main/libcap-ng: upgrade to 0.8.2

692ffb1a · Michał Polański · 2f328446 · 692ffb1a · 2f328446
Commit 692ffb1a authored 4 years ago by Michał Polański
--- a/main/libcap-ng/APKBUILD
+++ b/main/libcap-ng/APKBUILD
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libcap-ng
-pkgver=0.8.1
-pkgrel=1
+pkgver=0.8.2
+pkgrel=0
 pkgdesc="POSIX capabilities library"
 url="http://people.redhat.com/sgrubb/libcap-ng/index.html"
 arch="all"
@@ -10,7 +10,6 @@ depends_dev="linux-headers"
 makedepends_host="$depends_dev"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
 source="https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-$pkgver.tar.gz
-	apply.patch
 	apply-disable.patch
 	"

@@ -40,10 +39,8 @@ package() {
 utils() {
 	pkgdesc="posix capabilities utils"

-	mkdir -p "$subpkgdir"/usr/bin
-	mv "$pkgdir"/usr/bin/* "$subpkgdir"/usr/bin/
+	amove usr/bin
 }

-sha512sums="cd28ceb43e2cf5d3a0140fddbd2ea13dfda8eeea8a6de1817f3cc3b38df874ab8653917dbd405ad7aaaa71bcb9ec246d995079aa3cb0af1cffbdb37dfdd99232  libcap-ng-0.8.1.tar.gz
-47b6d7a61de15a9fc9c80ff8cd471723c74a010574ef3446c8895fb6e80b980672f16025ee94955a77f6088fcccf84b52e760a400c5239b637364caad391c0f7  apply.patch
+sha512sums="0ac6e55c03b1fba3a849048b721e250951afb59190d9646704d4fd9938eccc3bd0767380fbddc42f186b4f55695475e31f34f537ae91c04a37662577a5b7a19b  libcap-ng-0.8.2.tar.gz
 5f362d5d3f791d1bddc5d9ef3b31e5089c54f852904e12bc3b58dcd22fa87086766cfc095ae8b485bee1b3c4fd854575b89821052b77967a6fdca4ff7e0a0397  apply-disable.patch"
--- a/main/libcap-ng/apply.patch
+++ b/main/libcap-ng/apply.patch
-From fda0224fea4f01b77bd07ac195b3baaaf1a28fca Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Fri, 20 Nov 2020 14:01:33 -0500
-Subject: [PATCH] In capng_apply, allow continuing in spite of errors
-
-In capng_apply, if we blow up trying to adjust the bounding set without
-proper permissions, continue into the capabilities in case they called
-with SELECT_BOTH and they don't bother checking the return code. This
-will at least leave the application in a potentially safer state.
---
- src/cap-ng.c | 56 +++++++++++++++++++++++++++++++++++++++-------------
- 1 file changed, 42 insertions(+), 14 deletions(-)
-
-diff --git a/src/cap-ng.c b/src/cap-ng.c
-index a9de370..1474326 100644
--- a/src/cap-ng.c
-+++ b/src/cap-ng.c
-@@ -680,6 +680,8 @@ int capng_updatev(capng_act_t action, capng_type_t type,
- 
- int capng_apply(capng_select_t set)
- {
-+	int rc = 0;
-+
- 	// Before updating, we expect that the data is initialized to something
- 	if (m.state < CAPNG_INIT)
- 		return -1;
-@@ -695,52 +697,78 @@ int capng_apply(capng_select_t set)
- 			for (i=0; i <= last_cap; i++) {
- 				if (capng_have_capability(CAPNG_BOUNDING_SET,
- 								 i) == 0) {
-				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0)
-					return -2;
-+				    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
-+					rc = -2;
-+					goto try_caps;
-+				    }
- 				}
- 			}
- 			m.state = CAPNG_APPLIED;
-			if (get_bounding_set() < 0)
-				return -3;
-+			if (get_bounding_set() < 0) {
-+				rc = -3;
-+				goto try_caps;
-+			}
- 		} else {
- 			memcpy(&m, &state, sizeof(m)); /* restore state */
-			return -4;
-+			rc = -4;
-+			goto try_caps;
- 		}
- #endif
- 	}
-+
-+	// Try caps is here so that if someone had SELECT_BOTH and we blew up
-+	// doing the bounding set, we at least try to set any capabilities
-+	// before returning in case the caller also doesn't bother checking
-+	// the return code.
-+try_caps:
- 	if (set & CAPNG_SELECT_CAPS) {
- 		if (capset((cap_user_header_t)&m.hdr,
- 				(cap_user_data_t)&m.data) == 0)
- 			m.state = CAPNG_APPLIED;
- 		else
-			return -5;
-+			rc = -5;
- 	}
-	// Put ambient last so that inheritable and permitted are set
-+
-+	// Most programs do not and should not mess with ambient capabilities.
-+	// Instead of returning here if rc is set, we'll let it try to
-+	// do something with ambient capabilities in hopes that it's lowering
-+	// capabilities. Again, this is for people that don't check their
-+	// return codes.
-+	//
-+	// Do ambient last so that inheritable and permitted are set by the
-+	// time we get here.
- 	if (set & CAPNG_SELECT_AMBIENT) {
- #ifdef PR_CAP_AMBIENT
- 		if (capng_have_capabilities(CAPNG_SELECT_AMBIENT) ==
- 								CAPNG_NONE) {
- 			if (prctl(PR_CAP_AMBIENT,
-				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
-				return -6;
-+				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
-+				rc = -6;
-+				goto out;
-+			}
- 		} else {
- 			unsigned int i;
- 
- 			// Clear them all
- 			if (prctl(PR_CAP_AMBIENT,
-				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
-				return -7;
-+				   PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
-+				rc = -7;
-+				goto out;
-+			}
- 			for (i=0; i <= last_cap; i++) {
- 				if (capng_have_capability(CAPNG_AMBIENT, i))
- 					if (prctl(PR_CAP_AMBIENT,
-					    PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
-						return -8;
-+					    PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0){
-+						rc = -8;
-+						goto out;
-+					}
- 			}
- 		}
- 		m.state = CAPNG_APPLIED;
- #endif
- 	}
-	return 0;
-+out:
-+	return rc;
- }
- 
- #ifdef VFS_CAP_U32