diff --git a/libreswan-4.12-libcap-ng.patch b/libreswan-4.12-libcap-ng.patch index fa4193f..1c3c0a7 100644 --- a/libreswan-4.12-libcap-ng.patch +++ b/libreswan-4.12-libcap-ng.patch @@ -1,72 +1,175 @@ -commit ad147f53bebf596474df27609a4a6542d0e17400 -Author: Paul Wouters -Date: Tue Sep 5 22:49:28 2023 -0400 - - pluto: check return code of libcap-ng functions - - Avoids "error: ignoring return value of ‘capng_apply’ ..." - -diff --git a/include/pluto_constants.h b/include/pluto_constants.h -index 1dd86ba372..f4487a2b0a 100644 ---- a/include/pluto_constants.h -+++ b/include/pluto_constants.h -@@ -1024,7 +1024,8 @@ enum pluto_exit_code { - PLUTO_EXIT_UNBOUND_FAIL = 9, - PLUTO_EXIT_LOCK_FAIL = 10, /* historic value */ - PLUTO_EXIT_SELINUX_FAIL = 11, -- PLUTO_EXIT_LEAVE_STATE = 12, /* leave kernel state and routes */ -+ PLUTO_EXIT_CAPNG_FAIL = 12, -+ PLUTO_EXIT_LEAVE_STATE = 13, /* leave kernel state and routes */ - /**/ - PLUTO_EXIT_GIT_BISECT_CAN_NOT_TEST = 125, - PLUTO_EXIT_SHELL_COMMAND_NOT_FOUND = 126, -diff --git a/lib/libswan/pluto_exit_code_names.c b/lib/libswan/pluto_exit_code_names.c -index bb4b3284a5..6d245d4642 100644 ---- a/lib/libswan/pluto_exit_code_names.c -+++ b/lib/libswan/pluto_exit_code_names.c -@@ -46,6 +46,7 @@ static const char *pluto_exit_code_name[] = { - S(PLUTO_EXIT_UNBOUND_FAIL), - S(PLUTO_EXIT_LOCK_FAIL), - S(PLUTO_EXIT_SELINUX_FAIL), -+ S(PLUTO_EXIT_CAPNG_FAIL), - S(PLUTO_EXIT_LEAVE_STATE), - #undef S - }; diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c -index 565538ba18..efc287b8fc 100644 +index 953937ec02..4fc67d3b14 100644 --- a/programs/pluto/plutomain.c 
+++ b/programs/pluto/plutomain.c -@@ -1708,13 +1708,16 @@ int main(int argc, char **argv) - */ - capng_clear(CAPNG_SELECT_BOTH); +@@ -1676,32 +1676,56 @@ int main(int argc, char **argv) -- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, -+ if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, - CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW, - CAP_IPC_LOCK, CAP_AUDIT_WRITE, - /* for google authenticator pam */ - CAP_SETGID, CAP_SETUID, - CAP_DAC_READ_SEARCH, -- -1); -+ -1) != 0) { -+ fatal(PLUTO_EXIT_CAPNG_FAIL, logger, -+ "libcap-ng capng_updatev() failed"); -+ } + #ifdef HAVE_LIBCAP_NG /* ++ * If we don't have the capability to drop capailities, do nothing. ++ * + * Drop capabilities - this generates a false positive valgrind warning + * See: http://marc.info/?l=linux-security-module&m=125895232029657 + * + * We drop these after creating the pluto socket or else we can't + * create a socket if the parent dir is non-root (eg openstack) +- */ +- capng_clear(CAPNG_SELECT_BOTH); +- +- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, +- CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW, +- CAP_IPC_LOCK, CAP_AUDIT_WRITE, +- /* for google authenticator pam */ +- CAP_SETGID, CAP_SETUID, +- CAP_DAC_READ_SEARCH, +- -1); +- /* ++ * * We need to retain some capabilities for our children (updown): * CAP_NET_ADMIN to change routes -@@ -1725,7 +1728,13 @@ int main(int argc, char **argv) + * (we also need it for some setsockopt() calls in main process) + * CAP_NET_RAW for iptables -t mangle + * CAP_DAC_READ_SEARCH for pam / google authenticator +- * ++ * CAP_SETGID, CAP_SETUID for pam / google authenticator */ - capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW, - CAP_DAC_READ_SEARCH, -1); +- capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW, +- CAP_DAC_READ_SEARCH, -1); - capng_apply(CAPNG_SELECT_BOTH); -+ int ret = capng_apply(CAPNG_SELECT_BOUNDS); -+ if (ret != CAPNG_NONE) { -+ 
fatal(PLUTO_EXIT_CAPNG_FAIL, logger, -+ "libcap-ng capng_apply failed to apply changes, err=%d. see: man capng_apply", -+ ret); ++ if (capng_get_caps_process() == -1) { ++ llog(RC_LOG_SERIOUS, logger, "failed to query pluto process for capng capabilities"); ++ } else { ++ /* If we don't have CAP_SETPCAP, we cannot update the bounding set */ ++ capng_select_t set = CAPNG_SELECT_CAPS; ++ if (capng_have_capability (CAPNG_EFFECTIVE, CAP_SETPCAP)) { ++ set = CAPNG_SELECT_BOTH; ++ } ++ ++ capng_clear(CAPNG_SELECT_BOTH); ++ if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, ++ CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW, ++ CAP_IPC_LOCK, CAP_AUDIT_WRITE, ++ CAP_SETGID, CAP_SETUID, ++ CAP_DAC_READ_SEARCH, ++ -1) != 0) { ++ llog(RC_LOG_SERIOUS, logger, ++ "libcap-ng capng_updatev() failed for CAPNG_EFFECTIVE | CAPNG_PERMITTED"); ++ } ++ ++ if (capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, ++ CAP_NET_RAW, CAP_DAC_READ_SEARCH, CAP_SETPCAP, ++ -1) != 0) { ++ llog(RC_LOG_SERIOUS, logger, ++ "libcap-ng capng_updatev() failed for CAPNG_BOUNDING_SET"); ++ } ++ ++ int ret = capng_apply(set); ++ if (ret != CAPNG_NONE) { ++ llog(RC_LOG_SERIOUS, logger, ++ "libcap-ng capng_apply failed to apply changes, err=%d. 
see: man capng_apply", ++ ret); ++ } + } + llog(RC_LOG, logger, "libcap-ng support [enabled]"); #else llog(RC_LOG, logger, "libcap-ng support [disabled]"); +diff --git a/testing/pluto/TESTLIST b/testing/pluto/TESTLIST +index 75f5fcbdca..7826dc9100 100644 +--- a/testing/pluto/TESTLIST ++++ b/testing/pluto/TESTLIST +@@ -842,7 +842,8 @@ kvmplutotest algo-ikev2-aes-md5-esp-3des-sha1 good + + # CAP_DAC_OVERRIDE + kvmplutotest basic-pluto-06 good +- ++# libcab-ng test ++kvmplutotest capabilities-01 good + + # + # a test case of PSK with aggressive mode +diff --git a/testing/pluto/capabilities-01/description.txt b/testing/pluto/capabilities-01/description.txt +new file mode 100644 +index 0000000000..abc1d6e90e +--- /dev/null ++++ b/testing/pluto/capabilities-01/description.txt +@@ -0,0 +1 @@ ++Basic test to see if pluto dropped capabilities +diff --git a/testing/pluto/capabilities-01/west.conf b/testing/pluto/capabilities-01/west.conf +new file mode 100644 +index 0000000000..c7b108eae7 +--- /dev/null ++++ b/testing/pluto/capabilities-01/west.conf +@@ -0,0 +1,19 @@ ++# /etc/ipsec.conf - Libreswan IPsec configuration file ++ ++version 2.0 ++ ++config setup ++ # put the logs in /tmp for the UMLs, so that we can operate ++ # without syslogd, which seems to break on UMLs ++ logfile=/tmp/pluto.log ++ logtime=no ++ logappend=no ++ plutodebug=all ++ dumpdir=/tmp ++ virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.0.1.0/24,%v6:!2001:db8:0:1::/64 ++ ++conn westnet-eastnet-ipv4-psk-ikev2 ++ also=westnet-eastnet-ipv4-psk ++ ++include /testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common ++ +diff --git a/testing/pluto/capabilities-01/west.console.txt b/testing/pluto/capabilities-01/west.console.txt +new file mode 100644 +index 0000000000..6f98855ad9 +--- /dev/null ++++ b/testing/pluto/capabilities-01/west.console.txt +@@ -0,0 +1,22 @@ ++/testing/guestbin/swan-prep ++west # ++ ipsec start ++Redirecting to: [initsystem] ++west # ++ 
../../guestbin/wait-until-pluto-started ++west # ++ echo "initdone" ++initdone ++west # ++ netcap | grep pluto | sed "s/^.*pluto/pluto/" ++pluto udp 500 dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write + ++pluto udp 500 dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write + ++pluto udp 500 dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write + ++pluto udp 4500 dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write + ++pluto udp 4500 dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write + ++pluto udp 4500 dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write + ++west # ++ echo done ++done ++west # ++ +diff --git a/testing/pluto/capabilities-01/west.secrets b/testing/pluto/capabilities-01/west.secrets +new file mode 100644 +index 0000000000..d3ed5698d0 +--- /dev/null ++++ b/testing/pluto/capabilities-01/west.secrets +@@ -0,0 +1 @@ ++@west @east : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890" +diff --git a/testing/pluto/capabilities-01/westinit.sh b/testing/pluto/capabilities-01/westinit.sh +new file mode 100755 +index 0000000000..f803fcf070 +--- /dev/null ++++ b/testing/pluto/capabilities-01/westinit.sh +@@ -0,0 +1,4 @@ ++/testing/guestbin/swan-prep ++ipsec start ++../../guestbin/wait-until-pluto-started ++echo "initdone" +diff --git a/testing/pluto/capabilities-01/westrun.sh b/testing/pluto/capabilities-01/westrun.sh +new file mode 100755 +index 0000000000..379da39994 +--- /dev/null ++++ b/testing/pluto/capabilities-01/westrun.sh +@@ -0,0 +1,2 @@ ++netcap | grep pluto | sed "s/^.*pluto/pluto/" ++echo done diff --git a/libreswan.spec b/libreswan.spec index ec39731..06f6075 100644 --- a/libreswan.spec +++ b/libreswan.spec 
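Review bot: In the rewritten plutomain.c block a failing `capng_apply(set)` is now only reported via `llog(RC_LOG_SERIOUS, ...)` and pluto keeps running with its unreduced capability set, whereas the previous version of this patch exited through `fatal(PLUTO_EXIT_CAPNG_FAIL, ...)`; the missing-CAP_SETPCAP case is already covered by the `set` selection, so an apply failure here is a genuine error and should either stay fatal or have the intended fail-open stated in the block comment. The fallback to `CAPNG_SELECT_CAPS` when `capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)` is false is silent, so an operator cannot tell from the log whether the bounding set was reduced; an `llog(RC_LOG, logger, "CAP_SETPCAP not available, capability bounding set left unchanged");` in that branch would make it visible. The capabilities-01 console expectation only checks the effective set that netcap prints, so a regression in the bounding-set half of this change would presumably not be caught by the new test. Minor: the block comment reads `capailities` for `capabilities`, and `capng_have_capability (` carries a stray space before the parenthesis. The enclosing main() starts and ends outside the hunk.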
@@ -30,7 +30,7 @@ Name: libreswan Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script Version: 4.12 -Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} # The code in lib/libswan/nss_copies.c is under MPL-2.0, while the # rest is under GPL-2.0-or-later License: GPL-2.0-or-later AND MPL-2.0 @@ -213,30 +213,33 @@ certutil -N -d sql:$tmpdir --empty-password %doc %{_mandir}/*/* %changelog -* Tue Sep 05 2023 Paul Wouters - 4.12-3 +- Update libcap-ng patch, fix email addresses in changelog + +* Tue Sep 05 2023 Paul Wouters - 4.12-2 - Remove ipsec show and ipsec verify sub commands (not very useful, causes python requirement) - Patch for handling libcap-ng return values and fix capng_apply() call -* Fri Aug 11 2023 Paul Wouters - 4.12-1 - Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712 - Resolves: rhbz#2230225 libreswan-4.12 is available * Thu Jul 20 2023 Fedora Release Engineering - 4.11-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Thu May 04 2023 Paul Wouters - 4.11-1 - Update to 4.11 for CVE-2023-30570 -* Wed Mar 01 2023 Paul Wouters - 4.10-1 - Update to 4.10 for CVE-2023-23009 * Thu Jan 19 2023 Fedora Release Engineering - 4.9-2.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -* Tue Jan 10 2023 Paul Wouters - 4.9-2 - Use new GPG key location. -* Thu Oct 13 2022 Paul Wouters - 4.9-1 - Update to 4.9 (maxbytes/maxpackets support, raw ECDSA support, misc fixes) * Thu Jul 21 2022 Fedora Release Engineering - 4.7-1.1