moritzruth/void-packages
1
0
Fork 0
Code Releases Activity Actions 2

gnome-keyring: update to 40.0.

Browse source
This commit is contained in:
Enno Boland 2021-04-03 15:02:48 +02:00
parent 317df31e96
commit 9763cbe975
No known key found for this signature in database
GPG key ID: 5A7B9F1D0DFEB55D
2 changed files with 3 additions and 118 deletions
Download patch file Download diff file Expand all files Collapse all files

115
srcpkgs/gnome-keyring/patches/libcap-ng-fix.patch
View file

@ -1,115 +0,0 @@
From ebc7bc9efacc17049e54da8d96a4a29943621113 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Fri, 20 Nov 2020 11:52:14 -0500
Subject: [PATCH] Update libcap-ng capability handling
There is a change in libcap-ng-0.8.1 that causes gnome-keyring to not
work correctly. The capng_apply function now returns an error if it
cannot change the bounding set. Previously this was ignored. Which means
now gnome-keyring exits when it shouldn't.
The new patch adds troubleshooting info to the error messages. And it checks
to see if we have CAP_SETPCAP. If we do not, then we cannot change the
bounding set and just set capabilities. On the setuid side, it now drops
the bounding set and clears any supplemental groups that may be left over
as an accident.
---
daemon/gkd-capability.c | 54 ++++++++++++++++++++++++++---------------
1 file changed, 34 insertions(+), 20 deletions(-)
diff --git daemon/gkd-capability.c daemon/gkd-capability.c
index 9afe3039..6eb7ed75 100644
--- daemon/gkd-capability.c
+++ daemon/gkd-capability.c
@@ -1,7 +1,7 @@
/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
/* gkd-capability.c - the security-critical initial phase of the daemon
*
- * Copyright (C) 2011 Steve Grubb
+ * Copyright (C) 2011,2020 Steve Grubb
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
@@ -35,9 +35,10 @@
/* No logging, no gettext */
static void
-early_error (const char *err_string)
+early_error (const char *err_string, int rc)
{
- fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
+ fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
+ err_string, rc);
exit (1);
}
@@ -64,6 +65,8 @@ void
gkd_capability_obtain_capability_and_drop_privileges (void)
{
#ifdef HAVE_LIBCAPNG
+ int rc;
+
capng_get_caps_process ();
switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
{
@@ -73,32 +76,43 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
capng_update (CAPNG_ADD,
CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_IPC_LOCK);
- if (capng_change_id (getuid (), getgid (), 0))
- early_error ("failed dropping capabilities");
+ if ((rc = capng_change_id (getuid (), getgid (),
+ CAPNG_DROP_SUPP_GRP|
+ CAPNG_CLEAR_BOUNDING))) {
+ early_error ("failed dropping capabilities",
+ rc);
+ }
break;
case CAPNG_FAIL:
- early_error ("error getting process capabilities");
+ early_error ("error getting process capabilities", 0);
break;
case CAPNG_NONE:
- early_warning ("insufficient process capabilities, insecure memory might get used");
+ early_warning ("no process capabilities, insecure memory might get used");
break;
- case CAPNG_PARTIAL: /* File system based capabilities */
- if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
+ case CAPNG_PARTIAL: { /* File system based capabilities */
+ capng_select_t set = CAPNG_SELECT_CAPS;
+ if (!capng_have_capability (CAPNG_EFFECTIVE,
+ CAP_IPC_LOCK)) {
early_warning ("insufficient process capabilities, insecure memory might get used");
- /* Drop all capabilities */
- capng_clear (CAPNG_SELECT_BOTH);
- capng_apply (CAPNG_SELECT_BOTH);
- break;
}
- /* Drop all capabilities except ipc_lock */
+ /* If we don't have CAP_SETPCAP, we can't update the
+ * bounding set */
+ if (capng_have_capability (CAPNG_EFFECTIVE,
+ CAP_SETPCAP)) {
+ set = CAPNG_SELECT_BOTH;
+ }
+
+ /* Drop all capabilities except ipc_lock */
capng_clear (CAPNG_SELECT_BOTH);
- if (capng_update (CAPNG_ADD,
- CAPNG_EFFECTIVE|CAPNG_PERMITTED,
- CAP_IPC_LOCK) != 0)
- early_error ("error dropping process capabilities");
- if (capng_apply (CAPNG_SELECT_BOTH) != 0)
- early_error ("error dropping process capabilities");
+ if ((rc = capng_update (CAPNG_ADD,
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_IPC_LOCK)) != 0) {
+ early_error ("error updating process capabilities", rc);
+ }
+ if ((rc = capng_apply (set)) != 0) {
+ early_error ("error dropping process capabilities", rc);
+ }} /* Extra brace for local variable declaration */
break;
}
#endif /* HAVE_LIBCAPNG */

6
srcpkgs/gnome-keyring/template
View file

@ -1,7 +1,7 @@
# Template file for 'gnome-keyring' # Template file for 'gnome-keyring'
pkgname=gnome-keyring pkgname=gnome-keyring
version=3.36.0 version=40.0
revision=2 revision=1
build_style=gnu-configure build_style=gnu-configure
configure_args="--with-pam-dir=/usr/lib/security --disable-schemas-compile" configure_args="--with-pam-dir=/usr/lib/security --disable-schemas-compile"
hostmakedepends="autoconf docbook-xsl glib-devel intltool libtasn1-tools libxslt hostmakedepends="autoconf docbook-xsl glib-devel intltool libtasn1-tools libxslt
@ -15,7 +15,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
#changelog="https://raw.githubusercontent.com/GNOME/gnome-keyring/gnome-3-28/NEWS" #changelog="https://raw.githubusercontent.com/GNOME/gnome-keyring/gnome-3-28/NEWS"
homepage="https://www.gnome.org" homepage="https://www.gnome.org"
distfiles="${GNOME_SITE}/$pkgname/${version%.*}/$pkgname-$version.tar.xz" distfiles="${GNOME_SITE}/$pkgname/${version%.*}/$pkgname-$version.tar.xz"
checksum=a264b57a8d1a71fdf0d66e8cd6033d013fb828be279c35766545eb9bb3734f87 checksum=a3d24db08ee2fdf240fbbf0971a98c8ee295aa0e1a774537f4ea938038a3b931
lib32disabled=yes lib32disabled=yes
do_check() { do_check() {