- disable run time fscaps detection (bnc#728312)

OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=72
2011-11-07 09:46:24 +00:00 · 2011-11-07 09:46:24 +00:00 · 9686d2cccc
commit 9686d2cccc
parent a10a942129
3 changed files with 147 additions and 0 deletions
--- a/0001-disable-run-time-fscaps-detection-bnc-728312.diff
+++ b/0001-disable-run-time-fscaps-detection-bnc-728312.diff
@ -0,0 +1,140 @@
+From 94311258bfdf3ad86938bd50aaef4a83ca04eae5 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Mon, 7 Nov 2011 10:34:38 +0100
+Subject: [PATCH] disable run time fscaps detection (bnc#728312)
+
+PERMISSIONS_FSCAPS setting in /etc/sysconfig/security allows to enable
+them again.
+---
+ chkstat.8 |    5 +++--
+ chkstat.c |   40 ++++++++++++++++++++++++++++------------
+ 2 files changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/chkstat.8 b/chkstat.8
+index 3492e21..364a237 100644
+--- a/chkstat.8
+++ b/chkstat.8
+@@ -52,8 +52,9 @@ Opposite of --set, ie warn only but don't make actual changes
+ Omit printing the output header lines.
+ .TP
+ .IR \-\-fscaps,\ \-\-no\-fscaps
+-Force or disable use of fscaps. Default is to automatically
+-determine whether the running kernel supports fscaps.
+Enable or disable use of fscaps. In system mode the setting of
+PERMISSIONS_FSCAPS determines whether fscaps are on or off when this
+option is not set.
+ .TP
+ .IR \-\-examine\ file
+ Check permissions for this file instead of all files listed in the permissions files.
+diff --git a/chkstat.c b/chkstat.c
+index e5c9b15..8682c3e 100644
+--- a/chkstat.c
+++ b/chkstat.c
+@@ -54,6 +54,7 @@ int nlevel;
+ char** level;
+ int do_set = -1;
+ int default_set = 1;
+int have_fscaps = -1;
+ char** permfiles = NULL;
+ int npermfiles = 0;
+ char* force_level;
+@@ -281,6 +282,24 @@ parse_sysconf(const char* file)
+ 	      //fprintf(stderr, "invalid value for CHECK_PERMISSIONS (must be 'set', 'warn' or 'no')\n");
+ 	    }
+ 	}
+      else if (have_fscaps == -1 && !strncmp(p, "PERMISSIONS_FSCAPS=", 19))
+	{
+	  p+=19;
+	  if (isquote(*p))
+	    ++p;
+	  if (!strncmp(p, "yes", 3))
+	    {
+	      p+=3;
+	      if (isquote(*p) || !*p)
+		have_fscaps=1;
+	    }
+	  else if (!strncmp(p, "no", 2))
+	    {
+	      p+=2;
+	      if (isquote(*p) || !*p)
+		have_fscaps=0;
+	    }
+	}
+     }
+   fclose(fp);
+   return 0;
+@@ -515,18 +534,18 @@ check_fscaps_enabled()
+ {
+   FILE* fp;
+   char line[128];
+-  int have_fscaps = FSCAPS_DEFAULT_ENABLED;
+  int val = FSCAPS_DEFAULT_ENABLED;
+   if ((fp = fopen("/sys/kernel/fscaps", "r")) == 0)
+     {
+       goto out;
+     }
+   if (readline(fp, line, sizeof(line)))
+     {
+-      have_fscaps = atoi(line);
+      val = atoi(line);
+     }
+   fclose(fp);
+ out:
+-  return have_fscaps;
+  return val;
+ }
+ 
+ int
+@@ -552,7 +571,6 @@ main(int argc, char **argv)
+   int fd, r;
+   int errors = 0;
+   cap_t caps = NULL;
+-  int have_fscaps = -1;
+ 
+   while (argc > 1)
+     {
+@@ -692,9 +710,6 @@ main(int argc, char **argv)
+       break;
+     }
+ 
+-  if (have_fscaps == -1)
+-      have_fscaps = check_fscaps_enabled();
+-
+   if (systemmode)
+     {
+       const char file[] = "/etc/sysconfig/security";
+@@ -747,6 +762,11 @@ main(int argc, char **argv)
+       permfiles = &argv[1];
+     }
+ 
+  if (have_fscaps == 1 && !check_fscaps_enabled())
+    {
+      fprintf(stderr, "Warning: running kernel does not support fscaps\n");
+    }
+
+   if  (do_set == -1)
+     do_set = 0;
+ 
+@@ -802,7 +822,7 @@ main(int argc, char **argv)
+ 		}
+ 	      if (!strncmp(p, "+capabilities ", 14))
+ 		{
+-		  if (!have_fscaps)
+		  if (have_fscaps != 1)
+ 		    continue;
+ 		  p += 14;
+ 		  caps = cap_from_text(p);
+@@ -900,10 +920,6 @@ main(int argc, char **argv)
+ 	  printf("Checking permissions and ownerships - using the permissions files\n");
+ 	  for (i = 0; i < npermfiles; i++)
+ 	    printf("\t%s\n", permfiles[i]);
+-	  if (!have_fscaps)
+-	    {
+-	      printf("kernel has fscaps support disabled.\n");
+-	    }
+ 	  if (rootl)
+ 	    {
+ 	      printf("Using root %s\n", root);
+-- 
+1.7.3.4
+
--- a/permissions.changes
+++ b/permissions.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Nov  7 09:39:43 UTC 2011 - lnussel@suse.de
+
+- disable run time fscaps detection (bnc#728312)
+
 -------------------------------------------------------------------
 Fri Sep 23 08:37:21 UTC 2011 - lnussel@suse.de

--- a/permissions.spec
+++ b/permissions.spec
@ -30,6 +30,7 @@ Provides:       aaa_base:/etc/permissions
 PreReq:         %fillup_prereq
 Summary:        SUSE Linux Default Permissions
 Source:         permissions-%{version}.tar.bz2
+Patch0:         0001-disable-run-time-fscaps-detection-bnc-728312.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            http://gitorious.org/opensuse/permissions

@ -48,6 +49,7 @@ Authors:

 %prep
 %setup -q
+%patch0 -p1

 %build
 make %{?_smp_mflags} CFLAGS="-W -Wall $RPM_OPT_FLAGS" FSCAPS_DEFAULT_ENABLED=0