From 8c1f0584efc2068e0211a55bfb81ecb03f163171 Mon Sep 17 00:00:00 2001 From: Michal Schmidt Date: Sep 02 2013 16:31:55 +0000 Subject: regenerate patches --- diff --git a/0001-make-dist-hook-work-also-with-srcdir-builddir.patch b/0001-make-dist-hook-work-also-with-srcdir-builddir.patch index 94d5d95..e1e3599 100644 --- a/0001-make-dist-hook-work-also-with-srcdir-builddir.patch +++ b/0001-make-dist-hook-work-also-with-srcdir-builddir.patch @@ -1,7 +1,7 @@ From 5abe21688caea8dcfbe1d747102e52830fa352d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Lu=C5=88=C3=A1k?= Date: Thu, 11 Jul 2013 15:40:13 +0200 -Subject: [PATCH 1/4] make dist-hook work also with srcdir != builddir +Subject: [PATCH 1/8] make dist-hook work also with srcdir != builddir --- Makefile.am | 2 +- diff --git a/0002-handle-HOME-not-being-set.patch b/0002-handle-HOME-not-being-set.patch index 8d93985..fbe1717 100644 --- a/0002-handle-HOME-not-being-set.patch +++ b/0002-handle-HOME-not-being-set.patch @@ -1,7 +1,7 @@ From 6f79da339b3fd946b46932d61f30a117918de7b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Lu=C5=88=C3=A1k?= Date: Tue, 16 Jul 2013 15:46:06 +0200 -Subject: [PATCH 2/4] handle $HOME not being set +Subject: [PATCH 2/8] handle $HOME not being set --- client/main.cpp | 2 +- diff --git a/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch b/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch index df08bbf..5bc17f2 100644 --- a/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch +++ b/0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch @@ -1,7 +1,7 @@ From 059b0aaa9b54ab4a8866cdaf40eb4200a2797feb Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Mon, 8 Apr 2013 15:55:49 -0400 -Subject: [PATCH 3/4] Debian and Ubuntu uses docbook2x-man instead of +Subject: [PATCH 3/8] Debian and Ubuntu uses docbook2x-man instead of docbook-to-man Signed-off-by: Rodrigo Belem 
diff --git a/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch b/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch index fbe69fb..721f505 100644 --- a/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch +++ b/0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch @@ -1,7 +1,7 @@ From 50e25516be288526f6251502900c7cc887b40294 Mon Sep 17 00:00:00 2001 From: Eike Ziller Date: Tue, 18 Jun 2013 22:55:36 +0200 -Subject: [PATCH 4/4] Mac/brew has docbook2man instead of docbook-to-man +Subject: [PATCH 4/8] Mac/brew has docbook2man instead of docbook-to-man (cherry picked from commit a40bae096bd51f328d6ff299077c5530729b0580) --- diff --git a/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch b/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch index 63e9344..1e3d05d 100644 --- a/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch +++ b/0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch @@ -1,7 +1,7 @@ From bade4de1155e41809205ede25ffb99211c72547c Mon Sep 17 00:00:00 2001 From: Michal Schmidt Date: Mon, 26 Aug 2013 17:08:52 +0200 -Subject: [PATCH 5/5] Revert "chmod/chown envs dir when preparing this" +Subject: [PATCH 5/8] Revert "chmod/chown envs dir when preparing this" This reverts commit 137e683760707c690df496516432d72d8f7a81d3. --- diff --git a/0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch b/0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch new file mode 100644 index 0000000..b156cb9 --- /dev/null +++ b/0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch 
@@ -0,0 +1,30 @@
+From ab65771358f581d55889eba5e3feab283ab55717 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt
+Date: Thu, 29 Aug 2013 18:12:02 +0200
+Subject: [PATCH 6/8] daemon/main: do not create /run/icecc by ourselves
+
+In order to be able to restrict the daemon's SELinux policy even more,
+let's rely on tmpfiles.d to create the /run/icecc directory for us
+instead of creating it from the daemon.
+---
+ daemon/main.cpp | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/daemon/main.cpp b/daemon/main.cpp
+index e08b1e1..387d4e2 100644
+--- a/daemon/main.cpp
++++ b/daemon/main.cpp
+@@ -1801,10 +1801,6 @@ int main( int argc, char ** argv )
+ logfile = "/var/log/icecc/iceccd.log";
+ }
+
+- mkdir("/var/run/icecc", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+- chmod("/var/run/icecc", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+- chown("/var/run/icecc", d.user_uid, d.user_gid);
+-
+ #ifdef HAVE_LIBCAP_NG
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
+--
+1.8.3.1
+
diff --git a/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch b/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
deleted file mode 100644
index e142b90..0000000
--- a/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 26461a88508f277c33d95f5c5eb52cdd8d7c7737 Mon Sep 17 00:00:00 2001
-From: Michal Schmidt
-Date: Thu, 29 Aug 2013 15:54:19 +0200
-Subject: [PATCH 6/6] icecc-create-env: avoid tar looking at /etc/passwd
-
-If we invoke tar with --numeric-owner, it won't try to read /etc/passwd.
-This has the minor benefit of not having to worry about this access in
-the SELinux policy.
----
- client/icecc-create-env | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/icecc-create-env b/client/icecc-create-env
-index 029e351..1379ce1 100755
---- a/client/icecc-create-env
-+++ b/client/icecc-create-env
-@@ -337,7 +337,7 @@ md5=`for i in $target_files; do $md5sum $tempdir/$i; done | sed -e 's/ .*$//' |
- echo "creating $md5.tar.gz"
- mydir=`pwd`
- cd $tempdir
--tar -czhf "$mydir/$md5".tar.gz $target_files || {
-+tar -czh --numeric-owner -f "$mydir/$md5".tar.gz $target_files || {
- echo "Couldn't create archive"
- exit 3
- }
---
-1.8.3.1
-
diff --git a/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch b/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
deleted file mode 100644
index 8619deb..0000000
--- a/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From b67c1d823282b062c9804772756487f78a599ade Mon Sep 17 00:00:00 2001
-From: Michal Schmidt
-Date: Thu, 29 Aug 2013 18:12:02 +0200
-Subject: [PATCH 7/7] daemon/main: do not create /run/icecc by ourselves
-
-In order to be able to restrict the daemon's SELinux policy even more,
-let's rely on tmpfiles.d to create the /run/icecc directory for us
-instead of creating it from the daemon.
----
- daemon/main.cpp | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/daemon/main.cpp b/daemon/main.cpp
-index e08b1e1..387d4e2 100644
---- a/daemon/main.cpp
-+++ b/daemon/main.cpp
-@@ -1801,10 +1801,6 @@ int main( int argc, char ** argv )
- logfile = "/var/log/icecc/iceccd.log";
- }
-
-- mkdir("/var/run/icecc", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-- chmod("/var/run/icecc", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-- chown("/var/run/icecc", d.user_uid, d.user_gid);
--
- #ifdef HAVE_LIBCAP_NG
- capng_clear(CAPNG_SELECT_BOTH);
- capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
---
-1.8.3.1
-
diff --git a/0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch b/0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
new file mode 100644
index 0000000..22b4ea8
--- /dev/null
+++ b/0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
@@ -0,0 +1,28 @@
+From 318786fede24b6dbeb2c8be4706d432dbf6585af Mon Sep 17 00:00:00 2001
+From: Michal Schmidt
+Date: Thu, 29 Aug 2013 15:54:19 +0200
+Subject: [PATCH 7/8] icecc-create-env: avoid tar looking at /etc/passwd
+
+If we invoke tar with --numeric-owner, it won't try to read /etc/passwd.
+This has the minor benefit of not having to worry about this access in
+the SELinux policy (or other MAC policies).
+---
+ client/icecc-create-env | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/client/icecc-create-env b/client/icecc-create-env
+index 029e351..1379ce1 100755
+--- a/client/icecc-create-env
++++ b/client/icecc-create-env
+@@ -337,7 +337,7 @@ md5=`for i in $target_files; do $md5sum $tempdir/$i; done | sed -e 's/ .*$//' |
+ echo "creating $md5.tar.gz"
+ mydir=`pwd`
+ cd $tempdir
+-tar -czhf "$mydir/$md5".tar.gz $target_files || {
++tar -czh --numeric-owner -f "$mydir/$md5".tar.gz $target_files || {
+ echo "Couldn't create archive"
+ exit 3
+ }
+--
+1.8.3.1
+
diff --git a/0008-daemon-improve-capabilities-dropping.patch b/0008-daemon-improve-capabilities-dropping.patch
new file mode 100644
index 0000000..ac40964
--- /dev/null
+++ b/0008-daemon-improve-capabilities-dropping.patch
@@ -0,0 +1,44 @@
+From 4c2bce95802f47383f6f57245a447183da4de7c9 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt
+Date: Fri, 30 Aug 2013 21:25:47 +0200
+Subject: [PATCH 8/8] daemon: improve capabilities dropping
+
+This fixes issues in the usage of libcap-ng to drop capabilities:
+- capng_change_id() already applies the selected capabilities. Calling
+ capng_apply() afterwards is pointless.
+- In order to apply the bounding set, CAPNG_CLEAR_BOUNDING must therefore
+ be passed to capng_change_id(). Might as well add CAPNG_DROP_SUPP_GRP
+ to drop any supplementary groups.
+- The return value of capng_change_id() must be checked to prevent
+ continuing to run with unwanted capabilities in case of an error.
+
+I have checked that with this patch applied iceccd runs with a bounding
+set defined (pscap does not show the '+' sign anymore).
+---
+ daemon/main.cpp | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/daemon/main.cpp b/daemon/main.cpp
+index 387d4e2..34ad342 100644
+--- a/daemon/main.cpp
++++ b/daemon/main.cpp
+@@ -1803,9 +1803,13 @@ int main( int argc, char ** argv )
+
+ #ifdef HAVE_LIBCAP_NG
+ capng_clear(CAPNG_SELECT_BOTH);
+- capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
+- capng_change_id(d.user_uid, d.user_gid, CAPNG_NO_FLAG);
+- capng_apply(CAPNG_SELECT_BOTH);
++ capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT);
++ int r = capng_change_id(d.user_uid, d.user_gid,
++ (capng_flags_t)(CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING));
++ if (r) {
++ log_error() << "Error: capng_change_id failed: " << r << endl;
++ exit(EXIT_SETUID_FAILED);
++ }
+ #endif
+ } else {
+ d.noremote = true;
+--
+1.8.3.1
+
diff --git a/0008-daemon-set-capability-bounding-set.patch b/0008-daemon-set-capability-bounding-set.patch
deleted file mode 100644
index 1472723..0000000
--- a/0008-daemon-set-capability-bounding-set.patch
+++ /dev/null
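Review bot: The result of `capng_update()` is still ignored in the daemon/main.cpp hunk carried by 0008-daemon-improve-capabilities-dropping.patch, although the same patch starts checking `capng_change_id()`. If adding CAP_SYS_CHROOT to the working set fails, the identity change goes ahead with an empty capability set and the failure only surfaces later, presumably when the daemon tries to chroot. Fail closed the same way as for the identity change: `if (capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT) != 0) { log_error() << "Error: capng_update failed" << endl; exit(EXIT_SETUID_FAILED); }`. main() starts and ends outside the hunk, so whether a build without HAVE_LIBCAP_NG drops privileges by another path cannot be judged from here.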
@@ -1,34 +0,0 @@ -From 69e7fd2d9db8bf17d357c12a36b7a31f9db42d8d Mon Sep 17 00:00:00 2001 -From: Michal Schmidt -Date: Fri, 30 Aug 2013 21:25:47 +0200 -Subject: [PATCH 8/8] daemon: set capability bounding set - ---- - daemon/main.cpp | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/daemon/main.cpp b/daemon/main.cpp -index 387d4e2..11d1d2c 100644 ---- a/daemon/main.cpp -+++ b/daemon/main.cpp -@@ -1802,10 +1802,15 @@ int main( int argc, char ** argv ) - } - - #ifdef HAVE_LIBCAP_NG -+ int r; - capng_clear(CAPNG_SELECT_BOTH); - capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT); -- capng_change_id(d.user_uid, d.user_gid, CAPNG_NO_FLAG); -- capng_apply(CAPNG_SELECT_BOTH); -+ r = capng_change_id(d.user_uid, d.user_gid, -+ (capng_flags_t)(CAPNG_DROP_SUPP_GRP|CAPNG_CLEAR_BOUNDING)); -+ if (r) { -+ log_error() << "Error: capng_change_id failed: " << r << endl; -+ exit(EXIT_SETUID_FAILED); -+ } - #endif - } else { - d.noremote = true; --- -1.8.3.1 - diff --git a/icecream.spec b/icecream.spec index c8f1949..7c379ad 100644 --- a/icecream.spec +++ b/icecream.spec @@ -27,9 +27,9 @@ Patch0002: 0002-handle-HOME-not-being-set.patch Patch0003: 0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch Patch0004: 0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch Patch0005: 0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch -Patch0006: 0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch -Patch0007: 0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch -Patch0008: 0008-daemon-set-capability-bounding-set.patch +Patch0006: 0006-daemon-main-do-not-create-run-icecc-by-ourselves.patch +Patch0007: 0007-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch +Patch0008: 0008-daemon-improve-capabilities-dropping.patch Patch10000: %{name}-cleanup-conffile.patch