drop all unnecessary capabilities (#517728)

2009-08-21 11:02:44 +00:00 · 2009-08-21 11:02:44 +00:00 · 1a8b53a669
commit 1a8b53a669
parent 4cad88fcee
2 changed files with 59 additions and 1 deletions
--- a/smartmontools-5.38-lowcap.patch
+++ b/smartmontools-5.38-lowcap.patch
@ -0,0 +1,53 @@
+diff -urp smartmontools-5.38.orig/configure.in smartmontools-5.38/configure.in
+--- smartmontools-5.38.orig/configure.in	2009-08-16 07:42:57.000000000 -0400
+++ smartmontools-5.38/configure.in	2009-08-16 08:07:53.000000000 -0400
+@@ -143,6 +143,8 @@ if test "$with_selinux" = "yes"; then
+ 	AC_DEFINE(WITH_SELINUX, [1], [Define to 1 if SELinux support is enabled])
+ fi
+ 
+LIBCAP_NG_PATH
+
+ if test "$prefix" = "NONE"; then
+     dnl no prefix and no mandir, so use ${prefix}/share/man as default
+     if test "$mandir" = '${prefix}/man'; then
+diff -urp smartmontools-5.38.orig/Makefile.am smartmontools-5.38/Makefile.am
+--- smartmontools-5.38.orig/Makefile.am	2009-08-16 07:42:57.000000000 -0400
+++ smartmontools-5.38/Makefile.am	2009-08-16 08:07:53.000000000 -0400
+@@ -35,7 +35,7 @@ smartd_SOURCES =  smartd.cpp      \
+                   utility.cpp     \
+                   utility.h
+ 
+-smartd_LDADD = @os_deps@ @os_libs@
+smartd_LDADD = @os_deps@ @os_libs@ @CAPNG_LDADD@
+ smartd_DEPENDENCIES = @os_deps@
+ 
+ EXTRA_smartd_SOURCES = os_darwin.cpp    \
+diff -urp smartmontools-5.38.orig/smartd.cpp smartmontools-5.38/smartd.cpp
+--- smartmontools-5.38.orig/smartd.cpp	2009-08-16 07:42:57.000000000 -0400
+++ smartmontools-5.38/smartd.cpp	2009-08-16 08:08:27.000000000 -0400
+@@ -74,6 +74,10 @@ extern "C" int __stdcall FreeConsole(voi
+ #include <io.h> // setmode()
+ #endif // __CYGWIN__
+ 
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#endif //LIBCAP_NG
+
+ // locally included files
+ #include "int64.h"
+ #include "atacmds.h"
+@@ -4408,6 +4412,14 @@ static int smartd_main(int argc, char **
+   
+   // don't exit on bad checksums
+   con->checksumfail=0;
+
+#ifdef HAVE_LIBCAP_NG
+  // Drop capabilities
+  capng_clear(CAPNG_SELECT_BOTH);
+  capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED),
+               CAP_SYS_ADMIN);
+  capng_apply(CAPNG_SELECT_BOTH);
+#endif
+   
+   // the main loop of the code
+   while (1){
--- a/smartmontools.spec
+++ b/smartmontools.spec
@ -1,7 +1,7 @@
 Summary:	Tools for monitoring SMART capable hard disks
 Name:		smartmontools
 Version:	5.38
-Release: 	13%{?dist}
+Release: 	14%{?dist}
 Epoch:		1
 Group:		System Environment/Base
 License:	GPLv2+
@ -14,6 +14,7 @@ Patch2:     smartmontools-5.37-addrinfo.patch
 Patch3:     smartmontools-5.38-perc.patch
 Patch4:     smartmontools-5.38-selinux.patch
 Patch5:     smartmontools-5.38-defaultconf.patch
+Patch6:     smartmontools-5.38-lowcap.patch
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires:	fileutils mailx chkconfig initscripts
 BuildRequires: readline-devel ncurses-devel /usr/bin/aclocal util-linux groff gettext
@ -34,6 +35,7 @@ failure.
 %patch3 -p1 -b .perc
 %patch4 -p1 -b .selinux
 %patch5 -p1 -b .defaultconf
+%patch6 -p1 -b .lowcap

 %build
 %configure --with-selinux
@ -75,6 +77,9 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/smartmontools

 %changelog
+* Fri Aug 21 2009 Michal Hlavinka <mhlavink@redhat.com> - 1:5.38-14
+- drop all unnecessary capabilities (#517728)
+
 * Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:5.38-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild