From c8b3078055aa3028a11a446c96439b8301fe4567 Mon Sep 17 00:00:00 2001 From: sgrubb Date: May 01 2014 02:07:42 +0000 Subject: Remove PR_SET_NO_NEW_PRIVS call in capng_lock
---
diff --git a/libcap-ng-0.7.5-no-no_new_privs.patch b/libcap-ng-0.7.5-no-no_new_privs.patch
new file mode 100644
index 0000000..43477cc
--- /dev/null
+++ b/libcap-ng-0.7.5-no-no_new_privs.patch
@@ -0,0 +1,14 @@
+diff -urp libcap-ng-0.7.5.orig/src/cap-ng.c libcap-ng-0.7.5/src/cap-ng.c
+--- libcap-ng-0.7.5.orig/src/cap-ng.c 2014-04-30 21:44:23.000000000 -0400
++++ libcap-ng-0.7.5/src/cap-ng.c 2014-04-30 22:04:31.225062310 -0400
+@@ -710,10 +710,6 @@ int capng_lock(void)
+ 1 << SECURE_NOROOT_LOCKED |
+ 1 << SECURE_NO_SETUID_FIXUP |
+ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
+-#ifdef PR_SET_NO_NEW_PRIVS
+- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+- return -1;
+-#endif
+ if (rc)
+ return -1;
+ #endif
diff --git a/libcap-ng.spec b/libcap-ng.spec
index f928d9a..b6ce860 100644
--- a/libcap-ng.spec
+++ b/libcap-ng.spec
@@ -3,11 +3,12 @@ Summary: An alternate posix capabilities library Name: libcap-ng Version: 0.7.4 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ Group: System Environment/Libraries URL: http://people.redhat.com/sgrubb/libcap-ng Source0: http://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz +Patch1: libcap-ng-0.7.5-no-no_new_privs.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: kernel-headers >= 2.6.11
@@ -50,6 +51,7 @@ lets you set the file system based capabilities. %prep %setup -q +%patch1 -p1 %build %configure --libdir=/%{_lib}
@@ -111,6 +113,9 @@ rm -rf $RPM_BUILD_ROOT %attr(0644,root,root) %{_mandir}/man8/* %changelog +* Wed Apr 30 2014 Steve Grubb 0.7.4-2 +- Remove PR_SET_NO_NEW_PRIVS call in capng_lock + * Thu Apr 24 2014 Steve Grubb 0.7.4-1 - New upstream release
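Review bot: Removing the `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` call from `capng_lock()` is recorded nowhere in the code, and the commit message gives no reason, so callers that counted on the lock to also set no_new_privs lose that silently. The securebits still visible in the hunk (`SECURE_NOROOT_LOCKED`, `SECURE_NO_SETUID_FIXUP` and its lock) govern how uid 0 and setuid transitions affect capabilities, but as far as the visible mask shows they do not stop a later `execve()` of a file with file capabilities from gaining them, which is what no_new_privs covered. I would add a comment above the `if (rc)` check, for example `/* no_new_privs is deliberately not set here; callers that need it must call prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) themselves */`, and say the same in the capng_lock man page. The body of `capng_lock()` starts and ends outside the hunk, so the rest of the mask and the surrounding `#if` are not visible here.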
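Review bot: `Patch1: libcap-ng-0.7.5-no-no_new_privs.patch` is named for 0.7.5 and its paths are `libcap-ng-0.7.5/src/cap-ng.c`, while the spec still builds `Version: 0.7.4`. `%patch1 -p1` strips the leading directory, so the patch can still apply, but the name suggests its hunk offsets come from a different tree; it is worth confirming that it applies to the 0.7.4 tarball without fuzz. A comment above the `Patch1:` line such as `# Drop PR_SET_NO_NEW_PRIVS from capng_lock, see <bug reference>` would record why a security-relevant call is being carried as a downstream removal.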