- Update libcap-ng patch, fix email addresses in changelog

2023-09-08 12:45:22 -04:00 · 2023-09-08 12:45:22 -04:00 · d609d0e8ad
commit d609d0e8ad
parent 9051f09a66
2 changed files with 171 additions and 65 deletions
--- a/libreswan-4.12-libcap-ng.patch
+++ b/libreswan-4.12-libcap-ng.patch
@ -1,72 +1,175 @@
-commit ad147f53bebf596474df27609a4a6542d0e17400
-Author: Paul Wouters <paul.wouters@aiven.io>
-Date:   Tue Sep 5 22:49:28 2023 -0400
-
-    pluto: check return code of libcap-ng functions
-    
-    Avoids "error: ignoring return value of ‘capng_apply’ ..."
-
-diff --git a/include/pluto_constants.h b/include/pluto_constants.h
-index 1dd86ba372..f4487a2b0a 100644
--- a/include/pluto_constants.h
-+++ b/include/pluto_constants.h
-@@ -1024,7 +1024,8 @@ enum pluto_exit_code {
- 	PLUTO_EXIT_UNBOUND_FAIL = 9,
- 	PLUTO_EXIT_LOCK_FAIL = 10, /* historic value */
- 	PLUTO_EXIT_SELINUX_FAIL = 11,
-	PLUTO_EXIT_LEAVE_STATE = 12, /* leave kernel state and routes */
-+	PLUTO_EXIT_CAPNG_FAIL = 12,
-+	PLUTO_EXIT_LEAVE_STATE = 13, /* leave kernel state and routes */
- 	/**/
- 	PLUTO_EXIT_GIT_BISECT_CAN_NOT_TEST = 125,
- 	PLUTO_EXIT_SHELL_COMMAND_NOT_FOUND = 126,
-diff --git a/lib/libswan/pluto_exit_code_names.c b/lib/libswan/pluto_exit_code_names.c
-index bb4b3284a5..6d245d4642 100644
--- a/lib/libswan/pluto_exit_code_names.c
-+++ b/lib/libswan/pluto_exit_code_names.c
-@@ -46,6 +46,7 @@ static const char *pluto_exit_code_name[] = {
- 	S(PLUTO_EXIT_UNBOUND_FAIL),
- 	S(PLUTO_EXIT_LOCK_FAIL),
- 	S(PLUTO_EXIT_SELINUX_FAIL),
-+	S(PLUTO_EXIT_CAPNG_FAIL),
- 	S(PLUTO_EXIT_LEAVE_STATE),
- #undef S
- };
 diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
-index 565538ba18..efc287b8fc 100644
+index 953937ec02..4fc67d3b14 100644
 --- a/programs/pluto/plutomain.c
 +++ b/programs/pluto/plutomain.c
-@@ -1708,13 +1708,16 @@ int main(int argc, char **argv)
- 	 */
- 	capng_clear(CAPNG_SELECT_BOTH);
+@@ -1676,32 +1676,56 @@ int main(int argc, char **argv)
 
-	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
-+	if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
- 		CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
- 		CAP_IPC_LOCK, CAP_AUDIT_WRITE,
- 		/* for google authenticator pam */
- 		CAP_SETGID, CAP_SETUID,
- 		CAP_DAC_READ_SEARCH,
-		-1);
-+		-1) != 0) {
-+			fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
-+				"libcap-ng capng_updatev() failed");
-+	}
+ #ifdef HAVE_LIBCAP_NG
 	/*
+	 * If we don't have the capability to drop capailities, do nothing.
+	 *
+ 	 * Drop capabilities - this generates a false positive valgrind warning
+ 	 * See: http://marc.info/?l=linux-security-module&m=125895232029657
+ 	 *
+ 	 * We drop these after creating the pluto socket or else we can't
+ 	 * create a socket if the parent dir is non-root (eg openstack)
+-	 */
+-	capng_clear(CAPNG_SELECT_BOTH);
+-
+-	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+-		CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
+-		CAP_IPC_LOCK, CAP_AUDIT_WRITE,
+-		/* for google authenticator pam */
+-		CAP_SETGID, CAP_SETUID,
+-		CAP_DAC_READ_SEARCH,
+-		-1);
+-	/*
+	 *
 	 * We need to retain some capabilities for our children (updown):
 	 * CAP_NET_ADMIN to change routes
-@@ -1725,7 +1728,13 @@ int main(int argc, char **argv)
+ 	 * (we also need it for some setsockopt() calls in main process)
+ 	 * CAP_NET_RAW for iptables -t mangle
+ 	 * CAP_DAC_READ_SEARCH for pam / google authenticator
+-	 *
+	 * CAP_SETGID, CAP_SETUID for pam / google authenticator
 	 */
- 	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
- 			CAP_DAC_READ_SEARCH, -1);
+-	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
+-			CAP_DAC_READ_SEARCH, -1);
 -	capng_apply(CAPNG_SELECT_BOTH);
-+	int ret = capng_apply(CAPNG_SELECT_BOUNDS);
+	if (capng_get_caps_process() == -1) {
+		llog(RC_LOG_SERIOUS, logger, "failed to query pluto process for capng capabilities");
+	} else {
+		/* If we don't have CAP_SETPCAP, we cannot update the bounding set */
+		capng_select_t set = CAPNG_SELECT_CAPS;
+		if (capng_have_capability (CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+			set = CAPNG_SELECT_BOTH;
+		}
+
+		capng_clear(CAPNG_SELECT_BOTH);
+		if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+			CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
+			CAP_IPC_LOCK, CAP_AUDIT_WRITE,
+			CAP_SETGID, CAP_SETUID,
+			CAP_DAC_READ_SEARCH,
+			-1) != 0) {
+				llog(RC_LOG_SERIOUS, logger,
+					"libcap-ng capng_updatev() failed for CAPNG_EFFECTIVE | CAPNG_PERMITTED");
+		}
+
+		if (capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN,
+			CAP_NET_RAW, CAP_DAC_READ_SEARCH, CAP_SETPCAP,
+			-1) != 0) {
+				llog(RC_LOG_SERIOUS, logger,
+					"libcap-ng capng_updatev() failed for CAPNG_BOUNDING_SET");
+		}
+
+		int ret = capng_apply(set);
 +		if (ret != CAPNG_NONE) {
-+		fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
+			llog(RC_LOG_SERIOUS, logger,
 +				"libcap-ng capng_apply failed to apply changes, err=%d. see: man capng_apply",
 +				ret);
 +		}
+	}
 +
 	llog(RC_LOG, logger, "libcap-ng support [enabled]");
 #else
 	llog(RC_LOG, logger, "libcap-ng support [disabled]");
+diff --git a/testing/pluto/TESTLIST b/testing/pluto/TESTLIST
+index 75f5fcbdca..7826dc9100 100644
+--- a/testing/pluto/TESTLIST
+++ b/testing/pluto/TESTLIST
+@@ -842,7 +842,8 @@ kvmplutotest	algo-ikev2-aes-md5-esp-3des-sha1	good
+ 
+ # CAP_DAC_OVERRIDE
+ kvmplutotest	basic-pluto-06		good
+-
+# libcab-ng test
+kvmplutotest	capabilities-01		good
+ 
+ #
+ # a test case of PSK with aggressive mode
+diff --git a/testing/pluto/capabilities-01/description.txt b/testing/pluto/capabilities-01/description.txt
+new file mode 100644
+index 0000000000..abc1d6e90e
+--- /dev/null
+++ b/testing/pluto/capabilities-01/description.txt
+@@ -0,0 +1 @@
+Basic test to see if pluto dropped capabilities
+diff --git a/testing/pluto/capabilities-01/west.conf b/testing/pluto/capabilities-01/west.conf
+new file mode 100644
+index 0000000000..c7b108eae7
+--- /dev/null
+++ b/testing/pluto/capabilities-01/west.conf
+@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+version 2.0
+
+config setup
+	# put the logs in /tmp for the UMLs, so that we can operate
+	# without syslogd, which seems to break on UMLs
+	logfile=/tmp/pluto.log
+	logtime=no
+	logappend=no
+	plutodebug=all
+	dumpdir=/tmp
+	virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.0.1.0/24,%v6:!2001:db8:0:1::/64
+
+conn westnet-eastnet-ipv4-psk-ikev2
+	also=westnet-eastnet-ipv4-psk
+
+include	/testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common
+
+diff --git a/testing/pluto/capabilities-01/west.console.txt b/testing/pluto/capabilities-01/west.console.txt
+new file mode 100644
+index 0000000000..6f98855ad9
+--- /dev/null
+++ b/testing/pluto/capabilities-01/west.console.txt
+@@ -0,0 +1,22 @@
+/testing/guestbin/swan-prep
+west #
+ ipsec start
+Redirecting to: [initsystem]
+west #
+ ../../guestbin/wait-until-pluto-started
+west #
+ echo "initdone"
+initdone
+west #
+ netcap | grep pluto | sed "s/^.*pluto/pluto/"
+pluto            udp      500    dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
+pluto            udp      500    dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
+pluto            udp      500    dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
+pluto            udp      4500   dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
+pluto            udp      4500   dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
+pluto            udp      4500   dac_read_search, setgid, setuid, net_bind_service, net_admin, net_raw, ipc_lock, audit_write +
+west #
+ echo done
+done
+west #
+ 
+diff --git a/testing/pluto/capabilities-01/west.secrets b/testing/pluto/capabilities-01/west.secrets
+new file mode 100644
+index 0000000000..d3ed5698d0
+--- /dev/null
+++ b/testing/pluto/capabilities-01/west.secrets
+@@ -0,0 +1 @@
+@west @east : PSK "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
+diff --git a/testing/pluto/capabilities-01/westinit.sh b/testing/pluto/capabilities-01/westinit.sh
+new file mode 100755
+index 0000000000..f803fcf070
+--- /dev/null
+++ b/testing/pluto/capabilities-01/westinit.sh
+@@ -0,0 +1,4 @@
+/testing/guestbin/swan-prep
+ipsec start
+../../guestbin/wait-until-pluto-started
+echo "initdone"
+diff --git a/testing/pluto/capabilities-01/westrun.sh b/testing/pluto/capabilities-01/westrun.sh
+new file mode 100755
+index 0000000000..379da39994
+--- /dev/null
+++ b/testing/pluto/capabilities-01/westrun.sh
+@@ -0,0 +1,2 @@
+netcap | grep pluto | sed "s/^.*pluto/pluto/"
+echo done
--- a/libreswan.spec
+++ b/libreswan.spec
@ -30,7 +30,7 @@ Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
 Version: 4.12
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
 # The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
 # rest is under GPL-2.0-or-later
 License: GPL-2.0-or-later AND MPL-2.0
@ -213,30 +213,33 @@ certutil -N -d sql:$tmpdir --empty-password
 %doc %{_mandir}/*/*

 %changelog
-* Tue Sep 05 2023 Paul Wouters <paul.wouters@aiven.io - 4.12-2
+* Fri Sep 08 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-3
+- Update libcap-ng patch, fix email addresses in changelog
+
+* Tue Sep 05 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-2
 - Remove ipsec show and ipsec verify sub commands (not very useful, causes python requirement)
 - Patch for handling libcap-ng return values and fix capng_apply() call

-* Fri Aug 11 2023 Paul Wouters <paul.wouters@aiven.io - 4.12-1
+* Fri Aug 11 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-1
 - Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712
 - Resolves: rhbz#2230225 libreswan-4.12 is available

 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.11-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

-* Thu May 04 2023 Paul Wouters <paul.wouters@aiven.io - 4.11-1
+* Thu May 04 2023 Paul Wouters <paul.wouters@aiven.io> - 4.11-1
 - Update to 4.11 for CVE-2023-30570

-* Wed Mar 01 2023 Paul Wouters <paul.wouters@aiven.io - 4.10-1
+* Wed Mar 01 2023 Paul Wouters <paul.wouters@aiven.io> - 4.10-1
 - Update to 4.10 for CVE-2023-23009

 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.9-2.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

-* Tue Jan 10 2023 Paul Wouters <paul.wouters@aiven.io - 4.9-2
+* Tue Jan 10 2023 Paul Wouters <paul.wouters@aiven.io> - 4.9-2
 - Use new GPG key location.

-* Thu Oct 13 2022 Paul Wouters <paul.wouters@aiven.io - 4.9-1
+* Thu Oct 13 2022 Paul Wouters <paul.wouters@aiven.io> - 4.9-1
 - Update to 4.9 (maxbytes/maxpackets support, raw ECDSA support, misc fixes)

 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.7-1.1