From 17e850f478def409f1e59522829f44eb0a7b0d7d Mon Sep 17 00:00:00 2001
From: konglidong
Date: Tue, 23 Nov 2021 14:02:22 +0800
Subject: [PATCH] fix_capng_apply_for_libcap-ng-0.8.1
(cherry picked from commit 4f1a54450022f0b9a03d4abe477a164c122055a1)
---
 ...te-the-cap-bounding-set-only-when-CA.patch | 50 +++++++++++++++++++
 ...e-the-cap-bounding-set-only-when-CAP.patch | 50 +++++++++++++++++++
 cifs-utils.spec | 10 +++-
 3 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch
 create mode 100644 1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch
diff --git a/1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch b/1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch
new file mode 100644
index 0000000..e889163
--- /dev/null
+++ b/1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch
@@ -0,0 +1,50 @@
+From 4205fdc411701ffc323769d41508e0875b9d63d4 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel
+Date: Sat, 21 Nov 2020 12:11:45 +0100
+Subject: [PATCH] cifs.upcall: update the cap bounding set only when
+ CAP_SETPCAP is given
+
+libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
+of -4 when trying to update the capability bounding set without having the
+CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
+silently skipped updating the bounding set and only updated the normal
+CAPNG_SELECT_CAPS capabilities instead.
+
+Check beforehand whether we have CAP_SETPCAP, in which case we can use
+CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
+Otherwise, we can at least update the normal capabilities, but refrain from
+trying to update the bounding set to avoid getting an error.
+
+Signed-off-by: Jonas Witschel
+---
+ cifs.upcall.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 1559434..af1a0b0 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -88,6 +88,8 @@ typedef enum _sectype {
+ static int
+ trim_capabilities(bool need_environ)
+ {
++ capng_select_t set = CAPNG_SELECT_CAPS;
++
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ /* SETUID and SETGID to change uid, gid, and grouplist */
+@@ -105,7 +107,10 @@ trim_capabilities(bool need_environ)
+ return 1;
+ }
+
+- if (capng_apply(CAPNG_SELECT_BOTH)) {
++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
++ set = CAPNG_SELECT_BOTH;
++ }
++ if (capng_apply(set)) {
+ syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
+ return 1;
+ }
+--
+2.27.0
+
diff --git a/1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch b/1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch
new file mode 100644
index 0000000..c735c45
--- /dev/null
+++ b/1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch
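Review bot: In the embedded cifs.upcall.c change, `capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)` runs after `capng_clear(CAPNG_SELECT_BOTH)`, and libcap-ng describes that call as checking its internal capability set, which the clear has just emptied. Unless CAP_SETPCAP is re-added by the `capng_update` lines between the two inner hunks (not visible here), the test appears to be always false, so the bounding set would never be trimmed even when the process could do it. The same ordering is in `drop_capabilities()` in the mount.cifs.c patch. Consider sampling the capability before the clear, e.g. `int can_bound = capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP);` ahead of `capng_clear(...)` and then `if (can_bound) set = CAPNG_SELECT_BOTH;`. The fallback to `CAPNG_SELECT_CAPS` is also silent, so a log line on that path would show when the helper keeps a wider bounding set than intended; both function bodies continue outside the hunks.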
@@ -0,0 +1,50 @@
+From e406fb13e5b08b440100ec6215973060b7fdcff3 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel
+Date: Sat, 21 Nov 2020 12:11:44 +0100
+Subject: [PATCH] mount.cifs: update the cap bounding set only when CAP_SETPCAP
+ is given
+
+libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
+of -4 when trying to update the capability bounding set without having the
+CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
+silently skipped updating the bounding set and only updated the normal
+CAPNG_SELECT_CAPS capabilities instead.
+
+Check beforehand whether we have CAP_SETPCAP, in which case we can use
+CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
+Otherwise, we can at least update the normal capabilities, but refrain from
+trying to update the bounding set to avoid getting an error.
+
+Signed-off-by: Jonas Witschel
+---
+ mount.cifs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 81bdbc8..2474e98 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -347,6 +347,8 @@ static int set_password(struct parsed_mount_info *parsed_info, const char *src)
+ static int
+ drop_capabilities(int parent)
+ {
++ capng_select_t set = CAPNG_SELECT_CAPS;
++
+ capng_setpid(getpid());
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (parent) {
+@@ -364,7 +366,10 @@ drop_capabilities(int parent)
+ return EX_SYSERR;
+ }
+ }
+- if (capng_apply(CAPNG_SELECT_BOTH)) {
++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
++ set = CAPNG_SELECT_BOTH;
++ }
++ if (capng_apply(set)) {
+ fprintf(stderr, "Unable to apply new capability set.\n");
+ return EX_SYSERR;
+ }
+--
+2.27.0
+
diff --git a/cifs-utils.spec b/cifs-utils.spec
index 377e487..4015717 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@@ -1,13 +1,16 @@ Name: cifs-utils Version: 6.10 -Release: 3 +Release: 4 Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem License: GPLv3+ URL: http://linux-cifs.samba.org/cifs-utils/ Source0: https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2 Patch0: 0001-CVE-2020-14342-mount.cifs-fix-shell-command-injectio.patch -Patch1: 0002-CVE-2021-20208.patch +Patch1: 0002-CVE-2021-20208.patch +Patch2: 1001-cifs.upcall-update-the-cap-bounding-set-only-when-CA.patch +Patch3: 1002-mount.cifs-update-the-cap-bounding-set-only-when-CAP.patch + BuildRequires: python3-docutils libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf BuildRequires: automake libwbclient-devel pam-devel python3-samba pkg-config fdupes gcc @@ -80,6 +83,9 @@ install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir} %{_mandir}/man8/* %changelog +* Tue Nov 23 2021 konglidong - 6.10-4 +- sync patch from Upstream for fix capng apply for libcap-ng-0.8.1 + * Tue Aug 17 2021 haowenchao - 6.10-3 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git -- Gitee