summaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-security/libcap-ng
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security/recipes-security/libcap-ng')
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch79
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/python.patch39
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb39
3 files changed, 157 insertions, 0 deletions
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
new file mode 100644
index 000000000..d7a868d2c
--- /dev/null
+++ b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
@@ -0,0 +1,79 @@
+Upstream-Status: Pending
+
+diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
+index 7683119..a070c1e 100644
+--- a/docs/capng_lock.3
++++ b/docs/capng_lock.3
+@@ -8,12 +8,13 @@ int capng_lock(void);
+
+ .SH "DESCRIPTION"
+
+-capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
++capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel.
+
++This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error.
+
+ .SH "RETURN VALUE"
+
+-This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
++This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
+
+ .SH "SEE ALSO"
+
+diff --git a/src/cap-ng.c b/src/cap-ng.c
+index bd105ba..422f2bc 100644
+--- a/src/cap-ng.c
++++ b/src/cap-ng.c
+@@ -45,6 +45,7 @@
+ * 2.6.24 kernel XATTR_NAME_CAPS
+ * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2
+ * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
++ * 3.5 kernel PR_SET_NO_NEW_PRIVS
+ */
+
+ /* External syscall prototypes */
+@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
+ #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
+ #endif
+
++/* prctl values that we use */
++#ifndef PR_SET_SECUREBITS
++#define PR_SET_SECUREBITS 28
++#endif
++#ifndef PR_SET_NO_NEW_PRIVS
++#define PR_SET_NO_NEW_PRIVS 38
++#endif
++
+ // States: new, allocated, initted, updated, applied
+ typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
+ CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
+@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
+
+ int capng_lock(void)
+ {
+-#ifdef PR_SET_SECUREBITS
+- int rc = prctl(PR_SET_SECUREBITS,
+- 1 << SECURE_NOROOT |
+- 1 << SECURE_NOROOT_LOCKED |
+- 1 << SECURE_NO_SETUID_FIXUP |
+- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
++ int rc;
++
++ // On Linux 3.5 and up, we can directly prevent ourselves and
++ // our descendents from gaining privileges.
++ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
++ return 0;
++
++ // This kernel is too old or otherwise doesn't support
++ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits.
++ rc = prctl(PR_SET_SECUREBITS,
++ 1 << SECURE_NOROOT |
++ 1 << SECURE_NOROOT_LOCKED |
++ 1 << SECURE_NO_SETUID_FIXUP |
++ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
+ if (rc)
+ return -1;
+-#endif
+
+ return 0;
+ }
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
new file mode 100644
index 000000000..d82ceb454
--- /dev/null
+++ b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
@@ -0,0 +1,39 @@
+configure.ac - Avoid an incorrect check for python.
+Makefile.am - avoid hard coded host include paths.
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+
+--- libcap-ng-0.6.5/configure.ac.orig 2012-01-17 13:59:03.645898989 -0600
++++ libcap-ng-0.6.5/configure.ac 2012-01-17 13:59:46.353959252 -0600
+@@ -120,17 +120,8 @@
+ else
+ AC_MSG_RESULT(testing)
+ AM_PATH_PYTHON
+-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
+- python_found="yes"
+- AC_MSG_NOTICE(Python bindings will be built)
+-else
+- python_found="no"
+- if test x$use_python = xyes ; then
+- AC_MSG_ERROR([Python explicitly required and python headers found])
+- else
+- AC_MSG_WARN("Python headers not found - python bindings will not be made")
+- fi
+-fi
++python_found="yes"
++AC_MSG_NOTICE(Python bindings will be built)
+ fi
+ AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
+
+--- libcap-ng-0.6.5/bindings/python/Makefile.am.orig 2010-11-03 12:31:59.000000000 -0500
++++ libcap-ng-0.6.5/bindings/python/Makefile.am 2012-01-17 14:05:50.199834467 -0600
+@@ -24,7 +24,8 @@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ AM_CFLAGS = -fPIC -DPIC
+ PYLIBVER ?= python$(PYTHON_VERSION)
+-INCLUDES = -I. -I$(top_builddir) -I/usr/include/$(PYLIBVER)
++PYINC ?= /usr/include/$(PYLIBVER)
++INCLUDES = -I. -I$(top_builddir) -I$(PYINC)
+ LIBS = $(top_builddir)/src/libcap-ng.la
+ pyexec_PYTHON = capng.py
+ pyexec_LTLIBRARIES = _capng.la
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
new file mode 100644
index 000000000..e729518e9
--- /dev/null
+++ b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
@@ -0,0 +1,39 @@
+SUMMARY = "An alternate posix capabilities library"
+DESCRIPTION = "The libcap-ng library is intended to make programming \
+with POSIX capabilities much easier than the traditional libcap library."
+HOMEPAGE = "http://freecode.com/projects/libcap-ng"
+SECTION = "base"
+LICENSE = "GPLv2+ & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
+ file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"
+
+SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \
+ file://python.patch \
+ file://CVE-2014-3215.patch \
+ "
+
+inherit lib_package autotools pythonnative
+
+SRC_URI[md5sum] = "610afb774f80a8032b711281df126283"
+SRC_URI[sha256sum] = "5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1"
+
+DEPENDS += "swig-native python"
+
+EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' PYINC='${STAGING_INCDIR}/${PYLIBVER}'"
+
+PACKAGES += "${PN}-python"
+
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
+
+BBCLASSEXTEND = "native"
+
+do_install_append() {
+ # Moving libcap-ng to base_libdir
+ if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
+ mkdir -p ${D}/${base_libdir}/
+ mv -f ${D}${libdir}/libcap-ng.so.* ${D}${base_libdir}/
+ relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
+ ln -sf ${relpath}/libcap-ng.so.0.0.0 ${D}${libdir}/libcap-ng.so
+ fi
+}