- Update libcap-ng patch, fix email addresses in changelog

2023-09-08 12:45:22 -04:00 · 2023-09-08 12:45:22 -04:00 · d609d0e8ad
commit d609d0e8ad
parent 9051f09a66
2 changed files with 171 additions and 65 deletions
--- a/libreswan-4.12-libcap-ng.patch
+++ b/libreswan-4.12-libcap-ng.patch
@ -1,72 +1,175 @@
 commit ad147f53bebf596474df27609a4a6542d0e17400
 Author: Paul Wouters <paul.wouters@aiven.io>
 Date:   Tue Sep 5 22:49:28 2023 -0400
    pluto: check return code of libcap-ng functions
    Avoids "error: ignoring return value of ‘capng_apply’ ..."
 diff --git a/include/pluto_constants.h b/include/pluto_constants.h
 index 1dd86ba372..f4487a2b0a 100644
 --- a/include/pluto_constants.h
 +++ b/include/pluto_constants.h
@@ -1024,7 +1024,8 @@ enum pluto_exit_code {
 	PLUTO_EXIT_UNBOUND_FAIL = 9,
 	PLUTO_EXIT_LOCK_FAIL = 10, /* historic value */
 	PLUTO_EXIT_SELINUX_FAIL = 11,
 -	PLUTO_EXIT_LEAVE_STATE = 12, /* leave kernel state and routes */
 +	PLUTO_EXIT_CAPNG_FAIL = 12,
 +	PLUTO_EXIT_LEAVE_STATE = 13, /* leave kernel state and routes */
 	/**/
 	PLUTO_EXIT_GIT_BISECT_CAN_NOT_TEST = 125,
 	PLUTO_EXIT_SHELL_COMMAND_NOT_FOUND = 126,
 diff --git a/lib/libswan/pluto_exit_code_names.c b/lib/libswan/pluto_exit_code_names.c
 index bb4b3284a5..6d245d4642 100644
 --- a/lib/libswan/pluto_exit_code_names.c
 +++ b/lib/libswan/pluto_exit_code_names.c
@@ -46,6 +46,7 @@ static const char *pluto_exit_code_name[] = {
 	S(PLUTO_EXIT_UNBOUND_FAIL),
 	S(PLUTO_EXIT_LOCK_FAIL),
 	S(PLUTO_EXIT_SELINUX_FAIL),
 +	S(PLUTO_EXIT_CAPNG_FAIL),
 	S(PLUTO_EXIT_LEAVE_STATE),
 #undef S
 };
 diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
-index 565538ba18..efc287b8fc 100644
+index 953937ec02..4fc67d3b14 100644
 --- a/programs/pluto/plutomain.c
 +++ b/programs/pluto/plutomain.c
-@@ -1708,13 +1708,16 @@ int main(int argc, char **argv)
+@@ -1676,32 +1676,56 @@ int main(int argc, char **argv)
 	 */
 	capng_clear(CAPNG_SELECT_BOTH);
-	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ #ifdef HAVE_LIBCAP_NG
 +	if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
 		CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
 		CAP_IPC_LOCK, CAP_AUDIT_WRITE,
 		/* for google authenticator pam */
 		CAP_SETGID, CAP_SETUID,
 		CAP_DAC_READ_SEARCH,
 -		-1);
 +		-1) != 0) {
 +			fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
 +				"libcap-ng capng_updatev() failed");
 +	}
 	/*
 +	 * If we don't have the capability to drop capailities, do nothing.
 +	 *
 	 * Drop capabilities - this generates a false positive valgrind warning
 	 * See: http://marc.info/?l=linux-security-module&m=125895232029657
 	 *
 	 * We drop these after creating the pluto socket or else we can't
 	 * create a socket if the parent dir is non-root (eg openstack)
 -	 */
 -	capng_clear(CAPNG_SELECT_BOTH);
 -
 -	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
 -		CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
 -		CAP_IPC_LOCK, CAP_AUDIT_WRITE,
 -		/* for google authenticator pam */
 -		CAP_SETGID, CAP_SETUID,
 -		CAP_DAC_READ_SEARCH,
 -		-1);
 -	/*
 +	 *
 	 * We need to retain some capabilities for our children (updown):
 	 * CAP_NET_ADMIN to change routes
-@@ -1725,7 +1728,13 @@ int main(int argc, char **argv)
+ 	 * (we also need it for some setsockopt() calls in main process)
 	 * CAP_NET_RAW for iptables -t mangle
 	 * CAP_DAC_READ_SEARCH for pam / google authenticator
 -	 *
 +	 * CAP_SETGID, CAP_SETUID for pam / google authenticator
 	 */
- 	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
+-	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
- 			CAP_DAC_READ_SEARCH, -1);
+-			CAP_DAC_READ_SEARCH, -1);
 -	capng_apply(CAPNG_SELECT_BOTH);
-+	int ret = capng_apply(CAPNG_SELECT_BOUNDS);
+	if (capng_get_caps_process() == -1) {
 +		llog(RC_LOG_SERIOUS, logger, "failed to query pluto process for capng capabilities");
 +	} else {
 +		/* If we don't have CAP_SETPCAP, we cannot update the bounding set */
 +		capng_select_t set = CAPNG_SELECT_CAPS;
 +		if (capng_have_capability (CAPNG_EFFECTIVE, CAP_SETPCAP)) {
 +			set = CAPNG_SELECT_BOTH;
 +		}
 +
 +		capng_clear(CAPNG_SELECT_BOTH);
 +		if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
 +			CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
 +			CAP_IPC_LOCK, CAP_AUDIT_WRITE,
 +			CAP_SETGID, CAP_SETUID,
 +			CAP_DAC_READ_SEARCH,
 +			-1) != 0) {
 +				llog(RC_LOG_SERIOUS, logger,
 +					"libcap-ng capng_updatev() failed for CAPNG_EFFECTIVE | CAPNG_PERMITTED");
 +		}
 +
 +		if (capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN,
 +			CAP_NET_RAW, CAP_DAC_READ_SEARCH, CAP_SETPCAP,
 +			-1) != 0) {
 +				llog(RC_LOG_SERIOUS, logger,
 +					"libcap-ng capng_updatev() failed for CAPNG_BOUNDING_SET");
 +		}
 +
 +		int ret = capng_apply(set);
 +		if (ret != CAPNG_NONE) {
-+		fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
+			llog(RC_LOG_SERIOUS, logger,
 +				"libcap-ng capng_apply failed to apply changes, err=%d. see: man capng_apply",
 +				ret);
 +		}
 +	}
 +
 	llog(RC_LOG, logger, "libcap-ng support [enabled]");
 #else
 	llog(RC_LOG, logger, "libcap-ng support [disabled]");
 diff --git a/testing/pluto/TESTLIST b/testing/pluto/TESTLIST
 index 75f5fcbdca..7826dc9100 100644
 --- a/testing/pluto/TESTLIST
 +++ b/testing/pluto/TESTLIST
@@ -842,7 +842,8 @@ kvmplutotest	algo-ikev2-aes-md5-esp-3des-sha1	good
 # CAP_DAC_OVERRIDE
 kvmplutotest	basic-pluto-06		good
 -
 +# libcab-ng test
 +kvmplutotest	capabilities-01		good
 #
 # a test case of PSK with aggressive mode
 diff --git a/testing/pluto/capabilities-01/description.txt b/testing/pluto/capabilities-01/description.txt
 new file mode 100644
 index 0000000000..abc1d6e90e
 --- /dev/null
 +++ b/testing/pluto/capabilities-01/description.txt
@@ -0,0 +1 @@
 +Basic test to see if pluto dropped capabilities
 diff --git a/testing/pluto/capabilities-01/west.conf b/testing/pluto/capabilities-01/west.conf
 new file mode 100644
 index 0000000000..c7b108eae7
 --- /dev/null
 +++ b/testing/pluto/capabilities-01/west.conf
@@ -0,0 +1,19 @@
 +# /etc/ipsec.conf - Libreswan IPsec configuration file
 +
 +version 2.0
 +
 +config setup
 +	# put the logs in /tmp for the UMLs, so that we can operate
 +	# without syslogd, which seems to break on UMLs
 +	logfile=/tmp/pluto.log
 +	logtime=no
 +	logappend=no
 +	plutodebug=all
 +	dumpdir=/tmp
 +	virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.0.1.0/24,%v6:!2001:db8:0:1::/64
 +
 +conn westnet-eastnet-ipv4-psk-ikev2
 +	also=westnet-eastnet-ipv4-psk
 +
 +include	/testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common
 +
 diff --git a/testing/pluto/capabilities-01/west.console.txt b/testing/pluto/capabilities-01/west.console.txt
 new file mode 100644
 index 0000000000..6f98855ad9
 --- /dev/null
 +++ b/testing/pluto/capabilities-01/west.console.txt
@@ -0,0 +1,22 @@
 +/testing/guestbin/swan-prep
 +west #
 + ipsec start
 +Redirecting to: [initsystem]
 +west #
 + ../../guestbin/wait-until-pluto-started
 +west #
 + echo "initdone"
 +initdone
 +west #
 + netcap | grep pluto | sed "s/^.*pluto/pluto/"
 +pluto            udp      500    dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
 +pluto            udp      500    dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
 +pluto            udp      500    dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
 +pluto            udp      4500   dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
 +pluto            udp      4500   dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
 +pluto            udp      4500   dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
 +west #
 + echo done
 +done
 +west #
 + 
 diff --git a/testing/pluto/capabilities-01/west.secrets b/testing/pluto/capabilities-01/west.secrets
 new file mode 100644
 index 0000000000..d3ed5698d0
 --- /dev/null
 +++ b/testing/pluto/capabilities-01/west.secrets
@@ -0,0 +1 @@
 +@west @east : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
 diff --git a/testing/pluto/capabilities-01/westinit.sh b/testing/pluto/capabilities-01/westinit.sh
 new file mode 100755
 index 0000000000..f803fcf070
 --- /dev/null
 +++ b/testing/pluto/capabilities-01/westinit.sh
@@ -0,0 +1,4 @@
 +/testing/guestbin/swan-prep
 +ipsec start
 +../../guestbin/wait-until-pluto-started
 +echo "initdone"
 diff --git a/testing/pluto/capabilities-01/westrun.sh b/testing/pluto/capabilities-01/westrun.sh
 new file mode 100755
 index 0000000000..379da39994
 --- /dev/null
 +++ b/testing/pluto/capabilities-01/westrun.sh
@@ -0,0 +1,2 @@
 +netcap | grep pluto | sed "s/^.*pluto/pluto/"
 +echo done
--- a/libreswan.spec
+++ b/libreswan.spec
@ -30,7 +30,7 @@ Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
 Version: 4.12
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
 # The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
 # rest is under GPL-2.0-or-later
 License: GPL-2.0-or-later AND MPL-2.0
@ -213,30 +213,33 @@ certutil -N -d sql:$tmpdir --empty-password
 %doc %{_mandir}/*/*
 %changelog
-* Tue Sep 05 2023 Paul Wouters <paul.wouters@aiven.io - 4.12-2
+* Fri Sep 08 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-3
 - Update libcap-ng patch, fix email addresses in changelog
 * Tue Sep 05 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-2
 - Remove ipsec show and ipsec verify sub commands (not very useful, causes python requirement)
 - Patch for handling libcap-ng return values and fix capng_apply() call
-* Fri Aug 11 2023 Paul Wouters <paul.wouters@aiven.io - 4.12-1
+* Fri Aug 11 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-1
 - Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712
 - Resolves: rhbz#2230225 libreswan-4.12 is available
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.11-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-* Thu May 04 2023 Paul Wouters <paul.wouters@aiven.io - 4.11-1
+* Thu May 04 2023 Paul Wouters <paul.wouters@aiven.io> - 4.11-1
 - Update to 4.11 for CVE-2023-30570
-* Wed Mar 01 2023 Paul Wouters <paul.wouters@aiven.io - 4.10-1
+* Wed Mar 01 2023 Paul Wouters <paul.wouters@aiven.io> - 4.10-1
 - Update to 4.10 for CVE-2023-23009
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.9-2.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-* Tue Jan 10 2023 Paul Wouters <paul.wouters@aiven.io - 4.9-2
+* Tue Jan 10 2023 Paul Wouters <paul.wouters@aiven.io> - 4.9-2
 - Use new GPG key location.
-* Thu Oct 13 2022 Paul Wouters <paul.wouters@aiven.io - 4.9-1
+* Thu Oct 13 2022 Paul Wouters <paul.wouters@aiven.io> - 4.9-1
 - Update to 4.9 (maxbytes/maxpackets support, raw ECDSA support, misc fixes)
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.7-1.1