[arch-commits] Commit in gnome-keyring/repos (5 files)

Jan Steffens heftig at archlinux.org
Thu Nov 19 11:38:24 UTC 2020


    Date: Thursday, November 19, 2020 @ 11:38:24
  Author: heftig
Revision: 401392

archrelease: copy trunk to testing-x86_64

Added:
  gnome-keyring/repos/testing-x86_64/
  gnome-keyring/repos/testing-x86_64/33.patch
    (from rev 401391, gnome-keyring/trunk/33.patch)
  gnome-keyring/repos/testing-x86_64/PKGBUILD
    (from rev 401391, gnome-keyring/trunk/PKGBUILD)
  gnome-keyring/repos/testing-x86_64/add-cinnamon.diff
    (from rev 401391, gnome-keyring/trunk/add-cinnamon.diff)
  gnome-keyring/repos/testing-x86_64/gnome-keyring.install
    (from rev 401391, gnome-keyring/trunk/gnome-keyring.install)

-----------------------+
 33.patch              |  109 ++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD              |   65 ++++++++++++++++++++++++++++
 add-cinnamon.diff     |   44 +++++++++++++++++++
 gnome-keyring.install |    7 +++
 4 files changed, 225 insertions(+)

Copied: gnome-keyring/repos/testing-x86_64/33.patch (from rev 401391, gnome-keyring/trunk/33.patch)
===================================================================
--- testing-x86_64/33.patch	                        (rev 0)
+++ testing-x86_64/33.patch	2020-11-19 11:38:24 UTC (rev 401392)
@@ -0,0 +1,109 @@
+From dad072e1f7f6d640f4d6b52408b485ea34229f15 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb at redhat.com>
+Date: Thu, 29 Oct 2020 16:26:21 -0400
+Subject: [PATCH] Update libcap-ng capability handling
+
+There is a change coming in libcap-ng-0.8.1 that causes gnome-keyring to
+not work correctly. The capng_apply function now returns an error if it
+cannot change the bounding set. Previously this was ignored. Which means
+now gnome-keyring exits when it shouldn't.
+
+The new patch adds troubleshooting info to the error message. And it checks
+to see if we have CAP_SETPCAP. If we do not, then we cannot change the
+capabilities so we just bypass the whole thing that was causing an error.
+On the setuid side, it now drops the bounding set and clears any
+supplemental groups that may be left over as an accident.
+---
+ daemon/gkd-capability.c | 44 +++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 19 deletions(-)
+
+diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
+index 9afe3039..9ceaecee 100644
+--- a/daemon/gkd-capability.c
++++ b/daemon/gkd-capability.c
+@@ -1,7 +1,7 @@
+ /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
+ /* gkd-capability.c - the security-critical initial phase of the daemon
+  *
+- * Copyright (C) 2011 Steve Grubb
++ * Copyright (C) 2011,2020 Steve Grubb
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU Lesser General Public License as
+@@ -35,9 +35,10 @@
+ 
+ /* No logging, no gettext */
+ static void
+-early_error (const char *err_string)
++early_error (const char *err_string, int rc)
+ {
+-	fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
++	fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
++		err_string, rc);
+ 	exit (1);
+ }
+ 
+@@ -64,6 +65,8 @@ void
+ gkd_capability_obtain_capability_and_drop_privileges (void)
+ {
+ #ifdef HAVE_LIBCAPNG
++	int rc;
++
+ 	capng_get_caps_process ();
+ 	switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
+ 	{
+@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
+ 			capng_update (CAPNG_ADD,
+ 					CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ 					CAP_IPC_LOCK);
+-			if (capng_change_id (getuid (), getgid (), 0))
+-				early_error ("failed dropping capabilities");
++			if ((rc = capng_change_id (getuid (), getgid (),
++						   CAPNG_DROP_SUPP_GRP|
++						   CAPNG_CLEAR_BOUNDING)))
++				early_error ("failed dropping capabilities",
++					     rc);
+ 			break;
+ 		case CAPNG_FAIL:
+-			early_error ("error getting process capabilities");
++			early_error ("error getting process capabilities", 0);
+ 			break;
+ 		case CAPNG_NONE:
+ 			early_warning ("insufficient process capabilities, insecure memory might get used");
+ 			break;
+ 		case CAPNG_PARTIAL: /* File system based capabilities */
+-			if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
++			if (!capng_have_capability (CAPNG_EFFECTIVE,
++							    CAP_IPC_LOCK))
+ 				early_warning ("insufficient process capabilities, insecure memory might get used");
+-				/* Drop all capabilities */
++
++			/* If we don't have CAP_SETPCAP, we can't do anything */
++			if (capng_have_capability (CAPNG_EFFECTIVE,
++								CAP_SETPCAP)) {
++				 /* Drop all capabilities except ipc_lock */
+ 				capng_clear (CAPNG_SELECT_BOTH);
+-				capng_apply (CAPNG_SELECT_BOTH);
+-				break;
++				if ((rc = capng_update (CAPNG_ADD,
++						CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++						CAP_IPC_LOCK)) != 0)
++					early_error ("error updating process capabilities", rc);
++				if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0)
++					early_error ("error dropping process capabilities", rc);
+ 			}
+-
+-			/* Drop all capabilities except ipc_lock */
+-			capng_clear (CAPNG_SELECT_BOTH);
+-			if (capng_update (CAPNG_ADD,
+-					  CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+-					  CAP_IPC_LOCK) != 0)
+-				early_error ("error dropping process capabilities");
+-			if (capng_apply (CAPNG_SELECT_BOTH) != 0)
+-				early_error ("error dropping process capabilities");
+ 			break;
+ 	}
+ #endif /* HAVE_LIBCAPNG */
+-- 
+GitLab
+

Copied: gnome-keyring/repos/testing-x86_64/PKGBUILD (from rev 401391, gnome-keyring/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2020-11-19 11:38:24 UTC (rev 401392)
@@ -0,0 +1,65 @@
+# Maintainer: Jan Alexander Steffens (heftig) <heftig at archlinux.org>
+# Contributor: Jan De Groot <jgc at archlinux.org>
+
+pkgname=gnome-keyring
+pkgver=3.36.0
+pkgrel=2
+epoch=1
+pkgdesc="Stores passwords and encryption keys"
+url="https://wiki.gnome.org/Projects/GnomeKeyring"
+arch=(x86_64)
+license=(GPL LGPL)
+depends=(gcr libcap-ng pam openssh)
+makedepends=(git docbook-xsl python)
+provides=(org.freedesktop.secrets)
+groups=(gnome)
+install=gnome-keyring.install
+_commit=6cc50f97575d1d978cd7d24e6466f585d37947ed  # tags/3.36.0^0
+source=("git+https://gitlab.gnome.org/GNOME/gnome-keyring.git#commit=$_commit"
+        33.patch
+        add-cinnamon.diff)
+sha256sums=('SKIP'
+            '23294d6569bb7c8297cc2f95071576fac48ee82ec1ead1b818dd69fbbc72b069'
+            'd05210f5b0a7d4b22c0dff2854854af2eb5708aa2b296095e070dca68e9f815a')
+
+pkgver() {
+  cd $pkgname
+  git describe --tags | sed 's/-/+/g'
+}
+
+prepare() {
+  cd $pkgname
+
+  # https://bugs.archlinux.org/task/68664
+  # https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/33
+  git apply -3 ../33.patch
+
+  # Autolaunch in Cinnamon
+  git apply -3 ../add-cinnamon.diff
+
+  NOCONFIGURE=1 ./autogen.sh
+}
+
+build() {
+  cd $pkgname
+  ./configure --prefix=/usr \
+    --sysconfdir=/etc \
+    --localstatedir=/var \
+    --libexecdir=/usr/lib \
+    --with-pam-dir=/usr/lib/security \
+    --disable-static \
+    --disable-schemas-compile
+  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
+  make
+}
+
+check() {
+  cd $pkgname
+  # Secure memory tests fail
+  dbus-run-session make -k check || :
+}
+
+package() {
+  cd $pkgname
+  make DESTDIR="$pkgdir" install
+}

Copied: gnome-keyring/repos/testing-x86_64/add-cinnamon.diff (from rev 401391, gnome-keyring/trunk/add-cinnamon.diff)
===================================================================
--- testing-x86_64/add-cinnamon.diff	                        (rev 0)
+++ testing-x86_64/add-cinnamon.diff	2020-11-19 11:38:24 UTC (rev 401392)
@@ -0,0 +1,44 @@
+ daemon/gnome-keyring-pkcs11.desktop.in.in  | 2 +-
+ daemon/gnome-keyring-secrets.desktop.in.in | 2 +-
+ daemon/gnome-keyring-ssh.desktop.in.in     | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git c/daemon/gnome-keyring-pkcs11.desktop.in.in i/daemon/gnome-keyring-pkcs11.desktop.in.in
+index b43e1e9d..80434cbd 100644
+--- c/daemon/gnome-keyring-pkcs11.desktop.in.in
++++ i/daemon/gnome-keyring-pkcs11.desktop.in.in
+@@ -3,7 +3,7 @@ Type=Application
+ Name=Certificate and Key Storage
+ Comment=GNOME Keyring: PKCS#11 Component
+ Exec=@bindir@/gnome-keyring-daemon --start --components=pkcs11
+-OnlyShowIn=GNOME;Unity;MATE;
++OnlyShowIn=GNOME;Unity;MATE;Cinnamon;
+ NoDisplay=true
+ X-GNOME-Autostart-Phase=PreDisplayServer
+ X-GNOME-AutoRestart=false
+diff --git c/daemon/gnome-keyring-secrets.desktop.in.in i/daemon/gnome-keyring-secrets.desktop.in.in
+index dd9deec7..b6d7b2d0 100644
+--- c/daemon/gnome-keyring-secrets.desktop.in.in
++++ i/daemon/gnome-keyring-secrets.desktop.in.in
+@@ -3,7 +3,7 @@ Type=Application
+ Name=Secret Storage Service
+ Comment=GNOME Keyring: Secret Service
+ Exec=@bindir@/gnome-keyring-daemon --start --components=secrets
+-OnlyShowIn=GNOME;Unity;MATE;
++OnlyShowIn=GNOME;Unity;MATE;Cinnamon;
+ NoDisplay=true
+ X-GNOME-Autostart-Phase=PreDisplayServer
+ X-GNOME-AutoRestart=false
+diff --git c/daemon/gnome-keyring-ssh.desktop.in.in i/daemon/gnome-keyring-ssh.desktop.in.in
+index 38aa24cb..163ff554 100644
+--- c/daemon/gnome-keyring-ssh.desktop.in.in
++++ i/daemon/gnome-keyring-ssh.desktop.in.in
+@@ -3,7 +3,7 @@ Type=Application
+ Name=SSH Key Agent
+ Comment=GNOME Keyring: SSH Agent
+ Exec=@bindir@/gnome-keyring-daemon --start --components=ssh
+-OnlyShowIn=GNOME;Unity;MATE;
++OnlyShowIn=GNOME;Unity;MATE;Cinnamon;
+ X-GNOME-Autostart-Phase=PreDisplayServer
+ X-GNOME-AutoRestart=false
+ X-GNOME-Autostart-Notify=true

Copied: gnome-keyring/repos/testing-x86_64/gnome-keyring.install (from rev 401391, gnome-keyring/trunk/gnome-keyring.install)
===================================================================
--- testing-x86_64/gnome-keyring.install	                        (rev 0)
+++ testing-x86_64/gnome-keyring.install	2020-11-19 11:38:24 UTC (rev 401392)
@@ -0,0 +1,7 @@
+post_install() {
+  setcap cap_ipc_lock+ep usr/bin/gnome-keyring-daemon
+}
+
+post_upgrade() {
+  post_install
+}


More information about the arch-commits mailing list