openEuler:Mainline
util-linux
Changes of Revision 4
_service:tar_scm:util-linux.spec
Changed
@@ -3,7 +3,7 @@ Name: util-linux Version: 2.37.2 -Release: 19 +Release: 20 Summary: A random collection of Linux utilities License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git @@ -104,6 +104,8 @@ Patch6083: backport-wrap-return-in-else-directive-to-avoid-dead-code.patch Patch6084: backport-sulogin-ignore-none-existing-console-devices.patch Patch6085: backport-sulogin-fix-KDGKBMODE-ifdef.patch +Patch6086: backport-unshare-Move-implementation-of-keep-caps-option-to-l.patch +Patch6087: backport-lib-caputils-fix-integer-handling-issues-coverity-sc.patch Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch Patch9001: SKIPPED-no-root-permissions-test.patch @@ -475,6 +477,14 @@ %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*} %changelog +* Thu Jun 15 2023 zhangyao <zhangyao108@huawei.com> - 2.37.2-20 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:sync community patches + addbackport-lib-caputils-fix-integer-handling-issues-coverity-sc.patch + backport-unshare-Move-implementation-of-keep-caps-option-to-l.patch + * Mon Jun 5 2023 zhangyao <zhangyao108@huawei.com> - 2.37.2-19 - Type:bugfix - CVE:NA
_service:tar_scm:backport-lib-caputils-fix-integer-handling-issues-coverity-sc.patch
Added
@@ -0,0 +1,26 @@
+From 01a0a556018694bfaf6b01a5a40f8d0d10641a1f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 18 May 2023 10:26:02 +0200
+Subject: PATCH lib/caputils: fix integer handling issues coverity scan
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ lib/caputils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/caputils.c b/lib/caputils.c
+index 3041c3078..23866c071 100644
+--- a/lib/caputils.c
++++ b/lib/caputils.c
+@@ -119,7 +119,7 @@ void cap_permitted_to_ambient(void)
+ if (cap > (uint64_t) cap_last_cap())
+ continue;
+
+- if ((effective & (1 << cap))
++ if ((effective & (1ULL << cap))
+ && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0)
+ err(EXIT_FAILURE, _("prctl(PR_CAP_AMBIENT) failed"));
+ }
+--
+2.33.0
+
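Review bot: The corrected test `if ((effective & (1ULL << cap))` has no comment saying why the constant must be 64-bit, and the commit message only cites a Coverity scan. `cap` is a `uint64_t`, and the enclosing loop (which starts outside this hunk) appears to run it up to bit 63. With a plain `int` constant, a shift of 32 or more is undefined and a shift of 31 sign-extends when widened, so the wrong bits of `effective` could decide which capabilities are raised into the ambient set. I would add `/* 1ULL: cap may be >= 32; an int shift that wide is undefined and would test the wrong capability bit */` above the condition so the width is not narrowed again in a later cleanup. Because this path affects privileges, a regression test that holds a capability numbered 32 or higher would also be worth having.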
_service:tar_scm:backport-unshare-Move-implementation-of-keep-caps-option-to-l.patch
Added
@@ -0,0 +1,136 @@ +From acb72212eb41ca862b8bc29b0106a46a83297fcb Mon Sep 17 00:00:00 2001 +From: David Gibson <david@gibson.dropbear.id.au> +Date: Wed, 29 Mar 2023 13:36:15 +1100 +Subject: PATCH unshare: Move implementation of --keep-caps option to library + function + +unshare.c open codes some logic to copy the permitted capability set to the +ambient set in order to implement the --keep-caps option. Move this logic +to lib/caputils.c so that we can reuse it in nsenter. + +Signed-off-by: David Gibson <david@gibson.dropbear.id.au> +--- + include/caputils.h | 2 ++ + lib/caputils.c | 38 ++++++++++++++++++++++++++++++++++++++ + sys-utils/unshare.c | 38 ++------------------------------------ + 3 files changed, 42 insertions(+), 36 deletions(-) + +diff --git a/include/caputils.h b/include/caputils.h +index 852903a..8fc214e 100644 +--- a/include/caputils.h ++++ b/include/caputils.h +@@ -31,4 +31,6 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data); + + extern int cap_last_cap(void); + ++extern void cap_permitted_to_ambient(void); ++ + #endif /* CAPUTILS_H */ +diff --git a/lib/caputils.c b/lib/caputils.c +index 13a376b..e01a74e 100644 +--- a/lib/caputils.c ++++ b/lib/caputils.c +@@ -24,6 +24,7 @@ + #include "caputils.h" + #include "procutils.h" + #include "pathnames.h" ++#include "nls.h" + + static int test_cap(unsigned int cap) + { +@@ -87,6 +88,43 @@ int cap_last_cap(void) + return cap; + } + ++void cap_permitted_to_ambient(void) ++{ ++ /* We use capabilities system calls to propagate the permitted ++ * capabilities into the ambient set because we may have ++ * already forked so be in async-signal-safe context. 
*/ ++ struct __user_cap_header_struct header = { ++ .version = _LINUX_CAPABILITY_VERSION_3, ++ .pid = 0, ++ }; ++ struct __user_cap_data_struct payload_LINUX_CAPABILITY_U32S_3 = {{ 0 }}; ++ uint64_t effective, cap; ++ ++ if (capget(&header, payload) < 0) ++ err(EXIT_FAILURE, _("capget failed")); ++ ++ /* In order the make capabilities ambient, we first need to ensure ++ * that they are all inheritable. */ ++ payload0.inheritable = payload0.permitted; ++ payload1.inheritable = payload1.permitted; ++ ++ if (capset(&header, payload) < 0) ++ err(EXIT_FAILURE, _("capset failed")); ++ ++ effective = ((uint64_t)payload1.effective << 32) | (uint64_t)payload0.effective; ++ ++ for (cap = 0; cap < (sizeof(effective) * 8); cap++) { ++ /* This is the same check as cap_valid(), but using ++ * the runtime value for the last valid cap. */ ++ if (cap > (uint64_t) cap_last_cap()) ++ continue; ++ ++ if ((effective & (1 << cap)) ++ && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0) ++ err(EXIT_FAILURE, _("prctl(PR_CAP_AMBIENT) failed")); ++ } ++} ++ + #ifdef TEST_PROGRAM_CAPUTILS + int main(int argc, char *argv) + { +diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c +index 820691b..e914aa1 100644 +--- a/sys-utils/unshare.c ++++ b/sys-utils/unshare.c +@@ -668,42 +668,8 @@ int main(int argc, char *argv) + if (force_uid && setuid(uid) < 0) /* change UID */ + err(EXIT_FAILURE, _("setuid failed")); + +- /* We use capabilities system calls to propagate the permitted +- * capabilities into the ambient set because we have already +- * forked so are in async-signal-safe context. 
*/ +- if (keepcaps && (unshare_flags & CLONE_NEWUSER)) { +- struct __user_cap_header_struct header = { +- .version = _LINUX_CAPABILITY_VERSION_3, +- .pid = 0, +- }; +- +- struct __user_cap_data_struct payload_LINUX_CAPABILITY_U32S_3 = {{ 0 }}; +- uint64_t effective, cap; +- +- if (capget(&header, payload) < 0) +- err(EXIT_FAILURE, _("capget failed")); +- +- /* In order the make capabilities ambient, we first need to ensure +- * that they are all inheritable. */ +- payload0.inheritable = payload0.permitted; +- payload1.inheritable = payload1.permitted; +- +- if (capset(&header, payload) < 0) +- err(EXIT_FAILURE, _("capset failed")); +- +- effective = ((uint64_t)payload1.effective << 32) | (uint64_t)payload0.effective; +- +- for (cap = 0; cap < (sizeof(effective) * 8); cap++) { +- /* This is the same check as cap_valid(), but using +- * the runtime value for the last valid cap. */ +- if (cap > (uint64_t) cap_last_cap()) +- continue; +- +- if ((effective & (1 << cap)) +- && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0) +- err(EXIT_FAILURE, _("prctl(PR_CAP_AMBIENT) failed")); +- } +- } ++ if (keepcaps && (unshare_flags & CLONE_NEWUSER)) ++ cap_permitted_to_ambient(); + + if (optind < argc) { + execvp(argvoptind, argv + optind); +-- +2.33.0 +
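Review bot: The declaration `extern void cap_permitted_to_ambient(void);` added to include/caputils.h carries no comment, although the function has side effects a caller must know about: it copies the permitted set into the inheritable set, raises ambient bits for whatever is in `effective` (not `permitted`, despite the name), and terminates the process through `err(EXIT_FAILURE, …)` on any failure. I would document that in the header, e.g. `/* Makes all permitted caps inheritable, then raises each effective cap as ambient; exits on error. */`. The in-function comment also says the code may run in async-signal-safe context while it calls `err()` and `_()`, which are not on the POSIX async-signal-safe list, so that wording should be reconciled. Note too that the `(1 << cap)` test this patch introduces in lib/caputils.c is only corrected by the follow-up caputils patch on this page, so the two should always ship together.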