Hello community, here is the log from the commit of package libcap-ng for openSUSE:Factory checked in at 2020-05-13 22:55:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libcap-ng (Old) and /work/SRC/openSUSE:Factory/.libcap-ng.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcap-ng" Wed May 13 22:55:00 2020 rev:29 rq:802992 version:0.7.10 Changes: -------- --- /work/SRC/openSUSE:Factory/libcap-ng/libcap-ng-python.changes 2018-02-23 15:28:02.234339551 +0100 +++ /work/SRC/openSUSE:Factory/.libcap-ng.new.2738/libcap-ng-python.changes 2020-05-13 22:55:01.378884986 +0200 @@ -1,0 +2,12 @@ +Tue May 12 12:33:10 UTC 2020 - Paolo Stivanin <[email protected]> + +- Update to 0.7.10: + * Update capng_change_id man page + * Add capng_have_permitted_capabilities function + * Update filecap to output which set the capabilities are in + * Fix filecap to not output an error when a file has no capabilities + * Add udplite support to netcap + * Fix usage of pthread_atfork (Joe Orton) + * Mark processes in child user namespaces with * (Danila Kiver) + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/libcap-ng/libcap-ng.changes 2019-08-19 20:46:27.397110455 +0200 +++ /work/SRC/openSUSE:Factory/.libcap-ng.new.2738/libcap-ng.changes 2020-05-13 22:55:01.414885055 +0200 @@ -1,0 +2,12 @@ +Tue May 12 12:31:39 UTC 2020 - Paolo Stivanin <[email protected]> + +- Update to 0.7.10: + * Update capng_change_id man page + * Add capng_have_permitted_capabilities function + * Update filecap to output which set the capabilities are in + * Fix filecap to not output an error when a file has no capabilities + * Add udplite support to netcap + * Fix usage of pthread_atfork (Joe Orton) + * Mark processes in child user namespaces with * (Danila Kiver) + +------------------------------------------------------------------- Old: ---- libcap-ng-0.7.9.tar.gz New: ---- libcap-ng-0.7.10.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcap-ng-python.spec ++++++ --- /var/tmp/diff_new_pack.3UlJvD/_old 2020-05-13 22:55:02.218886624 +0200 +++ /var/tmp/diff_new_pack.3UlJvD/_new 2020-05-13 22:55:02.222886633 +0200 
@@ -1,7 +1,7 @@ # # spec file for package libcap-ng-python # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,12 +20,12 @@ %bcond_without python2 %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: libcap-ng-python -Version: 0.7.9 +Version: 0.7.10 Release: 0 Summary: An alternate Linux/POSIX capabilities library License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ -Url: https://people.redhat.com/sgrubb/libcap-ng +URL: https://people.redhat.com/sgrubb/libcap-ng Source0: https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-%{version}.tar.gz Source1: baselibs.conf Source99: libcap-ng.rpmlintrc ++++++ libcap-ng.spec ++++++ --- /var/tmp/diff_new_pack.3UlJvD/_old 2020-05-13 22:55:02.246886679 +0200 +++ /var/tmp/diff_new_pack.3UlJvD/_new 2020-05-13 22:55:02.250886687 +0200 @@ -1,7 +1,7 @@ # # spec file for package libcap-ng # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,12 +18,12 @@ %define sover 0 Name: libcap-ng -Version: 0.7.9 +Version: 0.7.10 Release: 0 Summary: An alternate Linux/POSIX capabilities library License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ -Url: https://people.redhat.com/sgrubb/libcap-ng +URL: https://people.redhat.com/sgrubb/libcap-ng Source0: https://people.redhat.com/sgrubb/%{name}/%{name}-%{version}.tar.gz Source1: baselibs.conf Source99: libcap-ng.rpmlintrc 
@@ -70,6 +70,7 @@ %setup -q %build +export LDFLAGS="$LDFLAGS -lpthread" %configure \ --disable-static \ --without-python ++++++ libcap-ng-0.7.9.tar.gz -> libcap-ng-0.7.10.tar.gz ++++++ ++++ 6987 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/ChangeLog new/libcap-ng-0.7.10/ChangeLog --- old/libcap-ng-0.7.9/ChangeLog 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/ChangeLog 2019-10-01 20:29:23.000000000 +0200 @@ -1,3 +1,12 @@ +0.7.10 +- Update capng_change_id man page +- Add capng_have_permitted_capabilities function +- Update filecap to output which set the capabilities are in +- Fix filecap to not output an error when a file has no capabilities +- Add udplite support to netcap +- Fix usage of pthread_atfork (Joe Orton) +- Mark processes in child user namespaces with * (Danila Kiver) + 0.7.9 - Fix byte compiling python3 bindings - Detect and output a couple errors in filecap diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/TODO new/libcap-ng-0.7.10/TODO --- old/libcap-ng-0.7.9/TODO 1970-01-01 01:00:00.000000000 +0100 +++ new/libcap-ng-0.7.10/TODO 2019-10-01 20:29:23.000000000 +0200 
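Review bot: `export LDFLAGS="$LDFLAGS -lpthread"` in %build links every artifact of the package, the utilities included, against libpthread, and nothing in the hunk says why. The reason is visible further down this log: upstream 0.7.10 removed the weak `pthread_atfork` declaration in src/cap-ng.c and now calls it unconditionally from a constructor, so the shared library must resolve the symbol at link time. A comment above the export, `# 0.7.10 calls pthread_atfork() unconditionally (weak symbol removed upstream); the library needs libpthread at link time`, stops the next packager from dropping the line as cruft. Restricting the flag to the library's own link would need a change to the upstream Makefile.am rather than the spec.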
@@ -0,0 +1,2 @@ +* Support v3 fs capability +* Look into ambient capability support diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/bindings/python/capng.py new/libcap-ng-0.7.10/bindings/python/capng.py --- old/libcap-ng-0.7.9/bindings/python/capng.py 2018-02-07 18:54:07.000000000 +0100 +++ new/libcap-ng-0.7.10/bindings/python/capng.py 2019-10-01 20:29:32.000000000 +0200 @@ -202,6 +202,10 @@ return _capng.capng_have_capabilities(set) capng_have_capabilities = _capng.capng_have_capabilities +def capng_have_permitted_capabilities(): + return _capng.capng_have_permitted_capabilities() +capng_have_permitted_capabilities = _capng.capng_have_permitted_capabilities + def capng_have_capability(which, capability): return _capng.capng_have_capability(which, capability) capng_have_capability = _capng.capng_have_capability diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/bindings/python3/capng.py new/libcap-ng-0.7.10/bindings/python3/capng.py --- old/libcap-ng-0.7.9/bindings/python3/capng.py 2018-02-07 18:54:07.000000000 +0100 +++ new/libcap-ng-0.7.10/bindings/python3/capng.py 2019-10-01 20:29:32.000000000 +0200 
@@ -203,6 +203,10 @@ return _capng.capng_have_capabilities(set) capng_have_capabilities = _capng.capng_have_capabilities +def capng_have_permitted_capabilities() -> "capng_results_t": + return _capng.capng_have_permitted_capabilities() +capng_have_permitted_capabilities = _capng.capng_have_permitted_capabilities + def capng_have_capability(which: 'capng_type_t', capability: 'unsigned int') -> "int": return _capng.capng_have_capability(which, capability) capng_have_capability = _capng.capng_have_capability diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/compile new/libcap-ng-0.7.10/compile --- old/libcap-ng-0.7.9/compile 2018-02-07 18:54:04.000000000 +0100 +++ new/libcap-ng-0.7.10/compile 2019-10-01 20:29:28.000000000 +0200 @@ -1,9 +1,9 @@ #! /bin/sh # Wrapper for compilers which do not understand '-c -o'. -scriptversion=2016-01-11.22; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2017 Free Software Foundation, Inc. +# Copyright (C) 1999-2018 Free Software Foundation, Inc. # Written by Tom Tromey <[email protected]>. # # This program is free software; you can redistribute it and/or modify @@ -17,7 +17,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a 
@@ -340,7 +340,7 @@ # Local Variables: # mode: shell-script # sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/config.h.in new/libcap-ng-0.7.10/config.h.in --- old/libcap-ng-0.7.9/config.h.in 2018-02-07 18:54:07.000000000 +0100 +++ new/libcap-ng-0.7.10/config.h.in 2019-10-01 20:29:28.000000000 +0200 @@ -18,6 +18,9 @@ /* Define to 1 if you have the <memory.h> header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the <pthread.h> header file. */ +#undef HAVE_PTHREAD_H + /* Define to 1 if you have the <stdint.h> header file. */ #undef HAVE_STDINT_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/configure.ac new/libcap-ng-0.7.10/configure.ac --- old/libcap-ng-0.7.9/configure.ac 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/configure.ac 2019-10-01 20:29:23.000000000 +0200 @@ -1,7 +1,7 @@ dnl define([AC_INIT_NOTICE], [### Generated automatically using autoconf version] AC_ACVERSION [ -### Copyright 2009-2017 Steve Grubb <[email protected]> +### Copyright 2009-2019 Steve Grubb <[email protected]> ### ### Permission is hereby granted, free of charge, to any person obtaining a ### copy of this software and associated documentation files (the "Software"), 
@@ -29,7 +29,7 @@ ]) AC_REVISION($Revision: 1.3 $)dnl -AC_INIT(libcap-ng,0.7.9) +AC_INIT(libcap-ng,0.7.10) AC_PREREQ(2.12)dnl AM_CONFIG_HEADER(config.h) AC_CONFIG_MACRO_DIR([m4]) @@ -56,6 +56,7 @@ AC_CHECK_HEADERS(attr/xattr.h, [], [AC_MSG_WARN(attr/xattr.h not found, disabling file system capabilities.)]) ]) AC_CHECK_HEADERS(linux/securebits.h, [], []) +AC_CHECK_HEADERS(pthread.h, [], [AC_MSG_WARN(pthread.h not found, disabling pthread_atfork.)]) AC_C_CONST AC_C_INLINE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/docs/capng_change_id.3 new/libcap-ng-0.7.10/docs/capng_change_id.3 --- old/libcap-ng-0.7.9/docs/capng_change_id.3 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/docs/capng_change_id.3 2019-10-01 20:29:23.000000000 +0200 @@ -1,4 +1,4 @@ -.TH "CAPNG_CHANGE_ID" "3" "Feb 2013" "Red Hat" "Libcap-ng API" +.TH "CAPNG_CHANGE_ID" "3" "Feb 2018" "Red Hat" "Libcap-ng API" .SH NAME capng_change_id \- change the credentials retaining capabilities .SH "SYNOPSIS" 
@@ -8,7 +8,9 @@ .SH "DESCRIPTION" -This function will change uid and gid to the ones given while retaining the capabilities previously specified in capng_update. It is not necessary and perhaps better if capng_apply has not been called prior to this function so that all necessary privileges are still intact. The caller is required to have CAP_SETPCAP capability still active before calling this function. +This function will change uid and gid to the ones given while retaining the capabilities previously specified in capng_update. It is also possible to specify -1 for either the uid or gid in which case the function will not change the uid or gid and leave it "as is". This is useful if you just want the flag options to be applied (assuming the option doesn't require more privileges that you currently have). + +It is not necessary and perhaps better if capng_apply has not been called prior to this function so that all necessary privileges are still intact. The caller may be required to have CAP_SETPCAP capability still active before calling this function or capabilities cannot be changed. This function also takes a flag parameter that helps to tailor the exact actions performed by the function to secure the environment. The option may be or'ed together. The legal values are: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/docs/capng_have_capabilities.3 new/libcap-ng-0.7.10/docs/capng_have_capabilities.3 --- old/libcap-ng-0.7.9/docs/capng_have_capabilities.3 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/docs/capng_have_capabilities.3 2019-10-01 20:29:23.000000000 +0200 
@@ -1,14 +1,20 @@ -.TH "CAPNG_HAVE_CAPABILITIES" "3" "June 2009" "Red Hat" "Libcap-ng API" +.TH "CAPNG_HAVE_CAPABILITIES" "3" "Aug 2018" "Red Hat" "Libcap-ng API" .SH NAME -capng_have_capabilities \- general check for capabilities +.nf +capng_have_capabilities, capng_have_permitted_capabilities \- check for capabilities .SH "SYNOPSIS" .B #include <cap-ng.h> .sp capng_results_t capng_have_capabilities(capng_select_t set); +capng_results_t capng_have_permitted_capabilities(void); .SH "DESCRIPTION" -capng_have_capabilities will check the selected internal capabilities sets to see what the status is. The capabilities sets must be previously setup with calls to capng_get_caps_process, capng_get_caps_fd, or in some other way setup. The options are CAPNG_SELECT_CAPS for the traditional capabilities, CAPNG_SELECT_BOUNDS for the bounding set, or CAPNG_SELECT_BOTH if clearing both is desired. +capng_have_capabilities will check the selected internal capabilities sets to see what the status is. The capabilities sets must be previously setup with calls to capng_get_caps_process, capng_get_caps_fd, or in some other way setup. The options are CAPNG_SELECT_CAPS for the traditional capabilities, CAPNG_SELECT_BOUNDS for the bounding set, or CAPNG_SELECT_BOTH if clearing both is desired. When capabilities are checked, it will only look at the effective capabilities. + +If, however, the source of capabilities comes from a file, then you may need to additionally check the permitted capabilities. It's for this reason that +.B capng_have_permitted_capabilities +was created. It takes no arguments because it simply checks the permitted set. 
.SH "RETURN VALUE" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/docs/capng_print_caps_numeric.3 new/libcap-ng-0.7.10/docs/capng_print_caps_numeric.3 --- old/libcap-ng-0.7.9/docs/capng_print_caps_numeric.3 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/docs/capng_print_caps_numeric.3 2019-10-01 20:29:23.000000000 +0200 @@ -18,7 +18,7 @@ .SH "SEE ALSO" -.BR capabilities (7) +.BR capng_print_caps_text (3) , capabilities (7) .SH AUTHOR Steve Grubb diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/docs/capng_print_caps_text.3 new/libcap-ng-0.7.10/docs/capng_print_caps_text.3 --- old/libcap-ng-0.7.9/docs/capng_print_caps_text.3 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/docs/capng_print_caps_text.3 2019-10-01 20:29:23.000000000 +0200 @@ -18,7 +18,7 @@ .SH "SEE ALSO" -.BR capabilities (7) +.BR capng_print_caps_numeric (3) , capabilities (7) .SH AUTHOR Steve Grubb diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/libcap-ng.spec new/libcap-ng-0.7.10/libcap-ng.spec --- old/libcap-ng-0.7.9/libcap-ng.spec 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/libcap-ng.spec 2019-10-01 20:29:23.000000000 +0200 
@@ -2,7 +2,7 @@ Summary: An alternate posix capabilities library Name: libcap-ng -Version: 0.7.9 +Version: 0.7.10 Release: 1 License: LGPLv2+ Group: System Environment/Libraries @@ -132,6 +132,6 @@ %attr(0644,root,root) %{_mandir}/man8/* %changelog -* Wed Feb 07 2018 Steve Grubb <[email protected]> 0.7.9-1 +* Tue Oct 01 2019 Steve Grubb <[email protected]> 0.7.10-1 - New upstream release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/missing new/libcap-ng-0.7.10/missing --- old/libcap-ng-0.7.9/missing 2018-02-07 18:54:04.000000000 +0100 +++ new/libcap-ng-0.7.10/missing 2019-10-01 20:29:28.000000000 +0200 @@ -1,9 +1,9 @@ #! /bin/sh # Common wrapper for a few potentially missing GNU programs. -scriptversion=2016-01-11.22; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2017 Free Software Foundation, Inc. +# Copyright (C) 1996-2018 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <[email protected]>, 1996. # This program is free software; you can redistribute it and/or modify @@ -17,7 +17,7 @@ # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -101,9 +101,9 @@ exit $st fi -perl_URL=http://www.perl.org/ -flex_URL=http://flex.sourceforge.net/ -gnu_software_URL=http://www.gnu.org/software +perl_URL=https://www.perl.org/ +flex_URL=https://github.com/westes/flex +gnu_software_URL=https://www.gnu.org/software program_details () { 
@@ -207,7 +207,7 @@ exit $st # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/py-compile new/libcap-ng-0.7.10/py-compile --- old/libcap-ng-0.7.9/py-compile 2018-02-07 18:54:04.000000000 +0100 +++ new/libcap-ng-0.7.10/py-compile 2019-10-01 20:29:28.000000000 +0200 @@ -1,9 +1,9 @@ #!/bin/sh # py-compile - Compile a Python program -scriptversion=2016-01-11.22; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 2000-2017 Free Software Foundation, Inc. +# Copyright (C) 2000-2018 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -16,7 +16,7 @@ # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a 
@@ -162,7 +162,7 @@ # Local Variables: # mode: shell-script # sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/src/cap-ng.c new/libcap-ng-0.7.10/src/cap-ng.c --- old/libcap-ng-0.7.9/src/cap-ng.c 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/src/cap-ng.c 2019-10-01 20:29:23.000000000 +0200 @@ -34,7 +34,9 @@ #include <errno.h> #include <fcntl.h> #include <byteswap.h> +#ifdef HAVE_PTHREAD_H #include <pthread.h> // For pthread_atfork +#endif #ifdef HAVE_SYSCALL_H #include <sys/syscall.h> #endif @@ -153,15 +155,6 @@ CAPNG_NEW, {0, 0} }; - -/* - * The pthread_atfork function is being made weak so that we can use it - * if the program is linked with pthreads and not requiring it for - * everything that uses libcap-ng. - */ -extern int __attribute__((weak)) pthread_atfork(void (*prepare)(void), - void (*parent)(void), void (*child)(void)); - /* * Reset the state so that init gets called to erase everything */ @@ -173,8 +166,7 @@ static void init_lib(void) __attribute__ ((constructor)); static void init_lib(void) { - if (pthread_atfork) - pthread_atfork(NULL, NULL, deinit); + pthread_atfork(NULL, NULL, deinit); } static void init(void) @@ -777,10 +769,10 @@ full = 1; else return CAPNG_PARTIAL; - if ((m.data.v3[1].effective & UPPER_MASK) == 0) + if ((m.data.v3[1].effective & UPPER_MASK) == 0 && !full) empty = 1; else if ((m.data.v3[1].effective & UPPER_MASK) == - UPPER_MASK) + UPPER_MASK && !empty) full = 1; else return CAPNG_PARTIAL; 
@@ -805,6 +797,40 @@ if (empty == 1 && full == 0) return CAPNG_NONE; + else if (empty == 0 && full == 1) + return CAPNG_FULL; + + return CAPNG_PARTIAL; +} + +// -1 - error, 0 - no caps, 1 partial caps, 2 full caps +capng_results_t capng_have_permitted_capabilities(void) +{ + int empty = 0, full = 0; + + // First, try to init with current set + if (m.state < CAPNG_INIT) + capng_get_caps_process(); + + // If we still don't have anything, error out + if (m.state < CAPNG_INIT) + return CAPNG_FAIL; + + if (m.data.v3[0].permitted == 0) + empty = 1; + else if (m.data.v3[0].permitted == 0xFFFFFFFFU) + full = 1; + else + return CAPNG_PARTIAL; + if ((m.data.v3[1].permitted & UPPER_MASK) == 0 && !full) + empty = 1; + else if ((m.data.v3[1].permitted & UPPER_MASK) == UPPER_MASK && !empty) + full = 1; + else + return CAPNG_PARTIAL; + + if (empty == 1 && full == 0) + return CAPNG_NONE; else if (empty == 0 && full == 1) return CAPNG_FULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/src/cap-ng.h new/libcap-ng-0.7.10/src/cap-ng.h --- old/libcap-ng-0.7.9/src/cap-ng.h 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/src/cap-ng.h 2019-10-01 20:29:23.000000000 +0200 
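Review bot: The body of the new capng_have_permitted_capabilities is a line-for-line copy of capng_have_capabilities' effective-set classification (lower word against 0 / 0xFFFFFFFFU, upper word against UPPER_MASK, then the empty/full reconciliation), and the `&& !full` / `&& !empty` dance exists only because the flags are set in two steps. Both functions reduce to one static helper that classifies a 64-bit set directly, which also makes the three outcomes obvious to a reader. The header comment `// -1 - error, 0 - no caps, 1 partial caps, 2 full caps` should additionally say that the call lazily loads the current process' capabilities into the shared state when nothing has been loaded yet, since that side effect is visible from the `capng_get_caps_process()` call and surprises callers who expected a pure query. The helper below assumes the `permitted`/`effective` fields are 32-bit unsigned (they are compared with 0xFFFFFFFFU in the hunk).

```c
/* Classify one 64-bit capability set: CAPNG_NONE when no bit is set,
 * CAPNG_FULL when every bit the library knows about is set, and
 * CAPNG_PARTIAL otherwise.  lo holds the first 32 capabilities, hi the
 * rest (only the UPPER_MASK bits of hi are meaningful). */
static capng_results_t check_set(unsigned int lo, unsigned int hi)
{
	if (lo == 0 && (hi & UPPER_MASK) == 0)
		return CAPNG_NONE;
	if (lo == 0xFFFFFFFFU && (hi & UPPER_MASK) == UPPER_MASK)
		return CAPNG_FULL;
	return CAPNG_PARTIAL;
}

// -1 - error, 0 - no caps, 1 partial caps, 2 full caps
// Loads the current process' capabilities into the shared state if none
// have been loaded yet (side effect), then inspects the permitted set only.
capng_results_t capng_have_permitted_capabilities(void)
{
	/* … unchanged: lazy init via capng_get_caps_process() and the CAPNG_FAIL check … */
	return check_set(m.data.v3[0].permitted, m.data.v3[1].permitted);
}
```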
@@ -63,6 +63,7 @@ // These functions check capability bits capng_results_t capng_have_capabilities(capng_select_t set); +capng_results_t capng_have_permitted_capabilities(void); int capng_have_capability(capng_type_t which, unsigned int capability); // These functions printout capabilities diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/src/lookup_table.c new/libcap-ng-0.7.10/src/lookup_table.c --- old/libcap-ng-0.7.9/src/lookup_table.c 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/src/lookup_table.c 2019-10-01 20:29:23.000000000 +0200 @@ -25,6 +25,7 @@ #include <linux/capability.h> #include <strings.h> #include <stdio.h> +#include <stdlib.h> // free #define hidden __attribute__ ((visibility ("hidden"))) @@ -105,6 +106,7 @@ CAP_NG_CAPABILITY_NAMES, name); } +static char *ptr2 = NULL; const char *capng_capability_to_name(unsigned int capability) { char *ptr; 
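Review bot: The new public declaration `capng_have_permitted_capabilities(void)` arrives without a comment, and the group comment `// These functions check capability bits` does not say which set each function inspects, which is the one thing a caller choosing between the two needs to know. Suggest a line above the declaration: `// Checks the permitted set only (capng_have_capabilities looks at the effective set); loads the current process' capabilities first if nothing has been loaded yet.` Both facts are visible in the cap-ng.c hunks of this same diff.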
@@ -114,10 +116,13 @@ ptr = capng_lookup_number(captab, captab_msgstr.str, CAP_NG_CAPABILITY_NAMES, capability); - if (ptr == NULL) // This leaks memory, but should almost never be used - if (asprintf(&ptr, "cap_%d", capability) < 0) + if (ptr == NULL) { // This leaks memory, but should almost never be used + free(ptr2); + if (asprintf(&ptr2, "cap_%u", capability) < 0) ptr = NULL; - + else + ptr = ptr2; + } return ptr; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/test-driver new/libcap-ng-0.7.10/test-driver --- old/libcap-ng-0.7.9/test-driver 2018-02-07 18:54:04.000000000 +0100 +++ new/libcap-ng-0.7.10/test-driver 2019-10-01 20:29:28.000000000 +0200 @@ -1,9 +1,9 @@ #! /bin/sh # test-driver - basic testsuite driver script. -scriptversion=2016-01-11.22; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 2011-2017 Free Software Foundation, Inc. +# Copyright (C) 2011-2018 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -16,7 +16,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a 
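Review bot: `free(ptr2)` followed by a failing `asprintf(&ptr2, "cap_%u", capability)` leaves ptr2 pointing at the freed buffer (asprintf's output pointer is undefined on failure), so the next lookup of an unknown number frees it a second time. Reset the pointer on both paths: `free(ptr2); ptr2 = NULL;` before the call, and `ptr2 = NULL;` next to `ptr = NULL;` in the failure branch. The comment `// This leaks memory, but should almost never be used` is now stale — the buffer is reused, not leaked — and what a reader needs instead is the lifetime and sharing rule, e.g. `// fallback name lives in a static buffer: valid only until the next unknown lookup, and not safe to use from several threads at once`. The function's signature and the `static char *ptr2` definition are in the previous hunk.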
@@ -140,7 +140,7 @@ # Local Variables: # mode: shell-script # sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/utils/captest.c new/libcap-ng-0.7.10/utils/captest.c --- old/libcap-ng-0.7.9/utils/captest.c 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/utils/captest.c 2019-10-01 20:29:23.000000000 +0200 @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; see the file COPYING. If not, write to the - * Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. * * Authors: * Steve Grubb <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/utils/filecap.8 new/libcap-ng-0.7.10/utils/filecap.8 --- old/libcap-ng-0.7.9/utils/filecap.8 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/utils/filecap.8 2019-10-01 20:29:23.000000000 +0200 
@@ -1,10 +1,10 @@ -.TH FILECAP: "8" "March 2009" "Red Hat" "System Administration Utilities" +.TH FILECAP: "8" "Aug 2018" "Red Hat" "System Administration Utilities" .SH NAME filecap \- a program to see capabilities .SH SYNOPSIS .B filecap [ \-a | \-d | /dir | /dir/file [cap1 cap2 ...] ] .SH DESCRIPTION -\fBfilecap\fP is a program that prints out a report of programs with file based capabilities. If a file is not in the report or there is no report at all, no capabilities were found. For expedience, the default is to check only the directories in the PATH environmental variable. If the \-a command line option is given, then all directories will be checked. If a directory is passed, it will recursively check that directory. If a path to a file is given, it will only check that file. If the path to the file includes capabilities, then they are written to the file. +\fBfilecap\fP is a program that prints out a report of programs with file based capabilities. If a file is not in the report or there is no report at all, no capabilities were found. For expedience, the default is to check only the directories in the PATH environmental variable. If the \-a command line option is given, then all directories will be checked. If a directory is passed, it will recursively check that directory. If a path to a file is given, it will only check that file. If a file is given followed by capabilities, then the capabilities are written to the file. .SH OPTIONS .TP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/utils/filecap.c new/libcap-ng-0.7.10/utils/filecap.c --- old/libcap-ng-0.7.9/utils/filecap.c 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/utils/filecap.c 2019-10-01 20:29:23.000000000 +0200 
@@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; see the file COPYING. If not, write to the - * Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. * * Authors: * Steve Grubb <[email protected]> @@ -59,21 +60,27 @@ int fd = open(fpath, O_RDONLY|O_CLOEXEC); if (fd >= 0) { capng_results_t rc; + int permitted = 0; capng_clear(CAPNG_SELECT_BOTH); - if (capng_get_caps_fd(fd) < 0) { + if (capng_get_caps_fd(fd) < 0 && errno != ENODATA) { fprintf(stderr, "Unable to get capabilities of %s: %s\n", fpath, strerror(errno)); if (single_file) ret = 1; } rc = capng_have_capabilities(CAPNG_SELECT_CAPS); + if (rc == CAPNG_NONE) { + permitted = 1; + rc = capng_have_permitted_capabilities(); + } if (rc > CAPNG_NONE) { if (header == 0) { header = 1; - printf("%-20s capabilities\n", "file"); + printf("%-9s %-20s capabilities\n", "set", "file"); } - printf("%s ", fpath); + printf("%s %s ", + permitted ? "permitted" : "effective", fpath); if (rc == CAPNG_FULL) printf("full"); else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/utils/netcap.c new/libcap-ng-0.7.10/utils/netcap.c --- old/libcap-ng-0.7.9/utils/netcap.c 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/utils/netcap.c 2019-10-01 20:29:23.000000000 +0200 
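Review bot: The `errno != ENODATA` exemption quiets the common "no capability xattr" case, but a filesystem that does not support xattrs at all reports ENOTSUP from fgetxattr, so — assuming capng_get_caps_fd passes that errno through, as the ENODATA test relies on — walking such a tree with `-a` still prints one "Unable to get capabilities" line per file; if that is not intended, extend the test to `errno != ENODATA && errno != ENOTSUP`. Either way a short comment on the condition, `// ENODATA: file simply has no capability xattr`, records why one error is treated as success. The `int permitted` flag only exists to feed the ternary in the printf; `const char *setname = "effective";` assigned `"permitted"` in the fallback branch and printed directly reads more plainly. The enclosing function starts and ends outside this hunk.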
@@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; see the file COPYING. If not, write to the - * Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. * * Authors: * Steve Grubb <[email protected]> @@ -232,7 +233,7 @@ // And print out anything with capabilities if (header == 0) { - printf("%-5s %-5s %-10s %-16s %-4s %-6s %s\n", + printf("%-5s %-5s %-10s %-16s %-8s %-6s %s\n", "ppid", "pid", "acct", "command", "type", "port", "capabilities"); header = 1; @@ -253,7 +254,7 @@ printf("%-5d %-5d %-10s", n->ppid, n->pid, tacct); } else printf("%-5d %-5d %-10d", n->ppid, n->pid, last_uid); - printf(" %-16s %-4s", n->cmd, type); + printf(" %-16s %-8s", n->cmd, type); if (ifc) printf(" %-6s", ifc); else @@ -449,6 +450,8 @@ // Next udp sockets... read_udp("/proc/net/udp", "udp"); read_udp("/proc/net/udp6", "udp6"); + read_udp("/proc/net/udplite", "udplite"); + read_udp("/proc/net/udplite6", "udplite6"); // Next, raw sockets... read_raw("/proc/net/raw", "raw"); @@ -457,6 +460,8 @@ // And last, read packet sockets read_packet(); + // Could also do icmp,netlink,unix + list_clear(&l); return 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/utils/proc-llist.c new/libcap-ng-0.7.10/utils/proc-llist.c --- old/libcap-ng-0.7.9/utils/proc-llist.c 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/utils/proc-llist.c 2019-10-01 20:29:23.000000000 +0200 
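Review bot: The two new `read_udp` calls pass `/proc/net/udplite` and `/proc/net/udplite6`, which may be missing on some kernels or on restricted /proc mounts, so the outcome depends on how read_udp handles a failed open, and that code is outside this diff. If read_udp reports the failure, these lines turn an optional file into per-run noise; if it returns silently, a short comment would spare the next reader the same question: `// UDP-Lite tables are optional; read_udp() skips them when absent`. The `%-8s` widening of the type column in the earlier hunks of this file matches the longest new label, `udplite6`, so the header and row formats stay aligned. The enclosing function continues outside the hunk.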
@@ -15,7 +15,8 @@
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; see the file COPYING. If not, write to the
-* Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+* Boston, MA 02110-1335, USA.
 *
 * Authors:
 * Steve Grubb <[email protected]>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/utils/proc-llist.h new/libcap-ng-0.7.10/utils/proc-llist.h
--- old/libcap-ng-0.7.9/utils/proc-llist.h 2018-02-07 18:53:59.000000000 +0100
+++ new/libcap-ng-0.7.10/utils/proc-llist.h 2019-10-01 20:29:23.000000000 +0200
@@ -15,7 +15,8 @@
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; see the file COPYING. If not, write to the
-* Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+* Boston, MA 02110-1335, USA.
 *
 * Authors:
 * Steve Grubb <[email protected]>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/utils/pscap.8 new/libcap-ng-0.7.10/utils/pscap.8
--- old/libcap-ng-0.7.9/utils/pscap.8 2018-02-07 18:53:59.000000000 +0100
+++ new/libcap-ng-0.7.10/utils/pscap.8 2019-10-01 20:29:23.000000000 +0200
@@ -6,6 +6,8 @@ .SH DESCRIPTION \fBpscap\fP is a program that prints out a report of process capabilities. If the application has any capabilities, it will be in the report with the exception of init. By giving the \-a command line option, init will be included, too. If a process is not in the report, it has dropped all capabilities. If the process has partial capabilities, it is further examined to see if it has an open-ended bounding set. If this is found to be true, a '+' symbol is added. +The command name in the output may be followed by an asterisk mark (*). This mark denotes processes which run in child user namespaces (relative to the user namespace of pscap itself). + .SH "SEE ALSO" .BR netcap (8), .BR filecap (8), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libcap-ng-0.7.9/utils/pscap.c new/libcap-ng-0.7.10/utils/pscap.c --- old/libcap-ng-0.7.9/utils/pscap.c 2018-02-07 18:53:59.000000000 +0100 +++ new/libcap-ng-0.7.10/utils/pscap.c 2019-10-01 20:29:23.000000000 +0200 @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; see the file COPYING. If not, write to the - * Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. * * Authors: * Steve Grubb <[email protected]> @@ -31,8 +32,12 @@ #include <dirent.h> #include <fcntl.h> #include <pwd.h> +#include <stdbool.h> +#include <sys/stat.h> #include "cap-ng.h" +#define CMD_LEN 16 +#define USERNS_MARK_LEN 2 static void usage(void) { 
@@ -40,6 +45,34 @@ exit(1); } +/* + * Precise recursive checks for parent-child relation between namespaces + * using ioctl() were avoided, because there didn't seem to be any case when + * we may dereference the namespace symlink in /proc/PID/ns for processes in + * user namespaces other than the current or child ones. Thus, the check just + * tries to dereference the link and checks that it does not point to the + * current NS. + */ +static bool in_child_userns(int pid) +{ + char ns_file_path[32]; + struct stat statbuf; + ino_t own_ns_inode; + dev_t own_ns_dev; + + if (stat("/proc/self/ns/user", &statbuf) < 0) + return false; + + own_ns_inode = statbuf.st_ino; + own_ns_dev = statbuf.st_dev; + + snprintf(ns_file_path, 32, "/proc/%d/ns/user", pid); + if (stat(ns_file_path, &statbuf) < 0) + return false; + + return statbuf.st_ino != own_ns_inode || statbuf.st_dev != own_ns_dev; +} + int main(int argc, char *argv[]) { DIR *d; @@ -66,7 +99,7 @@ while (( ent = readdir(d) )) { int pid, ppid, uid = -1, euid = -1; char buf[100]; - char *tmp, cmd[16], state, *name = NULL; + char *tmp, cmd[CMD_LEN + USERNS_MARK_LEN], state, *name = NULL; int fd, len; struct passwd *p; @@ -143,7 +176,7 @@ } if (header == 0) { - printf("%-5s %-5s %-10s %-16s %s\n", + printf("%-5s %-5s %-10s %-18s %s\n", "ppid", "pid", "name", "command", "capabilities"); header = 1; @@ -160,11 +193,15 @@ name = p->pw_name; // If not taking this branch, use last val } + + if (in_child_userns(pid)) + strcat(cmd, " *"); + if (name) { - printf("%-5d %-5d %-10s %-16s ", ppid, pid, + printf("%-5d %-5d %-10s %-18s ", ppid, pid, name, cmd); } else - printf("%-5d %-5d %-10d %-16s ", ppid, pid, + printf("%-5d %-5d %-10d %-18s ", ppid, pid, uid, cmd); if (caps == CAPNG_PARTIAL) { capng_print_caps_text(CAPNG_PRINT_STDOUT,
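Review bot: `in_child_userns` establishes that the target's user namespace differs from pscap's own, not that it is a descendant, so the `*` marker (and the man-page text that describes it as "child user namespaces") can also land on a process in a parent or sibling namespace whenever its `/proc/PID/ns/user` link can be followed — if I read the ptrace access rules correctly, that happens when pscap itself runs inside an unprivileged user namespace and the other process has the same uid and is dumpable. The header comment should state its premise as the assumption it is, e.g. `/* Assumes any /proc/PID/ns/user link we can resolve belongs to our own or a descendant namespace; a same-uid process in a parent namespace also resolves, so this is a "different namespace" test, not a strict child check. */`. Two smaller points: `snprintf(ns_file_path, 32, ...)` should use `sizeof ns_file_path` so the bound cannot drift from the declaration, and `stat("/proc/self/ns/user", ...)` is repeated for every process in the readdir loop although its result cannot change, so it could be computed once and cached in a static. A stat failure on either path yields `false`, which also covers a process that exited between readdir and the check; that is reasonable but deserves a line in the comment.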
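Review bot: `strcat(cmd, " *")` is an unbounded append whose safety rests on the parsing code above this hunk (not visible here) never storing more than `CMD_LEN - 1` characters in `cmd`; the declaration hunk widens the buffer to `CMD_LEN + USERNS_MARK_LEN` (18 bytes) and `#define USERNS_MARK_LEN 2` in the previous line's hunk counts only the two marker characters, so the terminator is borrowed from the 16 of `CMD_LEN` (the kernel's comm field is 15 characters plus NUL). That arithmetic is presumably correct today but invisible at the call site; a bounded append keeps it correct if the parser or the macros change: `snprintf(cmd + strlen(cmd), sizeof cmd - strlen(cmd), " *");`. A one-line note next to the defines would also help, e.g. `/* CMD_LEN includes the NUL (TASK_COMM_LEN); USERNS_MARK_LEN is strlen(" *") */`. The readdir loop and its enclosing function continue outside the hunk.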
