diff --git a/libreswan-4.12-libcap-ng.patch b/libreswan-4.12-libcap-ng.patch
new file mode 100644
index 0000000..fa4193f
--- /dev/null
+++ b/libreswan-4.12-libcap-ng.patch
@@ -0,0 +1,72 @@
+commit ad147f53bebf596474df27609a4a6542d0e17400
+Author: Paul Wouters
+Date: Tue Sep 5 22:49:28 2023 -0400
+
+ pluto: check return code of libcap-ng functions
+
+ Avoids "error: ignoring return value of ‘capng_apply’ ..."
+
+diff --git a/include/pluto_constants.h b/include/pluto_constants.h
+index 1dd86ba372..f4487a2b0a 100644
+--- a/include/pluto_constants.h
++++ b/include/pluto_constants.h
+@@ -1024,7 +1024,8 @@ enum pluto_exit_code {
+ PLUTO_EXIT_UNBOUND_FAIL = 9,
+ PLUTO_EXIT_LOCK_FAIL = 10, /* historic value */
+ PLUTO_EXIT_SELINUX_FAIL = 11,
+- PLUTO_EXIT_LEAVE_STATE = 12, /* leave kernel state and routes */
++ PLUTO_EXIT_CAPNG_FAIL = 12,
++ PLUTO_EXIT_LEAVE_STATE = 13, /* leave kernel state and routes */
+ /**/
+ PLUTO_EXIT_GIT_BISECT_CAN_NOT_TEST = 125,
+ PLUTO_EXIT_SHELL_COMMAND_NOT_FOUND = 126,
+diff --git a/lib/libswan/pluto_exit_code_names.c b/lib/libswan/pluto_exit_code_names.c
+index bb4b3284a5..6d245d4642 100644
+--- a/lib/libswan/pluto_exit_code_names.c
++++ b/lib/libswan/pluto_exit_code_names.c
+@@ -46,6 +46,7 @@ static const char *pluto_exit_code_name[] = {
+ S(PLUTO_EXIT_UNBOUND_FAIL),
+ S(PLUTO_EXIT_LOCK_FAIL),
+ S(PLUTO_EXIT_SELINUX_FAIL),
++ S(PLUTO_EXIT_CAPNG_FAIL),
+ S(PLUTO_EXIT_LEAVE_STATE),
+ #undef S
+ };
+diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
+index 565538ba18..efc287b8fc 100644
+--- a/programs/pluto/plutomain.c
++++ b/programs/pluto/plutomain.c
+@@ -1708,13 +1708,16 @@ int main(int argc, char **argv)
+ */
+ capng_clear(CAPNG_SELECT_BOTH);
+
+- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
++ if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
+ CAP_IPC_LOCK, CAP_AUDIT_WRITE,
+ /* for google authenticator pam */
+ CAP_SETGID, CAP_SETUID,
+ CAP_DAC_READ_SEARCH,
+- -1);
++ -1) != 0) {
++ fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
++ "libcap-ng capng_updatev() failed");
++ }
+ /*
+ * We need to retain some capabilities for our children (updown):
+ * CAP_NET_ADMIN to change routes
+@@ -1725,7 +1728,13 @@ int main(int argc, char **argv)
+ */
+ capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
+ CAP_DAC_READ_SEARCH, -1);
+- capng_apply(CAPNG_SELECT_BOTH);
++ int ret = capng_apply(CAPNG_SELECT_BOUNDS);
++ if (ret != CAPNG_NONE) {
++ fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
++ "libcap-ng capng_apply failed to apply changes, err=%d. see: man capng_apply",
++ ret);
++ }
++
+ llog(RC_LOG, logger, "libcap-ng support [enabled]");
+ #else
+ llog(RC_LOG, logger, "libcap-ng support [disabled]");
diff --git a/libreswan.spec b/libreswan.spec
index bc48395..ec39731 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -44,6 +44,8 @@
 Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
+Patch1: libreswan-4.12-libcap-ng.patch
+
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
@@ -213,6 +215,7 @@ certutil -N -d sql:$tmpdir --empty-password %changelog * Tue Sep 05 2023 Paul Wouters
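Review bot: The switch from `capng_apply(CAPNG_SELECT_BOTH)` to `capng_apply(CAPNG_SELECT_BOUNDS)` in the second plutomain.c hunk does more than add a return-code check: in the libcap-ng API CAPNG_SELECT_BOUNDS selects only the bounding set, so as far as this hunk shows the `capng_clear()` and the `capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, ...)` from the first hunk are never applied via capset() and pluto keeps whatever capabilities it was started with, unless CAPNG_SELECT_CAPS is applied somewhere outside the hunk. The second `capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, ...)` call is also still unchecked, which is what the commit title says it set out to fix. `CAPNG_NONE` is a capng_results_t value (what capng_have_capabilities() returns), not a capng_apply() result; it is numerically 0 so the test works, but `ret != 0` says what is meant. Failing closed with fatal() on any capability error is the right choice and should stay; I would keep CAPNG_SELECT_BOTH and check both calls as below (main() starts and ends outside the hunk).
```c
/* … unchanged: capng_clear() and the checked EFFECTIVE|PERMITTED capng_updatev() … */
if (capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
		  CAP_DAC_READ_SEARCH, -1) != 0) {
	fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
	      "libcap-ng capng_updatev(CAPNG_BOUNDING_SET) failed");
}
/* BOTH = the reduced permitted/effective set AND the bounding set; BOUNDS alone leaves the caps set untouched */
int ret = capng_apply(CAPNG_SELECT_BOTH);
if (ret != 0) {
	fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
	      "libcap-ng capng_apply failed to apply changes, err=%d. see: man capng_apply",
	      ret);
}
/* … unchanged: llog "libcap-ng support [enabled]" … */
```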