List: ipfire-development
Subject: [PATCH v2] libcap: Update to version 2.59
From: Adolf Belka <adolf.belka () ipfire ! org>
Date: 2021-09-27 15:33:39
Message-ID: 20210927153339.1500575-1-adolf.belka () ipfire ! org
- v2 version extends the update from 2.56 to 2.59
- Update from 2.50 to 2.59
- Update rootfile
- Changelog
  Release notes for 2.59
    libcap-2.55 ... 2.58 would SIGSEGV if an operation was attempted on a NULL value for cap_t or cap_iab_t. Restore the more tolerant error return behavior last seen with libcap-2.54. (Bug 214525)
    More make -j13 fixes (missing dependency for make -C progs sudotest).
    Various minor documentation fixes.
  Release notes for 2.58
    Fixed a potential libcap memory leak by adding a destructor (Bug 214373 reported by yan12125)
    Major improvement is that there is a path for Linux-PAM compliant applications to support setting Ambient vector Capabilities via pam_cap.so now (Bug 214377)
      In addition to the bug, related discussion is in two Github issues:
      https://github.com/shadow-maint/shadow/pull/408#issuecomment-919673098 and
      https://github.com/rra/pam-krb5/issues/21
    Added support for RPM builds that generate the build-id that RPM expects (see https://github.com/rpm-software-management/rpm/issues/367 for discussion)
    Minor contrib/sucap/su.c cleanups
    Clean up kdebug build rules
    More documentation cleanup
  Release notes for 2.57
    capsh enhancements:
      --mode makes a guess at the libcap mode of the current process (Bug 214319)
      --strict makes capsh less permissive and expects the user to perform more deliberate capability transactions
        useful for learning all the steps; and helps this article be more pedagogical.
    Build system fixes
      Preserve $(WARNINGS) (Fix from David Seifert)
      Don't ever build test binaries unless make test etc is invoked (speeds builds on slower systems)
      Support make -j12 for all, test and sudotest targets
    getcap -r / now generates readable output (Bug 214317)
    Some documentation cleanup: more consistency.
  Release notes for 2.56
    Canonicalize the Makefile use (in collaboration with David Seifert)
      In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)
    Doc fixes for cap_iab.3
    Added color support to captree, which helped make the following fix generate readable output:
      Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)
    Fixed contrib/sucap/su to correctly handle the Inheritable flag.
  Release notes for 2.55
    Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich
    Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)
      This generated a few broken builds until it was fixed.
    Cleanup of some man pages; some fixes and shorter URL to bugzilla link.
    Added libcap cap_proc_root() API function (to reach parity with the Go cap package).
      This is only potentially useful with the recently added cap_iab_get_pid() function
    Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controller GOPATH. Now make GOLANG=yes only installs the captree utility
    Added some features to captree and created a small article on it
    Added a man page for the captree utility
    Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated. Included adding --has-b support to capsh
  Release notes for 2.54
    Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)
    Fixes to not ignore allocation failures (patch provided by Samanta Navarro)
    Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()
    More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)
    Revamped the Go capability comparison API for *cap.Set and *cap.IAB, and added cap.IABGetPID()
    Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.
    Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.
    Extended getpcap to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).
    Install *.so files as executable now that they are executable as binaries
      A feature of 2.52 but not extended to install rules at that time.
    Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)
      Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.
    Fixed a compiler warnings from the GitHub build tester (Bug 214143)
  Release notes for 2.53
    The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)
      Added a test case for this too.
    Lots of tyops fixed in code and documentation (also by Samanta Navarro)
    Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)
      These distributions failed to observe a runnable pam_cap.so and various make options failed.
    Support clang builds (again). (Reported by Johan Herland 214047)
      This used to work, but by accident. It broke with the advent of a runnable libcap.so , libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.
    Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.
      Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.
  Release notes for 2.52
    Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)
    The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!
      The support is used to display some description information.
      To activate it, these binaries need to be installed executable (chmod +x ...)
      We also provided a write-up of how to enable this sort of feature in other .so files here.
    The module pam_cap.so now contains support for a default=<IAB> module argument. (Bug 213611).
    Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.
    Added capsh --current support.
    Minor documentation updates.
    Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.
      This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.
      At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.
  Release notes for 2.51
    Fix capsh installation (Bug 213261 - reported by Jan Palus)
    Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)
    Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)
      This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages
    API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.
      This can be used to raise all the Permitted capabilities in a Set with one API call.
    In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).
      This is with an eye to the imminent golang change removing support for GOPATH based building.
    Minor compilation warning fixes

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/libcap | 9 +++--
lfs/libcap | 7 ++--
.../libcap-2.50-install_capsh_again.patch | 38 -------------------
3 files changed, 9 insertions(+), 45 deletions(-)
delete mode 100644 src/patches/libcap-2.50-install_capsh_again.patch
diff --git a/config/rootfiles/common/libcap b/config/rootfiles/common/libcap
index def30cb5a..31d307b94 100644
--- a/config/rootfiles/common/libcap
+++ b/config/rootfiles/common/libcap
@@ -1,10 +1,10 @@
#lib/libcap.a
lib/libcap.so.2
-lib/libcap.so.2.50
+lib/libcap.so.2.59
#lib/libpsx.a
#lib/libpsx.so
-#lib/libpsx.so.2
-#lib/libpsx.so.2.50
+lib/libpsx.so.2
+lib/libpsx.so.2.59
#lib/pkgconfig/libcap.pc
#lib/pkgconfig/libpsx.pc
lib/security/pam_cap.so
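Review bot: lib/libpsx.so.2 and lib/libpsx.so.2.59 change from commented-out to shipped in this hunk, but the commit message only says "Update rootfile" and gives no reason. If something on the image now links against libpsx, name it in the commit message; if not, keep both lines commented as they were for 2.50 so the image does not carry an unused library. The build recipe's chmod +x only covers /lib/libcap.so.*, so also confirm that the mode libpsx.so.2.59 gets installed with is the one intended.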
@@ -36,8 +36,10 @@ usr/lib/libcap.so
#usr/share/man/man3/cap_get_proc.3
#usr/share/man/man3/cap_get_secbits.3
#usr/share/man/man3/cap_iab.3
+#usr/share/man/man3/cap_iab_compare.3
#usr/share/man/man3/cap_iab_fill.3
#usr/share/man/man3/cap_iab_from_text.3
+#usr/share/man/man3/cap_iab_get_pid.3
#usr/share/man/man3/cap_iab_get_proc.3
#usr/share/man/man3/cap_iab_get_vector.3
#usr/share/man/man3/cap_iab_init.3
@@ -73,6 +75,7 @@ usr/lib/libcap.so
#usr/share/man/man3/psx_syscall.3
#usr/share/man/man3/psx_syscall3.3
#usr/share/man/man3/psx_syscall6.3
+#usr/share/man/man8/captree.8
#usr/share/man/man8/getcap.8
#usr/share/man/man8/getpcaps.8
#usr/share/man/man8/setcap.8
diff --git a/lfs/libcap b/lfs/libcap
index 610ff474b..7dd65983b 100644
--- a/lfs/libcap
+++ b/lfs/libcap
@@ -24,7 +24,7 @@
include Config
-VER = 2.50
+VER = 2.59
THISAPP = libcap-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 66a561afa81666236ff973544ff4e864
+$(DL_FILE)_MD5 = 585540ad79ee2692722877c0c528d165
install : $(TARGET)
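Review bot: the new $(DL_FILE)_MD5 value is the only integrity pin for libcap-2.59.tar.xz visible in this file, and MD5 does not resist deliberate collisions. Before merging, check the tarball against a stronger digest or a signature published by upstream and say in the commit message that this was done; a stronger per-file checksum variable would be the lasting fix if the build system can carry one.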
@@ -70,13 +70,12 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i \
$(DIR_SRC)/src/patches/libcap-2.50-install_capsh_again.patch # Prevent a static \
library from being installed cd $(DIR_APP) && sed -i '/install.*STALIBNAME/d' \
libcap/Makefile cd $(DIR_APP) && make GOLANG=no
cd $(DIR_APP) && make install GOLANG=no
rm -vf /lib/libcap.so
- ln -svf /lib/libcap.so.2.50 /usr/lib/libcap.so
+ ln -svf /lib/libcap.so.2.59 /usr/lib/libcap.so
chmod +x /lib/libcap.so.*
@rm -rf $(DIR_APP)
@$(POSTBUILD)
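Review bot: the symlink line still hard-codes the version (ln -svf /lib/libcap.so.2.59 /usr/lib/libcap.so), so every bump has to touch it and a missed edit leaves /usr/lib/libcap.so dangling. Writing the target as /lib/libcap.so.$(VER) would take the version from the VER line at the top of the file. Separately, the 2.54 release notes quoted in the commit message say the install rules now install *.so files as executable, so the chmod +x /lib/libcap.so.* line kept as context here may no longer be needed; worth checking and dropping in the same patch if so.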
diff --git a/src/patches/libcap-2.50-install_capsh_again.patch \
b/src/patches/libcap-2.50-install_capsh_again.patch deleted file mode 100644
index 0ae7520dc..000000000
--- a/src/patches/libcap-2.50-install_capsh_again.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 1f8d32942be54850a3a89c7b58ba5613b5525c58 Mon Sep 17 00:00:00 2001
-From: "Andrew G. Morgan" <morgan@kernel.org>
-Date: Fri, 28 May 2021 13:41:17 -0700
-Subject: [PATCH] Make capsh an installed binary again
-
-Bug report from Jan Palus:
-
- https://bugzilla.kernel.org/show_bug.cgi?id=213261
-
-Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
----
- progs/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/progs/Makefile b/progs/Makefile
-index 313dc4d..3c3dc97 100644
---- a/progs/Makefile
-+++ b/progs/Makefile
-@@ -32,14 +32,14 @@ $(BUILD): %: %.o $(DEPS)
-
- install: all
- mkdir -p -m 0755 $(FAKEROOT)$(SBINDIR)
-- for p in $(PROGS) ; do \
-+ for p in $(PROGS) capsh ; do \
- install -m 0755 $$p $(FAKEROOT)$(SBINDIR) ; \
- done
- ifeq ($(RAISE_SETFCAP),yes)
- $(FAKEROOT)$(SBINDIR)/setcap cap_setfcap=i $(FAKEROOT)$(SBINDIR)/setcap
- endif
-
--test: $(PROGS)
-+test: $(PROGS) capsh
-
- capshdoc.h.cf: capshdoc.h ./mkcapshdoc.sh
- ./mkcapshdoc.sh > $@
---
-2.32.0.rc2
-
--
2.33.0