diff --git a/bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch b/bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1fc75769da0bda4f0849aade8d422abbb9fa774f
--- /dev/null
+++ b/bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
@@ -0,0 +1,37 @@
+From 21d0826711b750367edaf01645aac1d03b3b7611 Mon Sep 17 00:00:00 2001
+From: Sami Kerola
+Date: Wed, 3 Mar 2021 20:51:18 +0000
+Subject: [PATCH] rdisc: remove PrivateUsers=yes from systemd service file
+
+Quoting systemd.exec(5) manual page 'Specifically this means that the
+process will have zero process capabilities on the host's user namespace'.
+That does not combine will with CAP_NET_RAW that needs to take effect host's
+namespace.
+
+Secondly add CapabilityBoundingSet that is will ensure capabilities are
+limited to the one and only capability it needs.
+
+Fixes: https://github.com/iputils/iputils/issues/314
+Reference: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=
+Signed-off-by: Sami Kerola
+---
+ systemd/rdisc.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
+index 4e2a1ec..6ef7fc3 100644
+--- a/systemd/rdisc.service.in
++++ b/systemd/rdisc.service.in
+@@ -9,8 +9,8 @@ EnvironmentFile=-/etc/sysconfig/rdisc
+ ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
+
+ AmbientCapabilities=CAP_NET_RAW
++CapabilityBoundingSet=CAP_NET_RAW
+ PrivateTmp=yes
+-PrivateUsers=yes
+ ProtectSystem=strict
+ ProtectHome=yes
+ ProtectControlGroups=yes
+--
+2.23.0
+
diff --git a/iputils.spec b/iputils.spec
index 7f1cc154e622e8b47b9abd5f90376680fd747fdc..fa4531eff497a3fe712fece528a3157ee4ac2c7a 100644
--- a/iputils.spec
+++ b/iputils.spec
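Review bot: In the new bugfix-rdisc patch file, the embedded systemd/rdisc.service.in change drops `PrivateUsers=yes` but leaves nothing in the unit file itself to say why, so a later hardening pass could restore it and break CAP_NET_RAW again. A comment above the new bounding-set line would record the reason, for example `# PrivateUsers=yes is deliberately absent: it leaves the process with zero capabilities in the host user namespace, so CAP_NET_RAW has no effect (iputils issue 314)`. The added `CapabilityBoundingSet=CAP_NET_RAW` is what now limits the service once user-namespace isolation is gone. The hunk shows only part of the [Service] section, so whether the unit also sets a non-root `User=` or `DynamicUser=` and `NoNewPrivileges=yes` cannot be told from here. That is worth checking against the full file before relying on the bounding set as the only restriction.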
@@ -1,6 +1,6 @@
 Name: iputils
-Version: 20190709
-Release: 6
+Version: 20200821
+Release: 2
 Summary: Network monitoring tools including ping
 License: BSD and GPLv2+
 URL: https://github.com/iputils/iputils
@@ -12,15 +12,12 @@ Source3: ninfod.service
 Source4: bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
-Patch100: iputils-ifenslave.patch
-
-Patch6000: 0001-iputils-arpings.patch
-Patch6001: 0002-iputils-arpings-count.patch
-Patch6002: bugfix-arpping-make-update-neighbours-work-again.patch
-
-Patch9000: bugfix-fix-ping-dead-loop.patch
-Patch9001: bugfix-arping-w-does-not-take-effect.patch
-Patch9002: bugfix-fix-update-problem.patch
+Patch0000: iputils-ifenslave.patch
+Patch0001: bugfix-arping-w-does-not-take-effect.patch
+Patch0002: bugfix-arpping-make-update-neighbours-work-again.patch
+Patch6000: 2583fb77dd57c5183998177a3fa13a680b573005.patch
+Patch6001: 950d36f8ba5a669cbc34a7972db611b675725fb5.patch
+Patch6002: bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
 BuildRequires: gcc meson libidn2-devel openssl-devel libcap-devel libxslt
 BuildRequires: docbook5-style-xsl systemd glibc-kernheaders gettext
@@ -103,7 +100,19 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 %{_mandir}/man8/*.8.gz
 %changelog
-* Thu Dec 10 2020 lunankun - 20190709-6
+* Mon Mar 8 2021 xuxiaolong - 20200821-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix rdisc: remove PrivateUsers=yes from systemd service file
+
+* Thu Jan 28 2021 xihaochen - 20200821-1
+- Type:requirements
+- ID:NA
+- SUG:NA
+- DESC: update iputils to 20200821
+
+* Thu Dec 10 2020 lunankun - 20190709-7
 - Type:bugfix
 - Id:NA
 - SUG:NA
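Review bot: The patch-list hunk (`@@ -12,15 +12,12 @@`) drops `Patch9000: bugfix-fix-ping-dead-loop.patch`, `Patch9002: bugfix-fix-update-problem.patch` and the two arpings patches, and nothing here records whether those fixes are already in 20200821. The 20200821-1 changelog entry says only "update iputils to 20200821"; presumably the fixes were merged upstream, but that should be confirmed and stated so a rebase does not silently lose one. The new `Patch6000` and `Patch6001` are named only by commit hash, so a comment above each, such as `# upstream commit <hash>: <subject>`, would show what they fix without opening the files. How the patches are applied lies outside the hunk, so the renumbering to `Patch0000`–`Patch0002` should be checked against the `%prep` section.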