Date: Thursday, November 19, 2020 @ 11:38:13 Author: heftig Revision: 401391
3.36.0-2: Fix start with new libcap-ng 0.8.1 Added: gnome-keyring/trunk/33.patch Modified: gnome-keyring/trunk/PKGBUILD ----------+ 33.patch | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 14 ++++++- 2 files changed, 121 insertions(+), 2 deletions(-)
Added: 33.patch
===================================================================
--- 33.patch (rev 0)
+++ 33.patch 2020-11-19 11:38:13 UTC (rev 401391)
@@ -0,0 +1,109 @@
+From dad072e1f7f6d640f4d6b52408b485ea34229f15 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgr...@redhat.com>
+Date: Thu, 29 Oct 2020 16:26:21 -0400
+Subject: [PATCH] Update libcap-ng capability handling
+
+There is a change coming in libcap-ng-0.8.1 that causes gnome-keyring to
+not work correctly. The capng_apply function now returns an error if it
+cannot change the bounding set. Previously this was ignored. Which means
+now gnome-keyring exits when it shouldn't.
+
+The new patch adds troubleshooting info to the error message. And it checks
+to see if we have CAP_SETPCAP. If we do not, then we cannot change the
+capabilities so we just bypass the whole thing that was causing an error.
+On the setuid side, it now drops the bounding set and clears any
+supplemental groups that may be left over as an accident.
+---
+ daemon/gkd-capability.c | 44 +++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 19 deletions(-)
+
+diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
+index 9afe3039..9ceaecee 100644
+--- a/daemon/gkd-capability.c
++++ b/daemon/gkd-capability.c
+@@ -1,7 +1,7 @@
+ /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
+ /* gkd-capability.c - the security-critical initial phase of the daemon
+ *
+- * Copyright (C) 2011 Steve Grubb
++ * Copyright (C) 2011,2020 Steve Grubb
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+@@ -35,9 +35,10 @@
+
+ /* No logging, no gettext */
+ static void
+-early_error (const char *err_string)
++early_error (const char *err_string, int rc)
+ {
+- fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
++ fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
++ err_string, rc);
+ exit (1);
+ }
+
+@@ -64,6 +65,8 @@ void
+ gkd_capability_obtain_capability_and_drop_privileges (void)
+ {
+ #ifdef HAVE_LIBCAPNG
++ int rc;
++
+  capng_get_caps_process ();
+ switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
+ {
+@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
+ capng_update (CAPNG_ADD,
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_IPC_LOCK);
+- if (capng_change_id (getuid (), getgid (), 0))
+- early_error ("failed dropping capabilities");
++ if ((rc = capng_change_id (getuid (), getgid (),
++ CAPNG_DROP_SUPP_GRP|
++ CAPNG_CLEAR_BOUNDING)))
++ early_error ("failed dropping capabilities",
++ rc);
+ break;
+ case CAPNG_FAIL:
+- early_error ("error getting process capabilities");
++ early_error ("error getting process capabilities", 0);
+ break;
+ case CAPNG_NONE:
+ early_warning ("insufficient process capabilities, insecure memory might get used");
+ break;
+ case CAPNG_PARTIAL: /* File system based capabilities */
+- if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
++ if (!capng_have_capability (CAPNG_EFFECTIVE,
++ CAP_IPC_LOCK))
+ early_warning ("insufficient process capabilities, insecure memory might get used");
+- /* Drop all capabilities */
++
++ /* If we don't have CAP_SETPCAP, we can't do anything */
++ if (capng_have_capability (CAPNG_EFFECTIVE,
++ CAP_SETPCAP)) {
++ /* Drop all capabilities except ipc_lock */
+ capng_clear (CAPNG_SELECT_BOTH);
+- capng_apply (CAPNG_SELECT_BOTH);
+- break;
++ if ((rc = capng_update (CAPNG_ADD,
++ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++ CAP_IPC_LOCK)) != 0)
++ early_error ("error updating process capabilities", rc);
++ if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0)
++ early_error ("error dropping process capabilities", rc);
+ }
+-
+- /* Drop all capabilities except ipc_lock */
+- capng_clear (CAPNG_SELECT_BOTH);
+- if (capng_update (CAPNG_ADD,
+- CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+- CAP_IPC_LOCK) != 0)
+- early_error ("error dropping process capabilities");
+- if (capng_apply (CAPNG_SELECT_BOTH) != 0)
+- early_error ("error dropping process capabilities");
+ break;
+ }
+ #endif /* HAVE_LIBCAPNG */
+--
+GitLab
+
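Review bot: In the CAPNG_PARTIAL branch the new `if (capng_have_capability (CAPNG_EFFECTIVE, CAP_SETPCAP))` guard skips the whole drop when CAP_SETPCAP is absent, so any file capabilities the daemon was given beyond CAP_IPC_LOCK stay in its effective and permitted sets, and no warning is printed. As far as the capset rules go, only the bounding set needs CAP_SETPCAP, so the fallback could still clear and apply `CAPNG_SELECT_CAPS` instead of doing nothing. The guarded block also adds CAP_IPC_LOCK even when the warning just above found it missing, which looks likely to make `capng_apply` fail and abort where the old code dropped everything and carried on. The sketch below picks the set once and caches the CAP_IPC_LOCK check before `capng_clear`; `set` (a `capng_select_t`) and `have_lock` (an `int`) would be declared beside `rc`, and the switch itself opens outside this inner hunk.

```c
	case CAPNG_PARTIAL: /* File system based capabilities */
		/* … unchanged: CAP_IPC_LOCK warning … */

		/* Only the bounding set needs CAP_SETPCAP; the effective and
		 * permitted sets can be reduced without it. */
		set = capng_have_capability (CAPNG_EFFECTIVE, CAP_SETPCAP) ?
			CAPNG_SELECT_BOTH : CAPNG_SELECT_CAPS;
		/* Query before capng_clear () wipes the in-memory state */
		have_lock = capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK);

		capng_clear (set);
		if (have_lock &&
		    (rc = capng_update (CAPNG_ADD,
					CAPNG_EFFECTIVE|CAPNG_PERMITTED,
					CAP_IPC_LOCK)) != 0)
			early_error ("error updating process capabilities", rc);
		if ((rc = capng_apply (set)) != 0)
			early_error ("error dropping process capabilities", rc);
		break;
```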
Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-11-19 11:34:51 UTC (rev 401390) +++ PKGBUILD 2020-11-19 11:38:13 UTC (rev 401391) @@ -1,8 +1,9 @@ -# Maintainer: Jan De Groot <j...@archlinux.org> +# Maintainer: Jan Alexander Steffens (heftig) <hef...@archlinux.org> +# Contributor: Jan De Groot <j...@archlinux.org> pkgname=gnome-keyring pkgver=3.36.0 -pkgrel=1 +pkgrel=2 epoch=1 pkgdesc="Stores passwords and encryption keys" url="https://wiki.gnome.org/Projects/GnomeKeyring" @@ -15,8 +16,10 @@ install=gnome-keyring.install _commit=6cc50f97575d1d978cd7d24e6466f585d37947ed # tags/3.36.0^0 source=("git+https://gitlab.gnome.org/GNOME/gnome-keyring.git#commit=$_commit" + 33.patch add-cinnamon.diff) sha256sums=('SKIP' + '23294d6569bb7c8297cc2f95071576fac48ee82ec1ead1b818dd69fbbc72b069' 'd05210f5b0a7d4b22c0dff2854854af2eb5708aa2b296095e070dca68e9f815a') pkgver() { @@ -26,7 +29,14 @@ prepare() { cd $pkgname + + # https://bugs.archlinux.org/task/68664 + # https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/33 + git apply -3 ../33.patch + + # Autolaunch in Cinnamon git apply -3 ../add-cinnamon.diff + NOCONFIGURE=1 ./autogen.sh }