[icecream] regenerate patches

Michal Schmidt michich at fedoraproject.org
Mon Sep 2 16:49:42 UTC 2013


commit 8c1f0584efc2068e0211a55bfb81ecb03f163171
Author: Michal Schmidt <mschmidt at redhat.com>
Date:   Mon Sep 2 18:31:55 2013 +0200

    regenerate patches

 ...-dist-hook-work-also-with-srcdir-builddir.patch |    2 +-
 0002-handle-HOME-not-being-set.patch               |    2 +-
 ...Ubuntu-uses-docbook2x-man-instead-of-docb.patch |    2 +-
 ...has-docbook2man-instead-of-docbook-to-man.patch |    2 +-
 ...-chmod-chown-envs-dir-when-preparing-this.patch |    2 +-
 ...main-do-not-create-run-icecc-by-ourselves.patch |    4 +-
 ...reate-env-avoid-tar-looking-at-etc-passwd.patch |    6 +-
 0008-daemon-improve-capabilities-dropping.patch    |   44 ++++++++++++++++++++
 0008-daemon-set-capability-bounding-set.patch      |   34 ---------------
 icecream.spec                                      |    6 +-
 10 files changed, 57 insertions(+), 47 deletions(-)
---
diff --git a/0001-make-dist-hook-work-also-with-srcdir-builddir.patch b/0001-make-dist-hook-work-also-with-srcdir-builddir.patch
index 94d5d95..e1e3599 100644
--- a/0001-make-dist-hook-work-also-with-srcdir-builddir.patch
+++ b/0001-make-dist-hook-work-also-with-srcdir-builddir.patch
@@ -1,7 +1,7 @@
 From 5abe21688caea8dcfbe1d747102e52830fa352d8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Lu=C5=88=C3=A1k?= <l.lunak at suse.cz>
 Date: Thu, 11 Jul 2013 15:40:13 +0200
-Subject: [PATCH 1/4] make dist-hook work also with srcdir != builddir
+Subject: [PATCH 1/8] make dist-hook work also with srcdir != builddir
 
 ---
  Makefile.am | 2 +-
diff --git a/0002-handle-HOME-not-being-set.patch b/0002-handle-HOME-not-being-set.patch
index 8d93985..fbe1717 100644
--- a/0002-handle-HOME-not-being-set.patch
+++ b/0002-handle-HOME-not-being-set.patch
@@ -1,7 +1,7 @@
 From 6f79da339b3fd946b46932d61f30a117918de7b7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Lu=C5=88=C3=A1k?= <l.lunak at suse.cz>
 Date: Tue, 16 Jul 2013 15:46:06 +0200
-Subject: [PATCH 2/4] handle $HOME not being set
+Subject: [PATCH 2/8] handle $HOME not being set
 
 ---
  client/main.cpp |  2 +-
diff --git a/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch b/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
index df08bbf..5bc17f2 100644
--- a/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
+++ b/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
@@ -1,7 +1,7 @@
 From 059b0aaa9b54ab4a8866cdaf40eb4200a2797feb Mon Sep 17 00:00:00 2001
 From: Rodrigo Belem <rodrigo.belem at gmail.com>
 Date: Mon, 8 Apr 2013 15:55:49 -0400
-Subject: [PATCH 3/4] Debian and Ubuntu uses docbook2x-man instead of
+Subject: [PATCH 3/8] Debian and Ubuntu uses docbook2x-man instead of
  docbook-to-man
 
 Signed-off-by: Rodrigo Belem <rodrigo.belem at gmail.com>
diff --git a/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch b/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
index fbe69fb..721f505 100644
--- a/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
+++ b/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
@@ -1,7 +1,7 @@
 From 50e25516be288526f6251502900c7cc887b40294 Mon Sep 17 00:00:00 2001
 From: Eike Ziller <github at eikeziller.de>
 Date: Tue, 18 Jun 2013 22:55:36 +0200
-Subject: [PATCH 4/4] Mac/brew has docbook2man instead of docbook-to-man
+Subject: [PATCH 4/8] Mac/brew has docbook2man instead of docbook-to-man
 
 (cherry picked from commit a40bae096bd51f328d6ff299077c5530729b0580)
 ---
diff --git a/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch b/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
index 63e9344..1e3d05d 100644
--- a/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
+++ b/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
@@ -1,7 +1,7 @@
 From bade4de1155e41809205ede25ffb99211c72547c Mon Sep 17 00:00:00 2001
 From: Michal Schmidt <mschmidt at redhat.com>
 Date: Mon, 26 Aug 2013 17:08:52 +0200
-Subject: [PATCH 5/5] Revert "chmod/chown envs dir when preparing this"
+Subject: [PATCH 5/8] Revert "chmod/chown envs dir when preparing this"
 
 This reverts commit 137e683760707c690df496516432d72d8f7a81d3.
 ---
diff --git a/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch b/0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch
similarity index 88%
rename from 0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
rename to 0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch
index 8619deb..b156cb9 100644
--- a/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
+++ b/0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch
@@ -1,7 +1,7 @@
-From b67c1d823282b062c9804772756487f78a599ade Mon Sep 17 00:00:00 2001
+From ab65771358f581d55889eba5e3feab283ab55717 Mon Sep 17 00:00:00 2001
 From: Michal Schmidt <mschmidt at redhat.com>
 Date: Thu, 29 Aug 2013 18:12:02 +0200
-Subject: [PATCH 7/7] daemon/main: do not create /run/icecc by ourselves
+Subject: [PATCH 6/8] daemon/main: do not create /run/icecc by ourselves
 
 In order to be able to restrict the daemon's SELinux policy even more,
 let's rely on tmpfiles.d to create the /run/icecc directory for us
diff --git a/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch b/0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
similarity index 82%
rename from 0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
rename to 0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
index e142b90..22b4ea8 100644
--- a/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
+++ b/0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
@@ -1,11 +1,11 @@
-From 26461a88508f277c33d95f5c5eb52cdd8d7c7737 Mon Sep 17 00:00:00 2001
+From 318786fede24b6dbeb2c8be4706d432dbf6585af Mon Sep 17 00:00:00 2001
 From: Michal Schmidt <mschmidt at redhat.com>
 Date: Thu, 29 Aug 2013 15:54:19 +0200
-Subject: [PATCH 6/6] icecc-create-env: avoid tar looking at /etc/passwd
+Subject: [PATCH 7/8] icecc-create-env: avoid tar looking at /etc/passwd
 
 If we invoke tar with --numeric-owner, it won't try to read /etc/passwd.
 This has the minor benefit of not having to worry about this access in
-the SELinux policy.
+the SELinux policy (or other MAC policies).
 ---
  client/icecc-create-env | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/0008-daemon-improve-capabilities-dropping.patch b/0008-daemon-improve-capabilities-dropping.patch
new file mode 100644
index 0000000..ac40964
--- /dev/null
+++ b/0008-daemon-improve-capabilities-dropping.patch
@@ -0,0 +1,44 @@
+From 4c2bce95802f47383f6f57245a447183da4de7c9 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Fri, 30 Aug 2013 21:25:47 +0200
+Subject: [PATCH 8/8] daemon: improve capabilities dropping
+
+This fixes issues in the usage of libcap-ng to drop capabilities:
+- capng_change_id() already applies the selected capabilities. Calling
+  capng_apply() afterwards is pointless.
+- In order to apply the bounding set, CAPNG_CLEAR_BOUNDING must therefore
+  be passed to capng_change_id(). Might as well add CAPNG_DROP_SUPP_GRP
+  to drop any supplementary groups.
+- The return value of capng_change_id() must be checked to prevent
+  continuing to run with unwanted capabilities in case of an error.
+
+I have checked that with this patch applied iceccd runs with a bounding
+set defined (pscap does not show the '+' sign anymore).
+---
+ daemon/main.cpp | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/daemon/main.cpp b/daemon/main.cpp
+index 387d4e2..34ad342 100644
+--- a/daemon/main.cpp
++++ b/daemon/main.cpp
+@@ -1803,9 +1803,13 @@ int main( int argc, char ** argv )
+ 
+ #ifdef HAVE_LIBCAP_NG
+         capng_clear(CAPNG_SELECT_BOTH);
+-        capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
+-        capng_change_id(d.user_uid, d.user_gid, CAPNG_NO_FLAG);
+-        capng_apply(CAPNG_SELECT_BOTH);
++        capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT);
++        int r = capng_change_id(d.user_uid, d.user_gid,
++                                (capng_flags_t)(CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING));
++        if (r) {
++            log_error() << "Error: capng_change_id failed: " << r << endl;
++            exit(EXIT_SETUID_FAILED);
++        }
+ #endif
+     } else {
+         d.noremote = true;
+-- 
+1.8.3.1
+
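Review bot: The return value of capng_update() on the line before the new capng_change_id call is still ignored, even though the commit's own rationale is that libcap-ng return codes must be checked; it returns int, and a failure there means the daemon goes on to change ids without CAP_SYS_CHROOT in the requested set (it fails closed at the later chroot, but the error is better caught at its source with the same log-and-exit pattern): `if (capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT)) { log_error() << "Error: capng_update failed" << endl; exit(EXIT_SETUID_FAILED); }`. The exit on `r != 0` is the right call, and it deserves a why-comment so it is not softened later, e.g. `// A failed capng_change_id can leave uid/gid/caps partially applied; never continue.` since the partially-privileged state is the whole risk being closed. The commit message relies on a manual pscap check to confirm the bounding set; a cheap in-code self-check after the call (capng_get_caps_process() followed by capng_have_capabilities()/capng_have_capability() on the effective set) would make that guarantee hold on every start rather than only on the author's machine, if the project is willing to pay the extra call. main() starts and ends outside this hunk; the remaining hunks in this commit are subject renumbering, file renames and the matching spec Patch lines.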
diff --git a/icecream.spec b/icecream.spec
index c8f1949..7c379ad 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -27,9 +27,9 @@ Patch0002:	0002-handle-HOME-not-being-set.patch
 Patch0003:	0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
 Patch0004:	0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
 Patch0005:	0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
-Patch0006:	0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
-Patch0007:	0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
-Patch0008:	0008-daemon-set-capability-bounding-set.patch
+Patch0006:	0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch
+Patch0007:	0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
+Patch0008:	0008-daemon-improve-capabilities-dropping.patch
 
 Patch10000:	%{name}-cleanup-conffile.patch
 

