!22 fixed issue I38XSC

From: @xxllp Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng
2021-03-11 09:25:40 +08:00 · 2021-03-11 09:25:40 +08:00 · 118b718035
commit 118b718035
parent 4bdc01a29e 46c8722200
2 changed files with 47 additions and 3 deletions
--- a/bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
+++ b/bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
@ -0,0 +1,37 @@
+From 21d0826711b750367edaf01645aac1d03b3b7611 Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Wed, 3 Mar 2021 20:51:18 +0000
+Subject: [PATCH] rdisc: remove PrivateUsers=yes from systemd service file
+
+Quoting systemd.exec(5) manual page 'Specifically this means that the
+process will have zero process capabilities on the host's user namespace'.
+That does not combine will with CAP_NET_RAW that needs to take effect host's
+namespace.
+
+Secondly add CapabilityBoundingSet that is will ensure capabilities are
+limited to the one and only capability it needs.
+
+Fixes: https://github.com/iputils/iputils/issues/314
+Reference: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+---
+ systemd/rdisc.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
+index 4e2a1ec..6ef7fc3 100644
+--- a/systemd/rdisc.service.in
+++ b/systemd/rdisc.service.in
+@@ -9,8 +9,8 @@ EnvironmentFile=-/etc/sysconfig/rdisc
+ ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
+ 
+ AmbientCapabilities=CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_RAW
+ PrivateTmp=yes
+-PrivateUsers=yes
+ ProtectSystem=strict
+ ProtectHome=yes
+ ProtectControlGroups=yes
+-- 
+2.23.0
+
--- a/iputils.spec
+++ b/iputils.spec
@ -1,6 +1,6 @@
 Name:            iputils
 Version:         20200821
-Release:         1
+Release:         2
 Summary:         Network monitoring tools including ping
 License:         BSD and GPLv2+
 URL:             https://github.com/iputils/iputils
@ -15,8 +15,9 @@ Source5:         https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Patch0000:       iputils-ifenslave.patch
 Patch0001:       bugfix-arping-w-does-not-take-effect.patch
 Patch0002:       bugfix-arpping-make-update-neighbours-work-again.patch
-Patch6000: 2583fb77dd57c5183998177a3fa13a680b573005.patch
-Patch6001: 950d36f8ba5a669cbc34a7972db611b675725fb5.patch
+Patch6000:       2583fb77dd57c5183998177a3fa13a680b573005.patch
+Patch6001:       950d36f8ba5a669cbc34a7972db611b675725fb5.patch
+Patch6002:       bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch

 BuildRequires:   gcc meson libidn2-devel openssl-devel libcap-devel libxslt
 BuildRequires:   docbook5-style-xsl systemd glibc-kernheaders gettext
@ -93,6 +94,12 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 %{_mandir}/man8/*.8.gz

 %changelog
+* Mon Mar 8 2021 xuxiaolong <xuxiaolong23@huawei.com> - 20200821-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix rdisc: remove PrivateUsers=yes from systemd service file 
+
 * Thu Jan 28 2021 xihaochen <xihaochen@huawei.com> - 20200821-1
 - Type:requirements
 - ID:NA