Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libcap for openSUSE:Factory checked 
in at 2022-04-17 23:49:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libcap (Old)
 and      /work/SRC/openSUSE:Factory/.libcap.new.1941 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libcap"

Sun Apr 17 23:49:33 2022 rev:53 rq:969556 version:2.64

Changes:
--------
--- /work/SRC/openSUSE:Factory/libcap/libcap.changes    2022-02-27 22:42:44.710624380 +0100
+++ /work/SRC/openSUSE:Factory/.libcap.new.1941/libcap.changes  2022-04-17 23:49:35.098286062 +0200
@@ -1,0 +2,9 @@
+Tue Apr 12 19:46:17 UTC 2022 - Dirk M??ller <dmuel...@suse.com>
+
+- update to 2.64:
+  * Fix memory leak in libpsx at program exit.
+  * Be more resilient to CGo configuration with Go compiler when building tests.
+  * Fix cap_*prctl() return code/errno handling.
+  * Minor clarification to cap_get_pid() man page concerning pid value within namespaces.
+
+-------------------------------------------------------------------

Old:
----
  libcap-2.63.tar.sign
  libcap-2.63.tar.xz

New:
----
  libcap-2.64.tar.sign
  libcap-2.64.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libcap.spec ++++++
--- /var/tmp/diff_new_pack.SMTUh4/_old  2022-04-17 23:49:35.742286944 +0200
+++ /var/tmp/diff_new_pack.SMTUh4/_new  2022-04-17 23:49:35.750286955 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           libcap
-Version:        2.63
+Version:        2.64
 Release:        0
 Summary:        Library for Capabilities (linux-privs) Support
 License:        BSD-3-Clause OR GPL-2.0-only

++++++ libcap-2.63.tar.xz -> libcap-2.64.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/Make.Rules new/libcap-2.64/Make.Rules
--- old/libcap-2.63/Make.Rules  2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/Make.Rules  2022-04-11 01:24:25.000000000 +0200
@@ -1,7 +1,7 @@
 # Common version number defines for libcap
 LIBTITLE=libcap
 VERSION=2
-MINOR=63
+MINOR=64
 
 #
 ## Optional prefixes:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/Makefile new/libcap-2.64/Makefile
--- old/libcap-2.63/Makefile    2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/Makefile    2022-04-11 01:24:25.000000000 +0200
@@ -37,6 +37,9 @@
        @echo "CONFIRM Go package cap has right version dependency on cap/psx:"
        for x in $$(find . -name go.mod); do $(BUILD_FGREP) -v "module" $$x | $(BUILD_FGREP) "kernel.org/pub/linux/libs/security/libcap" > /dev/null || continue ; $(BUILD_FGREP) "v$(GOMAJOR).$(VERSION).$(MINOR)" $$x  > /dev/null && continue ; echo "$$x is not updated. Try running: ./gomods.sh v$(GOMAJOR).$(VERSION).$(MINOR)" ; exit 1 ; done
        @echo "ALL go.mod files updated"
+       @echo "Confirm headers export current version"
+       $(BUILD_FGREP) "#define LIBCAP_MAJOR $(VERSION)" libcap/include/sys/capability.h
+       $(BUILD_FGREP) "#define LIBCAP_MINOR $(MINOR)" libcap/include/sys/capability.h
        @echo "Now validate that everything is checked in to a clean tree.."
        test -z "$$(git status --ignored -s)"
        @echo "All good!"
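Review bot: The two added header checks use a fixed-string substring match, so `#define LIBCAP_MINOR $(MINOR)` also matches a header whose number merely starts with the same digits (MINOR=6 would pass against `#define LIBCAP_MINOR 64`), and the release gate can pass with a stale header. Assuming `$(BUILD_FGREP)` is a grep-compatible fixed-string matcher (its definition is outside this hunk), whole-line matching closes that gap: `$(BUILD_FGREP) -x "#define LIBCAP_MINOR $(MINOR)" libcap/include/sys/capability.h`, and likewise for `LIBCAP_MAJOR`. Unlike the go.mod check just above, the matched lines are also echoed into the release output; adding `> /dev/null` would keep the two checks consistent. The recipe these lines belong to starts above the hunk.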
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/cap/go.mod new/libcap-2.64/cap/go.mod
--- old/libcap-2.63/cap/go.mod  2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/cap/go.mod  2022-04-11 01:24:25.000000000 +0200
@@ -2,4 +2,4 @@
 
 go 1.11
 
-require kernel.org/pub/linux/libs/security/libcap/psx v1.2.63
+require kernel.org/pub/linux/libs/security/libcap/psx v1.2.64
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/contrib/seccomp/go.mod new/libcap-2.64/contrib/seccomp/go.mod
--- old/libcap-2.63/contrib/seccomp/go.mod      2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/contrib/seccomp/go.mod      2022-04-11 01:24:25.000000000 +0200
@@ -2,4 +2,4 @@
 
 go 1.14
 
-require kernel.org/pub/linux/libs/security/libcap/psx v1.2.63
+require kernel.org/pub/linux/libs/security/libcap/psx v1.2.64
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/doc/cap_get_proc.3 new/libcap-2.64/doc/cap_get_proc.3
--- old/libcap-2.63/doc/cap_get_proc.3  2021-05-24 21:50:45.000000000 +0200
+++ new/libcap-2.64/doc/cap_get_proc.3  2022-04-10 23:56:23.000000000 +0200
@@ -76,7 +76,11 @@
 is 0, then the calling process's capabilities are returned.)
 This information can also be obtained from the
 .I /proc/<pid>/status
-file.
+file. Note, when the caller is operating within a
+.RB ( CLONE_NEWPID )
+namespace, the numerical
+.I pid
+argument is interpreted in the range of that namespace.
 .PP
 .BR cap_get_bound ()
 with a
@@ -392,5 +396,6 @@
 .BR cap_from_text (3),
 .BR cap_get_file (3),
 .BR cap_init (3),
+.BR namespaces (7),
 .BR psx_syscall (3),
 .BR capabilities (7).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/go/Makefile new/libcap-2.64/go/Makefile
--- old/libcap-2.63/go/Makefile 2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/go/Makefile 2022-04-10 23:56:23.000000000 +0200
@@ -55,7 +55,7 @@
 # Compiles something with this package to compare it to libcap. This
 # tests more when run under sudotest (see ../progs/quicktest.sh for that).
 compare-cap: compare-cap.go CAPGOPACKAGE
-       CC="$(CC)" $(CGO_LDFLAGS_ALLOW) CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $<
+       CC="$(CC)" CGO_ENABLED="1" $(CGO_LDFLAGS_ALLOW) CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $<
 
 web: ../goapps/web/web.go CAPGOPACKAGE
        CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) $(GO) build $(GO_BUILD_FLAGS) -mod=vendor -o $@ $<
@@ -75,7 +75,7 @@
        CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) $(GO) build $(GO_BUILD_FLAGS) -mod=vendor -o $@ $<
 
 ok: ok.go
-       CC="$(CC)" CGO_ENABLED=0 $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $<
+       CC="$(CC)" CGO_ENABLED="0" $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $<
 
 try-launching: try-launching.go CAPGOPACKAGE ok
        CC="$(CC)" CGO_ENABLED="$(CGO_REQUIRED)" $(CGO_LDFLAGS_ALLOW) $(GO) build $(GO_BUILD_FLAGS) -mod=vendor $<
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/go/go.mod new/libcap-2.64/go/go.mod
--- old/libcap-2.63/go/go.mod   2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/go/go.mod   2022-04-11 01:24:25.000000000 +0200
@@ -3,6 +3,6 @@
 go 1.11
 
 require (
-       kernel.org/pub/linux/libs/security/libcap/cap v1.2.63
-       kernel.org/pub/linux/libs/security/libcap/psx v1.2.63
+       kernel.org/pub/linux/libs/security/libcap/cap v1.2.64
+       kernel.org/pub/linux/libs/security/libcap/psx v1.2.64
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/goapps/captree/go.mod new/libcap-2.64/goapps/captree/go.mod
--- old/libcap-2.63/goapps/captree/go.mod       2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/goapps/captree/go.mod       2022-04-11 01:24:25.000000000 +0200
@@ -2,4 +2,4 @@
 
 go 1.16
 
-require kernel.org/pub/linux/libs/security/libcap/cap v1.2.63
+require kernel.org/pub/linux/libs/security/libcap/cap v1.2.64
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/goapps/gowns/go.mod new/libcap-2.64/goapps/gowns/go.mod
--- old/libcap-2.63/goapps/gowns/go.mod 2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/goapps/gowns/go.mod 2022-04-11 01:24:25.000000000 +0200
@@ -2,4 +2,4 @@
 
 go 1.15
 
-require kernel.org/pub/linux/libs/security/libcap/cap v1.2.63
+require kernel.org/pub/linux/libs/security/libcap/cap v1.2.64
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/goapps/setid/go.mod new/libcap-2.64/goapps/setid/go.mod
--- old/libcap-2.63/goapps/setid/go.mod 2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/goapps/setid/go.mod 2022-04-11 01:24:25.000000000 +0200
@@ -3,6 +3,6 @@
 go 1.11
 
 require (
-       kernel.org/pub/linux/libs/security/libcap/cap v1.2.63
-       kernel.org/pub/linux/libs/security/libcap/psx v1.2.63
+       kernel.org/pub/linux/libs/security/libcap/cap v1.2.64
+       kernel.org/pub/linux/libs/security/libcap/psx v1.2.64
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/goapps/web/go.mod new/libcap-2.64/goapps/web/go.mod
--- old/libcap-2.63/goapps/web/go.mod   2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/goapps/web/go.mod   2022-04-11 01:24:25.000000000 +0200
@@ -2,4 +2,4 @@
 
 go 1.11
 
-require kernel.org/pub/linux/libs/security/libcap/cap v1.2.63
+require kernel.org/pub/linux/libs/security/libcap/cap v1.2.64
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/libcap/cap_proc.c new/libcap-2.64/libcap/cap_proc.c
--- old/libcap-2.63/libcap/cap_proc.c   2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/libcap/cap_proc.c   2022-04-10 23:56:23.000000000 +0200
@@ -135,7 +135,13 @@
                           long int pr_cmd, long int arg1, long int arg2)
 {
     if (_libcap_overrode_syscalls) {
-       return sc->three(SYS_prctl, pr_cmd, arg1, arg2);
+       int result;
+       result = sc->three(SYS_prctl, pr_cmd, arg1, arg2);
+       if (result >= 0) {
+           return result;
+       }
+       errno = -result;
+       return -1;
     }
     return prctl(pr_cmd, arg1, arg2, 0, 0, 0);
 }
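Review bot: The new override branch of `_libcap_wprctl3()` treats every negative return from `sc->three()` as a negated errno, but nothing in the hunk states that contract; a replacement syscall function that follows the libc convention (returns -1 with errno already set) would have its errno overwritten with 1. A comment above the branch such as `/* overriding syscall functions report failure as -errno, not as -1 with errno set */` would make the expectation explicit, and the same applies to `_libcap_wprctl6()` in the next hunk. The value is also stored in `int result` although the arguments are `long int`; if the function pointer returns `long int` (its declaration is outside the hunk), `long int result` avoids a silent narrowing before the sign test. These wrappers sit under the bounding-set and ambient-set calls, so a wrong errno can mislead callers that decide how to react to a failed privilege drop. The function signature begins above the hunk.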
@@ -145,7 +151,13 @@
                           long int arg3, long int arg4, long int arg5)
 {
     if (_libcap_overrode_syscalls) {
-       return sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
+       int result;
+       result = sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
+       if (result >= 0) {
+           return result;
+       }
+       errno = -result;
+       return -1;
     }
     return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
 }
@@ -271,26 +283,12 @@
 
 int cap_get_bound(cap_value_t cap)
 {
-    int result;
-
-    result = prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
-    if (result < 0) {
-       errno = -result;
-       return -1;
-    }
-    return result;
+    return prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
 }
 
 static int _cap_drop_bound(struct syscaller_s *sc, cap_value_t cap)
 {
-    int result;
-
-    result = _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
-    if (result < 0) {
-       errno = -result;
-       return -1;
-    }
-    return result;
+    return _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
 }
 
 /* drop a capability from the bounding set */
@@ -316,7 +314,7 @@
 static int _cap_set_ambient(struct syscaller_s *sc,
                            cap_value_t cap, cap_flag_value_t set)
 {
-    int result, val;
+    int val;
     switch (set) {
     case CAP_SET:
        val = PR_CAP_AMBIENT_RAISE;
@@ -328,13 +326,8 @@
        errno = EINVAL;
        return -1;
     }
-    result = _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
-                            pr_arg(0), pr_arg(0), pr_arg(0));
-    if (result < 0) {
-       errno = -result;
-       return -1;
-    }
-    return result;
+    return _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
+                          pr_arg(0), pr_arg(0), pr_arg(0));
 }
 
 /*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/libcap/cap_test.c new/libcap-2.64/libcap/cap_test.c
--- old/libcap-2.63/libcap/cap_test.c   2021-12-12 00:00:00.000000000 +0100
+++ new/libcap-2.64/libcap/cap_test.c   2022-04-10 23:56:23.000000000 +0200
@@ -254,6 +254,21 @@
     return retval;
 }
 
+static int test_prctl(void)
+{
+    int ret, retval=0;
+    errno = 0;
+    ret = cap_get_bound((cap_value_t) -1);
+    if (ret != -1) {
+       printf("cap_get_bound(-1) did not return error: %d\n", ret);
+       retval = -1;
+    } else if (errno != EINVAL) {
+       perror("cap_get_bound(-1) errno != EINVAL");
+       retval = -1;
+    }
+    return retval;
+}
+
 int main(int argc, char **argv) {
     int result = 0;
 
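Review bot: `test_prctl()` only exercises `cap_get_bound()`, which after this update calls `prctl()` directly, so the rewritten `_libcap_overrode_syscalls` branches of `_libcap_wprctl3()` and `_libcap_wprctl6()` in cap_proc.c are never reached by the new test. A second case that repeats an invalid-argument call through one of the wrapped entry points after the syscall functions have been overridden would cover the code this release actually changes; how the test binary would install an override is not visible here. The function would also benefit from a header comment stating the expectation, e.g. `/* an out-of-range capability must yield -1 with errno == EINVAL */`. The second hunk in this file only wires the test into `main()`, whose body continues outside the hunk.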
@@ -269,6 +284,9 @@
     printf("test_alloc: being called\n");
     fflush(stdout);
     result = test_alloc() | result;
+    printf("test_prctl: being called\n");
+    fflush(stdout);
+    result = test_prctl() | result;
     printf("tested\n");
     fflush(stdout);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/libcap/include/sys/capability.h new/libcap-2.64/libcap/include/sys/capability.h
--- old/libcap-2.63/libcap/include/sys/capability.h     2022-01-24 01:45:25.000000000 +0100
+++ new/libcap-2.64/libcap/include/sys/capability.h     2022-04-11 01:24:25.000000000 +0200
@@ -15,6 +15,12 @@
 #endif
 
 /*
+ * Provide a programmatic way to #ifdef around features.
+ */
+#define LIBCAP_MAJOR 2
+#define LIBCAP_MINOR 64
+
+/*
  * This file complements the kernel file by providing prototype
  * information for the user library.
  */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.63/psx/psx.c new/libcap-2.64/psx/psx.c
--- old/libcap-2.63/psx/psx.c   2022-01-24 01:30:38.000000000 +0100
+++ new/libcap-2.64/psx/psx.c   2022-04-11 01:24:25.000000000 +0200
@@ -29,6 +29,26 @@
 
 #include "psx_syscall.h"
 
+#ifdef _PSX_DEBUG_MEMORY
+
+static void *_psx_calloc(const char *file, const int line,
+                        size_t nmemb, size_t size) {
+    void *ptr = calloc(nmemb, size);
+    fprintf(stderr, "psx:%d:%s:%d: calloc(%ld, %ld) -> %p\n", gettid(),
+           file, line, (long int)nmemb, (long int)size, ptr);
+    return ptr;
+}
+
+static void _psx_free(const char *file, const int line, void *ptr) {
+    fprintf(stderr, "psx:%d:%s:%d: free(%p)\n", gettid(), file, line, ptr);
+    return free(ptr);
+}
+
+#define calloc(a, b)  _psx_calloc(__FILE__, __LINE__, a, b)
+#define free(a)       _psx_free(__FILE__, __LINE__, a)
+
+#endif /* def _PSX_DEBUG_MEMORY */
+
 /*
  * psx_load_syscalls() can be weakly defined in dependent libraries to
  * provide a mechanism for a library to optionally leverage this psx
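Review bot: `_psx_free()` is declared `void` but ends with `return free(ptr);`, which ISO C does not permit (a `return` with an expression in a void function) and which pedantic builds flag; a plain `free(ptr);` does the same. The `calloc` trace casts `size_t` to `long int` for `%ld`; `%zu` with the uncast values prints the sizes without narrowing where `long` is 32 bits. `gettid()` only exists as a libc wrapper on newer glibc releases, so a one-line comment that `_PSX_DEBUG_MEMORY` builds depend on it would save a surprise on older toolchains.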
@@ -177,6 +197,7 @@
  * Some forward declarations for the initialization
  * psx_syscall_start() routine.
  */
+static void _psx_cleanup(void);
 static void _psx_prepare_fork(void);
 static void _psx_fork_completed(void);
 static void _psx_forked_child(void);
@@ -240,6 +261,7 @@
 
     psx_confirm_sigaction();
     psx_do_registration(); /* register the main thread. */
+    atexit(_psx_cleanup);
 
     psx_tracker.initialized = 1;
 }
@@ -265,7 +287,9 @@
 }
 
 /*
- * under lock perform a state transition.
+ * under lock perform a state transition. Changing state is generally
+ * done via this function. However, there is a single exception in
+ * _psx_cleanup().
  */
 static void psx_new_state(psx_tracker_state_t was, psx_tracker_state_t is)
 {
@@ -329,7 +353,7 @@
      *
      * We do this because the glibc man page for fork() suggests that
      * only a subset of things will work post fork(). Specifically,
-     * only a "async-signal-safe functions (see signal- safety(7))
+     * only a "async-signal-safe functions (see signal-safety(7))
      * until such time as it calls execve(2)" can be relied upon. That
      * man page suggests that you can't expect mutexes to work: "not
      * async-signal-safe because it uses pthread_mutex_lock(3)
@@ -420,7 +444,7 @@
     pthread_sigmask(SIG_SETMASK, &orig_sigbits, NULL);
 
     /*
-     * Allow the rest of the psx system carry on as per normal.
+     * Allow the rest of the psx system to carry on as per normal.
      */
     psx_new_state(_PSX_EXITING, _PSX_IDLE);
 }
@@ -700,6 +724,31 @@
 }
 
 /*
+ * _psx_cleanup its called when the program exits. It is used to free
+ * any memory used by the thread tracker.
+ */
+static void _psx_cleanup(void) {
+    registered_thread_t *ref, *next;
+
+    /*
+     * We enter the exiting state. Unlike exiting a single thread we
+     * never leave this state since this cleanup is only done at
+     * program exit.
+     */
+    psx_lock();
+    while (psx_tracker.state != _PSX_IDLE && psx_tracker.state != _PSX_INFORK) {
+       pthread_cond_wait(&psx_tracker.cond, &psx_tracker.state_mu);
+    }
+    psx_tracker.state = _PSX_EXITING;
+    psx_unlock();
+
+    for (ref = psx_tracker.root; ref; ref = next) {
+       next = ref->next;
+       psx_do_unregister(ref);
+    }
+}
+
+/*
  * Change the PSX sensitivity level. If the threads appear to have
  * diverged in behavior, this can cause the library to notify the
  * user.
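Review bot: `_psx_cleanup()` walks and frees `psx_tracker.root` after `psx_unlock()`, so the only thing keeping other threads off the list is the `_PSX_EXITING` state set just before; the header comment should say so, e.g. `/* the list is walked unlocked: no other psx state transition can start once the state is _PSX_EXITING */`. It would also help to document why `_PSX_INFORK` is accepted as a starting state, and that the `pthread_cond_wait()` loop has no exit other than the tracker reaching one of those two states, so an `exit()` issued while the tracker is held in another state would block in this handler (inferred; the state machine is outside the hunk). The registration in the earlier hunk, `atexit(_psx_cleanup);`, ignores the return value; that looks harmless because a failed registration only restores the previous leak at exit, but it deserves a one-line comment. Typo in the new comment: "its called" should read "is called".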
