doc: mention `setpriv --no-new-privs` feature in runcon info

* doc/coreutils.texi (runcon invocation): Mention setpriv usage. Discussed at https://bugzilla.redhat.com/1360903
2017-05-30 09:39:28 +02:00 · 2017-05-30 09:39:28 +02:00 · 8d02212742
parent 6f16afd4a6
commit 8d02212742
2 changed files with 40 additions and 1 deletions
--- a/coreutils-8.27-runcon-doc.patch
+++ b/coreutils-8.27-runcon-doc.patch
@ -0,0 +1,33 @@
+From 76be8a7f9eb717b3d47009eb25d39fe7139a2c2d Mon Sep 17 00:00:00 2001
+From: Sebastian Kisela <skisela@redhat.com>
+Date: Tue, 30 May 2017 09:29:32 +0200
+Subject: [PATCH] doc: mention `setpriv --no-new-privs` feature in runcon info
+
+upstream commit: 6ebaf8195000d6d3590a2eac13f13b158e325452
+---
+ doc/coreutils.texi | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index 68df075..e16e885 100644
+--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
+@@ -16583,7 +16583,14 @@ are interpreted as arguments to the command.
+ With neither @var{context} nor @var{command}, print the current
+ security context.
+ 
+-The program accepts the following options.  Also see @ref{Common options}.
+@cindex restricted security context
+@cindex NO_NEW_PRIVS
+Note also the @command{setpriv} command which can be used to set the
+NO_NEW_PRIVS bit using @command{setpriv --no-new-privs runcon ...},
+thus disallowing usage of a security context with more privileges
+than the process would normally have.
+
+@command{runcon} accepts the following options.  Also see @ref{Common options}.
+ 
+ @table @samp
+ 
+-- 
+2.9.4
+
--- a/coreutils.spec
+++ b/coreutils.spec
@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name:    coreutils
 Version: 8.27
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv3+
 Group:   System Environment/Base
 Url:     https://www.gnu.org/software/coreutils/
@ -22,6 +22,9 @@ Patch2:   coreutils-8.27-CVE-2017-7476.patch
 # tail: revert to polling if a followed directory is replaced (#1283760)
 Patch3:   coreutils-8.27-tail-inotify-recreate.patch

+# doc: mention `setpriv --no-new-privs` feature in runcon info
+Patch4:   coreutils-8.27-runcon-doc.patch
+
 # disable the test-lock gnulib test prone to deadlock
 Patch100: coreutils-8.26-test-lock.patch

@ -288,6 +291,9 @@ fi
 %license COPYING

 %changelog
+* Tue May 30 2017 Sebastian Kisela <skisela@redhat.com> - 8.27-10
+- doc: mention `setpriv --no-new-privs` feature in runcon info
+
 * Tue May 16 2017 Kamil Dudka <kdudka@redhat.com> - 8.27-9
 - add coreutils-full provides for coreutils to make it explicitly installable