RHEL-9.0.0 ERRATUM

- Fix ambient capabilities for non-root users Resolves: rhbz#2037215
2022-01-05 13:21:02 +01:00 · 2022-01-05 13:21:02 +01:00 · c475283dde
commit c475283dde
parent bd991b676f
4 changed files with 336 additions and 1 deletions
--- a/libcap-disable-golang.patch
+++ b/libcap-disable-golang.patch
@ -0,0 +1,12 @@
 diff --color -ru a/Make.Rules b/Make.Rules
 --- a/Make.Rules	2022-01-04 16:57:52.071890314 +0100
 +++ b/Make.Rules	2022-01-04 16:59:33.171786150 +0100
@@ -104,7 +104,7 @@
 ifeq ($(PTHREADS),yes)
 GO ?= go
 -GOLANG ?= $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo yes ; else echo no ; fi)
 +GOLANG ?= no
 ifeq ($(GOLANG),yes)
 GOROOT ?= $(shell $(GO) env GOROOT)
 GOCGO ?= $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ; else echo no ; fi)
--- a/libcap-fix-ambient-caps.patch
+++ b/libcap-fix-ambient-caps.patch
@ -0,0 +1,147 @@
 diff --color -ru a/libcap/cap_proc.c b/libcap/cap_proc.c
 --- a/libcap/cap_proc.c	2021-12-22 12:33:20.739126763 +0100
 +++ b/libcap/cap_proc.c	2021-12-22 12:33:53.195733115 +0100
@@ -406,6 +406,29 @@
 }
 /*
 + * cap_prctl performs a prctl() 6 argument call on the current
 + * thread. Use cap_prctlw() if you want to perform a POSIX semantics
 + * prctl() system call.
 + */
 +int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
 +             long int arg3, long int arg4, long int arg5)
 +{
 +    return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
 +}
 +
 +/*
 + * cap_prctlw performs a POSIX semantics prctl() call. That is a 6 arg
 + * prctl() call that executes on all available threads when libpsx is
 + * linked. The suffix 'w' refers to the fact one only ever needs to
 + * invoke this is if the call will write some kernel state.
 + */
 +int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
 +              long int arg3, long int arg4, long int arg5)
 +{
 +    return _libcap_wprctl6(&multithread, pr_cmd, arg1, arg2, arg3, arg4, arg5);
 +}
 +
 +/*
  * Some predefined constants
  */
 #define CAP_SECURED_BITS_BASIC                                 \
 diff --color -ru a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
 --- a/libcap/include/sys/capability.h	2021-02-05 06:52:17.000000000 +0100
 +++ b/libcap/include/sys/capability.h	2021-12-22 12:33:53.196733134 +0100
@@ -175,6 +175,11 @@
 extern unsigned cap_get_secbits(void);
 extern int cap_set_secbits(unsigned bits);
 +extern int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
 +		    long int arg3, long int arg4, long int arg5);
 +extern int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
 +		     long int arg3, long int arg4, long int arg5);
 +
 extern int cap_setuid(uid_t uid);
 extern int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[]);
 diff --color -ru a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
 --- a/pam_cap/pam_cap.c	2021-12-22 12:33:20.740126781 +0100
 +++ b/pam_cap/pam_cap.c	2021-12-22 12:33:53.196733134 +0100
@@ -21,6 +21,7 @@
 #include <string.h>
 #include <syslog.h>
 #include <sys/capability.h>
 +#include <sys/prctl.h>
 #include <sys/types.h>
 #include <linux/limits.h>
@@ -33,8 +34,11 @@
 struct pam_cap_s {
     int debug;
 +    int keepcaps;
 +    int defer;
     const char *user;
     const char *conf_filename;
 +    pam_handle_t *pamh;
 };
 /*
@@ -178,6 +182,33 @@
 }
 /*
 + * This is the "defer" cleanup function that actually applies the IAB
 + * tuple. This happens really late in the PAM session, hopefully after
 + * the application has performed its setuid() function.
 + */
 +static void iab_apply(pam_handle_t *pamh, void *data, int error_status)
 +{
 +    cap_iab_t iab = data;
 +    int retval = error_status & ~(PAM_DATA_REPLACE|PAM_DATA_SILENT);
 +
 +    data = NULL;
 +    if (error_status & PAM_DATA_REPLACE) {
 +	goto done;
 +    }
 +
 +    if (retval != PAM_SUCCESS || !(error_status & PAM_DATA_SILENT)) {
 +	goto done;
 +    }
 +
 +    if (cap_iab_set_proc(iab) != 0) {
 +	D(("IAB setting failed"));
 +    }
 +
 +done:
 +    cap_free(iab);
 +}
 +
 +/*
  * Set capabilities for current process to match the current
  * permitted+executable sets combined with the configured inheritable
  * set.
@@ -230,12 +261,21 @@
 	goto cleanup_conf;
     }
 -    if (!cap_iab_set_proc(iab)) {
 +    if (cs->defer) {
 +	D(("configured to delay applying IAB"));
 +	pam_set_data(cs->pamh, "pam_cap_iab", iab, iab_apply);
 +	iab = NULL;
 +    } else if (!cap_iab_set_proc(iab)) {
 	D(("able to set the IAB [%s] value", conf_caps));
 	ok = 1;
     }
     cap_free(iab);
 +    if (cs->keepcaps) {
 +	D(("setting keepcaps"));
 +	(void) cap_prctlw(PR_SET_KEEPCAPS, 1, 0, 0, 0, 0);
 +    }
 +
 cleanup_conf:
     memset(conf_caps, 0, conf_caps_length);
     _pam_drop(conf_caps);
@@ -268,6 +308,10 @@
 	    pcs->debug = 1;
 	} else if (!strncmp(*argv, "config=", 7)) {
 	    pcs->conf_filename = 7 + *argv;
 +	} else if (!strcmp(*argv, "keepcaps")) {
 +	    pcs->keepcaps = 1;
 +	} else if (!strcmp(*argv, "defer")) {
 +	    pcs->defer = 1;
 	} else {
 	    _pam_log(LOG_ERR, "unknown option; %s", *argv);
 	}
@@ -353,6 +397,7 @@
 	return PAM_AUTH_ERR;
     }
 +    pcs.pamh = pamh;
     retval = set_capabilities(&pcs);
     memset(&pcs, 0, sizeof(pcs));
--- a/libcap-static-analysis-fix-3.patch
+++ b/libcap-static-analysis-fix-3.patch
@ -0,0 +1,169 @@
 diff --color -ru a/libcap/_makenames.c b/libcap/_makenames.c
 --- a/libcap/_makenames.c	2022-01-28 14:41:38.357147972 +0100
 +++ b/libcap/_makenames.c	2022-01-28 14:42:45.681379827 +0100
@@ -45,7 +45,7 @@
 	if (maxcaps <= list[i].index) {
 	    maxcaps = list[i].index + 1;
 	}
 -        if (list[i].index >= pointers_avail) {
 +        if (pointers == NULL || list[i].index >= pointers_avail) {
 	    int was = pointers_avail * sizeof(char *);
 	    pointers_avail = 2 * list[i].index + 1;
 	    pointers = recalloc(pointers, was, pointers_avail * sizeof(char *));
 diff --color -ru a/progs/capsh.c b/progs/capsh.c
 --- a/progs/capsh.c	2022-01-28 14:41:38.359148009 +0100
 +++ b/progs/capsh.c	2022-01-28 14:42:45.682379846 +0100
@@ -34,6 +34,35 @@
 #define MAX_GROUPS       100   /* max number of supplementary groups for user */
 +/* parse a non-negative integer with some error handling */
 +static unsigned long nonneg_uint(const char *text, const char *prefix, int *ok)
 +{
 +    char *remains;
 +    unsigned long value;
 +    ssize_t len = strlen(text);
 +
 +    if (len == 0 || *text == '-') {
 +	goto fail;
 +    }
 +    value = strtoul(text, &remains, 0);
 +    if (*remains) {
 +	goto fail;
 +    }
 +    if (ok != NULL) {
 +	*ok = 1;
 +    }
 +    return value;
 +
 +fail:
 +    if (ok == NULL) {
 +	fprintf(stderr, "%s: want non-negative integer, got \"%s\"\n",
 +		prefix, text);
 +	exit(1);
 +    }
 +    *ok = 0;
 +    return 0;
 +}
 +
 static char *binary(unsigned long value)
 {
     static char string[8*sizeof(unsigned long) + 1];
@@ -362,7 +391,7 @@
     parts = strdup(path);
     if (parts == NULL) {
 -        fprintf(stderr, "insufficient memory for parts of path\n");
 +	fprintf(stderr, "insufficient memory for parts of path\n");
 	exit(1);
     }
@@ -610,7 +639,7 @@
 	    unsigned value;
 	    int set;
 -	    value = strtoul(argv[i]+7, NULL, 0);
 +	    value = nonneg_uint(argv[i]+7, "invalid --keep value", NULL);
 	    set = prctl(PR_SET_KEEPCAPS, value);
 	    if (set < 0) {
 		fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n",
@@ -667,7 +696,7 @@
 	} else if (!strncmp("--secbits=", argv[i], 10)) {
 	    unsigned value;
 	    int status;
 -	    value = strtoul(argv[i]+10, NULL, 0);
 +	    value = nonneg_uint(argv[i]+10, "invalid --secbits value", NULL);
 	    status = cap_set_secbits(value);
 	    if (status < 0) {
 		fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
@@ -680,7 +709,7 @@
 		fprintf(stderr, "already forked\n");
 		exit(1);
 	    }
 -	    value = strtoul(argv[i]+10, NULL, 0);
 +	    value = nonneg_uint(argv[i]+10, "invalid --forkfor value", NULL);
 	    if (value == 0) {
 		goto usage;
 	    }
@@ -696,7 +725,8 @@
 	    pid_t result;
 	    unsigned value;
 -	    value = strtoul(argv[i]+9, NULL, 0);
 +	    value = nonneg_uint(argv[i]+9, "invalid --killit signo value",
 +				NULL);
 	    if (!child) {
 		fprintf(stderr, "no forked process to kill\n");
 		exit(1);
@@ -722,7 +752,7 @@
 	    unsigned value;
 	    int status;
 -	    value = strtoul(argv[i]+6, NULL, 0);
 +	    value = nonneg_uint(argv[i]+6, "invalid --uid value", NULL);
 	    status = setuid(value);
 	    if (status < 0) {
 		fprintf(stderr, "Failed to set uid=%u: %s\n",
@@ -733,7 +763,7 @@
 	    unsigned value;
 	    int status;
 -	    value = strtoul(argv[i]+10, NULL, 0);
 +	    value = nonneg_uint(argv[i]+10, "invalid --cap-uid value", NULL);
 	    status = cap_setuid(value);
 	    if (status < 0) {
 		fprintf(stderr, "Failed to cap_setuid(%u): %s\n",
@@ -744,7 +774,7 @@
 	    unsigned value;
 	    int status;
 -	    value = strtoul(argv[i]+6, NULL, 0);
 +	    value = nonneg_uint(argv[i]+6, "invalid --gid value", NULL);
 	    status = setgid(value);
 	    if (status < 0) {
 		fprintf(stderr, "Failed to set gid=%u: %s\n",
@@ -924,7 +954,7 @@
 	} else if (!strncmp("--is-uid=", argv[i], 9)) {
 	    unsigned value;
 	    uid_t uid;
 -	    value = strtoul(argv[i]+9, NULL, 0);
 +	    value = nonneg_uint(argv[i]+9, "invalid --is-uid value", NULL);
 	    uid = getuid();
 	    if (uid != value) {
 		fprintf(stderr, "uid: got=%d, want=%d\n", uid, value);
@@ -933,7 +963,7 @@
 	} else if (!strncmp("--is-gid=", argv[i], 9)) {
 	    unsigned value;
 	    gid_t gid;
 -	    value = strtoul(argv[i]+9, NULL, 0);
 +	    value = nonneg_uint(argv[i]+9, "invalid --is-gid value", NULL);
 	    gid = getgid();
 	    if (gid != value) {
 		fprintf(stderr, "gid: got=%d, want=%d\n", gid, value);
 diff --color -ru a/tests/libcap_psx_test.c b/tests/libcap_psx_test.c
 --- a/tests/libcap_psx_test.c	2022-01-28 14:41:38.360148027 +0100
 +++ b/tests/libcap_psx_test.c	2022-01-28 14:42:45.683379864 +0100
@@ -21,7 +21,10 @@
 	exit(1);
     }
     if (pid == 0) {
 -	cap_set_proc(start);
 +	if (cap_set_proc(start)) {
 +	    perror("setting empty caps failed");
 +	    exit(1);
 +	}
 	exit(0);
     }
     int res;
@@ -51,7 +54,10 @@
     for (i = 0; i < 10; i++) {
 	printf(".");     /* because of fork, this may print double */
 	fflush(stdout);  /* try to limit the above effect */
 -	cap_set_proc(start);
 +	if (cap_set_proc(start)) {
 +	    perror("failed to set proc");
 +	    exit(1);
 +	}
 	usleep(1000);
     }
     printf(" PASSED\n");
--- a/libcap.spec
+++ b/libcap.spec
@ -1,6 +1,6 @@
 Name: libcap
 Version: 2.48
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Library for getting and setting POSIX.1e capabilities
 URL: https://sites.google.com/site/fullycapable/
 License: BSD or GPLv2
@ -9,6 +9,9 @@ Source: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/snapshot/%{name}-%
 Patch0: libcap-use-compiler-flag-options.patch
 Patch1: libcap-static-analysis-fix.patch
 Patch2: libcap-static-analysis-fix-2.patch
 Patch3: libcap-static-analysis-fix-3.patch
 Patch4: libcap-disable-golang.patch
 Patch5: libcap-fix-ambient-caps.patch
 BuildRequires: libattr-devel pam-devel perl-interpreter gcc
 BuildRequires: make
@ -85,6 +88,10 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
 %changelog
 * Fri Jan 28 2022 Zoltan Fridrich <zfridric@redhat.com> - 2.48-8
 - Fix ambient capabilities for non-root users
  Related: rhbz#2037215
 * Fri Aug 27 2021 Zoltan Fridrich <zfridric@redhat.com> - 2.48-7
 - Fix issues detected by static analyzers
  Related: rhbz#1985346