From 79859968bbda4a5db88b246922a66f0c3b83695f Mon Sep 17 00:00:00 2001
From: Jiří Popelka
Date: Feb 02 2010 12:30:33 +0000
Subject: - Fix capability patch (#546765)
---
diff --git a/dhcp-4.1.1-capability.patch b/dhcp-4.1.1-capability.patch
index 6c638ae..92cef42 100644
--- a/dhcp-4.1.1-capability.patch
+++ b/dhcp-4.1.1-capability.patch
@@ -1,6 +1,6 @@
 diff -up dhcp-4.1.1/client/dhclient.c.capability dhcp-4.1.1/client/dhclient.c
---- dhcp-4.1.1/client/dhclient.c.capability 2010-01-20 17:39:07.000000000 +0100
-+++ dhcp-4.1.1/client/dhclient.c 2010-01-20 17:39:07.000000000 +0100
+--- dhcp-4.1.1/client/dhclient.c.capability 2010-02-02 11:58:29.000000000 +0100
++++ dhcp-4.1.1/client/dhclient.c 2010-02-02 12:04:39.000000000 +0100
 @@ -37,6 +37,9 @@
 #include
 #include
@@ -11,17 +11,42 @@ diff -up dhcp-4.1.1/client/dhclient.c.capability dhcp-4.1.1/client/dhclient.c
 /*
 * Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define
-@@ -424,6 +427,15 @@ main(int argc, char **argv) {
+@@ -89,6 +92,9 @@ int wanted_ia_ta = 0;
+ int wanted_ia_pd = 0;
+ char *mockup_relay = NULL;
+ int bootp_broadcast_always = 0;
++#ifdef HAVE_LIBCAP_NG
++static int keep_capabilities = 0;
++#endif
+
+ extern u_int32_t default_requested_options[];
+
+@@ -376,6 +382,10 @@ main(int argc, char **argv) {
+ }
+
+ dhclient_request_options = argv[i];
++#ifdef HAVE_LIBCAP_NG
++ } else if (!strcmp(argv[i], "-nc")) {
++ keep_capabilities = 1;
++#endif
+ } else if (argv[i][0] == '-') {
+ usage();
+ } else if (interfaces_requested < 0) {
+@@ -424,6 +434,19 @@ main(int argc, char **argv) {
 path_dhclient_script = s;
 }
 +#ifdef HAVE_LIBCAP_NG
 + /* Drop capabilities */
-+ capng_clear(CAPNG_SELECT_BOTH);
-+ capng_updatev(CAPNG_ADD,
-+ CAPNG_EFFECTIVE|CAPNG_PERMITTED|CAPNG_BOUNDING_SET,
-+ CAP_NET_ADMIN, CAP_NET_RAW, CAP_NET_BIND_SERVICE, -1);
-+ capng_apply(CAPNG_SELECT_BOTH);
++ if (!keep_capabilities) {
++ capng_clear(CAPNG_SELECT_CAPS);
++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++ CAP_DAC_OVERRIDE); // Drop this someday
++ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++ CAP_NET_ADMIN, CAP_NET_RAW,
++ CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, -1);
++ capng_apply(CAPNG_SELECT_CAPS);
++ }
 +#endif
 +
 /* Set up the initial dhcp option universe. */
@@ -29,7 +54,7 @@ diff -up dhcp-4.1.1/client/dhclient.c.capability dhcp-4.1.1/client/dhclient.c
 diff -up dhcp-4.1.1/client/Makefile.am.capability dhcp-4.1.1/client/Makefile.am
 --- dhcp-4.1.1/client/Makefile.am.capability 2008-11-18 23:33:22.000000000 +0100
-+++ dhcp-4.1.1/client/Makefile.am 2010-01-20 17:39:07.000000000 +0100
++++ dhcp-4.1.1/client/Makefile.am 2010-02-02 12:05:31.000000000 +0100
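Review bot: In the `@@ -424,6 +434,19 @@ main` part of the dhclient.c patch, the return values of `capng_update()`, `capng_updatev()` and `capng_apply()` are all discarded, so if the drop fails dhclient keeps running with its full capability set and nothing is logged. I would check the final call, e.g. `if (capng_apply(CAPNG_SELECT_CAPS) < 0) log_fatal("Failed to drop capabilities");` (or `log_error` if continuing is intended). The retained set now includes `CAP_DAC_OVERRIDE` and `CAP_SYS_ADMIN`, and the bounding set is no longer limited (`CAPNG_SELECT_CAPS` replaces `CAPNG_SELECT_BOTH`), which presumably is what lets programs run by dhclient keep working; a comment naming what needs each capability and stating that the bounding set is left open on purpose would be more useful than `// Drop this someday`. The new `-nc` switch is compiled only under `HAVE_LIBCAP_NG` and no `usage()` text for it appears in these hunks; `main()` starts and ends outside them.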
@@ -5,7 +5,7 @@ dhclient_SOURCES = clparse.c dhclient.c
 scripts/netbsd scripts/nextstep scripts/openbsd \
 scripts/solaris scripts/openwrt
@@ -40,14 +65,46 @@ diff -up dhcp-4.1.1/client/Makefile.am.capability dhcp-4.1.1/client/Makefile.am
 EXTRA_DIST = $(man_MANS)
 diff -up dhcp-4.1.1/configure.ac.capability dhcp-4.1.1/configure.ac
---- dhcp-4.1.1/configure.ac.capability 2010-01-20 17:39:07.000000000 +0100
-+++ dhcp-4.1.1/configure.ac 2010-01-20 17:39:07.000000000 +0100
-@@ -419,6 +419,9 @@ AC_TRY_LINK(
+--- dhcp-4.1.1/configure.ac.capability 2010-02-02 11:58:29.000000000 +0100
++++ dhcp-4.1.1/configure.ac 2010-02-02 12:07:04.000000000 +0100
+@@ -419,6 +419,41 @@ AC_TRY_LINK(
 # Look for optional headers.
 AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h)
 +# look for capabilities library
-+LIBCAP_NG_PATH
++AC_ARG_WITH(libcap-ng,
++ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],,
++ with_libcap_ng=auto)
++
++# Check for Libcap-ng API
++#
++# libcap-ng detection
++if test x$with_libcap_ng = xno ; then
++ have_libcap_ng=no;
++else
++ # Start by checking for header file
++ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
++
++ # See if we have libcap-ng library
++ AC_CHECK_LIB(cap-ng, capng_clear,
++ CAPNG_LDADD=-lcap-ng,)
++
++ # Check results are usable
++ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
++ AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
++ fi
++ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
++ AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
++ fi
++fi
++AC_SUBST(CAPNG_LDADD)
++AC_MSG_CHECKING(whether to use libcap-ng)
++if test x$CAPNG_LDADD != x ; then
++ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
++ AC_MSG_RESULT(yes)
++else
++ AC_MSG_RESULT(no)
++fi
 +
 # find an MD5 library
 AC_SEARCH_LIBS(MD5_Init, [crypto])
diff --git a/dhcp.spec b/dhcp.spec
index f953f7d..951dcba 100644
--- a/dhcp.spec
+++ b/dhcp.spec
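Review bot: With the default `with_libcap_ng=auto` in the configure.ac hunk, a build host that lacks libcap-ng ends with only `AC_MSG_RESULT(no)` and `HAVE_LIBCAP_NG` undefined, so the capability drop in dhclient.c is silently compiled out. For a packaged build I would have the spec pass `--with-libcap-ng=yes` to configure (the configure invocation is not visible on this page) so that a missing library fails the build. In `auto` mode the headers-missing case goes the other way: `AC_MSG_ERROR(libcap-ng libraries found but headers are missing)` aborts instead of falling back to `no`, and `have_libcap_ng=no` is set but never read in the visible lines. Quoting the expansions, e.g. `test "x$with_libcap_ng" = xyes`, would also keep the tests safe against empty or spaced values.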
@@ -200,7 +200,7 @@ libdhcpctl and libomapi static libraries are also included in this package.
 # Ensure 64-bit platforms parse lease file dates & times correctly (#448615)
 %patch19 -p1 -b .64-bit_lease_parse
-# Drop unnecessary capabilities in dhclient (#517649)
+# Drop unnecessary capabilities in dhclient (#517649, #546765)
 %patch20 -p1 -b .capability
 # dhclient logs its pid to make troubleshooting NM managed systems