From 262e80c618c6ed8657007525c929fb5d8a3d4bbec87ef561b9d500481da2e2f4 Mon Sep 17 00:00:00 2001 
From: Marcus Meissner Date: Mon, 16 May 2022 08:32:13 +0000 Subject: [PATCH] Accepting request 975729 from home:polslinux:branches:security - Update to 0.8.3: * Add vararg support to python bindings for capng_updatev * Add support for ambient capabilities * Add support for V3 filesystem capabilities * If procfs is not available, leave last_cap as CAP_LAST_CAP * If bounding and ambient not found in status, try prctl method * In capng_apply, move ambient caps to the end of the transaction * In capng_apply, return errors more aggressively. * In capng_apply, if the action includes the bounding set,resync with the kernel * Fix signed/unsigned warning in cap-ng.c * In capng_apply, return a unique error code to diagnose any failure * In capng_have_capability, return 0 for failure * Add the libdrop_ambient admin tool * In capng_apply, if we blew up in bounding set, allow setting capabilities * If PR_CAP_AMBIENT is not available, do not build libdrop_ambient * Improve last_cap check * Fix parameters to capng_updatev python bindings to be signed * Detect capability options at runtime to make containerization easier (ntkme) * Initialize the library when linked statically * Add gcc function attributes for deallocation - Update to 0.8.3: * Add vararg support to python bindings for capng_updatev * Add support for ambient capabilities * Add support for V3 filesystem capabilities * If procfs is not available, leave last_cap as CAP_LAST_CAP * If bounding and ambient not found in status, try prctl method * In capng_apply, move ambient caps to the end of the transaction * In capng_apply, return errors more aggressively. 
* In capng_apply, if the action includes the bounding set,resync with the kernel OBS-URL: https://build.opensuse.org/request/show/975729 OBS-URL: https://build.opensuse.org/package/show/security/libcap-ng?expand=0&rev=40 --- libcap-ng-0.7.11.tar.gz | 3 --- libcap-ng-0.8.3.tar.gz | 3 +++ libcap-ng-python.changes | 24 ++++++++++++++++++++++++ libcap-ng-python.spec | 4 ++-- libcap-ng.changes | 24 ++++++++++++++++++++++++ libcap-ng.spec | 36 ++++++++++++++++++++++++++++++++++-- 6 files changed, 87 insertions(+), 7 deletions(-) delete mode 100644 libcap-ng-0.7.11.tar.gz create mode 100644 libcap-ng-0.8.3.tar.gz diff --git a/libcap-ng-0.7.11.tar.gz b/libcap-ng-0.7.11.tar.gz deleted file mode 100644 index 958c6de..0000000 --- a/libcap-ng-0.7.11.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:85815c711862d01a440db471f12fba462c9949e923966f5859607e652d9c0ae9 -size 450541 diff --git a/libcap-ng-0.8.3.tar.gz b/libcap-ng-0.8.3.tar.gz new file mode 100644 index 0000000..bf19d59 --- /dev/null +++ b/libcap-ng-0.8.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bed6f6848e22bb2f83b5f764b2aef0ed393054e803a8e3a8711cb2a39e6b492d +size 455383 diff --git a/libcap-ng-python.changes b/libcap-ng-python.changes index b7b8bff..23a0e8e 100644 --- a/libcap-ng-python.changes +++ b/libcap-ng-python.changes 
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Mon May 9 06:59:13 UTC 2022 - Paolo Stivanin
+
+- Update to 0.8.3:
+ * Add vararg support to python bindings for capng_updatev
+ * Add support for ambient capabilities
+ * Add support for V3 filesystem capabilities
+ * If procfs is not available, leave last_cap as CAP_LAST_CAP
+ * If bounding and ambient not found in status, try prctl method
+ * In capng_apply, move ambient caps to the end of the transaction
+ * In capng_apply, return errors more aggressively.
+ * In capng_apply, if the action includes the bounding set,resync with the kernel
+ * Fix signed/unsigned warning in cap-ng.c
+ * In capng_apply, return a unique error code to diagnose any failure
+ * In capng_have_capability, return 0 for failure
+ * Add the libdrop_ambient admin tool
+ * In capng_apply, if we blew up in bounding set, allow setting capabilities
+ * If PR_CAP_AMBIENT is not available, do not build libdrop_ambient
+ * Improve last_cap check
+ * Fix parameters to capng_updatev python bindings to be signed
+ * Detect capability options at runtime to make containerization easier (ntkme)
+ * Initialize the library when linked statically
+ * Add gcc function attributes for deallocation
+
 -------------------------------------------------------------------
 Thu Dec 9 22:05:19 UTC 2021 - Ferdinand Thiessen
diff --git a/libcap-ng-python.spec b/libcap-ng-python.spec
index 45f0abd..057bcec 100644
--- a/libcap-ng-python.spec
+++ b/libcap-ng-python.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libcap-ng-python
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %bcond_without python2
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name: libcap-ng-python
-Version: 0.7.11
+Version: 0.8.3
 Release: 0
 Summary: An alternate Linux/POSIX capabilities library
 License: LGPL-2.1-or-later
diff --git a/libcap-ng.changes b/libcap-ng.changes
index 51ccd08..7894952 100644
--- a/libcap-ng.changes
+++ b/libcap-ng.changes
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Mon May 9 06:59:02 UTC 2022 - Paolo Stivanin
+
+- Update to 0.8.3:
+ * Add vararg support to python bindings for capng_updatev
+ * Add support for ambient capabilities
+ * Add support for V3 filesystem capabilities
+ * If procfs is not available, leave last_cap as CAP_LAST_CAP
+ * If bounding and ambient not found in status, try prctl method
+ * In capng_apply, move ambient caps to the end of the transaction
+ * In capng_apply, return errors more aggressively.
+ * In capng_apply, if the action includes the bounding set,resync with the kernel
+ * Fix signed/unsigned warning in cap-ng.c
+ * In capng_apply, return a unique error code to diagnose any failure
+ * In capng_have_capability, return 0 for failure
+ * Add the libdrop_ambient admin tool
+ * In capng_apply, if we blew up in bounding set, allow setting capabilities
+ * If PR_CAP_AMBIENT is not available, do not build libdrop_ambient
+ * Improve last_cap check
+ * Fix parameters to capng_updatev python bindings to be signed
+ * Detect capability options at runtime to make containerization easier (ntkme)
+ * Initialize the library when linked statically
+ * Add gcc function attributes for deallocation
+
 -------------------------------------------------------------------
 Thu Dec 9 22:05:19 UTC 2021 - Ferdinand Thiessen
diff --git a/libcap-ng.spec b/libcap-ng.spec
index 2703cc3..45067cd 100644
--- a/libcap-ng.spec
+++ b/libcap-ng.spec
@@ -1,7 +1,7 @@ # # spec file for package libcap-ng # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,8 +17,10 @@ %define sover 0 +%define ambient_sover 0 + Name: libcap-ng -Version: 0.7.11 +Version: 0.8.3 Release: 0 Summary: An alternate Linux/POSIX capabilities library License: LGPL-2.1-or-later @@ -66,6 +68,25 @@ The libcap-ng-utils package contains applications to analyse the Linux process capabilities of programs running on a system. It also lets you set the filesystem-based capabilities. +%package -n libdrop_ambient%{ambient_sover} +Summary: Library for dropping ambient capabilities +License: LGPL-2.1-or-later +Requires: %{name}%{sover} = %{version} + +%description -n libdrop_ambient%{ambient_sover} +This library can be used via LD_PRELOAD to force an application started with ambient capabilities to drop them. +It leaves other capabilities intact. This can also be linked against and automatically does the right thing. +You do not need to make any calls into the library because all the work is done in the constructor which runs before main() is called. + +%package -n libdrop_ambient-devel +Summary: Devel package for libdrop_ambient%{ambient_sover} +License: LGPL-2.1-or-later +Requires: libdrop_ambient%{ambient_sover} + +%description -n libdrop_ambient-devel +This package contains the files needed for developing +applications that need to use the libdrop_ambient library. + %prep %setup -q 
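Review bot: In the `@@ -66,6 +68,25 @@` hunk, `libdrop_ambient-devel` requires `libdrop_ambient%{ambient_sover}` without a version, so the unversioned `libdrop_ambient.so` link could end up installed next to a library from a different build. Pin it as `Requires: libdrop_ambient%{ambient_sover} = %{version}`, matching the `Requires: %{name}%{sover} = %{version}` line a few lines above. The `%description` also presents the LD_PRELOAD use as a way to "force" a program to drop ambient capabilities. One added sentence should say that this only takes effect where the dynamic loader actually honours the preload (not in statically linked programs, for example), so it is a hardening aid rather than the sole control.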
@@ -83,11 +104,22 @@ find %{buildroot} -type f -name "*.la" -delete -print %post -n %{name}%{sover} -p /sbin/ldconfig %postun -n %{name}%{sover} -p /sbin/ldconfig +%post -n libdrop_ambient%{ambient_sover} -p /sbin/ldconfig +%postun -n libdrop_ambient%{ambient_sover} -p /sbin/ldconfig + %files -n %{name}%{sover} %license COPYING.LIB %{_libdir}/%{name}.so.%{sover} %{_libdir}/%{name}.so.%{sover}.* +%files -n libdrop_ambient%{ambient_sover} +%{_libdir}/libdrop_ambient.so.%{ambient_sover} +%{_libdir}/libdrop_ambient.so.%{ambient_sover}.* + +%files -n libdrop_ambient-devel +%{_libdir}/libdrop_ambient.so +%{_mandir}/man7/libdrop_ambient.7%{ext_man} + %files devel %{_mandir}/man3/*.3%{ext_man} %{_includedir}/cap-ng.h
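Review bot: `%{_mandir}/man7/libdrop_ambient.7%{ext_man}` is listed only under `%files -n libdrop_ambient-devel`, while the package description presents the library as something an administrator preloads at run time. A host that installs just `libdrop_ambient%{ambient_sover}` therefore gets no documentation for it. If the shared-library packaging policy keeps the man page out of the versioned library package, shipping it with the utilities package may fit better; this is worth confirming with the packager. The new `%files -n libdrop_ambient%{ambient_sover}` section also has no `%license` line, unlike `%files -n %{name}%{sover}` above. That is probably fine because the package requires the main library, but a short comment such as `# license shipped by %{name}%{sover}` would make the intent explicit.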