Accepting request 975729 from home:polslinux:branches:security

- Update to 0.8.3:
  * Add vararg support to python bindings for capng_updatev
  * Add support for ambient capabilities
  * Add support for V3 filesystem capabilities
  * If procfs is not available, leave last_cap as CAP_LAST_CAP
  * If bounding and ambient not found in status, try prctl method
  * In capng_apply, move ambient caps to the end of the transaction
  * In capng_apply, return errors more aggressively.
  * In capng_apply, if the action includes the bounding set,resync with the kernel
  * Fix signed/unsigned warning in cap-ng.c
  * In capng_apply, return a unique error code to diagnose any failure
  * In capng_have_capability, return 0 for failure
  * Add the libdrop_ambient admin tool
  * In capng_apply, if we blew up in bounding set, allow setting capabilities
  * If PR_CAP_AMBIENT is not available, do not build libdrop_ambient
  * Improve last_cap check
  * Fix parameters to capng_updatev python bindings to be signed
  * Detect capability options at runtime to make containerization easier (ntkme)
  * Initialize the library when linked statically
  * Add gcc function attributes for deallocation

- Update to 0.8.3:
  * Add vararg support to python bindings for capng_updatev
  * Add support for ambient capabilities
  * Add support for V3 filesystem capabilities
  * If procfs is not available, leave last_cap as CAP_LAST_CAP
  * If bounding and ambient not found in status, try prctl method
  * In capng_apply, move ambient caps to the end of the transaction
  * In capng_apply, return errors more aggressively.
  * In capng_apply, if the action includes the bounding set,resync with the kernel

OBS-URL: https://build.opensuse.org/request/show/975729
OBS-URL: https://build.opensuse.org/package/show/security/libcap-ng?expand=0&rev=40

libcap-ng-0.7.11.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:85815c711862d01a440db471f12fba462c9949e923966f5859607e652d9c0ae9
-size 450541

libcap-ng-python.changes

@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Mon May  9 06:59:13 UTC 2022 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 0.8.3:
+  * Add vararg support to python bindings for capng_updatev
+  * Add support for ambient capabilities
+  * Add support for V3 filesystem capabilities
+  * If procfs is not available, leave last_cap as CAP_LAST_CAP
+  * If bounding and ambient not found in status, try prctl method
+  * In capng_apply, move ambient caps to the end of the transaction
+  * In capng_apply, return errors more aggressively.
+  * In capng_apply, if the action includes the bounding set,resync with the kernel
+  * Fix signed/unsigned warning in cap-ng.c
+  * In capng_apply, return a unique error code to diagnose any failure
+  * In capng_have_capability, return 0 for failure
+  * Add the libdrop_ambient admin tool
+  * In capng_apply, if we blew up in bounding set, allow setting capabilities
+  * If PR_CAP_AMBIENT is not available, do not build libdrop_ambient
+  * Improve last_cap check
+  * Fix parameters to capng_updatev python bindings to be signed
+  * Detect capability options at runtime to make containerization easier (ntkme)
+  * Initialize the library when linked statically
+  * Add gcc function attributes for deallocation
+
 -------------------------------------------------------------------
 Thu Dec  9 22:05:19 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
 

libcap-ng-python.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libcap-ng-python
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %bcond_without python2
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           libcap-ng-python
-Version:        0.7.11
+Version:        0.8.3
 Release:        0
 Summary:        An alternate Linux/POSIX capabilities library
 License:        LGPL-2.1-or-later

libcap-ng.changes

@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Mon May  9 06:59:02 UTC 2022 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 0.8.3:
+  * Add vararg support to python bindings for capng_updatev
+  * Add support for ambient capabilities
+  * Add support for V3 filesystem capabilities
+  * If procfs is not available, leave last_cap as CAP_LAST_CAP
+  * If bounding and ambient not found in status, try prctl method
+  * In capng_apply, move ambient caps to the end of the transaction
+  * In capng_apply, return errors more aggressively.
+  * In capng_apply, if the action includes the bounding set,resync with the kernel
+  * Fix signed/unsigned warning in cap-ng.c
+  * In capng_apply, return a unique error code to diagnose any failure
+  * In capng_have_capability, return 0 for failure
+  * Add the libdrop_ambient admin tool
+  * In capng_apply, if we blew up in bounding set, allow setting capabilities
+  * If PR_CAP_AMBIENT is not available, do not build libdrop_ambient
+  * Improve last_cap check
+  * Fix parameters to capng_updatev python bindings to be signed
+  * Detect capability options at runtime to make containerization easier (ntkme)
+  * Initialize the library when linked statically
+  * Add gcc function attributes for deallocation
+
 -------------------------------------------------------------------
 Thu Dec  9 22:05:19 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
 

libcap-ng.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libcap-ng
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,8 +17,10 @@
 
 
 %define sover  0
+%define ambient_sover 0
+
 Name:           libcap-ng
-Version:        0.7.11
+Version:        0.8.3
 Release:        0
 Summary:        An alternate Linux/POSIX capabilities library
 License:        LGPL-2.1-or-later
@@ -66,6 +68,25 @@ The libcap-ng-utils package contains applications to analyse the
 Linux process capabilities of programs running on a system. It also
 lets you set the filesystem-based capabilities.
 
+%package -n libdrop_ambient%{ambient_sover}
+Summary:        Library for dropping ambient capabilities
+License:        LGPL-2.1-or-later
+Requires:       %{name}%{sover} = %{version}
+
+%description -n libdrop_ambient%{ambient_sover}
+This library can be used via LD_PRELOAD to force an application started with ambient capabilities to drop them.
+It leaves other capabilities intact. This can also be linked against and automatically does the right thing.
+You do not need to make any calls into the library because all the work is done in the constructor which runs before main() is called.
+
+%package -n libdrop_ambient-devel
+Summary:        Devel package for libdrop_ambient%{ambient_sover}
+License:        LGPL-2.1-or-later
+Requires:       libdrop_ambient%{ambient_sover}
+
+%description -n libdrop_ambient-devel
+This package contains the files needed for developing
+applications that need to use the libdrop_ambient library.
+
 %prep
 %setup -q
 
@@ -83,11 +104,22 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %post -n %{name}%{sover} -p /sbin/ldconfig
 %postun -n %{name}%{sover} -p /sbin/ldconfig
 
+%post -n libdrop_ambient%{ambient_sover} -p /sbin/ldconfig
+%postun -n libdrop_ambient%{ambient_sover} -p /sbin/ldconfig
+
 %files -n %{name}%{sover}
 %license COPYING.LIB
 %{_libdir}/%{name}.so.%{sover}
 %{_libdir}/%{name}.so.%{sover}.*
 
+%files -n libdrop_ambient%{ambient_sover}
+%{_libdir}/libdrop_ambient.so.%{ambient_sover}
+%{_libdir}/libdrop_ambient.so.%{ambient_sover}.*
+
+%files -n libdrop_ambient-devel
+%{_libdir}/libdrop_ambient.so
+%{_mandir}/man7/libdrop_ambient.7%{ext_man}
+
 %files devel
 %{_mandir}/man3/*.3%{ext_man}
 %{_includedir}/cap-ng.h