diff --git a/base/libcap/0001-upstream-fixes.patch b/base/libcap/0001-upstream-fixes.patch
new file mode 100644
index 000000000..8a89b4adb
--- /dev/null
+++ b/base/libcap/0001-upstream-fixes.patch
@@ -0,0 +1,111 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../libcap/0001-upstream-fixes.patch
+# Copyright (C) 2013 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Fixes found in the upstream repository
+
+https://git.kernel.org/cgit/linux/kernel/git/morgan/libcap.git/
+
+
+From 616a03da55bbaefce4055d4e47a81cd85f3161e2 Mon Sep 17 00:00:00 2001
+From: Andrew G. Morgan
+Date: Sun, 31 Jul 2011 00:39:27 +0000
+Subject: Fix a compiler warning(error) for format mismatch.
+
+Signed-off-by: Andrew G. Morgan
+---
+diff --git a/progs/capsh.c b/progs/capsh.c
+index 52336d7..3ceadcd 100644
+--- a/progs/capsh.c
++++ b/progs/capsh.c
+@@ -520,7 +520,8 @@ int main(int argc, char *argv[], char *envp[])
+ if (set >= 0) {
+ const char *b;
+ b = binary(set); /* use verilog convention for binary string */
+- printf("Securebits: 0%o/0x%x/%u'b%s\n", set, set, strlen(b), b);
++ printf("Securebits: 0%o/0x%x/%u'b%s\n", set, set,
++ (unsigned) strlen(b), b);
+ printf(" secure-noroot: %s (%s)\n",
+ (set & 1) ? "yes":"no",
+ (set & 2) ? "locked":"unlocked");
+--
+cgit v0.9.2
+From 056ffb0bd25d91ffbcb83c521fc4d3d9904ec4d4 Mon Sep 17 00:00:00 2001
+From: Andrew G. Morgan
+Date: Sun, 31 Jul 2011 01:22:21 +0000
+Subject: setcap: comment to help the user figure out why setcap is failing.
+
+The file capabilities are not as expressive as process capabilities
+(for a reason - see the NOTES section of 'man 3 cap_set_file').
+
+The effective bits on a file under linux are captured by a single
+boolean. As such attempting to partially set effective bits via the
+more fully expressive process capability representation (cap_from_text)
+sometimes yields an error. From now on, suggest that when the user
+attempts to do this and an error occurs, the error might be such a
+mismatch between effective and the other capability bits.
+
+Signed-off-by: Andrew G. Morgan
+---
+diff --git a/progs/setcap.c b/progs/setcap.c
+index 0215fc4..83090ae 100644
+--- a/progs/setcap.c
++++ b/progs/setcap.c
+@@ -26,7 +26,7 @@ static void usage(void)
+
+ static int read_caps(int quiet, const char *filename, char *buffer)
+ {
+- int i=MAXCAP;
++ int i = MAXCAP;
+
+ if (!quiet) {
+ fprintf(stderr, "Please enter caps for file [empty line to end]:\n");
+@@ -170,10 +170,33 @@ int main(int argc, char **argv)
+ }
+ retval = cap_set_file(*++argv, cap_d);
+ if (retval != 0) {
++ int explained = 0;
++#ifdef linux
++ cap_value_t cap;
++ cap_flag_value_t per_state;
++
++ for (cap = 0;
++ cap_get_flag(cap_d, cap, CAP_PERMITTED, &per_state) != -1;
++ cap++) {
++ cap_flag_value_t inh_state, eff_state;
++
++ cap_get_flag(cap_d, cap, CAP_INHERITABLE, &inh_state);
++ cap_get_flag(cap_d, cap, CAP_EFFECTIVE, &eff_state);
++ if ((inh_state | per_state) != eff_state) {
++ fprintf(stderr, "NOTE: Under Linux, effective file capabilities must either be empty, or\n"
++ " exactly match the union of selected permitted and inheritable bits.\n");
++ explained = 1;
++ break;
++ }
++ }
++#endif /* def linux */
++
+ fprintf(stderr,
+ "Failed to set capabilities on file `%s' (%s)\n",
+ argv[0], strerror(errno));
+- usage();
++ if (!explained) {
++ usage();
++ }
+ }
+ }
+ if (cap_d) {
+--
+cgit v0.9.2
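Review bot: In the setcap.c hunk carried by this patch file, the `errno` left by the failed `cap_set_file()` can be overwritten before `strerror(errno)` is printed. When no mismatch is found, the loop only ends once `cap_get_flag()` returns -1, which libcap reports with its own errno, and the NOTE `fprintf` may change it as well. An administrator would then read a wrong failure reason, for example an invalid-argument message in place of a permission error; save the value with `int saved_errno = errno;` before the `#ifdef linux` block and print `strerror(saved_errno)`. Separately, `(inh_state | per_state) != eff_state` is also true for a set whose effective flags are all clear, which the NOTE text itself calls valid, so the NOTE appears and `usage()` is skipped for failures unrelated to the flag layout. main() starts and ends outside the hunk.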