File 0001-disable-run-time-fscaps-detection-bnc-728312.diff of Package permissions
From 94311258bfdf3ad86938bd50aaef4a83ca04eae5 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Mon, 7 Nov 2011 10:34:38 +0100
Subject: [PATCH] disable run time fscaps detection (bnc#728312)
PERMISSIONS_FSCAPS setting in /etc/sysconfig/security allows to enable
them again.
---
chkstat.8 | 5 +++--
chkstat.c | 40 ++++++++++++++++++++++++++++------------
2 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/chkstat.8 b/chkstat.8
index 3492e21..364a237 100644
--- a/chkstat.8
+++ b/chkstat.8
@@ -52,8 +52,9 @@ Opposite of --set, ie warn only but don't make actual changes
Omit printing the output header lines.
.TP
.IR \-\-fscaps,\ \-\-no\-fscaps
-Force or disable use of fscaps. Default is to automatically
-determine whether the running kernel supports fscaps.
+Enable or disable use of fscaps. In system mode the setting of
+PERMISSIONS_FSCAPS determines whether fscaps are on or off when this
+option is not set.
.TP
.IR \-\-examine\ file
Check permissions for this file instead of all files listed in the permissions files.
diff --git a/chkstat.c b/chkstat.c
index e5c9b15..8682c3e 100644
--- a/chkstat.c
+++ b/chkstat.c
@@ -54,6 +54,7 @@ int nlevel;
char** level;
int do_set = -1;
int default_set = 1;
+int have_fscaps = -1;
char** permfiles = NULL;
int npermfiles = 0;
char* force_level;
@@ -281,6 +282,24 @@ parse_sysconf(const char* file)
//fprintf(stderr, "invalid value for CHECK_PERMISSIONS (must be 'set', 'warn' or 'no')\n");
}
}
+ else if (have_fscaps == -1 && !strncmp(p, "PERMISSIONS_FSCAPS=", 19))
+ {
+ p+=19;
+ if (isquote(*p))
+ ++p;
+ if (!strncmp(p, "yes", 3))
+ {
+ p+=3;
+ if (isquote(*p) || !*p)
+ have_fscaps=1;
+ }
+ else if (!strncmp(p, "no", 2))
+ {
+ p+=2;
+ if (isquote(*p) || !*p)
+ have_fscaps=0;
+ }
+ }
}
fclose(fp);
return 0;
@@ -515,18 +534,18 @@ check_fscaps_enabled()
{
FILE* fp;
char line[128];
- int have_fscaps = FSCAPS_DEFAULT_ENABLED;
+ int val = FSCAPS_DEFAULT_ENABLED;
if ((fp = fopen("/sys/kernel/fscaps", "r")) == 0)
{
goto out;
}
if (readline(fp, line, sizeof(line)))
{
- have_fscaps = atoi(line);
+ val = atoi(line);
}
fclose(fp);
out:
- return have_fscaps;
+ return val;
}
int
@@ -552,7 +571,6 @@ main(int argc, char **argv)
int fd, r;
int errors = 0;
cap_t caps = NULL;
- int have_fscaps = -1;
while (argc > 1)
{
@@ -692,9 +710,6 @@ main(int argc, char **argv)
break;
}
- if (have_fscaps == -1)
- have_fscaps = check_fscaps_enabled();
-
if (systemmode)
{
const char file[] = "/etc/sysconfig/security";
@@ -747,6 +762,11 @@ main(int argc, char **argv)
permfiles = &argv[1];
}
+ if (have_fscaps == 1 && !check_fscaps_enabled())
+ {
+ fprintf(stderr, "Warning: running kernel does not support fscaps\n");
+ }
+
if (do_set == -1)
do_set = 0;
@@ -802,7 +822,7 @@ main(int argc, char **argv)
}
if (!strncmp(p, "+capabilities ", 14))
{
- if (!have_fscaps)
+ if (have_fscaps != 1)
continue;
p += 14;
caps = cap_from_text(p);
@@ -900,10 +920,6 @@ main(int argc, char **argv)
printf("Checking permissions and ownerships - using the permissions files\n");
for (i = 0; i < npermfiles; i++)
printf("\t%s\n", permfiles[i]);
- if (!have_fscaps)
- {
- printf("kernel has fscaps support disabled.\n");
- }
if (rootl)
{
printf("Using root %s\n", root);
--
1.7.3.4
