From 3c5cc435c97a9cf9631062f3168877c3443a5b0c Mon Sep 17 00:00:00 2001
From: Steve Grubb
Date: Sat, 30 Jan 2021 10:08:45 -0500
Subject: [PATCH] Add syslog warning for bad use of capng_apply
---
 libcap-ng-0.8.2-apply-disable.patch | 48 ++++++++++++++++++++++++++---
 libcap-ng.spec | 5 ++-
 2 files changed, 48 insertions(+), 5 deletions(-)
diff --git a/libcap-ng-0.8.2-apply-disable.patch b/libcap-ng-0.8.2-apply-disable.patch
index 23c7eca..f28f20d 100644
--- a/libcap-ng-0.8.2-apply-disable.patch
+++ b/libcap-ng-0.8.2-apply-disable.patch
@@ -1,12 +1,50 @@ -diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c ---- libcap-ng-0.8.2.orig/src/cap-ng.c 2020-11-20 15:04:09.000000000 -0500 -+++ libcap-ng-0.8.2/src/cap-ng.c 2020-11-20 16:04:55.425496426 -0500 -@@ -698,19 +698,19 @@ int capng_apply(capng_select_t set) +diff -urp libcap-ng-0.8.3.orig/src/cap-ng.c libcap-ng-0.8.3/src/cap-ng.c +--- libcap-ng-0.8.3.orig/src/cap-ng.c 2021-01-30 09:26:33.000000000 -0500 ++++ libcap-ng-0.8.3/src/cap-ng.c 2021-01-30 09:52:43.507967643 -0500 +@@ -713,6 +713,36 @@ int capng_updatev(capng_act_t action, ca + return rc; + } + ++#include ++static char *get_exename(char *exename, int size) ++{ ++ char tmp[PATH_MAX+1]; ++ int res; ++ ++ /* get the name of the current executable */ ++ if ((res = readlink("/proc/self/exe", tmp, PATH_MAX)) < -1) ++ strcpy(exename, "\"?\""); ++ else { ++ tmp[res] = '\0'; ++ snprintf(exename, size, "\"%s\"", tmp); ++ } ++ return exename; ++} ++ ++#include ++static void log_problem(unsigned int msg) ++{ ++ static const char *text[3] = { ++ "dropping bounding set", ++ "getting new bounding set", ++ "due to not having CAP_SETPCAP" ++ }; ++ unsigned idx = msg - 2; ++ char exe[2048]; ++ syslog(LOG_ERR, "libcap-ng used by %s failed %s in capng_apply", ++ get_exename(exe, 2047), text[idx]); ++} ++ + int capng_apply(capng_select_t set) + { + int rc = 0; +@@ -733,19 +763,22 @@ int capng_apply(capng_select_t set) if (capng_have_capability(CAPNG_BOUNDING_SET, i) == 0) { if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) { - rc = -2; +// rc = -2; ++ log_problem(2); goto try_caps; } } @@ -15,12 +53,14 @@ diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c if (get_bounding_set() < 0) { - rc = -3; +// rc = -3; ++ log_problem(3); goto try_caps; } } else { memcpy(&m, &state, sizeof(m)); /* restore state */ - rc = -4; +// rc = -4; ++ log_problem(4); goto try_caps; } #endif diff --git a/libcap-ng.spec b/libcap-ng.spec index 21b10c5..7a91e5f 100644 --- a/libcap-ng.spec 
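Review bot: In the added get_exename(), the error test `readlink(...) < -1` can never be true, because readlink() returns -1 on failure (for example when /proc is not mounted in a chroot or container). A failed call therefore reaches the else branch, where `tmp[res] = '\0'` writes to `tmp[-1]` and snprintf() then copies an uninitialised buffer into the syslog message. The test should read `if ((res = readlink("/proc/self/exe", tmp, PATH_MAX)) < 0)`, with `res` declared as `ssize_t`, and the fallback is better bounded as `snprintf(exename, size, "\"?\"");` than the unbounded strcpy(). log_problem() also indexes `text[msg - 2]` with no range check; the visible callers pass only 2, 3 and 4, so a guard such as `if (idx >= 3) return;` would keep a later caller from reading past the table.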
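Review bot: With `rc = -3` and `rc = -4` commented out in this hunk (and `rc = -2` in the previous one), these failure branches jump to try_caps without recording an error, so a caller that checks capng_apply()'s return value may not learn that the bounding set was left unchanged; the new log_problem() call is the only trace. syslog() needs a reachable log socket, so a chrooted or sandboxed process could lose even that warning, which is worth stating where the behaviour is documented. The dead `// rc = -N;` lines would read better as a comment giving the intent, for example `/* deliberately not returned as an error; reported via log_problem() instead */`, assuming the suppression is intentional as the patch name suggests. capng_apply() starts and ends outside this hunk, so how rc is set after try_caps is not visible here.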
+++ b/libcap-ng.spec
@@ -1,7 +1,7 @@
 Summary: Alternate posix capabilities library
 Name: libcap-ng
 Version: 0.8.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 URL: https://people.redhat.com/sgrubb/libcap-ng/
 Source0: https://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz
@@ -95,6 +95,9 @@ make check
 %attr(0644,root,root) %{_mandir}/man8/*
 %changelog
+* Sat Jan 30 2021 Steve Grubb 0.8.2-3
+- Add syslog warning for bad use of capng_apply
+
 * Tue Jan 26 2021 Fedora Release Engineering - 0.8.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild