[icecream] regenerate patches
Michal Schmidt
michich at fedoraproject.org
Mon Sep 2 16:49:42 UTC 2013
commit 8c1f0584efc2068e0211a55bfb81ecb03f163171
Author: Michal Schmidt <mschmidt at redhat.com>
Date: Mon Sep 2 18:31:55 2013 +0200
regenerate patches
...-dist-hook-work-also-with-srcdir-builddir.patch | 2 +-
0002-handle-HOME-not-being-set.patch | 2 +-
...Ubuntu-uses-docbook2x-man-instead-of-docb.patch | 2 +-
...has-docbook2man-instead-of-docbook-to-man.patch | 2 +-
...-chmod-chown-envs-dir-when-preparing-this.patch | 2 +-
...main-do-not-create-run-icecc-by-ourselves.patch | 4 +-
...reate-env-avoid-tar-looking-at-etc-passwd.patch | 6 +-
0008-daemon-improve-capabilities-dropping.patch | 44 ++++++++++++++++++++
0008-daemon-set-capability-bounding-set.patch | 34 ---------------
icecream.spec | 6 +-
10 files changed, 57 insertions(+), 47 deletions(-)
---
diff --git a/0001-make-dist-hook-work-also-with-srcdir-builddir.patch b/0001-make-dist-hook-work-also-with-srcdir-builddir.patch
index 94d5d95..e1e3599 100644
--- a/0001-make-dist-hook-work-also-with-srcdir-builddir.patch
+++ b/0001-make-dist-hook-work-also-with-srcdir-builddir.patch
@@ -1,7 +1,7 @@
From 5abe21688caea8dcfbe1d747102e52830fa352d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Lu=C5=88=C3=A1k?= <l.lunak at suse.cz>
Date: Thu, 11 Jul 2013 15:40:13 +0200
-Subject: [PATCH 1/4] make dist-hook work also with srcdir != builddir
+Subject: [PATCH 1/8] make dist-hook work also with srcdir != builddir
---
Makefile.am | 2 +-
diff --git a/0002-handle-HOME-not-being-set.patch b/0002-handle-HOME-not-being-set.patch
index 8d93985..fbe1717 100644
--- a/0002-handle-HOME-not-being-set.patch
+++ b/0002-handle-HOME-not-being-set.patch
@@ -1,7 +1,7 @@
From 6f79da339b3fd946b46932d61f30a117918de7b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Lu=C5=88=C3=A1k?= <l.lunak at suse.cz>
Date: Tue, 16 Jul 2013 15:46:06 +0200
-Subject: [PATCH 2/4] handle $HOME not being set
+Subject: [PATCH 2/8] handle $HOME not being set
---
client/main.cpp | 2 +-
diff --git a/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch b/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
index df08bbf..5bc17f2 100644
--- a/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
+++ b/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
@@ -1,7 +1,7 @@
From 059b0aaa9b54ab4a8866cdaf40eb4200a2797feb Mon Sep 17 00:00:00 2001
From: Rodrigo Belem <rodrigo.belem at gmail.com>
Date: Mon, 8 Apr 2013 15:55:49 -0400
-Subject: [PATCH 3/4] Debian and Ubuntu uses docbook2x-man instead of
+Subject: [PATCH 3/8] Debian and Ubuntu uses docbook2x-man instead of
docbook-to-man
Signed-off-by: Rodrigo Belem <rodrigo.belem at gmail.com>
diff --git a/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch b/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
index fbe69fb..721f505 100644
--- a/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
+++ b/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
@@ -1,7 +1,7 @@
From 50e25516be288526f6251502900c7cc887b40294 Mon Sep 17 00:00:00 2001
From: Eike Ziller <github at eikeziller.de>
Date: Tue, 18 Jun 2013 22:55:36 +0200
-Subject: [PATCH 4/4] Mac/brew has docbook2man instead of docbook-to-man
+Subject: [PATCH 4/8] Mac/brew has docbook2man instead of docbook-to-man
(cherry picked from commit a40bae096bd51f328d6ff299077c5530729b0580)
---
diff --git a/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch b/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
index 63e9344..1e3d05d 100644
--- a/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
+++ b/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
@@ -1,7 +1,7 @@
From bade4de1155e41809205ede25ffb99211c72547c Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt at redhat.com>
Date: Mon, 26 Aug 2013 17:08:52 +0200
-Subject: [PATCH 5/5] Revert "chmod/chown envs dir when preparing this"
+Subject: [PATCH 5/8] Revert "chmod/chown envs dir when preparing this"
This reverts commit 137e683760707c690df496516432d72d8f7a81d3.
---
diff --git a/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch b/0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch
similarity index 88%
rename from 0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
rename to 0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch
index 8619deb..b156cb9 100644
--- a/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
+++ b/0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch
@@ -1,7 +1,7 @@
-From b67c1d823282b062c9804772756487f78a599ade Mon Sep 17 00:00:00 2001
+From ab65771358f581d55889eba5e3feab283ab55717 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt at redhat.com>
Date: Thu, 29 Aug 2013 18:12:02 +0200
-Subject: [PATCH 7/7] daemon/main: do not create /run/icecc by ourselves
+Subject: [PATCH 6/8] daemon/main: do not create /run/icecc by ourselves
In order to be able to restrict the daemon's SELinux policy even more,
let's rely on tmpfiles.d to create the /run/icecc directory for us
diff --git a/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch b/0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
similarity index 82%
rename from 0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
rename to 0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
index e142b90..22b4ea8 100644
--- a/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
+++ b/0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
@@ -1,11 +1,11 @@
-From 26461a88508f277c33d95f5c5eb52cdd8d7c7737 Mon Sep 17 00:00:00 2001
+From 318786fede24b6dbeb2c8be4706d432dbf6585af Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt at redhat.com>
Date: Thu, 29 Aug 2013 15:54:19 +0200
-Subject: [PATCH 6/6] icecc-create-env: avoid tar looking at /etc/passwd
+Subject: [PATCH 7/8] icecc-create-env: avoid tar looking at /etc/passwd
If we invoke tar with --numeric-owner, it won't try to read /etc/passwd.
This has the minor benefit of not having to worry about this access in
-the SELinux policy.
+the SELinux policy (or other MAC policies).
---
client/icecc-create-env | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/0008-daemon-improve-capabilities-dropping.patch b/0008-daemon-improve-capabilities-dropping.patch
new file mode 100644
index 0000000..ac40964
--- /dev/null
+++ b/0008-daemon-improve-capabilities-dropping.patch
@@ -0,0 +1,44 @@
+From 4c2bce95802f47383f6f57245a447183da4de7c9 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Fri, 30 Aug 2013 21:25:47 +0200
+Subject: [PATCH 8/8] daemon: improve capabilities dropping
+
+This fixes issues in the usage of libcap-ng to drop capabilities:
+- capng_change_id() already applies the selected capabilities. Calling
+ capng_apply() afterwards is pointless.
+- In order to apply the bounding set, CAPNG_CLEAR_BOUNDING must therefore
+ be passed to capng_change_id(). Might as well add CAPNG_DROP_SUPP_GRP
+ to drop any supplementary groups.
+- The return value of capng_change_id() must be checked to prevent
+ continuing to run with unwanted capabilities in case of an error.
+
+I have checked that with this patch applied iceccd runs with a bounding
+set defined (pscap does not show the '+' sign anymore).
+---
+ daemon/main.cpp | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/daemon/main.cpp b/daemon/main.cpp
+index 387d4e2..34ad342 100644
+--- a/daemon/main.cpp
++++ b/daemon/main.cpp
+@@ -1803,9 +1803,13 @@ int main( int argc, char ** argv )
+
+ #ifdef HAVE_LIBCAP_NG
+ capng_clear(CAPNG_SELECT_BOTH);
+- capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
+- capng_change_id(d.user_uid, d.user_gid, CAPNG_NO_FLAG);
+- capng_apply(CAPNG_SELECT_BOTH);
++ capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT);
++ int r = capng_change_id(d.user_uid, d.user_gid,
++ (capng_flags_t)(CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING));
++ if (r) {
++ log_error() << "Error: capng_change_id failed: " << r << endl;
++ exit(EXIT_SETUID_FAILED);
++ }
+ #endif
+ } else {
+ d.noremote = true;
+--
+1.8.3.1
+
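Review bot: The return value of capng_update() on the new `capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT);` line is still ignored, even though the patch makes a point of checking capng_change_id(); libcap-ng's capng_update() returns a non-zero value on failure, and a silent failure there would carry the daemon through the uid change without the capability it needs rather than abort. A guard in the same shape as the one added for capng_change_id() keeps the two calls consistent: `if (capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT)) { log_error() << "Error: capng_update failed" << endl; exit(EXIT_SETUID_FAILED); }`. A short comment above the capng_change_id() call would also help the next maintainer, e.g. `// CAPNG_CLEAR_BOUNDING applies the bounding set built by capng_clear() above (empty), so CAP_SYS_CHROOT stays in permitted/effective but cannot be regained across exec` — the exact bounding-set semantics depend on the libcap-ng version in use and should be confirmed. The enclosing main() starts and ends outside the hunk.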
diff --git a/icecream.spec b/icecream.spec
index c8f1949..7c379ad 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -27,9 +27,9 @@ Patch0002: 0002-handle-HOME-not-being-set.patch
Patch0003: 0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
Patch0004: 0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
Patch0005: 0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
-Patch0006: 0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
-Patch0007: 0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
-Patch0008: 0008-daemon-set-capability-bounding-set.patch
+Patch0006: 0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch
+Patch0007: 0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
+Patch0008: 0008-daemon-improve-capabilities-dropping.patch
Patch10000: %{name}-cleanup-conffile.patch