From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH v2] libcap: Update to version 2.59
Date: Mon, 27 Sep 2021 17:33:39 +0200
Message-ID: <20210927153339.1500575-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0902561152056502347=="
List-Id:

--===============0902561152056502347==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- v2 version extends the update from 2.56 to 2.59
- Update from 2.50 to 2.59
- Update rootfile
- Changelog
  Release notes for 2.59
    libcap-2.55 ... 2.58 would SIGSEGV if an operation was attempted on a NULL value for cap_t or cap_iab_t. Restore the more tolerant error return behavior last seen with libcap-2.54. (Bug 214525)
    More make -j13 fixes (missing dependency for make -C progs sudotest).
    Various minor documentation fixes.
  Release notes for 2.58
    Fixed a potential libcap memory leak by adding a destructor (Bug 214373 reported by yan12125)
    Major improvement is that there is a path for Linux-PAM compliant applications to support setting Ambient vector Capabilities via pam_cap.so now (Bug 214377)
      In addition to the bug, related discussion is in two Github issues: https://github.com/shadow-maint/shadow/pull/408#issuecomment-919673098 and https://github.com/rra/pam-krb5/issues/21
    Added support for RPM builds that generate the build-id that RPM expects (see https://github.com/rpm-software-management/rpm/issues/367 for discussion)
    Minor contrib/sucap/su.c cleanups
    Clean up kdebug build rules
    More documentation cleanup
  Release notes for 2.57
    capsh enhancements:
      --mode makes a guess at the libcap mode of the current process (Bug 214319)
      --strict makes capsh less permissive and expects the user to perform more deliberate capability transactions
        useful for learning all the steps; and helps this article be more pedagogical.
    Build system fixes
      Preserve $(WARNINGS) (Fix from David Seifert)
      Don't ever build test binaries unless make test etc is invoked (speeds builds on slower systems)
      Support make -j12 for all, test and sudotest targets
    getcap -r / now generates readable output (Bug 214317)
    Some documentation cleanup: more consistency.
  Release notes for 2.56
    Canonicalize the Makefile use (in collaboration with David Seifert)
      In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)
    Doc fixes for cap_iab.3
    Added color support to captree, which helped make the following fix generate readable output:
      Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)
    Fixed contrib/sucap/su to correctly handle the Inheritable flag.
  Release notes for 2.55
    Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich
    Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)
      This generated a few broken builds until it was fixed.
    Cleanup of some man pages; some fixes and shorter URL to bugzilla link.
    Added libcap cap_proc_root() API function (to reach parity with the Go cap package).
      This is only potentially useful with the recently added cap_iab_get_pid() function
    Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controller GOPATH.
      Now make GOLANG=yes only installs the captree utility
    Added some features to captree and created a small article on it
      Added a man page for the captree utility
    Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated.
      Included adding --has-b support to capsh
  Release notes for 2.54
    Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)
    Fixes to not ignore allocation failures (patch provided by Samanta Navarro)
    Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()
    More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)
    Revamped the Go capability comparison API for *cap.Set and *cap.IAB, and added cap.IABGetPID()
    Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.
    Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.
      Extended getpcap to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).
    Install *.so files as executable now that they are executable as binaries
      A feature of 2.52 but not extended to install rules at that time.
    Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)
      Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.
    Fixed a compiler warnings from the GitHub build tester (Bug 214143)
  Release notes for 2.53
    The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)
      Added a test case for this too.
    Lots of tyops fixed in code and documentation (also by Samanta Navarro)
    Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)
      These distributions failed to observe a runnable pam_cap.so and various make options failed.
    Support clang builds (again). (Reported by Johan Herland 214047)
      This used to work, but by accident.
      It broke with the advent of a runnable libcap.so, libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.
    Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.
      Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.
  Release notes for 2.52
    Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)
    The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!
      The support is used to display some description information.
      To activate it, these binaries need to be installed executable (chmod +x ...)
      We also provided a write-up of how to enable this sort of feature in other .so files here.
    The module pam_cap.so now contains support for a default= module argument. (Bug 213611).
    Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.
    Added capsh --current support.
    Minor documentation updates.
    Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.
      This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.
      At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.
  Release notes for 2.51
    Fix capsh installation (Bug 213261 - reported by Jan Palus)
    Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)
    Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)
      This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages
    API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.
      This can be used to raise all the Permitted capabilities in a Set with one API call.
    In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).
      This is with an eye to the imminent golang change removing support for GOPATH based building.
    Minor compilation warning fixes

Signed-off-by: Adolf Belka
--- config/rootfiles/common/libcap | 9 +++-- lfs/libcap | 7 ++-- .../libcap-2.50-install_capsh_again.patch | 38 ------------------- 3 files changed, 9 insertions(+), 45 deletions(-) delete mode 100644 src/patches/libcap-2.50-install_capsh_again.patch diff --git a/config/rootfiles/common/libcap b/config/rootfiles/common/libcap index def30cb5a..31d307b94 100644 --- a/config/rootfiles/common/libcap +++ b/config/rootfiles/common/libcap @@ -1,10 +1,10 @@ #lib/libcap.a lib/libcap.so.2 -lib/libcap.so.2.50 +lib/libcap.so.2.59 #lib/libpsx.a #lib/libpsx.so -#lib/libpsx.so.2 -#lib/libpsx.so.2.50 +lib/libpsx.so.2 +lib/libpsx.so.2.59 #lib/pkgconfig/libcap.pc #lib/pkgconfig/libpsx.pc lib/security/pam_cap.so 
@@ -36,8 +36,10 @@ usr/lib/libcap.so #usr/share/man/man3/cap_get_proc.3 #usr/share/man/man3/cap_get_secbits.3 #usr/share/man/man3/cap_iab.3 +#usr/share/man/man3/cap_iab_compare.3 #usr/share/man/man3/cap_iab_fill.3 #usr/share/man/man3/cap_iab_from_text.3 +#usr/share/man/man3/cap_iab_get_pid.3 #usr/share/man/man3/cap_iab_get_proc.3 #usr/share/man/man3/cap_iab_get_vector.3 #usr/share/man/man3/cap_iab_init.3 @@ -73,6 +75,7 @@ usr/lib/libcap.so #usr/share/man/man3/psx_syscall.3 #usr/share/man/man3/psx_syscall3.3 #usr/share/man/man3/psx_syscall6.3 +#usr/share/man/man8/captree.8 #usr/share/man/man8/getcap.8 #usr/share/man/man8/getpcaps.8 #usr/share/man/man8/setcap.8 diff --git a/lfs/libcap b/lfs/libcap index 610ff474b..7dd65983b 100644 --- a/lfs/libcap +++ b/lfs/libcap @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 2.50 +VER =3D 2.59 =20 THISAPP =3D libcap-$(VER) DL_FILE =3D $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 66a561afa81666236ff973544ff4e864 +$(DL_FILE)_MD5 =3D 585540ad79ee2692722877c0c528d165 =20 install : $(TARGET) =20 @@ -70,13 +70,12 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libcap-2.50-install_c= apsh_again.patch # Prevent a static library from being installed cd $(DIR_APP) && sed -i '/install.*STALIBNAME/d' libcap/Makefile cd $(DIR_APP) && make GOLANG=3Dno cd $(DIR_APP) && make install GOLANG=3Dno rm -vf /lib/libcap.so - ln -svf /lib/libcap.so.2.50 /usr/lib/libcap.so + ln -svf /lib/libcap.so.2.59 /usr/lib/libcap.so chmod +x /lib/libcap.so.* @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/patches/libcap-2.50-install_capsh_again.patch b/src/patches/= libcap-2.50-install_capsh_again.patch deleted file mode 100644 index 0ae7520dc..000000000 
--- a/src/patches/libcap-2.50-install_capsh_again.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 1f8d32942be54850a3a89c7b58ba5613b5525c58 Mon Sep 17 00:00:00 2001 -From: "Andrew G. Morgan" -Date: Fri, 28 May 2021 13:41:17 -0700 -Subject: [PATCH] Make capsh an installed binary again - -Bug report from Jan Palus: - - https://bugzilla.kernel.org/show_bug.cgi?id=3D213261 - -Signed-off-by: Andrew G. Morgan ---- - progs/Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/progs/Makefile b/progs/Makefile -index 313dc4d..3c3dc97 100644 ---- a/progs/Makefile -+++ b/progs/Makefile -@@ -32,14 +32,14 @@ $(BUILD): %: %.o $(DEPS) -=20 - install: all - mkdir -p -m 0755 $(FAKEROOT)$(SBINDIR) -- for p in $(PROGS) ; do \ -+ for p in $(PROGS) capsh ; do \ - install -m 0755 $$p $(FAKEROOT)$(SBINDIR) ; \ - done - ifeq ($(RAISE_SETFCAP),yes) - $(FAKEROOT)$(SBINDIR)/setcap cap_setfcap=3Di $(FAKEROOT)$(SBINDIR)/setcap - endif -=20 --test: $(PROGS) -+test: $(PROGS) capsh -=20 - capshdoc.h.cf: capshdoc.h ./mkcapshdoc.sh - ./mkcapshdoc.sh > $@ ---=20 -2.32.0.rc2 - --=20 2.33.0 --===============0902561152056502347==--
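
Review bot: the first hunk of config/rootfiles/common/libcap switches `lib/libpsx.so.2` and `lib/libpsx.so.2.59` from commented-out to shipped, but the commit message only says "Update rootfile" and gives no reason for installing libpsx at run time. If something in the image now links against libpsx, name it in the commit message; otherwise keep both entries commented as they were for 2.50 so the image does not carry an unused shared library. Note also that the install recipe only runs `chmod +x /lib/libcap.so.*`, which does not cover the libpsx objects.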
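
Review bot: the new `$(DL_FILE)_MD5` value in the `@@ -40,7 +40,7 @@` hunk of lfs/libcap is the only integrity check visible for the 2.59 tarball, and MD5 is not collision resistant. Please state in the commit message where the value came from (computed from a tarball checked against the upstream release, rather than from whatever was downloaded), so a reviewer can reproduce it independently.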
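
Review bot: in the `@@ -70,13 +70,12 @@` hunk of lfs/libcap the symlink target still hard-codes the release, `ln -svf /lib/libcap.so.2.59 /usr/lib/libcap.so`, which is why this line had to be edited by hand alongside `VER`. Writing it as `/lib/libcap.so.$(VER)` would make the next version bump touch only `VER` and the checksum, and removes the risk of a dangling `/usr/lib/libcap.so` if the two get out of step.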