drop all unnecessary capabilities (#517728)

2009-08-21 11:02:44 +00:00 · 2009-08-21 11:02:44 +00:00 · 1a8b53a669
commit 1a8b53a669
parent 4cad88fcee
2 changed files with 59 additions and 1 deletions
--- a/smartmontools-5.38-lowcap.patch
+++ b/smartmontools-5.38-lowcap.patch
@ -0,0 +1,53 @@
 diff -urp smartmontools-5.38.orig/configure.in smartmontools-5.38/configure.in
 --- smartmontools-5.38.orig/configure.in	2009-08-16 07:42:57.000000000 -0400
 +++ smartmontools-5.38/configure.in	2009-08-16 08:07:53.000000000 -0400
@@ -143,6 +143,8 @@ if test "$with_selinux" = "yes"; then
 	AC_DEFINE(WITH_SELINUX, [1], [Define to 1 if SELinux support is enabled])
 fi
 +LIBCAP_NG_PATH
 +
 if test "$prefix" = "NONE"; then
     dnl no prefix and no mandir, so use ${prefix}/share/man as default
     if test "$mandir" = '${prefix}/man'; then
 diff -urp smartmontools-5.38.orig/Makefile.am smartmontools-5.38/Makefile.am
 --- smartmontools-5.38.orig/Makefile.am	2009-08-16 07:42:57.000000000 -0400
 +++ smartmontools-5.38/Makefile.am	2009-08-16 08:07:53.000000000 -0400
@@ -35,7 +35,7 @@ smartd_SOURCES =  smartd.cpp      \
                   utility.cpp     \
                   utility.h
 -smartd_LDADD = @os_deps@ @os_libs@
 +smartd_LDADD = @os_deps@ @os_libs@ @CAPNG_LDADD@
 smartd_DEPENDENCIES = @os_deps@
 EXTRA_smartd_SOURCES = os_darwin.cpp    \
 diff -urp smartmontools-5.38.orig/smartd.cpp smartmontools-5.38/smartd.cpp
 --- smartmontools-5.38.orig/smartd.cpp	2009-08-16 07:42:57.000000000 -0400
 +++ smartmontools-5.38/smartd.cpp	2009-08-16 08:08:27.000000000 -0400
@@ -74,6 +74,10 @@ extern "C" int __stdcall FreeConsole(voi
 #include <io.h> // setmode()
 #endif // __CYGWIN__
 +#ifdef HAVE_LIBCAP_NG
 +#include <cap-ng.h>
 +#endif //LIBCAP_NG
 +
 // locally included files
 #include "int64.h"
 #include "atacmds.h"
@@ -4408,6 +4412,14 @@ static int smartd_main(int argc, char **
   // don't exit on bad checksums
   con->checksumfail=0;
 +
 +#ifdef HAVE_LIBCAP_NG
 +  // Drop capabilities
 +  capng_clear(CAPNG_SELECT_BOTH);
 +  capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED),
 +               CAP_SYS_ADMIN);
 +  capng_apply(CAPNG_SELECT_BOTH);
 +#endif
   // the main loop of the code
   while (1){
--- a/smartmontools.spec
+++ b/smartmontools.spec
@ -1,7 +1,7 @@
 Summary:	Tools for monitoring SMART capable hard disks
 Name:		smartmontools
 Version:	5.38
-Release: 	13%{?dist}
+Release: 	14%{?dist}
 Epoch:		1
 Group:		System Environment/Base
 License:	GPLv2+
@ -14,6 +14,7 @@ Patch2:     smartmontools-5.37-addrinfo.patch
 Patch3:     smartmontools-5.38-perc.patch
 Patch4:     smartmontools-5.38-selinux.patch
 Patch5:     smartmontools-5.38-defaultconf.patch
 Patch6:     smartmontools-5.38-lowcap.patch
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires:	fileutils mailx chkconfig initscripts
 BuildRequires: readline-devel ncurses-devel /usr/bin/aclocal util-linux groff gettext
@ -34,6 +35,7 @@ failure.
 %patch3 -p1 -b .perc
 %patch4 -p1 -b .selinux
 %patch5 -p1 -b .defaultconf
 %patch6 -p1 -b .lowcap
 %build
 %configure --with-selinux
@ -75,6 +77,9 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/smartmontools
 %changelog
 * Fri Aug 21 2009 Michal Hlavinka <mhlavink@redhat.com> - 1:5.38-14
 - drop all unnecessary capabilities (#517728)
 * Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:5.38-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild