[arch-commits] Commit in gnome-keyring/trunk (33.patch PKGBUILD)
Jan Steffens
heftig at archlinux.org
Sat Nov 21 19:53:56 UTC 2020
Date: Saturday, November 21, 2020 @ 19:53:56
Author: heftig
Revision: 401650
3.36.0-3: replace patch with cherry-pick
Modified:
gnome-keyring/trunk/PKGBUILD
Deleted:
gnome-keyring/trunk/33.patch
----------+
33.patch | 109 -------------------------------------------------------------
PKGBUILD | 7 +--
2 files changed, 2 insertions(+), 114 deletions(-)
Deleted: 33.patch
===================================================================
--- 33.patch 2020-11-21 19:48:48 UTC (rev 401649)
+++ 33.patch 2020-11-21 19:53:56 UTC (rev 401650)
@@ -1,109 +0,0 @@
-From dad072e1f7f6d640f4d6b52408b485ea34229f15 Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb at redhat.com>
-Date: Thu, 29 Oct 2020 16:26:21 -0400
-Subject: [PATCH] Update libcap-ng capability handling
-
-There is a change coming in libcap-ng-0.8.1 that causes gnome-keyring to
-not work correctly. The capng_apply function now returns an error if it
-cannot change the bounding set. Previously this was ignored. Which means
-now gnome-keyring exits when it shouldn't.
-
-The new patch adds troubleshooting info to the error message. And it checks
-to see if we have CAP_SETPCAP. If we do not, then we cannot change the
-capabilities so we just bypass the whole thing that was causing an error.
-On the setuid side, it now drops the bounding set and clears any
-supplemental groups that may be left over as an accident.
----
- daemon/gkd-capability.c | 44 +++++++++++++++++++++++------------------
- 1 file changed, 25 insertions(+), 19 deletions(-)
-
-diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
-index 9afe3039..9ceaecee 100644
---- a/daemon/gkd-capability.c
-+++ b/daemon/gkd-capability.c
-@@ -1,7 +1,7 @@
- /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
- /* gkd-capability.c - the security-critical initial phase of the daemon
- *
-- * Copyright (C) 2011 Steve Grubb
-+ * Copyright (C) 2011,2020 Steve Grubb
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as
-@@ -35,9 +35,10 @@
-
- /* No logging, no gettext */
- static void
--early_error (const char *err_string)
-+early_error (const char *err_string, int rc)
- {
-- fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
-+ fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
-+ err_string, rc);
- exit (1);
- }
-
-@@ -64,6 +65,8 @@ void
- gkd_capability_obtain_capability_and_drop_privileges (void)
- {
- #ifdef HAVE_LIBCAPNG
-+ int rc;
-+
- capng_get_caps_process ();
- switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
- {
-@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
- capng_update (CAPNG_ADD,
- CAPNG_EFFECTIVE|CAPNG_PERMITTED,
- CAP_IPC_LOCK);
-- if (capng_change_id (getuid (), getgid (), 0))
-- early_error ("failed dropping capabilities");
-+ if ((rc = capng_change_id (getuid (), getgid (),
-+ CAPNG_DROP_SUPP_GRP|
-+ CAPNG_CLEAR_BOUNDING)))
-+ early_error ("failed dropping capabilities",
-+ rc);
- break;
- case CAPNG_FAIL:
-- early_error ("error getting process capabilities");
-+ early_error ("error getting process capabilities", 0);
- break;
- case CAPNG_NONE:
- early_warning ("insufficient process capabilities, insecure memory might get used");
- break;
- case CAPNG_PARTIAL: /* File system based capabilities */
-- if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
-+ if (!capng_have_capability (CAPNG_EFFECTIVE,
-+ CAP_IPC_LOCK))
- early_warning ("insufficient process capabilities, insecure memory might get used");
-- /* Drop all capabilities */
-+
-+ /* If we don't have CAP_SETPCAP, we can't do anything */
-+ if (capng_have_capability (CAPNG_EFFECTIVE,
-+ CAP_SETPCAP)) {
-+ /* Drop all capabilities except ipc_lock */
- capng_clear (CAPNG_SELECT_BOTH);
-- capng_apply (CAPNG_SELECT_BOTH);
-- break;
-+ if ((rc = capng_update (CAPNG_ADD,
-+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-+ CAP_IPC_LOCK)) != 0)
-+ early_error ("error updating process capabilities", rc);
-+ if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0)
-+ early_error ("error dropping process capabilities", rc);
- }
--
-- /* Drop all capabilities except ipc_lock */
-- capng_clear (CAPNG_SELECT_BOTH);
-- if (capng_update (CAPNG_ADD,
-- CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-- CAP_IPC_LOCK) != 0)
-- early_error ("error dropping process capabilities");
-- if (capng_apply (CAPNG_SELECT_BOTH) != 0)
-- early_error ("error dropping process capabilities");
- break;
- }
- #endif /* HAVE_LIBCAPNG */
---
-GitLab
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-11-21 19:48:48 UTC (rev 401649)
+++ PKGBUILD 2020-11-21 19:53:56 UTC (rev 401650)
@@ -3,7 +3,7 @@
pkgname=gnome-keyring
pkgver=3.36.0
-pkgrel=2
+pkgrel=3
epoch=1
pkgdesc="Stores passwords and encryption keys"
url="https://wiki.gnome.org/Projects/GnomeKeyring"
@@ -16,10 +16,8 @@
install=gnome-keyring.install
_commit=6cc50f97575d1d978cd7d24e6466f585d37947ed # tags/3.36.0^0
source=("git+https://gitlab.gnome.org/GNOME/gnome-keyring.git#commit=$_commit"
- 33.patch
add-cinnamon.diff)
sha256sums=('SKIP'
- '23294d6569bb7c8297cc2f95071576fac48ee82ec1ead1b818dd69fbbc72b069'
'd05210f5b0a7d4b22c0dff2854854af2eb5708aa2b296095e070dca68e9f815a')
pkgver() {
@@ -31,8 +29,7 @@
cd $pkgname
# https://bugs.archlinux.org/task/68664
- # https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/33
- git apply -3 ../33.patch
+ git cherry-pick -n ebc7bc9efacc17049e54da8d96a4a29943621113
# Autolaunch in Cinnamon
git apply -3 ../add-cinnamon.diff
More information about the arch-commits
mailing list