Hello community,

here is the log from the commit of package permissions for openSUSE:Factory 
checked in at 2011-11-07 14:28:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/permissions (Old)
 and      /work/SRC/openSUSE:Factory/.permissions.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "permissions", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:Factory/permissions/permissions.changes  2011-09-26 
10:10:13.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.permissions.new/permissions.changes     
2011-11-07 14:28:56.000000000 +0100
@@ -1,0 +2,5 @@
+Mon Nov  7 09:39:43 UTC 2011 - [email protected]
+
+- disable run time fscaps detection (bnc#728312)
+
+-------------------------------------------------------------------

New:
----
  0001-disable-run-time-fscaps-detection-bnc-728312.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ permissions.spec ++++++
--- /var/tmp/diff_new_pack.yLcL1T/_old  2011-11-07 14:28:57.000000000 +0100
+++ /var/tmp/diff_new_pack.yLcL1T/_new  2011-11-07 14:28:57.000000000 +0100
@@ -30,6 +30,7 @@
 PreReq:         %fillup_prereq
 Summary:        SUSE Linux Default Permissions
 Source:         permissions-%{version}.tar.bz2
+Patch0:         0001-disable-run-time-fscaps-detection-bnc-728312.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            http://gitorious.org/opensuse/permissions
 
@@ -48,6 +49,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 make %{?_smp_mflags} CFLAGS="-W -Wall $RPM_OPT_FLAGS" FSCAPS_DEFAULT_ENABLED=0

++++++ 0001-disable-run-time-fscaps-detection-bnc-728312.diff ++++++
>From 94311258bfdf3ad86938bd50aaef4a83ca04eae5 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <[email protected]>
Date: Mon, 7 Nov 2011 10:34:38 +0100
Subject: [PATCH] disable run time fscaps detection (bnc#728312)

PERMISSIONS_FSCAPS setting in /etc/sysconfig/security allows to enable
them again.
---
 chkstat.8 |    5 +++--
 chkstat.c |   40 ++++++++++++++++++++++++++++------------
 2 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/chkstat.8 b/chkstat.8
index 3492e21..364a237 100644
--- a/chkstat.8
+++ b/chkstat.8
@@ -52,8 +52,9 @@ Opposite of --set, ie warn only but don't make actual changes
 Omit printing the output header lines.
 .TP
 .IR \-\-fscaps,\ \-\-no\-fscaps
-Force or disable use of fscaps. Default is to automatically
-determine whether the running kernel supports fscaps.
+Enable or disable use of fscaps. In system mode the setting of
+PERMISSIONS_FSCAPS determines whether fscaps are on or off when this
+option is not set.
 .TP
 .IR \-\-examine\ file
 Check permissions for this file instead of all files listed in the permissions 
files.
diff --git a/chkstat.c b/chkstat.c
index e5c9b15..8682c3e 100644
--- a/chkstat.c
+++ b/chkstat.c
@@ -54,6 +54,7 @@ int nlevel;
 char** level;
 int do_set = -1;
 int default_set = 1;
+int have_fscaps = -1;
 char** permfiles = NULL;
 int npermfiles = 0;
 char* force_level;
@@ -281,6 +282,24 @@ parse_sysconf(const char* file)
              //fprintf(stderr, "invalid value for CHECK_PERMISSIONS (must be 
'set', 'warn' or 'no')\n");
            }
        }
+      else if (have_fscaps == -1 && !strncmp(p, "PERMISSIONS_FSCAPS=", 19))
+       {
+         p+=19;
+         if (isquote(*p))
+           ++p;
+         if (!strncmp(p, "yes", 3))
+           {
+             p+=3;
+             if (isquote(*p) || !*p)
+               have_fscaps=1;
+           }
+         else if (!strncmp(p, "no", 2))
+           {
+             p+=2;
+             if (isquote(*p) || !*p)
+               have_fscaps=0;
+           }
+       }
     }
   fclose(fp);
   return 0;
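Review bot: A PERMISSIONS_FSCAPS value that is neither `yes` nor `no` is dropped without any message in the new branch, leaving have_fscaps at -1. The same happens when anything other than a quote or the end of the string follows the word, for example trailing whitespace. Judging by the `have_fscaps != 1` test added later in this patch, -1 ends up meaning "off", so a typo in /etc/sysconfig/security silently changes which entries chkstat applies. A final branch such as `else fprintf(stderr, "invalid value for PERMISSIONS_FSCAPS (must be 'yes' or 'no')\n");` would make that visible; the equivalent message for CHECK_PERMISSIONS just above is commented out, so confirm whether the silence is deliberate. parse_sysconf begins outside the hunk.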
@@ -515,18 +534,18 @@ check_fscaps_enabled()
 {
   FILE* fp;
   char line[128];
-  int have_fscaps = FSCAPS_DEFAULT_ENABLED;
+  int val = FSCAPS_DEFAULT_ENABLED;
   if ((fp = fopen("/sys/kernel/fscaps", "r")) == 0)
     {
       goto out;
     }
   if (readline(fp, line, sizeof(line)))
     {
-      have_fscaps = atoi(line);
+      val = atoi(line);
     }
   fclose(fp);
 out:
-  return have_fscaps;
+  return val;
 }
 
 int
@@ -552,7 +571,6 @@ main(int argc, char **argv)
   int fd, r;
   int errors = 0;
   cap_t caps = NULL;
-  int have_fscaps = -1;
 
   while (argc > 1)
     {
@@ -692,9 +710,6 @@ main(int argc, char **argv)
       break;
     }
 
-  if (have_fscaps == -1)
-      have_fscaps = check_fscaps_enabled();
-
   if (systemmode)
     {
       const char file[] = "/etc/sysconfig/security";
@@ -747,6 +762,11 @@ main(int argc, char **argv)
       permfiles = &argv[1];
     }
 
+  if (have_fscaps == 1 && !check_fscaps_enabled())
+    {
+      fprintf(stderr, "Warning: running kernel does not support fscaps\n");
+    }
+
   if  (do_set == -1)
     do_set = 0;
 
@@ -802,7 +822,7 @@ main(int argc, char **argv)
                }
              if (!strncmp(p, "+capabilities ", 14))
                {
-                 if (!have_fscaps)
+                 if (have_fscaps != 1)
                    continue;
                  p += 14;
                  caps = cap_from_text(p);
@@ -900,10 +920,6 @@ main(int argc, char **argv)
          printf("Checking permissions and ownerships - using the permissions 
files\n");
          for (i = 0; i < npermfiles; i++)
            printf("\t%s\n", permfiles[i]);
-         if (!have_fscaps)
-           {
-             printf("kernel has fscaps support disabled.\n");
-           }
          if (rootl)
            {
              printf("Using root %s\n", root);
-- 
1.7.3.4
