUomB7A8QDxzKzQAIugzm5E1irfmZ +jg54/8R2bo0uIp8PS6wx8RD7TYHxGpe4cEAkBr/5/5TfMaTDbrx/f/XqRm/89Mx9 +04TLVyMqVDcsXAgd+fIGtv/e8cBVMDIRsE9aZQsSOil168Q8qYrJbYRcWmEGaM4d +KCGYhEPE7ZaZK4jxshSwfiirozCoAmkTmvOt4E0s2HlljjLPDecAlvoFvn2bSS3Z +8coir4CJAjsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOmRGP +AhkBAAoJECnuhIrizPP0wK0P/RMvjmzeXbgoa36cBDvDKReAiC56Au4qGXkNah39 +84tNPT1hVUKCiwiUmULoNJbEI4qFJTtwsMi5QzE+daCA7t+ALJiC+PKiKFG1LDz7 
+mxfhmBeS3XcYuqZdjyKrATUFr0SHbsJxtRCslawGD2gKczLknFeBXL0997TfJS9i +pLibqCtmvyryHn4EbZfoJqcpj/RBN/izVGHNYI8BsZpO5F6z7vXoncDL0dKh65nd +GaIbhVDUPsDBvzg3i+EzhB51hYTTNKK0QpWbmsXfJBnvztinfLUsnO9HV8aRaygO +I/DAKAtT7YPXORA1oFYtx69bzulqC+TXUmeV8YW8bETH4xHM9mQb0oNLPibR2nK2 +FSDiLp0/eEM5vgzfPVUX7WzBJUPsf0ah/e1yrXqudGUUZ0R+3VMOdxMryZBKLymk +zyvu6a5DcLarqAt8y9ciRH67HKNnE1gvHf5K2Q37gwSecwmXCjpMlbVJnIarLKBc +VRcYKtxgPxCv6483I8heSKF7PB/IFBmzT1cX7lhln9+62Ks/0Gs0pA0iNLaD+POP +iqWrAwZsFvKjD9PDaCBDFRWjFqZLyJMsMi1qmP8jWsdQqPdUskQC0ftvw3Z6Siyy +rriSAzglCjmmAcfdt+w4b/EO4SzSZUnd/ApkHkZx1Lbta15WKxGi7S8/5zNdaK72 +1nUdiQIzBBABCAAdFiEEIHnICkX+vZuglRryyyMS4ez3P1cFAl0PDA8ACgkQyyMS +4ez3P1eHXg//ceYbw0RGvvkpBn41t2D2OEDnowyAqgdrByFoub4mam3lxjKZob6F +nIVcp0aY6TTOW0Peo0ZMigLh2DkEpF0JZrtTu5Om2tZpn+16d2c9ThROEasTERqI +AnUHMmpXupRZDSdHJTSD+HdlBSvO9Ve2vtIv/F9AW8pIQqZby3rJeFwsaQl9GUuw +T6teyBG5GZVFLDvNM2r64moTGvxsZdOEz/2KSZNMONEIFWYJPbBtaKZjlNJebh+i +YwOda6YqGwmyBpudtMtyHUT5gXBIaaMfKW40CxxTesOuV7YWg52ZkJe8tsURnIUi +55wCaLnNM+bsqjRIDZ5tAvCqTCj+T5hg6uJbmWOhCHW4VMp3PKEgmajMSZVAfzcW +iryAT/xol531qwer+3LRRS21qha3lfAJNaDy6rTHBqeDXyo7oeBQwoFIJFA5w9Ia +DVRfWXiKnHjsma0CEg1JXXnL1eb2Bzh8qInUQEgm92B/w2tJgNDDNPIDQDlbWgQw +24Wzx5QGOfr4CJM3WMhSdUEn8jyyFj+GmCfCAtRTEPhGIf4op6rZfH5Q8O0UJ865 +iIvshNNLoWtkVx2MTU4juXsz666Vq+HFzyIw2xPeabVIKVzF25+vbTTRQIhohuU9 +FV36IqXOGGwYAlnu8/2NFDWbUIhaCaB0N2AeVH8kQcO9L0OEHB0MJy+0MEFuZHJl +dyBHLiBNb3JnYW4gKFdvcmsgQWRkcmVzcykgPGFnbUBnb29nbGUuY29tPokCOAQT +AQIAIgUCTpUPggIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQKe6EiuLM +8/TM2hAAwOPHeKi+9/SukBgW+8Cg9vOERdwnjX9P6lrFY4mbxISDt9edQeBd5PBb +dEk8ins+C5y0+iC8pBX7sZxTkNyDXcNk7icytKy8iewtCR94NVT/OXYy4cU60Eyk +OnqIZxTCNLRthu+XTd8+Ptlcgwv4js5LI16hn+fbO0j1SIgEei+wepmpibh3tU6L +idWPVj8ZqT32zDdwu9TCr1/eLyKg3PKeoFPuMD4ZYVp5Um4as4IEEGC4i7QSSDjY +0BnYBHfbBA/l4S2VICrwiX1FnN7BrW/viWgM0k6X6Rbn+NArq0aPYD2+VOpXMdQO +Y9n2foOzuHfCjaDeDNhfVy4zeylb1SwDxdQM1jbI0VgML0iwAjT27Xw3t/z2Kwb/ +JiHkxmknPZ/Htx5we3BJW6RMYcOxqgdNcyV+NCZVTl585FklroHHRORpILB5x6be 
+r7c5x2BbxfA9aKT/la/wHd0mikwfUzDelGGKu1N3r/zzE3IuQlK2m0ENm9uq8Hac +yZKKqCHSY96yWfC5vEnn/gVs/3OUs3vOnj1FkcoOX/wQxJcYKOYbpRPFbojdikp1 +zj7IR3X39RS3GpA59uAW+Vxt6xDkgu8s7NmJ2RLvLS/iL2tkF78cTLd4bzPizl2W +gGulIG8rJLCpa65IOfe0yrDgHPYF7cWC1gDhOc3LuyFwVHYEwWiJAjMEEAEIAB0W +IQQgecgKRf69m6CVGvLLIxLh7Pc/VwUCXQ8MGwAKCRDLIxLh7Pc/V0F9EACHKNqF +l5xXDHe/0nlZ+J/OFRNIE8ObZAxQLaPfK3gRkFn/SbKQzkzB84X2il7A/W221Lzi +me5eTFPhTX3RxUcoSQdrtCCov5gCeuiUbhuJ28zuJxslxLE8bhnmNfpLmFFGtbMI +kXq+y0uqc08Yj8frPXKgx7KvOoovpm0X/igiAkiuKLhbq8xIwaIN0NL4slFlx+ZP +Ed0KA6qOvlLr0T/lLVptAeMrzfi2gqY1utSqE5IVrbtU6Kptw3zfURsGFFIaKjIr +hzu25Cdpg/NxYGqo2GqD0lZ+OeWSy0WI5sxCSDqr0to9lvsJGv2Nc06ixIjH7vG2 +Hc/cC0QyHdBM6GwaLmUH9hrcSCLR5kxTzAW0Cf6lrAZUL36Ivl5l+zoLdJqSgZLY +YXqMdQf75Y5TRFzry5pWRef3ba4/sgui89W11Uccdq/pGe4OKo0I/vq3bv35/3cZ +aMGjj3x6v67kk8GWbKg6CPBnzb1dY7VDA5RWOt2lPZr4omUNFwRpxAfZADUz2Q4S +tMQVE018SSH1i6G9EB8KVQEBeD4qgaWs1z9sqA7K5wlBzGarTa2RspH0GMmYwxBY +hXtYpKm/47Dkg8j3N01VVwky0XGPFHCVgFbeXGknL1O3thOGs5XPO05jtBcbYI1u +vvK+h/CNn1yuTG13BSG4pgRF1Sy6CFLHme0d/rkCDQROjogSARAAtLny8nlyr8fy +YGAocQz0S47a99n/X0Vmgwo1trJsCXWbOrpztznY8IFRK/dRnRHiMwBxWQ4CvdUk +2p0MweUiOjpEN7bUm92jeFXMr0hpQKf+O4DMExHS4hxLwArnKFuAk2ejRQGXBcEo +Mv11LiUwuzFbWdXqMsA1TbuA+WvEBnFUYM/6xNiJeRIUIiGydhG1yaw8HrNWLHnh +hcOfT6z5AO69hZZiJacp9pU/+jnep/M42p4J17x81+ESpJeladwR0Qxc0qxOyWid +N7oO5hSiBEwU6lYQjdQ23pa7tN1o90P9jyN2nFBEdBu2D/mi4DV/+VXUYHNEy3uN +hmmLGwMoPVWiZveRmG74+ne7MVyxwb9EIF3IenS4T65ee1dlZvaoMxUlUe8htEK0 +ChrQZOfITs9MyjUwoTiLUVo3kQeMli9HJEQXPRjHqkkZ7W65LhkEVnHSPHWtttRS +DkuZYtze+he142GzDSQA3dF2zy/tLpBb5CA29ITcQTspgV7AuV8YQqDZ4XWHsR9A +m5334N83EXk2oouqxl7mKUB0Vg6tujNCBSRn6A3CUaA29w/MyTg4z6Yw6HD3il1J +8PcWEoOzqlUoPd8tA5pcZCcKngkXndpXgsZCgoCgvx9WNU+LUrHBfhC3TLLsI7iG +O1JvLghkesKTARF3O2hS3xAhfGZxn8MAEQEAAYkCHwQYAQIACQUCTo6IEgIbDAAK +CRAp7oSK4szz9HSYD/9hmEsJuSgAGwx/OPweYuDGkA25ajDAu59LpzTbjB/yOU1r +DVUu3cMH+UEyaEGlhbneGvHF2DsEC9il/8fVL4eaE9EWpopIonYndBE91+YiGHPT +oiyKcdp0KuQMwm2ENAiEf/qErrB2NLna4wfZUx5lzvEOEk3cNPmNz2ERyMPXIeei 
+Q9VKp3MzopWhvBItAyIzzuydKKvJAKzDoTOEL4w60slAphj8rVCsW45k2AurWUH7 +VFM8ezXunieLeygCGb+YJZAet6yVXD3UwnNcWCGQ+xKSPuyKrn4xKG0N5gzxnGIh +/S/7IOjRaNR5X+pfWd6YzN9qURUfiXmuLSPRHK4Flfam4gMMHul9wL6XBayFo2NU +PBaxg4U9ACAgSJxgCTNPCKwnovecOsRmIESKtT1F3hbZRRgRGj/TDepJQNfHSyk/ +ZQfuoJggBMQLJKzGII42rb0W90QLMk0SyCzeb3LO3yyNiKpluNpJsl2IqdBJE5t1 +LxhKDnju6JlFyPcGJnP/doTuDTjjL0V+guPAGVbuq0g2hku+ZlJwjMStNwHPWxei +fuDJbQVIp0xZbI5djdHC8hVJX+d09J5eq0PlgMEidc4F+Vv+mmGJl0GiNfhmTaAC +SRzbI25/bhvj2xhx8A2LEOuU/+nzYgQzPcFpawiUP1wBnTqi+maxKx5/9ifyrw== +=6WX5 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/SOURCES/libcap-2.48-buildflags.patch b/SOURCES/libcap-2.48-buildflags.patch deleted file mode 100644 index 7ebd16f..0000000 --- a/SOURCES/libcap-2.48-buildflags.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff --color -ru a/Make.Rules b/Make.Rules ---- a/Make.Rules 2021-02-05 06:52:17.000000000 +0100 -+++ b/Make.Rules 2021-12-13 17:09:11.225308225 +0100 -@@ -56,10 +56,10 @@ - - CC := $(CROSS_COMPILE)gcc - DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 --COPTS ?= -O2 -+COPTS ?= $(RPM_OPT_FLAGS) - CFLAGS ?= $(COPTS) $(DEFINES) - BUILD_CC ?= $(CC) --BUILD_COPTS ?= -O2 -+BUILD_COPTS ?= $(RPM_OPT_FLAGS) - BUILD_CFLAGS ?= $(BUILD_COPTS) $(DEFINES) $(IPATH) - AR := $(CROSS_COMPILE)ar - RANLIB := $(CROSS_COMPILE)ranlib -@@ -69,7 +69,7 @@ - -Wstrict-prototypes -Wmissing-prototypes \ - -Wnested-externs -Winline -Wshadow - LD=$(CC) -Wl,-x -shared --LDFLAGS ?= #-g -+LDFLAGS ?= $(RPM_LD_FLAGS) - LIBCAPLIB := -L$(topdir)/libcap -lcap - PSXLINKFLAGS := -lpthread -Wl,-wrap,pthread_create - LIBPSXLIB := -L$(topdir)/libcap -lpsx $(PSXLINKFLAGS) -@@ -104,7 +104,7 @@ - - ifeq ($(PTHREADS),yes) - GO ?= go --GOLANG ?= $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo yes ; else echo no ; fi) -+GOLANG ?= no - ifeq ($(GOLANG),yes) - GOROOT ?= $(shell $(GO) env GOROOT) - GOCGO ?= $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi) 
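Review bot: Nothing in the visible part of this commit ties the new keyring `29EE848AE2CCF3F4.asc` to a verification step, so on its own it does not protect the `libcap-2.69.tar.gz` download. The spec file is outside this view; if it does not already do so, it should list the key and upstream's detached signature as sources and call `%{gpgverify}` in `%prep`. The file also carries `gpg` listing text ahead of the armored block, so it is worth confirming that the tooling imports it cleanly. The fingerprint `38A644698C69787344E954CE29EE848AE2CCF3F4` should be checked against a copy published by upstream rather than one fetched from the same location as the tarball. A comment beside the key's source entry, such as `# upstream signing key; fingerprint verified out of band`, would record that check.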
diff --git a/SOURCES/libcap-abi-compatibility.patch b/SOURCES/libcap-abi-compatibility.patch deleted file mode 100644 index 88b4601..0000000 --- a/SOURCES/libcap-abi-compatibility.patch +++ /dev/null @@ -1,37 +0,0 @@ -diff --color -ru a/libcap/cap_text.c b/libcap/cap_text.c ---- a/libcap/cap_text.c 2021-02-05 06:52:17.000000000 +0100 -+++ b/libcap/cap_text.c 2021-12-15 13:03:44.993774400 +0100 -@@ -15,7 +15,7 @@ - #define LIBCAP_PLEASE_INCLUDE_ARRAY - #include "libcap.h" - --static char const *_cap_names[__CAP_BITS] = LIBCAP_CAP_NAMES; -+extern char const *_cap_names[__CAP_BITS]; - - #include - #include -diff --color -ru a/libcap/_makenames.c b/libcap/_makenames.c ---- a/libcap/_makenames.c 2021-02-05 06:52:17.000000000 +0100 -+++ b/libcap/_makenames.c 2021-12-15 12:47:07.921408357 +0100 -@@ -66,17 +66,17 @@ - "#define __CAP_NAME_SIZE %d\n" - "\n" - "#ifdef LIBCAP_PLEASE_INCLUDE_ARRAY\n" -- "#define LIBCAP_CAP_NAMES { \\\n", maxcaps, maxlength+1); -+ " char const *_cap_names[__CAP_BITS] = {\n", maxcaps, maxlength+1); - - for (i=0; iarg0 = arg0; ---- a/libcap/cap_proc.c 2022-05-17 20:07:36.301803359 +0200 -+++ b/libcap/cap_proc.c 2022-05-17 20:06:59.238592623 +0200 -@@ -677,9 +677,25 @@ - */ - cap_iab_t cap_iab_get_proc(void) - { -- cap_iab_t iab = cap_iab_init(); -- cap_t current = cap_get_proc(); -+ cap_iab_t iab; -+ cap_t current; -+ -+ iab = cap_iab_init(); -+ if (iab == NULL) { -+ _cap_debug("no memory for IAB tuple"); -+ return NULL; -+ } -+ -+ current = cap_get_proc(); -+ if (current == NULL) { -+ _cap_debug("no memory for cap_t"); -+ cap_free(iab); -+ return NULL; -+ } -+ - cap_iab_fill(iab, CAP_IAB_INH, current, CAP_INHERITABLE); -+ cap_free(current); -+ - cap_value_t c; - for (c = cap_max_bits(); c; ) { - --c; diff --git a/SOURCES/libcap-cve-2023-2602.patch b/SOURCES/libcap-cve-2023-2602.patch deleted file mode 100644 index be940cb..0000000 --- a/SOURCES/libcap-cve-2023-2602.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-commit bc6b36682f188020ee4770fae1d41bde5b2c97bb
-Author: Andrew G. Morgan
-Date: Wed May 3 19:18:36 2023 -0700
-
- Correct the check of pthread_create()'s return value.
-
- This function returns a positive number (errno) on error, so the code
- wasn't previously freeing some memory in this situation.
-
- Discussion:
-
- https://stackoverflow.com/a/3581020/14760867
-
- Credit for finding this bug in libpsx goes to David Gstir of
- X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
- audit of the libcap source code in April of 2023. The audit
- was sponsored by the Open Source Technology Improvement Fund
- (https://ostif.org/).
-
- Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
-
- Signed-off-by: Andrew G. Morgan
-
-diff --git a/psx/psx.c b/psx/psx.c
-index d9c0485..65eb2aa 100644
---- a/psx/psx.c
-+++ b/psx/psx.c
-@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
- pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
-
- int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
-- if (ret == -1) {
-+ if (ret > 0) {
- psx_new_state(_PSX_CREATE, _PSX_IDLE);
- memset(starter, 0, sizeof(*starter));
- free(starter);
diff --git a/SOURCES/libcap-cve-2023-2603.patch b/SOURCES/libcap-cve-2023-2603.patch
deleted file mode 100644
index 1020f84..0000000
--- a/SOURCES/libcap-cve-2023-2603.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/libcap/cap_alloc.c 2023-06-26 18:42:42.295817583 +0200
-+++ b/libcap/cap_alloc.c 2023-06-26 18:40:32.485375859 +0200
-@@ -82,7 +82,14 @@
- return NULL;
- }
-
-- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
-+ size_t len = strlen(old);
-+ if ((len & 0x3fffffff) != len) {
-+ _cap_debug("len is too long for libcap to manage");
-+ errno = EINVAL;
-+ return NULL;
-+ }
-+ len += 1 + sizeof(__u32);
-+ raw_data = calloc(1, len);
- if (raw_data == NULL) {
- errno = ENOMEM;
- return NULL;
diff --git a/SOURCES/libcap-fix-ambient-caps.patch b/SOURCES/libcap-fix-ambient-caps.patch
deleted file mode 100644
index de08d03..0000000
--- a/SOURCES/libcap-fix-ambient-caps.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-diff --color -ru a/libcap/cap_proc.c b/libcap/cap_proc.c
---- a/libcap/cap_proc.c 2021-12-22 12:33:20.739126763 +0100
-+++ b/libcap/cap_proc.c 2021-12-22 12:33:53.195733115 +0100
-@@ -406,6 +406,29 @@
- }
-
- /*
-+ * cap_prctl performs a prctl() 6 argument call on the current
-+ * thread. Use cap_prctlw() if you want to perform a POSIX semantics
-+ * prctl() system call.
-+ */
-+int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
-+ long int arg3, long int arg4, long int arg5)
-+{
-+ return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
-+}
-+
-+/*
-+ * cap_prctlw performs a POSIX semantics prctl() call. That is a 6 arg
-+ * prctl() call that executes on all available threads when libpsx is
-+ * linked. The suffix 'w' refers to the fact one only ever needs to
-+ * invoke this is if the call will write some kernel state.
-+ */
-+int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
-+ long int arg3, long int arg4, long int arg5)
-+{
-+ return _libcap_wprctl6(&multithread, pr_cmd, arg1, arg2, arg3, arg4, arg5);
-+}
-+
-+/*
- * Some predefined constants
- */
- #define CAP_SECURED_BITS_BASIC \
-diff --color -ru a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
---- a/libcap/include/sys/capability.h 2021-02-05 06:52:17.000000000 +0100
-+++ b/libcap/include/sys/capability.h 2021-12-22 12:33:53.196733134 +0100
-@@ -175,6 +175,11 @@
- extern unsigned cap_get_secbits(void);
- extern int cap_set_secbits(unsigned bits);
-
-+extern int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
-+ long int arg3, long int arg4, long int arg5);
-+extern int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
-+ long int arg3, long int arg4, long int arg5);
-+
- extern int cap_setuid(uid_t uid);
- extern int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[]);
-
-diff --color -ru a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
---- a/pam_cap/pam_cap.c 2021-12-22 12:33:20.740126781 +0100
-+++ b/pam_cap/pam_cap.c 2021-12-22 12:33:53.196733134 +0100
-@@ -21,6 +21,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
-
-@@ -33,8 +34,11 @@
-
- struct pam_cap_s {
- int debug;
-+ int keepcaps;
-+ int defer;
- const char *user;
- const char *conf_filename;
-+ pam_handle_t *pamh;
- };
-
- /*
-@@ -178,6 +182,33 @@
- }
-
- /*
-+ * This is the "defer" cleanup function that actually applies the IAB
-+ * tuple. This happens really late in the PAM session, hopefully after
-+ * the application has performed its setuid() function.
-+ */
-+static void iab_apply(pam_handle_t *pamh, void *data, int error_status)
-+{
-+ cap_iab_t iab = data;
-+ int retval = error_status & ~(PAM_DATA_REPLACE|PAM_DATA_SILENT);
-+
-+ data = NULL;
-+ if (error_status & PAM_DATA_REPLACE) {
-+ goto done;
-+ }
-+
-+ if (retval != PAM_SUCCESS || !(error_status & PAM_DATA_SILENT)) {
-+ goto done;
-+ }
-+
-+ if (cap_iab_set_proc(iab) != 0) {
-+ D(("IAB setting failed"));
-+ }
-+
-+done:
-+ cap_free(iab);
-+}
-+
-+/*
- * Set capabilities for current process to match the current
- * permitted+executable sets combined with the configured inheritable
- * set.
-@@ -230,12 +261,21 @@
- goto cleanup_conf;
- }
-
-- if (!cap_iab_set_proc(iab)) {
-+ if (cs->defer) {
-+ D(("configured to delay applying IAB"));
-+ pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
-+ iab = NULL;
-+ } else if (!cap_iab_set_proc(iab)) {
- D(("able to set the IAB [%s] value", conf_caps));
- ok = 1;
- }
- cap_free(iab);
-
-+ if (cs->keepcaps) {
-+ D(("setting keepcaps"));
-+ (void) cap_prctlw(PR_SET_KEEPCAPS, 1, 0, 0, 0, 0);
-+ }
-+
- cleanup_conf:
- memset(conf_caps, 0, conf_caps_length);
- _pam_drop(conf_caps);
-@@ -268,6 +308,10 @@
- pcs->debug = 1;
- } else if (!strncmp(*argv, "config=", 7)) {
- pcs->conf_filename = 7 + *argv;
-+ } else if (!strcmp(*argv, "keepcaps")) {
-+ pcs->keepcaps = 1;
-+ } else if (!strcmp(*argv, "defer")) {
-+ pcs->defer = 1;
- } else {
- _pam_log(LOG_ERR, "unknown option; %s", *argv);
- }
-@@ -353,6 +397,7 @@
- return PAM_AUTH_ERR;
- }
-
-+ pcs.pamh = pamh;
- retval = set_capabilities(&pcs);
- memset(&pcs, 0, sizeof(pcs));
-
diff --git a/SOURCES/libcap-fix-prctl-usage.patch b/SOURCES/libcap-fix-prctl-usage.patch
deleted file mode 100644
index 018310a..0000000
--- a/SOURCES/libcap-fix-prctl-usage.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-diff --git a/libcap/cap_proc.c b/libcap/cap_proc.c
---- a/libcap/cap_proc.c
-+++ b/libcap/cap_proc.c
-@@ -135,7 +135,13 @@ static int _libcap_wprctl3(struct syscaller_s *sc,
- long int pr_cmd, long int arg1, long int arg2)
- {
- if (_libcap_overrode_syscalls) {
-- return sc->three(SYS_prctl, pr_cmd, arg1, arg2);
-+ int result;
-+ result = sc->three(SYS_prctl, pr_cmd, arg1, arg2);
-+ if (result >= 0) {
-+ return result;
-+ }
-+ errno = -result;
-+ return -1;
- }
- return prctl(pr_cmd, arg1, arg2, 0, 0, 0);
- }
-@@ -145,7 +151,13 @@ static int _libcap_wprctl6(struct syscaller_s *sc,
- long int arg3, long int arg4, long int arg5)
- {
- if (_libcap_overrode_syscalls) {
-- return sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
-+ int result;
-+ result = sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
-+ if (result >= 0) {
-+ return result;
-+ }
-+ errno = -result;
-+ return -1;
- }
- return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
- }
-@@ -271,26 +283,12 @@ int capsetp(pid_t pid, cap_t cap_d)
-
- int cap_get_bound(cap_value_t cap)
- {
-- int result;
--
-- result = prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
-- if (result < 0) {
-- errno = -result;
-- return -1;
-- }
-- return result;
-+ return prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
- }
-
- static int _cap_drop_bound(struct syscaller_s *sc, cap_value_t cap)
- {
-- int result;
--
-- result = _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
-- if (result < 0) {
-- errno = -result;
-- return -1;
-- }
-- return result;
-+ return _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
- }
-
- /* drop a capability from the bounding set */
-@@ -316,7 +314,7 @@ int cap_get_ambient(cap_value_t cap)
- static int _cap_set_ambient(struct syscaller_s *sc,
- cap_value_t cap, cap_flag_value_t set)
- {
-- int result, val;
-+ int val;
- switch (set) {
- case CAP_SET:
- val = PR_CAP_AMBIENT_RAISE;
-@@ -328,13 +326,8 @@ static int _cap_set_ambient(struct syscaller_s *sc,
- errno = EINVAL;
- return -1;
- }
-- result = _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
-- pr_arg(0), pr_arg(0), pr_arg(0));
-- if (result < 0) {
-- errno = -result;
-- return -1;
-- }
-- return result;
-+ return _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
-+ pr_arg(0), pr_arg(0), pr_arg(0));
- }
-
- /*
-diff --git a/libcap/cap_test.c b/libcap/cap_test.c
---- a/libcap/cap_test.c 2021-02-05 06:52:17.000000000 +0100
-+++ b/libcap/cap_test.c 2022-05-16 18:24:55.754193142 +0200
-@@ -29,11 +29,36 @@
- return failed;
- }
-
-+static int test_prctl(void)
-+{
-+ int ret, retval=0;
-+ errno = 0;
-+ ret = cap_get_bound((cap_value_t) -1);
-+ if (ret != -1) {
-+ printf("cap_get_bound(-1) did not return error: %d\n", ret);
-+ retval = -1;
-+ } else if (errno != EINVAL) {
-+ perror("cap_get_bound(-1) errno != EINVAL");
-+ retval = -1;
-+ }
-+ return retval;
-+}
-+
- int main(int argc, char **argv) {
- int result = 0;
-+ printf("test_cap_bits: being called\n");
-+ fflush(stdout);
- result = test_cap_bits() | result;
-+ printf("test_prctl: being called\n");
-+ fflush(stdout);
-+ result = test_prctl() | result;
-+ printf("tested\n");
-+ fflush(stdout);
-+
- if (result) {
-- printf("test FAILED\n");
-+ printf("cap_test FAILED\n");
- exit(1);
- }
-+ printf("cap_test PASS\n");
-+ exit(0);
- }
diff --git a/SOURCES/libcap-static-analysis.patch b/SOURCES/libcap-static-analysis.patch
deleted file mode 100644
index c72ca73..0000000
--- a/SOURCES/libcap-static-analysis.patch
+++ /dev/null
@@ -1,494 +0,0 @@ -diff --color -ru a/libcap/cap_proc.c b/libcap/cap_proc.c ---- a/libcap/cap_proc.c 2022-01-28 12:42:39.726331628 +0100 -+++ b/libcap/cap_proc.c 2022-01-28 12:44:05.007936110 +0100 -@@ -712,6 +712,10 @@ - cap_value_t c; - int raising = 0; - -+ if (temp == NULL) { -+ return -1; -+ } -+ - for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) { - __u32 newI = iab->i[i]; - __u32 oldIP = temp->u[i].flat[CAP_INHERITABLE] | -diff --color -ru a/libcap/cap_text.c b/libcap/cap_text.c ---- a/libcap/cap_text.c 2022-01-28 12:42:39.725331609 +0100 -+++ b/libcap/cap_text.c 2022-01-28 12:44:05.008936129 +0100 -@@ -160,6 +160,7 @@ - cap_blks = _LINUX_CAPABILITY_U32S_3; - break; - default: -+ cap_free(res); - errno = EINVAL; - return NULL; - } -@@ -398,6 +399,9 @@ - for (n = 0; n < cmb; n++) { - if (getstateflags(caps, n) == t) { - char *this_cap_name = cap_to_name(n); -+ if (this_cap_name == NULL) { -+ return NULL; -+ } - if ((strlen(this_cap_name) + (p - buf)) > CAP_TEXT_SIZE) { - cap_free(this_cap_name); - errno = ERANGE; -@@ -450,6 +454,9 @@ - for (n = cmb; n < __CAP_MAXBITS; n++) { - if (getstateflags(caps, n) == t) { - char *this_cap_name = cap_to_name(n); -+ if (this_cap_name == NULL) { -+ return NULL; -+ } - if ((strlen(this_cap_name) + (p - buf)) > CAP_TEXT_SIZE) { - cap_free(this_cap_name); - errno = ERANGE; -@@ -549,6 +556,9 @@ - cap_iab_t cap_iab_from_text(const char *text) - { - cap_iab_t iab = cap_iab_init(); -+ if (iab == NULL) { -+ return iab; -+ } - if (text != NULL) { - unsigned flags; - for (flags = 0; *text; text++) { -diff --color -ru a/libcap/_makenames.c b/libcap/_makenames.c ---- a/libcap/_makenames.c 2022-01-28 12:42:39.725331609 +0100 -+++ b/libcap/_makenames.c 2022-01-28 13:07:28.700817691 +0100 -@@ -45,10 +45,14 @@ - if (maxcaps <= list[i].index) { - maxcaps = list[i].index + 1; - } -- if (list[i].index >= pointers_avail) { -+ if (pointers == NULL || list[i].index >= pointers_avail) { - int was = pointers_avail * sizeof(char *); - pointers_avail 
= 2 * list[i].index + 1; - pointers = recalloc(pointers, was, pointers_avail * sizeof(char *)); -+ if (pointers == NULL) { -+ perror("unable to continue"); -+ exit(1); -+ } - } - pointers[list[i].index] = list[i].name; - int n = strlen(list[i].name); -diff --color -ru a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c ---- a/pam_cap/pam_cap.c 2022-01-28 12:42:39.726331628 +0100 -+++ b/pam_cap/pam_cap.c 2022-01-28 12:44:05.009936148 +0100 -@@ -64,6 +64,9 @@ - } - - *groups = calloc(ngrps, sizeof(char *)); -+ if (*groups == NULL) { -+ return -1; -+ } - int g_n = 0, i; - for (i = 0; i < ngrps; i++) { - const struct group *g = getgrgid(grps[i]); -@@ -249,7 +252,7 @@ - if (!cap_set_proc(cap_s)) { - ok = 1; - } -- goto cleanup_cap_s; -+ goto cleanup_conf; - } - - iab = cap_iab_from_text(conf_caps); -@@ -278,10 +281,9 @@ - _pam_drop(conf_caps); - - cleanup_cap_s: -- if (cap_s) { -- cap_free(cap_s); -- cap_s = NULL; -- } -+ cap_free(cap_s); -+ cap_s = NULL; -+ - return ok; - } - -diff --color -ru a/progs/capsh.c b/progs/capsh.c ---- a/progs/capsh.c 2021-02-05 06:52:17.000000000 +0100 -+++ b/progs/capsh.c 2022-01-28 13:06:15.803465885 +0100 -@@ -34,6 +34,35 @@ - - #define MAX_GROUPS 100 /* max number of supplementary groups for user */ - -+/* parse a non-negative integer with some error handling */ -+static unsigned long nonneg_uint(const char *text, const char *prefix, int *ok) -+{ -+ char *remains; -+ unsigned long value; -+ ssize_t len = strlen(text); -+ -+ if (len == 0 || *text == '-') { -+ goto fail; -+ } -+ value = strtoul(text, &remains, 0); -+ if (*remains) { -+ goto fail; -+ } -+ if (ok != NULL) { -+ *ok = 1; -+ } -+ return value; -+ -+fail: -+ if (ok == NULL) { -+ fprintf(stderr, "%s: want non-negative integer, got \"%s\"\n", -+ prefix, text); -+ exit(1); -+ } -+ *ok = 0; -+ return 0; -+} -+ - static char *binary(unsigned long value) - { - static char string[8*sizeof(unsigned long) + 1]; -@@ -100,7 +129,16 @@ - display_prctl_set("Bounding", cap_get_bound); - 
display_prctl_set("Ambient", cap_get_ambient); - iab = cap_iab_get_proc(); -+ if (iab == NULL) { -+ perror("failed to get IAB for process"); -+ exit(1); -+ } - text = cap_iab_to_text(iab); -+ if (text == NULL) { -+ perror("failed to obtain text for IAB"); -+ cap_free(iab); -+ exit(1); -+ } - printf("Current IAB: %s\n", text); - cap_free(text); - cap_free(iab); -@@ -336,8 +374,8 @@ - */ - static char *find_self(const char *arg0) - { -- int i; -- char *parts, *dir, *scratch; -+ int i, status=1; -+ char *p = NULL, *parts, *dir, *scratch; - const char *path; - - for (i = strlen(arg0)-1; i >= 0 && arg0[i] != '/'; i--); -@@ -352,21 +390,45 @@ - } - - parts = strdup(path); -+ if (parts == NULL) { -+ fprintf(stderr, "insufficient memory for parts of path\n"); -+ exit(1); -+ } -+ - scratch = malloc(2+strlen(path)+strlen(arg0)); -- if (parts == NULL || scratch == NULL) { -+ if (scratch == NULL) { - fprintf(stderr, "insufficient memory for path building\n"); -- exit(1); -+ goto free_parts; - } - -- for (i=0; (dir = strtok(parts, ":")); parts = NULL) { -+ for (p = parts; (dir = strtok(p, ":")); p = NULL) { - sprintf(scratch, "%s/%s", dir, arg0); - if (access(scratch, X_OK) == 0) { -- return scratch; -+ status = 0; -+ break; - } - } -+ if (status) { -+ fprintf(stderr, "unable to find executable '%s' in PATH\n", arg0); -+ free(scratch); -+ } - -- fprintf(stderr, "unable to find executable '%s' in PATH\n", arg0); -- exit(1); -+free_parts: -+ free(parts); -+ if (status) { -+ exit(status); -+ } -+ return scratch; -+} -+ -+static long safe_sysconf(int name) -+{ -+ long ans = sysconf(name); -+ if (ans <= 0) { -+ fprintf(stderr, "sysconf(%d) returned a non-positive number: %ld\n", name, ans); -+ exit(1); -+ } -+ return ans; - } - - int main(int argc, char *argv[], char *envp[]) -@@ -378,6 +440,10 @@ - child = 0; - - char *temp_name = cap_to_name(cap_max_bits() - 1); -+ if (temp_name == NULL) { -+ perror("obtaining highest capability name"); -+ exit(1); -+ } - if (temp_name[0] != 'c') 
{ - printf("WARNING: libcap needs an update (cap=%d should have a name).\n", - cap_max_bits() - 1); -@@ -573,7 +639,7 @@ - unsigned value; - int set; - -- value = strtoul(argv[i]+7, NULL, 0); -+ value = nonneg_uint(argv[i]+7, "invalid --keep value", NULL); - set = prctl(PR_SET_KEEPCAPS, value); - if (set < 0) { - fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n", -@@ -617,7 +683,9 @@ - * Given we are now in a new directory tree, its good practice - * to start off in a sane location - */ -- status = chdir("/"); -+ if (status == 0) { -+ status = chdir("/"); -+ } - - cap_free(orig); - -@@ -628,7 +696,7 @@ - } else if (!strncmp("--secbits=", argv[i], 10)) { - unsigned value; - int status; -- value = strtoul(argv[i]+10, NULL, 0); -+ value = nonneg_uint(argv[i]+10, "invalid --secbits value", NULL); - status = cap_set_secbits(value); - if (status < 0) { - fprintf(stderr, "failed to set securebits to 0%o/0x%x\n", -@@ -641,7 +709,7 @@ - fprintf(stderr, "already forked\n"); - exit(1); - } -- value = strtoul(argv[i]+10, NULL, 0); -+ value = nonneg_uint(argv[i]+10, "invalid --forkfor value", NULL); - if (value == 0) { - goto usage; - } -@@ -657,7 +725,8 @@ - pid_t result; - unsigned value; - -- value = strtoul(argv[i]+9, NULL, 0); -+ value = nonneg_uint(argv[i]+9, "invalid --killit signo value", -+ NULL); - if (!child) { - fprintf(stderr, "no forked process to kill\n"); - exit(1); -@@ -683,7 +752,7 @@ - unsigned value; - int status; - -- value = strtoul(argv[i]+6, NULL, 0); -+ value = nonneg_uint(argv[i]+6, "invalid --uid value", NULL); - status = setuid(value); - if (status < 0) { - fprintf(stderr, "Failed to set uid=%u: %s\n", -@@ -694,7 +763,7 @@ - unsigned value; - int status; - -- value = strtoul(argv[i]+10, NULL, 0); -+ value = nonneg_uint(argv[i]+10, "invalid --cap-uid value", NULL); - status = cap_setuid(value); - if (status < 0) { - fprintf(stderr, "Failed to cap_setuid(%u): %s\n", -@@ -705,7 +774,7 @@ - unsigned value; - int status; - -- value = 
strtoul(argv[i]+6, NULL, 0); -+ value = nonneg_uint(argv[i]+6, "invalid --gid value", NULL); - status = setgid(value); - if (status < 0) { - fprintf(stderr, "Failed to set gid=%u: %s\n", -@@ -718,14 +787,14 @@ - gid_t *group_list; - int g_count; - -- length = sysconf(_SC_GETGR_R_SIZE_MAX); -+ length = safe_sysconf(_SC_GETGR_R_SIZE_MAX); - buf = calloc(1, length); - if (NULL == buf) { - fprintf(stderr, "No memory for [%s] operation\n", argv[i]); - exit(1); - } - -- max_groups = sysconf(_SC_NGROUPS_MAX); -+ max_groups = safe_sysconf(_SC_NGROUPS_MAX); - group_list = calloc(max_groups, sizeof(gid_t)); - if (NULL == group_list) { - fprintf(stderr, "No memory for gid list\n"); -@@ -741,8 +810,7 @@ - } - if (!isdigit(*ptr)) { - struct group *g, grp; -- getgrnam_r(ptr, &grp, buf, length, &g); -- if (NULL == g) { -+ if (getgrnam_r(ptr, &grp, buf, length, &g) || NULL == g) { - fprintf(stderr, "Failed to identify gid for group [%s]\n", ptr); - exit(1); - } -@@ -835,6 +903,7 @@ - argv[argc] = NULL; - execve(argv[i], argv+i, envp); - fprintf(stderr, "execve '%s' failed!\n", argv[i]); -+ free(argv[i]); - exit(1); - } else if (!strncmp("--shell=", argv[i], 8)) { - shell = argv[i]+8; -@@ -885,7 +954,7 @@ - } else if (!strncmp("--is-uid=", argv[i], 9)) { - unsigned value; - uid_t uid; -- value = strtoul(argv[i]+9, NULL, 0); -+ value = nonneg_uint(argv[i]+9, "invalid --is-uid value", NULL); - uid = getuid(); - if (uid != value) { - fprintf(stderr, "uid: got=%d, want=%d\n", uid, value); -@@ -894,7 +963,7 @@ - } else if (!strncmp("--is-gid=", argv[i], 9)) { - unsigned value; - gid_t gid; -- value = strtoul(argv[i]+9, NULL, 0); -+ value = nonneg_uint(argv[i]+9, "invalid --is-gid value", NULL); - gid = getgid(); - if (gid != value) { - fprintf(stderr, "gid: got=%d, want=%d\n", gid, value); -diff --color -ru a/progs/getcap.c b/progs/getcap.c ---- a/progs/getcap.c 2021-02-05 06:52:17.000000000 +0100 -+++ b/progs/getcap.c 2022-01-28 12:44:05.009936148 +0100 -@@ -110,11 +110,11 @@ - - for 
(i=optind; argv[i] != NULL; i++) { - struct stat stbuf; -- -- if (lstat(argv[i], &stbuf) != 0) { -- fprintf(stderr, "%s (%s)\n", argv[i], strerror(errno)); -+ char *arg = argv[i]; -+ if (lstat(arg, &stbuf) != 0) { -+ fprintf(stderr, "%s (%s)\n", arg, strerror(errno)); - } else if (recursive) { -- nftw(argv[i], do_getcap, 20, FTW_PHYS); -+ nftw(arg, do_getcap, 20, FTW_PHYS); - } else { - int tflag = S_ISREG(stbuf.st_mode) ? FTW_F : - (S_ISLNK(stbuf.st_mode) ? FTW_SL : FTW_NS); -diff --color -ru a/progs/setcap.c b/progs/setcap.c ---- a/progs/setcap.c 2021-02-05 06:52:17.000000000 +0100 -+++ b/progs/setcap.c 2022-01-28 12:44:05.009936148 +0100 -@@ -166,9 +166,12 @@ - } - - cap_on_file = cap_get_file(*++argv); -- - if (cap_on_file == NULL) { - cap_on_file = cap_from_text("="); -+ if (cap_on_file == NULL) { -+ perror("unable to use missing capability"); -+ exit(1); -+ } - } - - cmp = cap_compare(cap_on_file, cap_d); -diff --color -ru a/psx/psx.c b/psx/psx.c ---- a/psx/psx.c 2021-02-05 06:52:17.000000000 +0100 -+++ b/psx/psx.c 2022-01-28 12:44:05.009936148 +0100 -@@ -107,6 +107,10 @@ - */ - static void *psx_do_registration(void) { - registered_thread_t *node = calloc(1, sizeof(registered_thread_t)); -+ if (node == NULL) { -+ perror("unable to register psx handler"); -+ exit(1); -+ } - pthread_mutex_init(&node->mu, NULL); - node->thread = pthread_self(); - pthread_setspecific(psx_action_key, node); -@@ -454,6 +458,10 @@ - int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr, - void *(*start_routine) (void *), void *arg) { - psx_starter_t *starter = calloc(1, sizeof(psx_starter_t)); -+ if (starter == NULL) { -+ perror("failed at thread creation"); -+ exit(1); -+ } - starter->fn = start_routine; - starter->arg = arg; - /* -diff --color -ru a/tests/libcap_launch_test.c b/tests/libcap_launch_test.c ---- a/tests/libcap_launch_test.c 2021-02-05 06:52:17.000000000 +0100 -+++ b/tests/libcap_launch_test.c 2022-01-28 12:44:05.010936167 +0100 -@@ -93,6 +93,10 @@ - 
printf("[%d] test should %s\n", i, - v->result ? "generate error" : "work"); - cap_launch_t attr = cap_new_launcher(v->args[0], v->args, v->envp); -+ if (attr == NULL) { -+ perror("failed to obtain launcher"); -+ exit(1); -+ } - if (v->chroot) { - cap_launcher_set_chroot(attr, v->chroot); - } -diff --color -ru a/tests/libcap_psx_test.c b/tests/libcap_psx_test.c ---- a/tests/libcap_psx_test.c 2021-02-05 06:52:17.000000000 +0100 -+++ b/tests/libcap_psx_test.c 2022-01-28 12:55:55.887807887 +0100 -@@ -16,8 +16,15 @@ - usleep(1234); - pid_t pid = fork(); - cap_t start = cap_get_proc(); -+ if (start == NULL) { -+ perror("FAILED: unable to start"); -+ exit(1); -+ } - if (pid == 0) { -- cap_set_proc(start); -+ if (cap_set_proc(start)) { -+ perror("setting empty caps failed"); -+ exit(1); -+ } - exit(0); - } - int res; -@@ -27,6 +34,7 @@ - exit(1); - } - cap_set_proc(start); -+ cap_free(start); - return NULL; - } - -@@ -35,6 +43,10 @@ - printf("hello libcap and libpsx "); - fflush(stdout); - cap_t start = cap_get_proc(); -+ if (start == NULL) { -+ perror("FAILED: to actually start"); -+ exit(1); -+ } - pthread_t ignored[10]; - for (i = 0; i < 10; i++) { - pthread_create(&ignored[i], NULL, thread_fork_exit, NULL); -@@ -42,7 +54,10 @@ - for (i = 0; i < 10; i++) { - printf("."); /* because of fork, this may print double */ - fflush(stdout); /* try to limit the above effect */ -- cap_set_proc(start); -+ if (cap_set_proc(start)) { -+ perror("failed to set proc"); -+ exit(1); -+ } - usleep(1000); - } - printf(" PASSED\n"); diff --git a/libcap-2.69.tar.sign b/libcap-2.69.tar.sign new file mode 100644 index 0000000..bcc372c --- /dev/null +++ b/libcap-2.69.tar.sign 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEOKZEaYxpeHNE6VTOKe6EiuLM8/QFAmRhl6YACgkQKe6EiuLM +8/Q0gg/8DrMJ0FugNk6jE4YprJHq1kNjrXgNJ1v2aAKchghnUn0S6po3f0YVeB9q +UDSoRxBWmz/BwJ8PMRwiX2DWpoD0+F3UjSP37rfTqp3Y7//xP0WkYuKBCBiXwtKG +MBGw3QGoUmWy77JVBLvlqvgjk8pwLsbVLRGAc0p78CKKE8A02f9U3WCEmFwoP3Ko +rAiPTWzu1bz1G6nbmEdIqIDffzCt90Ygyop/NVpMQS2QLMvcF2pu/J5AQV8rcEGi +1G7bvAl/2EtUf4JDrWA+SZXp8uJ0Wx6B+K06D8JYf1NTocVbef+4FQCVtD1KDYXQ +j4NgyCMBuhKMZ98rqWMQmJ6nWyksTA/IFzOTOY0ywCDtFvxq3W2JS2f0dvty2ea9 +hkWo+S/CQNCbH7X7JvfRUen0844y488uFCoIbnPTcNH0C1N5KBBymT85vXOsDDra +3OF9us/EyOPBnItmOLB8+ot+v2bpx3JdjEalWkmwkrIbaFLpR6LhNPQRo6LI2lw4 +eLRGA5Oigpxnwz5VYhNFkl7AK1Ni2lfVGsk2mbaz2aq1+6+II2WM6jgC/mt73pv0 +3822hBI76qJIoThTvAdtrWWRd7jCNs57lfONUKdETAbs0XOxcyHrNComtbWb1kyN +zclCere20HUtYxtdixx30V9DFSmrBLAYgusu6oJp1oEolRugoA4= +=Qw3r +-----END PGP SIGNATURE----- diff --git a/SPECS/libcap.spec b/libcap.spec similarity index 61% rename from SPECS/libcap.spec rename to libcap.spec index c5343a2..faa17f9 100644 --- a/SPECS/libcap.spec +++ b/libcap.spec 
@@ -1,23 +1,31 @@
 Name: libcap
-Version: 2.48
-Release: 6%{?dist}
+Version: 2.69
+Release: 7%{?dist}
 Summary: Library for getting and setting POSIX.1e capabilities
 URL: https://sites.google.com/site/fullycapable/
-License: BSD or GPLv2
-Group: System Environment/Libraries
+License: BSD-3-Clause OR GPL-2.0-only
-Source: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/snapshot/%{name}-%{version}.tar.gz
-Patch0: %{name}-2.48-buildflags.patch
-Patch1: %{name}-abi-compatibility.patch
-Patch2: %{name}-static-analysis.patch
-Patch3: %{name}-fix-ambient-caps.patch
-Patch4: %{name}-fix-prctl-usage.patch
-Patch5: %{name}-check-allocation.patch
-Patch6: %{name}-cve-2023-2603.patch
-Patch7: %{name}-cve-2023-2602.patch
+Source0: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
+Source1: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.sign
+Source2: https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/29EE848AE2CCF3F4.asc
+Patch0: 0001-doc-document-pam_cap-and-its-conf.patch
+Patch1: 0002-doc-document-the-use-of-to-refer-to-all-users.patch
-BuildRequires: libattr-devel pam-devel perl-interpreter
+BuildRequires: pam-devel gcc
 BuildRequires: make
+BuildRequires: glibc-static
+BuildRequires: gnupg2
+
+%ifarch %{golang_arches}
+BuildRequires: golang >= 1.22
+%endif
+
+%if "%{_sbindir}" == "%{_bindir}"
+# Compat symlinks for Requires in other packages.
+# We rely on filesystem to create the symlinks for us.
+Requires: filesystem(unmerged-sbin-symlinks)
+Provides: /usr/sbin/setcap
+%endif
 %description
 libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
@@ -25,7 +33,6 @@ draft 15 capabilities.
 %package static
 Summary: Static libraries for libcap development
-Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 %description static
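Review bot: The `Patch6` (`%{name}-cve-2023-2603.patch`) and `Patch7` (`%{name}-cve-2023-2602.patch`) lines are dropped in this hunk, and nothing in the new spec records that CVE-2023-2603 and CVE-2023-2602 stay fixed after the rebase. The changelog hunk (`@@ -72,73 +76,125 @@`) also removes the 2.48-5 entry, the only place that named them. Upstream 2.69 presumably carries both fixes, but that should be confirmed against the new tarball and then stated, for example `- Rebase to 2.69 includes the fixes for CVE-2023-2602 and CVE-2023-2603` under the newest changelog entry. Auditors and scanners that look for CVE ids in `rpm -q --changelog` otherwise read the package as unpatched.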
@@ -37,7 +44,6 @@ draft 15 capabilities.
 %package devel
 Summary: Development files for libcap
-Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 %description devel
@@ -50,21 +56,19 @@ Install libcap-devel if you want to develop or compile applications using
 libcap.
 %prep
+gzip -cd %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=-
 %autosetup -p1
 %build
-# libcap can not be build with _smp_mflags:
-make prefix=%{_prefix} lib=%{_lib} LIBDIR=%{_libdir} SBINDIR=%{_sbindir} \
- INCDIR=%{_includedir} MANDIR=%{_mandir} PKGCONFIGDIR=%{_libdir}/pkgconfig/
+%make_build prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 CGO_CFLAGS="${CFLAGS}" CGO_LDFLAGS="${LDFLAGS}" GO_BUILD_FLAGS="-buildmode=pie -a -v -x -ldflags='-compressdwarf=false -B gobuildid'" all
+
+%check
+make test
 %install
-make install RAISE_SETFCAP=no \
- DESTDIR=%{buildroot} \
- LIBDIR=%{_libdir} \
- SBINDIR=%{_sbindir} \
- PKGCONFIGDIR=%{_libdir}/pkgconfig/
+%make_install prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 CGO_CFLAGS="${CFLAGS}" CGO_LDFLAGS="${LDFLAGS}" GO_BUILD_FLAGS="-buildmode=pie -a -v -x -ldflags='-compressdwarf=false -B gobuildid'"
-mkdir -p %{buildroot}/%{_mandir}/man{2,3,8}
+mkdir -p %{buildroot}/%{_mandir}/man{2,3,5,8}
 mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/
 chmod +x %{buildroot}/%{_libdir}/*.so.*
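Review bot: The added `gzip -cd %{SOURCE0} | %{gpgverify} ...` line in `%prep` has no comment saying why the tarball is decompressed before verification or which key is the trust anchor. `Source1` is a `.tar.sign` file, which suggests the upstream signature covers the uncompressed tar; a comment such as `# upstream signs the uncompressed tar, so verify the gzip -cd stream, not the .tar.gz` would stop a later cleanup from pointing `--data` at the compressed file. Because `Source2` is named only by a 64-bit key id, it is also worth a comment next to it giving the full fingerprint of the expected signing key (`# signing key fingerprint: <FULL-FINGERPRINT>`), checked out of band, so a swapped keyring file is noticed in review.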
@@ -72,73 +76,125 @@ chmod +x %{buildroot}/%{_libdir}/*.so.* %ldconfig_scriptlets %files -%{!?_licensedir:%global license %%doc} %license License -%doc doc/capability.notes -%{_libdir}/*.so.* -%{_sbindir}/* -%{_mandir}/man1/* -%{_mandir}/man8/* +%doc doc/capability.md +%{_libdir}/libcap.so.2{,.*} +%{_libdir}/libpsx.so.2{,.*} +%{_sbindir}/{capsh,getcap,getpcaps,setcap} +%{_mandir}/man1/capsh.1* +%{_mandir}/man5/capability.conf.5* +%{_mandir}/man8/{getcap,getpcaps,setcap,pam_cap}.8* %{_libdir}/security/pam_cap.so +%exclude %{_mandir}/man8/captree.8* +# Exclude unwanted captree +%exclude %{_libdir}/captree* +%exclude %{_sbindir}/captree* %files static %{_libdir}/libcap.a %{_libdir}/libpsx.a %files devel -%{_includedir}/* -%{_libdir}/*.so -%{_mandir}/man3/* -%{_libdir}/pkgconfig/libcap.pc -%{_libdir}/pkgconfig/libpsx.pc +%{_includedir}/sys/capability.h +%{_includedir}/sys/psx_syscall.h +%{_libdir}/libcap.so +%{_libdir}/libpsx.so +%{_mandir}/man3/cap*.3* +%{_mandir}/man3/libcap.3* +%{_mandir}/man3/libpsx.3* +%{_mandir}/man3/psx_*.3* +%{_mandir}/man3/__psx_syscall.3* +%{_libdir}/pkgconfig/{libcap,libpsx}.pc %changelog -* Wed Dec 13 2023 Anderson Toshiyuki Sasaki - 2.48-6 -- Bump release version to restore upgrade path - Resolves: RHEL-19362 +* Tue Oct 29 2024 Troy Dawson - 2.69-7 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Mon Jun 26 2023 Anderson Toshiyuki Sasaki - 2.48-5 -- Fix integer overflow in _libcap_strdup() (CVE-2023-2603) - Resolves: rhbz#2210637 -- Correctly check pthread_create() return value to avoid memory leak (CVE-2023-2602) - Resolves: rhbz#2210644 +* Tue Aug 13 2024 Anderson Toshiyuki Sasaki - 2.69-6 +- Remove unwanted subpackage captree -* Tue May 17 2022 Anderson Toshiyuki Sasaki - 2.48-4 -- check for successful memory allocation - related: rhbz#2062648 +* Mon Jun 24 2024 Troy Dawson - 2.69-5 +- Bump release for June 2024 mass rebuild -* Mon May 16 2022 Anderson Toshiyuki Sasaki - 2.48-3 -- avoid overwriting errno set by 
prctl - resolves: rhbz#2062648 +* Thu May 30 2024 Anderson Toshiyuki Sasaki - 2.69-4 +- Add manpages for pam_cap and capability.conf (by Carlos Rodriguez-Fernandez ) +- Fix incompatibility of the build with go 1.22 (by Carlos Rodriguez-Fernandez ) +- Reenable PIE in the captree tool (by Carlos Rodriguez-Fernandez ) +- Use sbindir location provided by rpm (by Zbigniew Jędrzejewski-Szmek ) +- Include hardening flags by setting CGO_CFLAGS=CFLAGS and CGO_LDFLAGS=LDFLAGS -* Fri Jan 28 2022 Zoltan Fridrich - 2.48-2 -- rebase to 2.48 - resolves: rhbz#2032813 -- fix ambient capabilities for non-root users - resolves: rhbz#1950187 +* Thu Jan 25 2024 Fedora Release Engineering - 2.69-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Thu Jun 10 2021 Zoltan Fridrich - 2.26-5 -- added CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE capabilities - resolves: rhbz#1946982 rhbz#1921576 +* Sun Jan 21 2024 Fedora Release Engineering - 2.69-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Fri May 22 2020 Jiri Vymazal - 2.26-4 -- added patch implementing support for ambient capabilities - resolves: rhbz#1487388 +* Mon Nov 06 2023 Carlos Rodriguez-Fernandez - 2.69-1 +- Update to 2.69 (with contribs from Yanko Kaneti , and Andrew G. 
Morgan ) +- Update license to SPDX (by Anderson Toshiyuki Sasaki ) +- Make file lists more explicit to avoid accidental ABI changes (Dominik Mierzejewski ) -* Tue Oct 15 2019 Marek Tamaskovic - 2.26-3 -- changed url +* Thu Jul 20 2023 Fedora Release Engineering - 2.48-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Wed May 22 2019 Karsten Hopp - 2.26-2 +* Thu Jan 19 2023 Fedora Release Engineering - 2.48-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jul 21 2022 Fedora Release Engineering - 2.48-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 2.48-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Jul 22 2021 Fedora Release Engineering - 2.48-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Sun Feb 14 2021 Peter Robinson - 2.48-2 +- Rebase distro flags patch + +* Wed Feb 10 2021 Giuseppe Scrivano - 2.48-1 +- Update to 0.2.48 + +* Tue Jan 26 2021 Fedora Release Engineering - 2.46-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Sun Jan 17 2021 Peter Robinson - 2.46-1 +- Update to 0.2.46 + +* Wed Oct 21 2020 Karsten Hopp - 2.44-1 +- update to 2.44 +- remove additional getpcaps manpage as it now included in the sources + +* Tue Jul 28 2020 Fedora Release Engineering - 2.26-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jan 29 2020 Fedora Release Engineering - 2.26-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jul 25 2019 Fedora Release Engineering - 2.26-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Feb 04 2019 Karsten Hopp - 2.26-5 +- enable gating + +* Mon Feb 04 2019 Karsten Hopp - 2.26-4 +- bump release + +* Fri Feb 01 2019 Fedora Release Engineering - 2.26-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 28 2019 
Karsten Hopp - 2.26-2 +- add CI tests using the standard test interface (astepano) + +* Fri Jul 13 2018 Fedora Release Engineering - 2.25-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 02 2018 Karsten Hopp - 2.25-11 - rebuild -* Fri Apr 12 2019 Karsten Hopp - 2.26-1 -- update to 2.26 - -* Thu Apr 11 2019 Karsten Hopp - 2.25-11 -- rebuild - -* Thu Apr 11 2019 Karsten Hopp - 2.25-10 -- rebuild +* Wed Feb 21 2018 Karsten Hopp - 2.25-10 +- buildrequire gcc * Wed Feb 07 2018 Fedora Release Engineering - 2.25-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/sources b/sources new file mode 100644 index 0000000..7435c0d --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libcap-2.69.tar.gz) = 75ee0fe8e1ac835f29cb76d233f731dcf126b73eed5229a130bbe4308a42441934d4e9cefeaaab45f774de2ed6859c752fbbfb9908e792f2f9f3d0f841e01aee