[icecream] set cap bounding set properly and check for capng errors

Michal Schmidt michich at fedoraproject.org
Mon Sep 2 16:49:32 UTC 2013


commit 97af90e7a51f0f14e3a02ef7482a09494c30bfc9
Author: Michal Schmidt <mschmidt at redhat.com>
Date:   Fri Aug 30 22:49:15 2013 +0200

    set cap bounding set properly and check for capng errors

 0008-daemon-set-capability-bounding-set.patch |   34 +++++++++++++++++++++++++
 icecream.spec                                 |    2 +
 2 files changed, 36 insertions(+), 0 deletions(-)
---
diff --git a/0008-daemon-set-capability-bounding-set.patch b/0008-daemon-set-capability-bounding-set.patch
new file mode 100644
index 0000000..1472723
--- /dev/null
+++ b/0008-daemon-set-capability-bounding-set.patch
@@ -0,0 +1,34 @@
+From 69e7fd2d9db8bf17d357c12a36b7a31f9db42d8d Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Fri, 30 Aug 2013 21:25:47 +0200
+Subject: [PATCH 8/8] daemon: set capability bounding set
+
+---
+ daemon/main.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/daemon/main.cpp b/daemon/main.cpp
+index 387d4e2..11d1d2c 100644
+--- a/daemon/main.cpp
++++ b/daemon/main.cpp
+@@ -1802,10 +1802,15 @@ int main( int argc, char ** argv )
+         }
+ 
+ #ifdef HAVE_LIBCAP_NG
++        int r;
+         capng_clear(CAPNG_SELECT_BOTH);
+         capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
+-        capng_change_id(d.user_uid, d.user_gid, CAPNG_NO_FLAG);
+-        capng_apply(CAPNG_SELECT_BOTH);
++        r = capng_change_id(d.user_uid, d.user_gid,
++                            (capng_flags_t)(CAPNG_DROP_SUPP_GRP|CAPNG_CLEAR_BOUNDING));
++        if (r) {
++            log_error() << "Error: capng_change_id failed: " << r << endl;
++            exit(EXIT_SETUID_FAILED);
++        }
+ #endif
+     } else {
+         d.noremote = true;
+-- 
+1.8.3.1
+
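Review bot: The return value of capng_update() on the line that adds CAP_SYS_CHROOT is still discarded, while the capng_change_id() call right after it now aborts on error; if the update fails the daemon would change uid without the capability it is meant to keep, and the later chroot would presumably fail with a less obvious message. I would check it the same way, `r = capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);` followed by `if (r) { log_error() << "Error: capng_update failed: " << r << endl; exit(EXIT_SETUID_FAILED); }`. Dropping the explicit capng_apply() also deserves a one-line comment, since it relies on capng_change_id() applying the working set itself, e.g. `// capng_change_id() applies the working set; no separate capng_apply() needed`. Note that CAP_SYS_CHROOT is only added to the effective and permitted sets, so with CAPNG_CLEAR_BOUNDING the bounding set ends up empty; if that is the intent (no capability survives an exec), say so in the comment. The enclosing main() starts and ends outside this hunk.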
diff --git a/icecream.spec b/icecream.spec
index 81b75f3..c8f1949 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -29,6 +29,7 @@ Patch0004:	0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
 Patch0005:	0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
 Patch0006:	0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
 Patch0007:	0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
+Patch0008:	0008-daemon-set-capability-bounding-set.patch
 
 Patch10000:	%{name}-cleanup-conffile.patch
 
@@ -84,6 +85,7 @@ This package contains development files for %{name}.
 %patch0005 -p1
 %patch0006 -p1
 %patch0007 -p1
+%patch0008 -p1
 %patch10000 -p0
 sed -e 's|@LIBDIR@|%{_libdir}|g;s|@LIBEXECDIR@|%{_libexecdir}|g' %{SOURCE1} > icecream.sh
 sed -e 's|@LIBDIR@|%{_libdir}|g;s|@LIBEXECDIR@|%{_libexecdir}|g' %{SOURCE2} > icecream.csh

