diff --git a/kinit.spec b/kinit.spec index 8e04b10..c8e2622 100644 --- a/kinit.spec +++ b/kinit.spec @@ -33,12 +33,15 @@ BuildRequires: pkgconfig(Qt5DBus) >= 5.2.0 BuildRequires: pkgconfig(Qt5Gui) >= 5.2.0 BuildRequires: pkgconfig(Qt5Widgets) >= 5.2.0 BuildRequires: pkgconfig(x11) +BuildRequires: libcap-devel PreReq: permissions +PreReq: libcap-progs Summary: Helper library to speed up start of applications on KDE workspaces License: LGPL-2.1+ Group: System/GUI/KDE Url: http://www.kde.org Source0: kinit-%{version}.tar.xz +Patch0: use-capabilities.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -57,6 +60,7 @@ booting UNIX. Development files. %prep %setup -q +%patch0 -p1 %build %cmake_kf5 -d build -- -DCMAKE_CXX_FLAGS="%{optflags} -fpie" -DCMAKE_C_FLAGS="%{optflags} -fpie" -DCMAKE_SHARED_LINKER_FLAGS="-pie" -DCMAKE_EXE_LINKER_FLAGS="-pie" -DCMAKE_MODULE_LINKER_FLAGS="-pie" @@ -90,7 +94,7 @@ echo "setBadness('permissions-file-setuid-bit', 998)" > $RPM_SOURCE_DIR/%name-rp %{_kf5_libdir}/libkdeinit5_klauncher.so %{_kf5_libexecdir}/klauncher %{_kf5_bindir}/kshell5 -%verify(not mode caps) %attr(4755,root,root) %{_kf5_libexecdir}/start_kdeinit +%caps(cap_sys_resource=ep) %{_kf5_libexecdir}/start_kdeinit %{_kf5_libexecdir}/start_kdeinit_wrapper %files devel diff --git a/use-capabilities.patch b/use-capabilities.patch new file mode 100644 index 0000000..80ce0bc --- /dev/null +++ b/use-capabilities.patch @@ -0,0 +1,62 @@ +diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake +index c53e1de..f29ec47 100644 +--- a/ConfigureChecks.cmake ++++ b/ConfigureChecks.cmake +@@ -13,3 +13,4 @@ check_include_files(sys/exec.h HAVE_SYS_EXEC_H) + check_function_exists(pstat HAVE_PSTAT) + check_function_exists(setproctitle HAVE_SETPROCTITLE) + check_library_exists(socket connect "" HAVE_SOCKET_LIBRARY) ++check_library_exists(cap cap_init "" HAVE_CAPABILITIES) +diff --git a/src/start_kdeinit/CMakeLists.txt b/src/start_kdeinit/CMakeLists.txt +index 6bfc496..0c513de 100644 +--- a/src/start_kdeinit/CMakeLists.txt ++++ b/src/start_kdeinit/CMakeLists.txt +@@ -9,6 +9,6 @@ if (CMAKE_SYSTEM_NAME MATCHES Linux) + set(KDEINIT_OOM_PROTECT 1) + install(CODE " + set(START_KDEINIT_PATH \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit\") +- EXECUTE_PROCESS(COMMAND sh -c \"chown 0 '\${START_KDEINIT_PATH}' && chmod u+s '\${START_KDEINIT_PATH}'\") ++ EXECUTE_PROCESS(COMMAND sh -c \"setcap 'CAP_SYS_RESOURCE=+ep' '\${START_KDEINIT_PATH}'\") + ") + endif () +diff --git a/src/start_kdeinit/start_kdeinit.c b/src/start_kdeinit/start_kdeinit.c +index 3c733e7..26d2843 100644 +--- a/src/start_kdeinit/start_kdeinit.c ++++ b/src/start_kdeinit/start_kdeinit.c +@@ -27,6 +27,10 @@ + #include + #include + #include ++#ifdef HAVE_CAPABILITIES ++#include ++#endif ++ + + #define EXECUTE CMAKE_INSTALL_PREFIX"/"BIN_INSTALL_DIR "/kdeinit5" + +@@ -98,6 +102,10 @@ int main(int argc, char **argv) + unsigned i; + char **orig_environ = NULL; + char header[ 7 ]; ++#ifdef HAVE_CAPABILITIES ++ cap_t caps; ++#endif ++ + if (pipe(pipes) < 0) { + perror("pipe()"); + return 1; +@@ -111,6 +119,14 @@ int main(int argc, char **argv) + perror("fork()"); + return 1; + default: /* parent, drop privileges and exec */ ++#ifdef HAVE_CAPABILITIES ++ caps = cap_init(); ++ if (cap_set_proc(caps) < 0) { ++ perror("cap_set_proc()"); ++ return 1; ++ } ++ cap_free(caps); ++#endif + if (setgid(getgid())) { + perror("setgid()"); + return 1;