Date: Thursday, November 19, 2020 @ 11:38:13
  Author: heftig
Revision: 401391

3.36.0-2: Fix start with new libcap-ng 0.8.1

Added:
  gnome-keyring/trunk/33.patch
Modified:
  gnome-keyring/trunk/PKGBUILD

----------+
 33.patch |  109 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD |   14 ++++++-
 2 files changed, 121 insertions(+), 2 deletions(-)

Added: 33.patch
===================================================================
--- 33.patch                            (rev 0)
+++ 33.patch    2020-11-19 11:38:13 UTC (rev 401391)
@@ -0,0 +1,109 @@
+From dad072e1f7f6d640f4d6b52408b485ea34229f15 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgr...@redhat.com>
+Date: Thu, 29 Oct 2020 16:26:21 -0400
+Subject: [PATCH] Update libcap-ng capability handling
+
+There is a change coming in libcap-ng-0.8.1 that causes gnome-keyring to
+not work correctly. The capng_apply function now returns an error if it
+cannot change the bounding set. Previously this was ignored. Which means
+now gnome-keyring exits when it shouldn't.
+
+The new patch adds troubleshooting info to the error message. And it checks
+to see if we have CAP_SETPCAP. If we do not, then we cannot change the
+capabilities so we just bypass the whole thing that was causing an error.
+On the setuid side, it now drops the bounding set and clears any
+supplemental groups that may be left over as an accident.
+---
+ daemon/gkd-capability.c | 44 +++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 19 deletions(-)
+
+diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
+index 9afe3039..9ceaecee 100644
+--- a/daemon/gkd-capability.c
++++ b/daemon/gkd-capability.c
+@@ -1,7 +1,7 @@
+ /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
+ /* gkd-capability.c - the security-critical initial phase of the daemon
+  *
+- * Copyright (C) 2011 Steve Grubb
++ * Copyright (C) 2011,2020 Steve Grubb
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU Lesser General Public License as
+@@ -35,9 +35,10 @@
+ 
+ /* No logging, no gettext */
+ static void
+-early_error (const char *err_string)
++early_error (const char *err_string, int rc)
+ {
+-      fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
++      fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
++              err_string, rc);
+       exit (1);
+ }
+ 
+@@ -64,6 +65,8 @@ void
+ gkd_capability_obtain_capability_and_drop_privileges (void)
+ {
+ #ifdef HAVE_LIBCAPNG
++      int rc;
++
+       capng_get_caps_process ();
+       switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
+       {
+@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
+                       capng_update (CAPNG_ADD,
+                                       CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+                                       CAP_IPC_LOCK);
+-                      if (capng_change_id (getuid (), getgid (), 0))
+-                              early_error ("failed dropping capabilities");
++                      if ((rc = capng_change_id (getuid (), getgid (),
++                                                 CAPNG_DROP_SUPP_GRP|
++                                                 CAPNG_CLEAR_BOUNDING)))
++                              early_error ("failed dropping capabilities",
++                                           rc);
+                       break;
+               case CAPNG_FAIL:
+-                      early_error ("error getting process capabilities");
++                      early_error ("error getting process capabilities", 0);
+                       break;
+               case CAPNG_NONE:
+                       early_warning ("insufficient process capabilities, 
insecure memory might get used");
+                       break;
+               case CAPNG_PARTIAL: /* File system based capabilities */
+-                      if (!capng_have_capability (CAPNG_EFFECTIVE, 
CAP_IPC_LOCK)) {
++                      if (!capng_have_capability (CAPNG_EFFECTIVE,
++                                                          CAP_IPC_LOCK))
+                               early_warning ("insufficient process 
capabilities, insecure memory might get used");
+-                              /* Drop all capabilities */
++
++                      /* If we don't have CAP_SETPCAP, we can't do anything */
++                      if (capng_have_capability (CAPNG_EFFECTIVE,
++                                                              CAP_SETPCAP)) {
++                               /* Drop all capabilities except ipc_lock */
+                               capng_clear (CAPNG_SELECT_BOTH);
+-                              capng_apply (CAPNG_SELECT_BOTH);
+-                              break;
++                              if ((rc = capng_update (CAPNG_ADD,
++                                              CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++                                              CAP_IPC_LOCK)) != 0)
++                                      early_error ("error updating process 
capabilities", rc);
++                              if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0)
++                                      early_error ("error dropping process 
capabilities", rc);
+                       }
+-
+-                      /* Drop all capabilities except ipc_lock */
+-                      capng_clear (CAPNG_SELECT_BOTH);
+-                      if (capng_update (CAPNG_ADD,
+-                                        CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+-                                        CAP_IPC_LOCK) != 0)
+-                              early_error ("error dropping process 
capabilities");
+-                      if (capng_apply (CAPNG_SELECT_BOTH) != 0)
+-                              early_error ("error dropping process 
capabilities");
+                       break;
+       }
+ #endif /* HAVE_LIBCAPNG */
+-- 
+GitLab
+
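Review bot: In the patched `CAPNG_PARTIAL` case of `gkd_capability_obtain_capability_and_drop_privileges`, a process without `CAP_SETPCAP` now skips the whole clear/update/apply sequence, so any other file-based capabilities it was started with stay in its effective and permitted sets. As far as I can tell `CAP_SETPCAP` is needed only for the bounding-set half of `CAPNG_SELECT_BOTH`, not for lowering the process's own sets. An `else` branch that repeats the clear/update on `CAPNG_SELECT_CAPS` and ends with `capng_apply (CAPNG_SELECT_CAPS)` would keep the least-privilege drop while still avoiding the libcap-ng 0.8.1 failure. Separately, when `CAP_IPC_LOCK` is not effective the new code only warns and then still requests it through `capng_update`, whereas the old code cleared everything and left the case; if the capability is not permitted either, `capng_apply` presumably fails and the daemon exits, so it is worth confirming that is intended. The `switch` begins above the inner hunk, so the `CAPNG_FULL` setup lines are only partly visible here.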

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2020-11-19 11:34:51 UTC (rev 401390)
+++ PKGBUILD    2020-11-19 11:38:13 UTC (rev 401391)
@@ -1,8 +1,9 @@
-# Maintainer: Jan De Groot <j...@archlinux.org>
+# Maintainer: Jan Alexander Steffens (heftig) <hef...@archlinux.org>
+# Contributor: Jan De Groot <j...@archlinux.org>
 
 pkgname=gnome-keyring
 pkgver=3.36.0
-pkgrel=1
+pkgrel=2
 epoch=1
 pkgdesc="Stores passwords and encryption keys"
 url="https://wiki.gnome.org/Projects/GnomeKeyring";
@@ -15,8 +16,10 @@
 install=gnome-keyring.install
 _commit=6cc50f97575d1d978cd7d24e6466f585d37947ed  # tags/3.36.0^0
 source=("git+https://gitlab.gnome.org/GNOME/gnome-keyring.git#commit=$_commit";
+        33.patch
         add-cinnamon.diff)
 sha256sums=('SKIP'
+            '23294d6569bb7c8297cc2f95071576fac48ee82ec1ead1b818dd69fbbc72b069'
             'd05210f5b0a7d4b22c0dff2854854af2eb5708aa2b296095e070dca68e9f815a')
 
 pkgver() {
@@ -26,7 +29,14 @@
 
 prepare() {
   cd $pkgname
+
+  # https://bugs.archlinux.org/task/68664
+  # https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/33
+  git apply -3 ../33.patch
+
+  # Autolaunch in Cinnamon
   git apply -3 ../add-cinnamon.diff
+
   NOCONFIGURE=1 ./autogen.sh
 }
 
