authorSamuli Suominen <ssuominen@gentoo.org>2012-05-29 15:21:15 +0000
committerSamuli Suominen <ssuominen@gentoo.org>2012-05-29 15:21:15 +0000
commit6b9ba71c8d5f57b116974cf3b721947dc1b32ece (patch)
tree8dec2bcba31a94988cff3030740d633f425694da /sys-apps
parentMarking nano-2.3.1-r1 ppc64 for bug 413897 (diff)
When dropping capabilities only include AUDIT caps if we have them wrt #405975. This makes audit/selinux enabled D-Bus work in a Linux container. Thanks to Jory A. Pratt and Hinnerk van Bruinehsen.
Package-Manager: portage-2.2.0_alpha108/cvs/Linux x86_64
Diffstat (limited to 'sys-apps')
-rw-r--r--sys-apps/dbus/ChangeLog11
-rw-r--r--sys-apps/dbus/Manifest26
-rw-r--r--sys-apps/dbus/dbus-1.4.20.ebuild6
-rw-r--r--sys-apps/dbus/dbus-1.5.12-r1.ebuild188
-rw-r--r--sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch39
5 files changed, 252 insertions, 18 deletions
diff --git a/sys-apps/dbus/ChangeLog b/sys-apps/dbus/ChangeLog
index 7379712b9532..ece26c1d5ccc 100644
--- a/sys-apps/dbus/ChangeLog
+++ b/sys-apps/dbus/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for sys-apps/dbus
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/ChangeLog,v 1.339 2012/05/24 04:21:00 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/ChangeLog,v 1.340 2012/05/29 15:21:15 ssuominen Exp $
+
+*dbus-1.5.12-r1 (29 May 2012)
+
+ 29 May 2012; Samuli Suominen <ssuominen@gentoo.org> dbus-1.4.20.ebuild,
+ +dbus-1.5.12-r1.ebuild,
+ +files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch:
+ When dropping capabilities only include AUDIT caps if we have them wrt
+ #405975. This makes audit/selinux enabled D-Bus work in a Linux container.
+ Thanks to Jory A. Pratt and Hinnerk van Bruinehsen.
24 May 2012; Mike Frysinger <vapier@gentoo.org> dbus-1.4.16-r2.ebuild,
dbus-1.4.16.ebuild, dbus-1.4.18.ebuild, dbus-1.4.20.ebuild,
diff --git a/sys-apps/dbus/Manifest b/sys-apps/dbus/Manifest
index 573c6878271d..4f78e44705ad 100644
--- a/sys-apps/dbus/Manifest
+++ b/sys-apps/dbus/Manifest
@@ -3,6 +3,7 @@ Hash: SHA1
AUX 80-dbus 341 RMD160 3b7f55906289d91a1f0ed87edec7902ddac076c5 SHA1 df1f96934fbe164dc4f4e2e4d4b4cdeaf8cef2b5 SHA256 76ce25ce8769cdfcb0d7b7e52e5a7e6474448fc34e8ad9393afac1eca1e07fd2
AUX dbus-1.4.0-asneeded.patch 3696 RMD160 360f21c06d268116884ed441e7b91478829f1be5 SHA1 a15445bcc5d811276c681b543d0bcd14df9db32f SHA256 f785afd7943b3220ebcf2603b1c059a2dec46bdbfba376e60d8373ba3f933562
+AUX dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch 1320 RMD160 cd92add87762ea32da3273abfc1f34ec78a41fcc SHA1 5c2915426aa48de58a05721753a94dadbd18a678 SHA256 ab3398f4fb46ec9a134581a825180422b2b8f5e8dd250bca3127c31a39d923a7
AUX dbus.init-1.0 1176 RMD160 1ad53e5859c94794b4dfcb0455bb63a0b858b83b SHA1 85a284e2f714f0b9e7f77d74be4325e2ac088e54 SHA256 2db2b6ea36854997f93ee0d0dfc470a1d1c792d355944a1272ba45b219ab61dd
AUX dbus.initd 1185 RMD160 ddb4df28657c7cbceb20c67c95d78a982106759f SHA1 21cc5f013e061311d181b2eb6975f0fff48744da SHA256 98e37b8b6ed25004e48c5855d74c9361eea06d3fee13cefcc0ed10ccf452aa01
DIST dbus-1.4.16.tar.gz 1889465 RMD160 8a63492090acd717e6a58f63026181e78ae089f0 SHA1 d6e6538cfc1ed71992f6786a6da55d815d995b5b SHA256 1d8ee6262f8cc2148f06578eee522c755ba0896206b3464ca9bdc84f411b29c6
@@ -12,24 +13,19 @@ DIST dbus-1.5.12.tar.gz 1925770 RMD160 f65bccf6a22ce2e05df4e7388c064b54256ce7fa
EBUILD dbus-1.4.16-r2.ebuild 4845 RMD160 11a3fb19b611d6de43113b516b48797a5205a3f9 SHA1 7cfcd8f4729a0ebfa4b6921fe799a133b443ac51 SHA256 3907a11e3c0f029694f6453578275048f7397ba4b94383aa8249ca58d391fe78
EBUILD dbus-1.4.16.ebuild 4866 RMD160 d63951e0c261abab562a87c6fb5f8d4a2d6c445a SHA1 b223ab0f416af8875c801a2ed7da84bbe180c5ff SHA256 36a2c944cd2350a3efbd89dbe3fbcab573379ccdc533312cc04277f828308260
EBUILD dbus-1.4.18.ebuild 4708 RMD160 71f5d4696faa659db32b79b045662c9f52cb8e29 SHA1 0391f36b665430ac6cdc7400f6ff55afbce3abc0 SHA256 0a8516a43d346d036ced7b6dad3b869553fce6cfee5ac3283cba2fe147b2b707
-EBUILD dbus-1.4.20.ebuild 4901 RMD160 ec849941ff7e0157a4406c117808b2bb89cbe0e2 SHA1 749d1a9682c8df991a52a7b9da86fb8e75d2bf22 SHA256 42ddc1e2e36f897e06f2987cbfb6283a175e30e231fcd22e76a3c1a4072ef2ec
+EBUILD dbus-1.4.20.ebuild 4998 RMD160 63d945ae94c83721113390a9d06a4e34d1b280a4 SHA1 6acbf44ae719016ef7baaa3b1d054afc056896e7 SHA256 aa500f213e51615111b2758cf41ca6ebfe698665f31c472fd8c6a7b888c5d39f
+EBUILD dbus-1.5.12-r1.ebuild 5021 RMD160 2ad390863fe6902df1c2d2ea6c852cf7e40549f2 SHA1 9f18fc3c2de35d6b0fe5ab732d85a95f00736d59 SHA256 56bfe3001e0b2ed7f80cc2dad0719765a3527bdf40c572f1cc552a8e94b1c80e
EBUILD dbus-1.5.12.ebuild 4921 RMD160 6a2e1a374f93223f1945eff8135b029d49b7e41d SHA1 ec56a2e5341ceb4d61701ad30209706a69e99820 SHA256 f3fed59126f67178441db464af3fee97ad248f623c03a6a0e8bb321a9337e897
-MISC ChangeLog 50104 RMD160 877aec07b353725279d9f442bae34bc62991c30b SHA1 bf1a63da34a77b735caebf5e7824f5263f94d7a8 SHA256 ab1027723372ddd1186322f390d7ec64fabc3203015bad6be142b1644fb89fc7
+MISC ChangeLog 50524 RMD160 2f066e2d26bdd4947d7602d8c23cb3347b7f640f SHA1 488ca92617619ac285bd8f42b9a2423892adfd8f SHA256 9d1e7b7597a7623781b2238252f3ea7ddf4b94bf7d5a1d206acec49133bc9657
MISC metadata.xml 342 RMD160 8bf3f4bd6851d805afa364a4269170d7fad0d3d9 SHA1 e08553006779cbdea6aadb15a9280bdf4cb62e2b SHA256 5db8eac45a8872150729ee08297c2a19468336c3b9412e9f8e64ca2a2f5406c3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iQIcBAEBAgAGBQJPvbeBAAoJELEHsLL7fEFW+nMQAJQPZoUoOb7JcMuZNKZcxiZg
-gguYz1rIUFdlvhUml7jaK583X4Cy0b2p5ixoSOLCy/s/hH5qd9lFpz0cvT7Ac4pD
-Rww5N7Gnbs4Jk5G6vfDiAXJRYk49lg76xBFhId1+vV4s80eRS5ztMGRCuxGRDbAS
-OYLxxUqIOtLRTZWHO11DLDV3Wf8HEBatgB4u62sPJuVbcPvYStVqIT0BxT+Niw9R
-bgrqeHs7173MIotPy7qU8WUbzCWEU2ODE2leV66lvSq5bJEjRO8IJ6hvjrcB0cJo
-lcjc1PV7H0W3cjLy+pZEW8sFyQy4Zp3bB8695QAS9ntBqRl+Rh5fTU9G/S5uZ4SO
-uWVMPVtpBIqtrkQHFATQh8PVmIWGaw224tCgoV1NW8RJ4iBcry2npV8wUuqK/gL5
-5O0X+ZGqAXao+i5KjJsazcsBnU9dNm18Y7RciOb5AUMQGDzaccmS6+p3Kpahdz+N
-Dgy79B2wq5uIvudEsHRDRNMMCE3VKA0sDGItyYDoLsdE0R9PyEMgV2JvQlIc2bNl
-1RGsYFVTNz1rQIjmc+mRZv5ahXTQfH3n9EwoyUoUHSNlmPinnh0NPXhVuW19XDwp
-oGXLBUDUQKmOcvMJ8KF3k3QEtkr8xv0CEkd6j8ES4L2u1Id60RLBxsyU+Pk4hCLb
-daOoZzVZkXXbKCyM2XFM
-=pePQ
+iQEcBAEBAgAGBQJPxOiZAAoJEEdUh39IaPFNZ40H/iGEQtH7alda0iFXGs38DDR3
+uDMRgUxYDespP9EpF+RG8HfRKumtu9ExTujYRtSq9C3fDCRwk7bHJE2aSzhsGrnU
+AFxQU+wTTHYtFOLhx95ote8W0mKHwAY7QIQDkmj8Q7LvfoSSHczIXHEICtTnCpqS
+Pr0w9xl+n+jhCr22UVnB5QyLKDHzTB37mYRfmNnLKwWSGgy2T+1ExUoAqWuPrtcz
+Tl5JspDvd+TF4Amih8aNPewTCmS7Qm/BXD0WMssfR42aHAsJEeO9IgYb4H5ziPJP
+/8WytZT2JWOt1HDTuVQJhdjZQ1VeSC6HCPKd1ljhDikVQdpTHfwtRav2aMWjZoA=
+=iNZC
-----END PGP SIGNATURE-----
diff --git a/sys-apps/dbus/dbus-1.4.20.ebuild b/sys-apps/dbus/dbus-1.4.20.ebuild
index 63c44d9fa00c..9d90cae66215 100644
--- a/sys-apps/dbus/dbus-1.4.20.ebuild
+++ b/sys-apps/dbus/dbus-1.4.20.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/dbus-1.4.20.ebuild,v 1.10 2012/05/24 04:21:00 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/dbus-1.4.20.ebuild,v 1.11 2012/05/29 15:21:15 ssuominen Exp $
EAPI=4
inherit autotools eutils multilib flag-o-matic python systemd virtualx user
@@ -58,7 +58,9 @@ src_prepare() {
-e '/"dispatch"/d' \
bus/test-main.c || die
- epatch "${FILESDIR}"/${PN}-1.4.0-asneeded.patch
+ epatch \
+ "${FILESDIR}"/${PN}-1.4.0-asneeded.patch \
+ "${FILESDIR}"/${PN}-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
# required for asneeded patch but also for bug 263909, cross-compile so
# don't remove eautoreconf
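Review bot: Adding the capability patch to the `epatch` call in dbus-1.4.20.ebuild changes what the built daemon does, yet the ebuild keeps its revision, so machines that already have 1.4.20 installed will not rebuild and keep the old capability handling; the ChangeLog entry shows only 1.5.12 received an `-r1`. If the fix is meant to reach existing 1.4.20 installs, it should ship as a new revision of that ebuild rather than as an in-place edit. The patch was also generated against 1.5.12's `bus/selinux.c` (its hunk sits at line 1053), so it presumably applies to 1.4.20 only with an offset; a comment above the `epatch` call such as `# patch taken from 1.5.12, applies with offset here (bug 405975)` would record that. src_prepare() starts and ends outside this hunk.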
diff --git a/sys-apps/dbus/dbus-1.5.12-r1.ebuild b/sys-apps/dbus/dbus-1.5.12-r1.ebuild
new file mode 100644
index 000000000000..a564e26066d3
--- /dev/null
+++ b/sys-apps/dbus/dbus-1.5.12-r1.ebuild
@@ -0,0 +1,188 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/dbus-1.5.12-r1.ebuild,v 1.1 2012/05/29 15:21:15 ssuominen Exp $
+
+EAPI=4
+inherit autotools eutils linux-info flag-o-matic python systemd virtualx user
+
+DESCRIPTION="A message bus system, a simple way for applications to talk to each other"
+HOMEPAGE="http://dbus.freedesktop.org/"
+SRC_URI="http://dbus.freedesktop.org/releases/dbus/${P}.tar.gz"
+
+LICENSE="|| ( AFL-2.1 GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="debug doc selinux static-libs systemd test X"
+
+RDEPEND=">=dev-libs/expat-2
+ selinux? (
+ sec-policy/selinux-dbus
+ sys-libs/libselinux
+ )
+ systemd? ( >=sys-apps/systemd-32 )
+ X? (
+ x11-libs/libX11
+ x11-libs/libXt
+ )"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig
+ doc? (
+ app-doc/doxygen
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/xmlto
+ )
+ test? (
+ >=dev-libs/glib-2.24
+ dev-lang/python:2.7
+ )"
+
+# out of sources build directory
+BD=${WORKDIR}/${P}-build
+# out of sources build dir for make check
+TBD=${WORKDIR}/${P}-tests-build
+
+pkg_setup() {
+ enewgroup messagebus
+ enewuser messagebus -1 -1 -1 messagebus
+
+ if use test; then
+ python_set_active_version 2
+ python_pkg_setup
+ fi
+
+ if use kernel_linux; then
+ CONFIG_CHECK="~EPOLL"
+ linux-info_pkg_setup
+ fi
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-selinux-when-dropping-capabilities-only-include-AUDI.patch
+
+ # Tests were restricted because of this
+ sed -i \
+ -e 's/.*bus_dispatch_test.*/printf ("Disabled due to excess noise\\n");/' \
+ -e '/"dispatch"/d' \
+ bus/test-main.c || die
+
+ # required for asneeded patch but also for bug 263909, cross-compile so
+ # don't remove eautoreconf
+ eautoreconf
+}
+
+src_configure() {
+ local myconf
+
+ # so we can get backtraces from apps
+ append-flags -rdynamic
+
+ # libaudit is *only* used in DBus wrt SELinux support, so disable it, if
+ # not on an SELinux profile.
+ myconf=(
+ --localstatedir=/var
+ --docdir=/usr/share/doc/${PF}
+ --htmldir=/usr/share/doc/${PF}/html
+ $(use_enable static-libs static)
+ $(use_enable debug verbose-mode)
+ --disable-asserts
+ --disable-checks
+ $(use_enable selinux)
+ $(use_enable selinux libaudit)
+ $(use_enable kernel_linux inotify)
+ $(use_enable kernel_FreeBSD kqueue)
+ $(use_enable systemd)
+ --disable-embedded-tests
+ --disable-modular-tests
+ $(use_enable debug stats)
+ --with-xml=expat
+ --with-session-socket-dir=/tmp
+ --with-system-pid-file=/var/run/dbus.pid
+ --with-system-socket=/var/run/dbus/system_bus_socket
+ --with-dbus-user=messagebus
+ $(use_with X x)
+ "$(systemd_with_unitdir)"
+ )
+
+ mkdir "${BD}"
+ cd "${BD}"
+ einfo "Running configure in ${BD}"
+ ECONF_SOURCE="${S}" econf "${myconf[@]}" \
+ $(use_enable doc xml-docs) \
+ $(use_enable doc doxygen-docs)
+
+ if use test; then
+ mkdir "${TBD}"
+ cd "${TBD}"
+ einfo "Running configure in ${TBD}"
+ ECONF_SOURCE="${S}" econf "${myconf[@]}" \
+ $(use_enable test asserts) \
+ $(use_enable test checks) \
+ $(use_enable test embedded-tests) \
+ $(has_version dev-libs/dbus-glib && echo --enable-modular-tests)
+ fi
+}
+
+src_compile() {
+ # after the compile, it uses a selinuxfs interface to
+ # check if the SELinux policy has the right support
+ use selinux && addwrite /selinux/access
+
+ cd "${BD}"
+ einfo "Running make in ${BD}"
+ emake
+
+ if use test; then
+ cd "${TBD}"
+ einfo "Running make in ${TBD}"
+ emake
+ fi
+}
+
+src_test() {
+ cd "${TBD}"
+ DBUS_VERBOSE=1 Xemake -j1 check
+}
+
+src_install() {
+ newinitd "${FILESDIR}"/dbus.initd dbus
+
+ if use X; then
+ # dbus X session script (#77504)
+ # turns out to only work for GDM (and startx). has been merged into
+ # other desktop (kdm and such scripts)
+ exeinto /etc/X11/xinit/xinitrc.d
+ doexe "${FILESDIR}"/80-dbus
+ fi
+
+ # needs to exist for dbus sessions to launch
+ keepdir /usr/share/dbus-1/services
+ keepdir /etc/dbus-1/{session,system}.d
+ # machine-id symlink from pkg_postinst()
+ keepdir /var/lib/dbus
+
+ dodoc AUTHORS ChangeLog HACKING NEWS README doc/TODO
+
+ cd "${BD}"
+ emake DESTDIR="${D}" install
+
+ find "${ED}" -type f -name '*.la' -exec rm -f {} +
+}
+
+pkg_postinst() {
+ elog "To start the D-Bus system-wide messagebus by default"
+ elog "you should add it to the default runlevel :"
+ elog "\`rc-update add dbus default\`"
+ elog
+ elog "Some applications require a session bus in addition to the system"
+ elog "bus. Please see \`man dbus-launch\` for more information."
+ elog
+ ewarn "You must restart D-Bus \`/etc/init.d/dbus restart\` to run"
+ ewarn "the new version of the daemon."
+ ewarn "Don't do this while X is running because it will restart your X as well."
+
+ # Ensure unique id is generated and put it in /etc wrt #370451 but symlink
+ # for DBUS_MACHINE_UUID_FILE (see tools/dbus-launch.c) and reverse
+ # dependencies with hardcoded paths (although the known ones got fixed already)
+ dbus-uuidgen --ensure="${EROOT}"/etc/machine-id
+ ln -sf "${EROOT}"/etc/machine-id "${EROOT}"/var/lib/dbus/machine-id
+}
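Review bot: In pkg_postinst() the symlink target carries the install-root prefix, `ln -sf "${EROOT}"/etc/machine-id ...`, so when the package is merged into a ROOT other than `/` the link stored at var/lib/dbus/machine-id points at a build-host path and dangles once the target system is booted. Writing the target relative to the final system keeps it valid in both cases: `ln -sf "${EPREFIX}"/etc/machine-id "${EROOT}"/var/lib/dbus/machine-id`. Separately, the `mkdir` and `cd` calls in src_configure(), src_compile() and src_test() are unchecked; `cd "${BD}" || die` would stop econf or emake from running in the wrong directory if the build directory could not be created.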
diff --git a/sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch b/sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
new file mode 100644
index 000000000000..45d610c5ef1d
--- /dev/null
+++ b/sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
@@ -0,0 +1,39 @@
+http://bugs.gentoo.org/405975
+
+From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 23 Apr 2012 00:32:43 +0200
+Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps
+ if we have them
+
+When we drop capabilities we shouldn't assume we can keep
+CAP_AUDIT_WRITE unconditionally, since it will not be available when
+running in containers.
+
+This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
+actually have it in the first place.
+
+This makes audit/selinux enabled D-Bus work in a Linux container.
+---
+ bus/selinux.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bus/selinux.c b/bus/selinux.c
+index 36287e9..1bfc791 100644
+--- a/bus/selinux.c
++++ b/bus/selinux.c
+@@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user,
+ int rc;
+
+ capng_clear (CAPNG_SELECT_BOTH);
+- capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+- CAP_AUDIT_WRITE);
++ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
++ capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
++ CAP_AUDIT_WRITE);
+ rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
+ if (rc)
+ {
+--
+1.7.10
+
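Review bot: The added `capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE)` test runs after `capng_clear (CAPNG_SELECT_BOTH)`, and as far as I know libcap-ng answers that query from its in-memory state, which the clear has just emptied, rather than from the kernel. If so, the condition is always false and CAP_AUDIT_WRITE is never retained: the daemon starts in a container, but on hosts that do grant the capability it silently loses the ability to write audit records. Sampling the capability first avoids this: put `int have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE);` above the `capng_clear` line and test `if (have_audit_write)` instead. The return value of `capng_update` is also ignored, with only `capng_change_id` checked through `rc`. `_dbus_change_to_daemon_user` begins and ends outside the hunk.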