From cba54626cb2fe3aaa7ebc964a97ff08c7209d400 Mon Sep 17 00:00:00 2001
From: Tomas Bzatek <tbzatek@redhat.com>
Date: Mon, 9 May 2011 18:36:35 +0200
Subject: [PATCH] Update to 3.1.1

---
 .gitignore                              |   1 +
 file-caps.patch                         | 186 ------------------------
 gnome-keyring-2.91.93-pam-selinux.patch | 101 -------------
 gnome-keyring.spec                      |  15 +-
 sources                                 |   2 +-
 5 files changed, 6 insertions(+), 299 deletions(-)
 delete mode 100644 file-caps.patch
 delete mode 100644 gnome-keyring-2.91.93-pam-selinux.patch

diff --git a/.gitignore b/.gitignore
index 959a155..654ee11 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ gnome-keyring-2.31.4.tar.bz2
 /gnome-keyring-2.91.93.tar.bz2
 /gnome-keyring-3.0.0.tar.bz2
 /gnome-keyring-3.0.1.tar.bz2
+/gnome-keyring-3.1.1.tar.bz2
diff --git a/file-caps.patch b/file-caps.patch
deleted file mode 100644
index de99c34..0000000
--- a/file-caps.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-diff -urp gnome-keyring-2.91.4.orig/configure.in gnome-keyring-2.91.4/configure.in
---- gnome-keyring-2.91.4.orig/configure.in	2011-01-13 08:24:04.000000000 -0500
-+++ gnome-keyring-2.91.4/configure.in	2011-01-13 09:29:54.000000000 -0500
-@@ -447,19 +447,19 @@ if test "$ASN1PARSER" = "no" ; then
- fi
- 
- # -------------------------------------------------------------------
--# libcap2
-+# libcap-ng
- #
- 
--AC_CHECK_LIB([cap], [cap_get_proc], have_libcap="yes", have_libcap="no")
-+AC_CHECK_LIB([cap-ng], [capng_clear], have_libcapng="yes", have_libcapng="no")
- 
--if test $have_libcap = yes; then
--   AC_DEFINE(HAVE_LIBCAP, 1, [Have libcap2 package, libcap library])
--   DAEMON_LIBS="$DAEMON_LIBS -lcap"
-+if test $have_libcapng = yes; then
-+   AC_DEFINE(HAVE_LIBCAPNG, 1, [Have libcap-ng package, libcap-ng library])
-+   DAEMON_LIBS="$DAEMON_LIBS -lcap-ng"
- else
--   AC_MSG_WARN([libcap2 (or development headers) is not installed])
-+   AC_MSG_WARN([libcap-ng (or development headers) is not installed])
- fi
- 
--libcap_status=$have_libcap
-+libcapng_status=$have_libcapng
- 
- # --------------------------------------------------------------------
- # Debug mode
-@@ -748,7 +748,7 @@ ui/tests/Makefile
- echo
- echo "OPTIONAL DEPENDENCIES"
- echo "  PAM:                  $pam_status"
--echo "  Linux capabilities:   $libcap_status"
-+echo "  Linux capabilities:   $libcapng_status"
- echo
- echo "CONFIGURATION"
- echo "  SSH Agent:            $ssh_status"
-diff -urp gnome-keyring-2.91.4.orig/daemon/gkd-capability.c gnome-keyring-2.91.4/daemon/gkd-capability.c
---- gnome-keyring-2.91.4.orig/daemon/gkd-capability.c	2011-01-13 08:24:04.000000000 -0500
-+++ gnome-keyring-2.91.4/daemon/gkd-capability.c	2011-01-13 09:30:12.000000000 -0500
-@@ -1,7 +1,7 @@
- /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */
- /* gkd-capability.c - the security-critical initial phase of the daemon
-  *
-- * Copyright (C) 2010 Yaron Sheffer
-+ * Copyright (C) 2011 Steve Grubb
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU Lesser General Public License as
-@@ -18,102 +18,62 @@
-  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-  * 02111-1307, USA.
-  *
-- * Author: Yaron Sheffer <yaronf@gmx.com>
-- * Author: Stef Walter <stef@thewalter.net>
-+ * Author: Steve Grubb <sgrubb@redhat.com>
-  */
- 
- #include "config.h"
- 
- #include "gkd-capability.h"
- 
--#ifdef HAVE_LIBCAP
--#include <sys/capability.h>
-+#ifdef HAVE_LIBCAPNG
-+#include <cap-ng.h>
- #endif
- 
- #include <stdio.h>
--#include <unistd.h>
--#include <sys/types.h>
- #include <stdlib.h>
- 
--/* Security note: this portion of the code is extremely sensitive.
-- * DO NOT add any other include files.
-- */
--
- /*
-  * No logging, no gettext
-  */
- static void
- early_error (const char *err_string)
- {
--	fprintf (stderr, "gnome-keyring-daemon: %s\n", err_string);
--}
--
--static void
--drop_privileges (void)
--{
--	uid_t orig_uid;
--	gid_t orig_gid;
--
--	orig_uid = getuid ();
--	orig_gid = getgid ();
--
--	/* This is permanent, you cannot go back to root */
--	setgid (orig_gid);
--	setuid (orig_uid);
--
--	/*
--	 * Check that the switch was ok
--	 * We do not allow programs to run without the drop being
--	 * successful as this would possibly run the program
--	 * using root-privs, when that is not what we want
--	 */
--	if ((getegid () != orig_gid) || (geteuid () != orig_uid)) {
--		early_error ("failed to drop privileges, aborting");
--		exit (1);
--	}
-+	fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string);
-+	exit (1);
- }
- 
- /*
-- * Try to obtain the CAP_IPC_LOCK Linux capability.
-- * Then, whether or not this is successful, drop root
-- * privileges to run as the invoking user. The application is aborted
-- * if for any reason we are unable to drop privileges. Note: even gettext
-- * is unavailable!
-+ * This program needs the CAP_IPC_LOCK posix capability.
-+ * We want to allow either setuid root or file system based capabilies
-+ * to work. If file system based capabilities, this is a no-op unless
-+ * the root user is running the program. In that case we just drop
-+ * capabilities down to IPC_LOCK. If we are setuid root, then change to the
-+ * invoking user retaining just the IPC_LOCK capability. The application
-+ * is aborted if for any reason we are unable to drop privileges.
-+ * Note: even gettext is unavailable!
-  */
- void
- gkd_capability_obtain_capability_and_drop_privileges (void)
- {
--#ifdef HAVE_LIBCAP
--	cap_t caps;
--	cap_value_t cap_list[1];
--
--	caps = cap_get_proc ();
--	if (caps == NULL) {
--		early_error ("capability state cannot be allocated");
--		goto drop;
--	}
--
--	cap_list[0] = CAP_IPC_LOCK;
--	if (cap_set_flag (caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1) {
--		early_error ("error when manipulating capability sets");
--		goto drop;
--	}
--
--	if (cap_set_proc (caps) == -1) {
--		/* Only warn when it's root that's running */
--		if (getuid () == 0)
--			early_error ("cannot apply capabilities to process");
--		goto drop;
--	}
--
--	if (cap_free (caps) == -1) {
--		early_error ("failed to free capability structure");
--		goto drop;
-+#ifdef HAVE_LIBCAPNG
-+	capng_get_caps_process ();
-+	switch (capng_have_capabilities (CAPNG_SELECT_CAPS))
-+	{
-+		case CAPNG_FULL:
-+			/* We are either setuid root or the root user */
-+			capng_clear (CAPNG_SELECT_CAPS);
-+			capng_update (CAPNG_ADD,
-+					CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-+					CAP_IPC_LOCK);
-+			if (capng_change_id (getuid (), getgid (), 0)) 
-+				early_error ("failed dropping capabilities");
-+			break;
-+		case CAPNG_FAIL:
-+		case CAPNG_NONE:
-+			early_error ("error getting process capabilities");
-+			break;
-+		case CAPNG_PARTIAL: /* File system based capabilities */
-+                        break;
- 	}
--drop:
--
- #endif
--	/* Now finally drop the suid by becoming the invoking user */
--	if (geteuid () != getuid() || getegid () != getgid ())
--		drop_privileges ();
- }
diff --git a/gnome-keyring-2.91.93-pam-selinux.patch b/gnome-keyring-2.91.93-pam-selinux.patch
deleted file mode 100644
index ae05fa5..0000000
--- a/gnome-keyring-2.91.93-pam-selinux.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-diff --git a/configure.in b/configure.in
-index a5a434d..1d3801e 100644
---- a/configure.in
-+++ b/configure.in
-@@ -572,6 +572,24 @@ AC_SUBST(GCOV)
- AC_SUBST(GENHTML)
- 
- # ----------------------------------------------------------------------
-+# selinux
-+
-+LIBSELINUX=""
-+selinux_status="no"
-+AC_ARG_ENABLE([selinux],
-+        AC_HELP_STRING([--disable-selinux],[do not use SELinux]))
-+if test "x$enable_selinux" != "xno"; then
-+    AC_CHECK_LIB([selinux],[getfilecon],
-+        [AC_CHECK_LIB([selinux],[setexeccon],
-+            [AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
-+             LIBSELINUX="-lselinux"
-+             selinux_status="yes"])
-+        ])
-+fi
-+AC_SUBST(LIBSELINUX)
-+AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
-+
-+# ----------------------------------------------------------------------
- # Valgrind
- 
- AC_ARG_ENABLE(valgrind,
-@@ -742,6 +760,7 @@ echo
- echo "OPTIONAL DEPENDENCIES"
- echo "  PAM:                  $pam_status"
- echo "  Linux capabilities:   $libcapng_status"
-+echo "  SELinux:              $selinux_status"
- echo
- echo "CONFIGURATION"
- echo "  SSH Agent:            $ssh_status"
-diff --git a/pam/Makefile.am b/pam/Makefile.am
-index 81bda13..2e6362d 100644
---- a/pam/Makefile.am
-+++ b/pam/Makefile.am
-@@ -16,6 +16,7 @@ pam_gnome_keyring_la_LIBADD = \
- 	$(top_builddir)/egg/libegg-buffer.la \
- 	$(top_builddir)/egg/libegg-creds.la \
- 	$(top_builddir)/egg/libegg-secure.la \
-+	$(LIBSELINUX) \
- 	-lpam
- 	
- pam_gnome_keyring_la_LDFLAGS = \
-diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
-index e63c917..8ad814c 100644
---- a/pam/gkr-pam-module.c
-+++ b/pam/gkr-pam-module.c
-@@ -317,6 +317,36 @@ cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
- 	free_password (data);
- }
- 
-+#ifdef WITH_SELINUX
-+#include  <selinux/flask.h>
-+#include  <selinux/selinux.h>
-+/* Attempt to set SELinux Context. We are ignoring failure and just going
-+   with default behaviour default behaviour
-+*/
-+static void setup_selinux_context(const char *command) {
-+	security_context_t fcon = NULL, newcon = NULL, execcon = NULL;
-+
-+	if (is_selinux_enabled() != 1) return;
-+
-+	int ret = getexeccon(&execcon);
-+	if ((ret < 0) || (! execcon)) goto err;
-+
-+	ret = getfilecon(command, &fcon);
-+	if (ret < 0) goto err;
-+
-+	ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
-+	if (ret < 0) goto err;
-+
-+	setexeccon(newcon);
-+
-+err:
-+	freecon(newcon);
-+	freecon(fcon);
-+	freecon(execcon);
-+	return;
-+}
-+#endif
-+
- static void
- setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct passwd *pwd)
- {
-@@ -329,6 +359,10 @@ setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct pass
- 	char *args[] = { GNOME_KEYRING_DAEMON, "--daemonize", "--login", NULL};
- #endif
- 	
-+#ifdef WITH_SELINUX
-+	setup_selinux_context(GNOME_KEYRING_DAEMON);
-+#endif
-+
- 	assert (pwd);
- 	assert (pwd->pw_dir);
- 
diff --git a/gnome-keyring.spec b/gnome-keyring.spec
index 87c9b4e..f8891ab 100644
--- a/gnome-keyring.spec
+++ b/gnome-keyring.spec
@@ -7,7 +7,7 @@
 
 Summary: Framework for managing passwords and other secrets
 Name: gnome-keyring
-Version: 3.0.1
+Version: 3.1.1
 Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Libraries
@@ -15,14 +15,6 @@ Group: System Environment/Libraries
 Source: http://download.gnome.org/sources/gnome-keyring/3.0/gnome-keyring-%{version}.tar.bz2
 URL: http://www.gnome.org
 
-# why is gnome-keyring-daemon setuid root?
-# https://bugzilla.redhat.com/show_bug.cgi?id=668831
-Patch4: file-caps.patch
-
-# gnome keyring pam module is starting gnome-keyring with the wrong SELinux context.
-# https://bugzilla.redhat.com/show_bug.cgi?id=684225
-Patch5: gnome-keyring-2.91.93-pam-selinux.patch
-
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gtk3-devel >= %{gtk3_version}
 BuildRequires: dbus-devel >= %{dbus_version}
@@ -73,8 +65,6 @@ automatically unlock the "login" keyring when the user logs in.
 
 %prep
 %setup -q -n gnome-keyring-%{version}
-%patch4 -p1 -b .file-caps
-%patch5 -p1 -b .pam-selinux
 
 %build
 autoreconf -i -f
@@ -148,6 +138,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas
 
 
 %changelog
+* Mon May  9 2011 Tomas Bzatek <tbzatek@redhat.com> - 3.1.1-1
+- Update to 3.1.1
+
 * Mon Apr 25 2011 Matthias Clasen <mclasen@redhat.com> - 3.0.1-1
 - Update to 3.0.1
 
diff --git a/sources b/sources
index a3d8daf..56b6860 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9d65defd527919107c72e298f6660473  gnome-keyring-3.0.1.tar.bz2
+38e163106401d1685079a4ef54798944  gnome-keyring-3.1.1.tar.bz2