public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] libcap: Update version to 2.56
Date: Mon, 06 Sep 2021 10:51:15 +0100
Message-ID: <31CAF4B1-124E-4FF1-A0AE-24E9E1BEBC4E@ipfire.org>
In-Reply-To: <20210905204546.2785744-1-adolf.belka@ipfire.org>

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 5 Sep 2021, at 21:45, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> - Update from 2.50 to 2.56
> - Update rootfile
> - Delete libcap-2.50-install_capsh_again.patch as this is now built into source tarball
> - Changelog
>  Release notes for 2.56
>    Canonicalize the Makefile use (in collaboration with David Seifert)
>        In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)
>    Doc fixes for cap_iab.3
>    Added color support to captree, which helped make the following fix generate readable output:
>        Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)
>    Fixed contrib/sucap/su to correctly handle the Inheritable flag.
>   Release notes for 2.55
>    Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich
>    Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)
>        This generated a few broken builds until it was fixed.
>    Cleanup of some man pages; some fixes and shorter URL to bugzilla link.
>    Added libcap cap_proc_root() API function (to reach parity with the Go cap package).
>        This is only potentially useful with the recently added cap_iab_get_pid() function
>    Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controller GOPATH.
>        Now make GOLANG=yes only installs the captree utility
>        Added some features to captree and created a small article on it
>        Added a man page for the captree utility
>    Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated.
>        Included adding --has-b support to capsh
>  Release notes for 2.54
>    Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)
>    Fixes to not ignore allocation failures (patch provided by Samanta Navarro)
>    Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()
>    More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)
>    Revamped the Go capability comparison API for *cap.Set and *cap.IAB, and added cap.IABGetPID()
>    Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.
>    Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.
>        Extended getpcap to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).
>    Install *.so files as executable now that they are executable as binaries
>        A feature of 2.52 but not extended to install rules at that time.
>    Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)
>        Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.
>    Fixed a compiler warnings from the GitHub build tester (Bug 214143)
>  Release notes for 2.53
>    The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)
>        Added a test case for this too.
>    Lots of tyops fixed in code and documentation (also by Samanta Navarro)
>    Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)
>        These distributions failed to observe a runnable pam_cap.so and various make options failed.
>    Support clang builds (again). (Reported by Johan Herland 214047)
>        This used to work, but by accident. It broke with the advent of a runnable libcap.so , libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.
>    Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.
>        Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.
>  Release notes for 2.52
>    Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)
>    The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!
>        The support is used to display some description information.
>        To activate it, these binaries need to be installed executable (chmod +x ...)
>        We also provided a write-up of how to enable this sort of feature in other .so files here.
>    The module pam_cap.so now contains support for a default=<IAB> module argument. (Bug 213611).
>    Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.
>    Added capsh --current support.
>    Minor documentation updates.
>    Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.
>        This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.
>        At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.
>  Release notes for 2.51
>    Fix capsh installation (Bug 213261 - reported by Jan Palus)
>    Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)
>    Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)
>        This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages
>    API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.
>        This can be used to raise all the Permitted capabilities in a Set with one API call.
>    In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).
>        This is with an eye to the imminent golang change removing support for GOPATH based building.
>    Minor compilation warning fixes
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/libcap                |  9 +++--
> lfs/libcap                                    |  7 ++--
> .../libcap-2.50-install_capsh_again.patch     | 38 -------------------
> 3 files changed, 9 insertions(+), 45 deletions(-)
> delete mode 100644 src/patches/libcap-2.50-install_capsh_again.patch
> 
> diff --git a/config/rootfiles/common/libcap b/config/rootfiles/common/libcap
> index def30cb5a..95c62bdeb 100644
> --- a/config/rootfiles/common/libcap
> +++ b/config/rootfiles/common/libcap
> @@ -1,10 +1,10 @@
> #lib/libcap.a
> lib/libcap.so.2
> -lib/libcap.so.2.50
> +lib/libcap.so.2.56
> #lib/libpsx.a
> #lib/libpsx.so
> -#lib/libpsx.so.2
> -#lib/libpsx.so.2.50
> +lib/libpsx.so.2
> +lib/libpsx.so.2.56
> #lib/pkgconfig/libcap.pc
> #lib/pkgconfig/libpsx.pc
> lib/security/pam_cap.so
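
Review bot: the commit message does not explain why lib/libpsx.so.2 and lib/libpsx.so.2.56 at the top of this hunk change from commented out to shipped; "Update rootfile" reads as a pure version bump, but these two lines add a new shared library to the installed image. Please say in the commit message which package or binary needs libpsx at runtime, or keep the two entries commented out as they were for 2.50.
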
> @@ -36,8 +36,10 @@ usr/lib/libcap.so
> #usr/share/man/man3/cap_get_proc.3
> #usr/share/man/man3/cap_get_secbits.3
> #usr/share/man/man3/cap_iab.3
> +#usr/share/man/man3/cap_iab_compare.3
> #usr/share/man/man3/cap_iab_fill.3
> #usr/share/man/man3/cap_iab_from_text.3
> +#usr/share/man/man3/cap_iab_get_pid.3
> #usr/share/man/man3/cap_iab_get_proc.3
> #usr/share/man/man3/cap_iab_get_vector.3
> #usr/share/man/man3/cap_iab_init.3
> @@ -73,6 +75,7 @@ usr/lib/libcap.so
> #usr/share/man/man3/psx_syscall.3
> #usr/share/man/man3/psx_syscall3.3
> #usr/share/man/man3/psx_syscall6.3
> +#usr/share/man/man8/captree.8
> #usr/share/man/man8/getcap.8
> #usr/share/man/man8/getpcaps.8
> #usr/share/man/man8/setcap.8
> diff --git a/lfs/libcap b/lfs/libcap
> index 610ff474b..c814a6f73 100644
> --- a/lfs/libcap
> +++ b/lfs/libcap
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 2.50
> +VER        = 2.56
> 
> THISAPP    = libcap-$(VER)
> DL_FILE    = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = 66a561afa81666236ff973544ff4e864
> +$(DL_FILE)_MD5 = 095695b2e61ab5baf96609cdac9c15a7
> 
> install : $(TARGET)
> 
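
Review bot: the replaced $(DL_FILE)_MD5 line is the only integrity check on the 2.56 tarball visible in this patch, and MD5 is not collision resistant. Before accepting the new value, confirm the download against a signature or stronger digest published by upstream, and note in the commit message how the tarball was verified.
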
> @@ -70,13 +70,12 @@ $(subst %,%_MD5,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 	@$(PREBUILD)
> 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
> -	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libcap-2.50-install_capsh_again.patch
> 	# Prevent a static library from being installed
> 	cd $(DIR_APP) && sed -i '/install.*STALIBNAME/d' libcap/Makefile
> 	cd $(DIR_APP) && make GOLANG=no
> 	cd $(DIR_APP) && make install GOLANG=no
> 	rm -vf /lib/libcap.so
> -	ln -svf /lib/libcap.so.2.50 /usr/lib/libcap.so
> +	ln -svf /lib/libcap.so.2.56 /usr/lib/libcap.so
> 	chmod +x /lib/libcap.so.*
> 	@rm -rf $(DIR_APP)
> 	@$(POSTBUILD)
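
Review bot: the symlink line still hardcodes the version, now as /lib/libcap.so.2.56, although VER is already defined at the top of this file. Writing it as ln -svf /lib/libcap.so.$(VER) /usr/lib/libcap.so would remove one place that has to be edited on every bump and avoids a dangling /usr/lib/libcap.so if a future update changes VER but misses this line. Also, chmod +x /lib/libcap.so.* covers only libcap, while the rootfile in this patch now ships libpsx.so.2.56 as well; worth checking that the libpsx file mode after make install is the one intended.
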
> diff --git a/src/patches/libcap-2.50-install_capsh_again.patch b/src/patches/libcap-2.50-install_capsh_again.patch
> deleted file mode 100644
> index 0ae7520dc..000000000
> --- a/src/patches/libcap-2.50-install_capsh_again.patch
> +++ /dev/null
> @@ -1,38 +0,0 @@
> -From 1f8d32942be54850a3a89c7b58ba5613b5525c58 Mon Sep 17 00:00:00 2001
> -From: "Andrew G. Morgan" <morgan(a)kernel.org>
> -Date: Fri, 28 May 2021 13:41:17 -0700
> -Subject: [PATCH] Make capsh an installed binary again
> -
> -Bug report from Jan Palus:
> -
> -  https://bugzilla.kernel.org/show_bug.cgi?id=213261
> -
> -Signed-off-by: Andrew G. Morgan <morgan(a)kernel.org>
> ----
> - progs/Makefile | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/progs/Makefile b/progs/Makefile
> -index 313dc4d..3c3dc97 100644
> ---- a/progs/Makefile
> -+++ b/progs/Makefile
> -@@ -32,14 +32,14 @@ $(BUILD): %: %.o $(DEPS)
> - 
> - install: all
> - 	mkdir -p -m 0755 $(FAKEROOT)$(SBINDIR)
> --	for p in $(PROGS) ; do \
> -+	for p in $(PROGS) capsh ; do \
> - 		install -m 0755 $$p $(FAKEROOT)$(SBINDIR) ; \
> - 	done
> - ifeq ($(RAISE_SETFCAP),yes)
> - 	$(FAKEROOT)$(SBINDIR)/setcap cap_setfcap=i $(FAKEROOT)$(SBINDIR)/setcap
> - endif
> - 
> --test: $(PROGS)
> -+test: $(PROGS) capsh
> - 
> - capshdoc.h.cf: capshdoc.h ./mkcapshdoc.sh
> - 	./mkcapshdoc.sh > $@
> --- 
> -2.32.0.rc2
> -
> -- 
> 2.33.0
> 

