- Patch for handling libcap-ng return values and fix capng_apply() call

libreswan-4.12-libcap-ng.patch

@@ -0,0 +1,72 @@
+commit ad147f53bebf596474df27609a4a6542d0e17400
+Author: Paul Wouters <paul.wouters@aiven.io>
+Date:   Tue Sep 5 22:49:28 2023 -0400
+
+    pluto: check return code of libcap-ng functions
+    
+    Avoids "error: ignoring return value of ‘capng_apply’ ..."
+
+diff --git a/include/pluto_constants.h b/include/pluto_constants.h
+index 1dd86ba372..f4487a2b0a 100644
+--- a/include/pluto_constants.h
++++ b/include/pluto_constants.h
+@@ -1024,7 +1024,8 @@ enum pluto_exit_code {
+ 	PLUTO_EXIT_UNBOUND_FAIL = 9,
+ 	PLUTO_EXIT_LOCK_FAIL = 10, /* historic value */
+ 	PLUTO_EXIT_SELINUX_FAIL = 11,
+-	PLUTO_EXIT_LEAVE_STATE = 12, /* leave kernel state and routes */
++	PLUTO_EXIT_CAPNG_FAIL = 12,
++	PLUTO_EXIT_LEAVE_STATE = 13, /* leave kernel state and routes */
+ 	/**/
+ 	PLUTO_EXIT_GIT_BISECT_CAN_NOT_TEST = 125,
+ 	PLUTO_EXIT_SHELL_COMMAND_NOT_FOUND = 126,
+diff --git a/lib/libswan/pluto_exit_code_names.c b/lib/libswan/pluto_exit_code_names.c
+index bb4b3284a5..6d245d4642 100644
+--- a/lib/libswan/pluto_exit_code_names.c
++++ b/lib/libswan/pluto_exit_code_names.c
+@@ -46,6 +46,7 @@ static const char *pluto_exit_code_name[] = {
+ 	S(PLUTO_EXIT_UNBOUND_FAIL),
+ 	S(PLUTO_EXIT_LOCK_FAIL),
+ 	S(PLUTO_EXIT_SELINUX_FAIL),
++	S(PLUTO_EXIT_CAPNG_FAIL),
+ 	S(PLUTO_EXIT_LEAVE_STATE),
+ #undef S
+ };
+diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
+index 565538ba18..efc287b8fc 100644
+--- a/programs/pluto/plutomain.c
++++ b/programs/pluto/plutomain.c
+@@ -1708,13 +1708,16 @@ int main(int argc, char **argv)
+ 	 */
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 
+-	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
++	if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ 		CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
+ 		CAP_IPC_LOCK, CAP_AUDIT_WRITE,
+ 		/* for google authenticator pam */
+ 		CAP_SETGID, CAP_SETUID,
+ 		CAP_DAC_READ_SEARCH,
+-		-1);
++		-1) != 0) {
++			fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
++				"libcap-ng capng_updatev() failed");
++	}
+ 	/*
+ 	 * We need to retain some capabilities for our children (updown):
+ 	 * CAP_NET_ADMIN to change routes
+@@ -1725,7 +1728,13 @@ int main(int argc, char **argv)
+ 	 */
+ 	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
+ 			CAP_DAC_READ_SEARCH, -1);
+-	capng_apply(CAPNG_SELECT_BOTH);
++	int ret = capng_apply(CAPNG_SELECT_BOUNDS);
++	if (ret != CAPNG_NONE) {
++		fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
++			"libcap-ng capng_apply failed to apply changes, err=%d. see: man capng_apply",
++			ret);
++	}
++
+ 	llog(RC_LOG, logger, "libcap-ng support [enabled]");
+ #else
+ 	llog(RC_LOG, logger, "libcap-ng support [disabled]");

libreswan.spec

@@ -44,6 +44,8 @@ Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 
+Patch1: libreswan-4.12-libcap-ng.patch
+
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
@@ -213,6 +215,7 @@ certutil -N -d sql:$tmpdir --empty-password
 %changelog
 * Tue Sep 05 2023 Paul Wouters <paul.wouters@aiven.io - 4.12-2
 - Remove ipsec show and ipsec verify sub commands (not very useful, causes python requirement)
+- Patch for handling libcap-ng return values and fix capng_apply() call
 
 * Fri Aug 11 2023 Paul Wouters <paul.wouters@aiven.io - 4.12-1
 - Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712