import UBI libcap-2.69-7.el10

eabdullin 2025-05-14 17:20:49 +00:00
parent abfbac5c9b
commit 889fb37dec
16 changed files with 456 additions and 1022 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/libcap-2.48.tar.gz
libcap-2.69.tar.gz


@ -1 +0,0 @@
c81102815c481257e53168e83b8849bc9f154d54 SOURCES/libcap-2.48.tar.gz


@ -0,0 +1,179 @@
From 7787f4019a86b962ef3b44305cde5888a14cfe52 Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>
Date: Wed, 3 Apr 2024 11:57:14 -0700
Subject: [PATCH] doc: document pam_cap and its conf
Signed-off-by: Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>
---
doc/Makefile | 8 ++--
doc/capability.conf.5 | 85 +++++++++++++++++++++++++++++++++++++++++++
doc/pam_cap.8 | 35 ++++++++++++++++++
3 files changed, 125 insertions(+), 3 deletions(-)
create mode 100644 doc/capability.conf.5
create mode 100644 doc/pam_cap.8
diff --git a/doc/Makefile b/doc/Makefile
index 6919488..9d1574c 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -32,9 +32,10 @@ MAN3S = cap_init.3 cap_free.3 cap_dup.3 \
psx_syscall.3 psx_syscall3.3 psx_syscall6.3 psx_set_sensitivity.3 \
psx_load_syscalls.3 __psx_syscall.3 \
libpsx.3
-MAN8S = getcap.8 setcap.8 getpcaps.8 captree.8
+MAN5S = capability.conf.5
+MAN8S = getcap.8 setcap.8 getpcaps.8 captree.8 pam_cap.8
-MANS = $(MAN1S) $(MAN3S) $(MAN8S)
+MANS = $(MAN1S) $(MAN3S) $(MAN5S) $(MAN8S)
all: $(MANS)
@@ -54,10 +55,11 @@ html:
done
install:
- mkdir -p -m 755 $(FAKEROOT)$(MANDIR)/man1 $(FAKEROOT)$(MANDIR)/man3 $(FAKEROOT)$(MANDIR)/man8
+ mkdir -p -m 755 $(FAKEROOT)$(MANDIR)/man1 $(FAKEROOT)$(MANDIR)/man3 $(FAKEROOT)$(MANDIR)/man5 $(FAKEROOT)$(MANDIR)/man8
for man in \
$(FAKEROOT)$(MANDIR)/man1 $(MAN1S) \
$(FAKEROOT)$(MANDIR)/man3 $(MAN3S) \
+ $(FAKEROOT)$(MANDIR)/man5 $(MAN5S) \
$(FAKEROOT)$(MANDIR)/man8 $(MAN8S) \
; \
do \
diff --git a/doc/capability.conf.5 b/doc/capability.conf.5
new file mode 100644
index 0000000..10ff63b
--- /dev/null
+++ b/doc/capability.conf.5
@@ -0,0 +1,85 @@
+.\" generated with Ronn-NG/v0.9.1
+.\" http://github.com/apjanke/ronn-ng/tree/0.9.1
+.TH "CAPABILITY\.CONF" "5" "April 2024" ""
+.SH "NAME"
+\fBcapability\.conf\fR \- pam_cap module configuration file
+.SH "SYNOPSIS"
+\fB/etc/security/capability\.conf\fR
+.SH "DESCRIPTION"
+The syntax for lines in this configuration file is:
+.P
+\fB# <\-\- \'#\' precedes a comment\fR
+.P
+\fB<IAB><SPACE><WHO>\fR
+.P
+Where \fB<IAB>\fR refers to the text format for an inheritable IAB capability tuple, or the words \fBall\fR or \fBnone\fR\.
+.P
+The reserved word \fBall\fR does \fInot\fR grant \fIall the inheritable capabilities\fR, but acts as a simple \fIpass\-through\fR for any prevailing IAB tuple capabilities\. The reserved word \fBnone\fR refers to an empty \fIInheritable\fR capability set (and by extension an empty \fIAmbient\fR vector)\.
+.P
+Here \fB<WHO>\fR refers to the space separated PAM username values that will be granted the specified \fIIAB\fR tuple\. A name prefixed with the character \fB@\fR refers to the locally defined \fB/etc/group\fR \fIetc\fR users listed under that group name\.
+.P
+The parsing of the file chooses the first line that applies to the authenticating user, and attempts to apply that and only that\.
+.P
+Examples of valid syntax are:
+.IP "" 4
+.nf
+# only root gets to keep what it had
+
+all root
+
+
+# this should fire for user beta only, who will have
+
+# cap_chown dropped from their bounding set\.
+
+!cap_chown beta
+
+
+# the next one should snag the members of the \'three\' group
+
+# granting them cap_setuid and cap_chown
+
+cap_setuid,cap_chown @three
+
+
+# this would apply to beta and gamma, but beta is already
+
+# granted a lack of cap_chown above\. Further, if gamma is
+
+# in the \'three\' group, it would not reach this line\.
+
+cap_chown beta gamma
+
+
+# members of the \'one\' group are granted the cap_setuid Inheritable
+
+# capability, but cap_chown is dropped from their bounding set\.
+
+!cap_chown,cap_setuid @one
+
+
+# user alpha gets an ambient capability (unless it is also
+
+# a member of the groups \'one\' or \'three\')\.
+
+^cap_setuid alpha
+
+
+# user delta (if not a member of groups \'one\' and \'three\') will get
+
+# cap_chown and cap_setgid Ambient capabilities, but have cap_setuid
+
+# dropped from its bounding set\.
+
+^cap_chown,^cap_setgid,!cap_setuid delta
+
+
+# any remaining members of group \'four\' will get the cap_setuid
+
+# Inheritable capability\.
+
+cap_setuid @four
+.fi
+.IP "" 0
+.SH "SEE ALSO"
+pam_cap(8)
diff --git a/doc/pam_cap.8 b/doc/pam_cap.8
new file mode 100644
index 0000000..93c1a71
--- /dev/null
+++ b/doc/pam_cap.8
@@ -0,0 +1,35 @@
+.\" generated with Ronn-NG/v0.9.1
+.\" http://github.com/apjanke/ronn-ng/tree/0.9.1
+.TH "PAM_CAP" "8" "April 2024" ""
+.SH "NAME"
+\fBpam_cap\fR \- Capabilities PAM module
+.SH "SYNOPSIS"
+[service\-name] \fBauth\fR control\-flag \fBpam_cap\fR [options]
+.SH "DESCRIPTION"
+The \fBpam_so\fR module can be used to specify \fIInheritable\fR capabilities to process trees rooted in the PAM application\. The module also supports blocking \fIBounding\fR vector capabilities and adding \fIAmbient\fR vector capabilities\.
+.P
+For general PAM apps to work correctly, the application must be run with at least \fBCAP_SETPCAP\fR raised in its \fIPermitted\fR capability flag\. Many PAM applications run as \fIroot\fR, which has all of the bits in the \fIBounding\fR set raised, so this requirement is typically met\. To grant an \fIAmbient\fR vector capability, the corresponding Permitted bit must be available to the application too\.
+.P
+The \fBpam_so\fR module is a Linux\-PAM \fIauth\fR module\. It provides functionality to back \fBpam_sm_authenticate()\fR and \fBpam_sm_setcred()\fR\. It is the latter that actually modifies the inheritable 3\-tuple of capability vectors: the configured \fIIAB\fR\. In a typical application configuration you might have a line like this:
+.IP "" 4
+.nf
+auth optional pam_cap\.so
+.fi
+.IP "" 0
+.P
+The module arguments are:
+.IP "\[ci]" 4
+\fBdebug\fR: While supported, this is a no\-op at present\.
+.IP "\[ci]" 4
+\fBconfig=\fR\fI/path/to/file\fR: Override the default config for the module\. The unspecified default value for this file is \fB/etc/security/capability\.conf\fR\. Note, \fBconfig=/dev/null\fR is a valid value\. See \fBdefault=\fR below for situations in which this might be appropriate\.
+.IP "\[ci]" 4
+\fBkeepcaps\fR: This is as much as the \fBpam_cap\.so\fR module can do to help an application support use of the \fIAmbient\fR capability vector\. The application support for the \fIAmbient\fR set is poor at the present time\.
+.IP "\[ci]" 4
+\fBautoauth\fR: This argument causes the \fBpam_cap\.so\fR module to return \fBPAM_SUCCESS\fR if the \fBPAM_USER\fR being authenticated exists\. The absence of this argument will cause \fBpam_cap\.so\fR to only return \fBPAM_SUCCESS\fR if the \fBPAM_USER\fR is covered by a specific rule in the prevailing config file\.
+.IP "\[ci]" 4
+\fBdefault=\fR\fIIAB\fR: This argument is ignored if the prevailing configuration file contains a "\fB*\fR" rule\. If there is no such rule, the \fIIAB\fR 3\-tuple is inserted at the end of the config file and applies to all \fBPAM_USER\fRs not covered by an earlier rule\. Note, if you want all \fBPAM_USER\fRs to be covered by this default rule, you can supply the module argument \fBconfig=/dev/null\fR\.
+.IP "\[ci]" 4
+\fBdefer\fR: This argument arranges for the \fIIAB\fR capabilities granted to a user to be added sufficiently late in the Linux\-PAM authentication stack that they stick\. That is, \fIafter\fR the application does its \fBsetuid(UID)\fR call\. As such, in conjunction with the \fBkeepcaps\fR module argument, such compliant applications can support granting \fIAmbient\fR vector capabilities with \fBpam_cap\.so\fR\.
+.IP "" 0
+.SH "SEE ALSO"
+pam\.conf(5), capability\.conf(5), pam(8)
--
2.44.0
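Review bot: The DESCRIPTION of the new pam_cap.8 names the module `pam_so` in two places (the paragraphs starting "The \fBpam_so\fR module can be used" and "The \fBpam_so\fR module is a Linux\-PAM"), while NAME, the example line and every option entry use pam_cap or pam_cap.so. An administrator taking the name from the prose would look for a module this page does not otherwise describe, so both should read `\fBpam_cap\.so\fR`. In capability.conf.5 the phrase "the locally defined /etc/group etc users listed under that group name" is hard to parse; it presumably means the members listed for that group in /etc/group, and saying so directly would help because this sentence decides who receives an IAB tuple.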


@ -0,0 +1,26 @@
From 70783bddc65628a1afc3dd2f8b4b3f03fc839b8e Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>
Date: Fri, 5 Apr 2024 16:37:30 -0700
Subject: [PATCH] doc: document the use of `*` to refer to all users
Signed-off-by: Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>
---
doc/capability.conf.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/capability.conf.5 b/doc/capability.conf.5
index 10ff63b..15535f4 100644
--- a/doc/capability.conf.5
+++ b/doc/capability.conf.5
@@ -16,7 +16,7 @@ Where \fB<IAB>\fR refers to the text format for an inheritable IAB capability tu
.P
The reserved word \fBall\fR does \fInot\fR grant \fIall the inheritable capabilities\fR, but acts as a simple \fIpass\-through\fR for any prevailing IAB tuple capabilities\. The reserved word \fBnone\fR refers to an empty \fIInheritable\fR capability set (and by extension an empty \fIAmbient\fR vector)\.
.P
-Here \fB<WHO>\fR refers to the space separated PAM username values that will be granted the specified \fIIAB\fR tuple\. A name prefixed with the character \fB@\fR refers to the locally defined \fB/etc/group\fR \fIetc\fR users listed under that group name\.
+Here \fB<WHO>\fR refers to the space separated PAM username values that will be granted the specified \fIIAB\fR tuple\. A name prefixed with the character \fB@\fR refers to the locally defined \fB/etc/group\fR \fIetc\fR users listed under that group name\. An asterisk "\fB*\fR" can be used to denote all users\.
.P
The parsing of the file chooses the first line that applies to the authenticating user, and attempts to apply that and only that\.
.P
--
2.44.0

105
29EE848AE2CCF3F4.asc Normal file

@ -0,0 +1,105 @@
pub rsa4096 2011-10-07 [SC]
38A644698C69787344E954CE29EE848AE2CCF3F4
uid Andrew G. Morgan <morgan@kernel.org>
uid Andrew G. Morgan (Work Address) <agm@google.com>
sub rsa4096 2011-10-07 [E]
E8BBFE9EBCE94FB48D2F98FC61B996743B143E89
-----BEGIN PGP PUBLIC KEY BLOCK-----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==
=6WX5
-----END PGP PUBLIC KEY BLOCK-----
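Review bot: Nothing in this section records where the key was obtained or how the fingerprint `38A644698C69787344E954CE29EE848AE2CCF3F4` was cross-checked, so the keyring's trustworthiness rests on this import commit alone. I would add a provenance line to the text header ahead of the armored block, next to the existing pub/uid lines, for example `source: <KEY_SOURCE_URL>, fingerprint confirmed via <INDEPENDENT_CHANNEL>` (both placeholders). Whether the spec file checks the libcap-2.69 tarball signature against this keyring during %prep is not visible here; if it does not, the key adds no protection and that check should be wired in.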


@ -1,34 +0,0 @@
diff --color -ru a/Make.Rules b/Make.Rules
--- a/Make.Rules 2021-02-05 06:52:17.000000000 +0100
+++ b/Make.Rules 2021-12-13 17:09:11.225308225 +0100
@@ -56,10 +56,10 @@
CC := $(CROSS_COMPILE)gcc
DEFINES := -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-COPTS ?= -O2
+COPTS ?= $(RPM_OPT_FLAGS)
CFLAGS ?= $(COPTS) $(DEFINES)
BUILD_CC ?= $(CC)
-BUILD_COPTS ?= -O2
+BUILD_COPTS ?= $(RPM_OPT_FLAGS)
BUILD_CFLAGS ?= $(BUILD_COPTS) $(DEFINES) $(IPATH)
AR := $(CROSS_COMPILE)ar
RANLIB := $(CROSS_COMPILE)ranlib
@@ -69,7 +69,7 @@
-Wstrict-prototypes -Wmissing-prototypes \
-Wnested-externs -Winline -Wshadow
LD=$(CC) -Wl,-x -shared
-LDFLAGS ?= #-g
+LDFLAGS ?= $(RPM_LD_FLAGS)
LIBCAPLIB := -L$(topdir)/libcap -lcap
PSXLINKFLAGS := -lpthread -Wl,-wrap,pthread_create
LIBPSXLIB := -L$(topdir)/libcap -lpsx $(PSXLINKFLAGS)
@@ -104,7 +104,7 @@
ifeq ($(PTHREADS),yes)
GO ?= go
-GOLANG ?= $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo yes ; else echo no ; fi)
+GOLANG ?= no
ifeq ($(GOLANG),yes)
GOROOT ?= $(shell $(GO) env GOROOT)
GOCGO ?= $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi)


@ -1,37 +0,0 @@
diff --color -ru a/libcap/cap_text.c b/libcap/cap_text.c
--- a/libcap/cap_text.c 2021-02-05 06:52:17.000000000 +0100
+++ b/libcap/cap_text.c 2021-12-15 13:03:44.993774400 +0100
@@ -15,7 +15,7 @@
#define LIBCAP_PLEASE_INCLUDE_ARRAY
#include "libcap.h"
-static char const *_cap_names[__CAP_BITS] = LIBCAP_CAP_NAMES;
+extern char const *_cap_names[__CAP_BITS];
#include <ctype.h>
#include <limits.h>
diff --color -ru a/libcap/_makenames.c b/libcap/_makenames.c
--- a/libcap/_makenames.c 2021-02-05 06:52:17.000000000 +0100
+++ b/libcap/_makenames.c 2021-12-15 12:47:07.921408357 +0100
@@ -66,17 +66,17 @@
"#define __CAP_NAME_SIZE %d\n"
"\n"
"#ifdef LIBCAP_PLEASE_INCLUDE_ARRAY\n"
- "#define LIBCAP_CAP_NAMES { \\\n", maxcaps, maxlength+1);
+ " char const *_cap_names[__CAP_BITS] = {\n", maxcaps, maxlength+1);
for (i=0; i<maxcaps; ++i) {
if (pointers[i]) {
- printf(" /* %d */\t\"%s\", \\\n", i, pointers[i]);
+ printf(" /* %d */\t\"%s\",\n", i, pointers[i]);
} else {
- printf(" /* %d */\tNULL,\t\t/* - presently unused */ \\\n", i);
+ printf(" /* %d */\tNULL,\t\t/* - presently unused */\n", i);
}
}
- printf(" }\n"
+ printf(" };\n"
"#endif /* LIBCAP_PLEASE_INCLUDE_ARRAY */\n"
"\n"
"/* END OF FILE */\n");


@ -1,54 +0,0 @@
--- a/libcap/cap_alloc.c 2021-02-05 06:52:17.000000000 +0100
+++ b/libcap/cap_alloc.c 2022-05-17 20:06:53.570560396 +0200
@@ -123,6 +123,10 @@
cap_iab_t cap_iab_init(void) {
__u32 *base = calloc(1, sizeof(__u32) + sizeof(struct cap_iab_s));
+ if (base == NULL) {
+ _cap_debug("out of memory");
+ return NULL;
+ }
*(base++) = CAP_IAB_MAGIC;
return (cap_iab_t) base;
}
@@ -138,6 +142,10 @@
const char * const *envp)
{
__u32 *data = calloc(1, sizeof(__u32) + sizeof(struct cap_launch_s));
+ if (data == NULL) {
+ _cap_debug("out of memory");
+ return NULL;
+ }
*(data++) = CAP_LAUNCH_MAGIC;
struct cap_launch_s *attr = (struct cap_launch_s *) data;
attr->arg0 = arg0;
--- a/libcap/cap_proc.c 2022-05-17 20:07:36.301803359 +0200
+++ b/libcap/cap_proc.c 2022-05-17 20:06:59.238592623 +0200
@@ -677,9 +677,25 @@
*/
cap_iab_t cap_iab_get_proc(void)
{
- cap_iab_t iab = cap_iab_init();
- cap_t current = cap_get_proc();
+ cap_iab_t iab;
+ cap_t current;
+
+ iab = cap_iab_init();
+ if (iab == NULL) {
+ _cap_debug("no memory for IAB tuple");
+ return NULL;
+ }
+
+ current = cap_get_proc();
+ if (current == NULL) {
+ _cap_debug("no memory for cap_t");
+ cap_free(iab);
+ return NULL;
+ }
+
cap_iab_fill(iab, CAP_IAB_INH, current, CAP_INHERITABLE);
+ cap_free(current);
+
cap_value_t c;
for (c = cap_max_bits(); c; ) {
--c;


@ -1,36 +0,0 @@
commit bc6b36682f188020ee4770fae1d41bde5b2c97bb
Author: Andrew G. Morgan <morgan@kernel.org>
Date: Wed May 3 19:18:36 2023 -0700
Correct the check of pthread_create()'s return value.
This function returns a positive number (errno) on error, so the code
wasn't previously freeing some memory in this situation.
Discussion:
https://stackoverflow.com/a/3581020/14760867
Credit for finding this bug in libpsx goes to David Gstir of
X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
audit of the libcap source code in April of 2023. The audit
was sponsored by the Open Source Technology Improvement Fund
(https://ostif.org/).
Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
diff --git a/psx/psx.c b/psx/psx.c
index d9c0485..65eb2aa 100644
--- a/psx/psx.c
+++ b/psx/psx.c
@@ -516,7 +516,7 @@ int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
pthread_sigmask(SIG_BLOCK, &sigbit, NULL);
int ret = __real_pthread_create(thread, attr, _psx_start_fn, starter);
- if (ret == -1) {
+ if (ret > 0) {
psx_new_state(_PSX_CREATE, _PSX_IDLE);
memset(starter, 0, sizeof(*starter));
free(starter);


@ -1,18 +0,0 @@
--- a/libcap/cap_alloc.c 2023-06-26 18:42:42.295817583 +0200
+++ b/libcap/cap_alloc.c 2023-06-26 18:40:32.485375859 +0200
@@ -82,7 +82,14 @@
return NULL;
}
- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
+ size_t len = strlen(old);
+ if ((len & 0x3fffffff) != len) {
+ _cap_debug("len is too long for libcap to manage");
+ errno = EINVAL;
+ return NULL;
+ }
+ len += 1 + sizeof(__u32);
+ raw_data = calloc(1, len);
if (raw_data == NULL) {
errno = ENOMEM;
return NULL;


@ -1,147 +0,0 @@
diff --color -ru a/libcap/cap_proc.c b/libcap/cap_proc.c
--- a/libcap/cap_proc.c 2021-12-22 12:33:20.739126763 +0100
+++ b/libcap/cap_proc.c 2021-12-22 12:33:53.195733115 +0100
@@ -406,6 +406,29 @@
}
/*
+ * cap_prctl performs a prctl() 6 argument call on the current
+ * thread. Use cap_prctlw() if you want to perform a POSIX semantics
+ * prctl() system call.
+ */
+int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
+ long int arg3, long int arg4, long int arg5)
+{
+ return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
+}
+
+/*
+ * cap_prctlw performs a POSIX semantics prctl() call. That is a 6 arg
+ * prctl() call that executes on all available threads when libpsx is
+ * linked. The suffix 'w' refers to the fact one only ever needs to
+ * invoke this is if the call will write some kernel state.
+ */
+int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
+ long int arg3, long int arg4, long int arg5)
+{
+ return _libcap_wprctl6(&multithread, pr_cmd, arg1, arg2, arg3, arg4, arg5);
+}
+
+/*
* Some predefined constants
*/
#define CAP_SECURED_BITS_BASIC \
diff --color -ru a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
--- a/libcap/include/sys/capability.h 2021-02-05 06:52:17.000000000 +0100
+++ b/libcap/include/sys/capability.h 2021-12-22 12:33:53.196733134 +0100
@@ -175,6 +175,11 @@
extern unsigned cap_get_secbits(void);
extern int cap_set_secbits(unsigned bits);
+extern int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
+ long int arg3, long int arg4, long int arg5);
+extern int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
+ long int arg3, long int arg4, long int arg5);
+
extern int cap_setuid(uid_t uid);
extern int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[]);
diff --color -ru a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
--- a/pam_cap/pam_cap.c 2021-12-22 12:33:20.740126781 +0100
+++ b/pam_cap/pam_cap.c 2021-12-22 12:33:53.196733134 +0100
@@ -21,6 +21,7 @@
#include <string.h>
#include <syslog.h>
#include <sys/capability.h>
+#include <sys/prctl.h>
#include <sys/types.h>
#include <linux/limits.h>
@@ -33,8 +34,11 @@
struct pam_cap_s {
int debug;
+ int keepcaps;
+ int defer;
const char *user;
const char *conf_filename;
+ pam_handle_t *pamh;
};
/*
@@ -178,6 +182,33 @@
}
/*
+ * This is the "defer" cleanup function that actually applies the IAB
+ * tuple. This happens really late in the PAM session, hopefully after
+ * the application has performed its setuid() function.
+ */
+static void iab_apply(pam_handle_t *pamh, void *data, int error_status)
+{
+ cap_iab_t iab = data;
+ int retval = error_status & ~(PAM_DATA_REPLACE|PAM_DATA_SILENT);
+
+ data = NULL;
+ if (error_status & PAM_DATA_REPLACE) {
+ goto done;
+ }
+
+ if (retval != PAM_SUCCESS || !(error_status & PAM_DATA_SILENT)) {
+ goto done;
+ }
+
+ if (cap_iab_set_proc(iab) != 0) {
+ D(("IAB setting failed"));
+ }
+
+done:
+ cap_free(iab);
+}
+
+/*
* Set capabilities for current process to match the current
* permitted+executable sets combined with the configured inheritable
* set.
@@ -230,12 +261,21 @@
goto cleanup_conf;
}
- if (!cap_iab_set_proc(iab)) {
+ if (cs->defer) {
+ D(("configured to delay applying IAB"));
+ pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
+ iab = NULL;
+ } else if (!cap_iab_set_proc(iab)) {
D(("able to set the IAB [%s] value", conf_caps));
ok = 1;
}
cap_free(iab);
+ if (cs->keepcaps) {
+ D(("setting keepcaps"));
+ (void) cap_prctlw(PR_SET_KEEPCAPS, 1, 0, 0, 0, 0);
+ }
+
cleanup_conf:
memset(conf_caps, 0, conf_caps_length);
_pam_drop(conf_caps);
@@ -268,6 +308,10 @@
pcs->debug = 1;
} else if (!strncmp(*argv, "config=", 7)) {
pcs->conf_filename = 7 + *argv;
+ } else if (!strcmp(*argv, "keepcaps")) {
+ pcs->keepcaps = 1;
+ } else if (!strcmp(*argv, "defer")) {
+ pcs->defer = 1;
} else {
_pam_log(LOG_ERR, "unknown option; %s", *argv);
}
@@ -353,6 +397,7 @@
return PAM_AUTH_ERR;
}
+ pcs.pamh = pamh;
retval = set_capabilities(&pcs);
memset(&pcs, 0, sizeof(pcs));


@ -1,128 +0,0 @@
diff --git a/libcap/cap_proc.c b/libcap/cap_proc.c
--- a/libcap/cap_proc.c
+++ b/libcap/cap_proc.c
@@ -135,7 +135,13 @@ static int _libcap_wprctl3(struct syscaller_s *sc,
long int pr_cmd, long int arg1, long int arg2)
{
if (_libcap_overrode_syscalls) {
- return sc->three(SYS_prctl, pr_cmd, arg1, arg2);
+ int result;
+ result = sc->three(SYS_prctl, pr_cmd, arg1, arg2);
+ if (result >= 0) {
+ return result;
+ }
+ errno = -result;
+ return -1;
}
return prctl(pr_cmd, arg1, arg2, 0, 0, 0);
}
@@ -145,7 +151,13 @@ static int _libcap_wprctl6(struct syscaller_s *sc,
long int arg3, long int arg4, long int arg5)
{
if (_libcap_overrode_syscalls) {
- return sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
+ int result;
+ result = sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
+ if (result >= 0) {
+ return result;
+ }
+ errno = -result;
+ return -1;
}
return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
}
@@ -271,26 +283,12 @@ int capsetp(pid_t pid, cap_t cap_d)
int cap_get_bound(cap_value_t cap)
{
- int result;
-
- result = prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
- if (result < 0) {
- errno = -result;
- return -1;
- }
- return result;
+ return prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
}
static int _cap_drop_bound(struct syscaller_s *sc, cap_value_t cap)
{
- int result;
-
- result = _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
- if (result < 0) {
- errno = -result;
- return -1;
- }
- return result;
+ return _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
}
/* drop a capability from the bounding set */
@@ -316,7 +314,7 @@ int cap_get_ambient(cap_value_t cap)
static int _cap_set_ambient(struct syscaller_s *sc,
cap_value_t cap, cap_flag_value_t set)
{
- int result, val;
+ int val;
switch (set) {
case CAP_SET:
val = PR_CAP_AMBIENT_RAISE;
@@ -328,13 +326,8 @@ static int _cap_set_ambient(struct syscaller_s *sc,
errno = EINVAL;
return -1;
}
- result = _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
- pr_arg(0), pr_arg(0), pr_arg(0));
- if (result < 0) {
- errno = -result;
- return -1;
- }
- return result;
+ return _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
+ pr_arg(0), pr_arg(0), pr_arg(0));
}
/*
diff --git a/libcap/cap_test.c b/libcap/cap_test.c
--- a/libcap/cap_test.c 2021-02-05 06:52:17.000000000 +0100
+++ b/libcap/cap_test.c 2022-05-16 18:24:55.754193142 +0200
@@ -29,11 +29,36 @@
return failed;
}
+static int test_prctl(void)
+{
+ int ret, retval=0;
+ errno = 0;
+ ret = cap_get_bound((cap_value_t) -1);
+ if (ret != -1) {
+ printf("cap_get_bound(-1) did not return error: %d\n", ret);
+ retval = -1;
+ } else if (errno != EINVAL) {
+ perror("cap_get_bound(-1) errno != EINVAL");
+ retval = -1;
+ }
+ return retval;
+}
+
int main(int argc, char **argv) {
int result = 0;
+ printf("test_cap_bits: being called\n");
+ fflush(stdout);
result = test_cap_bits() | result;
+ printf("test_prctl: being called\n");
+ fflush(stdout);
+ result = test_prctl() | result;
+ printf("tested\n");
+ fflush(stdout);
+
if (result) {
- printf("test FAILED\n");
+ printf("cap_test FAILED\n");
exit(1);
}
+ printf("cap_test PASS\n");
+ exit(0);
}


@ -1,494 +0,0 @@
diff --color -ru a/libcap/cap_proc.c b/libcap/cap_proc.c
--- a/libcap/cap_proc.c 2022-01-28 12:42:39.726331628 +0100
+++ b/libcap/cap_proc.c 2022-01-28 12:44:05.007936110 +0100
@@ -712,6 +712,10 @@
cap_value_t c;
int raising = 0;
+ if (temp == NULL) {
+ return -1;
+ }
+
for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) {
__u32 newI = iab->i[i];
__u32 oldIP = temp->u[i].flat[CAP_INHERITABLE] |
diff --color -ru a/libcap/cap_text.c b/libcap/cap_text.c
--- a/libcap/cap_text.c 2022-01-28 12:42:39.725331609 +0100
+++ b/libcap/cap_text.c 2022-01-28 12:44:05.008936129 +0100
@@ -160,6 +160,7 @@
cap_blks = _LINUX_CAPABILITY_U32S_3;
break;
default:
+ cap_free(res);
errno = EINVAL;
return NULL;
}
@@ -398,6 +399,9 @@
for (n = 0; n < cmb; n++) {
if (getstateflags(caps, n) == t) {
char *this_cap_name = cap_to_name(n);
+ if (this_cap_name == NULL) {
+ return NULL;
+ }
if ((strlen(this_cap_name) + (p - buf)) > CAP_TEXT_SIZE) {
cap_free(this_cap_name);
errno = ERANGE;
@@ -450,6 +454,9 @@
for (n = cmb; n < __CAP_MAXBITS; n++) {
if (getstateflags(caps, n) == t) {
char *this_cap_name = cap_to_name(n);
+ if (this_cap_name == NULL) {
+ return NULL;
+ }
if ((strlen(this_cap_name) + (p - buf)) > CAP_TEXT_SIZE) {
cap_free(this_cap_name);
errno = ERANGE;
@@ -549,6 +556,9 @@
cap_iab_t cap_iab_from_text(const char *text)
{
cap_iab_t iab = cap_iab_init();
+ if (iab == NULL) {
+ return iab;
+ }
if (text != NULL) {
unsigned flags;
for (flags = 0; *text; text++) {
diff --color -ru a/libcap/_makenames.c b/libcap/_makenames.c
--- a/libcap/_makenames.c 2022-01-28 12:42:39.725331609 +0100
+++ b/libcap/_makenames.c 2022-01-28 13:07:28.700817691 +0100
@@ -45,10 +45,14 @@
if (maxcaps <= list[i].index) {
maxcaps = list[i].index + 1;
}
- if (list[i].index >= pointers_avail) {
+ if (pointers == NULL || list[i].index >= pointers_avail) {
int was = pointers_avail * sizeof(char *);
pointers_avail = 2 * list[i].index + 1;
pointers = recalloc(pointers, was, pointers_avail * sizeof(char *));
+ if (pointers == NULL) {
+ perror("unable to continue");
+ exit(1);
+ }
}
pointers[list[i].index] = list[i].name;
int n = strlen(list[i].name);
diff --color -ru a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
--- a/pam_cap/pam_cap.c 2022-01-28 12:42:39.726331628 +0100
+++ b/pam_cap/pam_cap.c 2022-01-28 12:44:05.009936148 +0100
@@ -64,6 +64,9 @@
}
*groups = calloc(ngrps, sizeof(char *));
+ if (*groups == NULL) {
+ return -1;
+ }
int g_n = 0, i;
for (i = 0; i < ngrps; i++) {
const struct group *g = getgrgid(grps[i]);
@@ -249,7 +252,7 @@
if (!cap_set_proc(cap_s)) {
ok = 1;
}
- goto cleanup_cap_s;
+ goto cleanup_conf;
}
iab = cap_iab_from_text(conf_caps);
@@ -278,10 +281,9 @@
_pam_drop(conf_caps);
cleanup_cap_s:
- if (cap_s) {
- cap_free(cap_s);
- cap_s = NULL;
- }
+ cap_free(cap_s);
+ cap_s = NULL;
+
return ok;
}
diff --color -ru a/progs/capsh.c b/progs/capsh.c
--- a/progs/capsh.c 2021-02-05 06:52:17.000000000 +0100
+++ b/progs/capsh.c 2022-01-28 13:06:15.803465885 +0100
@@ -34,6 +34,35 @@
#define MAX_GROUPS 100 /* max number of supplementary groups for user */
+/* parse a non-negative integer with some error handling */
+static unsigned long nonneg_uint(const char *text, const char *prefix, int *ok)
+{
+ char *remains;
+ unsigned long value;
+ ssize_t len = strlen(text);
+
+ if (len == 0 || *text == '-') {
+ goto fail;
+ }
+ value = strtoul(text, &remains, 0);
+ if (*remains) {
+ goto fail;
+ }
+ if (ok != NULL) {
+ *ok = 1;
+ }
+ return value;
+
+fail:
+ if (ok == NULL) {
+ fprintf(stderr, "%s: want non-negative integer, got \"%s\"\n",
+ prefix, text);
+ exit(1);
+ }
+ *ok = 0;
+ return 0;
+}
+
static char *binary(unsigned long value)
{
static char string[8*sizeof(unsigned long) + 1];
@@ -100,7 +129,16 @@
display_prctl_set("Bounding", cap_get_bound);
display_prctl_set("Ambient", cap_get_ambient);
iab = cap_iab_get_proc();
+ if (iab == NULL) {
+ perror("failed to get IAB for process");
+ exit(1);
+ }
text = cap_iab_to_text(iab);
+ if (text == NULL) {
+ perror("failed to obtain text for IAB");
+ cap_free(iab);
+ exit(1);
+ }
printf("Current IAB: %s\n", text);
cap_free(text);
cap_free(iab);
@@ -336,8 +374,8 @@
*/
static char *find_self(const char *arg0)
{
- int i;
- char *parts, *dir, *scratch;
+ int i, status=1;
+ char *p = NULL, *parts, *dir, *scratch;
const char *path;
for (i = strlen(arg0)-1; i >= 0 && arg0[i] != '/'; i--);
@@ -352,21 +390,45 @@
}
parts = strdup(path);
+ if (parts == NULL) {
+ fprintf(stderr, "insufficient memory for parts of path\n");
+ exit(1);
+ }
+
scratch = malloc(2+strlen(path)+strlen(arg0));
- if (parts == NULL || scratch == NULL) {
+ if (scratch == NULL) {
fprintf(stderr, "insufficient memory for path building\n");
- exit(1);
+ goto free_parts;
}
- for (i=0; (dir = strtok(parts, ":")); parts = NULL) {
+ for (p = parts; (dir = strtok(p, ":")); p = NULL) {
sprintf(scratch, "%s/%s", dir, arg0);
if (access(scratch, X_OK) == 0) {
- return scratch;
+ status = 0;
+ break;
}
}
+ if (status) {
+ fprintf(stderr, "unable to find executable '%s' in PATH\n", arg0);
+ free(scratch);
+ }
- fprintf(stderr, "unable to find executable '%s' in PATH\n", arg0);
- exit(1);
+free_parts:
+ free(parts);
+ if (status) {
+ exit(status);
+ }
+ return scratch;
+}
+
+static long safe_sysconf(int name)
+{
+ long ans = sysconf(name);
+ if (ans <= 0) {
+ fprintf(stderr, "sysconf(%d) returned a non-positive number: %ld\n", name, ans);
+ exit(1);
+ }
+ return ans;
}
int main(int argc, char *argv[], char *envp[])
@@ -378,6 +440,10 @@
child = 0;
char *temp_name = cap_to_name(cap_max_bits() - 1);
+ if (temp_name == NULL) {
+ perror("obtaining highest capability name");
+ exit(1);
+ }
if (temp_name[0] != 'c') {
printf("WARNING: libcap needs an update (cap=%d should have a name).\n",
cap_max_bits() - 1);
@@ -573,7 +639,7 @@
unsigned value;
int set;
- value = strtoul(argv[i]+7, NULL, 0);
+ value = nonneg_uint(argv[i]+7, "invalid --keep value", NULL);
set = prctl(PR_SET_KEEPCAPS, value);
if (set < 0) {
fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n",
@@ -617,7 +683,9 @@
* Given we are now in a new directory tree, its good practice
* to start off in a sane location
*/
- status = chdir("/");
+ if (status == 0) {
+ status = chdir("/");
+ }
cap_free(orig);
@@ -628,7 +696,7 @@
} else if (!strncmp("--secbits=", argv[i], 10)) {
unsigned value;
int status;
- value = strtoul(argv[i]+10, NULL, 0);
+ value = nonneg_uint(argv[i]+10, "invalid --secbits value", NULL);
status = cap_set_secbits(value);
if (status < 0) {
fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
@@ -641,7 +709,7 @@
fprintf(stderr, "already forked\n");
exit(1);
}
- value = strtoul(argv[i]+10, NULL, 0);
+ value = nonneg_uint(argv[i]+10, "invalid --forkfor value", NULL);
if (value == 0) {
goto usage;
}
@@ -657,7 +725,8 @@
pid_t result;
unsigned value;
- value = strtoul(argv[i]+9, NULL, 0);
+ value = nonneg_uint(argv[i]+9, "invalid --killit signo value",
+ NULL);
if (!child) {
fprintf(stderr, "no forked process to kill\n");
exit(1);
@@ -683,7 +752,7 @@
unsigned value;
int status;
- value = strtoul(argv[i]+6, NULL, 0);
+ value = nonneg_uint(argv[i]+6, "invalid --uid value", NULL);
status = setuid(value);
if (status < 0) {
fprintf(stderr, "Failed to set uid=%u: %s\n",
@@ -694,7 +763,7 @@
unsigned value;
int status;
- value = strtoul(argv[i]+10, NULL, 0);
+ value = nonneg_uint(argv[i]+10, "invalid --cap-uid value", NULL);
status = cap_setuid(value);
if (status < 0) {
fprintf(stderr, "Failed to cap_setuid(%u): %s\n",
@@ -705,7 +774,7 @@
unsigned value;
int status;
- value = strtoul(argv[i]+6, NULL, 0);
+ value = nonneg_uint(argv[i]+6, "invalid --gid value", NULL);
status = setgid(value);
if (status < 0) {
fprintf(stderr, "Failed to set gid=%u: %s\n",
@@ -718,14 +787,14 @@
gid_t *group_list;
int g_count;
- length = sysconf(_SC_GETGR_R_SIZE_MAX);
+ length = safe_sysconf(_SC_GETGR_R_SIZE_MAX);
buf = calloc(1, length);
if (NULL == buf) {
fprintf(stderr, "No memory for [%s] operation\n", argv[i]);
exit(1);
}
- max_groups = sysconf(_SC_NGROUPS_MAX);
+ max_groups = safe_sysconf(_SC_NGROUPS_MAX);
group_list = calloc(max_groups, sizeof(gid_t));
if (NULL == group_list) {
fprintf(stderr, "No memory for gid list\n");
@@ -741,8 +810,7 @@
}
if (!isdigit(*ptr)) {
struct group *g, grp;
- getgrnam_r(ptr, &grp, buf, length, &g);
- if (NULL == g) {
+ if (getgrnam_r(ptr, &grp, buf, length, &g) || NULL == g) {
fprintf(stderr, "Failed to identify gid for group [%s]\n", ptr);
exit(1);
}
@@ -835,6 +903,7 @@
argv[argc] = NULL;
execve(argv[i], argv+i, envp);
fprintf(stderr, "execve '%s' failed!\n", argv[i]);
+ free(argv[i]);
exit(1);
} else if (!strncmp("--shell=", argv[i], 8)) {
shell = argv[i]+8;
@@ -885,7 +954,7 @@
} else if (!strncmp("--is-uid=", argv[i], 9)) {
unsigned value;
uid_t uid;
- value = strtoul(argv[i]+9, NULL, 0);
+ value = nonneg_uint(argv[i]+9, "invalid --is-uid value", NULL);
uid = getuid();
if (uid != value) {
fprintf(stderr, "uid: got=%d, want=%d\n", uid, value);
@@ -894,7 +963,7 @@
} else if (!strncmp("--is-gid=", argv[i], 9)) {
unsigned value;
gid_t gid;
- value = strtoul(argv[i]+9, NULL, 0);
+ value = nonneg_uint(argv[i]+9, "invalid --is-gid value", NULL);
gid = getgid();
if (gid != value) {
fprintf(stderr, "gid: got=%d, want=%d\n", gid, value);
diff --color -ru a/progs/getcap.c b/progs/getcap.c
--- a/progs/getcap.c 2021-02-05 06:52:17.000000000 +0100
+++ b/progs/getcap.c 2022-01-28 12:44:05.009936148 +0100
@@ -110,11 +110,11 @@
for (i=optind; argv[i] != NULL; i++) {
struct stat stbuf;
-
- if (lstat(argv[i], &stbuf) != 0) {
- fprintf(stderr, "%s (%s)\n", argv[i], strerror(errno));
+ char *arg = argv[i];
+ if (lstat(arg, &stbuf) != 0) {
+ fprintf(stderr, "%s (%s)\n", arg, strerror(errno));
} else if (recursive) {
- nftw(argv[i], do_getcap, 20, FTW_PHYS);
+ nftw(arg, do_getcap, 20, FTW_PHYS);
} else {
int tflag = S_ISREG(stbuf.st_mode) ? FTW_F :
(S_ISLNK(stbuf.st_mode) ? FTW_SL : FTW_NS);
diff --color -ru a/progs/setcap.c b/progs/setcap.c
--- a/progs/setcap.c 2021-02-05 06:52:17.000000000 +0100
+++ b/progs/setcap.c 2022-01-28 12:44:05.009936148 +0100
@@ -166,9 +166,12 @@
}
cap_on_file = cap_get_file(*++argv);
-
if (cap_on_file == NULL) {
cap_on_file = cap_from_text("=");
+ if (cap_on_file == NULL) {
+ perror("unable to use missing capability");
+ exit(1);
+ }
}
cmp = cap_compare(cap_on_file, cap_d);
diff --color -ru a/psx/psx.c b/psx/psx.c
--- a/psx/psx.c 2021-02-05 06:52:17.000000000 +0100
+++ b/psx/psx.c 2022-01-28 12:44:05.009936148 +0100
@@ -107,6 +107,10 @@
*/
static void *psx_do_registration(void) {
registered_thread_t *node = calloc(1, sizeof(registered_thread_t));
+ if (node == NULL) {
+ perror("unable to register psx handler");
+ exit(1);
+ }
pthread_mutex_init(&node->mu, NULL);
node->thread = pthread_self();
pthread_setspecific(psx_action_key, node);
@@ -454,6 +458,10 @@
int __wrap_pthread_create(pthread_t *thread, const pthread_attr_t *attr,
void *(*start_routine) (void *), void *arg) {
psx_starter_t *starter = calloc(1, sizeof(psx_starter_t));
+ if (starter == NULL) {
+ perror("failed at thread creation");
+ exit(1);
+ }
starter->fn = start_routine;
starter->arg = arg;
/*
diff --color -ru a/tests/libcap_launch_test.c b/tests/libcap_launch_test.c
--- a/tests/libcap_launch_test.c 2021-02-05 06:52:17.000000000 +0100
+++ b/tests/libcap_launch_test.c 2022-01-28 12:44:05.010936167 +0100
@@ -93,6 +93,10 @@
printf("[%d] test should %s\n", i,
v->result ? "generate error" : "work");
cap_launch_t attr = cap_new_launcher(v->args[0], v->args, v->envp);
+ if (attr == NULL) {
+ perror("failed to obtain launcher");
+ exit(1);
+ }
if (v->chroot) {
cap_launcher_set_chroot(attr, v->chroot);
}
diff --color -ru a/tests/libcap_psx_test.c b/tests/libcap_psx_test.c
--- a/tests/libcap_psx_test.c 2021-02-05 06:52:17.000000000 +0100
+++ b/tests/libcap_psx_test.c 2022-01-28 12:55:55.887807887 +0100
@@ -16,8 +16,15 @@
usleep(1234);
pid_t pid = fork();
cap_t start = cap_get_proc();
+ if (start == NULL) {
+ perror("FAILED: unable to start");
+ exit(1);
+ }
if (pid == 0) {
- cap_set_proc(start);
+ if (cap_set_proc(start)) {
+ perror("setting empty caps failed");
+ exit(1);
+ }
exit(0);
}
int res;
@@ -27,6 +34,7 @@
exit(1);
}
cap_set_proc(start);
+ cap_free(start);
return NULL;
}
@@ -35,6 +43,10 @@
printf("hello libcap and libpsx ");
fflush(stdout);
cap_t start = cap_get_proc();
+ if (start == NULL) {
+ perror("FAILED: to actually start");
+ exit(1);
+ }
pthread_t ignored[10];
for (i = 0; i < 10; i++) {
pthread_create(&ignored[i], NULL, thread_fork_exit, NULL);
@@ -42,7 +54,10 @@
for (i = 0; i < 10; i++) {
printf("."); /* because of fork, this may print double */
fflush(stdout); /* try to limit the above effect */
- cap_set_proc(start);
+ if (cap_set_proc(start)) {
+ perror("failed to set proc");
+ exit(1);
+ }
usleep(1000);
}
printf(" PASSED\n");

16
libcap-2.69.tar.sign Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEOKZEaYxpeHNE6VTOKe6EiuLM8/QFAmRhl6YACgkQKe6EiuLM
8/Q0gg/8DrMJ0FugNk6jE4YprJHq1kNjrXgNJ1v2aAKchghnUn0S6po3f0YVeB9q
UDSoRxBWmz/BwJ8PMRwiX2DWpoD0+F3UjSP37rfTqp3Y7//xP0WkYuKBCBiXwtKG
MBGw3QGoUmWy77JVBLvlqvgjk8pwLsbVLRGAc0p78CKKE8A02f9U3WCEmFwoP3Ko
rAiPTWzu1bz1G6nbmEdIqIDffzCt90Ygyop/NVpMQS2QLMvcF2pu/J5AQV8rcEGi
1G7bvAl/2EtUf4JDrWA+SZXp8uJ0Wx6B+K06D8JYf1NTocVbef+4FQCVtD1KDYXQ
j4NgyCMBuhKMZ98rqWMQmJ6nWyksTA/IFzOTOY0ywCDtFvxq3W2JS2f0dvty2ea9
hkWo+S/CQNCbH7X7JvfRUen0844y488uFCoIbnPTcNH0C1N5KBBymT85vXOsDDra
3OF9us/EyOPBnItmOLB8+ot+v2bpx3JdjEalWkmwkrIbaFLpR6LhNPQRo6LI2lw4
eLRGA5Oigpxnwz5VYhNFkl7AK1Ni2lfVGsk2mbaz2aq1+6+II2WM6jgC/mt73pv0
3822hBI76qJIoThTvAdtrWWRd7jCNs57lfONUKdETAbs0XOxcyHrNComtbWb1kyN
zclCere20HUtYxtdixx30V9DFSmrBLAYgusu6oJp1oEolRugoA4=
=Qw3r
-----END PGP SIGNATURE-----


@ -1,23 +1,31 @@
Name: libcap
Version: 2.48
Release: 6%{?dist}
Version: 2.69
Release: 7%{?dist}
Summary: Library for getting and setting POSIX.1e capabilities
URL: https://sites.google.com/site/fullycapable/
License: BSD or GPLv2
Group: System Environment/Libraries
License: BSD-3-Clause OR GPL-2.0-only
Source: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/snapshot/%{name}-%{version}.tar.gz
Patch0: %{name}-2.48-buildflags.patch
Patch1: %{name}-abi-compatibility.patch
Patch2: %{name}-static-analysis.patch
Patch3: %{name}-fix-ambient-caps.patch
Patch4: %{name}-fix-prctl-usage.patch
Patch5: %{name}-check-allocation.patch
Patch6: %{name}-cve-2023-2603.patch
Patch7: %{name}-cve-2023-2602.patch
Source0: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
Source1: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.sign
Source2: https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/29EE848AE2CCF3F4.asc
Patch0: 0001-doc-document-pam_cap-and-its-conf.patch
Patch1: 0002-doc-document-the-use-of-to-refer-to-all-users.patch
BuildRequires: libattr-devel pam-devel perl-interpreter
BuildRequires: pam-devel gcc
BuildRequires: make
BuildRequires: glibc-static
BuildRequires: gnupg2
%ifarch %{golang_arches}
BuildRequires: golang >= 1.22
%endif
%if "%{_sbindir}" == "%{_bindir}"
# Compat symlinks for Requires in other packages.
# We rely on filesystem to create the symlinks for us.
Requires: filesystem(unmerged-sbin-symlinks)
Provides: /usr/sbin/setcap
%endif
%description
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
@ -25,7 +33,6 @@ draft 15 capabilities.
%package static
Summary: Static libraries for libcap development
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description static
@ -37,7 +44,6 @@ draft 15 capabilities.
%package devel
Summary: Development files for libcap
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
@ -50,21 +56,19 @@ Install libcap-devel if you want to develop or compile applications using
libcap.
%prep
gzip -cd %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=-
%autosetup -p1
%build
# libcap can not be build with _smp_mflags:
make prefix=%{_prefix} lib=%{_lib} LIBDIR=%{_libdir} SBINDIR=%{_sbindir} \
INCDIR=%{_includedir} MANDIR=%{_mandir} PKGCONFIGDIR=%{_libdir}/pkgconfig/
%make_build prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 CGO_CFLAGS="${CFLAGS}" CGO_LDFLAGS="${LDFLAGS}" GO_BUILD_FLAGS="-buildmode=pie -a -v -x -ldflags='-compressdwarf=false -B gobuildid'" all
%check
make test
%install
make install RAISE_SETFCAP=no \
DESTDIR=%{buildroot} \
LIBDIR=%{_libdir} \
SBINDIR=%{_sbindir} \
PKGCONFIGDIR=%{_libdir}/pkgconfig/
%make_install prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 CGO_CFLAGS="${CFLAGS}" CGO_LDFLAGS="${LDFLAGS}" GO_BUILD_FLAGS="-buildmode=pie -a -v -x -ldflags='-compressdwarf=false -B gobuildid'"
mkdir -p %{buildroot}/%{_mandir}/man{2,3,8}
mkdir -p %{buildroot}/%{_mandir}/man{2,3,5,8}
mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/
chmod +x %{buildroot}/%{_libdir}/*.so.*
@ -72,73 +76,125 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
%ldconfig_scriptlets
%files
%{!?_licensedir:%global license %%doc}
%license License
%doc doc/capability.notes
%{_libdir}/*.so.*
%{_sbindir}/*
%{_mandir}/man1/*
%{_mandir}/man8/*
%doc doc/capability.md
%{_libdir}/libcap.so.2{,.*}
%{_libdir}/libpsx.so.2{,.*}
%{_sbindir}/{capsh,getcap,getpcaps,setcap}
%{_mandir}/man1/capsh.1*
%{_mandir}/man5/capability.conf.5*
%{_mandir}/man8/{getcap,getpcaps,setcap,pam_cap}.8*
%{_libdir}/security/pam_cap.so
%exclude %{_mandir}/man8/captree.8*
# Exclude unwanted captree
%exclude %{_libdir}/captree*
%exclude %{_sbindir}/captree*
%files static
%{_libdir}/libcap.a
%{_libdir}/libpsx.a
%files devel
%{_includedir}/*
%{_libdir}/*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/libcap.pc
%{_libdir}/pkgconfig/libpsx.pc
%{_includedir}/sys/capability.h
%{_includedir}/sys/psx_syscall.h
%{_libdir}/libcap.so
%{_libdir}/libpsx.so
%{_mandir}/man3/cap*.3*
%{_mandir}/man3/libcap.3*
%{_mandir}/man3/libpsx.3*
%{_mandir}/man3/psx_*.3*
%{_mandir}/man3/__psx_syscall.3*
%{_libdir}/pkgconfig/{libcap,libpsx}.pc
%changelog
* Wed Dec 13 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-6
- Bump release version to restore upgrade path
Resolves: RHEL-19362
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.69-7
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 26 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-5
- Fix integer overflow in _libcap_strdup() (CVE-2023-2603)
Resolves: rhbz#2210637
- Correctly check pthread_create() return value to avoid memory leak (CVE-2023-2602)
Resolves: rhbz#2210644
* Tue Aug 13 2024 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.69-6
- Remove unwanted subpackage captree
* Tue May 17 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-4
- check for successful memory allocation
related: rhbz#2062648
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.69-5
- Bump release for June 2024 mass rebuild
* Mon May 16 2022 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-3
- avoid overwriting errno set by prctl
resolves: rhbz#2062648
* Thu May 30 2024 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.69-4
- Add manpages for pam_cap and capability.conf (by Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>)
- Fix incompatibility of the build with go 1.22 (by Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>)
- Reenable PIE in the captree tool (by Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>)
- Use sbindir location provided by rpm (by Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>)
- Include hardening flags by setting CGO_CFLAGS=CFLAGS and CGO_LDFLAGS=LDFLAGS
* Fri Jan 28 2022 Zoltan Fridrich <zfridric@redhat.com> - 2.48-2
- rebase to 2.48
resolves: rhbz#2032813
- fix ambient capabilities for non-root users
resolves: rhbz#1950187
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.69-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jun 10 2021 Zoltan Fridrich <zfridric@redhat.com> - 2.26-5
- added CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE capabilities
resolves: rhbz#1946982 rhbz#1921576
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.69-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri May 22 2020 Jiri Vymazal <jvymazal@redhat.com> - 2.26-4
- added patch implementing support for ambient capabilities
resolves: rhbz#1487388
* Mon Nov 06 2023 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 2.69-1
- Update to 2.69 (with contribs from Yanko Kaneti <yaneti@declera.com>, and Andrew G. Morgan <morgan@kernel.org>)
- Update license to SPDX (by Anderson Toshiyuki Sasaki <ansasaki@redhat.com>)
- Make file lists more explicit to avoid accidental ABI changes (Dominik Mierzejewski <dominik@greysector.net>)
* Tue Oct 15 2019 Marek Tamaskovic <mtamasko@redhat.com> - 2.26-3
- changed url
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed May 22 2019 Karsten Hopp <karsten@redhat.com> - 2.26-2
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sun Feb 14 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 2.48-2
- Rebase distro flags patch
* Wed Feb 10 2021 Giuseppe Scrivano <gscrivan@redhat.com> - 2.48-1
- Update to 0.2.48
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sun Jan 17 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 2.46-1
- Update to 0.2.46
* Wed Oct 21 2020 Karsten Hopp <karsten@fedoraproject.org> - 2.44-1
- update to 2.44
- remove additional getpcaps manpage as it now included in the sources
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Feb 04 2019 Karsten Hopp <karsten@redhat.com> - 2.26-5
- enable gating
* Mon Feb 04 2019 Karsten Hopp <karsten@redhat.com> - 2.26-4
- bump release
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 28 2019 Karsten Hopp <karsten@redhat.com> - 2.26-2
- add CI tests using the standard test interface (astepano)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 02 2018 Karsten Hopp <karsten@redhat.com> - 2.25-11
- rebuild
* Fri Apr 12 2019 Karsten Hopp <karsten@redhat.com> - 2.26-1
- update to 2.26
* Thu Apr 11 2019 Karsten Hopp <karsten@redhat.com> - 2.25-11
- rebuild
* Thu Apr 11 2019 Karsten Hopp <karsten@redhat.com> - 2.25-10
- rebuild
* Wed Feb 21 2018 Karsten Hopp <karsten@redhat.com> - 2.25-10
- buildrequire gcc
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
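Review bot: The `Patch6: %{name}-cve-2023-2603.patch` and `Patch7: %{name}-cve-2023-2602.patch` lines are gone from the patch list and the changelog that now heads the spec never mentions either CVE, so nothing in the package records that those fixes are still shipped. Presumably both are part of the 2.69 sources; confirm that against the upstream tree and record it, for example with a changelog line such as `- CVE-2023-2602 and CVE-2023-2603 fixes are included in upstream 2.69; downstream patches dropped`. The same check applies to the other downstream patches that disappear here (`static-analysis`, `check-allocation`, `fix-prctl-usage`, `fix-ambient-caps`). Which lines are old and which are new is inferred from the version numbers, because this rendered section has lost its `+`/`-` markers.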

1
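--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (libcap-2.69.tar.gz) = 75ee0fe8e1ac835f29cb76d233f731dcf126b73eed5229a130bbe4308a42441934d4e9cefeaaab45f774de2ed6859c752fbbfb9908e792f2f9f3d0f841e01aee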