From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] libcap: Update version to 2.56
Date: Mon, 06 Sep 2021 10:51:15 +0100
Message-ID: <31CAF4B1-124E-4FF1-A0AE-24E9E1BEBC4E@ipfire.org>
In-Reply-To: <20210905204546.2785744-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4630007975063405292=="
List-Id:

--===============4630007975063405292==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Michael Tremer

> On 5 Sep 2021, at 21:45, Adolf Belka wrote:
>
> - Update from 2.50 to 2.56
> - Update rootfile
> - Delete libcap-2.50-install_capsh_again.patch as this is now built into source tarball
> - Changelog
>   Release notes for 2.56
>     Canonicalize the Makefile use (in collaboration with David Seifert)
>         In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)
>     Doc fixes for cap_iab.3
>     Added color support to captree, which helped make the following fix generate readable output:
>         Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)
>     Fixed contrib/sucap/su to correctly handle the Inheritable flag.
>   Release notes for 2.55
>     Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich
>     Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)
>         This generated a few broken builds until it was fixed.
>     Cleanup of some man pages; some fixes and shorter URL to bugzilla link.
>     Added libcap cap_proc_root() API function (to reach parity with the Go cap package).
>         This is only potentially useful with the recently added cap_iab_get_pid() function
>     Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controller GOPATH.
>         Now make GOLANG=yes only installs the captree utility
>     Added some features to captree and created a small article on it
>     Added a man page for the captree utility
>     Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated.
>         Included adding --has-b support to capsh
>   Release notes for 2.54
>     Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)
>     Fixes to not ignore allocation failures (patch provided by Samanta Navarro)
>     Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()
>     More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)
>     Revamped the Go capability comparison API for *cap.Set and *cap.IAB, and added cap.IABGetPID()
>     Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.
>     Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.
>         Extended getpcap to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).
>     Install *.so files as executable now that they are executable as binaries
>         A feature of 2.52 but not extended to install rules at that time.
>     Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)
>         Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.
>     Fixed a compiler warnings from the GitHub build tester (Bug 214143)
>   Release notes for 2.53
>     The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)
>         Added a test case for this too.
>     Lots of tyops fixed in code and documentation (also by Samanta Navarro)
>     Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)
>         These distributions failed to observe a runnable pam_cap.so and various make options failed.
>     Support clang builds (again). (Reported by Johan Herland 214047)
>         This used to work, but by accident. It broke with the advent of a runnable libcap.so, libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.
>     Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.
>         Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.
>   Release notes for 2.52
>     Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)
>     The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!
>         The support is used to display some description information.
>         To activate it, these binaries need to be installed executable (chmod +x ...)
>         We also provided a write-up of how to enable this sort of feature in other .so files here.
>     The module pam_cap.so now contains support for a default= module argument. (Bug 213611).
>     Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.
>     Added capsh --current support.
>     Minor documentation updates.
>     Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.
>         This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.
>         At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.
>   Release notes for 2.51
>     Fix capsh installation (Bug 213261 - reported by Jan Palus)
>     Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)
>     Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)
>         This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages
>     API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.
>         This can be used to raise all the Permitted capabilities in a Set with one API call.
>     In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).
>         This is with an eye to the imminent golang change removing support for GOPATH based building.
>     Minor compilation warning fixes
>
> Signed-off-by: Adolf Belka
> --- > config/rootfiles/common/libcap | 9 +++-- > lfs/libcap | 7 ++-- > .../libcap-2.50-install_capsh_again.patch | 38 ------------------- > 3 files changed, 9 insertions(+), 45 deletions(-) > delete mode 100644 src/patches/libcap-2.50-install_capsh_again.patch >=20 > diff --git a/config/rootfiles/common/libcap b/config/rootfiles/common/libcap > index def30cb5a..95c62bdeb 100644 > --- a/config/rootfiles/common/libcap > +++ b/config/rootfiles/common/libcap > @@ -1,10 +1,10 @@ > #lib/libcap.a > lib/libcap.so.2 > -lib/libcap.so.2.50 > +lib/libcap.so.2.56 > #lib/libpsx.a > #lib/libpsx.so > -#lib/libpsx.so.2 > -#lib/libpsx.so.2.50 > +lib/libpsx.so.2 > +lib/libpsx.so.2.56 > #lib/pkgconfig/libcap.pc > #lib/pkgconfig/libpsx.pc > lib/security/pam_cap.so
> @@ -36,8 +36,10 @@ usr/lib/libcap.so > #usr/share/man/man3/cap_get_proc.3 > #usr/share/man/man3/cap_get_secbits.3 > #usr/share/man/man3/cap_iab.3 > +#usr/share/man/man3/cap_iab_compare.3 > #usr/share/man/man3/cap_iab_fill.3 > #usr/share/man/man3/cap_iab_from_text.3 > +#usr/share/man/man3/cap_iab_get_pid.3 > #usr/share/man/man3/cap_iab_get_proc.3 > #usr/share/man/man3/cap_iab_get_vector.3 > #usr/share/man/man3/cap_iab_init.3 > @@ -73,6 +75,7 @@ usr/lib/libcap.so > #usr/share/man/man3/psx_syscall.3 > #usr/share/man/man3/psx_syscall3.3 > #usr/share/man/man3/psx_syscall6.3 > +#usr/share/man/man8/captree.8 > #usr/share/man/man8/getcap.8 > #usr/share/man/man8/getpcaps.8 > #usr/share/man/man8/setcap.8 > diff --git a/lfs/libcap b/lfs/libcap > index 610ff474b..c814a6f73 100644 > --- a/lfs/libcap > +++ b/lfs/libcap > @@ -24,7 +24,7 @@ >=20 > include Config >=20 > -VER =3D 2.50 > +VER =3D 2.56 >=20 > THISAPP =3D libcap-$(VER) > DL_FILE =3D $(THISAPP).tar.xz > @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >=20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >=20 > -$(DL_FILE)_MD5 =3D 66a561afa81666236ff973544ff4e864 > +$(DL_FILE)_MD5 =3D 095695b2e61ab5baf96609cdac9c15a7 >=20 > install : $(TARGET) >=20 > @@ -70,13 +70,12 @@ $(subst %,%_MD5,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libcap-2.50-install= _capsh_again.patch > # Prevent a static library from being installed > cd $(DIR_APP) && sed -i '/install.*STALIBNAME/d' libcap/Makefile > cd $(DIR_APP) && make GOLANG=3Dno > cd $(DIR_APP) && make install GOLANG=3Dno > rm -vf /lib/libcap.so > - ln -svf /lib/libcap.so.2.50 /usr/lib/libcap.so > + ln -svf /lib/libcap.so.2.56 /usr/lib/libcap.so > chmod +x /lib/libcap.so.* > @rm -rf $(DIR_APP) > @$(POSTBUILD) 
> diff --git a/src/patches/libcap-2.50-install_capsh_again.patch b/src/patche= s/libcap-2.50-install_capsh_again.patch > deleted file mode 100644 > index 0ae7520dc..000000000 > --- a/src/patches/libcap-2.50-install_capsh_again.patch > +++ /dev/null > @@ -1,38 +0,0 @@ > -From 1f8d32942be54850a3a89c7b58ba5613b5525c58 Mon Sep 17 00:00:00 2001 > -From: "Andrew G. Morgan" > -Date: Fri, 28 May 2021 13:41:17 -0700 > -Subject: [PATCH] Make capsh an installed binary again > - > -Bug report from Jan Palus: > - > - https://bugzilla.kernel.org/show_bug.cgi?id=3D213261 > - > -Signed-off-by: Andrew G. Morgan > ---- > - progs/Makefile | 4 ++-- > - 1 file changed, 2 insertions(+), 2 deletions(-) > - > -diff --git a/progs/Makefile b/progs/Makefile > -index 313dc4d..3c3dc97 100644 > ---- a/progs/Makefile > -+++ b/progs/Makefile > -@@ -32,14 +32,14 @@ $(BUILD): %: %.o $(DEPS) > -=20 > - install: all > - mkdir -p -m 0755 $(FAKEROOT)$(SBINDIR) > -- for p in $(PROGS) ; do \ > -+ for p in $(PROGS) capsh ; do \ > - install -m 0755 $$p $(FAKEROOT)$(SBINDIR) ; \ > - done > - ifeq ($(RAISE_SETFCAP),yes) > - $(FAKEROOT)$(SBINDIR)/setcap cap_setfcap=3Di $(FAKEROOT)$(SBINDIR)/setcap > - endif > -=20 > --test: $(PROGS) > -+test: $(PROGS) capsh > -=20 > - capshdoc.h.cf: capshdoc.h ./mkcapshdoc.sh > - ./mkcapshdoc.sh > $@ > ---=20 > -2.32.0.rc2 > - > --=20 > 2.33.0 >=20 --===============4630007975063405292==--
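
Review bot: In config/rootfiles/common/libcap, hunk @@ -1,10 +1,10 @@, lib/libpsx.so.2 and lib/libpsx.so.2.56 change from commented out to shipped, but the commit message only says "Update rootfile". If libpsx is now meant to be on the image, say so in the commit message and name what needs it; otherwise keep both entries commented as they were for 2.50, so the image does not gain a shared object that nothing uses but that still has to be tracked and patched.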
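
Review bot: In lfs/libcap, hunk @@ -40,7 +40,7 @@, the new tarball is pinned only by the $(DL_FILE)_MD5 line, and MD5 is not collision resistant, so this value catches a corrupted download but is weak evidence against a deliberately substituted tarball. Please state in the commit message how 095695b2e61ab5baf96609cdac9c15a7 was checked against the upstream release (signature or upstream-published digest), and if the lfs framework can carry a stronger digest next to the MD5 line, add it here.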
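
Review bot: In lfs/libcap, hunk @@ -70,13 +70,12 @@, the symlink target still hard-codes the version in "ln -svf /lib/libcap.so.2.56 /usr/lib/libcap.so" although VER is defined at the top of the file; writing /lib/libcap.so.$(VER) removes one place that must be edited on every update and cannot be left pointing at a library that no longer exists. In the same hunk, "chmod +x /lib/libcap.so.*" covers only libcap while the rootfile in this patch starts shipping libpsx.so.2.56; the 2.54 release notes quoted in the commit message say the .so files are now installed executable, so either drop the chmod as redundant or make it cover both libraries.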