From 94ed6c971085d22c2a544227879b672266b4af90 Mon Sep 17 00:00:00 2001 From: Nicolás Reynolds Date: Sat, 4 Jan 2014 03:38:30 +0000 Subject: Sat Jan 4 03:36:23 UTC 2014 --- core/dbus/PKGBUILD | 37 +++- core/grep/PKGBUILD | 6 +- core/libcap/PKGBUILD | 18 +- core/libcap/libcap-2.23-header.patch | 350 +++++++++++++++++++++++++++++++++++ 4 files changed, 393 insertions(+), 18 deletions(-) create mode 100644 core/libcap/libcap-2.23-header.patch (limited to 'core') diff --git a/core/dbus/PKGBUILD b/core/dbus/PKGBUILD index f347e17d3..6b6282c1d 100644 --- a/core/dbus/PKGBUILD +++ b/core/dbus/PKGBUILD @@ -1,21 +1,17 @@ -# $Id: PKGBUILD 200253 2013-11-23 20:09:30Z tomegun $ +# $Id: PKGBUILD 203073 2014-01-03 11:02:50Z tomegun $ # Maintainer: Tom Gundersen # Maintainer: Jan de Groot # Contributor: Link Dupont # -pkgname=dbus +pkgbase=dbus +pkgname=('dbus' 'libdbus') pkgver=1.6.18 -pkgrel=1 +pkgrel=3 pkgdesc="Freedesktop.org message bus system" url="http://www.freedesktop.org/Software/dbus" arch=(i686 x86_64) license=('GPL' 'custom') -depends=('expat' 'coreutils' 'filesystem') makedepends=('libx11' 'systemd') -optdepends=('libx11: dbus-launch support') -provides=('dbus-core') -conflicts=('dbus-core') -replaces=('dbus-core') source=(http://dbus.freedesktop.org/releases/dbus/dbus-$pkgver.tar.gz 30-dbus systemd-user-session.patch memleak.patch) md5sums=('b02e9c95027a416987b81f9893831061' @@ -44,7 +40,13 @@ build() { make } -package(){ +package_dbus(){ + depends=('libdbus' 'expat') + optdepends=('libx11: dbus-launch support') + provides=('dbus-core') + conflicts=('dbus-core') + replaces=('dbus-core') + cd dbus-$pkgver make DESTDIR="$pkgdir" install @@ -53,4 +55,21 @@ package(){ install -Dm755 ../30-dbus "$pkgdir/etc/X11/xinit/xinitrc.d/30-dbus" install -Dm644 COPYING "$pkgdir/usr/share/licenses/dbus/COPYING" + + # split out libdbus-1 + rm -rf "$srcdir/_libdbus" + install -dm755 "$srcdir"/_libdbus/usr/lib/dbus-1.0 + mv "$pkgdir"/usr/include "$srcdir"/_libdbus/usr/ + mv "$pkgdir"/usr/lib/pkgconfig "$srcdir"/_libdbus/usr/lib/ + mv "$pkgdir"/usr/lib/libdbus* "$srcdir"/_libdbus/usr/lib/ + mv "$pkgdir"/usr/lib/dbus-1.0/include "$srcdir"/_libdbus/usr/lib/dbus-1.0/ + install -Dm644 COPYING "$srcdir"/_libdbus/usr/share/licenses/libdbus/COPYING +} + +package_libdbus(){ + pkgdesc="DBus library" + depends=('glibc') + + + mv "$srcdir"/_libdbus/* "$pkgdir" } diff --git a/core/grep/PKGBUILD b/core/grep/PKGBUILD index 888f83f1a..1823febb6 100644 --- a/core/grep/PKGBUILD +++ b/core/grep/PKGBUILD @@ -1,9 +1,9 @@ -# $Id: PKGBUILD 197799 2013-10-30 10:37:55Z allan $ +# $Id: PKGBUILD 203054 2014-01-03 00:30:46Z allan $ # Maintainer: Allan McRae # Contributor: judd pkgname=grep -pkgver=2.15 +pkgver=2.16 pkgrel=1 pkgdesc="A string search utility" arch=('i686' 'x86_64') @@ -14,7 +14,7 @@ depends=('glibc' 'pcre' 'sh') makedepends=('texinfo') install=${pkgname}.install source=(ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz{,.sig}) -md5sums=('8cab8ca52bcae735af40278423c7c942' +md5sums=('502350a6c8f7c2b12ee58829e760b44d' 'SKIP') build() { diff --git a/core/libcap/PKGBUILD b/core/libcap/PKGBUILD index bf3e12c95..e12d59559 100644 --- a/core/libcap/PKGBUILD +++ b/core/libcap/PKGBUILD @@ -1,25 +1,31 @@ -#$Id: PKGBUILD 185557 2013-05-15 05:24:44Z allan $ +#$Id: PKGBUILD 203064 2014-01-03 09:18:41Z allan $ # Maintainer: Allan McRae # Contributor: Hugo Doria pkgname=libcap -pkgver=2.22 -pkgrel=5 +pkgver=2.23 +pkgrel=2 pkgdesc="POSIX 1003.1e capabilities" arch=('i686' 'x86_64') url="http://sites.google.com/site/fullycapable/" license=('GPL2') depends=('glibc' 'attr') options=('!staticlibs') -source=(ftp://ftp.archlinux.org/other/${pkgname}/${pkgname}-${pkgver}.tar.gz{,.asc}) -md5sums=('b4896816b626bea445f0b3849bdd4077' - '9d0983e25e5a251d098507f9561d2b27') +source=(https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.23.tar.xz + libcap-2.23-header.patch) +md5sums=('09a185e4b0aa8a81a51c1e4d0eba7db0' + '945984c4bf5e601c24a7c80f001fb2c6') prepare() { cd ${srcdir}/${pkgname}-${pkgver} # install into /usr/bin sed -i "/SBINDIR/s#sbin#bin#" Make.Rules + + # fix header path issues + patch -p1 -i $srcdir/libcap-2.23-header.patch + # and fix the build with that patch + sed -i "s#uapi/##" libcap/Makefile } build() { diff --git a/core/libcap/libcap-2.23-header.patch b/core/libcap/libcap-2.23-header.patch new file mode 100644 index 000000000..74c45e0a4 --- /dev/null +++ b/core/libcap/libcap-2.23-header.patch @@ -0,0 +1,350 @@ +From c3290668646b767058e55b29f7b8f4be4af2e660 Mon Sep 17 00:00:00 2001 +From: Andrew G Morgan +Date: Thu, 02 Jan 2014 01:56:31 +0000 +Subject: Fix up the uapi/linux include scheme. + +In adopting this uapi header file (without kernel internals), I previously +messed up on the apparent location of the files. Thanks to Tom Gundersen for +the clarification. Also, delete the non-uapi copies of things since they +are no longer needed to build the library and tools. + +Signed-off-by: Andrew G Morgan +--- +diff --git a/Make.Rules b/Make.Rules +index 9ca6c89..5b58c59 100644 +--- a/Make.Rules ++++ b/Make.Rules +@@ -45,8 +45,8 @@ MINOR=23 + + # Compilation specifics + +-KERNEL_HEADERS := $(topdir)/libcap/include +-IPATH += -fPIC -I$(topdir)/libcap/include -I$(KERNEL_HEADERS) ++KERNEL_HEADERS := $(topdir)/libcap/include/uapi ++IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include + + CC := gcc + CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 +diff --git a/libcap/include/linux/capability.h b/libcap/include/linux/capability.h +deleted file mode 100644 +index a6ee1f9..0000000 +--- a/libcap/include/linux/capability.h ++++ /dev/null +@@ -1,219 +0,0 @@ +-/* +- * This is +- * +- * Andrew G. Morgan +- * Alexander Kjeldaas +- * with help from Aleph1, Roland Buresund and Andrew Main. +- * +- * See here for the libcap library ("POSIX draft" compliance): +- * +- * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ +- */ +-#ifndef _LINUX_CAPABILITY_H +-#define _LINUX_CAPABILITY_H +- +-#include +- +- +-#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 +-#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 +- +-extern int file_caps_enabled; +- +-typedef struct kernel_cap_struct { +- __u32 cap[_KERNEL_CAPABILITY_U32S]; +-} kernel_cap_t; +- +-/* exact same as vfs_cap_data but in cpu endian and always filled completely */ +-struct cpu_vfs_cap_data { +- __u32 magic_etc; +- kernel_cap_t permitted; +- kernel_cap_t inheritable; +-}; +- +-#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) +-#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t)) +- +- +-struct file; +-struct inode; +-struct dentry; +-struct user_namespace; +- +-struct user_namespace *current_user_ns(void); +- +-extern const kernel_cap_t __cap_empty_set; +-extern const kernel_cap_t __cap_init_eff_set; +- +-/* +- * Internal kernel functions only +- */ +- +-#define CAP_FOR_EACH_U32(__capi) \ +- for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi) +- +-/* +- * CAP_FS_MASK and CAP_NFSD_MASKS: +- * +- * The fs mask is all the privileges that fsuid==0 historically meant. +- * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE. +- * +- * It has never meant setting security.* and trusted.* xattrs. +- * +- * We could also define fsmask as follows: +- * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions +- * 2. The security.* and trusted.* xattrs are fs-related MAC permissions +- */ +- +-# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \ +- | CAP_TO_MASK(CAP_MKNOD) \ +- | CAP_TO_MASK(CAP_DAC_OVERRIDE) \ +- | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \ +- | CAP_TO_MASK(CAP_FOWNER) \ +- | CAP_TO_MASK(CAP_FSETID)) +- +-# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE)) +- +-#if _KERNEL_CAPABILITY_U32S != 2 +-# error Fix up hand-coded capability macro initializers +-#else /* HAND-CODED capability initializers */ +- +-# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) +-# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) +-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ +- | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ +- CAP_FS_MASK_B1 } }) +-# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ +- | CAP_TO_MASK(CAP_SYS_RESOURCE), \ +- CAP_FS_MASK_B1 } }) +- +-#endif /* _KERNEL_CAPABILITY_U32S != 2 */ +- +-# define cap_clear(c) do { (c) = __cap_empty_set; } while (0) +- +-#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag)) +-#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag)) +-#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag)) +- +-#define CAP_BOP_ALL(c, a, b, OP) \ +-do { \ +- unsigned __capi; \ +- CAP_FOR_EACH_U32(__capi) { \ +- c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \ +- } \ +-} while (0) +- +-#define CAP_UOP_ALL(c, a, OP) \ +-do { \ +- unsigned __capi; \ +- CAP_FOR_EACH_U32(__capi) { \ +- c.cap[__capi] = OP a.cap[__capi]; \ +- } \ +-} while (0) +- +-static inline kernel_cap_t cap_combine(const kernel_cap_t a, +- const kernel_cap_t b) +-{ +- kernel_cap_t dest; +- CAP_BOP_ALL(dest, a, b, |); +- return dest; +-} +- +-static inline kernel_cap_t cap_intersect(const kernel_cap_t a, +- const kernel_cap_t b) +-{ +- kernel_cap_t dest; +- CAP_BOP_ALL(dest, a, b, &); +- return dest; +-} +- +-static inline kernel_cap_t cap_drop(const kernel_cap_t a, +- const kernel_cap_t drop) +-{ +- kernel_cap_t dest; +- CAP_BOP_ALL(dest, a, drop, &~); +- return dest; +-} +- +-static inline kernel_cap_t cap_invert(const kernel_cap_t c) +-{ +- kernel_cap_t dest; +- CAP_UOP_ALL(dest, c, ~); +- return dest; +-} +- +-static inline int cap_isclear(const kernel_cap_t a) +-{ +- unsigned __capi; +- CAP_FOR_EACH_U32(__capi) { +- if (a.cap[__capi] != 0) +- return 0; +- } +- return 1; +-} +- +-/* +- * Check if "a" is a subset of "set". +- * return 1 if ALL of the capabilities in "a" are also in "set" +- * cap_issubset(0101, 1111) will return 1 +- * return 0 if ANY of the capabilities in "a" are not in "set" +- * cap_issubset(1111, 0101) will return 0 +- */ +-static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set) +-{ +- kernel_cap_t dest; +- dest = cap_drop(a, set); +- return cap_isclear(dest); +-} +- +-/* Used to decide between falling back on the old suser() or fsuser(). */ +- +-static inline int cap_is_fs_cap(int cap) +-{ +- const kernel_cap_t __cap_fs_set = CAP_FS_SET; +- return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]); +-} +- +-static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a) +-{ +- const kernel_cap_t __cap_fs_set = CAP_FS_SET; +- return cap_drop(a, __cap_fs_set); +-} +- +-static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a, +- const kernel_cap_t permitted) +-{ +- const kernel_cap_t __cap_fs_set = CAP_FS_SET; +- return cap_combine(a, +- cap_intersect(permitted, __cap_fs_set)); +-} +- +-static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a) +-{ +- const kernel_cap_t __cap_fs_set = CAP_NFSD_SET; +- return cap_drop(a, __cap_fs_set); +-} +- +-static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a, +- const kernel_cap_t permitted) +-{ +- const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET; +- return cap_combine(a, +- cap_intersect(permitted, __cap_nfsd_set)); +-} +- +-extern bool has_capability(struct task_struct *t, int cap); +-extern bool has_ns_capability(struct task_struct *t, +- struct user_namespace *ns, int cap); +-extern bool has_capability_noaudit(struct task_struct *t, int cap); +-extern bool has_ns_capability_noaudit(struct task_struct *t, +- struct user_namespace *ns, int cap); +-extern bool capable(int cap); +-extern bool ns_capable(struct user_namespace *ns, int cap); +-extern bool inode_capable(const struct inode *inode, int cap); +-extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); +- +-/* audit system wants to get cap info from files as well */ +-extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); +- +-#endif /* !_LINUX_CAPABILITY_H */ +diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h +index 56fc7fd..64ac50e 100644 +--- a/libcap/include/sys/capability.h ++++ b/libcap/include/sys/capability.h +@@ -26,7 +26,7 @@ extern "C" { + #ifndef __user + #define __user + #endif +-#include ++#include + #include + + /* +diff --git a/libcap/include/linux/prctl.h b/libcap/include/uapi/linux/prctl.h +index a3baeb2..289760f 100644 +--- a/libcap/include/linux/prctl.h ++++ b/libcap/include/uapi/linux/prctl.h +@@ -102,4 +102,51 @@ + + #define PR_MCE_KILL_GET 34 + ++/* ++ * Tune up process memory map specifics. ++ */ ++#define PR_SET_MM 35 ++# define PR_SET_MM_START_CODE 1 ++# define PR_SET_MM_END_CODE 2 ++# define PR_SET_MM_START_DATA 3 ++# define PR_SET_MM_END_DATA 4 ++# define PR_SET_MM_START_STACK 5 ++# define PR_SET_MM_START_BRK 6 ++# define PR_SET_MM_BRK 7 ++# define PR_SET_MM_ARG_START 8 ++# define PR_SET_MM_ARG_END 9 ++# define PR_SET_MM_ENV_START 10 ++# define PR_SET_MM_ENV_END 11 ++# define PR_SET_MM_AUXV 12 ++# define PR_SET_MM_EXE_FILE 13 ++ ++/* ++ * Set specific pid that is allowed to ptrace the current task. ++ * A value of 0 mean "no process". ++ */ ++#define PR_SET_PTRACER 0x59616d61 ++# define PR_SET_PTRACER_ANY ((unsigned long)-1) ++ ++#define PR_SET_CHILD_SUBREAPER 36 ++#define PR_GET_CHILD_SUBREAPER 37 ++ ++/* ++ * If no_new_privs is set, then operations that grant new privileges (i.e. ++ * execve) will either fail or not grant them. This affects suid/sgid, ++ * file capabilities, and LSMs. ++ * ++ * Operations that merely manipulate or drop existing privileges (setresuid, ++ * capset, etc.) will still work. Drop those privileges if you want them gone. ++ * ++ * Changing LSM security domain is considered a new privilege. So, for example, ++ * asking selinux for a specific new context (e.g. with runcon) will result ++ * in execve returning -EPERM. ++ * ++ * See Documentation/prctl/no_new_privs.txt for more details. ++ */ ++#define PR_SET_NO_NEW_PRIVS 38 ++#define PR_GET_NO_NEW_PRIVS 39 ++ ++#define PR_GET_TID_ADDRESS 40 ++ + #endif /* _LINUX_PRCTL_H */ +diff --git a/libcap/include/linux/securebits.h b/libcap/include/uapi/linux/securebits.h +index 3340617..985aac9 100644 +--- a/libcap/include/linux/securebits.h ++++ b/libcap/include/uapi/linux/securebits.h +@@ -1,14 +1,11 @@ +-#ifndef _LINUX_SECUREBITS_H +-#define _LINUX_SECUREBITS_H 1 ++#ifndef _UAPI_LINUX_SECUREBITS_H ++#define _UAPI_LINUX_SECUREBITS_H + + /* Each securesetting is implemented using two bits. One bit specifies + whether the setting is on or off. The other bit specify whether the + setting is locked or not. A setting which is locked cannot be + changed from user-level. */ + #define issecure_mask(X) (1 << (X)) +-#ifdef __KERNEL__ +-#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits)) +-#endif + + #define SECUREBITS_DEFAULT 0x00000000 + +@@ -51,4 +48,4 @@ + issecure_mask(SECURE_KEEP_CAPS)) + #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) + +-#endif /* !_LINUX_SECUREBITS_H */ ++#endif /* _UAPI_LINUX_SECUREBITS_H */ +-- +cgit v0.9.2 -- cgit v1.2.3-54-g00ecf