Date: Saturday, November 21, 2020 @ 19:53:56 Author: heftig Revision: 401650
3.36.0-3: replace patch with cherry-pick Modified: gnome-keyring/trunk/PKGBUILD Deleted: gnome-keyring/trunk/33.patch ----------+ 33.patch | 109 ------------------------------------------------------------- PKGBUILD | 7 +-- 2 files changed, 2 insertions(+), 114 deletions(-) Deleted: 33.patch =================================================================== --- 33.patch 2020-11-21 19:48:48 UTC (rev 401649) +++ 33.patch 2020-11-21 19:53:56 UTC (rev 401650) 
@@ -1,109 +0,0 @@ -From dad072e1f7f6d640f4d6b52408b485ea34229f15 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <[email protected]> -Date: Thu, 29 Oct 2020 16:26:21 -0400 -Subject: [PATCH] Update libcap-ng capability handling - -There is a change coming in libcap-ng-0.8.1 that causes gnome-keyring to -not work correctly. The capng_apply function now returns an error if it -cannot change the bounding set. Previously this was ignored. Which means -now gnome-keyring exits when it shouldn't. - -The new patch adds troubleshooting info to the error message. And it checks -to see if we have CAP_SETPCAP. If we do not, then we cannot change the -capabilities so we just bypass the whole thing that was causing an error. -On the setuid side, it now drops the bounding set and clears any -supplemental groups that may be left over as an accident. ---- - daemon/gkd-capability.c | 44 +++++++++++++++++++++++------------------ - 1 file changed, 25 insertions(+), 19 deletions(-) - -diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c -index 9afe3039..9ceaecee 100644 ---- a/daemon/gkd-capability.c -+++ b/daemon/gkd-capability.c -@@ -1,7 +1,7 @@ - /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */ - /* gkd-capability.c - the security-critical initial phase of the daemon - * -- * Copyright (C) 2011 Steve Grubb -+ * Copyright (C) 2011,2020 Steve Grubb - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as -@@ -35,9 +35,10 @@ - - /* No logging, no gettext */ - static void --early_error (const char *err_string) -+early_error (const char *err_string, int rc) - { -- fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string); -+ fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n", -+ err_string, rc); - exit (1); - } - -@@ -64,6 +65,8 @@ void - gkd_capability_obtain_capability_and_drop_privileges (void) - { - #ifdef HAVE_LIBCAPNG -+ int rc; -+ - 
capng_get_caps_process (); - switch (capng_have_capabilities (CAPNG_SELECT_CAPS)) - { -@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_drop_privileges (void) - capng_update (CAPNG_ADD, - CAPNG_EFFECTIVE|CAPNG_PERMITTED, - CAP_IPC_LOCK); -- if (capng_change_id (getuid (), getgid (), 0)) -- early_error ("failed dropping capabilities"); -+ if ((rc = capng_change_id (getuid (), getgid (), -+ CAPNG_DROP_SUPP_GRP| -+ CAPNG_CLEAR_BOUNDING))) -+ early_error ("failed dropping capabilities", -+ rc); - break; - case CAPNG_FAIL: -- early_error ("error getting process capabilities"); -+ early_error ("error getting process capabilities", 0); - break; - case CAPNG_NONE: - early_warning ("insufficient process capabilities, insecure memory might get used"); - break; - case CAPNG_PARTIAL: /* File system based capabilities */ -- if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) { -+ if (!capng_have_capability (CAPNG_EFFECTIVE, -+ CAP_IPC_LOCK)) - early_warning ("insufficient process capabilities, insecure memory might get used"); -- /* Drop all capabilities */ -+ -+ /* If we don't have CAP_SETPCAP, we can't do anything */ -+ if (capng_have_capability (CAPNG_EFFECTIVE, -+ CAP_SETPCAP)) { -+ /* Drop all capabilities except ipc_lock */ - capng_clear (CAPNG_SELECT_BOTH); -- capng_apply (CAPNG_SELECT_BOTH); -- break; -+ if ((rc = capng_update (CAPNG_ADD, -+ CAPNG_EFFECTIVE|CAPNG_PERMITTED, -+ CAP_IPC_LOCK)) != 0) -+ early_error ("error updating process capabilities", rc); -+ if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0) -+ early_error ("error dropping process capabilities", rc); - } -- -- /* Drop all capabilities except ipc_lock */ -- capng_clear (CAPNG_SELECT_BOTH); -- if (capng_update (CAPNG_ADD, -- CAPNG_EFFECTIVE|CAPNG_PERMITTED, -- CAP_IPC_LOCK) != 0) -- early_error ("error dropping process capabilities"); -- if (capng_apply (CAPNG_SELECT_BOTH) != 0) -- early_error ("error dropping process capabilities"); - break; - } - #endif /* HAVE_LIBCAPNG */ --- -GitLab - 
Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-11-21 19:48:48 UTC (rev 401649) +++ PKGBUILD 2020-11-21 19:53:56 UTC (rev 401650) @@ -3,7 +3,7 @@ pkgname=gnome-keyring pkgver=3.36.0 -pkgrel=2 +pkgrel=3 epoch=1 pkgdesc="Stores passwords and encryption keys" url="https://wiki.gnome.org/Projects/GnomeKeyring" @@ -16,10 +16,8 @@ install=gnome-keyring.install _commit=6cc50f97575d1d978cd7d24e6466f585d37947ed # tags/3.36.0^0 source=("git+https://gitlab.gnome.org/GNOME/gnome-keyring.git#commit=$_commit" - 33.patch add-cinnamon.diff) sha256sums=('SKIP' - '23294d6569bb7c8297cc2f95071576fac48ee82ec1ead1b818dd69fbbc72b069' 'd05210f5b0a7d4b22c0dff2854854af2eb5708aa2b296095e070dca68e9f815a') pkgver() { @@ -31,8 +29,7 @@ cd $pkgname # https://bugs.archlinux.org/task/68664 - # https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/33 - git apply -3 ../33.patch + git cherry-pick -n ebc7bc9efacc17049e54da8d96a4a29943621113 # Autolaunch in Cinnamon git apply -3 ../add-cinnamon.diff
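Review bot: The new `git cherry-pick -n ebc7bc9efacc17049e54da8d96a4a29943621113` line in the last PKGBUILD hunk loses the provenance that the removed merge-request comment gave, so a reader can no longer tell that this commit changes the daemon's capability-dropping code. Keep a pointer above it, for example `# Update libcap-ng capability handling: https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/33`, assuming the cherry-picked commit is the merged form of that request. With the `33.patch` entry and its sha256sum removed, the integrity of the fix rests on the full commit id and on that commit being present in the cloned repository, which this hunk does not show. A missing or conflicting commit should fail the build rather than leave the tree partly patched, so it is worth confirming that the enclosing function, which starts outside the hunk, aborts on a non-zero exit from the cherry-pick.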
