From 9686d2cccc28a8bc9cd5e407d08798426f47e52e6a34018c960be887dff9c8df Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <lnussel@suse.com>
Date: Mon, 7 Nov 2011 09:46:24 +0000
Subject: [PATCH] - disable run time fscaps detection (bnc#728312)

OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=72
---
 ...-run-time-fscaps-detection-bnc-728312.diff | 140 ++++++++++++++++++
 permissions.changes                           |   5 +
 permissions.spec                              |   2 +
 3 files changed, 147 insertions(+)
 create mode 100644 0001-disable-run-time-fscaps-detection-bnc-728312.diff

diff --git a/0001-disable-run-time-fscaps-detection-bnc-728312.diff b/0001-disable-run-time-fscaps-detection-bnc-728312.diff
new file mode 100644
index 0000000..e402189
--- /dev/null
+++ b/0001-disable-run-time-fscaps-detection-bnc-728312.diff
@@ -0,0 +1,140 @@
+From 94311258bfdf3ad86938bd50aaef4a83ca04eae5 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Mon, 7 Nov 2011 10:34:38 +0100
+Subject: [PATCH] disable run time fscaps detection (bnc#728312)
+
+PERMISSIONS_FSCAPS setting in /etc/sysconfig/security allows to enable
+them again.
+---
+ chkstat.8 |    5 +++--
+ chkstat.c |   40 ++++++++++++++++++++++++++++------------
+ 2 files changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/chkstat.8 b/chkstat.8
+index 3492e21..364a237 100644
+--- a/chkstat.8
++++ b/chkstat.8
+@@ -52,8 +52,9 @@ Opposite of --set, ie warn only but don't make actual changes
+ Omit printing the output header lines.
+ .TP
+ .IR \-\-fscaps,\ \-\-no\-fscaps
+-Force or disable use of fscaps. Default is to automatically
+-determine whether the running kernel supports fscaps.
++Enable or disable use of fscaps. In system mode the setting of
++PERMISSIONS_FSCAPS determines whether fscaps are on or off when this
++option is not set.
+ .TP
+ .IR \-\-examine\ file
+ Check permissions for this file instead of all files listed in the permissions files.
+diff --git a/chkstat.c b/chkstat.c
+index e5c9b15..8682c3e 100644
+--- a/chkstat.c
++++ b/chkstat.c
+@@ -54,6 +54,7 @@ int nlevel;
+ char** level;
+ int do_set = -1;
+ int default_set = 1;
++int have_fscaps = -1;
+ char** permfiles = NULL;
+ int npermfiles = 0;
+ char* force_level;
+@@ -281,6 +282,24 @@ parse_sysconf(const char* file)
+ 	      //fprintf(stderr, "invalid value for CHECK_PERMISSIONS (must be 'set', 'warn' or 'no')\n");
+ 	    }
+ 	}
++      else if (have_fscaps == -1 && !strncmp(p, "PERMISSIONS_FSCAPS=", 19))
++	{
++	  p+=19;
++	  if (isquote(*p))
++	    ++p;
++	  if (!strncmp(p, "yes", 3))
++	    {
++	      p+=3;
++	      if (isquote(*p) || !*p)
++		have_fscaps=1;
++	    }
++	  else if (!strncmp(p, "no", 2))
++	    {
++	      p+=2;
++	      if (isquote(*p) || !*p)
++		have_fscaps=0;
++	    }
++	}
+     }
+   fclose(fp);
+   return 0;
+@@ -515,18 +534,18 @@ check_fscaps_enabled()
+ {
+   FILE* fp;
+   char line[128];
+-  int have_fscaps = FSCAPS_DEFAULT_ENABLED;
++  int val = FSCAPS_DEFAULT_ENABLED;
+   if ((fp = fopen("/sys/kernel/fscaps", "r")) == 0)
+     {
+       goto out;
+     }
+   if (readline(fp, line, sizeof(line)))
+     {
+-      have_fscaps = atoi(line);
++      val = atoi(line);
+     }
+   fclose(fp);
+ out:
+-  return have_fscaps;
++  return val;
+ }
+ 
+ int
+@@ -552,7 +571,6 @@ main(int argc, char **argv)
+   int fd, r;
+   int errors = 0;
+   cap_t caps = NULL;
+-  int have_fscaps = -1;
+ 
+   while (argc > 1)
+     {
+@@ -692,9 +710,6 @@ main(int argc, char **argv)
+       break;
+     }
+ 
+-  if (have_fscaps == -1)
+-      have_fscaps = check_fscaps_enabled();
+-
+   if (systemmode)
+     {
+       const char file[] = "/etc/sysconfig/security";
+@@ -747,6 +762,11 @@ main(int argc, char **argv)
+       permfiles = &argv[1];
+     }
+ 
++  if (have_fscaps == 1 && !check_fscaps_enabled())
++    {
++      fprintf(stderr, "Warning: running kernel does not support fscaps\n");
++    }
++
+   if  (do_set == -1)
+     do_set = 0;
+ 
+@@ -802,7 +822,7 @@ main(int argc, char **argv)
+ 		}
+ 	      if (!strncmp(p, "+capabilities ", 14))
+ 		{
+-		  if (!have_fscaps)
++		  if (have_fscaps != 1)
+ 		    continue;
+ 		  p += 14;
+ 		  caps = cap_from_text(p);
+@@ -900,10 +920,6 @@ main(int argc, char **argv)
+ 	  printf("Checking permissions and ownerships - using the permissions files\n");
+ 	  for (i = 0; i < npermfiles; i++)
+ 	    printf("\t%s\n", permfiles[i]);
+-	  if (!have_fscaps)
+-	    {
+-	      printf("kernel has fscaps support disabled.\n");
+-	    }
+ 	  if (rootl)
+ 	    {
+ 	      printf("Using root %s\n", root);
+-- 
+1.7.3.4
+
diff --git a/permissions.changes b/permissions.changes
index 5652069..4e83ca3 100644
--- a/permissions.changes
+++ b/permissions.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Nov  7 09:39:43 UTC 2011 - lnussel@suse.de
+
+- disable run time fscaps detection (bnc#728312)
+
 -------------------------------------------------------------------
 Fri Sep 23 08:37:21 UTC 2011 - lnussel@suse.de
 
diff --git a/permissions.spec b/permissions.spec
index 2dfbfc8..4bb7bed 100644
--- a/permissions.spec
+++ b/permissions.spec
@@ -30,6 +30,7 @@ Provides:       aaa_base:/etc/permissions
 PreReq:         %fillup_prereq
 Summary:        SUSE Linux Default Permissions
 Source:         permissions-%{version}.tar.bz2
+Patch0:         0001-disable-run-time-fscaps-detection-bnc-728312.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            http://gitorious.org/opensuse/permissions
 
@@ -48,6 +49,7 @@ Authors:
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 make %{?_smp_mflags} CFLAGS="-W -Wall $RPM_OPT_FLAGS" FSCAPS_DEFAULT_ENABLED=0