From 657c90b7b52ae9cb228f277dba2a2113bb4ed068 Mon Sep 17 00:00:00 2001 From: David King Date: Fri, 5 Mar 2021 17:46:42 +0000 Subject: [PATCH] Apply upstream patch to fix capng usage (#1888978) --- gnome-keyring-3.36.0-capng.patch | 86 ++++++++++++++++++++++++++++++++ gnome-keyring.spec | 7 ++- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 gnome-keyring-3.36.0-capng.patch
diff --git a/gnome-keyring-3.36.0-capng.patch b/gnome-keyring-3.36.0-capng.patch
new file mode 100644
index 0000000..8b92b7f
--- /dev/null
+++ b/gnome-keyring-3.36.0-capng.patch
@@ -0,0 +1,86 @@
+diff -urp gnome-keyring-3.36.0.orig/daemon/gkd-capability.c gnome-keyring-3.36.0/daemon/gkd-capability.c
+--- gnome-keyring-3.36.0.orig/daemon/gkd-capability.c 2018-06-25 00:15:03.000000000 -0400
++++ gnome-keyring-3.36.0/daemon/gkd-capability.c 2020-10-16 11:33:02.244614471 -0400
+@@ -1,7 +1,7 @@
+ /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
+ /* gkd-capability.c - the security-critical initial phase of the daemon
+ *
+- * Copyright (C) 2011 Steve Grubb
++ * Copyright (C) 2011,2020 Steve Grubb
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+@@ -35,9 +35,10 @@
+
+ /* No logging, no gettext */
+ static void
+-early_error (const char *err_string)
++early_error (const char *err_string, int rc)
+ {
+- fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
++ fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n",
++ err_string, rc);
+ exit (1);
+ }
+
+@@ -64,6 +65,8 @@ void
+ gkd_capability_obtain_capability_and_drop_privileges (void)
+ {
+ #ifdef HAVE_LIBCAPNG
++ int rc;
++
+ capng_get_caps_process ();
+ switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
+ {
+@@ -73,32 +76,35 @@ gkd_capability_obtain_capability_and_dro
+ capng_update (CAPNG_ADD,
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_IPC_LOCK);
+- if (capng_change_id (getuid (), getgid (), 0))
+- early_error ("failed dropping capabilities");
++ if ((rc = capng_change_id (getuid (), getgid (),
++ CAPNG_DROP_SUPP_GRP|
++ CAPNG_CLEAR_BOUNDING)))
++ early_error ("failed dropping capabilities",
++ rc);
+ break;
+ case CAPNG_FAIL:
+- early_error ("error getting process capabilities");
++ early_error ("error getting process capabilities", 0);
+ break;
+ case CAPNG_NONE:
+ early_warning ("insufficient process capabilities, insecure memory might get used");
+ break;
+ case CAPNG_PARTIAL: /* File system based capabilities */
+- if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
++ if (!capng_have_capability (CAPNG_EFFECTIVE,
++ CAP_IPC_LOCK))
+ early_warning ("insufficient process capabilities, insecure memory might get used");
+- /* Drop all capabilities */
++
++ /* If we don't have CAP_SETPCAP, we can't do anything */
++ if (capng_have_capability (CAPNG_EFFECTIVE,
++ CAP_SETPCAP)) {
++ /* Drop all capabilities except ipc_lock */
+ capng_clear (CAPNG_SELECT_BOTH);
+- capng_apply (CAPNG_SELECT_BOTH);
+- break;
++ if ((rc = capng_update (CAPNG_ADD,
++ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++ CAP_IPC_LOCK)) != 0)
++ early_error ("error updating process capabilities", rc);
++ if ((rc = capng_apply (CAPNG_SELECT_BOTH)) != 0)
++ early_error ("error dropping process capabilities", rc);
+ }
+-
+- /* Drop all capabilities except ipc_lock */
+- capng_clear (CAPNG_SELECT_BOTH);
+- if (capng_update (CAPNG_ADD,
+- CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+- CAP_IPC_LOCK) != 0)
+- early_error ("error dropping process capabilities");
+- if (capng_apply (CAPNG_SELECT_BOTH) != 0)
+- early_error ("error dropping process capabilities");
+ break;
+ }
+ #endif /* HAVE_LIBCAPNG */
diff --git a/gnome-keyring.spec b/gnome-keyring.spec
index 9429cde..69d411d 100644
--- a/gnome-keyring.spec
+++ b/gnome-keyring.spec
@@ -4,12 +4,14 @@
 Name: gnome-keyring
 Version: 3.36.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Framework for managing passwords and other secrets
 License: GPLv2+ and LGPLv2+
 URL: https://wiki.gnome.org/Projects/GnomeKeyring
 Source0: https://download.gnome.org/sources/%{name}/3.36/%{name}-%{version}.tar.xz
+# https://bugzilla.redhat.com/show_bug.cgi?id=1888978
+Patch0: gnome-keyring-3.36.0-capng.patch
 BuildRequires: gcc
 BuildRequires: pkgconfig(gcr-3) >= %{gcr_version}
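Review bot: In the CAPNG_PARTIAL case of the embedded gkd-capability.c patch, a process without an effective CAP_SETPCAP now skips the drop block entirely, so it keeps every capability it was started with and nothing is logged on that path. CAP_SETPCAP governs the bounding set, not lowering the permitted and effective sets, so this path could still reduce them with `capng_clear (CAPNG_SELECT_CAPS)` and `capng_apply (CAPNG_SELECT_CAPS)`; at minimum add `else early_warning ("CAP_SETPCAP not available, capabilities were not dropped");` after the block. Removing the braces from the CAP_IPC_LOCK check also means a process that lacks that capability is warned that insecure memory might be used and then still reaches the capng_update/capng_apply pair, which presumably fails and aborts through early_error; confirm that is intended. The first case label of the switch and the end of the function are outside the hunks shown.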
@@ -105,6 +107,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/gnome-keyring/devel/*.la
 %changelog
+* Fri Mar 05 2021 David King - 3.36.0-6
+- Apply upstream patch to fix capng usage (#1888978)
+
 * Tue Jan 26 2021 Fedora Release Engineering - 3.36.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild