ports

recipes for building multiple softwares
git clone git://z3bra.org/ports
Log | Files | Refs

commit fbe787db537188548604677bbe2e1eb62bd056a5
parent 0f44c84e5c05119b53e04c111a3f1f9a9cd3e6fc
Author: z3bra <willyatmailoodotorg>
Date:   Tue Sep 22 21:51:13 2015

libcap: new port

Diffstat:
 libcap/libcap-2.24/CHANGELOG                              |  17 +-
 libcap/libcap-2.24/License                                | 385 ++++++++++-
 libcap/libcap-2.24/Make.Rules                             |  87 ++-
 libcap/libcap-2.24/Makefile                               |  37 +-
 libcap/libcap-2.24/README                                 |  29 +-
 libcap/libcap-2.24/contrib/Makefile                       |   3 +-
 libcap/libcap-2.24/contrib/bug400591/Makefile             |   9 +-
 libcap/libcap-2.24/contrib/bug400591/bug.c                |  43 +-
 libcap/libcap-2.24/contrib/pcaps4convenience              | 209 +++++-
 libcap/libcap-2.24/contrib/pcaps4server                   | 369 +++++++++-
 libcap/libcap-2.24/contrib/pcaps4suid0                    | 227 ++++++-
 libcap/libcap-2.24/doc/Makefile                           |  50 +-
 libcap/libcap-2.24/doc/cap_clear.3                        | 133 +++-
 libcap/libcap-2.24/doc/cap_clear_flag.3                   |   1 +-
 libcap/libcap-2.24/doc/cap_compare.3                      |   1 +-
 libcap/libcap-2.24/doc/cap_copy_ext.3                     | 104 +++-
 libcap/libcap-2.24/doc/cap_copy_int.3                     |   1 +-
 libcap/libcap-2.24/doc/cap_drop_bound.3                   |   1 +-
 libcap/libcap-2.24/doc/cap_dup.3                          |   1 +-
 libcap/libcap-2.24/doc/cap_free.3                         |   1 +-
 libcap/libcap-2.24/doc/cap_from_name.3                    |   1 +-
 libcap/libcap-2.24/doc/cap_from_text.3                    | 233 ++++++-
 libcap/libcap-2.24/doc/cap_get_bound.3                    |   1 +-
 libcap/libcap-2.24/doc/cap_get_fd.3                       |   1 +-
 libcap/libcap-2.24/doc/cap_get_file.3                     | 124 +++-
 libcap/libcap-2.24/doc/cap_get_flag.3                     |   1 +-
 libcap/libcap-2.24/doc/cap_get_pid.3                      |   1 +-
 libcap/libcap-2.24/doc/cap_get_proc.3                     | 204 +++++-
 libcap/libcap-2.24/doc/cap_init.3                         |  86 ++-
 libcap/libcap-2.24/doc/cap_set_fd.3                       |   1 +-
 libcap/libcap-2.24/doc/cap_set_file.3                     |   1 +-
 libcap/libcap-2.24/doc/cap_set_flag.3                     |   1 +-
 libcap/libcap-2.24/doc/cap_set_proc.3                     |   1 +-
 libcap/libcap-2.24/doc/cap_size.3                         |   1 +-
 libcap/libcap-2.24/doc/cap_to_name.3                      |   1 +-
 libcap/libcap-2.24/doc/cap_to_text.3                      |   1 +-
 libcap/libcap-2.24/doc/capability.notes                   |  58 +-
 libcap/libcap-2.24/doc/capgetp.3                          |   1 +-
 libcap/libcap-2.24/doc/capsetp.3                          |   1 +-
 libcap/libcap-2.24/doc/capsh.1                            | 173 ++++-
 libcap/libcap-2.24/doc/getcap.8                           |  29 +-
 libcap/libcap-2.24/doc/libcap.3                           | 114 +++-
 libcap/libcap-2.24/doc/old/README                         |   1 +-
 libcap/libcap-2.24/doc/old/_fgetfilecap.2                 |   1 +-
 libcap/libcap-2.24/doc/old/_fsetfilecap.2                 |   1 +-
 libcap/libcap-2.24/doc/old/_getfilecap.2                  |   1 +-
 libcap/libcap-2.24/doc/old/_getproccap.2                  |   1 +-
 libcap/libcap-2.24/doc/old/_setfilecap.2                  | 117 +++-
 libcap/libcap-2.24/doc/old/_setproccap.2                  |  52 +-
 libcap/libcap-2.24/doc/setcap.8                           |  49 +-
 libcap/libcap-2.24/libcap/Makefile                        |  91 ++-
 libcap/libcap-2.24/libcap/_makenames.c                    |  61 ++-
 libcap/libcap-2.24/libcap/cap_alloc.c                     | 139 ++++-
 libcap/libcap-2.24/libcap/cap_alloc.o                     | Bin 0 -> 11168 bytes
 libcap/libcap-2.24/libcap/cap_extint.c                    | 123 +++-
 libcap/libcap-2.24/libcap/cap_extint.o                    | Bin 0 -> 11264 bytes
 libcap/libcap-2.24/libcap/cap_file.c                      | 321 ++++++++-
 libcap/libcap-2.24/libcap/cap_file.o                      | Bin 0 -> 19568 bytes
 libcap/libcap-2.24/libcap/cap_flag.c                      | 150 ++++-
 libcap/libcap-2.24/libcap/cap_flag.o                      | Bin 0 -> 11352 bytes
 libcap/libcap-2.24/libcap/cap_proc.c                      | 126 +++-
 libcap/libcap-2.24/libcap/cap_proc.o                      | Bin 0 -> 12056 bytes
 libcap/libcap-2.24/libcap/cap_text.c                      | 429 +++++++++++-
 libcap/libcap-2.24/libcap/cap_text.o                      | Bin 0 -> 38424 bytes
 libcap/libcap-2.24/libcap/include/sys/capability.h        | 127 +++-
 libcap/libcap-2.24/libcap/include/sys/securebits.h        |  22 +-
 libcap/libcap-2.24/libcap/include/uapi/linux/capability.h | 358 +++++++++-
 libcap/libcap-2.24/libcap/include/uapi/linux/prctl.h      | 152 ++++-
 libcap/libcap-2.24/libcap/include/uapi/linux/securebits.h |  51 +-
 libcap/libcap-2.24/libcap/libcap.h                        | 209 +++++-
 libcap/libcap-2.24/libcap/libcap.pc                       |  11 +-
 libcap/libcap-2.24/libcap/libcap.pc.in                    |  11 +-
 libcap/libcap-2.24/pam_cap/License                        |  41 +-
 libcap/libcap-2.24/pam_cap/Makefile                       |  29 +-
 libcap/libcap-2.24/pam_cap/capability.conf                |  45 +-
 libcap/libcap-2.24/pam_cap/pam_cap.c                      | 310 ++++++++-
 libcap/libcap-2.24/pam_cap/test.c                         |  12 +-
 libcap/libcap-2.24/pgp.keys.asc                           | 278 +++++++-
 libcap/libcap-2.24/progs/Makefile                         |  38 +-
 libcap/libcap-2.24/progs/capsh.c                          | 594 +++++++++++++++-
 libcap/libcap-2.24/progs/capsh.o                          | Bin 0 -> 87496 bytes
 libcap/libcap-2.24/progs/getcap.c                         | 108 +++-
 libcap/libcap-2.24/progs/getcap.o                         | Bin 0 -> 21192 bytes
 libcap/libcap-2.24/progs/getpcaps.c                       |  56 +-
 libcap/libcap-2.24/progs/getpcaps.o                       | Bin 0 -> 12832 bytes
 libcap/libcap-2.24/progs/old/README                       |   1 +-
 libcap/libcap-2.24/progs/old/execcap.c                    |  68 ++-
 libcap/libcap-2.24/progs/old/setpcaps.c                   | 124 +++-
 libcap/libcap-2.24/progs/old/sucap.c                      | 199 +++++-
 libcap/libcap-2.24/progs/quicktest.sh                     | 148 ++++-
 libcap/libcap-2.24/progs/setcap.c                         | 208 +++++-
 libcap/libcap-2.24/progs/setcap.o                         | Bin 0 -> 29864 bytes
 libcap/libcap-2.24/template.c                             |   6 +-
 libcap/makeme                                             |  15 +-
 94 files changed, 7627 insertions(+), 0 deletions(-)

diff --git a/libcap/libcap-2.24/CHANGELOG b/libcap/libcap-2.24/CHANGELOG @@ -0,0 +1,17 @@ +For release notes and other info pointers: + + http://sites.google.com/site/fullycapable/ + +See GIT repository for detailed source history + + https://git.kernel.org/cgit/linux/kernel/git/morgan/libcap.git/ + +Or simply download the source: + + git clone git://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git + +The license for this library is here: + + https://git.kernel.org/cgit/linux/kernel/git/morgan/libcap.git/tree/License + +please submit patches compatible with this to morgan at kernel.org. diff --git a/libcap/libcap-2.24/License b/libcap/libcap-2.24/License @@ -0,0 +1,385 @@ +Unless otherwise *explicitly* stated, the following text describes the +licensed conditions under which the contents of this libcap release +may be used and distributed: + +------------------------------------------------------------------------- +Redistribution and use in source and binary forms of libcap, with +or without modification, are permitted provided that the following +conditions are met: + +1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + +2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + +3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. + +ALTERNATIVELY, this product may be distributed under the terms of the +GNU General Public License (v2.0 - see below), in which case the +provisions of the GNU GPL are required INSTEAD OF the above +restrictions. (This clause is necessary due to a potential conflict +between the GNU GPL and the restrictions contained in a BSD-style +copyright.) + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. +------------------------------------------------------------------------- + +------------------------- +Full text of gpl-2.0.txt: +------------------------- + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/libcap/libcap-2.24/Make.Rules b/libcap/libcap-2.24/Make.Rules @@ -0,0 +1,87 @@ +# +## Optional prefixes: +# + +# common 'packaging' directoty + +FAKEROOT=$(DESTDIR) + +# Autoconf-style prefixes are activated when $(prefix) is defined. +# Otherwise binaries and libraries are installed in /{lib,sbin}/, +# header files in /usr/include/ and documentation in /usr/man/man?/. +# These choices are motivated by the fact that getcap and setcap are +# administrative operations that could be needed to recover a system. + +ifndef lib +lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2) +endif + +ifdef prefix +exec_prefix=$(prefix) +lib_prefix=$(exec_prefix) +inc_prefix=$(lib_prefix) +man_prefix=$(prefix)/share +else +prefix=/usr +exec_prefix= +lib_prefix=$(exec_prefix) +inc_prefix=$(prefix) +man_prefix=$(prefix)/share +endif + +# Target directories + +MANDIR=$(FAKEROOT)$(man_prefix)/man +SBINDIR=$(FAKEROOT)$(exec_prefix)/sbin +INCDIR=$(FAKEROOT)$(inc_prefix)/include +LIBDIR=$(FAKEROOT)$(lib_prefix)/$(lib) +PKGCONFIGDIR=$(FAKEROOT)$(prefix)/$(lib)/pkgconfig + +# common defines for libcap +LIBTITLE=libcap +VERSION=2 +MINOR=24 +# + +# Compilation specifics + +KERNEL_HEADERS := $(topdir)/libcap/include/uapi +IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include + +CC := gcc +CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 +BUILD_CC := $(CC) +BUILD_CFLAGS := $(CFLAGS) $(IPATH) +AR := ar +RANLIB := ranlib +DEBUG = -g #-DDEBUG +WARNINGS=-Wall -Wwrite-strings \ + -Wpointer-arith -Wcast-qual -Wcast-align \ + -Wstrict-prototypes -Wmissing-prototypes \ + -Wnested-externs -Winline -Wshadow +LD=$(CC) -Wl,-x -shared +LDFLAGS := #-g + +SYSTEM_HEADERS = /usr/include +INCS=$(topdir)/libcap/include/sys/capability.h +LDFLAGS += -L$(topdir)/libcap +CFLAGS += -Dlinux $(WARNINGS) $(DEBUG) +PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi) +INDENT := $(shell if [ -n "$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi) +DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi) +LIBATTR := yes + +# When installing setcap, set its inheritable bit to be able to place +# capabilities on files. It can be used in conjunction with pam_cap +# (associated with su and certain users say) to make it useful for +# specially blessed users. If you wish to drop this install feature, +# use this command when running install +# +# make RAISE_SETFCAP=no install +# +RAISE_SETFCAP := $(LIBATTR) + +# Global cleanup stuff + +LOCALCLEAN=rm -f *~ core +DISTCLEAN=@find . \( -name '*.orig' -o -name '*.rej' \) | xargs rm -f diff --git a/libcap/libcap-2.24/Makefile b/libcap/libcap-2.24/Makefile @@ -0,0 +1,37 @@ +# +# Makefile for libcap +# +topdir=$(shell pwd) +include Make.Rules + +# +# flags +# + +all install clean: %: %-here + $(MAKE) -C libcap $@ +ifneq ($(PAM_CAP),no) + $(MAKE) -C pam_cap $@ +endif + $(MAKE) -C progs $@ + $(MAKE) -C doc $@ + +all-here: + +install-here: + +clean-here: + $(LOCALCLEAN) + +distclean: clean + $(DISTCLEAN) + +release: distclean + cd .. && ln -s libcap libcap-$(VERSION).$(MINOR) && tar cvf libcap-$(VERSION).$(MINOR).tar libcap-$(VERSION).$(MINOR)/* && rm libcap-$(VERSION).$(MINOR) + cd .. && gpg -sba -u E2CCF3F4 libcap-$(VERSION).$(MINOR).tar + +tagrelease: distclean + @echo "sign the tag twice: older DSA key; and newer RSA kernel.org key" + git tag -u D41A6DF2 -s libcap-$(VERSION).$(MINOR) + git tag -u E2CCF3F4 -s libcap-korg-$(VERSION).$(MINOR) + make release diff --git a/libcap/libcap-2.24/README b/libcap/libcap-2.24/README @@ -0,0 +1,29 @@ +This is a library for getting and setting POSIX.1e (formerly POSIX 6) +draft 15 capabilities. + +This library would not have been possible without the help of + + Aleph1, Roland Buresund and Andrew Main, Alexander Kjeldaas. + +More information on capabilities in the Linux kernel can be found at + + http://sites.google.com/site/fullycapable/ + +# INSTALLATION + + Linux-Caps % make + + builds the library and the programs + + Linux-Caps % make install + + installs the library libcap.XX.Y in /lib[64]/ + the binaries in /sbin/ + the <sys/capability.h> file in /usr/include + the libcap.pc file in /usr/lib[64]/pkgconfig + +* for some example programs look in progs. + +Cheers + +Andrew G. Morgan <morgan@kernel.org> diff --git a/libcap/libcap-2.24/contrib/Makefile b/libcap/libcap-2.24/contrib/Makefile @@ -0,0 +1,3 @@ +.PHONY: all clean +all clean: + for x in bug* ; do make -C $$x $@ || exit 1 ; done diff --git a/libcap/libcap-2.24/contrib/bug400591/Makefile b/libcap/libcap-2.24/contrib/bug400591/Makefile @@ -0,0 +1,9 @@ +all: bug + +bug: bug.c ../../libcap Makefile + make -C ../../libcap + cc -g -I../../libcap/include --static -o $@ $< -L../../libcap -lcap + ./bug + +clean: + rm -f bug.o bug diff --git a/libcap/libcap-2.24/contrib/bug400591/bug.c b/libcap/libcap-2.24/contrib/bug400591/bug.c @@ -0,0 +1,43 @@ +#include <assert.h> +#include <stdlib.h> +#include <sys/capability.h> + +/* + * Original from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400591 + * + * Modified to test more functions.. AGM - 2008/07/06. + */ + +int main (int argc, char *argv[]) +{ + cap_t caps, caps2; + ssize_t size, copy_size; + void *buffer; + char *text1, *text2; + + assert((caps = cap_get_pid(1))); + + text1 = cap_to_text(caps, NULL); + assert(text1); + + size = cap_size (caps); + assert (size>0 && size<1024); + + buffer = malloc (size); + assert (buffer); + + copy_size = cap_copy_ext (buffer, caps, size); + assert (copy_size == size); + + caps2 = cap_copy_int(buffer); + assert (caps2); + + text2 = cap_to_text(caps2, NULL); + assert(text2); + + assert(strcmp(text1, text2) == 0); + + assert(cap_compare(caps, caps2) == 0); + + return 0; +} diff --git a/libcap/libcap-2.24/contrib/pcaps4convenience b/libcap/libcap-2.24/contrib/pcaps4convenience @@ -0,0 +1,209 @@ +#!/bin/bash +# vim:expandtab:tabstop=4 +# +# author: chris friedhoff - chris@friedhoff.org +# version: pcaps4convenience 2 Tue Mar 11 2008 +# +# +# changelog: +# 1 - initial release pcaps4convenience +# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code +# +# +# the user has the necessary POSIX Capabilities in his Inheritance +# set and the applications are accepting the needed PCaps through +# their Inheritance set. +# a user who has not the PCaps in his Inheritance set CAN NOT +# successfully execute the apps +# --> SET=ie +# (if SET=pe than you relax the security level of your machine) +# +# +# + + +##HERE WE ADD APPS +################## + +## these apps uses their POSIX Caps +################################### +# see /usr/include/linux/capability.h +# adjust - if needed and wanted - /etc/security/capability.conf +#eject=cap_dac_read_search,cap_sys_rawio +eject=2,17 +#killall=cap_kill +killall=5 +#modprobe=cap_sys_module +modprobe=16 +#ntpdate=cap_net_bind_service,cap_sys_time +ntpdate=10,25 +#qemu=cap_net_admin +qemu=12 +#route=cap_net_admin +route=12 + + +# this apps were converted/reverted +################################### +APPSARRAY=( eject killall modprobe ntpdate qemu route ) + + +# we put it into this set +######################### +SET=ie + + +##FROM HERE ONLY LOGIC +###################### + +#save assumption!? +export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin + +p4c_test(){ + # are we sane? + WICH=`which which 2>/dev/null` + if [ $WICH == "" ]; then + # thats bad + echo "Sorry, I haven't found which" + exit + fi + + # we needt his apps + SETCAP=`which setcap 2>/dev/null` + if [ "$SETCAP" == "" ]; then + echo "Sorry, I'm missing setcap !" + exit + fi + + # checking setcap for SET_SETFCAP PCap ? + # for now we stick to root + if [ "$( id -u )" != "0" ]; then + echo "Sorry, you must be root !" + exit 1 + fi +} + + + +p4c_app_convert(){ + # convert a single app + # $1 is app name; $2 is POSIX Caps + # well symlinks to apps, so we use -a ... + APP=`which -a $1 2>/dev/null` + if [ "$APP" != "" ]; then + FOUND=no + for i in $APP; do + # ... and are looking for symlinks + if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then + echo "converting $i" + setcap $2=$SET $i + FOUND=yes + fi + done + if [ "$FOUND" == "no" ]; then + # 'which' found only symlinks + echo "1 haven't found $1" + fi + else + # 'which' hasn't anything given back + echo "haven't found $1" + fi +} + + + +p4c_app_revert(){ + # revert a singel app + # $1 is app name + APP=`which -a $1 2>/dev/null` + if [ "$APP" != "" ]; then + FOUND=no + for i in $APP; do + if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then + echo "reverting $i" + setcap -r $i 2>/dev/null + FOUND=yes + fi + done + if [ "$FOUND" == "no" ]; then + echo "1 haven't found $1" + fi + else + echo "haven't found $1" + fi +} + + + +p4c_convert(){ + # we go throug the APPSARRAY and call s2p_app_convert to do the job + COUNTER=0 + let UPPER=${#APPSARRAY[*]}-1 + until [ $COUNTER == $UPPER ]; do + p4c_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]} + let COUNTER+=1 + done +} + + + +p4c_revert(){ + COUNTER=0 + let UPPER=${#APPSARRAY[*]}-1 + until [ $COUNTER == $UPPER ]; do + p4c_app_revert ${APPSARRAY[$COUNTER]} + let COUNTER+=1 + done + +} + + + +p4c_usage(){ + echo + echo "pcaps4convenience" + echo + echo "pcaps4convenience stores the needed POSIX Capabilities for binaries to" + echo "run successful into their Inheritance and Effective Set." + echo "The user who wants to execute this binaries successful has to have the" + echo "necessary POSIX Capabilities in his Inheritable Set. This might be done" + echo "through the PAM module pam_cap.so." + echo "A user who has not the needed PCaps in his Inheritance Set CAN NOT execute" + echo "these binaries successful." + echo "(well, still per sudo or su -c - but thats not the point here)" + echo + echo "You need and I will check fot the utilities which and setcap." + echo + echo "Your Filesystem has to support extended attributes and your kernel must have" + echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)." + echo + echo "Usage: pcaps4convenience [con(vert)|rev(ert)|help]" + echo + echo " con|convert - from setuid0 to POSIX Capabilities" + echo " rev|revert - from POSIX Capabilities back to setui0" + echo " help - this help message" + echo +} + + + +case "$1" in + con|convert) + p4c_test + p4c_convert + exit 0 + ;; + rev|revert) + p4c_test + p4c_revert + exit 0 + ;; + help) + p4c_usage + exit 0 + ;; + *) + echo "Try 'pcaps4convenience help' for more information" + exit 1 + ;; +esac diff --git a/libcap/libcap-2.24/contrib/pcaps4server b/libcap/libcap-2.24/contrib/pcaps4server @@ -0,0 +1,369 @@ +#!/bin/sh +# vim: tabstop=4 +# +# author: chris friedhoff - chris@friedhoff.org +# version: pcaps4server 5 Tue Mar 11 2008 +# +# +# changelog: +# 1 - initial release pcaps4convenience +# 1 - 2007.02.15 - initial release +# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; supressed error of id +# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap +# 4 - renamed to pcaps4server +# removed suid0 and convenience files, +# they are now in pcaps4suid0 resp. pcaps4convenience +# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code +# +# +########################################################################### +# change the installation of different server to be able not to run as root +# and have their own unpriviledged user. The binary has the needed POSIX +# Capabilities. +# to ensure that the server is really started as his respective user, we set +# the suid bit (BUT NOT 0)! +# paths are hard coded and derive from a slackware system +# change it to your needs !! +########################################################################### + + + +VERBOSE="-v" +#VERBOSE="" +APPS="" + +message(){ + printRedMessage "$1" +} + +printRedMessage(){ + # print message red and turn back to white + echo -e "\n\033[00;31m $1 ...\033[00;00m\n" +} + +printGreenMessage(){ + # print message red and turn back to white + echo -e "\033[00;32m $1 ...\033[00;00m\n" + sleep 0.5 +} + +checkReturnCode(){ + if [ "$?" != "0" ]; then + printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!" + exit 1 + else + printGreenMessage ":-)" + sleep 0.5 + fi +} + + + +p4r_test(){ + #for now, we work with root + if [ "$( id -u )" != "0" ]; then + echo "Sorry, you must be root !" + exit + fi +} + + + + +# apache 1.3 +######## +#APPS="$APPS apache1" +apache1_convert(){ + message "converting apache1" + if [ "$( id -g apache 2>/dev/null )" == "" ]; then + groupadd -g 60 apache + fi + if [ "$( id -u apache 2>/dev/null )" == "" ]; then + useradd -g apache -d / -u 600 apache + fi + sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf + chown $VERBOSE -R apache:apache /var/run/apache/ + chown $VERBOSE -R apache:apache /etc/apache/ + chown $VERBOSE -R apache:apache /var/log/apache/ + chown $VERBOSE apache:apache /usr/sbin/httpd + chmod $VERBOSE u+s /usr/sbin/httpd + setcap cap_net_bind_service=ep /usr/sbin/httpd + checkReturnCode +} +apache1_revert(){ + message "reverting apache1" + chown $VERBOSE -R root:root /var/run/apache/ + chown $VERBOSE -R root:root /etc/apache/ + chown $VERBOSE -R root:root /var/log/apache/ + chown $VERBOSE root:root /usr/sbin/httpd + chmod $VERBOSE u-s /usr/sbin/httpd + setcap -r /usr/sbin/httpd + checkReturnCode + sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/apache/httpd.conf + userdel apache + groupdel apache +} + + +# apache 2.x +######## +APPS="$APPS apache2" +apache2_convert(){ + message "converting apache2" + if [ "$( id -g apache 2>/dev/null )" == "" ]; then + groupadd -g 60 apache + fi + if [ "$( id -u apache 2>/dev/null )" == "" ]; then + useradd -g apache -d / -u 600 apache + fi + sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf + chown $VERBOSE -R apache:apache /var/run/httpd/ + chown $VERBOSE -R apache:apache /etc/httpd/ + chown $VERBOSE -R apache:apache /var/log/httpd/ + chown $VERBOSE apache:apache /usr/sbin/httpd + chmod $VERBOSE u+s /usr/sbin/httpd + #setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd + setcap cap_net_bind_service=ep /usr/sbin/httpd + checkReturnCode +} +apache2_revert(){ + message "reverting apache2" + chown $VERBOSE -R root:root /var/run/httpd/ + chown $VERBOSE -R root:root /etc/httpd/ + chown $VERBOSE -R root:root /var/log/httpd/ + chown $VERBOSE root:root /usr/sbin/httpd + chmod $VERBOSE u-s /usr/sbin/httpd + setcap -r /usr/sbin/httpd + checkReturnCode + sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/httpd/httpd.conf + userdel apache + groupdel apache +} + + +# samba +####### +APPS="$APPS samba" +samba_convert(){ + message "converting samba" + if [ "$( id -g samba 2>/dev/null )" == "" ]; then + groupadd -g 61 samba + fi + if [ "$( id -u samba 2>/dev/null )" == "" ]; then + useradd -g samba -d / -u 610 samba + fi + chown $VERBOSE -R samba:samba /var/log/samba + chown $VERBOSE -R samba:samba /etc/samba + chown $VERBOSE -R samba:samba /var/run/samba + chown $VERBOSE -R samba:samba /var/cache/samba + chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd + chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd + setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd + checkReturnCode + setcap cap_net_bind_service=ep /usr/sbin/nmbd + checkReturnCode +} + +samba_revert(){ + message "reverting samba" + chown $VERBOSE -R root:root /var/log/samba + chown $VERBOSE -R root:root /etc/samba + chown $VERBOSE -R root:root /var/run/samba + chown $VERBOSE -R root:root /var/cache/samba + chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd + chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd + setcap -r /usr/sbin/smbd + checkReturnCode + setcap -r /usr/sbin/nmbd + checkReturnCode + userdel samba + groupdel samba +} + + +# bind +###### +APPS="$APPS bind" +bind_convert(){ + message "converting bind" + if [ "$( id -g bind 2>/dev/null )" == "" ]; then + groupadd -g 62 bind + fi + if [ "$( id -u bind 2>/dev/null )" == "" ]; then + useradd -g bind -d / -u 620 bind + fi + chown $VERBOSE -R bind:bind /var/run/named + chown $VERBOSE -R bind:bind /var/named + chown $VERBOSE bind:bind /etc/rndc.key + chown $VERBOSE bind:bind /usr/sbin/named + chmod $VERBOSE u+s /usr/sbin/named + setcap cap_net_bind_service=ep /usr/sbin/named + checkReturnCode +} +bind_revert(){ + message "reverting bind" + chown $VERBOSE -R root:root /var/run/named + chown $VERBOSE -R root:root /var/named + chown $VERBOSE root:root /etc/rndc.key + chown $VERBOSE root:root /usr/sbin/named + chmod $VERBOSE u-s /usr/sbin/named + setcap -r /usr/sbin/named + checkReturnCode + userdel bind + groupdel bind +} + + +# dhcpd +####### +APPS="$APPS dhcpd" +dhcpd_convert(){ + message "converting dhcpd" + if [ "$( id -g dhcpd 2>/dev/null )" == "" ]; then + groupadd -g 63 dhcpd + fi + if [ "$( id -u dhcpd 2>/dev/null )" == "" ]; then + useradd -g dhcpd -d / -u 630 dhcpd + fi + chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd + chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf + chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/ + chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd + chmod $VERBOSE u+s /usr/sbin/dhcpd + setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd + checkReturnCode +} +dhcpd_revert(){ + message "reverting dhcpd" + chown $VERBOSE root:root /var/run/dhcpd + chown $VERBOSE root:root /etc/dhcpd.conf + chown $VERBOSE -R root:root /var/state/dhcp/ + chown $VERBOSE root:root /usr/sbin/dhcpd + chmod $VERBOSE u-s /usr/sbin/dhcpd + setcap -r /usr/sbin/dhcpd + checkReturnCode + userdel dhcpd + groupdel dhcpd +} + + +# cupsd +####### +APPS="$APPS cupsd" +cupsd_convert(){ + message "converting cupsd" + if [ "$( id -g cupsd 2>/dev/null )" == "" ]; then + groupadd -g 64 cupsd + fi + if [ "$( id -u cupsd 2>/dev/null )" == "" ]; then + useradd -g cupsd -d / -u 640 cupsd + fi + sed -i -e "{s|^\(User\).*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf + chown $VERBOSE -R cupsd:cupsd /etc/cups + chown $VERBOSE -R cupsd:cupsd /var/cache/cups + chown $VERBOSE -R cupsd:cupsd /var/log/cups + chown $VERBOSE -R cupsd:cupsd /var/spool/cups + chown $VERBOSE -R cupsd:cupsd /var/run/cups + chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd + chmod $VERBOSE u+s /usr/sbin/cupsd + setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd + checkReturnCode +} +cupsd_revert(){ + message "reverting cupsd" + chown $VERBOSE -R root:root /etc/cups + chown $VERBOSE -R root:lp /var/cache/cups + chown $VERBOSE -R root:root /var/log/cups + chown $VERBOSE -R root:root /var/spool/cups + chown $VERBOSE root:lp /var/run/cups + chown $VERBOSE lp:sys /var/run/cups/certs + chmod $VERBOSE 750 /var/run/cups/certs + chown $VERBOSE root:root /usr/sbin/cupsd + chmod $VERBOSE u-s /usr/sbin/cupsd + setcap -r /usr/sbin/cupsd + checkReturnCode + sed -i -e "{s|^\(User\).*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf + userdel cupsd + groupdel cupsd +} + + +usage_message(){ + echo "Try 'pcaps4server help' for more information" +} + + +p4r_usage(){ + echo + echo "pcaps4server" + echo + echo "pcaps4server stores the needed POSIX Capabilities for server binaries to" + echo "run successful into their Permitted and Effective Set." + echo "The server are now able to run as an unpriviledged user." + echo "For each server software an unpriviledged user is added the system." + echo "The ownership of all the respective paths are changed to this user." + echo "To ensure that the server is starting as this unpriviledgesd user, the" + echo "suid bit (NOT 0) is set." + echo "Effectively this means every user can start this server daemons (for now)." + echo "All paths are hard coded!" + echo "You have been warned. Enjoy!" + echo + echo "Your Filesystem has to support extended attributes and your kernel must have" + echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)." + echo + echo "Usage: pcaps4server [PROG] [con(vert)|rev(ert)|help]" + echo + echo " con|convert - from setuid0 to POSIX Capabilities" + echo " rev|revert - from POSIX Capabilities back to setui0" + echo " help - this help message" + echo + echo " PROG: $APPS" + echo +} + + + + +case "$1" in + con|convert) + p4r_test + for j in $APPS; do + ${j}_convert + done + exit + ;; + rev|renvert) + p4r_test + for j in $APPS; do + ${j}_revert + done + exit + ;; + help) + p4r_usage + exit + ;; +esac + +for i in ${APPS}; do + if [ "$1" == "$i" ]; then + case "$2" in + con|convert) + p4r_test + ${i}_convert + exit + ;; + rev|revert) + p4r_test + ${i}_revert + exit + ;; + *) + usage_message + exit 1 + ;; + esac + fi +done + +usage_message diff --git a/libcap/libcap-2.24/contrib/pcaps4suid0 b/libcap/libcap-2.24/contrib/pcaps4suid0 @@ -0,0 +1,227 @@ +#!/bin/bash +# vim:expandtab:tabstop=4 +# +# author: chris friedhoff - chris@friedhoff.org +# version: pcaps4suid0 3 Tue Mar 11 2008 +# +# +# changelog: +# 1 - initial release suid02pcaps +# 2 - renamend to pcaps4suid0 +# implement idea of change between permitted/effective set +# or iherited/effective set (pam_cap.so) +# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code +# +# +# +# change different suid-0 binaries away from suid-0 to using +# POSIX Capabilities through their Permitted and Effective Set +# --> legacy support +# --> use SET=pe +# +# +# OR change different suid-0 binaries away from suid-0 to using +# POSIX Capabilities through their Inherited and Effective Set +# --> PAM support to set Inheritance set through pam_cap.so +# --> use SET=ie +# +# +# +# +############################################################### +# for example use this find call: +# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \; +############################################################### + + + +##HERE WE ADD APPS +################## + +## these apps uses their POSIX Caps +################################### +# see /usr/include/linux/capability.h +#ping=cap_net_raw +ping=13 +#traceroute=cap_net_raw +traceroute=13 +chsh=0,2,4,7 +chfn=0,2,4,7 +Xorg=1,6,7,17,21,26 +chage=2 +#passwd=0,2,4,7 +#passwd 0,1 +passwd=0,1,3 #PAM +unix_chkpwd=1 +mount=1,21 +umount=1,21 + +# this apps were converted/reverted +################################### +APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount ) + + +# we put it into this set +######################### +#SET=pe +SET=ie + + +##FROM HERE ONLY LOGIC +###################### + +#save assumption!? +export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin + +p4s_test(){ + # are we sane? + WICH=`which which 2>/dev/null` + if [ $WICH == "" ]; then + # thats bad + echo "Sorry, I haven't found which" + exit + fi + + # we needt his apps + CHMOD=`which chmod 2>/dev/null` + SETCAP=`which setcap 2>/dev/null` + if [ "$CHMOD" == "" -o "$SETCAP" == "" ]; then + echo "Sorry, I'm missing chmod or setcap !" + exit + fi + + # checking setcap for SET_SETFCAP PCap ? + # for now we stick to root + if [ "$( id -u )" != "0" ]; then + echo "Sorry, you must be root !" + exit 1 + fi +} + + + +p4s_app_convert(){ + # convert a single app + # $1 is app name; $2 is POSIX Caps + # well symlinks to apps, so we use -a ... + APP=`which -a $1 2>/dev/null` + if [ "$APP" != "" ]; then + FOUND=no + for i in $APP; do + # ... and are looking for symlinks + if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then + echo "converting $i" + chmod u-s $i + setcap $2=$SET $i + FOUND=yes + fi + done + if [ "$FOUND" == "no" ]; then + # 'which' found only symlinks + echo "1 haven't found $1" + fi + else + # 'which' hasn't anything given back + echo "haven't found $1" + fi +} + + + +p4s_app_revert(){ + # revert a singel app + # $1 is app name + APP=`which -a $1 2>/dev/null` + if [ "$APP" != "" ]; then + FOUND=no + for i in $APP; do + if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then + echo "reverting $i" + chmod u+s $i + setcap -r $i 2>/dev/null + FOUND=yes + fi + done + if [ "$FOUND" == "no" ]; then + echo "1 haven't found $1" + fi + else + echo "haven't found $1" + fi +} + + + +p4s_convert(){ + # we go throug the APPSARRAY and call s2p_app_convert to do the job + COUNTER=0 + let UPPER=${#APPSARRAY[*]}-1 + until [ $COUNTER == $UPPER ]; do + p4s_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]} + let COUNTER+=1 + done +} + + + +p4s_revert(){ + COUNTER=0 + let UPPER=${#APPSARRAY[*]}-1 + until [ $COUNTER == $UPPER ]; do + p4s_app_revert ${APPSARRAY[$COUNTER]} + let COUNTER+=1 + done + +} + + + +p4s_usage(){ + echo + echo "pcaps4suid0" + echo + echo "pcaps4suid0 changes the file system entry of binaries from using setuid-0" + echo "to using POSIX Capabilities by granting the necessary Privileges" + echo "This is done by storing the needed POSIX Capabilities into the extended" + echo "attribute capability through setcap." + echo "Following the idea of setuid - granting a binary the privilege regardless" + echo "of the user, the POSIX Capabilities are stored into the Permitted and" + echo "Effective set." + echo "If you are using pam_cap.so, you might want to change the set into the" + echo "Inherited and Effective set (check for the SET var)." + echo + echo "You need and I will check fot the utilities which, chmod and setcap." + echo + echo "Your Filesystem has to support extended attributes and your kernel must have" + echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)." + echo + echo "Usage: pcaps4suid0 [con(vert)|rev(ert)|help]" + echo + echo " con|convert - from setuid0 to POSIX Capabilities" + echo " rev|revert - from POSIX Capabilities back to setui0" + echo " help - this help message" + echo +} + + + +case "$1" in + con|convert) + p4s_test + p4s_convert + exit 0 + ;; + rev|revert) + p4s_test + p4s_revert + exit 0 + ;; + help) + p4s_usage + exit 0 + ;; + *) + echo "Try 'pcaps4suid0 help' for more information" + exit 1 + ;; +esac diff --git a/libcap/libcap-2.24/doc/Makefile b/libcap/libcap-2.24/doc/Makefile @@ -0,0 +1,50 @@ +# +# Makefile for libcap documentation +# + +topdir=$(shell pwd)/.. +include $(topdir)/Make.Rules + +MAN1S = capsh.1 +MAN3S = cap_init.3 cap_free.3 cap_dup.3 \ + cap_clear.3 cap_clear_flag.3 cap_get_flag.3 cap_set_flag.3 \ + cap_compare.3 cap_get_proc.3 cap_get_pid.3 cap_set_proc.3 \ + cap_get_file.3 cap_get_fd.3 cap_set_file.3 cap_set_fd.3 \ + cap_copy_ext.3 cap_size.3 cap_copy_int.3 \ + cap_from_text.3 cap_to_text.3 cap_from_name.3 cap_to_name.3 \ + capsetp.3 capgetp.3 libcap.3 \ + cap_get_bound.3 cap_drop_bound.3 +MAN8S = getcap.8 setcap.8 + +MANS = $(MAN1S) $(MAN3S) $(MAN8S) + +all: $(MANS) + +.PHONY: html +html: + mkdir -p html + for man in $(MANS) ; \ + do \ + egrep '^\.so man' $$man > /dev/null || \ + groff -man -Thtml $$man > html/$$man.html ; \ + done + +install: + mkdir -p -m 755 $(MANDIR)/man1 $(MANDIR)/man3 $(MANDIR)/man8 + for man in \ + $(MANDIR)/man1 $(MAN1S) \ + $(MANDIR)/man3 $(MAN3S) \ + $(MANDIR)/man8 $(MAN8S) \ + ; \ + do \ + case $$man in \ + /*) sub=$$man ; continue ;; \ + esac; \ + install -m 644 $$man $$sub ; \ + done + +clean: + $(LOCALCLEAN) + rm -rf html + + diff --git a/libcap/libcap-2.24/doc/cap_clear.3 b/libcap/libcap-2.24/doc/cap_clear.3 @@ -0,0 +1,133 @@ +.TH CAP_CLEAR 3 "2008-05-11" "" "Linux Programmer's Manual" +.SH NAME +cap_clear, cap_clear_flag, cap_get_flag, cap_set_flag, cap_compare \- capability data object manipulation +.SH SYNOPSIS +.nf +.B #include <sys/capability.h> +.sp +.BI "int cap_clear(cap_t " cap_p ); +.sp +.BI "int cap_clear_flag(cap_t " cap_p ", cap_flag_t " flag ");" +.sp +.BI "int cap_get_flag(cap_t " cap_p ", cap_value_t " cap , +.BI " cap_flag_t " flag ", cap_flag_value_t *" value_p ");" +.sp +.BI "int cap_set_flag(cap_t " cap_p ", cap_flag_t " flag ", int " ncap , +.BI " const cap_value_t *" caps \ +", cap_flag_value_t " value ");" +.sp +.BI "int cap_compare(cap_t " cap_a ", cap_t " cap_b ");" +.sp +Link with \fI-lcap\fP. +.fi +.SH DESCRIPTION +These functions work on a capability state held in working storage. +A +.I cap_t +holds information about the capabilities in each of the three sets, +Permitted, Inheritable, and Effective. +Each capability in a set may be clear (disabled, 0) or set (enabled, 1). +.PP +These functions work with the following data types: +.TP 18 +.I cap_value_t +identifies a capability, such as +.BR CAP_CHOWN . +.TP +.I cap_flag_t +identifies one of the three flags associated with a capability +(i.e., it identifies one of the three capability sets). +Valid values for this type are +.BR CAP_EFFECTIVE , +.B CAP_INHERITABLE +or +.BR CAP_PERMITTED . +.TP +.I cap_flag_value_t +identifies the setting of a particular capability flag +(i.e, the value of a capability in a set). +Valid values for this type are +.B CAP_CLEAR +(0) or +.B CAP_SET +(1). +.PP +.BR cap_clear () +initializes the capability state in working storage identified by +.I cap_p +so that all capability flags are cleared. +.PP +.BR cap_clear_flag () +clears all of the capabilities of the specified capability flag, +.IR flag . +.PP +.BR cap_get_flag () +obtains the current value of the capability flag, +.IR flag , +of the capability, +.IR cap , +from the capability state identified by +.I cap_p +and places it in the location pointed to by +.IR value_p . +.PP +.BR cap_set_flag () +sets the flag, +.IR flag , +of each capability in the array +.I caps +in the capability state identified by +.I cap_p +to +.IR value . +The argument, +.IR ncap , +is used to specify the number of capabilities in the array, +.IR caps . +.PP +.BR cap_compare () +compares two full capability sets and, in the spirit of +.BR memcmp (), +returns zero if the two capability sets are identical. A positive +return value, +.BR status , +indicates there is a difference between them. The +returned value carries further information about which of three sets, +.I cap_flag_t +.BR flag , +differ. Specifically, the macro +.B CAP_DIFFERS +.RI ( status ", " flag ) +evaluates to non-zero if the returned status differs in its +.I flag +components. +.SH "RETURN VALUE" +.BR cap_clear (), +.BR cap_clear_flag (), +.BR cap_get_flag () +.BR cap_set_flag () +and +.BR cap_compare () +return zero on success, and \-1 on failure. Other return values for +.BR cap_compare () +are described above. +.PP +On failure, +.I errno +is set to +.BR EINVAL , +indicating that one of the arguments is invalid. +.SH "CONFORMING TO" +These functions are as per the withdrawn POSIX.1e draft specification. +.BR cap_clear_flag () +and +.BR cap_compare () +are Linux extensions. +.SH "SEE ALSO" +.BR libcap (3), +.BR cap_copy_ext (3), +.BR cap_from_text (3), +.BR cap_get_file (3), +.BR cap_get_proc (3), +.BR cap_init (3), +.BR capabilities (7) diff --git a/libcap/libcap-2.24/doc/cap_clear_flag.3 b/libcap/libcap-2.24/doc/cap_clear_flag.3 @@ -0,0 +1 @@ +.so man3/cap_clear.3 diff --git a/libcap/libcap-2.24/doc/cap_compare.3 b/libcap/libcap-2.24/doc/cap_compare.3 @@ -0,0 +1 @@ +.so man3/cap_clear.3 diff --git a/libcap/libcap-2.24/doc/cap_copy_ext.3 b/libcap/libcap-2.24/doc/cap_copy_ext.3 @@ -0,0 +1,104 @@ +.TH CAP_COPY_EXT 3 "2008-05-11" "" "Linux Programmer's Manual" +.SH NAME +cap_copy_ext, cap_size, cap_copy_int \- capability state +external representation translation +.SH SYNOPSIS +.B #include <sys/capability.h> +.sp +.BI "ssize_t cap_size(cap_t " cap_p ); +.sp +.BI "ssize_t cap_copy_ext(void *" ext_p ", cap_t " cap_p ", ssize_t " size ); +.sp +.BI "cap_t cap_copy_int(const void *" ext_p ); +.sp +Link with \fI-lcap\fP. +.SH DESCRIPTION +These functions translate between internal and external +representations of a capability state. The external representation is +an exportable, contiguous, persistent representation of a capability +state in user-managed space. The internal representation is managed +by the capability functions in working storage. +.PP +.BR cap_size () +returns the total length (in bytes) that the capability state in working +storage identified by +.I cap_p +would require when converted by +.BR cap_copy_ext (). +This function is used primarily to determine the amount of buffer space that +must be provided to the +.BR cap_copy_ext () +function in order to hold the capability data record created from +.IR cap_p . +.PP +.BR cap_copy_ext () +copies a capability state in working storage, identified by +.IR cap_p , +from system managed space to user-managed space (pointed to by +.IR ext_p ) +and returns the length of the resulting data record. The size parameter +represents the maximum size, in bytes, of the resulting data record. The +.BR cap_copy_ext () +function will do any conversions necessary to convert the capability +state from the undefined internal format to an exportable, contiguous, +persistent data record. It is the responsibility of the user to +allocate a buffer large enough to hold the copied data. The buffer +length required to hold the copied data may be obtained by a call to +the +.BR cap_size () +function. +.PP +.BR cap_copy_int () +copies a capability state from a capability data record in user-managed +space to a new capability state in working storage, allocating any +memory necessary, and returning a pointer to the newly created capability +state. The function initializes the capability state and then copies +the capability state from the record pointed to by +.I ext_p +into the capability state, converting, if necessary, the data from a +contiguous, persistent format to an undefined, internal format. Once +copied into internal format, the object can be manipulated by the capability +state manipulation functions (see +.BR cap_clear (3)). +Note that the record pointed to by +.I ext_p +must have been obtained from a previous, successful call to +.BR cap_copy_ext () +for this function to work successfully. The caller should free any +releasable memory, when the capability state in working storage is no +longer required, by calling +.BR cap_free () +with the +.I cap_t +as an argument. +.SH "RETURN VALUE" +.BR cap_size () +returns the length required to hold a capability data record on success, +and -1 on failure. +.PP +.BR cap_copy_ext () +returns the number of bytes placed in the user managed space pointed to by +.I ext_p +on success, and -1 on failure. +.PP +.BR cap_copy_int () +returns a pointer to the newly created capability state in working storage +on success, and NULL on failure. +.PP +On failure, +.BR errno +is set to +.BR EINVAL , +.BR ENOMEM , +or +.BR ERANGE . +.SH "CONFORMING TO" +These functions are specified in the withdrawn POSIX.1e draft specification. +.SH "SEE ALSO" +.BR libcap (3), +.BR cap_clear (3), +.BR cap_from_text (3), +.BR cap_get_file (3), +.BR cap_get_proc (3), +.BR cap_init (3), +.BR capabilities (7) diff --git a/libcap/libcap-2.24/doc/cap_copy_int.3 b/libcap/libcap-2.24/doc/cap_copy_int.3 @@ -0,0 +1 @@ +.so man3/cap_copy_ext.3 diff --git a/libcap/libcap-2.24/doc/cap_drop_bound.3 b/libcap/libcap-2.24/doc/cap_drop_bound.3 @@ -0,0 +1 @@ +.so man3/cap_get_proc.3 diff --git a/libcap/libcap-2.24/doc/cap_dup.3 b/libcap/libcap-2.24/doc/cap_dup.3 @@ -0,0 +1 @@ +.so man3/cap_init.3 diff --git a/libcap/libcap-2.24/doc/cap_free.3 b/libcap/libcap-2.24/doc/cap_free.3 @@ -0,0 +1 @@ +.so man3/cap_init.3 diff --git a/libcap/libcap-2.24/doc/cap_from_name.3 b/libcap/libcap-2.24/doc/cap_from_name.3 @@ -0,0 +1 @@ +.so man3/cap_from_text.3 diff --git a/libcap/libcap-2.24/doc/cap_from_text.3 b/libcap/libcap-2.24/doc/cap_from_text.3 @@ -0,0 +1,233 @@ +.\" +.\" written by Andrew Main <zefram@dcs.warwick.ac.uk> +.\" +.TH CAP_FROM_TEXT 3 "2008-05-10" "" "Linux Programmer's Manual" +.SH NAME +cap_from_text, cap_to_text, cap_to_name, cap_from_name \- capability +state textual representation translation +.SH SYNOPSIS +.B #include <sys/capability.h> +.sp +.BI "cap_t cap_from_text(const char *" buf_p ); +.sp +.BI "char *cap_to_text(cap_t " caps ", ssize_t *" length_p ); +.sp +.BI "int cap_from_name(const char *" name ", cap_value_t *" cap_p ); +.sp +.BI "char *cap_to_name(cap_value_t " cap ); +.sp +Link with \fI-lcap\fP. +.SH DESCRIPTION +These functions translate a capability state between +an internal representation and a textual one. +The internal representation is managed by the capability +functions in working storage. The textual representation is a structured, +human-readable string suitable for display. +.PP +.BR cap_from_text () +allocates and initializes a capability state in working storage. It +then sets the contents of this newly created capability state to the +state represented by a human-readable, nul-terminated character +string pointed to by +.IR buf_p . +It returns a pointer to the newly created capability state. +When the capability state in working storage is no longer required, +the caller should free any releasable memory +by calling +.BR cap_free () +with +.I cap_t +as an argument. The function returns an error if it cannot parse the +contents of the string pointed to by +.I buf_p +or does not recognize any +.I capability_name +or flag character as valid. The function also returns an error if any flag +is both set and cleared within a single clause. +.PP +.BR cap_to_text () +converts the capability state in working storage identified by +.I cap_p +into a nul-terminated human-readable string. This function allocates +any memory necessary to contain the string, and returns a pointer to +the string. If the pointer +.I len_p +is not NULL, +the function shall also return the full length of the string (not including +the nul terminator) in the location pointed to by +.IR len_p . +The capability state in working storage, identified by +.IR cap_p , +is completely represented in the character string. +When the capability state in working storage is no longer required, +the caller should free any releasable memory by calling +.BR cap_free () +with the returned string pointer as an argument. +.PP +.BR cap_from_name () +converts a text representation of a capability, such as "cap_chown", +to its numerical representation +.RB ( CAP_CHOWN=0 ), +writing the decoded value into +.IR *cap_p . +If +.I cap_p +is NULL +no result is written, but the return code of the function indicates +whether or not the specified capability can be represented by the +library. +.PP +.BR cap_to_name () +converts a capability index value, +.IR cap , +to a libcap-allocated textual string. This string should be +deallocated with +.BR cap_free (). +.SH "TEXTUAL REPRESENTATION" +A textual representation of capability sets consists of one or more +whitespace-separated +.IR clauses . +Each clause specifies some operations on a capability set; the set +starts out with all capabilities lowered, and the meaning of the +string is the state of the capability set after all the clauses have +been applied in order. +.PP +Each clause consists of a list of comma-separated capability names +(or the word +.RB ` all '), +followed by an +.IR action-list . +An action-list consists of a sequence of +.I operator flag +pairs. Legal operators are: +.RB ` = "', '" + "', and `" - "'." +Legal flags are: +.RB ` e "', `" i "', and `" p "'." +These flags are case-sensitive and specify the Effective, Inheritable +and Permitted sets respectively. +.PP +In the capability name lists, all names are case-insensitive. The +special name +.RB ` all ' +specifies all capabilities; it is equivalent to a list naming every +capability individually. +.PP +Unnamed capabilities can also be specified by number. This feature +ensures that libcap can support capabilities that were not allocated +at the time libcap was compiled. However, generally upgrading libcap +will add names for recently allocated capabilities. +.PP +The +.RB ` = ' +operator indicates that the listed capabilities are first reset in +all three capability sets. The subsequent flags (which are optional +when associated with this operator) indicate that the listed +capabilities for the corresponding set are to be raised. For example: +"all=p" means lower every capability in the Effective and Inheritable +sets but raise all of the Permitted capabilities; +or, "cap_fowner=ep" means raise the Effective and Permitted +override-file-ownership capability, while lowering this Inheritable +capability. +.PP +In the case that the leading operator is +.RB ` = ', +and no list of capabilities is provided, the action-list is assumed to +refer to `all' capabilities. For example, the following three +clauses are equivalent to each other (and indicate a completely empty +capability set): "all="; "="; "cap_chown,<every-other-capability>=". +.PP +The operators, `+' and `-' both require an explicit preceding +capability list and one or more explicit trailing flags. The `+' +operator will raise all of the listed capabilities in the flagged +capability sets. The `-' operator will lower all of the listed +capabilities in the flagged capability sets. For example: +"all+p" will raise all of the Permitted capabilities; "cap_fowner+p-i" +will raise the override-file-ownership capability in the Permitted +capability set and lower this Inheritable capability; +"cap_fowner+pe-i" and "cap_fowner=+pe" are equivalent. +.SH "RETURN VALUE" +.BR cap_from_text (), +.BR cap_to_text () +and +.BR cap_to_name () +return a non-NULL value on success, and NULL on failure. +.BR cap_from_name () +returns 0 for success, and -1 on failure (unknown capability). +.PP +On failure, +.I errno +is set to +.BR EINVAL , +or +.BR ENOMEM . +.SH "CONFORMING TO" +.BR cap_from_text () +and +.BR cap_to_text () +are specified by the withdrawn POSIX.1e draft specification. +.BR cap_from_name () +and +.BR cap_to_name () +are Linux extensions. +.SH EXAMPLE +The example program below demonstrates the use of +.BR cap_from_text () +and +.BR cap_to_text (). +The following shell session shows a some example runs: +.in +4n +.nf + +$ ./a.out "cap_chown=p cap_chown+e" +caps_to_text() returned "= cap_chown+ep" +$ ./a.out "all=pe cap_chown-e cap_kill-pe" +caps_to_text() returned "=ep cap_chown-e cap_kill-ep" + +.fi +.in +The source code of the program is as follows: +.nf + +#include <stdlib.h> +#include <stdio.h> +#include <sys/capability.h> + +#define handle_error(msg) \\ + do { perror(msg); exit(EXIT_FAILURE); } while (0) + +int +main(int argc, char *argv[]) +{ + cap_t caps; + char *txt_caps; + + if (argc != 2) { + fprintf(stderr, "%s <textual\-cap\-set>\\n", argv[0]); + exit(EXIT_FAILURE); + } + + caps = cap_from_text(argv[1]); + if (caps == NULL) + handle_error("cap_from_text"); + + txt_caps = cap_to_text(caps, NULL); + if (txt_caps == NULL) + handle_error("cap_to_text"); + + printf("caps_to_text() returned \\"%s\\"\\n", txt_caps); + + if (cap_free(txt_caps) != 0 || cap_free(caps) != 0) + handle_error("cap_free"); + + exit(EXIT_SUCCESS); +} +.fi +.SH "SEE ALSO" +.BR libcap (3), +.BR cap_clear (3), +.BR cap_compare (3), +.BR cap_copy_ext (3), +.BR cap_get_file (3), +.BR cap_get_proc (3), +.BR cap_init (3), +.BR capabilities (7) diff --git a/libcap/libcap-2.24/doc/cap_get_bound.3 b/libcap/libcap-2.24/doc/cap_get_bound.3 @@ -0,0 +1 @@ +.so man3/cap_get_proc.3 diff --git a/libcap/libcap-2.24/doc/cap_get_fd.3 b/libcap/libcap-2.24/doc/cap_get_fd.3 @@ -0,0 +1 @@ +.so man3/cap_get_file.3 diff --git a/libcap/libcap-2.24/doc/cap_get_file.3 b/libcap/libcap-2.24/doc/cap_get_file.3 @@ -0,0 +1,124 @@ +.\" +.\" written by Andrew Main <zefram@dcs.warwick.ac.uk> +.\" +.TH CAP_GET_FILE 3 "2008-05-11" "" "Linux Programmer's Manual" +.SH NAME +cap_get_file, cap_set_file, cap_get_fd, cap_set_fd \- capability +manipulation on files +.SH SYNOPSIS +.B +.sp +.B #include <sys/capability.h> +.sp +.BI "cap_t cap_get_file(const char *" path_p ); +.sp +.BI "int cap_set_file(const char *" path_p ", cap_t " cap_p ); +.sp +.BI "cap_t cap_get_fd(int " fd ); +.sp +.BI "int cap_set_fd(int " fd ", cap_t " caps ); +.sp +Link with \fI-lcap\fP. +.SH DESCRIPTION +.BR cap_get_file () +and +.BR cap_get_fd () +allocate a capability state in working storage and set it to represent the +capability state of the pathname pointed to by +.I path_p +or the file open on descriptor +.IR fd . +These functions return a pointer to the newly created capability +state. The effects of reading the capability state from any file +other than a regular file is undefined. The caller should free any +releasable memory, when the capability state in working storage is no +longer required, by calling +.BR cap_free () +with the used +.I cap_t +as an argument. +.PP +.BR cap_set_file () +and +.BR cap_set_fd () +set the values for all capability flags for all capabilities for the pathname +pointed to by +.I path_p +or the file open on descriptor +.IR fd , +with the capability state identified by +.IR cap_p . +The new capability state of the file is completely determined by the +contents of +.IR cap_p . +A NULL value for +.IR cap_p +is used to indicate that capabilities for the file should be deleted. +For these functions to succeed, the calling process must have the +effective capability, +.BR CAP_SETFCAP , +enabled and either the effective user ID of the process must match the +file owner or the calling process must have the +.B CAP_FOWNER +flag in its effective capability set. The effects of writing the +capability state to any file type other than a regular file are +undefined. +.SH "RETURN VALUE" +.BR cap_get_file () +and +.BR cap_get_fd () +return a non-NULL value on success, and NULL on failure. +.PP +.BR cap_set_file () +and +.BR cap_set_fd () +return zero on success, and \-1 on failure. +.PP +On failure, +.I errno +is set to +.BR EACCES , +.BR EBADFD , +.BR ENAMETOOLONG , +.BR ENOENT , +.BR ENOMEM , +.BR ENOTDIR , +.BR EPERM , +or +.BR EROFS . +.SH "CONFORMING TO" +These functions are specified by withdrawn POSIX.1e draft specification. +.SH NOTES +Support for file capabilities is provided on Linux since version 2.6.24. + +On Linux, the file Effective set is a single bit. +If it is enabled, then all Permitted capabilities are enabled +in the Effective set of the calling process when the file is executed; +otherwise, no capabilities are enabled in the process's Effective set +following an +.BR execve (2). +Because the file Effective set is a single bit, +if any capability is enabled in the Effective set of the +.I cap_t +given to +.BR cap_set_file () +or +.BR cap_set_fd (), +then all capabilities whose Permitted or Inheritable flag +is enabled must also have the Effective flag enabled. +Conversely, if the Effective bit is enabled on a file, then the +.I cap_t +returned by +.BR cap_get_file() +and +.BR cap_get_fd() +will have the Effective flag enabled for each capability that has the +Permitted or Inheritable flag enabled. +.SH "SEE ALSO" +.BR libcap (3), +.BR cap_clear (3), +.BR cap_copy_ext (3), +.BR cap_from_text (3), +.BR cap_get_proc (3), +.BR cap_init (3), +.BR capabilities (7) diff --git a/libcap/libcap-2.24/doc/cap_get_flag.3 b/libcap/libcap-2.24/doc/cap_get_flag.3 @@ -0,0 +1 @@ +.so man3/cap_clear.3 diff --git a/libcap/libcap-2.24/doc/cap_get_pid.3 b/libcap/libcap-2.24/doc/cap_get_pid.3 @@ -0,0 +1 @@ +.so man3/cap_get_proc.3 diff --git a/libcap/libcap-2.24/doc/cap_get_proc.3 b/libcap/libcap-2.24/doc/cap_get_proc.3 @@ -0,0 +1,204 @@ +.\" +.\" $Id: cap_get_proc.3,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $ +.\" +.TH CAP_GET_PROC 3 "2008-05-11" "" "Linux Programmer's Manual" +.SH NAME +cap_get_proc, cap_set_proc, capgetp, cap_get_bound, cap_drop_bound \- +capability manipulation on processes +.SH SYNOPSIS +.B #include <sys/capability.h> +.sp +.B "cap_t cap_get_proc(void);" +.sp +.BI "int cap_set_proc(cap_t " cap_p ); +.sp +.BI "int cap_get_bound(cap_value_t " cap ); +.sp +.BI "CAP_IS_SUPPORTED(cap_value_t " cap ); +.sp +.BI "int cap_drop_bound(cap_value_t " cap ); +.sp +.B #include <sys/types.h> +.sp +.BI "cap_t cap_get_pid(pid_t " pid ); +.sp +Link with \fI-lcap\fP. +.SH DESCRIPTION +.BR cap_get_proc () +allocates a capability state in working storage, sets its state to +that of the calling process, and returns a pointer to this newly +created capability state. The caller should free any releasable +memory, when the capability state in working storage is no longer +required, by calling +.BR cap_free () +with the +.I cap_t +as an argument. +.PP +.BR cap_set_proc () +sets the values for all capability flags for all capabilities to the +capability state identified by +.IR cap_p . +The new capability state of the process will be completely determined by +the contents of +.I cap_p +upon successful return from this function. If any flag in +.I cap_p +is set for any capability not currently permitted for the calling process, +the function will fail, and the capability state of the process will remain +unchanged. +.PP +.BR cap_get_pid () +returns +.IR cap_d , +see +.BR cap_init (3), +with the process capabilities of the process indicated by +.IR pid . +This information can also be obtained from the +.I /proc/<pid>/status +file. +.PP +.BR cap_get_bound () +with a +.I cap +as an argument returns the current value of this bounding set +capability flag in effect for the current process. This operation is +unpriveged. Note, a macro function +.BI "CAP_IS_SUPPORTED(cap_value_t " cap ) +is provided that evaluates to true (1) if the system supports the +specified capability, +.IR cap . +If the system does not support the capability, this function returns +0. This macro works by testing for an error condition with +.BR cap_get_bound (). +.PP +.BR cap_drop_bound () +can be used to lower the specified bounding set capability, +.BR cap , +To complete successfully, the prevailing +.I effective +capability set must have a raised +.BR CAP_SETPCAP . +.SH "RETURN VALUE" +The functions +.BR cap_get_proc () +and +.BR cap_get_pid () +return a non-NULL value on success, and NULL on failure. +.PP +The function +.BR cap_get_bound () +returns -1 if the requested capability is unknown, otherwise the +return value reflects the current state of that capability in the +prevailing bounding set. Note, a macro function, +.PP +The functions +.BR cap_set_proc () +and +.BR cap_drop_bound () +return zero for success, and \-1 on failure. +.PP +On failure, +.I errno +is set to +.BR EINVAL , +.BR EPERM, +or +.BR ENOMEM . +.SH "CONFORMING TO" +.BR cap_set_proc () +and +.BR cap_get_proc () +are specified in the withdrawn POSIX.1e draft specification. +.BR cap_get_pid () +is a Linux extension. +.SH "NOTES" +The library also supports the deprecated functions: +.PP +.BI "int capgetp(pid_t " pid ", cap_t " cap_d ); +.PP +.BI "int capsetp(pid_t " pid ", cap_t " cap_d ); +.PP +.BR capgetp () +attempts to obtain the capabilities of some other process; storing the +capabilities in a pre-allocated +.IR cap_d . See +.BR cap_init () +for information on allocating an empty capability set. This function, +.BR capgetp (), +is deprecated, you should use +.BR cap_get_pid (). +.PP +.BR capsetp () +attempts to set the capabilities of some other process(es), +.IR pid . +If +.I pid +is positive it refers to a specific process; if it is zero, it refers +to the current process; -1 refers to all processes other than the +current process and process '1' (typically +.BR init (8)); +other negative values refer to the +.I -pid +process group. In order to use this function, the kernel must support +it and the current process must have +.B CAP_SETPCAP +raised in its Effective capability set. The capabilities set in the +target process(es) are those contained in +.IR cap_d . +Kernels that support filesystem capabilities redefine the semantics of +.B CAP_SETPCAP +and on such systems this function will always fail for any target not +equal to the current process. +.BR capsetp () +returns zero for success, and \-1 on failure. + +Where supported by the kernel, the function +.BR capsetp () +should be used with care. It existed, primarily, to overcome an early +lack of support for capabilities in the filesystems supported by +Linux. Note that, by default, the only processes that have +.B CAP_SETPCAP +available to them are processes started as a kernel thread. +(Typically this includes +.BR init (8), +kflushd and kswapd). You will need to recompile the kernel to modify +this default. +.SH EXAMPLE +The code segment below raises the +.B CAP_FOWNER +and +.B CAP_SETFCAP +effective capabilities for the caller: +.nf + + cap_t caps; + cap_value_t cap_list[2]; + + if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) + /* handle error */ + + caps = cap_get_proc(); + if (caps == NULL) + /* handle error */; + + cap_list[0] = CAP_FOWNER; + cap_list[1] = CAP_SETFCAP; + if (cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_list, CAP_SET) == -1) + /* handle error */; + + if (cap_set_proc(caps) == -1) + /* handle error */; + + if (cap_free(caps) == -1) + /* handle error */; +.fi +.SH "SEE ALSO" +.BR libcap (3), +.BR cap_clear (3), +.BR cap_copy_ext (3), +.BR cap_from_text (3), +.BR cap_get_file (3), +.BR cap_init (3), +.BR capabilities (7) diff --git a/libcap/libcap-2.24/doc/cap_init.3 b/libcap/libcap-2.24/doc/cap_init.3 @@ -0,0 +1,86 @@ +.\" +.\" written by Andrew Main <zefram@dcs.warwick.ac.uk> +.\" +.TH CAP_INIT 3 "2008-05-11" "" "Linux Programmer's Manual" +.SH NAME +cap_init, cap_free, cap_dup \- capability data object storage management +.SH SYNOPSIS +.B #include <sys/capability.h> +.sp +.B cap_t cap_init(void); +.sp +.BI "int cap_free(void *" obj_d ); +.sp +.BI "cap_t cap_dup(cap_t " cap_p ); +.sp +Link with \fI-lcap\fP. +.SH DESCRIPTION +The capabilities associated with a file or process are never edited +directly. Instead, working storage is allocated to contain a +representation of the capability state. Capabilities are edited and +manipulated only within this working storage area. Once editing of +the capability state is complete, the updated capability state is used +to replace the capability state associated with the file or process. +.PP +.BR cap_init () +creates a capability state in working storage and returns a pointer to +the capability state. The initial value of all flags are cleared. The +caller should free any releasable memory, when the capability state in +working storage is no longer required, by calling +.BR cap_free () +with the +.I cap_t +as an argument. +.PP +.BR cap_free () +liberates any releasable memory that has been allocated to the +capability state identified by +.IR obj_d . +The +.I obj_d +argument may identify either a +.I cap_t +entity, or a +.I char * +entity allocated by the +.BR cap_to_text () +function. +.PP +.BR cap_dup () +returns a duplicate capability state in working storage given by the +source object +.IR cap_p , +allocating any memory necessary, and returning a +pointer to the newly created capability state. Once duplicated, no +operation on either capability state affects the other in any way. +When the duplicated capability state in working storage is no longer required, +the caller should free any releasable memory by calling +.BR cap_free () +with the +.I cap_t +as an argument. +.SH "RETURN VALUE" +.BR cap_init () +and +.BR cap_dup () +return a non-NULL value on success, and NULL on failure. +.PP +.BR cap_free () +returns zero on success, and \-1 on failure. +.PP +On failure, +.I errno +is set to +.BR EINVAL +or +.BR ENOMEM . +.SH "CONFORMING TO" +These functions are specified in the withdrawn POSIX.1e draft specification. +.SH "SEE ALSO" +.BR libcap (3), +.BR cap_clear (3), +.BR cap_copy_ext (3), +.BR cap_from_text (3), +.BR cap_get_file (3), +.BR cap_get_proc (3), +.BR capabilities (7) diff --git a/libcap/libcap-2.24/doc/cap_set_fd.3 b/libcap/libcap-2.24/doc/cap_set_fd.3 @@ -0,0 +1 @@ +.so man3/cap_get_file.3 diff --git a/libcap/libcap-2.24/doc/cap_set_file.3 b/libcap/libcap-2.24/doc/cap_set_file.3 @@ -0,0 +1 @@ +.so man3/cap_get_file.3 diff --git a/libcap/libcap-2.24/doc/cap_set_flag.3 b/libcap/libcap-2.24/doc/cap_set_flag.3 @@ -0,0 +1 @@ +.so man3/cap_clear.3 diff --git a/libcap/libcap-2.24/doc/cap_set_proc.3 b/libcap/libcap-2.24/doc/cap_set_proc.3 @@ -0,0 +1 @@ +.so man3/cap_get_proc.3 diff --git a/libcap/libcap-2.24/doc/cap_size.3 b/libcap/libcap-2.24/doc/cap_size.3 @@ -0,0 +1 @@ +.so man3/cap_copy_ext.3 diff --git a/libcap/libcap-2.24/doc/cap_to_name.3 b/libcap/libcap-2.24/doc/cap_to_name.3 @@ -0,0 +1 @@ +.so man3/cap_from_text.3 diff --git a/libcap/libcap-2.24/doc/cap_to_text.3 b/libcap/libcap-2.24/doc/cap_to_text.3 @@ -0,0 +1 @@ +.so man3/cap_from_text.3 diff --git a/libcap/libcap-2.24/doc/capability.notes b/libcap/libcap-2.24/doc/capability.notes @@ -0,0 +1,58 @@ +Overview +-------- + +As of Linux 2.2.0, the power of the superuser has been partitioned +into a set of discrete capabilities (in other places, these +capabilities are know as privileges). + +The contents of the libcap package are a library and a number of +simple programs that are intended to show how an application/daemon +can be protected (with wrappers) or rewritten to take advantage of +this fine grained approach to constraining the danger to your system +from programs running as 'root'. + +Notes on securing your system +----------------------------- + +Adopting a role approach to system security: + +changing all of the system binaries and directories to be owned by +some user that cannot log on. You might like to create a user with +the name 'system' who's account is locked with a '*' password. This +user can be made the owner of all of the system directories on your +system and critical system binaries too. + +Why is this a good idea? In a simple case, the CAP_FUSER capabilty is +required for the superuser to delete files owned by a non-root user in +a 'sticky-bit' protected non-root owned directory. Thus, the sticky +bit can help you protect the /lib/ directory from an compromized +daemon where the directory and the files it contains are owned by the +system user. It can be protected by using a wrapper like execcap to +ensure that the daemon is not running with the CAP_FUSER capability... + + +Limiting the damage: + +If your daemon only needs to be setuid-root in order to bind to a low +numbered port. You should restrict it to only having access to the +CAP_NET_BIND_SERVICE capability. Coupled with not having any files on +the system owned by root, it becomes significantly harder for such a +daemon to damage your system. + +Note, you should think of this kind of trick as making things harder +for a potential attacker to exploit a hole in a daemon of this +type. Being able to bind to any privileged port is still a formidable +privilege and can lead to difficult but 'interesting' man in the +middle attacks -- hijack the telnet port for example and masquerade as +the login program... Collecting passwords for another day. + + +The /proc/ filesystem: + +This Linux-specific directory tree holds most of the state of the +system in a form that can sometimes be manipulated by file +read/writes. Take care to ensure that the filesystem is not mounted +with uid=0, since root (with no capabilities) would still be able to +read sensitive files in the /proc/ tree - kcore for example. + +[Patch is available for 2.2.1 - I just wrote it!] diff --git a/libcap/libcap-2.24/doc/capgetp.3 b/libcap/libcap-2.24/doc/capgetp.3 @@ -0,0 +1 @@ +.so man3/cap_get_proc.3 diff --git a/libcap/libcap-2.24/doc/capsetp.3 b/libcap/libcap-2.24/doc/capsetp.3 @@ -0,0 +1 @@ +.so man3/cap_get_proc.3 diff --git a/libcap/libcap-2.24/doc/capsh.1 b/libcap/libcap-2.24/doc/capsh.1 @@ -0,0 +1,173 @@ +.\" +.\" capsh.1 Man page added 2009-12-23 Andrew G. Morgan <morgan@kernel.org> +.\" +.TH CAPSH 1 "2011-04-24" "libcap 2" "User Commands" +.SH NAME +capsh \- capability shell wrapper +.SH SYNOPSIS +.B capsh +[\fIOPTION\fR]... +.SH DESCRIPTION +Linux capability support and use can be explored and constrained with +this tool. This tool provides a handy wrapper for certain types +of capability testing and environment creation. It also provides some +debugging features useful for summarizing capability state. +.SH OPTIONS +The tool takes a number of optional arguments, acting on them in the +order they are provided. They are as follows: +.TP 22 +.B --print +Display prevailing capability and related state. +.TP +.BI -- " [args]" +Execute +.B /bin/bash +with trailing arguments. Note, you can use +.B -c 'command to execute' +for specific commands. +.TP +.B == +Execute +.B capsh +again with remaining arguments. Useful for testing +.BR exec () +behavior. +.TP +.BI --caps= cap-set +Set the prevailing process capabilities to those specified by +.IR cap-set . +Where +.I cap-set +is a text-representation of capability state as per +.BR cap_from_text (3). +.TP +.BI --drop= cap-list +Remove the listed capabilities from the prevailing bounding set. The +capabilites are a comma separated list of capabilities as recognized +by the +.BR cap_from_name (3) +function. Use of this feature requires that the capsh program is +operating with +.B CAP_SETPCAP +in its effective set. +.TP +.BI --inh= cap-list +Set the inheritable set of capabilities for the current process to +equal those provided in the comma separated list. For this action to +succeed, the prevailing process should already have each of these +capabilities in the union of the current inheritable and permitted +capability sets, or the capsh program is operating with +.B CAP_SETPCAP +in its effective set. +.TP +.BI --user= username +Assume the identity of the named user. That is, look up the user's +.IR uid " and " gid +with +.BR getpwuid (3) +and their group memberships with +.BR getgrouplist (3) +and set them all. +.TP +.BI --uid= id +Force all +.B uid +values to equal +.I id +using the +.BR setuid (2) +system call. +.TP +.BI --gid= <id> +Force all +.B gid +values to equal +.I id +using the +.BR setgid (2) +system call. +.TP +.BI --groups= <id-list> +Set the supplementary groups to the numerical list provided. The +groups are set with the +.BR setgroups (2) +system call. +.TP +.BI --keep= <0|1> +In a non-pure capability mode, the kernel provides liberal privilege +to the super-user. However, it is normally the case that when the +super-user changes +.I uid +to some lesser user, then capabilities are dropped. For these +situations, the kernel can permit the process to retain its +capabilities after a +.BR setuid (2) +system call. This feature is known as +.I keep-caps +support. The way to activate it using this script is with this +argument. Setting the value to 1 will cause +.I keep-caps +to be active. Setting it to 0 will cause keep-caps to deactivate for +the current process. In all cases, +.I keep-caps +is deactivated when an +.BR exec () +is performed. See +.B --secbits +for ways to disable this feature. +.TP +.BI --secbits= N +XXX - need to document this feature. +.TP +.BI --chroot= path +Execute the +.BR chroot (2) +system call with the new root-directory (/) equal to +.IR path . +This operation requires +.B CAP_SYS_CHROOT +to be in effect. +.TP +.BI --forkfor= sec +.TP +.BI --killit= sig +.TP +.BI --decode= N +This is a convenience feature. If you look at +.B /proc/1/status +there are some capability related fields of the following form: + + CapInh: 0000000000000000 + CapPrm: ffffffffffffffff + CapEff: fffffffffffffeff + CapBnd: ffffffffffffffff + +This option provides a quick way to decode a capability vector +represented in this form. For example, the missing capability from +this effective set is 0x0100. By running: + + capsh --decode=0x0100 + +we observe that the missing capability is: +.BR cap_setpcap . +.TP +.BI --supports= xxx +As the kernel evolves, more capabilities are added. This option can be used +to verify the existence of a capability on the system. For example, +.BI --supports= cap_syslog +will cause capsh to promptly exit with a status of 1 when run on +kernel 2.6.27. However, when run on kernel 2.6.38 it will silently +succeed. +.TP +.SH "EXIT STATUS" +Following successful execution the tool exits with status 0. Following +an error, the tool immediately exits with status 1. +.SH AUTHOR +Written by Andrew G. Morgan <morgan@kernel.org>. +.SH "REPORTING BUGS" +Please report bugs to the author. +.SH "SEE ALSO" +.BR libcap (3), +.BR getcap (8), setcap (8) +and +.BR capabilities (7). diff --git a/libcap/libcap-2.24/doc/getcap.8 b/libcap/libcap-2.24/doc/getcap.8 @@ -0,0 +1,29 @@ +.\" +.\" $Id: getcap.8,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $ +.\" written by Andrew Main <zefram@dcs.warwick.ac.uk> +.\" +.TH GETCAP 8 "12 Nov 2007" +.SH NAME +getcap \- examine file capabilities +.SH SYNOPSIS +\fBgetcap\fP [-v] [-r] [-h] \fIfilename\fP [ ... ] +.SH DESCRIPTION +.B getcap +displays the name and capabilities of each specified +.SH OPTIONS +.TP 4 +.B -r +enables recursive search. +.TP 4 +.B -v +enables to display all searched entries, even if it has no file-capabilities. +.TP 4 +.B -h +prints quick usage. +.TP 4 +.IR filename +One file per line. +.SH "SEE ALSO" +.BR cap_get_file (3), +.BR cap_to_text (3), +.BR setcap (8) diff --git a/libcap/libcap-2.24/doc/libcap.3 b/libcap/libcap-2.24/doc/libcap.3 @@ -0,0 +1,114 @@ +.TH LIBCAP 3 "2008-07-29" "" "Linux Programmer's Manual" +.SH NAME +cap_clear, cap_clear_flag, cap_compare, cap_copy_ext, cap_copy_int, \ +cap_free, cap_from_name, cap_from_text, cap_get_fd, cap_get_file, \ +cap_get_flag, cap_get_pid, cap_get_proc, cap_set_fd, cap_set_file, \ +cap_set_flag, cap_set_proc, cap_size, cap_to_name, cap_to_text, \ +cap_get_pid, cap_dup \- capability data object manipulation +.SH SYNOPSIS +.nf +.B #include <sys/capability.h> +.sp +.BI "int cap_clear(cap_t " cap_p ); +.sp +.BI "int cap_clear_flag(cap_t " cap_p ", cap_flag_t " flag ");" +.sp +.BI "int cap_compare(cap_t " cap_a ", cap_t " cap_b ");" +.sp +.BI "ssize_t cap_copy_ext(void *" ext_p ", cap_t " cap_p ", ssize_t " size ); +.sp +.BI "cap_t cap_copy_int(const void *" ext_p ); +.sp +.BI "int cap_free(void *" obj_d ); +.sp +.BI "int cap_from_name(const char *" name ", cap_value_t *" cap_p ); +.sp +.BI "cap_t cap_from_text(const char *" buf_p ); +.sp +.BI "cap_t cap_get_fd(int " fd ); +.sp +.BI "cap_t cap_get_file(const char *" path_p ); +.sp +.BI "int cap_get_flag(cap_t " cap_p ", cap_value_t " cap , +.BI " cap_flag_t " flag ", cap_flag_value_t *" value_p ");" +.sp +.B #include <sys/types.h> +.BI "cap_t cap_get_pid(pid_t " pid ); +.sp +.B "cap_t cap_get_proc(void);" +.sp +.BI "int cap_set_fd(int " fd ", cap_t " caps ); +.sp +.BI "int cap_set_file(const char *" path_p ", cap_t " cap_p ); +.sp +.sp +.BI "int cap_set_flag(cap_t " cap_p ", cap_flag_t " flag ", int " ncap , +.BI " const cap_value_t *" caps ", cap_flag_value_t " value ");" +.BI "int cap_set_proc(cap_t " cap_p ); +.sp +.BI "ssize_t cap_size(cap_t " cap_p ); +.sp +.BI "char *cap_to_name(cap_value_t " cap ); +.sp +.BI "char *cap_to_text(cap_t " caps ", ssize_t *" length_p ); +.sp +.BI "cap_t cap_get_pid(pid_t " pid ); +.sp +.BI "cap_t cap_dup(cap_t " cap_p ); +.sp +Link with \fI-lcap\fP. +.fi +.SH DESCRIPTION +These functions work on a capability state held in working storage. +A +.I cap_t +holds information about the capabilities in each of the three sets, +Permitted, Inheritable, and Effective. +Each capability in a set may be clear (disabled, 0) or set (enabled, 1). +.PP +These functions work with the following data types: +.TP 18 +.I cap_value_t +identifies a capability, such as +.BR CAP_CHOWN . +.TP +.I cap_flag_t +identifies one of the three flags associated with a capability +(i.e., it identifies one of the three capability sets). +Valid values for this type are +.BR CAP_EFFECTIVE , +.B CAP_INHERITABLE +or +.BR CAP_PERMITTED . +.TP +.I cap_flag_value_t +identifies the setting of a particular capability flag +(i.e, the value of a capability in a set). +Valid values for this type are +.BR CAP_CLEAR (0) +or +.BR CAP_SET (1). +.SH "RETURN VALUE" +The return value is generally specific to the individual function called. +On failure, +.I errno +is set appropriately. +.SH "CONFORMING TO" +These functions are as per the withdrawn POSIX.1e draft specification. +The following functions are Linux extensions: +.BR cap_clear_flag (), +.BR cap_compare (), +.BR cap_from_name (), +.BR cap_to_name (), +and +.BR cap_compare (). +.SH "SEE ALSO" +.BR cap_clear (3), +.BR cap_copy_ext (3), +.BR cap_from_text (3), +.BR cap_get_file (3), +.BR cap_get_proc (3), +.BR cap_init (3), +.BR capabilities (7), +.BR getpid (2) +.BR capsh (1) diff --git a/libcap/libcap-2.24/doc/old/README b/libcap/libcap-2.24/doc/old/README @@ -0,0 +1 @@ +these files are not relevant to this release diff --git a/libcap/libcap-2.24/doc/old/_fgetfilecap.2 b/libcap/libcap-2.24/doc/old/_fgetfilecap.2 @@ -0,0 +1 @@ +.so man2/_setfilecap.2 diff --git a/libcap/libcap-2.24/doc/old/_fsetfilecap.2 b/libcap/libcap-2.24/doc/old/_fsetfilecap.2 @@ -0,0 +1 @@ +.so man2/_setfilecap.2 diff --git a/libcap/libcap-2.24/doc/old/_getfilecap.2 b/libcap/libcap-2.24/doc/old/_getfilecap.2 @@ -0,0 +1 @@ +.so man2/_setfilecap.2 diff --git a/libcap/libcap-2.24/doc/old/_getproccap.2 b/libcap/libcap-2.24/doc/old/_getproccap.2 @@ -0,0 +1 @@ +.so man2/_setproccap.2 diff --git a/libcap/libcap-2.24/doc/old/_setfilecap.2 b/libcap/libcap-2.24/doc/old/_setfilecap.2 @@ -0,0 +1,117 @@ +.\" +.\" $Id: _setfilecap.2,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $ +.\" written by Andrew Main <zefram@dcs.warwick.ac.uk> +.\" +.TH _SETFILECAP 2 "26th April 1997" "Linux 2.1" "Linux Programmer's Manual" +.SH NAME +_setfilecap, _getfilecap, _fsetfilecap, _fgetfilecap \- set/get file capabilities +.SH SYNOPSIS +.B #include <sys/capability.h> +.sp +.BI "int _setfilecap(char const *" filename ", size_t " usize ", __cap_s const *" iset ", __cap_s const *" pset ", __cap_s const *" eset ); +.sp +.BI "int _getproccap(char const *" filename ", size_t " usize ", __cap_s *" iset ", __cap_s *" pset ", __cap_s *" eset ); +.sp +.BI "int _fsetfilecap(int " fd ", size_t " usize ", __cap_s const *" iset ", __cap_s const *" pset ", __cap_s const *" eset ); +.sp +.BI "int _fgetproccap(int " fd ", size_t " usize ", __cap_s *" iset ", __cap_s *" pset ", __cap_s *" eset ); +.SH USAGE +.br +.B cc ... -lcap +.SH DESCRIPTION +.B _setfilecap +sets the specified +.IR filename 's +Inheritable, Permitted and Effective capabilities to the sets specified. +A NULL pointer specifies that a set should not be changed. +.PP +.B _fsetfilecap +does the same thing to the file referenced by file descriptor +.IR fd . +.PP +.B _getfilecap +and +.B _fgetfilecap +copy the file's capability sets into the sets provided. +A NULL pointer specifies that a set should not be returned. +.PP +The +.I usize +argument specifies the size of the user-space capability sets, in bytes. +If the kernel uses a different size internally, it will truncate or +zero-fill as required. +.PP +Files don't actually have a proper Effective capability set. Instead they +have a single-bit flag, that indicates that the set is either full or +empty. When setting a file's capabilities, that flag will be set if +and only if the Effective set specified has at least one bit set. +.SH "RETURN VALUE" +On success, zero is returned. On error, -1 is returned, and +.I errno +is set appropriately. +.SH ERRORS +.TP +.SB EFAULT +One of the capability arguments or the filename was an invalid data pointer. +.TP +.SB EPERM +An attempt was made to set non-empty capabilities on a file, +and the caller does not have the +.SB CAP_FSETCAP +capability raised. +.TP +.SB EPERM +An attempt was made to set capabilities on a file, and +the effective UID does not match the owner of the file, and the caller +does not have the +.SB CAP_FOWNER +capability raised. +.TP +.SB EINVAL +An attempt was made to set non-empty capabilities on a file +residing on a file system that does not support them. +.TP +.SB EROFS +An attempt was made to set capabilities on a file residing +on a read-only file system. +.TP +.SB ENAMETOOLONG +.I filename +is too long. +.TP +.SB ENOENT +The file specified does not exist. +.TP +.SB ENOMEM +Insufficient kernel memory was available. +.TP +.SB ENOTDIR +A component of the path prefix is not a directory. +.TP +.SB EACCES +Search permission is denied on a component of the path prefix. +.TP +.SB ELOOP +.I filename +containes a circular reference (via symlinks). +.TP +.SB EBADF +.I fd +is not a valid file descriptor. +.TP +.SB EIO +A hard error occurred while reading or writing the file system. +.TP +.SB ENOSYS +The POSIX.1e capability system was not configured into the kernel. +.SH "CONFORMING TO" +These system calls are specific to Linux. +The portable interfaces are +.IR cap_set_file (3), +.IR cap_get_file (3), +.IR cap_set_fd (3), +and +.IR cap_get_fd (3). +.SH "SEE ALSO" +.IR _setproccap (2). + diff --git a/libcap/libcap-2.24/doc/old/_setproccap.2 b/libcap/libcap-2.24/doc/old/_setproccap.2 @@ -0,0 +1,52 @@ +.\" +.\" $Id: _setproccap.2,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $ +.\" written by Andrew Main <zefram@dcs.warwick.ac.uk> +.\" +.TH _SETPROCCAP 2 "26th April 1997" "Linux 2.1" "Linux Programmer's Manual" +.SH NAME +_setproccap, _getproccap \- set/get process capabilities +.SH SYNOPSIS +.B #include <sys/capability.h> +.sp +.BI "int _setproccap(size_t " usize ", __cap_s const *" iset ", __cap_s const *" pset ", __cap_s const *" eset ); +.sp +.BI "int _getproccap(size_t " usize ", __cap_s *" iset ", __cap_s *" pset ", __cap_s *" eset ); +.SH DESCRIPTION +.B _setproccap +sets the calling process' +Inheritable, Permitted and Effective capabilities to the sets specified. +A NULL pointer specifies that a set should not be changed. +.PP +.B _getproccap +copies the process' capability sets into the sets provided. +A NULL pointer specifies that a set should not be returned. +.PP +The +.I usize +argument specifies the size of the user-space capability sets, in bytes. +If the kernel uses a different size internally, it will truncate or +zero-fill as required. +.SH "RETURN VALUE" +On success, zero is returned. On error, -1 is returned, and +.I errno +is set appropriately. +.SH ERRORS +.TP +.SB EFAULT +One of the capability arguments was an invalid data pointer. +.TP +.SB EPERM +An attempt was made to add a capability to the Permitted set, or to set +a capability in the Effective or Inheritable sets that is not in the +Permitted set. +.TP +.SB ENOSYS +The POSIX.1e capability system was not configured into the kernel. +.SH "CONFORMING TO" +These system calls are specific to Linux. +The portable interfaces are +.IR cap_set_proc (3) +and +.IR cap_get_proc (3). +.SH "SEE ALSO" +.IR _setfilecap (2). diff --git a/libcap/libcap-2.24/doc/setcap.8 b/libcap/libcap-2.24/doc/setcap.8 @@ -0,0 +1,49 @@ +.\" +.\" $Id: setcap.8,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $ +.\" +.TH SETCAP 8 "24th October 2008" +.SH NAME +setcap \- set file capabilities +.SH SYNOPSIS +\fBsetcap\fP [-q] [-v] (\fIcapabilities|-|-r) filename\fP [ ... \fIcapabilitiesN\fP \fIfileN\fP ] +.SH DESCRIPTION +In the absence of the +.B -v +(verify) option +.B setcap +sets the capabilities of each specified +.I filename +to the +.I capabilities +specified. The +.B -v +option is used to verify that the specified capabilities are currently +associated with the file. +.PP +The +.I capabilities +are specified in the form described in +.IR cap_from_text (3). +.PP +The special capability string, +.BR '-' , +can be used to indicate that capabilities are read from the standard +input. In such cases, the capability set is terminated with a blank +line. +.PP +The special capability string, +.BR '-r' , +is used to remove a capability set from a file. +.PP +The +.B -q +flag is used to make the program less verbose in its output. +.SH "EXIT CODE" +The +.B setcap +program will exit with a 0 exit code if successful. On failure, the +exit code is 1. +.SH "SEE ALSO" +.BR cap_from_text (3), +.BR cap_set_file (3), +.BR getcap (8) diff --git a/libcap/libcap-2.24/libcap/Makefile b/libcap/libcap-2.24/libcap/Makefile @@ -0,0 +1,91 @@ +# +# defines +# +topdir=$(shell pwd)/.. +include ../Make.Rules +# +# Library version +# +LIBNAME=$(LIBTITLE).so +STALIBNAME=$(LIBTITLE).a +# + +FILES=cap_alloc cap_proc cap_extint cap_flag cap_text + +# make including file support something you can override (no libattr +# no support). +ifeq ($(LIBATTR),yes) +FILES += cap_file +LDFLAGS += -lattr +DEPS = -lattr +endif + +INCLS=libcap.h cap_names.h $(INCS) +OBJS=$(addsuffix .o, $(FILES)) +MAJLIBNAME=$(LIBNAME).$(VERSION) +MINLIBNAME=$(MAJLIBNAME).$(MINOR) +GPERF_OUTPUT = _caps_output.gperf + +all: $(MINLIBNAME) $(STALIBNAME) libcap.pc + +ifeq ($(shell gperf --version > /dev/null 2>&1 && echo yes),yes) +USE_GPERF_OUTPUT = $(GPERF_OUTPUT) +INCLUDE_GPERF_OUTPUT = -include $(GPERF_OUTPUT) +endif + +libcap.pc: libcap.pc.in + sed -e 's,@prefix@,$(prefix),' \ + -e 's,@exec_prefix@,$(exec_prefix),' \ + -e 's,@libdir@,$(lib_prefix)/$(lib),' \ + -e 's,@includedir@,$(inc_prefix)/include,' \ + -e 's,@VERSION@,$(VERSION).$(MINOR),' \ + -e 's,@deps@,$(DEPS),' \ + $< >$@ + +_makenames: _makenames.c cap_names.list.h + $(BUILD_CC) $(BUILD_CFLAGS) $< -o $@ + +cap_names.h: _makenames + ./_makenames > cap_names.h + +$(GPERF_OUTPUT): cap_names.list.h + perl -e 'print "struct __cap_token_s { const char *name; int index; };\n%{\nconst struct __cap_token_s *__cap_lookup_name(const char *, unsigned int);\n%}\n%%\n"; while ($$l = <>) { $$l =~ s/[\{\"]//g; $$l =~ s/\}.*// ; print $$l; }' < $< | gperf --ignore-case --language=ANSI-C --readonly --null-strings --global-table --hash-function-name=__cap_hash_name --lookup-function-name="__cap_lookup_name" -c -t -m20 $(INDENT) > $@ + +cap_names.list.h: Makefile $(KERNEL_HEADERS)/linux/capability.h + @echo "=> making $@ from $(KERNEL_HEADERS)/linux/capability.h" + perl -e 'while ($$l=<>) { if ($$l =~ /^\#define[ \t](CAP[_A-Z]+)[ \t]+([0-9]+)\s+$$/) { $$tok=$$1; $$val=$$2; $$tok =~ tr/A-Z/a-z/; print "{\"$$tok\",$$val},\n"; } }' $(KERNEL_HEADERS)/linux/capability.h | fgrep -v 0x > $@ + +$(STALIBNAME): $(OBJS) + $(AR) rcs $@ $^ + $(RANLIB) $@ + +$(MINLIBNAME): $(OBJS) + $(LD) $(CFLAGS) $(LDFLAGS) -Wl,-soname,$(MAJLIBNAME) -o $@ $^ + ln -sf $(MINLIBNAME) $(MAJLIBNAME) + ln -sf $(MAJLIBNAME) $(LIBNAME) + +%.o: %.c $(INCLS) + $(CC) $(CFLAGS) $(IPATH) -c $< -o $@ + +cap_text.o: cap_text.c $(USE_GPERF_OUTPUT) $(INCLS) + $(CC) $(CFLAGS) $(IPATH) $(INCLUDE_GPERF_OUTPUT) -c $< -o $@ + +install: all + mkdir -p -m 0755 $(INCDIR)/sys + install -m 0644 include/sys/capability.h $(INCDIR)/sys + mkdir -p -m 0755 $(LIBDIR) + install -m 0644 $(STALIBNAME) $(LIBDIR)/$(STALIBNAME) + install -m 0644 $(MINLIBNAME) $(LIBDIR)/$(MINLIBNAME) + ln -sf $(MINLIBNAME) $(LIBDIR)/$(MAJLIBNAME) + ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME) +ifeq ($(FAKEROOT),) + -/sbin/ldconfig +endif + mkdir -p -m 0755 $(PKGCONFIGDIR) + install -m 0644 libcap.pc $(PKGCONFIGDIR)/libcap.pc + +clean: + $(LOCALCLEAN) + rm -f $(OBJS) $(LIBNAME)* $(STALIBNAME) libcap.pc + rm -f cap_names.h cap_names.list.h _makenames $(GPERF_OUTPUT) + cd include/sys && $(LOCALCLEAN) diff --git a/libcap/libcap-2.24/libcap/_makenames.c b/libcap/libcap-2.24/libcap/_makenames.c @@ -0,0 +1,61 @@ +/* + * Copyright (c) 1997-8 Andrew G. Morgan <morgan@kernel.org> + * + * This is a file to make the capability <-> string mappings for + * libcap. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <sys/capability.h> + +/* + * #include 'sed' generated array + */ + +struct { + const char *name; + int index; +} const list[] = { +#include "cap_names.list.h" + {NULL, -1} +}; + +/* this should be more than big enough (factor of three at least) */ +const char *pointers[8*sizeof(struct __user_cap_data_struct)]; + +int main(void) +{ + int i, maxcaps=0; + + for ( i=0; list[i].index >= 0 && list[i].name; ++i ) { + if (maxcaps <= list[i].index) { + maxcaps = list[i].index + 1; + } + pointers[list[i].index] = list[i].name; + } + + printf("/*\n" + " * DO NOT EDIT: this file is generated automatically from\n" + " *\n" + " * <linux/capability.h>\n" + " */\n" + "#define __CAP_BITS %d\n" + "\n" + "#ifdef LIBCAP_PLEASE_INCLUDE_ARRAY\n" + " char const *_cap_names[__CAP_BITS] = {\n", maxcaps); + + for (i=0; i<maxcaps; ++i) { + if (pointers[i]) + printf(" /* %d */\t\"%s\",\n", i, pointers[i]); + else + printf(" /* %d */\tNULL,\t\t/* - presently unused */\n", i); + } + + printf(" };\n" + "#endif /* LIBCAP_PLEASE_INCLUDE_ARRAY */\n" + "\n" + "/* END OF FILE */\n"); + + exit(0); +} diff --git a/libcap/libcap-2.24/libcap/cap_alloc.c b/libcap/libcap-2.24/libcap/cap_alloc.c @@ -0,0 +1,139 @@ +/* + * Copyright (c) 1997-8 Andrew G Morgan <morgan@kernel.org> + * + * This file deals with allocation and deallocation of internal + * capability sets as specified by POSIX.1e (formerlly, POSIX 6). + */ + +#include "libcap.h" + +/* + * Obtain a blank set of capabilities + */ + +cap_t cap_init(void) +{ + __u32 *raw_data; + cap_t result; + + raw_data = malloc( sizeof(__u32) + sizeof(*result) ); + + if (raw_data == NULL) { + _cap_debug("out of memory"); + errno = ENOMEM; + return NULL; + } + + *raw_data = CAP_T_MAGIC; + result = (cap_t) (raw_data + 1); + memset(result, 0, sizeof(*result)); + + result->head.version = _LIBCAP_CAPABILITY_VERSION; + capget(&result->head, NULL); /* load the kernel-capability version */ + + switch (result->head.version) { +#ifdef _LINUX_CAPABILITY_VERSION_1 + case _LINUX_CAPABILITY_VERSION_1: + break; +#endif +#ifdef _LINUX_CAPABILITY_VERSION_2 + case _LINUX_CAPABILITY_VERSION_2: + break; +#endif +#ifdef _LINUX_CAPABILITY_VERSION_3 + case _LINUX_CAPABILITY_VERSION_3: + break; +#endif + default: /* No idea what to do */ + cap_free(result); + result = NULL; + break; + } + + return result; +} + +/* + * This is an internal library function to duplicate a string and + * tag the result as something cap_free can handle. + */ + +char *_libcap_strdup(const char *old) +{ + __u32 *raw_data; + + if (old == NULL) { + errno = EINVAL; + return NULL; + } + + raw_data = malloc( sizeof(__u32) + strlen(old) + 1 ); + if (raw_data == NULL) { + errno = ENOMEM; + return NULL; + } + + *(raw_data++) = CAP_S_MAGIC; + strcpy((char *) raw_data, old); + + return ((char *) raw_data); +} + +/* + * This function duplicates an internal capability set with + * malloc()'d memory. It is the responsibility of the user to call + * cap_free() to liberate it. + */ + +cap_t cap_dup(cap_t cap_d) +{ + cap_t result; + + if (!good_cap_t(cap_d)) { + _cap_debug("bad argument"); + errno = EINVAL; + return NULL; + } + + result = cap_init(); + if (result == NULL) { + _cap_debug("out of memory"); + return NULL; + } + + memcpy(result, cap_d, sizeof(*cap_d)); + + return result; +} + + +/* + * Scrub and then liberate an internal capability set. + */ + +int cap_free(void *data_p) +{ + if ( !data_p ) + return 0; + + if ( good_cap_t(data_p) ) { + data_p = -1 + (__u32 *) data_p; + memset(data_p, 0, sizeof(__u32) + sizeof(struct _cap_struct)); + free(data_p); + data_p = NULL; + return 0; + } + + if ( good_cap_string(data_p) ) { + size_t length = strlen(data_p) + sizeof(__u32); + data_p = -1 + (__u32 *) data_p; + memset(data_p, 0, length); + free(data_p); + data_p = NULL; + return 0; + } + + _cap_debug("don't recognize what we're supposed to liberate"); + errno = EINVAL; + return -1; +} diff --git a/libcap/libcap-2.24/libcap/cap_alloc.o b/libcap/libcap-2.24/libcap/cap_alloc.o Binary files differ diff --git a/libcap/libcap-2.24/libcap/cap_extint.c b/libcap/libcap-2.24/libcap/cap_extint.c @@ -0,0 +1,123 @@ +/* + * Copyright (c) 1997-8 Andrew G Morgan <morgan@kernel.org> + * + * This file deals with exchanging internal and external + * representations of capability sets. + */ + +#include "libcap.h" + +/* + * External representation for capabilities. (exported as a fixed + * length) + */ +#define CAP_EXT_MAGIC "\220\302\001\121" +#define CAP_EXT_MAGIC_SIZE 4 +const static __u8 external_magic[CAP_EXT_MAGIC_SIZE+1] = CAP_EXT_MAGIC; + +struct cap_ext_struct { + __u8 magic[CAP_EXT_MAGIC_SIZE]; + __u8 length_of_capset; + /* + * note, we arrange these so the caps are stacked with byte-size + * resolution + */ + __u8 bytes[CAP_SET_SIZE][NUMBER_OF_CAP_SETS]; +}; + +/* + * return size of external capability set + */ + +ssize_t cap_size(cap_t caps) +{ + return ssizeof(struct cap_ext_struct); +} + +/* + * Copy the internal (cap_d) capability set into an external + * representation. The external representation is portable to other + * Linux architectures. + */ + +ssize_t cap_copy_ext(void *cap_ext, cap_t cap_d, ssize_t length) +{ + struct cap_ext_struct *result = (struct cap_ext_struct *) cap_ext; + int i; + + /* valid arguments? */ + if (!good_cap_t(cap_d) || length < ssizeof(struct cap_ext_struct) + || cap_ext == NULL) { + errno = EINVAL; + return -1; + } + + /* fill external capability set */ + memcpy(&result->magic, external_magic, CAP_EXT_MAGIC_SIZE); + result->length_of_capset = CAP_SET_SIZE; + + for (i=0; i<NUMBER_OF_CAP_SETS; ++i) { + size_t j; + for (j=0; j<CAP_SET_SIZE; ) { + __u32 val; + + val = cap_d->u[j/sizeof(__u32)].flat[i]; + + result->bytes[j++][i] = val & 0xFF; + result->bytes[j++][i] = (val >>= 8) & 0xFF; + result->bytes[j++][i] = (val >>= 8) & 0xFF; + result->bytes[j++][i] = (val >> 8) & 0xFF; + } + } + + /* All done: return length of external representation */ + return (ssizeof(struct cap_ext_struct)); +} + +/* + * Import an external representation to produce an internal rep. + * the internal rep should be liberated with cap_free(). + */ + +cap_t cap_copy_int(const void *cap_ext) +{ + const struct cap_ext_struct *export = + (const struct cap_ext_struct *) cap_ext; + cap_t cap_d; + int set, blen; + + /* Does the external representation make sense? */ + if ((export == NULL) + || memcmp(export->magic, external_magic, CAP_EXT_MAGIC_SIZE)) { + errno = EINVAL; + return NULL; + } + + /* Obtain a new internal capability set */ + if (!(cap_d = cap_init())) + return NULL; + + blen = export->length_of_capset; + for (set=0; set<NUMBER_OF_CAP_SETS; ++set) { + unsigned blk; + int bno = 0; + for (blk=0; blk<(CAP_SET_SIZE/sizeof(__u32)); ++blk) { + __u32 val = 0; + + if (bno != blen) + val = export->bytes[bno++][set]; + if (bno != blen) + val |= export->bytes[bno++][set] << 8; + if (bno != blen) + val |= export->bytes[bno++][set] << 16; + if (bno != blen) + val |= export->bytes[bno++][set] << 24; + + cap_d->u[blk].flat[set] = val; + } + } + + /* all done */ + return cap_d; +} + diff --git a/libcap/libcap-2.24/libcap/cap_extint.o b/libcap/libcap-2.24/libcap/cap_extint.o Binary files differ diff --git a/libcap/libcap-2.24/libcap/cap_file.c b/libcap/libcap-2.24/libcap/cap_file.c @@ -0,0 +1,321 @@ +/* + * Copyright (c) 1997,2007 Andrew G Morgan <morgan@kernel.org> + * + * This file deals with setting capabilities on files. + */ + +#include <sys/types.h> +#include <sys/xattr.h> +#include <byteswap.h> +#include <sys/stat.h> +#include <unistd.h> + +#define XATTR_SECURITY_PREFIX "security." + +#include "libcap.h" + +#ifdef VFS_CAP_U32 + +#if VFS_CAP_U32 != __CAP_BLKS +# error VFS representation of capabilities is not the same size as kernel +#endif + +#if __BYTE_ORDER == __BIG_ENDIAN +#define FIXUP_32BITS(x) bswap_32(x) +#else +#define FIXUP_32BITS(x) (x) +#endif + +static cap_t _fcaps_load(struct vfs_cap_data *rawvfscap, cap_t result, + int bytes) +{ + __u32 magic_etc; + unsigned tocopy, i; + + magic_etc = FIXUP_32BITS(rawvfscap->magic_etc); + switch (magic_etc & VFS_CAP_REVISION_MASK) { +#ifdef VFS_CAP_REVISION_1 + case VFS_CAP_REVISION_1: + tocopy = VFS_CAP_U32_1; + bytes -= XATTR_CAPS_SZ_1; + break; +#endif + +#ifdef VFS_CAP_REVISION_2 + case VFS_CAP_REVISION_2: + tocopy = VFS_CAP_U32_2; + bytes -= XATTR_CAPS_SZ_2; + break; +#endif + + default: + cap_free(result); + result = NULL; + return result; + } + + /* + * Verify that we loaded exactly the right number of bytes + */ + if (bytes != 0) { + cap_free(result); + result = NULL; + return result; + } + + for (i=0; i < tocopy; i++) { + result->u[i].flat[CAP_INHERITABLE] + = FIXUP_32BITS(rawvfscap->data[i].inheritable); + result->u[i].flat[CAP_PERMITTED] + = FIXUP_32BITS(rawvfscap->data[i].permitted); + if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) { + result->u[i].flat[CAP_EFFECTIVE] + = result->u[i].flat[CAP_INHERITABLE] + | result->u[i].flat[CAP_PERMITTED]; + } + } + while (i < __CAP_BLKS) { + result->u[i].flat[CAP_INHERITABLE] + = result->u[i].flat[CAP_PERMITTED] + = result->u[i].flat[CAP_EFFECTIVE] = 0; + i++; + } + + return result; +} + +static int _fcaps_save(struct vfs_cap_data *rawvfscap, cap_t cap_d, + int *bytes_p) +{ + __u32 eff_not_zero, magic; + unsigned tocopy, i; + + if (!good_cap_t(cap_d)) { + errno = EINVAL; + return -1; + } + + switch (cap_d->head.version) { +#ifdef _LINUX_CAPABILITY_VERSION_1 + case _LINUX_CAPABILITY_VERSION_1: + magic = VFS_CAP_REVISION_1; + tocopy = VFS_CAP_U32_1; + *bytes_p = XATTR_CAPS_SZ_1; + break; +#endif + +#ifdef _LINUX_CAPABILITY_VERSION_2 + case _LINUX_CAPABILITY_VERSION_2: + magic = VFS_CAP_REVISION_2; + tocopy = VFS_CAP_U32_2; + *bytes_p = XATTR_CAPS_SZ_2; + break; +#endif + +#ifdef _LINUX_CAPABILITY_VERSION_3 + case _LINUX_CAPABILITY_VERSION_3: + magic = VFS_CAP_REVISION_2; + tocopy = VFS_CAP_U32_2; + *bytes_p = XATTR_CAPS_SZ_2; + break; +#endif + + default: + errno = EINVAL; + return -1; + } + + _cap_debug("setting named file capabilities"); + + for (eff_not_zero = 0, i = 0; i < tocopy; i++) { + eff_not_zero |= cap_d->u[i].flat[CAP_EFFECTIVE]; + } + while (i < __CAP_BLKS) { + if ((cap_d->u[i].flat[CAP_EFFECTIVE] + || cap_d->u[i].flat[CAP_INHERITABLE] + || cap_d->u[i].flat[CAP_PERMITTED])) { + /* + * System does not support these capabilities + */ + errno = EINVAL; + return -1; + } + i++; + } + + for (i=0; i < tocopy; i++) { + rawvfscap->data[i].permitted + = FIXUP_32BITS(cap_d->u[i].flat[CAP_PERMITTED]); + rawvfscap->data[i].inheritable + = FIXUP_32BITS(cap_d->u[i].flat[CAP_INHERITABLE]); + + if (eff_not_zero + && ((~(cap_d->u[i].flat[CAP_EFFECTIVE])) + & (cap_d->u[i].flat[CAP_PERMITTED] + | cap_d->u[i].flat[CAP_INHERITABLE]))) { + errno = EINVAL; + return -1; + } + } + + if (eff_not_zero == 0) { + rawvfscap->magic_etc = FIXUP_32BITS(magic); + } else { + rawvfscap->magic_etc = FIXUP_32BITS(magic|VFS_CAP_FLAGS_EFFECTIVE); + } + + return 0; /* success */ +} + +/* + * Get the capabilities of an open file, as specified by its file + * descriptor. + */ + +cap_t cap_get_fd(int fildes) +{ + cap_t result; + + /* allocate a new capability set */ + result = cap_init(); + if (result) { + struct vfs_cap_data rawvfscap; + int sizeofcaps; + + _cap_debug("getting fildes capabilities"); + + /* fill the capability sets via a system call */ + sizeofcaps = fgetxattr(fildes, XATTR_NAME_CAPS, + &rawvfscap, sizeof(rawvfscap)); + if (sizeofcaps < ssizeof(rawvfscap.magic_etc)) { + cap_free(result); + result = NULL; + } else { + result = _fcaps_load(&rawvfscap, result, sizeofcaps); + } + } + + return result; +} + +/* + * Get the capabilities from a named file. + */ + +cap_t cap_get_file(const char *filename) +{ + cap_t result; + + /* allocate a new capability set */ + result = cap_init(); + if (result) { + struct vfs_cap_data rawvfscap; + int sizeofcaps; + + _cap_debug("getting filename capabilities"); + + /* fill the capability sets via a system call */ + sizeofcaps = getxattr(filename, XATTR_NAME_CAPS, + &rawvfscap, sizeof(rawvfscap)); + if (sizeofcaps < ssizeof(rawvfscap.magic_etc)) { + cap_free(result); + result = NULL; + } else { + result = _fcaps_load(&rawvfscap, result, sizeofcaps); + } + } + + return result; +} + +/* + * Set the capabilities of an open file, as specified by its file + * descriptor. + */ + +int cap_set_fd(int fildes, cap_t cap_d) +{ + struct vfs_cap_data rawvfscap; + int sizeofcaps; + struct stat buf; + + if (fstat(fildes, &buf) != 0) { + _cap_debug("unable to stat file descriptor %d", fildes); + return -1; + } + if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) { + _cap_debug("file descriptor %d for non-regular file", fildes); + errno = EINVAL; + return -1; + } + + if (cap_d == NULL) { + _cap_debug("deleting fildes capabilities"); + return fremovexattr(fildes, XATTR_NAME_CAPS); + } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) { + return -1; + } + + _cap_debug("setting fildes capabilities"); + + return fsetxattr(fildes, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0); +} + +/* + * Set the capabilities of a named file. + */ + +int cap_set_file(const char *filename, cap_t cap_d) +{ + struct vfs_cap_data rawvfscap; + int sizeofcaps; + struct stat buf; + + if (lstat(filename, &buf) != 0) { + _cap_debug("unable to stat file [%s]", filename); + return -1; + } + if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) { + _cap_debug("file [%s] is not a regular file", filename); + errno = EINVAL; + return -1; + } + + if (cap_d == NULL) { + _cap_debug("removing filename capabilities"); + return removexattr(filename, XATTR_NAME_CAPS); + } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) { + return -1; + } + + _cap_debug("setting filename capabilities"); + return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0); +} + +#else /* ie. ndef VFS_CAP_U32 */ + +cap_t cap_get_fd(int fildes) +{ + errno = EINVAL; + return NULL; +} + +cap_t cap_get_file(const char *filename) +{ + errno = EINVAL; + return NULL; +} + +int cap_set_fd(int fildes, cap_t cap_d) +{ + errno = EINVAL; + return -1; +} + +int cap_set_file(const char *filename, cap_t cap_d) +{ + errno = EINVAL; + return -1; +} + +#endif /* def VFS_CAP_U32 */ diff --git a/libcap/libcap-2.24/libcap/cap_file.o b/libcap/libcap-2.24/libcap/cap_file.o Binary files differ diff --git a/libcap/libcap-2.24/libcap/cap_flag.c b/libcap/libcap-2.24/libcap/cap_flag.c @@ -0,0 +1,150 @@ +/* + * Copyright (c) 1997-8,2008 Andrew G. Morgan <morgan@kernel.org> + * + * This file deals with flipping of capabilities on internal + * capability sets as specified by POSIX.1e (formerlly, POSIX 6). + */ + +#include "libcap.h" + +/* + * Return the state of a specified capability flag. The state is + * returned as the contents of *raised. The capability is from one of + * the sets stored in cap_d as specified by set and value + */ + +int cap_get_flag(cap_t cap_d, cap_value_t value, cap_flag_t set, + cap_flag_value_t *raised) +{ + /* + * Do we have a set and a place to store its value? + * Is it a known capability? + */ + + if (raised && good_cap_t(cap_d) && value >= 0 && value < __CAP_BITS + && set >= 0 && set < NUMBER_OF_CAP_SETS) { + *raised = isset_cap(cap_d,value,set) ? CAP_SET:CAP_CLEAR; + return 0; + } else { + _cap_debug("invalid arguments"); + errno = EINVAL; + return -1; + } +} + +/* + * raise/lower a selection of capabilities + */ + +int cap_set_flag(cap_t cap_d, cap_flag_t set, + int no_values, const cap_value_t *array_values, + cap_flag_value_t raise) +{ + /* + * Do we have a set and a place to store its value? + * Is it a known capability? + */ + + if (good_cap_t(cap_d) && no_values > 0 && no_values <= __CAP_BITS + && (set >= 0) && (set < NUMBER_OF_CAP_SETS) + && (raise == CAP_SET || raise == CAP_CLEAR) ) { + int i; + for (i=0; i<no_values; ++i) { + if (array_values[i] < 0 || array_values[i] >= __CAP_BITS) { + _cap_debug("weird capability (%d) - skipped", array_values[i]); + } else { + int value = array_values[i]; + + if (raise == CAP_SET) { + cap_d->raise_cap(value,set); + } else { + cap_d->lower_cap(value,set); + } + } + } + return 0; + + } else { + + _cap_debug("invalid arguments"); + errno = EINVAL; + return -1; + + } +} + +/* + * Reset the capability to be empty (nothing raised) + */ + +int cap_clear(cap_t cap_d) +{ + if (good_cap_t(cap_d)) { + + memset(&(cap_d->u), 0, sizeof(cap_d->u)); + return 0; + + } else { + + _cap_debug("invalid pointer"); + errno = EINVAL; + return -1; + + } +} + +/* + * Reset the all of the capability bits for one of the flag sets + */ + +int cap_clear_flag(cap_t cap_d, cap_flag_t flag) +{ + switch (flag) { + case CAP_EFFECTIVE: + case CAP_PERMITTED: + case CAP_INHERITABLE: + if (good_cap_t(cap_d)) { + unsigned i; + + for (i=0; i<_LIBCAP_CAPABILITY_U32S; i++) { + cap_d->u[i].flat[flag] = 0; + } + return 0; + } + /* + * fall through + */ + + default: + _cap_debug("invalid pointer"); + errno = EINVAL; + return -1; + } +} + +/* + * Compare two capability sets + */ + +int cap_compare(cap_t a, cap_t b) +{ + unsigned i; + int result; + + if (!(good_cap_t(a) && good_cap_t(b))) { + _cap_debug("invalid arguments"); + errno = EINVAL; + return -1; + } + + for (i=0, result=0; i<_LIBCAP_CAPABILITY_U32S; i++) { + result |= + ((a->u[i].flat[CAP_EFFECTIVE] != b->u[i].flat[CAP_EFFECTIVE]) + ? LIBCAP_EFF : 0) + | ((a->u[i].flat[CAP_INHERITABLE] != b->u[i].flat[CAP_INHERITABLE]) + ? LIBCAP_INH : 0) + | ((a->u[i].flat[CAP_PERMITTED] != b->u[i].flat[CAP_PERMITTED]) + ? LIBCAP_PER : 0); + } + return result; +} diff --git a/libcap/libcap-2.24/libcap/cap_flag.o b/libcap/libcap-2.24/libcap/cap_flag.o Binary files differ diff --git a/libcap/libcap-2.24/libcap/cap_proc.c b/libcap/libcap-2.24/libcap/cap_proc.c @@ -0,0 +1,126 @@ +/* + * Copyright (c) 1997-8,2007,2011 Andrew G Morgan <morgan@kernel.org> + * + * This file deals with getting and setting capabilities on processes. + */ + +#include <sys/prctl.h> + +#include "libcap.h" + +cap_t cap_get_proc(void) +{ + cap_t result; + + /* allocate a new capability set */ + result = cap_init(); + if (result) { + _cap_debug("getting current process' capabilities"); + + /* fill the capability sets via a system call */ + if (capget(&result->head, &result->u[0].set)) { + cap_free(result); + result = NULL; + } + } + + return result; +} + +int cap_set_proc(cap_t cap_d) +{ + int retval; + + if (!good_cap_t(cap_d)) { + errno = EINVAL; + return -1; + } + + _cap_debug("setting process capabilities"); + retval = capset(&cap_d->head, &cap_d->u[0].set); + + return retval; +} + +/* the following two functions are not required by POSIX */ + +/* read the caps on a specific process */ + +int capgetp(pid_t pid, cap_t cap_d) +{ + int error; + + if (!good_cap_t(cap_d)) { + errno = EINVAL; + return -1; + } + + _cap_debug("getting process capabilities for proc %d", pid); + + cap_d->head.pid = pid; + error = capget(&cap_d->head, &cap_d->u[0].set); + cap_d->head.pid = 0; + + return error; +} + +/* allocate space for and return capabilities of target process */ + +cap_t cap_get_pid(pid_t pid) +{ + cap_t result; + + result = cap_init(); + if (result) { + if (capgetp(pid, result) != 0) { + int my_errno; + + my_errno = errno; + cap_free(result); + errno = my_errno; + result = NULL; + } + } + + return result; +} + +/* set the caps on a specific process/pg etc.. */ + +int capsetp(pid_t pid, cap_t cap_d) +{ + int error; + + if (!good_cap_t(cap_d)) { + errno = EINVAL; + return -1; + } + + _cap_debug("setting process capabilities for proc %d", pid); + cap_d->head.pid = pid; + error = capset(&cap_d->head, &cap_d->u[0].set); + cap_d->head.version = _LIBCAP_CAPABILITY_VERSION; + cap_d->head.pid = 0; + + return error; +} + +/* get a capability from the bounding set */ + +int cap_get_bound(cap_value_t cap) +{ + int result; + + result = prctl(PR_CAPBSET_READ, cap); + return result; +} + +/* drop a capability from the bounding set */ + +int cap_drop_bound(cap_value_t cap) +{ + int result; + + result = prctl(PR_CAPBSET_DROP, cap); + return result; +} diff --git a/libcap/libcap-2.24/libcap/cap_proc.o b/libcap/libcap-2.24/libcap/cap_proc.o Binary files differ diff --git a/libcap/libcap-2.24/libcap/cap_text.c b/libcap/libcap-2.24/libcap/cap_text.c @@ -0,0 +1,429 @@ +/* + * Copyright (c) 1997-8,2007-8 Andrew G Morgan <morgan@kernel.org> + * Copyright (c) 1997 Andrew Main <zefram@dcs.warwick.ac.uk> + * + * This file deals with exchanging internal and textual + * representations of capability sets. + */ + +#define _GNU_SOURCE +#include <stdio.h> + +#define LIBCAP_PLEASE_INCLUDE_ARRAY +#include "libcap.h" + +#include <ctype.h> +#include <limits.h> + +/* Maximum output text length (16 per cap) */ +#define CAP_TEXT_SIZE (16*__CAP_MAXBITS) + +/* + * Parse a textual representation of capabilities, returning an internal + * representation. + */ + +#define raise_cap_mask(flat, c) (flat)[CAP_TO_INDEX(c)] |= CAP_TO_MASK(c) + +static void setbits(cap_t a, const __u32 *b, cap_flag_t set, unsigned blks) +{ + int n; + for (n = blks; n--; ) { + a->u[n].flat[set] |= b[n]; + } +} + +static void clrbits(cap_t a, const __u32 *b, cap_flag_t set, unsigned blks) +{ + int n; + for (n = blks; n--; ) + a->u[n].flat[set] &= ~b[n]; +} + +static char const *namcmp(char const *str, char const *nam) +{ + while (*nam && tolower((unsigned char)*str) == *nam) { + str++; + nam++; + } + if (*nam || isalnum((unsigned char)*str) || *str == '_') + return NULL; + return str; +} + +static void forceall(__u32 *flat, __u32 value, unsigned blks) +{ + unsigned n; + + for (n = blks; n--; flat[n] = value); + + return; +} + +static int lookupname(char const **strp) +{ + union { + char const *constp; + char *p; + } str; + + str.constp = *strp; + if (isdigit(*str.constp)) { + unsigned long n = strtoul(str.constp, &str.p, 0); + if (n >= __CAP_MAXBITS) + return -1; + *strp = str.constp; + return n; + } else { + int c; + unsigned len; + + for (len=0; (c = str.constp[len]); ++len) { + if (!(isalpha(c) || (c == '_'))) { + break; + } + } + +#ifdef GPERF_DOWNCASE + const struct __cap_token_s *token_info; + + token_info = __cap_lookup_name(str.constp, len); + if (token_info != NULL) { + *strp = str.constp + len; + return token_info->index; + } +#else /* ie., ndef GPERF_DOWNCASE */ + char const *s; + unsigned n; + + for (n = __CAP_BITS; n--; ) + if (_cap_names[n] && (s = namcmp(str.constp, _cap_names[n]))) { + *strp = s; + return n; + } +#endif /* def GPERF_DOWNCASE */ + + return -1; /* No definition available */ + } +} + +cap_t cap_from_text(const char *str) +{ + cap_t res; + int n; + unsigned cap_blks; + + if (str == NULL) { + _cap_debug("bad argument"); + errno = EINVAL; + return NULL; + } + + if (!(res = cap_init())) + return NULL; + + switch (res->head.version) { + case _LINUX_CAPABILITY_VERSION_1: + cap_blks = _LINUX_CAPABILITY_U32S_1; + break; + case _LINUX_CAPABILITY_VERSION_2: + cap_blks = _LINUX_CAPABILITY_U32S_2; + break; + case _LINUX_CAPABILITY_VERSION_3: + cap_blks = _LINUX_CAPABILITY_U32S_3; + break; + default: + errno = EINVAL; + return NULL; + } + + _cap_debug("%s", str); + + for (;;) { + __u32 list[__CAP_BLKS]; + char op; + int flags = 0, listed=0; + + forceall(list, 0, __CAP_BLKS); + + /* skip leading spaces */ + while (isspace((unsigned char)*str)) + str++; + if (!*str) { + _cap_debugcap("e = ", *res, CAP_EFFECTIVE); + _cap_debugcap("i = ", *res, CAP_INHERITABLE); + _cap_debugcap("p = ", *res, CAP_PERMITTED); + + return res; + } + + /* identify caps specified by this clause */ + if (isalnum((unsigned char)*str) || *str == '_') { + for (;;) { + if (namcmp(str, "all")) { + str += 3; + forceall(list, ~0, cap_blks); + } else { + n = lookupname(&str); + if (n == -1) + goto bad; + raise_cap_mask(list, n); + } + if (*str != ',') + break; + if (!isalnum((unsigned char)*++str) && *str != '_') + goto bad; + } + listed = 1; + } else if (*str == '+' || *str == '-') { + goto bad; /* require a list of capabilities */ + } else { + forceall(list, ~0, cap_blks); + } + + /* identify first operation on list of capabilities */ + op = *str++; + if (op == '=' && (*str == '+' || *str == '-')) { + if (!listed) + goto bad; + op = (*str++ == '+' ? 'P':'M'); /* skip '=' and take next op */ + } else if (op != '+' && op != '-' && op != '=') + goto bad; + + /* cycle through list of actions */ + do { + _cap_debug("next char = `%c'", *str); + if (*str && !isspace(*str)) { + switch (*str++) { /* Effective, Inheritable, Permitted */ + case 'e': + flags |= LIBCAP_EFF; + break; + case 'i': + flags |= LIBCAP_INH; + break; + case 'p': + flags |= LIBCAP_PER; + break; + default: + goto bad; + } + } else if (op != '=') { + _cap_debug("only '=' can be followed by space"); + goto bad; + } + + _cap_debug("how to read?"); + switch (op) { /* how do we interpret the caps? */ + case '=': + case 'P': /* =+ */ + case 'M': /* =- */ + clrbits(res, list, CAP_EFFECTIVE, cap_blks); + clrbits(res, list, CAP_PERMITTED, cap_blks); + clrbits(res, list, CAP_INHERITABLE, cap_blks); + if (op == 'M') + goto minus; + /* fall through */ + case '+': + if (flags & LIBCAP_EFF) + setbits(res, list, CAP_EFFECTIVE, cap_blks); + if (flags & LIBCAP_PER) + setbits(res, list, CAP_PERMITTED, cap_blks); + if (flags & LIBCAP_INH) + setbits(res, list, CAP_INHERITABLE, cap_blks); + break; + case '-': + minus: + if (flags & LIBCAP_EFF) + clrbits(res, list, CAP_EFFECTIVE, cap_blks); + if (flags & LIBCAP_PER) + clrbits(res, list, CAP_PERMITTED, cap_blks); + if (flags & LIBCAP_INH) + clrbits(res, list, CAP_INHERITABLE, cap_blks); + break; + } + + /* new directive? */ + if (*str == '+' || *str == '-') { + if (!listed) { + _cap_debug("for + & - must list capabilities"); + goto bad; + } + flags = 0; /* reset the flags */ + op = *str++; + if (!isalpha(*str)) + goto bad; + } + } while (*str && !isspace(*str)); + _cap_debug("next clause"); + } + +bad: + cap_free(res); + res = NULL; + errno = EINVAL; + return res; +} + +/* + * lookup a capability name and return its numerical value + */ +int cap_from_name(const char *name, cap_value_t *value_p) +{ + int n; + + if (((n = lookupname(&name)) >= 0) && (value_p != NULL)) { + *value_p = (unsigned) n; + } + return -(n < 0); +} + +/* + * Convert a single capability index number into a string representation + */ +char *cap_to_name(cap_value_t cap) +{ + if ((cap < 0) || (cap >= __CAP_BITS)) { +#if UINT_MAX != 4294967295U +# error Recompile with correctly sized numeric array +#endif + char *tmp, *result; + + asprintf(&tmp, "%u", cap); + result = _libcap_strdup(tmp); + free(tmp); + + return result; + } else { + return _libcap_strdup(_cap_names[cap]); + } +} + +/* + * Convert an internal representation to a textual one. The textual + * representation is stored in static memory. It will be overwritten + * on the next occasion that this function is called. + */ + +static int getstateflags(cap_t caps, int capno) +{ + int f = 0; + + if (isset_cap(caps, capno, CAP_EFFECTIVE)) { + f |= LIBCAP_EFF; + } + if (isset_cap(caps, capno, CAP_PERMITTED)) { + f |= LIBCAP_PER; + } + if (isset_cap(caps, capno, CAP_INHERITABLE)) { + f |= LIBCAP_INH; + } + + return f; +} + +#define CAP_TEXT_BUFFER_ZONE 100 + +char *cap_to_text(cap_t caps, ssize_t *length_p) +{ + char buf[CAP_TEXT_SIZE+CAP_TEXT_BUFFER_ZONE]; + char *p; + int histo[8]; + int m, t; + unsigned n; + unsigned cap_maxbits, cap_blks; + + /* Check arguments */ + if (!good_cap_t(caps)) { + errno = EINVAL; + return NULL; + } + + switch (caps->head.version) { + case _LINUX_CAPABILITY_VERSION_1: + cap_blks = _LINUX_CAPABILITY_U32S_1; + break; + case _LINUX_CAPABILITY_VERSION_2: + cap_blks = _LINUX_CAPABILITY_U32S_2; + break; + case _LINUX_CAPABILITY_VERSION_3: + cap_blks = _LINUX_CAPABILITY_U32S_3; + break; + default: + errno = EINVAL; + return NULL; + } + + cap_maxbits = 32 * cap_blks; + + _cap_debugcap("e = ", *caps, CAP_EFFECTIVE); + _cap_debugcap("i = ", *caps, CAP_INHERITABLE); + _cap_debugcap("p = ", *caps, CAP_PERMITTED); + + memset(histo, 0, sizeof(histo)); + + /* default prevailing state to the upper - unnamed bits */ + for (n = cap_maxbits-1; n > __CAP_BITS; n--) + histo[getstateflags(caps, n)]++; + + /* find which combination of capability sets shares the most bits + we bias to preferring non-set (m=0) with the >= 0 test. Failing + to do this causes strange things to happen with older systems + that don't know about bits 32+. */ + for (m=t=7; t--; ) + if (histo[t] >= histo[m]) + m = t; + + /* capture remaining bits - selecting m from only the unnamed bits, + we maximize the likelihood that we won't see numeric capability + values in the text output. */ + while (n--) + histo[getstateflags(caps, n)]++; + + /* blank is not a valid capability set */ + p = sprintf(buf, "=%s%s%s", + (m & LIBCAP_EFF) ? "e" : "", + (m & LIBCAP_INH) ? "i" : "", + (m & LIBCAP_PER) ? "p" : "" ) + buf; + + for (t = 8; t--; ) + if (t != m && histo[t]) { + *p++ = ' '; + for (n = 0; n < cap_maxbits; n++) + if (getstateflags(caps, n) == t) { + char *this_cap_name; + + this_cap_name = cap_to_name(n); + if ((strlen(this_cap_name) + (p - buf)) > CAP_TEXT_SIZE) { + cap_free(this_cap_name); + errno = ERANGE; + return NULL; + } + p += sprintf(p, "%s,", this_cap_name); + cap_free(this_cap_name); + } + p--; + n = t & ~m; + if (n) + p += sprintf(p, "+%s%s%s", + (n & LIBCAP_EFF) ? "e" : "", + (n & LIBCAP_INH) ? "i" : "", + (n & LIBCAP_PER) ? "p" : ""); + n = ~t & m; + if (n) + p += sprintf(p, "-%s%s%s", + (n & LIBCAP_EFF) ? "e" : "", + (n & LIBCAP_INH) ? "i" : "", + (n & LIBCAP_PER) ? "p" : ""); + if (p - buf > CAP_TEXT_SIZE) { + errno = ERANGE; + return NULL; + } + } + + _cap_debug("%s", buf); + if (length_p) { + *length_p = p - buf; + } + + return (_libcap_strdup(buf)); +} diff --git a/libcap/libcap-2.24/libcap/cap_text.o b/libcap/libcap-2.24/libcap/cap_text.o Binary files differ diff --git a/libcap/libcap-2.24/libcap/include/sys/capability.h b/libcap/libcap-2.24/libcap/include/sys/capability.h @@ -0,0 +1,127 @@ +/* + * <sys/capability.h> + * + * Copyright (C) 1997 Aleph One + * Copyright (C) 1997-8,2008 Andrew G. Morgan <morgan@kernel.org> + * + * defunct POSIX.1e Standard: 25.2 Capabilities <sys/capability.h> + */ + +#ifndef _SYS_CAPABILITY_H +#define _SYS_CAPABILITY_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * This file complements the kernel file by providing prototype + * information for the user library. + */ + +#include <sys/types.h> +#include <stdint.h> +#include <linux/types.h> + +#ifndef __user +#define __user +#endif +#include <linux/capability.h> +#include <linux/xattr.h> + +/* + * POSIX capability types + */ + +/* + * Opaque capability handle (defined internally by libcap) + * internal capability representation + */ +typedef struct _cap_struct *cap_t; + +/* "external" capability representation is a (void *) */ + +/* + * This is the type used to identify capabilities + */ + +typedef int cap_value_t; + +/* + * Set identifiers + */ +typedef enum { + CAP_EFFECTIVE=0, /* Specifies the effective flag */ + CAP_PERMITTED=1, /* Specifies the permitted flag */ + CAP_INHERITABLE=2 /* Specifies the inheritable flag */ +} cap_flag_t; + +/* + * These are the states available to each capability + */ +typedef enum { + CAP_CLEAR=0, /* The flag is cleared/disabled */ + CAP_SET=1 /* The flag is set/enabled */ +} cap_flag_value_t; + +/* + * User-space capability manipulation routines + */ + +/* libcap/cap_alloc.c */ +extern cap_t cap_dup(cap_t); +extern int cap_free(void *); +extern cap_t cap_init(void); + +/* libcap/cap_flag.c */ +extern int cap_get_flag(cap_t, cap_value_t, cap_flag_t, cap_flag_value_t *); +extern int cap_set_flag(cap_t, cap_flag_t, int, const cap_value_t *, + cap_flag_value_t); +extern int cap_clear(cap_t); +extern int cap_clear_flag(cap_t, cap_flag_t); + +/* libcap/cap_file.c */ +extern cap_t cap_get_fd(int); +extern cap_t cap_get_file(const char *); +extern int cap_set_fd(int, cap_t); +extern int cap_set_file(const char *, cap_t); + +/* libcap/cap_proc.c */ +extern cap_t cap_get_proc(void); +extern cap_t cap_get_pid(pid_t); +extern int cap_set_proc(cap_t); + +extern int cap_get_bound(cap_value_t); +extern int cap_drop_bound(cap_value_t); + +#define CAP_IS_SUPPORTED(cap) (cap_get_bound(cap) >= 0) + +/* libcap/cap_extint.c */ +extern ssize_t cap_size(cap_t); +extern ssize_t cap_copy_ext(void *, cap_t, ssize_t); +extern cap_t cap_copy_int(const void *); + +/* libcap/cap_text.c */ +extern cap_t cap_from_text(const char *); +extern char * cap_to_text(cap_t, ssize_t *); +extern int cap_from_name(const char *, cap_value_t *); +extern char * cap_to_name(cap_value_t); + +#define CAP_DIFFERS(result, flag) (((result) & (1 << (flag))) != 0) +extern int cap_compare(cap_t, cap_t); + +/* system calls - look to libc for function to system call mapping */ +extern int capset(cap_user_header_t header, cap_user_data_t data); +extern int capget(cap_user_header_t header, const cap_user_data_t data); + +/* deprecated - use cap_get_pid() */ +extern int capgetp(pid_t pid, cap_t cap_d); + +/* not valid with filesystem capability support - use cap_set_proc() */ +extern int capsetp(pid_t pid, cap_t cap_d); + +#ifdef __cplusplus +} +#endif + +#endif /* _SYS_CAPABILITY_H */ diff --git a/libcap/libcap-2.24/libcap/include/sys/securebits.h b/libcap/libcap-2.24/libcap/include/sys/securebits.h @@ -0,0 +1,22 @@ +/* + * <sys/securebits.h> + * Copyright (C) 2010 Serge Hallyn <serue@us.ibm.com> + */ + +#ifndef _SYS_SECUREBITS_H +#define _SYS_SECUREBITS_H + +#ifdef __cplusplus +extern "C" { +#endif + +#ifndef __user +#define __user +#endif +#include <linux/securebits.h> + +#ifdef __cplusplus +} +#endif + +#endif /* _SYS_SECUREBITS_H */ diff --git a/libcap/libcap-2.24/libcap/include/uapi/linux/capability.h b/libcap/libcap-2.24/libcap/include/uapi/linux/capability.h @@ -0,0 +1,358 @@ +/* + * This is <linux/capability.h> + * + * Andrew G. Morgan <morgan@kernel.org> + * Alexander Kjeldaas <astor@guardian.no> + * with help from Aleph1, Roland Buresund and Andrew Main. + * + * See here for the libcap library ("POSIX draft" compliance): + * + * http://www.kernel.org/pub/linux/libs/security/linux-privs/ + */ + +#ifndef _UAPI_LINUX_CAPABILITY_H +#define _UAPI_LINUX_CAPABILITY_H + +#include <linux/types.h> + +struct task_struct; + +/* User-level do most of the mapping between kernel and user + capabilities based on the version tag given by the kernel. The + kernel might be somewhat backwards compatible, but don't bet on + it. */ + +/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to + a set of three capability sets. The transposition of 3*the + following structure to such a composite is better handled in a user + library since the draft standard requires the use of malloc/free + etc.. */ + +#define _LINUX_CAPABILITY_VERSION_1 0x19980330 +#define _LINUX_CAPABILITY_U32S_1 1 + +#define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */ +#define _LINUX_CAPABILITY_U32S_2 2 + +#define _LINUX_CAPABILITY_VERSION_3 0x20080522 +#define _LINUX_CAPABILITY_U32S_3 2 + +typedef struct __user_cap_header_struct { + __u32 version; + int pid; +} __user *cap_user_header_t; + +typedef struct __user_cap_data_struct { + __u32 effective; + __u32 permitted; + __u32 inheritable; +} __user *cap_user_data_t; + + +#define VFS_CAP_REVISION_MASK 0xFF000000 +#define VFS_CAP_REVISION_SHIFT 24 +#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK +#define VFS_CAP_FLAGS_EFFECTIVE 0x000001 + +#define VFS_CAP_REVISION_1 0x01000000 +#define VFS_CAP_U32_1 1 +#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) + +#define VFS_CAP_REVISION_2 0x02000000 +#define VFS_CAP_U32_2 2 +#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2)) + +#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2 +#define VFS_CAP_U32 VFS_CAP_U32_2 +#define VFS_CAP_REVISION VFS_CAP_REVISION_2 + +struct vfs_cap_data { + __le32 magic_etc; /* Little endian */ + struct { + __le32 permitted; /* Little endian */ + __le32 inheritable; /* Little endian */ + } data[VFS_CAP_U32]; +}; + +#ifndef __KERNEL__ + +/* + * Backwardly compatible definition for source code - trapped in a + * 32-bit world. If you find you need this, please consider using + * libcap to untrap yourself... + */ +#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 +#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 + +#endif + + +/** + ** POSIX-draft defined capabilities. + **/ + +/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this + overrides the restriction of changing file ownership and group + ownership. */ + +#define CAP_CHOWN 0 + +/* Override all DAC access, including ACL execute access if + [_POSIX_ACL] is defined. Excluding DAC access covered by + CAP_LINUX_IMMUTABLE. */ + +#define CAP_DAC_OVERRIDE 1 + +/* Overrides all DAC restrictions regarding read and search on files + and directories, including ACL restrictions if [_POSIX_ACL] is + defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ + +#define CAP_DAC_READ_SEARCH 2 + +/* Overrides all restrictions about allowed operations on files, where + file owner ID must be equal to the user ID, except where CAP_FSETID + is applicable. It doesn't override MAC and DAC restrictions. */ + +#define CAP_FOWNER 3 + +/* Overrides the following restrictions that the effective user ID + shall match the file owner ID when setting the S_ISUID and S_ISGID + bits on that file; that the effective group ID (or one of the + supplementary group IDs) shall match the file owner ID when setting + the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are + cleared on successful return from chown(2) (not implemented). */ + +#define CAP_FSETID 4 + +/* Overrides the restriction that the real or effective user ID of a + process sending a signal must match the real or effective user ID + of the process receiving the signal. */ + +#define CAP_KILL 5 + +/* Allows setgid(2) manipulation */ +/* Allows setgroups(2) */ +/* Allows forged gids on socket credentials passing. */ + +#define CAP_SETGID 6 + +/* Allows set*uid(2) manipulation (including fsuid). */ +/* Allows forged pids on socket credentials passing. */ + +#define CAP_SETUID 7 + + +/** + ** Linux-specific capabilities + **/ + +/* Without VFS support for capabilities: + * Transfer any capability in your permitted set to any pid, + * remove any capability in your permitted set from any pid + * With VFS support for capabilities (neither of above, but) + * Add any capability from current's capability bounding set + * to the current process' inheritable set + * Allow taking bits out of capability bounding set + * Allow modification of the securebits for a process + */ + +#define CAP_SETPCAP 8 + +/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */ + +#define CAP_LINUX_IMMUTABLE 9 + +/* Allows binding to TCP/UDP sockets below 1024 */ +/* Allows binding to ATM VCIs below 32 */ + +#define CAP_NET_BIND_SERVICE 10 + +/* Allow broadcasting, listen to multicast */ + +#define CAP_NET_BROADCAST 11 + +/* Allow interface configuration */ +/* Allow administration of IP firewall, masquerading and accounting */ +/* Allow setting debug option on sockets */ +/* Allow modification of routing tables */ +/* Allow setting arbitrary process / process group ownership on + sockets */ +/* Allow binding to any address for transparent proxying (also via NET_RAW) */ +/* Allow setting TOS (type of service) */ +/* Allow setting promiscuous mode */ +/* Allow clearing driver statistics */ +/* Allow multicasting */ +/* Allow read/write of device-specific registers */ +/* Allow activation of ATM control sockets */ + +#define CAP_NET_ADMIN 12 + +/* Allow use of RAW sockets */ +/* Allow use of PACKET sockets */ +/* Allow binding to any address for transparent proxying (also via NET_ADMIN) */ + +#define CAP_NET_RAW 13 + +/* Allow locking of shared memory segments */ +/* Allow mlock and mlockall (which doesn't really have anything to do + with IPC) */ + +#define CAP_IPC_LOCK 14 + +/* Override IPC ownership checks */ + +#define CAP_IPC_OWNER 15 + +/* Insert and remove kernel modules - modify kernel without limit */ +#define CAP_SYS_MODULE 16 + +/* Allow ioperm/iopl access */ +/* Allow sending USB messages to any device via /proc/bus/usb */ + +#define CAP_SYS_RAWIO 17 + +/* Allow use of chroot() */ + +#define CAP_SYS_CHROOT 18 + +/* Allow ptrace() of any process */ + +#define CAP_SYS_PTRACE 19 + +/* Allow configuration of process accounting */ + +#define CAP_SYS_PACCT 20 + +/* Allow configuration of the secure attention key */ +/* Allow administration of the random device */ +/* Allow examination and configuration of disk quotas */ +/* Allow setting the domainname */ +/* Allow setting the hostname */ +/* Allow calling bdflush() */ +/* Allow mount() and umount(), setting up new smb connection */ +/* Allow some autofs root ioctls */ +/* Allow nfsservctl */ +/* Allow VM86_REQUEST_IRQ */ +/* Allow to read/write pci config on alpha */ +/* Allow irix_prctl on mips (setstacksize) */ +/* Allow flushing all cache on m68k (sys_cacheflush) */ +/* Allow removing semaphores */ +/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores + and shared memory */ +/* Allow locking/unlocking of shared memory segment */ +/* Allow turning swap on/off */ +/* Allow forged pids on socket credentials passing */ +/* Allow setting readahead and flushing buffers on block devices */ +/* Allow setting geometry in floppy driver */ +/* Allow turning DMA on/off in xd driver */ +/* Allow administration of md devices (mostly the above, but some + extra ioctls) */ +/* Allow tuning the ide driver */ +/* Allow access to the nvram device */ +/* Allow administration of apm_bios, serial and bttv (TV) device */ +/* Allow manufacturer commands in isdn CAPI support driver */ +/* Allow reading non-standardized portions of pci configuration space */ +/* Allow DDI debug ioctl on sbpcd driver */ +/* Allow setting up serial ports */ +/* Allow sending raw qic-117 commands */ +/* Allow enabling/disabling tagged queuing on SCSI controllers and sending + arbitrary SCSI commands */ +/* Allow setting encryption key on loopback filesystem */ +/* Allow setting zone reclaim policy */ + +#define CAP_SYS_ADMIN 21 + +/* Allow use of reboot() */ + +#define CAP_SYS_BOOT 22 + +/* Allow raising priority and setting priority on other (different + UID) processes */ +/* Allow use of FIFO and round-robin (realtime) scheduling on own + processes and setting the scheduling algorithm used by another + process. */ +/* Allow setting cpu affinity on other processes */ + +#define CAP_SYS_NICE 23 + +/* Override resource limits. Set resource limits. */ +/* Override quota limits. */ +/* Override reserved space on ext2 filesystem */ +/* Modify data journaling mode on ext3 filesystem (uses journaling + resources) */ +/* NOTE: ext2 honors fsuid when checking for resource overrides, so + you can override using fsuid too */ +/* Override size restrictions on IPC message queues */ +/* Allow more than 64hz interrupts from the real-time clock */ +/* Override max number of consoles on console allocation */ +/* Override max number of keymaps */ + +#define CAP_SYS_RESOURCE 24 + +/* Allow manipulation of system clock */ +/* Allow irix_stime on mips */ +/* Allow setting the real-time clock */ + +#define CAP_SYS_TIME 25 + +/* Allow configuration of tty devices */ +/* Allow vhangup() of tty */ + +#define CAP_SYS_TTY_CONFIG 26 + +/* Allow the privileged aspects of mknod() */ + +#define CAP_MKNOD 27 + +/* Allow taking of leases on files */ + +#define CAP_LEASE 28 + +#define CAP_AUDIT_WRITE 29 + +#define CAP_AUDIT_CONTROL 30 + +#define CAP_SETFCAP 31 + +/* Override MAC access. + The base kernel enforces no MAC policy. + An LSM may enforce a MAC policy, and if it does and it chooses + to implement capability based overrides of that policy, this is + the capability it should use to do so. */ + +#define CAP_MAC_OVERRIDE 32 + +/* Allow MAC configuration or state changes. + The base kernel requires no MAC configuration. + An LSM may enforce a MAC policy, and if it does and it chooses + to implement capability based checks on modifications to that + policy or the data required to maintain it, this is the + capability it should use to do so. */ + +#define CAP_MAC_ADMIN 33 + +/* Allow configuring the kernel's syslog (printk behaviour) */ + +#define CAP_SYSLOG 34 + +/* Allow triggering something that will wake the system */ + +#define CAP_WAKE_ALARM 35 + +/* Allow preventing system suspends */ + +#define CAP_BLOCK_SUSPEND 36 + +#define CAP_LAST_CAP CAP_BLOCK_SUSPEND + +#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) + +/* + * Bit location of each capability (used by user-space library and kernel) + */ + +#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ +#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */ + + +#endif /* _UAPI_LINUX_CAPABILITY_H */ diff --git a/libcap/libcap-2.24/libcap/include/uapi/linux/prctl.h b/libcap/libcap-2.24/libcap/include/uapi/linux/prctl.h @@ -0,0 +1,152 @@ +#ifndef _LINUX_PRCTL_H +#define _LINUX_PRCTL_H + +/* Values to pass as first argument to prctl() */ + +#define PR_SET_PDEATHSIG 1 /* Second arg is a signal */ +#define PR_GET_PDEATHSIG 2 /* Second arg is a ptr to return the signal */ + +/* Get/set current->mm->dumpable */ +#define PR_GET_DUMPABLE 3 +#define PR_SET_DUMPABLE 4 + +/* Get/set unaligned access control bits (if meaningful) */ +#define PR_GET_UNALIGN 5 +#define PR_SET_UNALIGN 6 +# define PR_UNALIGN_NOPRINT 1 /* silently fix up unaligned user accesses */ +# define PR_UNALIGN_SIGBUS 2 /* generate SIGBUS on unaligned user access */ + +/* Get/set whether or not to drop capabilities on setuid() away from + * uid 0 (as per security/commoncap.c) */ +#define PR_GET_KEEPCAPS 7 +#define PR_SET_KEEPCAPS 8 + +/* Get/set floating-point emulation control bits (if meaningful) */ +#define PR_GET_FPEMU 9 +#define PR_SET_FPEMU 10 +# define PR_FPEMU_NOPRINT 1 /* silently emulate fp operations accesses */ +# define PR_FPEMU_SIGFPE 2 /* don't emulate fp operations, send SIGFPE instead */ + +/* Get/set floating-point exception mode (if meaningful) */ +#define PR_GET_FPEXC 11 +#define PR_SET_FPEXC 12 +# define PR_FP_EXC_SW_ENABLE 0x80 /* Use FPEXC for FP exception enables */ +# define PR_FP_EXC_DIV 0x010000 /* floating point divide by zero */ +# define PR_FP_EXC_OVF 0x020000 /* floating point overflow */ +# define PR_FP_EXC_UND 0x040000 /* floating point underflow */ +# define PR_FP_EXC_RES 0x080000 /* floating point inexact result */ +# define PR_FP_EXC_INV 0x100000 /* floating point invalid operation */ +# define PR_FP_EXC_DISABLED 0 /* FP exceptions disabled */ +# define PR_FP_EXC_NONRECOV 1 /* async non-recoverable exc. mode */ +# define PR_FP_EXC_ASYNC 2 /* async recoverable exception mode */ +# define PR_FP_EXC_PRECISE 3 /* precise exception mode */ + +/* Get/set whether we use statistical process timing or accurate timestamp + * based process timing */ +#define PR_GET_TIMING 13 +#define PR_SET_TIMING 14 +# define PR_TIMING_STATISTICAL 0 /* Normal, traditional, + statistical process timing */ +# define PR_TIMING_TIMESTAMP 1 /* Accurate timestamp based + process timing */ + +#define PR_SET_NAME 15 /* Set process name */ +#define PR_GET_NAME 16 /* Get process name */ + +/* Get/set process endian */ +#define PR_GET_ENDIAN 19 +#define PR_SET_ENDIAN 20 +# define PR_ENDIAN_BIG 0 +# define PR_ENDIAN_LITTLE 1 /* True little endian mode */ +# define PR_ENDIAN_PPC_LITTLE 2 /* "PowerPC" pseudo little endian */ + +/* Get/set process seccomp mode */ +#define PR_GET_SECCOMP 21 +#define PR_SET_SECCOMP 22 + +/* Get/set the capability bounding set (as per security/commoncap.c) */ +#define PR_CAPBSET_READ 23 +#define PR_CAPBSET_DROP 24 + +/* Get/set the process' ability to use the timestamp counter instruction */ +#define PR_GET_TSC 25 +#define PR_SET_TSC 26 +# define PR_TSC_ENABLE 1 /* allow the use of the timestamp counter */ +# define PR_TSC_SIGSEGV 2 /* throw a SIGSEGV instead of reading the TSC */ + +/* Get/set securebits (as per security/commoncap.c) */ +#define PR_GET_SECUREBITS 27 +#define PR_SET_SECUREBITS 28 + +/* + * Get/set the timerslack as used by poll/select/nanosleep + * A value of 0 means "use default" + */ +#define PR_SET_TIMERSLACK 29 +#define PR_GET_TIMERSLACK 30 + +#define PR_TASK_PERF_EVENTS_DISABLE 31 +#define PR_TASK_PERF_EVENTS_ENABLE 32 + +/* + * Set early/late kill mode for hwpoison memory corruption. + * This influences when the process gets killed on a memory corruption. + */ +#define PR_MCE_KILL 33 +# define PR_MCE_KILL_CLEAR 0 +# define PR_MCE_KILL_SET 1 + +# define PR_MCE_KILL_LATE 0 +# define PR_MCE_KILL_EARLY 1 +# define PR_MCE_KILL_DEFAULT 2 + +#define PR_MCE_KILL_GET 34 + +/* + * Tune up process memory map specifics. + */ +#define PR_SET_MM 35 +# define PR_SET_MM_START_CODE 1 +# define PR_SET_MM_END_CODE 2 +# define PR_SET_MM_START_DATA 3 +# define PR_SET_MM_END_DATA 4 +# define PR_SET_MM_START_STACK 5 +# define PR_SET_MM_START_BRK 6 +# define PR_SET_MM_BRK 7 +# define PR_SET_MM_ARG_START 8 +# define PR_SET_MM_ARG_END 9 +# define PR_SET_MM_ENV_START 10 +# define PR_SET_MM_ENV_END 11 +# define PR_SET_MM_AUXV 12 +# define PR_SET_MM_EXE_FILE 13 + +/* + * Set specific pid that is allowed to ptrace the current task. + * A value of 0 mean "no process". + */ +#define PR_SET_PTRACER 0x59616d61 +# define PR_SET_PTRACER_ANY ((unsigned long)-1) + +#define PR_SET_CHILD_SUBREAPER 36 +#define PR_GET_CHILD_SUBREAPER 37 + +/* + * If no_new_privs is set, then operations that grant new privileges (i.e. + * execve) will either fail or not grant them. This affects suid/sgid, + * file capabilities, and LSMs. + * + * Operations that merely manipulate or drop existing privileges (setresuid, + * capset, etc.) will still work. Drop those privileges if you want them gone. + * + * Changing LSM security domain is considered a new privilege. So, for example, + * asking selinux for a specific new context (e.g. with runcon) will result + * in execve returning -EPERM. + * + * See Documentation/prctl/no_new_privs.txt for more details. + */ +#define PR_SET_NO_NEW_PRIVS 38 +#define PR_GET_NO_NEW_PRIVS 39 + +#define PR_GET_TID_ADDRESS 40 + +#endif /* _LINUX_PRCTL_H */ diff --git a/libcap/libcap-2.24/libcap/include/uapi/linux/securebits.h b/libcap/libcap-2.24/libcap/include/uapi/linux/securebits.h @@ -0,0 +1,51 @@ +#ifndef _UAPI_LINUX_SECUREBITS_H +#define _UAPI_LINUX_SECUREBITS_H + +/* Each securesetting is implemented using two bits. One bit specifies + whether the setting is on or off. The other bit specify whether the + setting is locked or not. A setting which is locked cannot be + changed from user-level. */ +#define issecure_mask(X) (1 << (X)) + +#define SECUREBITS_DEFAULT 0x00000000 + +/* When set UID 0 has no special privileges. When unset, we support + inheritance of root-permissions and suid-root executable under + compatibility mode. We raise the effective and inheritable bitmasks + *of the executable file* if the effective uid of the new process is + 0. If the real uid is 0, we raise the effective (legacy) bit of the + executable file. */ +#define SECURE_NOROOT 0 +#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */ + +#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT)) +#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED)) + +/* When set, setuid to/from uid 0 does not trigger capability-"fixup". + When unset, to provide compatiblility with old programs relying on + set*uid to gain/lose privilege, transitions to/from uid 0 cause + capabilities to be gained/lost. */ +#define SECURE_NO_SETUID_FIXUP 2 +#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ + +#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP)) +#define SECBIT_NO_SETUID_FIXUP_LOCKED \ + (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)) + +/* When set, a process can retain its capabilities even after + transitioning to a non-root user (the set-uid fixup suppressed by + bit 2). Bit-4 is cleared when a process calls exec(); setting both + bit 4 and 5 will create a barrier through exec that no exec()'d + child can use this feature again. */ +#define SECURE_KEEP_CAPS 4 +#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */ + +#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS)) +#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED)) + +#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ + issecure_mask(SECURE_NO_SETUID_FIXUP) | \ + issecure_mask(SECURE_KEEP_CAPS)) +#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) + +#endif /* _UAPI_LINUX_SECUREBITS_H */ diff --git a/libcap/libcap-2.24/libcap/libcap.h b/libcap/libcap-2.24/libcap/libcap.h @@ -0,0 +1,209 @@ +/* + * Copyright (c) 1997 Andrew G Morgan <morgan@kernel.org> + * + * This file contains internal definitions for the various functions in + * this small capability library. + */ + +#ifndef LIBCAP_H +#define LIBCAP_H + +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <stdint.h> +#include <sys/capability.h> + +#ifndef __u8 +#define __u8 uint8_t +#endif /* __8 */ + +#ifndef __u32 +#define __u32 uint32_t +#endif /* __u32 */ + +/* include the names for the caps and a definition of __CAP_BITS */ +#include "cap_names.h" + +#ifndef _LINUX_CAPABILITY_U32S_1 +# define _LINUX_CAPABILITY_U32S_1 1 +#endif /* ndef _LINUX_CAPABILITY_U32S */ + +/* + * Do we match the local kernel? + */ + +#if !defined(_LINUX_CAPABILITY_VERSION) + +# error Kernel <linux/capability.h> does not support library +# error file "libcap.h" --> fix and recompile libcap + +#elif !defined(_LINUX_CAPABILITY_VERSION_2) + +# warning Kernel <linux/capability.h> does not support 64-bit capabilities +# warning and libcap is being built with no support for 64-bit capabilities + +# ifndef _LINUX_CAPABILITY_VERSION_1 +# define _LINUX_CAPABILITY_VERSION_1 0x19980330 +# endif + +# _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 +# _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 + +#elif defined(_LINUX_CAPABILITY_VERSION_3) + +# if (_LINUX_CAPABILITY_VERSION_3 != 0x20080522) +# error Kernel <linux/capability.h> v3 does not match library +# error file "libcap.h" --> fix and recompile libcap +# else +# define _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 +# define _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 +# endif + +#elif (_LINUX_CAPABILITY_VERSION_2 != 0x20071026) + +# error Kernel <linux/capability.h> does not match library +# error file "libcap.h" --> fix and recompile libcap + +#else + +# define _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_2 +# define _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2 + +#endif + +#undef _LINUX_CAPABILITY_VERSION +#undef _LINUX_CAPABILITY_U32S + +/* + * This is a pointer to a struct containing three consecutive + * capability sets in the order of the cap_flag_t type: the are + * effective,inheritable and permitted. This is the type that the + * user-space routines think of as 'internal' capabilities - this is + * the type that is passed to the kernel with the system calls related + * to processes. + */ + +#if defined(VFS_CAP_REVISION_MASK) && !defined(VFS_CAP_U32) +# define VFS_CAP_U32_1 1 +# define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) +# define VFS_CAP_U32 VFS_CAP_U32_1 +struct _cap_vfs_cap_data { + __le32 magic_etc; + struct { + __le32 permitted; + __le32 inheritable; + } data[VFS_CAP_U32_1]; +}; +# define vfs_cap_data _cap_vfs_cap_data +#endif + +#ifndef CAP_TO_INDEX +# define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ +#endif /* ndef CAP_TO_INDEX */ + +#ifndef CAP_TO_MASK +# define CAP_TO_MASK(x) (1 << ((x) & 31)) +#endif /* ndef CAP_TO_MASK */ + +#define NUMBER_OF_CAP_SETS 3 /* effective, inheritable, permitted */ +#define __CAP_BLKS (_LIBCAP_CAPABILITY_U32S) +#define CAP_SET_SIZE (__CAP_BLKS * sizeof(__u32)) + +#define CAP_T_MAGIC 0xCA90D0 +struct _cap_struct { + struct __user_cap_header_struct head; + union { + struct __user_cap_data_struct set; + __u32 flat[NUMBER_OF_CAP_SETS]; + } u[_LIBCAP_CAPABILITY_U32S]; +}; + +/* the maximum bits supportable */ +#define __CAP_MAXBITS (__CAP_BLKS * 32) + +/* string magic for cap_free */ +#define CAP_S_MAGIC 0xCA95D0 + +/* + * kernel API cap set abstraction + */ + +#define raise_cap(x,set) u[(x)>>5].flat[set] |= (1<<((x)&31)) +#define lower_cap(x,set) u[(x)>>5].flat[set] &= ~(1<<((x)&31)) +#define isset_cap(y,x,set) ((y)->u[(x)>>5].flat[set] & (1<<((x)&31))) + +/* + * Private definitions for internal use by the library. + */ + +#define __libcap_check_magic(c,magic) ((c) && *(-1+(__u32 *)(c)) == (magic)) +#define good_cap_t(c) __libcap_check_magic(c, CAP_T_MAGIC) +#define good_cap_string(c) __libcap_check_magic(c, CAP_S_MAGIC) + +/* + * These match CAP_DIFFERS() expectations + */ +#define LIBCAP_EFF (1 << CAP_EFFECTIVE) +#define LIBCAP_INH (1 << CAP_INHERITABLE) +#define LIBCAP_PER (1 << CAP_PERMITTED) + +/* + * library debugging + */ +#ifdef DEBUG + +#include <stdio.h> +# define _cap_debug(f, x...) do { \ + fprintf(stderr, "%s(%s:%d): ", __FUNCTION__, __FILE__, __LINE__); \ + fprintf(stderr, f, ## x); \ + fprintf(stderr, "\n"); \ +} while (0) + +# define _cap_debugcap(s, c, set) do { \ + unsigned _cap_index; \ + fprintf(stderr, "%s(%s:%d): %s", __FUNCTION__, __FILE__, __LINE__, s); \ + for (_cap_index=_LIBCAP_CAPABILITY_U32S; _cap_index-- > 0; ) { \ + fprintf(stderr, "%08x", (c).u[_cap_index].flat[set]); \ + } \ + fprintf(stderr, "\n"); \ +} while (0) + +#else /* !DEBUG */ + +# define _cap_debug(f, x...) +# define _cap_debugcap(s, c, set) + +#endif /* DEBUG */ + +extern char *_libcap_strdup(const char *text); + +/* + * These are semi-public prototypes, they will only be defined in + * <sys/capability.h> if _POSIX_SOURCE is not #define'd, so we + * place them here too. + */ + +extern int capset(cap_user_header_t header, cap_user_data_t data); +extern int capget(cap_user_header_t header, const cap_user_data_t data); +extern int capgetp(pid_t pid, cap_t cap_d); +extern int capsetp(pid_t pid, cap_t cap_d); + +/* prctl based API for altering character of current process */ +#define PR_GET_KEEPCAPS 7 +#define PR_SET_KEEPCAPS 8 +#define PR_CAPBSET_READ 23 +#define PR_CAPBSET_DROP 24 +#define PR_GET_SECUREBITS 27 +#define PR_SET_SECUREBITS 28 + +/* + * The library compares sizeof() with integer return values. To avoid + * signed/unsigned comparisons, leading to unfortunate + * misinterpretations of -1, we provide a convenient cast-to-signed-integer + * version of sizeof(). + */ +#define ssizeof(x) ((ssize_t) sizeof(x)) + +#endif /* LIBCAP_H */ diff --git a/libcap/libcap-2.24/libcap/libcap.pc b/libcap/libcap-2.24/libcap/libcap.pc @@ -0,0 +1,11 @@ +prefix=/usr +exec_prefix= +libdir=/lib +includedir=/usr/include + +Name: libcap +Description: libcap +Version: 2.24 +Libs: -L${libdir} -lcap +Libs.private: -lattr +Cflags: -I${includedir} diff --git a/libcap/libcap-2.24/libcap/libcap.pc.in b/libcap/libcap-2.24/libcap/libcap.pc.in @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: libcap +Description: libcap +Version: @VERSION@ +Libs: -L${libdir} -lcap +Libs.private: @deps@ +Cflags: -I${includedir} diff --git a/libcap/libcap-2.24/pam_cap/License b/libcap/libcap-2.24/pam_cap/License @@ -0,0 +1,41 @@ +Unless otherwise *explicitly* stated the following text describes the +licensed conditions under which the contents of this module release +may be distributed: + +------------------------------------------------------------------------- +Redistribution and use in source and binary forms of this module, with +or without modification, are permitted provided that the following +conditions are met: + +1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + +2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + +3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. + +ALTERNATIVELY, this product may be distributed under the terms of the +GNU Library General Public License, in which case the provisions of +the GNU LGPL are required INSTEAD OF the above restrictions. (This +clause is necessary due to a potential conflict between the GNU LGPL +and the restrictions contained in a BSD-style copyright.) + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. +------------------------------------------------------------------------- + diff --git a/libcap/libcap-2.24/pam_cap/Makefile b/libcap/libcap-2.24/pam_cap/Makefile @@ -0,0 +1,29 @@ +# simple make file for the pam_cap module + +topdir=$(shell pwd)/.. +include ../Make.Rules + +# Note (as the author of much of the Linux-PAM library, I am confident +# that this next line does *not* require -lpam on it.) If you think it +# does, *verify that it does*, and if you observe that it fails as +# written (and you know why it fails), email me and explain why. Thanks! +LDLIBS += -L../libcap -lcap + +all: pam_cap.so + $(MAKE) testcompile + +install: all + mkdir -p -m 0755 $(LIBDIR)/security + install -m 0755 pam_cap.so $(LIBDIR)/security + +pam_cap.so: pam_cap.o + $(LD) $(LDFLAGS) -o pam_cap.so $< $(LDLIBS) + +pam_cap.o: pam_cap.c + $(CC) $(CFLAGS) $(IPATH) -c $< -o $@ + +testcompile: test.c pam_cap.o + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $+ -lpam -ldl $(LDLIBS) + +clean: + rm -f *.o *.so testcompile *~ diff --git a/libcap/libcap-2.24/pam_cap/capability.conf b/libcap/libcap-2.24/pam_cap/capability.conf @@ -0,0 +1,45 @@ +# +# /etc/security/capability.conf +# +# this is a sample capability file (to be used in conjunction with +# the pam_cap.so module) +# +# In order to use this module, it must have been linked with libcap +# and thus you'll know about Linux's capability support. +# [If you don't know about libcap, the sources for it are here: +# +# http://www.kernel.org/pub/linux/libs/security/linux-privs/ +# +# .] +# +# Here are some sample lines (remove the preceding '#' if you want to +# use them + +## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!) +#cap_setfcap morgan + +## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!) +#cap_dac_override luser + +## 'everyone else' gets no inheritable capabilities (restrictive config) +none * + +## if there is no '*' entry, all users not explicitly mentioned will +## get all available capabilities. This is a permissive default, and +## possibly not what you want... On first reading, you might think this +## is a security problem waiting to happen, but it defaults to not being +## so in this sample file! Further, by 'get', we mean 'get in their inheritable +## set'. That is, if you look at a random process, even one run by root, +## you will see it has no inheritable capabilities (by default): +## +## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}') +## 0000000000000000= +## +## The pam_cap module simply alters the value of this capability +## set. Including the 'none *' forces use of this module with an +## unspecified user to have their inheritable set forced to zero. +## +## Omitting the line will cause the inheritable set to be unmodified +## from what the parent process had (which is generally 0 unless the +## invoking user was bestowed with some inheritable capabilities by a +## previous invocation). diff --git a/libcap/libcap-2.24/pam_cap/pam_cap.c b/libcap/libcap-2.24/pam_cap/pam_cap.c @@ -0,0 +1,310 @@ +/* + * Copyright (c) 1999,2007 Andrew G. Morgan <morgan@kernel.org> + * + * The purpose of this module is to enforce inheritable capability sets + * for a specified user. + */ + +/* #define DEBUG */ + +#include <stdio.h> +#include <string.h> +#include <errno.h> +#include <stdarg.h> +#include <stdlib.h> +#include <syslog.h> + +#include <sys/capability.h> + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> + +#define USER_CAP_FILE "/etc/security/capability.conf" +#define CAP_FILE_BUFFER_SIZE 4096 +#define CAP_FILE_DELIMITERS " \t\n" +#define CAP_COMBINED_FORMAT "%s all-i %s+i" +#define CAP_DROP_ALL "%s all-i" + +struct pam_cap_s { + int debug; + const char *user; + const char *conf_filename; +}; + +/* obtain the inheritable capabilities for the current user */ + +static char *read_capabilities_for_user(const char *user, const char *source) +{ + char *cap_string = NULL; + char buffer[CAP_FILE_BUFFER_SIZE], *line; + FILE *cap_file; + + cap_file = fopen(source, "r"); + if (cap_file == NULL) { + D(("failed to open capability file")); + return NULL; + } + + while ((line = fgets(buffer, CAP_FILE_BUFFER_SIZE, cap_file))) { + int found_one = 0; + const char *cap_text; + + cap_text = strtok(line, CAP_FILE_DELIMITERS); + + if (cap_text == NULL) { + D(("empty line")); + continue; + } + if (*cap_text == '#') { + D(("comment line")); + continue; + } + + while ((line = strtok(NULL, CAP_FILE_DELIMITERS))) { + + if (strcmp("*", line) == 0) { + D(("wildcard matched")); + found_one = 1; + cap_string = strdup(cap_text); + break; + } + + if (strcmp(user, line) == 0) { + D(("exact match for user")); + found_one = 1; + cap_string = strdup(cap_text); + break; + } + + D(("user is not [%s] - skipping", line)); + } + + cap_text = NULL; + line = NULL; + + if (found_one) { + D(("user [%s] matched - caps are [%s]", user, cap_string)); + break; + } + } + + fclose(cap_file); + + memset(buffer, 0, CAP_FILE_BUFFER_SIZE); + + return cap_string; +} + +/* + * Set capabilities for current process to match the current + * permitted+executable sets combined with the configured inheritable + * set. + */ + +static int set_capabilities(struct pam_cap_s *cs) +{ + cap_t cap_s; + ssize_t length = 0; + char *conf_icaps; + char *proc_epcaps; + char *combined_caps; + int ok = 0; + + cap_s = cap_get_proc(); + if (cap_s == NULL) { + D(("your kernel is capability challenged - upgrade: %s", + strerror(errno))); + return 0; + } + + conf_icaps = + read_capabilities_for_user(cs->user, + cs->conf_filename + ? cs->conf_filename:USER_CAP_FILE ); + if (conf_icaps == NULL) { + D(("no capabilities found for user [%s]", cs->user)); + goto cleanup_cap_s; + } + + proc_epcaps = cap_to_text(cap_s, &length); + if (proc_epcaps == NULL) { + D(("unable to convert process capabilities to text")); + goto cleanup_icaps; + } + + /* + * This is a pretty inefficient way to combine + * capabilities. However, it seems to be the most straightforward + * one, given the limitations of the POSIX.1e draft spec. The spec + * is optimized for applications that know the capabilities they + * want to manipulate at compile time. + */ + + combined_caps = malloc(1+strlen(CAP_COMBINED_FORMAT) + +strlen(proc_epcaps)+strlen(conf_icaps)); + if (combined_caps == NULL) { + D(("unable to combine capabilities into one string - no memory")); + goto cleanup_epcaps; + } + + if (!strcmp(conf_icaps, "none")) { + sprintf(combined_caps, CAP_DROP_ALL, proc_epcaps); + } else if (!strcmp(conf_icaps, "all")) { + /* no change */ + sprintf(combined_caps, "%s", proc_epcaps); + } else { + sprintf(combined_caps, CAP_COMBINED_FORMAT, proc_epcaps, conf_icaps); + } + D(("combined_caps=[%s]", combined_caps)); + + cap_free(cap_s); + cap_s = cap_from_text(combined_caps); + _pam_overwrite(combined_caps); + _pam_drop(combined_caps); + +#ifdef DEBUG + { + char *temp = cap_to_text(cap_s, NULL); + D(("abbreviated caps for process will be [%s]", temp)); + cap_free(temp); + } +#endif /* DEBUG */ + + if (cap_s == NULL) { + D(("no capabilies to set")); + } else if (cap_set_proc(cap_s) == 0) { + D(("capabilities were set correctly")); + ok = 1; + } else { + D(("failed to set specified capabilities: %s", strerror(errno))); + } + +cleanup_epcaps: + cap_free(proc_epcaps); + +cleanup_icaps: + _pam_overwrite(conf_icaps); + _pam_drop(conf_icaps); + +cleanup_cap_s: + if (cap_s) { + cap_free(cap_s); + cap_s = NULL; + } + + return ok; +} + +/* log errors */ + +static void _pam_log(int err, const char *format, ...) +{ + va_list args; + + va_start(args, format); + openlog("pam_cap", LOG_CONS|LOG_PID, LOG_AUTH); + vsyslog(err, format, args); + va_end(args); + closelog(); +} + +static void parse_args(int argc, const char **argv, struct pam_cap_s *pcs) +{ + int ctrl=0; + + /* step through arguments */ + for (ctrl=0; argc-- > 0; ++argv) { + + if (!strcmp(*argv, "debug")) { + pcs->debug = 1; + } else if (!memcmp(*argv, "config=", 7)) { + pcs->conf_filename = 7 + *argv; + } else { + _pam_log(LOG_ERR, "unknown option; %s", *argv); + } + + } +} + +int pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + int retval; + struct pam_cap_s pcs; + char *conf_icaps; + + memset(&pcs, 0, sizeof(pcs)); + + parse_args(argc, argv, &pcs); + + retval = pam_get_user(pamh, &pcs.user, NULL); + + if (retval == PAM_CONV_AGAIN) { + D(("user conversation is not available yet")); + memset(&pcs, 0, sizeof(pcs)); + return PAM_INCOMPLETE; + } + + if (retval != PAM_SUCCESS) { + D(("pam_get_user failed: %s", pam_strerror(pamh, retval))); + memset(&pcs, 0, sizeof(pcs)); + return PAM_AUTH_ERR; + } + + conf_icaps = + read_capabilities_for_user(pcs.user, + pcs.conf_filename + ? pcs.conf_filename:USER_CAP_FILE ); + + memset(&pcs, 0, sizeof(pcs)); + + if (conf_icaps) { + D(("it appears that there are capabilities for this user [%s]", + conf_icaps)); + + /* We could also store this as a pam_[gs]et_data item for use + by the setcred call to follow. As it is, there is a small + race associated with a redundant read. Oh well, if you + care, send me a patch.. */ + + _pam_overwrite(conf_icaps); + _pam_drop(conf_icaps); + + return PAM_SUCCESS; + + } else { + + D(("there are no capabilities restrctions on this user")); + return PAM_IGNORE; + + } +} + +int pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + int retval; + struct pam_cap_s pcs; + + if (!(flags & PAM_ESTABLISH_CRED)) { + D(("we don't handle much in the way of credentials")); + return PAM_IGNORE; + } + + memset(&pcs, 0, sizeof(pcs)); + + parse_args(argc, argv, &pcs); + + retval = pam_get_item(pamh, PAM_USER, (const void **)&pcs.user); + if ((retval != PAM_SUCCESS) || (pcs.user == NULL) || !(pcs.user[0])) { + + D(("user's name is not set")); + return PAM_AUTH_ERR; + } + + retval = set_capabilities(&pcs); + + memset(&pcs, 0, sizeof(pcs)); + + return (retval ? PAM_SUCCESS:PAM_IGNORE ); +} diff --git a/libcap/libcap-2.24/pam_cap/test.c b/libcap/libcap-2.24/pam_cap/test.c @@ -0,0 +1,12 @@ +#include <stdio.h> +#include <stdlib.h> +#include <security/pam_modules.h> + +int main(int argc, char **argv) +{ + if (pam_sm_authenticate(NULL, 0, 0, NULL) != PAM_SUCCESS) { + printf("failed to authenticate\n"); + exit(1); + } + exit(0); +} diff --git a/libcap/libcap-2.24/pgp.keys.asc b/libcap/libcap-2.24/pgp.keys.asc @@ -0,0 +1,278 @@ +morgan@kernel.org upload/signature key. + +pub 4096R/E2CCF3F4 2011-10-07 Andrew G. Morgan (Work Address) <agm@google.com> +uid Andrew G. Morgan <morgan@kernel.org> +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.15 (GNU/Linux) + +mQINBE6OiBIBEADpdtUxC8Fmhn5UK6UCZdU7mFgZwN8U9cabFUPfUIkMqXULhCD0 +hG2/amuiiUoLollPjOopNqk4cc8LcZfszOdBFAYj7MeWzNySVw4KkWrVCEH/bZ0Q +QzZH2qmoMT5CIrtcNxCAvukYsZLhyZYO0HdfuE05mVhVjtX9Btfxr7Ndvb7L4MRS +3Qb6+nHTgfn/Oow92/koIWvi0YvskKdZypeU888TQL99E8xdgL2n2Ip3xYwBHRR2 +GPb5MGOuEItF3tJ0kkILW5mzkJq/iLzRphzKjdF76I9QVRP8dZ+uWHPubWePm/5c +1H9lnlw00ZZ/ucQvSwTesUYk2aKkxzgm6X8fCdJXBLGgW5K6CkynpjN3qJ9KpcNY +H55smUgp8BaiWuoHe4pLvuBhnN2wiYOe2j9UvGX1OaRstMXFx7YbBvkGgdoZthUe +VPGAa4K+dnI2oy4wukzl/unAKrlMCBRsRoW2qjy3TDSXqwJhd34ilHzrdAdchrh/ +acBfbBtRzVlcDTnGltDNMuRTXzujaY9C3B0L2E+Jfrds8WcM8ASO4mHwJUTMrBwM +b5sFSG+/X9Ufg/c2G086HQ7xMERUA5oz66P5ReHCph8WHQN2L5vtZwL7//hZB9hn +G0K1210YEDXpFPijpis/54MKUSkWEFOLjUbiSPbwEfb79A00CcHojQQinwARAQAB +tDBBbmRyZXcgRy4gTW9yZ2FuIChXb3JrIEFkZHJlc3MpIDxhZ21AZ29vZ2xlLmNv +bT6JAjgEEwECACIFAk6VD4ICGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ +ECnuhIrizPP0zNoQAMDjx3iovvf0rpAYFvvAoPbzhEXcJ41/T+paxWOJm8SEg7fX +nUHgXeTwW3RJPIp7PguctPogvKQV+7GcU5Dcg13DZO4nMrSsvInsLQkfeDVU/zl2 +MuHFOtBMpDp6iGcUwjS0bYbvl03fPj7ZXIML+I7OSyNeoZ/n2ztI9UiIBHovsHqZ +qYm4d7VOi4nVj1Y/Gak99sw3cLvUwq9f3i8ioNzynqBT7jA+GWFaeVJuGrOCBBBg +uIu0Ekg42NAZ2AR32wQP5eEtlSAq8Il9RZzewa1v74loDNJOl+kW5/jQK6tGj2A9 +vlTqVzHUDmPZ9n6Ds7h3wo2g3gzYX1cuM3spW9UsA8XUDNY2yNFYDC9IsAI09u18 +N7f89isG/yYh5MZpJz2fx7cecHtwSVukTGHDsaoHTXMlfjQmVU5efORZJa6Bx0Tk +aSCwecem3q+3OcdgW8XwPWik/5Wv8B3dJopMH1Mw3pRhirtTd6/88xNyLkJStptB +DZvbqvB2nMmSiqgh0mPeslnwubxJ5/4FbP9zlLN7zp49RZHKDl/8EMSXGCjmG6UT +xW6I3YpKdc4+yEd19/UUtxqQOfbgFvlcbesQ5ILvLOzZidkS7y0v4i9rZBe/HEy3 +eG8z4s5dloBrpSBvKySwqWuuSDn3tMqw4Bz2Be3FgtYA4TnNy7shcFR2BMFotCRB +bmRyZXcgRy4gTW9yZ2FuIDxtb3JnYW5Aa2VybmVsLm9yZz6JAjsEEwECACUCGwMG +CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOmRGPAhkBAAoJECnuhIrizPP0wK0P +/RMvjmzeXbgoa36cBDvDKReAiC56Au4qGXkNah3984tNPT1hVUKCiwiUmULoNJbE +I4qFJTtwsMi5QzE+daCA7t+ALJiC+PKiKFG1LDz7mxfhmBeS3XcYuqZdjyKrATUF +r0SHbsJxtRCslawGD2gKczLknFeBXL0997TfJS9ipLibqCtmvyryHn4EbZfoJqcp +j/RBN/izVGHNYI8BsZpO5F6z7vXoncDL0dKh65ndGaIbhVDUPsDBvzg3i+EzhB51 +hYTTNKK0QpWbmsXfJBnvztinfLUsnO9HV8aRaygOI/DAKAtT7YPXORA1oFYtx69b +zulqC+TXUmeV8YW8bETH4xHM9mQb0oNLPibR2nK2FSDiLp0/eEM5vgzfPVUX7WzB +JUPsf0ah/e1yrXqudGUUZ0R+3VMOdxMryZBKLymkzyvu6a5DcLarqAt8y9ciRH67 +HKNnE1gvHf5K2Q37gwSecwmXCjpMlbVJnIarLKBcVRcYKtxgPxCv6483I8heSKF7 +PB/IFBmzT1cX7lhln9+62Ks/0Gs0pA0iNLaD+POPiqWrAwZsFvKjD9PDaCBDFRWj +FqZLyJMsMi1qmP8jWsdQqPdUskQC0ftvw3Z6SiyyrriSAzglCjmmAcfdt+w4b/EO +4SzSZUnd/ApkHkZx1Lbta15WKxGi7S8/5zNdaK721nUdiEYEEBECAAYFAk6Oi/kA +CgkQQheEq9QabfJhdwCdEhWd2WbjrypMC2jEqWUswmf7fsQAn3LwZyeVJK5LApOF +7NimHkCQV9z7iQIcBBABAgAGBQJOl+CHAAoJEO2/8mhZLMbY4ywP/2qX0+QrilRC +eqk8cOmljLB+sxiA2Jc5YINAXipg6PSQzF7IlMnSNSW69ARLPW5iyDTljXTtD85W +/yWhm3vsouWldBa1Wb6xVb8iA8H8fUUKCY7ngCSjHJxPa1KRsTrMKCkLHR2MP7Qi +ar0dvquomtlx5chkhXmY+0cxcA/cMB/A/fbfDvvbYD5HYiB90AylPmLbM9XiLF0F +RSJt7iokGidS1W80ZCg5p1R02dQV5H7/111Xx1QIggPcNPWGwCK61Q3tPV0xc0oQ +dZpQk2hnPVHF7BMmCyB/iNRofF9mpC/QZGFRQkb3XgdIdK/O23VQntSGctrtnL1M +rcrgQUIrMaU3LKFbIE7DBwMUzUaTO/t14ZQQUZJTAKLSVCfvGvgh6/dqaXpssQxL +D2S5J1sWs1ZVInOhjo2OZnVl3SEmQT9h6NB93QRoGfbfy+AJgReRcfCep5zDMrud +5HPym9itvMLVVzw267Yn0ATBhrESAY8LqBBRbigM/TL+jNPfsQzhEzHXFsQL/dKh +V4N8IURnpCqHzY2BSnTX1K8ipl+iRGpMVfkYQnM660AIJhAReT2rwzuhGRKHbOXz +UrzoEg1PEw/+69ZmcGUZH1VtSrOw0r6eub+rg7Q0R4r6c8kF2vS2XSQn/MZ2Wqjk +hW4fWCqqogIvCkqk1Jt3OCRIWbVC0bKKiQIcBBABAgAGBQJOmJxYAAoJECDQTlpx +NmCnTvEP/38M2bsQGnKVhNsAcr7sDO4YmDrc8V/bUrGjADWmLcW/K2MDOWLZIwmg +Z1qMifHXuy/NhyX3/xp8VacNAlpuQ8o/T77P1QCLwuPu+fuXLOmFkCISFeTW5g/d +pShZ4tsTXAaJs7bQdQnsY3prZl0CMJtItOhwW34PDZL95Vp2ZRx84Dn355KHUeeq +yQjqu+cEz2T5sfVj/O2w1tgeWcMxrOI3ARD/Ks+CeWoFZPezq2K4ctka7Q+muH9/ +1WCatdpryf5SJoBMDaC7GXzGegesKQr35sfNM9XRP1TphmCqQz4VOb+stIEJv1Dq +c9Lc4EScOwmESt5mzPwrZ3OJ+stFKW1QJgErUb55TNQ4C957rodxCerNa9ptpdUk +U9Pb2vpSurNRgETA/urZkBO/vPQ8MEgdJSbVgh0Rj/zPFnj3akQFc98U5Km0TIHJ +7r6S+qj73itUM79jMVKJgewPEA8cys0ACLoM5uRNYq35mY4OeP/Edm6NLiKfD0us +MfEQ+02B8RqXuHBAJAa/+f+U3zGkw268f3/16kZv/PTMfdOEy1cjKlQ3LFwIHfny +Brb/3vHAVTAyEbBPWmULEjopdevEPKmKyW2EXFphBmjOHSghmIRDxO2WmSuI8bIU +sH4oq6MwqAJpE5rzreBNLNh5ZY4yzw3nAJb6Bb59m0kt2fHKIq+AiQI4BBMBAgAi +BQJOjogSAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAp7oSK4szz9HRi +D/4sMdw5WrUtmagrXWVyj83YLJW2GBxH6s5UR1/fyl5uDYjBAccf3jDuIwVZzpCJ +ZpQ8RwvRV699Pag5L5uwDEvkiIMROPNescaXGROuNoCFfqIOTVZfGya2w06dB0Kh +C0l++iO6YVy1eJkyc/XooiOOtEfv5UpBZSWn9hMYaNSc9tiQcyPxzEnEQYUmIoXG +kHXUNRDBQfJLRZP4e9YjN/hH0ZW7/rHXXMxeBREfbCekKy0qDgJ/Sf3Eh6dwUkOR +/vCrdZM2Q8TTX0LJdflJdqMEuYHqm1j9RrnoXIjhx0wFopEOHPSr2qxOu2gOkyxB +JE7Ur3IKpMRaoCR0xHMb5MOgnMmwRW2G6KcZTCdr2jmxp2hK3BxRcUt3qh74jhZL +Dbv5dxTqVn/VK1CGhHbrcW2adkyi2sK7vVARdlSmHYWIWhLqv77p7tkSAX76Qig8 +X75WGF+W3YSAS4f3I6QXRnXxzG8TbMIa4CfeN5IZ2Z5TisC2YyuG8VdM/m6i6W18 +cLa7ZNGE3w04eVQvtigG+9p9gCs5Kg6PVVxwJsjGDDqHkCslfFF8Wl1ZdqXqtUB2 +RKTWb4XNU5XxO0xIGFtLUNnCKcJAOUCu/oRJ/WWHW+BKDdG1VbgYVFTXHc6YZpet +2D+sAs7cWV8GDJ9nChHWcQ5C/bPV1PVnheZhwGvHLsWrILkCDQROjogSARAAtLny +8nlyr8fyYGAocQz0S47a99n/X0Vmgwo1trJsCXWbOrpztznY8IFRK/dRnRHiMwBx +WQ4CvdUk2p0MweUiOjpEN7bUm92jeFXMr0hpQKf+O4DMExHS4hxLwArnKFuAk2ej +RQGXBcEoMv11LiUwuzFbWdXqMsA1TbuA+WvEBnFUYM/6xNiJeRIUIiGydhG1yaw8 +HrNWLHnhhcOfT6z5AO69hZZiJacp9pU/+jnep/M42p4J17x81+ESpJeladwR0Qxc +0qxOyWidN7oO5hSiBEwU6lYQjdQ23pa7tN1o90P9jyN2nFBEdBu2D/mi4DV/+VXU +YHNEy3uNhmmLGwMoPVWiZveRmG74+ne7MVyxwb9EIF3IenS4T65ee1dlZvaoMxUl +Ue8htEK0ChrQZOfITs9MyjUwoTiLUVo3kQeMli9HJEQXPRjHqkkZ7W65LhkEVnHS +PHWtttRSDkuZYtze+he142GzDSQA3dF2zy/tLpBb5CA29ITcQTspgV7AuV8YQqDZ +4XWHsR9Am5334N83EXk2oouqxl7mKUB0Vg6tujNCBSRn6A3CUaA29w/MyTg4z6Yw +6HD3il1J8PcWEoOzqlUoPd8tA5pcZCcKngkXndpXgsZCgoCgvx9WNU+LUrHBfhC3 +TLLsI7iGO1JvLghkesKTARF3O2hS3xAhfGZxn8MAEQEAAYkCHwQYAQIACQUCTo6I +EgIbDAAKCRAp7oSK4szz9HSYD/9hmEsJuSgAGwx/OPweYuDGkA25ajDAu59LpzTb +jB/yOU1rDVUu3cMH+UEyaEGlhbneGvHF2DsEC9il/8fVL4eaE9EWpopIonYndBE9 +1+YiGHPToiyKcdp0KuQMwm2ENAiEf/qErrB2NLna4wfZUx5lzvEOEk3cNPmNz2ER +yMPXIeeiQ9VKp3MzopWhvBItAyIzzuydKKvJAKzDoTOEL4w60slAphj8rVCsW45k +2AurWUH7VFM8ezXunieLeygCGb+YJZAet6yVXD3UwnNcWCGQ+xKSPuyKrn4xKG0N +5gzxnGIh/S/7IOjRaNR5X+pfWd6YzN9qURUfiXmuLSPRHK4Flfam4gMMHul9wL6X +BayFo2NUPBaxg4U9ACAgSJxgCTNPCKwnovecOsRmIESKtT1F3hbZRRgRGj/TDepJ +QNfHSyk/ZQfuoJggBMQLJKzGII42rb0W90QLMk0SyCzeb3LO3yyNiKpluNpJsl2I +qdBJE5t1LxhKDnju6JlFyPcGJnP/doTuDTjjL0V+guPAGVbuq0g2hku+ZlJwjMSt +NwHPWxeifuDJbQVIp0xZbI5djdHC8hVJX+d09J5eq0PlgMEidc4F+Vv+mmGJl0Gi +NfhmTaACSRzbI25/bhvj2xhx8A2LEOuU/+nzYgQzPcFpawiUP1wBnTqi+maxKx5/ +9ifyrw== +=Ibs8 +-----END PGP PUBLIC KEY BLOCK----- + +pub 1024D/D41A6DF2 2002-09-23 Andrew G. Morgan <morgan@kernel.org> +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.15 (GNU/Linux) + +mQGiBD2PVCcRBADmR2dfKJIaGj120v0EjrGbnYic8nKCrDLUHmtiZyIlMeTNqnw/ +/Q2m057SIyFC5K5W7XV8LIsOcpEBAdIS5QLClwec/wqVj1FU5TLHNifR9fBq+DaI +tyMH+LX/HUo4xPaJ5KnE62/3M/SyUx/S69RURfRdDsC+9ucKZkW9mnRiUwCgm18E ++aUKNBKGyqHaNK+n50jxW0ED/2epmE6porj12MyTlTvmxHuq7SSqgzTP8KoNoOE4 +mtZnYAkopb8uksBo4yj4abfBZNiVXEttc+XpwhnRODfy576wVy/lmDMTFAz7CYw8 +5Qmsf9HZXyAS+XovscbYYAWq11BycqHzVNqOevMZPX4Om7+rHBcIPI6pCd3ouPlW +ObE5A/oDWXC35DcgFdmgVH2qr5COEvrDs9T5w4UdRXBMj2khE+32rdP0qqGYCW13 +by84+Cpoekmg+6/FqL/At0Xl2a87czur5xR9mrDd32iknws0DggEuf+zL3Twt9kA +ftnqgiGr33iaNeXwgqfgQYMbxruLvjaAOayKPhr+tgJU6bIpWbQkQW5kcmV3IEcu +IE1vcmdhbiA8bW9yZ2FuQGtlcm5lbC5vcmc+iEYEEBECAAYFAj4UuSoACgkQkEgh +GpsoCtOuSACbBUTsx4vlTI5sfutfBntt4TySShoAn1M8hB0S9TkqbG/3OHB8gPm+ +QhjHiEYEERECAAYFAj3irW4ACgkQ1fT/Y8EaOHp+sQCfWWkmmIDvyUi4bA3v4VSw +WaK7mSsAn0N65kYwaW7ohuYJAPeZ6U2HKvFfiEYEExECAAYFAj22Rz8ACgkQi9gu +bzC5S1y0dACfewqmEfYHaTNlCD3PPBCQdWhfi4UAn3+rNDIS5AohUPpbG2/8s9Ef +ZLyKiFcEExECABcFAj2PVCcFCwcKAwQDFQMCAxYCAQIXgAAKCRBCF4Sr1Bpt8u+V +AJ958HbiLmhrpWjAauN9GrtKudijkACfR2XasdjQs2ECc2qMX19QwNohDAeIRgQQ +EQIABgUCQCGDkgAKCRCA8Qy7VNK/WXUIAJ9/Zhn5knqsTTMllzWxe/N1ddGaaACf +SiuBacgyyBdIas15RYaD0YYcNlGJARwEEwECAAYFAj/7MEkACgkQC56ssbtLKadZ +lwgAlS98PQDeITUujwAWpGvOhXh9Bfh27RRKe+MskFTzTzuvmK5+VZGo4suC0PPS +9Hv40UPtt0SvgIuli1Ero0pCP6pWGjgLGPWroXtKfXfYRqnu4vfETt/Ugy2OjG9R +zfum4J8PULD47bsMVw3oMHFucgerArSQNeNx0w5JwYpFJCb5jSf7yXhDCfm+yVv0 +XTls1DC7mtHQrnKGlZe75gEa6zaXRUAYboKbuBifV/anjwMLr2q0JKJSYxFFjIfG +e6QHAuM+NKj3+UAcpkCKYCUobaB315K/pOyKdKfRe5L+8zYQLafNqRlhkvuIkChX +ztyhoXEspp/yIPUJfZFcRldgEohGBBMRAgAGBQJEK0S1AAoJEOCAR9WqTho4asYA +oMdOh1uGDl7qgIO/h5VDwo4Hcs2xAJ4zqSnm0QrNgfFTK9x6j4Jzur+Tl4hGBBMR +AgAGBQJGg9bXAAoJEPmxwkd4G/I7NZ4An2wZ8rfwJt3CSm1ZVPiSf9Ax6J9fAKDM +1PqnD/qIbNMbmURXpEbvWWQunYkBIgQQAQIADAUCRgBA4AUDABJ1AAAKCRCXELib +yletfCcuB/kBeH0/nAFKNw77fNucYhlt9GuT1c1j+8emujF7mwgm18TVcxqRjeSV +PskEkzaX+mzf3Tfn6k7+d/dPYRHPrX0STdsNMqrZkqjt5tiozuLYJUE/PDKafzdI +Q7ya5ps2AdIKNixiSRPC+6cNB85NBorLXs9yg+JkQlPeUI7/DZb2iz1iZXTnyCZv +SvKA7JMYpCOzZ6fWshanZ/91hxQvsYHjYC+zQVTErSYQlBqz8fDLPfyYQiqQFn4c +T/i1WsxYMEaZtexvLuQe9LeaDqyY19DyBaJIIiN6EcGZ4sXRa7M6QUD1HKjEWt62 +U4shHkPGIMgQWLcRZDepovlpGVXLmXEf +=oXom +-----END PGP PUBLIC KEY BLOCK----- + +The following is my DSA key 'D41A6DF2' signed with my old '2A398175' +RSA key. + +-----BEGIN PGP MESSAGE----- +Version: 2.6.3a + +owF9k82L42QAxmccVjFzUNjbHLQLHlbDTJq0aZuRAd+8+WgmaZqkTZtWWchHk6Zt +vpOmGcT1A1zm5EVZPXhQYW972IMHFVxQPK14UNjLICKiexBkEQQ9iI7zB/hcf4eH +B57f6dY7O5e2jt76ab/58Db7HPVasb3NvLvzT/5G44+H1uSpW0/fffDih3Dv9+uv +/ka/9Nh3n/h865FH0Qd1/f7Ny4/jg28/uPJ9tvvRjTdPrz1z+vVnyf4t50T95vmr +/gtninr/q7NP56+8/4Xb/tlJl9d/vXNj9+bnly6/vHX2p56urvwQ/3j3y92Pt/eO +3w57h3vO7O+/tn+5dw17HT555/bOe9YTQZR6ZrjPNHHQYjhi6zz7/4VmeUGuKbxS +U3RaEmBNZCc1WupD8QIjo1ma+VF4WOPDQuFra/ygftCqXeVlHZP8sNg8i8AoCGZh +fljjorTmh25Uy2az2jzP40MMK8vywAuL2Ds470eQQOV9miGUEbQ1GjCBRjiueCyY +/AIn6us6u0h5K5z4dicUYcpIejfI/WklrHqzoZyEJYZgKhHUyfZAqDhIiuS4bYw6 +kpD17ZilgSMMSFWCq3JmY2UyWuCcTg6lruy7GuXSCcqYApJXvS4qGVhXj5obxTwm +xZBtEVijhw0qfYMNWpSma67mMBlEqcIWp8sxFYSar5fQC/AOi6CmLsq0yFdJ15RF +NCTri824zjIYMYsDthVH6fmWXjVcDdfBplsk7cEg8U6GSkeM5KjPNpEgn4YTsIxi +q1MsMzpqVoumabn0VPZHBpvnNmrE5TzU+oxbke1WOaqwVcD0hhw4acNJ2UFINchc +qjs1KjBAjWid2dZkAsYJjtOVnXRPRnLSn617U8Vo9oM2mnZpW1CEVgydRlQoqzHS +t1gSYBEzNmCDZGyPcwJv1CWSlIR9dp0yGTUky6buaAbdWxDLOYs2iNRR6knCT+AY +byBW1WmiMI5my8BDWxiXSBjI68aKMDtt+6RIyY1GBSnjNAh/GZZZnfE8tnDRE6kx +LHNqCRA3DxPP59NGwzflmVF6ieupk561SQtpvTBB36xEZZ6iuXestywhHlvqUh2T +SzsYNQTWLhCBxdd24MwtH3SsMVVNCa5Q+XxlB+TKguQ5s1Gfs1l2w0JA2xxYXJyO +g6UtglJlEE7tQbCZQKAKhgeACDUacs1BitNx3inQETimyE7X8qVgnsbjBTALmeLT +XCwcf7EE0EU0wjAzZ6FmBAttIukZOKWWcjRngH2EHLWNIY1cGMTKzP/o9S8= +=cdkf +-----END PGP MESSAGE----- + +Type Bits/KeyID Date User ID +pub 1024/2A398175 1996/11/17 Andrew G. Morgan <morgan@linux.kernel.org> + Andrew G. Morgan <morgan@transmeta.com> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3a + +mQCNAzKOhJ4AAAEEAJ9xYnZSD1kYanF+8GUBhHf/gx6hGd8ZNmS5qIC8Qb8rMcTI ++E16nV+FnNRlPRbShITYjq1TPvVK8gTliZf41N9LRQZw0rywRt1NQyhdfKgDWYxB +kSOwK67oDjkzzC56XS2rrGI6K3Rz/VtYElRyuQ6ZyaKTGcgU/TTwrUUqOYF1AAUR +tCpBbmRyZXcgRy4gTW9yZ2FuIDxtb3JnYW5AbGludXgua2VybmVsLm9yZz6JAJUD +BRA2iFK0NPCtRSo5gXUBAalqA/9s3Hx8BUESiC9PpL88KSVe3ENoO0ogAuMDK3vj +k2a17Twxi92Dc/NPXr8ewEKF/h1GiRetLBVPGaSVC+602+2cr5SHqzUzAeyF2Xa6 +VAxCskxkAssTxIW7nyAMWaOB5A/1xm3YChawVQx3XIvbIp+HXHDNr/60COtlGm7I +IcHftbQnQW5kcmV3IEcuIE1vcmdhbiA8bW9yZ2FuQHRyYW5zbWV0YS5jb20+iQCV +AwUQNohVmTTwrUUqOYF1AQEgWwP+K94N0OO+I2A7lnP5Jp7O+kfMJCFxPZOeozrq +O8uKsAs03ekS+kDJ3p2ec65BOzZyweHEu1HtOtdZbXsN3zynLKBwJrvvaHBQpAqv +BrjfNsl9a+NFmfa4fmdPWTzCaG2rmFlaQvZ6FP7QrHXB/1+VlH0gJ90FOgAd3Qyp +4hhW9g8= +=qQJI +-----END PGP PUBLIC KEY BLOCK----- + +Type Bits/KeyID Date User ID +pub 1024/4536A8DD 1996/01/28 Michael K. Johnson <johnsonm@redhat.com> + Michael K. Johnson <johnsonm@nigel.vnet.net> +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3a + +mQCNAzEK0l0AAAEEAMWweYcS6ov1RISP6E7lb3vgQOrmhBy6S/8zkuHo92IkQWXm +V9AcMUY/eJPRJH6yI6o1ZKN4InT4uCkSIQOd2C8XyeIK5jFhpmP9DhoucacNL5H7 +oCV4wtFGhUDaDl9VeTtbWLSMESxJ4T/fL/IfkW95/Q2dF7zIDid5aW9FNqjdAAUR +tChNaWNoYWVsIEsuIEpvaG5zb24gPGpvaG5zb25tQHJlZGhhdC5jb20+iQCVAwUQ +MuqeiDTwrUUqOYF1AQEjywP/bCWLybbZSI8plyUSWD3yxwjsE+8BiOPGRu1AARUz +GbVZq9LqPDyjFtH9DqgXULyZtCAk8ebZonH/h/0EnZTi4tiZg3BHKXhIlWQnNz4D +QRdtUEmMNQzi9+3mU99CBGigsrDQnNrnI88ejo/0YY3gdt6752g5HAvY13h9A0ZP +MFWJAJUDBRAxgAouJ3lpb0U2qN0BActVA/9vgBOUheUpLPiIry/+2qqJv+e+LnHw +DgZqROpli9bhJ4wfb1sXPYkFzchR8BUeU0NY6HvAwxEilSNPE1yQoaJuy8POtTuu +aFO4wvuLp0v5LuatXaU8EsncwjrBsWqRB6Dqd+jyq24Pjx0YKNSRJxceiBE8SBDW +HESAhYTYCBLy77QsTWljaGFlbCBLLiBKb2huc29uIDxqb2huc29ubUBuaWdlbC52 +bmV0Lm5ldD6JAJUDBRAxGljWe01Ojay67k0BAf3qA/48N9OvgGk9nNR+Pg6aW3rK +2Dy8t2RQdFGd4b7gBtZeXUAklq9ppYZtS+cXFHoQ8d7K8XBjHh+rgF2oOSBQUrQf +eb8XkKSZQxB7DZVdi1gAsOzSwCrn4TWSSKc28P4Mjuj1Jr2f1FGST1+cGIl7JbhV +kLGjmvOIgs7lS8FE0Hhm/4kAlQMFEDEWclxEcVNogr/H7QEBN1QD/1iY+KYQyOTz +fgaBsx+Bt11kstmOlYhXx23yK2etG0p8XCD2r3aojGOTR/e3o2bLiJo4xe+iMhOM +dvdSzxSPGQ20wX3jGJaRrRiSClFTQbZSelGG0FcOGfM3mL5zeHaXzRcRciK3VDkD +IFzTQ3J5NJVBIVlAkxTMIxho758lR2SjiQCVAwUQMREqFnoDqzGe1QXFAQFdpAP/ +VPPoYO50seo1rLL28AA2PVKqo6BJwj0ZMsC14MDJEKryBbj/E4Ma25uSlzBjj+t9 +rbygoz0XWUQMLh8XPAEps3nE3n8FWROsdlucGzGiDGKVEygLPzCsjR7aGEspN1Y7 +4qOZPxbpGG7B5exOLur4ACY75m6oBh+PN+Q1liCIYXKJAJUDBRAxDpk1iGe2nxKR +G10BAeQjBACmx4DyJacQXxuckDaKMTXa8v2Q7lQpPDyHdn1oAUsx1mrbSL55v2AI +Q0riFWcFRTERpjAToCLgQjK1pKpmJcduiXURj6TPVKd88hYkuCIpn2hIaI7SCkd8 +HZlfFiuaxVN29UbbzHv3C+mseydpkPRrovqmOSuj2xAGFALo6Vl9U4kAlQMFEDEN +eD5EFXDNRmtCiQEBRmoEAJAuyY0F5hbweDOdeAhxLWeiTl9jGwQYDS3T5B5/9ZpC +bJ1yX7Pk2o7LvR9tg/Ji5sfMMvIpH48DNT4kyjmmChFXCUBccwd+33ugdTcYDwLR +Cdt7k9r2yXz1LEH+lVNKOEIhuIq8/sX61hvFR7+qSABthTLrvvynycD5n2pG3F7L +=aGjw +-----END PGP PUBLIC KEY BLOCK----- + +Type Bits/KeyID Date User ID +pub 1024/D4F4D901 1997/03/05 Cristian Gafton <gafton@sorosis.ro> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3a + +mQCNAzMdU6sAAAEEAKLF73rRJ3RUtl+y4bLUOVOV7ataJ46ZHxDZeGAVi+/suwT9 +Kq7QdaeFc4Xwaq8PVWv7pZ4/qTwHUkdbjBVeLt+KOlprvKuadyAh9aG/SqmKkEvA +hCS3yZDwNmeSLO7VIN5ko1nIwVD4kPJvS3xX6kn6jd4mvv/qGfGvxKXU9NkBAAUR +tCNDcmlzdGlhbiBHYWZ0b24gPGdhZnRvbkBzb3Jvc2lzLnJvPokAlQMFEDMeTlI0 +8K1FKjmBdQEBmgQD/02JxAU6+fiaBKwRIFDdsLYTy8mPgYaoul9RIX450W5D5nY/ +/696F6TfmFUzvnrvTbZUDyLxHB0mnh4SrdKRKo57i7RDrdx3Mqlt/xP4R6nHwFed +yTMvz3KB9tYuWfC1fJp69/VRIkMrw448zKkgqHUnAKxMIHvXnV3M9jd6lXSYiQCV +AwUQMx1Tq/GvxKXU9NkBAQE3/gP/RZMe59OkBWS4whc9c6eac6zwcC/hNc1vyiZ5 +2TEHJ10PgtNtHchD7j3xsDO17/DGEZB23OQiPAeLdqnBr+y2uiSlQfYdpVHBHX3A +uX3onc69LpEHmUAJAVOvfU1scnDtOH/KeVN3nwc6PWLxzLWzXfUbwLNK+LiPMNMV +1qygu+s= +=J4G2 +-----END PGP PUBLIC KEY BLOCK----- + +Type Bits/KeyID Date User ID +pub 1024/A5D75B79 1997/03/01 Andrey V. Savochkin <saw@msu.ru> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3a + +mQCNAzMYf1MAAAEEAK1S5jgmWnn8IS9mKoSpXu87f2soQhVZ3XdvsBCK2V7BojlU +0+JJrK+2gMH5tavyFsQ6cKch6I4xH54cS4P4tNE9M7OtfoXOxejtp9U9KZio8T0X +gM8qOS4fTQEfmdHSA5ETe5Vv+WPZ+/3SCo5kD1uIUUwppHDgJH+l396l11t5AAUR +tCBBbmRyZXkgVi4gU2F2b2Noa2luIDxzYXdAbXN1LnJ1PokAlQMFEDaIUh008K1F +KjmBdQEBFtkD/38mraXdr4aEYC6lxlG3cF+59XB6FjyBYhtwgNshpI2mB5XLr25p +f4jMFNUqnY/bGjXWKwbNguzJ0ukD8TgOg1ZXQZztRso1t1Y2M1KPbwlqj8ib1bZG +inQO/eqLrVwFH6F9CTiF0Fgy7faAIHN6BfE0o8earrcIwjT7sxRej3lziQCVAwUQ +M35653fqPT1smcpJAQHeqgQAlXMOru6Rz1TkslVrWD0n7dvBUHQxs0HS1pcWJnZJ +6kcYMLSA2RBi1fRabwzuOtzK60tOmfmnD7btcGBMMflOtfSulEg/xKNw2awEsNQK +ULEIBsvrpMr0UN4hWkxTggDXaykg7rQqgrbAsicoLuTtPDIbc+yhQcFEVGJiPO/I +tqiJAJUDBRAzfnUef89/VVw/1FkBAQ2lA/9q6FQM4RZzp75qxZ7jqAwUy9RFAKhp +L63YFJX3i1JsUjNoO51pjj5pEAxVVQsorqbdsmpC2aOUTf1AufEcs1kLojb3tc19 +MhXPyHTJs66QqWutdP/yOW+CLzmILAsbEgI6O+toVZ0rHVXjEtRgKUnYReHLrlYj +RKlBnkVc3NtPcIkAlQMFEDMYf1N/pd/epddbeQEBfKYD/3x/PkH2e+Cy7YXsfwxb +y/n+6eNIbfakSYjkwN5tDOeaKhdQKUJBKVwAzD2yrLmMDx6uW+FUOTucb6Anau6R +iKrAJq/a4DcpAeymo7cAthVU7en7HWwebQcL4wZGao1BJI+ulynki4sIqkfbGP83 +DK775eovl5X195ZkE/wNJvoi +=V5TY +-----END PGP PUBLIC KEY BLOCK----- diff --git a/libcap/libcap-2.24/progs/Makefile b/libcap/libcap-2.24/progs/Makefile @@ -0,0 +1,38 @@ + +topdir=$(shell pwd)/.. +include $(topdir)/Make.Rules +# +# Programs: all of the examples that we will compile +# +PROGS=getpcaps capsh +ifeq ($(LIBATTR),yes) +PROGS += getcap setcap +endif + +BUILD=$(PROGS) + +ifneq ($(DYNAMIC),yes) +LDFLAGS += --static +endif +LDLIBS += -L../libcap -lcap + +all: $(BUILD) + +$(BUILD): %: %.o + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS) + +%.o: %.c $(INCS) + $(CC) $(IPATH) $(CFLAGS) -c $< -o $@ + +install: all + mkdir -p -m 0755 $(SBINDIR) + for p in $(PROGS) ; do \ + install -m 0755 $$p $(SBINDIR) ; \ + done +ifeq ($(RAISE_SETFCAP),yes) + $(SBINDIR)/setcap cap_setfcap=i $(SBINDIR)/setcap +endif + +clean: + $(LOCALCLEAN) + rm -f *.o $(BUILD) tcapsh ping hack.sh diff --git a/libcap/libcap-2.24/progs/capsh.c b/libcap/libcap-2.24/progs/capsh.c @@ -0,0 +1,594 @@ +/* + * Copyright (c) 2008-11 Andrew G. Morgan <morgan@kernel.org> + * + * This is a simple 'bash' wrapper program that can be used to + * raise and lower both the bset and pI capabilities before invoking + * /bin/bash (hardcoded right now). + * + * The --print option can be used as a quick test whether various + * capability manipulations work as expected (or not). + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <sys/prctl.h> +#include <sys/types.h> +#include <unistd.h> +#include <pwd.h> +#include <grp.h> +#include <errno.h> +#include <ctype.h> +#include <sys/capability.h> +#include <sys/securebits.h> +#include <sys/wait.h> +#include <sys/prctl.h> + +#define MAX_GROUPS 100 /* max number of supplementary groups for user */ + +static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP }; +static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT }; + +static char *binary(unsigned long value) +{ + static char string[8*sizeof(unsigned long) + 1]; + unsigned i; + + i = sizeof(string); + string[--i] = '\0'; + do { + string[--i] = (value & 1) ? '1' : '0'; + value >>= 1; + } while ((i > 0) && value); + return string + i; +} + +int main(int argc, char *argv[], char *envp[]) +{ + pid_t child; + unsigned i; + + child = 0; + + for (i=1; i<argc; ++i) { + if (!memcmp("--drop=", argv[i], 4)) { + char *ptr; + cap_t orig, raised_for_setpcap; + + /* + * We need to do this here because --inh=XXX may have reset + * orig and it isn't until we are within the --drop code that + * we know what the prevailing (orig) pI value is. + */ + orig = cap_get_proc(); + if (orig == NULL) { + perror("Capabilities not available"); + exit(1); + } + + raised_for_setpcap = cap_dup(orig); + if (raised_for_setpcap == NULL) { + fprintf(stderr, "BSET modification requires CAP_SETPCAP\n"); + exit(1); + } + + if (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, + raise_setpcap, CAP_SET) != 0) { + perror("unable to select CAP_SETPCAP"); + exit(1); + } + + if (strcmp("all", argv[i]+7) == 0) { + unsigned j = 0; + while (CAP_IS_SUPPORTED(j)) { + if (cap_drop_bound(j) != 0) { + char *name_ptr; + + name_ptr = cap_to_name(j); + fprintf(stderr, + "Unable to drop bounding capability [%s]\n", + name_ptr); + cap_free(name_ptr); + exit(1); + } + j++; + } + } else { + for (ptr = argv[i]+7; (ptr = strtok(ptr, ",")); ptr = NULL) { + /* find name for token */ + cap_value_t cap; + int status; + + if (cap_from_name(ptr, &cap) != 0) { + fprintf(stderr, + "capability [%s] is unknown to libcap\n", + ptr); + exit(1); + } + if (cap_set_proc(raised_for_setpcap) != 0) { + perror("unable to raise CAP_SETPCAP for BSET changes"); + exit(1); + } + status = prctl(PR_CAPBSET_DROP, cap); + if (cap_set_proc(orig) != 0) { + perror("unable to lower CAP_SETPCAP post BSET change"); + exit(1); + } + if (status) { + fprintf(stderr, "failed to drop [%s=%u]\n", ptr, cap); + exit(1); + } + } + } + cap_free(raised_for_setpcap); + cap_free(orig); + } else if (!memcmp("--inh=", argv[i], 6)) { + cap_t all, raised_for_setpcap; + char *text; + char *ptr; + + all = cap_get_proc(); + if (all == NULL) { + perror("Capabilities not available"); + exit(1); + } + if (cap_clear_flag(all, CAP_INHERITABLE) != 0) { + perror("libcap:cap_clear_flag() internal error"); + exit(1); + } + + raised_for_setpcap = cap_dup(all); + if ((raised_for_setpcap != NULL) + && (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, + raise_setpcap, CAP_SET) != 0)) { + cap_free(raised_for_setpcap); + raised_for_setpcap = NULL; + } + + text = cap_to_text(all, NULL); + cap_free(all); + if (text == NULL) { + perror("Fatal error concerning process capabilities"); + exit(1); + } + ptr = malloc(10 + strlen(argv[i]+6) + strlen(text)); + if (ptr == NULL) { + perror("Out of memory for inh set"); + exit(1); + } + if (argv[i][6] && strcmp("none", argv[i]+6)) { + sprintf(ptr, "%s %s+i", text, argv[i]+6); + } else { + strcpy(ptr, text); + } + + all = cap_from_text(ptr); + if (all == NULL) { + perror("Fatal error internalizing capabilities"); + exit(1); + } + cap_free(text); + free(ptr); + + if (raised_for_setpcap != NULL) { + /* + * This is only for the case that pP does not contain + * the requested change to pI.. Failing here is not + * indicative of the cap_set_proc(all) failing (always). + */ + (void) cap_set_proc(raised_for_setpcap); + cap_free(raised_for_setpcap); + raised_for_setpcap = NULL; + } + + if (cap_set_proc(all) != 0) { + perror("Unable to set inheritable capabilities"); + exit(1); + } + /* + * Since status is based on orig, we don't want to restore + * the previous value of 'all' again here! + */ + + cap_free(all); + } else if (!memcmp("--caps=", argv[i], 7)) { + cap_t all, raised_for_setpcap; + + raised_for_setpcap = cap_get_proc(); + if (raised_for_setpcap == NULL) { + perror("Capabilities not available"); + exit(1); + } + + if ((raised_for_setpcap != NULL) + && (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1, + raise_setpcap, CAP_SET) != 0)) { + cap_free(raised_for_setpcap); + raised_for_setpcap = NULL; + } + + all = cap_from_text(argv[i]+7); + if (all == NULL) { + fprintf(stderr, "unable to interpret [%s]\n", argv[i]); + exit(1); + } + + if (raised_for_setpcap != NULL) { + /* + * This is only for the case that pP does not contain + * the requested change to pI.. Failing here is not + * indicative of the cap_set_proc(all) failing (always). + */ + (void) cap_set_proc(raised_for_setpcap); + cap_free(raised_for_setpcap); + raised_for_setpcap = NULL; + } + + if (cap_set_proc(all) != 0) { + fprintf(stderr, "Unable to set capabilities [%s]\n", argv[i]); + exit(1); + } + /* + * Since status is based on orig, we don't want to restore + * the previous value of 'all' again here! + */ + + cap_free(all); + } else if (!memcmp("--keep=", argv[i], 7)) { + unsigned value; + int set; + + value = strtoul(argv[i]+7, NULL, 0); + set = prctl(PR_SET_KEEPCAPS, value); + if (set < 0) { + fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n", + value, strerror(errno)); + exit(1); + } + } else if (!memcmp("--chroot=", argv[i], 9)) { + int status; + cap_t orig, raised_for_chroot; + + orig = cap_get_proc(); + if (orig == NULL) { + perror("Capabilities not available"); + exit(1); + } + + raised_for_chroot = cap_dup(orig); + if (raised_for_chroot == NULL) { + perror("Unable to duplicate capabilities"); + exit(1); + } + + if (cap_set_flag(raised_for_chroot, CAP_EFFECTIVE, 1, raise_chroot, + CAP_SET) != 0) { + perror("unable to select CAP_SET_SYS_CHROOT"); + exit(1); + } + + if (cap_set_proc(raised_for_chroot) != 0) { + perror("unable to raise CAP_SYS_CHROOT"); + exit(1); + } + cap_free(raised_for_chroot); + + status = chroot(argv[i]+9); + if (cap_set_proc(orig) != 0) { + perror("unable to lower CAP_SYS_CHROOT"); + exit(1); + } + /* + * Given we are now in a new directory tree, its good practice + * to start off in a sane location + */ + status = chdir("/"); + + cap_free(orig); + + if (status != 0) { + fprintf(stderr, "Unable to chroot/chdir to [%s]", argv[i]+9); + exit(1); + } + } else if (!memcmp("--secbits=", argv[i], 10)) { + unsigned value; + int status; + + value = strtoul(argv[i]+10, NULL, 0); + status = prctl(PR_SET_SECUREBITS, value); + if (status < 0) { + fprintf(stderr, "failed to set securebits to 0%o/0x%x\n", + value, value); + exit(1); + } + } else if (!memcmp("--forkfor=", argv[i], 10)) { + unsigned value; + + value = strtoul(argv[i]+10, NULL, 0); + if (value == 0) { + goto usage; + } + child = fork(); + if (child < 0) { + perror("unable to fork()"); + } else if (!child) { + sleep(value); + exit(0); + } + } else if (!memcmp("--killit=", argv[i], 9)) { + int retval, status; + pid_t result; + unsigned value; + + value = strtoul(argv[i]+9, NULL, 0); + if (!child) { + fprintf(stderr, "no forked process to kill\n"); + exit(1); + } + retval = kill(child, value); + if (retval != 0) { + perror("Unable to kill child process"); + exit(1); + } + result = waitpid(child, &status, 0); + if (result != child) { + fprintf(stderr, "waitpid didn't match child: %u != %u\n", + child, result); + exit(1); + } + if (WTERMSIG(status) != value) { + fprintf(stderr, "child terminated with odd signal (%d != %d)\n" + , value, WTERMSIG(status)); + exit(1); + } + } else if (!memcmp("--uid=", argv[i], 6)) { + unsigned value; + int status; + + value = strtoul(argv[i]+6, NULL, 0); + status = setuid(value); + if (status < 0) { + fprintf(stderr, "Failed to set uid=%u: %s\n", + value, strerror(errno)); + exit(1); + } + } else if (!memcmp("--gid=", argv[i], 6)) { + unsigned value; + int status; + + value = strtoul(argv[i]+6, NULL, 0); + status = setgid(value); + if (status < 0) { + fprintf(stderr, "Failed to set gid=%u: %s\n", + value, strerror(errno)); + exit(1); + } + } else if (!memcmp("--groups=", argv[i], 9)) { + char *ptr, *buf; + long length, max_groups; + gid_t *group_list; + int g_count; + + length = sysconf(_SC_GETGR_R_SIZE_MAX); + buf = calloc(1, length); + if (NULL == buf) { + fprintf(stderr, "No memory for [%s] operation\n", argv[i]); + exit(1); + } + + max_groups = sysconf(_SC_NGROUPS_MAX); + group_list = calloc(max_groups, sizeof(gid_t)); + if (NULL == group_list) { + fprintf(stderr, "No memory for gid list\n"); + exit(1); + } + + g_count = 0; + for (ptr = argv[i] + 9; (ptr = strtok(ptr, ",")); + ptr = NULL, g_count++) { + if (max_groups <= g_count) { + fprintf(stderr, "Too many groups specified (%d)\n", g_count); + exit(1); + } + if (!isdigit(*ptr)) { + struct group *g, grp; + getgrnam_r(ptr, &grp, buf, length, &g); + if (NULL == g) { + fprintf(stderr, "Failed to identify gid for group [%s]\n", ptr); + exit(1); + } + group_list[g_count] = g->gr_gid; + } else { + group_list[g_count] = strtoul(ptr, NULL, 0); + } + } + free(buf); + if (setgroups(g_count, group_list) != 0) { + fprintf(stderr, "Failed to setgroups.\n"); + exit(1); + } + free(group_list); + } else if (!memcmp("--user=", argv[i], 7)) { + struct passwd *pwd; + const char *user; + gid_t groups[MAX_GROUPS]; + int status, ngroups; + + user = argv[i] + 7; + pwd = getpwnam(user); + if (pwd == NULL) { + fprintf(stderr, "User [%s] not known\n", user); + exit(1); + } + ngroups = MAX_GROUPS; + status = getgrouplist(user, pwd->pw_gid, groups, &ngroups); + if (status < 1) { + perror("Unable to get group list for user"); + exit(1); + } + status = setgroups(ngroups, groups); + if (status != 0) { + perror("Unable to set group list for user"); + exit(1); + } + status = setgid(pwd->pw_gid); + if (status < 0) { + fprintf(stderr, "Failed to set gid=%u(user=%s): %s\n", + pwd->pw_gid, user, strerror(errno)); + exit(1); + } + status = setuid(pwd->pw_uid); + if (status < 0) { + fprintf(stderr, "Failed to set uid=%u(user=%s): %s\n", + pwd->pw_uid, user, strerror(errno)); + exit(1); + } + } else if (!memcmp("--decode=", argv[i], 9)) { + unsigned long long value; + unsigned cap; + const char *sep = ""; + + /* Note, if capabilities become longer than 64-bits we'll need + to fixup the following code.. */ + value = strtoull(argv[i]+9, NULL, 16); + printf("0x%016llx=", value); + + for (cap=0; (cap < 64) && (value >> cap); ++cap) { + if (value & (1ULL << cap)) { + char *ptr; + + ptr = cap_to_name(cap); + if (ptr != NULL) { + printf("%s%s", sep, ptr); + cap_free(ptr); + } else { + printf("%s%u", sep, cap); + } + sep = ","; + } + } + printf("\n"); + } else if (!memcmp("--supports=", argv[i], 11)) { + cap_value_t cap; + + if (cap_from_name(argv[i] + 11, &cap) < 0) { + fprintf(stderr, "cap[%s] not recognized by library\n", + argv[i] + 11); + exit(1); + } + if (!CAP_IS_SUPPORTED(cap)) { + fprintf(stderr, "cap[%s=%d] not supported by kernel\n", + argv[i] + 11, cap); + exit(1); + } + } else if (!strcmp("--print", argv[i])) { + unsigned cap; + int set, status, j; + cap_t all; + char *text; + const char *sep; + struct group *g; + gid_t groups[MAX_GROUPS], gid; + uid_t uid; + struct passwd *u; + + all = cap_get_proc(); + text = cap_to_text(all, NULL); + printf("Current: %s\n", text); + cap_free(text); + cap_free(all); + + printf("Bounding set ="); + sep = ""; + for (cap=0; (set = cap_get_bound(cap)) >= 0; cap++) { + char *ptr; + if (!set) { + continue; + } + + ptr = cap_to_name(cap); + if (ptr == NULL) { + printf("%s%u", sep, cap); + } else { + printf("%s%s", sep, ptr); + cap_free(ptr); + } + sep = ","; + } + printf("\n"); + set = prctl(PR_GET_SECUREBITS); + if (set >= 0) { + const char *b; + b = binary(set); /* use verilog convention for binary string */ + printf("Securebits: 0%o/0x%x/%u'b%s\n", set, set, + (unsigned) strlen(b), b); + printf(" secure-noroot: %s (%s)\n", + (set & 1) ? "yes":"no", + (set & 2) ? "locked":"unlocked"); + printf(" secure-no-suid-fixup: %s (%s)\n", + (set & 4) ? "yes":"no", + (set & 8) ? "locked":"unlocked"); + printf(" secure-keep-caps: %s (%s)\n", + (set & 16) ? "yes":"no", + (set & 32) ? "locked":"unlocked"); + } else { + printf("[Securebits ABI not supported]\n"); + set = prctl(PR_GET_KEEPCAPS); + if (set >= 0) { + printf(" prctl-keep-caps: %s (locking not supported)\n", + set ? "yes":"no"); + } else { + printf("[Keepcaps ABI not supported]\n"); + } + } + uid = getuid(); + u = getpwuid(uid); + printf("uid=%u(%s)\n", getuid(), u ? u->pw_name : "???"); + gid = getgid(); + g = getgrgid(gid); + printf("gid=%u(%s)\n", gid, g ? g->gr_name : "???"); + printf("groups="); + status = getgroups(MAX_GROUPS, groups); + sep = ""; + for (j=0; j < status; j++) { + g = getgrgid(groups[j]); + printf("%s%u(%s)", sep, groups[j], g ? g->gr_name : "???"); + sep = ","; + } + printf("\n"); + } else if ((!strcmp("--", argv[i])) || (!strcmp("==", argv[i]))) { + argv[i] = strdup(argv[i][0] == '-' ? "/bin/bash" : argv[0]); + argv[argc] = NULL; + execve(argv[i], argv+i, envp); + fprintf(stderr, "execve /bin/bash failed!\n"); + exit(1); + } else { + usage: + printf("usage: %s [args ...]\n" + " --help this message (or try 'man capsh')\n" + " --print display capability relevant state\n" + " --decode=xxx decode a hex string to a list of caps\n" + " --supports=xxx exit 1 if capability xxx unsupported\n" + " --drop=xxx remove xxx,.. capabilities from bset\n" + " --caps=xxx set caps as per cap_from_text()\n" + " --inh=xxx set xxx,.. inheritiable set\n" + " --secbits=<n> write a new value for securebits\n" + " --keep=<n> set keep-capabability bit to <n>\n" + " --uid=<n> set uid to <n> (hint: id <username>)\n" + " --gid=<n> set gid to <n> (hint: id <username>)\n" + " --groups=g,... set the supplemental groups\n" + " --user=<name> set uid,gid and groups to that of user\n" + " --chroot=path chroot(2) to this path\n" + " --killit=<n> send signal(n) to child\n" + " --forkfor=<n> fork and make child sleep for <n> sec\n" + " == re-exec(capsh) with args as for --\n" + " -- remaing arguments are for /bin/bash\n" + " (without -- [%s] will simply exit(0))\n", + argv[0], argv[0]); + + exit(strcmp("--help", argv[i]) != 0); + } + } + + exit(0); +} diff --git a/libcap/libcap-2.24/progs/capsh.o b/libcap/libcap-2.24/progs/capsh.o Binary files differ diff --git a/libcap/libcap-2.24/progs/getcap.c b/libcap/libcap-2.24/progs/getcap.c @@ -0,0 +1,108 @@ +/* + * Copyright (c) 1997,2007 Andrew G. Morgan <morgan@kernel.org> + * + * This displays the capabilities of a given file. + */ + +#define _XOPEN_SOURCE 500 + +#include <errno.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <unistd.h> +#include <dirent.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/capability.h> + +#include <ftw.h> + +static int verbose = 0; +static int recursive = 0; + +static void usage(void) +{ + fprintf(stderr, + "usage: getcap [-v] [-r] [-h] <filename> [<filename> ...]\n" + "\n" + "\tdisplays the capabilities on the queried file(s).\n" + ); + exit(1); +} + +static int do_getcap(const char *fname, const struct stat *stbuf, + int tflag, struct FTW* ftwbuf) +{ + cap_t cap_d; + char *result; + + if (tflag != FTW_F) { + if (verbose) { + printf("%s (Not a regular file)\n", fname); + } + return 0; + } + + cap_d = cap_get_file(fname); + if (cap_d == NULL) { + if (errno != ENODATA) { + fprintf(stderr, "Failed to get capabilities of file `%s' (%s)\n", + fname, strerror(errno)); + } else if (verbose) { + printf("%s\n", fname); + } + return 0; + } + + result = cap_to_text(cap_d, NULL); + if (!result) { + fprintf(stderr, + "Failed to get capabilities of human readable format at `%s' (%s)\n", + fname, strerror(errno)); + cap_free(cap_d); + return 0; + } + printf("%s %s\n", fname, result); + cap_free(cap_d); + cap_free(result); + + return 0; +} + +int main(int argc, char **argv) +{ + int i, c; + + while ((c = getopt(argc, argv, "rvh")) > 0) { + switch(c) { + case 'r': + recursive = 1; + break; + case 'v': + verbose = 1; + break; + default: + usage(); + } + } + + if (!argv[optind]) + usage(); + + for (i=optind; argv[i] != NULL; i++) { + struct stat stbuf; + + if (lstat(argv[i], &stbuf) != 0) { + fprintf(stderr, "%s (%s)\n", argv[i], strerror(errno)); + } else if (recursive) { + nftw(argv[i], do_getcap, 20, FTW_PHYS); + } else { + int tflag = S_ISREG(stbuf.st_mode) ? FTW_F : + (S_ISLNK(stbuf.st_mode) ? FTW_SL : FTW_NS); + do_getcap(argv[i], &stbuf, tflag, 0); + } + } + + return 0; +} diff --git a/libcap/libcap-2.24/progs/getcap.o b/libcap/libcap-2.24/progs/getcap.o Binary files differ diff --git a/libcap/libcap-2.24/progs/getpcaps.c b/libcap/libcap-2.24/progs/getpcaps.c @@ -0,0 +1,56 @@ +/* + * Copyright (c) 1997,2008 Andrew G. Morgan <morgan@kernel.org> + * + * This displays the capabilities of given target process(es). + */ + +#include <sys/types.h> +#include <errno.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <sys/capability.h> + +static void usage(void) +{ + fprintf(stderr, +"usage: getcaps <pid> [<pid> ...]\n\n" +" This program displays the capabilities on the queried process(es).\n" +" The capabilities are displayed in the cap_from_text(3) format.\n\n" +"[Copyright (c) 1997-8,2007 Andrew G. Morgan <morgan@kernel.org>]\n" + ); + exit(1); +} + +int main(int argc, char **argv) +{ + int retval = 0; + + if (argc < 2) { + usage(); + } + + for ( ++argv; --argc > 0; ++argv ) { + ssize_t length; + int pid; + cap_t cap_d; + + pid = atoi(argv[0]); + + cap_d = cap_get_pid(pid); + if (cap_d == NULL) { + fprintf(stderr, "Failed to get cap's for proccess %d:" + " (%s)\n", pid, strerror(errno)); + retval = 1; + continue; + } else { + char *result = cap_to_text(cap_d, &length); + fprintf(stderr, "Capabilities for `%s': %s\n", *argv, result); + cap_free(result); + result = NULL; + cap_free(cap_d); + } + } + + return retval; +} diff --git a/libcap/libcap-2.24/progs/getpcaps.o b/libcap/libcap-2.24/progs/getpcaps.o Binary files differ diff --git a/libcap/libcap-2.24/progs/old/README b/libcap/libcap-2.24/progs/old/README @@ -0,0 +1 @@ +these files are not relevant to this release diff --git a/libcap/libcap-2.24/progs/old/execcap.c b/libcap/libcap-2.24/progs/old/execcap.c @@ -0,0 +1,68 @@ +/* + * This was written by Andrew G. Morgan <morgan@kernel.org> + * + * This is a program that is intended to exec a subsequent program. + * The purpose of this 'execcap' wrapper is to limit the inheritable + * capabilities of the exec()'d program. All environment variables + * are inherited. + */ + +#include <sys/types.h> +#include <errno.h> +#include <stdio.h> +#include <sys/capability.h> +#include <unistd.h> +#include <string.h> +#include <stdlib.h> + +static void usage(void) +{ + fprintf(stderr, +"usage: execcap <caps> <command-path> [command-args...]\n\n" +" This program is a wrapper that can be used to limit the Inheritable\n" +" capabilities of a program to be executed. Note, this wrapper is\n" +" intended to assist in overcoming a lack of support for filesystem\n" +" capability attributes and should be used to launch other files.\n" +" This program should _NOT_ be made setuid-0.\n\n" +"[Copyright (c) 1998 Andrew G. Morgan <morgan@kernel.org>]\n"); + + exit(1); +} + +int main(int argc, char **argv) +{ + cap_t new_caps; + + /* this program should not be made setuid-0 */ + if (getuid() && !geteuid()) { + usage(); + } + + /* check that we have at least 2 arguments */ + if (argc < 3) { + usage(); + } + + /* parse the first argument to obtain a set of capabilities */ + new_caps = cap_from_text(argv[1]); + if (new_caps == NULL) { + fprintf(stderr, "requested capabilities were not recognized\n"); + usage(); + } + + /* set these capabilities for the current process */ + if (cap_set_proc(new_caps) != 0) { + fprintf(stderr, "unable to set capabilities: %s\n", strerror(errno)); + usage(); + } + + /* exec the program indicated by args 2 ... */ + execvp(argv[2], argv+2); + + /* if we fall through to here, our exec failed -- announce the fact */ + fprintf(stderr, "Unable to execute command: %s\n", strerror(errno)); + + usage(); + + return 0; +} diff --git a/libcap/libcap-2.24/progs/old/setpcaps.c b/libcap/libcap-2.24/progs/old/setpcaps.c @@ -0,0 +1,124 @@ +/* + * Copyright (c) 1997-8 Andrew G. Morgan <morgan@kernel.org> + * + * This sets the capabilities of a given process. + */ + +#include <sys/types.h> +#include <errno.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#undef _POSIX_SOURCE +#include <sys/capability.h> +#include <unistd.h> + +static void usage(void) +{ + fprintf(stderr, +"usage: setcap [-q] (-|<caps>) <pid> [ ... (-|<capsN>) <pid> ]\n\n" +" This program can be used to set the process capabilities of running\n" +" processes. In order to work, it needs to be executing with CAP_SETPCAP\n" +" raised, and the only capabilities that this program can bestow on others\n" +" are a subset of its effective set. This program is mostly intended as an\n" +" example -- a safe use of CAP_SETPCAP has yet to be demonstrated!\n\n" +"[Copyright (c) 1997-8 Andrew G. Morgan <morgan@kernel.org>]\n" + ); + exit(1); +} + +#define MAXCAP 2048 + +static int read_caps(int quiet, const char *filename, char *buffer) +{ + int i=MAXCAP; + + if (!quiet) { + fprintf(stderr, "Please enter caps for file [empty line to end]:\n"); + } + while (i > 0) { + int j = read(STDIN_FILENO, buffer, i); + + if (j < 0) { + fprintf(stderr, "\n[Error - aborting]\n"); + exit(1); + } + + if (j==0 || buffer[0] == '\n') { + /* we're done */ + break; + } + + /* move on... */ + + i -= j; + buffer += j; + } + + /* <NUL> terminate */ + buffer[0] = '\0'; + + return (i < MAXCAP ? 0:-1); +} + +int main(int argc, char **argv) +{ + char buffer[MAXCAP+1]; + int retval, quiet=0; + cap_t cap_d; + + if (argc < 3) { + usage(); + } + + while (--argc > 0) { + const char *text; + pid_t pid; + + if (!strcmp(*++argv,"-q")) { + quiet = 1; + continue; + } + if (!strcmp(*argv,"-")) { + retval = read_caps(quiet, *argv, buffer); + if (retval) + usage(); + text = buffer; + } else + text = *argv; + + cap_d = cap_from_text(text); + if (cap_d == NULL) { + perror("fatal error"); + usage(); + } +#ifndef DEBUG + { + ssize_t length; + char *result; + + result = cap_to_text(cap_d, &length); + fprintf(stderr, "[caps set to:\n%s\n]\n", result); + cap_free(result); + result = NULL; + } +#endif + + if (--argc <= 0) + usage(); + + pid = atoi(*++argv); + retval = capsetp(pid, cap_d); + + if (retval != 0) { + fprintf(stderr, "Failed to set cap's on process `%d': (%s)\n", + pid, strerror(errno)); + usage(); + } +#ifndef DEBUG + fprintf(stderr, "[caps set on %d]\n", pid); +#endif + } + + return 0; +} diff --git a/libcap/libcap-2.24/progs/old/sucap.c b/libcap/libcap-2.24/progs/old/sucap.c @@ -0,0 +1,199 @@ +/* + * $Id: sucap.c,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $ + * + * This was written by Finn Arne Gangstad <finnag@guardian.no> + * + * This is a program that is intended to exec a subsequent program. + * The purpose of this 'sucap' wrapper is to change uid but keep all + * privileges. All environment variables are inherited. + */ + +#include <sys/types.h> +#include <errno.h> +#include <stdio.h> +#undef _POSIX_SOURCE +#include <sys/capability.h> +#include <pwd.h> +#define __USE_BSD +#include <grp.h> +#include <unistd.h> +#include <sys/wait.h> +#include <errno.h> +#include <string.h> +#include <stdlib.h> + +static void usage(void) +{ + fprintf(stderr, +"usage: sucap <user> <group> <command-path> [command-args...]\n\n" +" This program is a wrapper that change UID but not privileges of a\n" +" program to be executed.\n" +" Note, this wrapper is intended to assist in overcoming a lack of support\n" +" for filesystem capability attributes and should be used to launch other\n" +" files. This program should _NOT_ be made setuid-0.\n\n" +"[Copyright (c) 1998 Finn Arne Gangstad <finnag@guardian.no>]\n"); + + exit(1); +} + + +static void +wait_on_fd(int fd) +{ + /* Wait until some data is available on a file descriptor, or until + * end of file or an error is detected */ + char buf[1]; + while (read(fd, buf, sizeof(buf)) == -1 && errno == EINTR) { + /* empty loop */ + } +} + + +int main(int argc, char **argv) +{ + cap_t old_caps; + uid_t uid; + pid_t pid, parent_pid; + gid_t gid; + int pipe_fds[2]; + + /* this program should not be made setuid-0 */ + if (getuid() && !geteuid()) { + usage(); + } + + /* check that we have at least 3 arguments */ + if (argc < 4) { + usage(); + } + + /* Convert username to uid */ + { + struct passwd *pw = getpwnam(argv[1]); + if (!pw) { + fprintf(stderr, "sucap: No such user: %s\n", argv[1]); + exit(1); + } + uid = pw->pw_uid; + } + + /* Convert groupname to gid */ + { + struct group *gr = getgrnam(argv[2]); + if (!gr) { + fprintf(stderr, "sucap: No such group: %s\n", argv[2]); + exit(1); + } + gid = gr->gr_gid; + } + + /* set process group to current pid */ + if (setpgid(0, getpid())) { + perror("sucap: Failed to set process group"); + exit(1); + } + + if (pipe(pipe_fds)) { + perror("sucap: pipe() failed"); + exit(1); + } + + parent_pid = getpid(); + + old_caps = cap_init(); + if (capgetp(0, old_caps)) { + perror("sucap: capgetp"); + exit(1); + } + + { + ssize_t x; + printf("Caps: %s\n", cap_to_text(old_caps, &x)); + } + + + /* fork off a child to do the hard work */ + fflush(NULL); + pid = fork(); + if (pid == -1) { + perror("sucap: fork failed"); + exit(1); + } + + /* 1. mother process sets gid and uid + * 2. child process sets capabilities of mother process + * 3. mother process execs whatever is to be executed + */ + + if (pid) { + /* Mother process. */ + close(pipe_fds[0]); + + /* Get rid of any supplemental groups */ + if (!getuid() && setgroups(0, 0)) { + perror("sucap: setgroups failed"); + exit(1); + } + + /* Set gid and uid (this probably clears capabilities) */ + setregid(gid, gid); + setreuid(uid, uid); + + { + ssize_t x; + cap_t cap = cap_init(); + capgetp(0, cap); + printf("Caps: %s\n", cap_to_text(cap, &x)); + } + + printf("[debug] uid:%d, real uid:%d\n", geteuid(), getuid()); + + /* Signal child that we want our privileges updated */ + close(pipe_fds[1]); /* Child hangs in blocking read */ + + /* Wait for child process to set our privileges */ + { + int status = 0; + if (wait(&status) == -1) { + perror("sucap: wait failed"); + } + if (!WIFEXITED(status) || WEXITSTATUS(status)) { + fprintf(stderr, "sucap: child did not exit cleanly.\n"); + exit(1); + } + } + + { + ssize_t x; + cap_t cap = cap_init(); + capgetp(0, cap); + printf("Caps: %s\n", cap_to_text(cap, &x)); + } + +/* printf("[debug] uid:%d, real uid:%d\n", geteuid(), getuid()); */ + /* exec the program indicated by args 2 ... */ + execvp(argv[3], argv+3); + + /* if we fall through to here, our exec failed -- announce the fact */ + fprintf(stderr, "Unable to execute command: %s\n", strerror(errno)); + + usage(); + } else { + /* Child process */ + close(pipe_fds[1]); + + /* Wait for mother process to setuid */ + wait_on_fd(pipe_fds[0]); + + /* Set privileges on mother process */ + if (capsetp(parent_pid, old_caps)) { + perror("sucaps: capsetp"); + _exit(1); + } + + /* exit to signal mother process that we are ready */ + _exit(0); + } + + return 0; +} diff --git a/libcap/libcap-2.24/progs/quicktest.sh b/libcap/libcap-2.24/progs/quicktest.sh @@ -0,0 +1,148 @@ +#!/bin/bash +# +# Run through a series of tests to try out the various capability +# manipulations posible through exec. +# +# [Run this as root in a root-enabled process tree.] + +try_capsh () { + echo "TEST: ./capsh $*" + ./capsh "$@" + if [ $? -ne 0 ]; then + echo FAILED + return 1 + else + echo PASSED + return 0 + fi +} + +fail_capsh () { + echo -n "EXPECT FAILURE: " + try_capsh "$@" + if [ $? -eq 1 ]; then + echo "[WHICH MEANS A PASS!]" + return 0 + else + echo "Undesired result - aborting" + echo "PROBLEM TEST: $*" + exit 1 + fi +} + +pass_capsh () { + echo -n "EXPECT SUCCESS: " + try_capsh "$@" + if [ $? -eq 0 ]; then + return 0 + else + echo "Undesired result - aborting" + echo "PROBLEM TEST: $*" + exit 1 + fi +} + +pass_capsh --print + + +# Make a local non-setuid-0 version of capsh and call it privileged +cp ./capsh ./privileged && chmod -s ./privileged +if [ $? -ne 0 ]; then + echo "Failed to copy capsh for capability manipulation" + exit 1 +fi + +# Give it the forced capability it could need +./setcap all=ep ./privileged +if [ $? -ne 0 ]; then + echo "Failed to set all capabilities on file" + exit 1 +fi +./setcap cap_setuid,cap_setgid=ep ./privileged +if [ $? -ne 0 ]; then + echo "Failed to set limited capabilities on privileged file" + exit 1 +fi + +# Explore keep_caps support +pass_capsh --keep=0 --keep=1 --keep=0 --keep=1 --print + +rm -f tcapsh +cp capsh tcapsh +chown root.root tcapsh +chmod u+s tcapsh +ls -l tcapsh + +# leverage keep caps maintain capabilities accross a change of uid +# from setuid root to capable luser (as per wireshark/dumpcap 0.99.7) +pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=500 --caps=\"cap_net_raw,cap_net_admin=pie\" --print" + +# This fails, on 2.6.24, but shouldn't +pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=500 --forkfor=10 --caps= --print --killit=9 --print" + +# only continue with these if --secbits is supported +./capsh --secbits=0x2f > /dev/null 2>&1 +if [ $? -ne 0 ]; then + echo "unable to test securebits manipulation - assume not supported (PASS)" + rm -f tcapsh + rm -f privileged + exit 0 +fi + +pass_capsh --secbits=42 --print +fail_capsh --secbits=32 --keep=1 --keep=0 --print +pass_capsh --secbits=10 --keep=0 --keep=1 --print +fail_capsh --secbits=47 -- -c "./tcapsh --user=nobody" + +rm -f tcapsh + +# Suppress uid=0 privilege +fail_capsh --secbits=47 --print -- -c "./capsh --user=nobody" + +# suppress uid=0 privilege and test this privileged +pass_capsh --secbits=0x2f --print -- -c "./privileged --user=nobody" + +# observe that the bounding set can be used to suppress this forced capability +fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --user=nobody" + +# change the way the capability is obtained (make it inheritable) +./setcap cap_setuid,cap_setgid=ei ./privileged + +# Note, the bounding set (edited with --drop) only limits p +# capabilities, not i's. +pass_capsh --secbits=47 --inh=cap_setuid,cap_setgid --drop=cap_setuid \ + --uid=500 --print -- -c "./privileged --user=nobody" + +rm -f ./privileged + +# test that we do not support capabilities on setuid shell-scripts +cat > hack.sh <<EOF +#!/bin/bash +mypid=\$\$ +caps=\$(./getpcaps \$mypid 2>&1 | cut -d: -f2) +if [ "\$caps" != " =" ]; then + echo "Shell script got [\$caps] - you should upgrade your kernel" + exit 1 +else + ls -l \$0 + echo "Good, no capabilities [\$caps] for this setuid-0 shell script" +fi +exit 0 +EOF +chmod +xs hack.sh +./capsh --uid=500 --inh=none --print -- ./hack.sh +status=$? +rm -f ./hack.sh +if [ $status -ne 0 ]; then + echo "shell scripts can have capabilities (bug)" + exit 1 +fi + +# Max lockdown +pass_capsh --keep=1 --user=nobody --caps=cap_setpcap=ep \ + --drop=all --secbits=0x2f --caps= --print + +# Verify we can chroot +pass_capsh --chroot=$(/bin/pwd) +pass_capsh --chroot=$(/bin/pwd) == +fail_capsh --chroot=$(/bin/pwd) -- -c "echo oops" diff --git a/libcap/libcap-2.24/progs/setcap.c b/libcap/libcap-2.24/progs/setcap.c @@ -0,0 +1,208 @@ +/* + * Copyright (c) 1997,2007-8 Andrew G. Morgan <morgan@kernel.org> + * + * This sets/verifies the capabilities of a given file. + */ + +#include <errno.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <sys/capability.h> +#include <unistd.h> + +static void usage(void) +{ + fprintf(stderr, + "usage: setcap [-q] [-v] (-r|-|<caps>) <filename> " + "[ ... (-r|-|<capsN>) <filenameN> ]\n" + "\n" + " Note <filename> must be a regular (non-symlink) file.\n" + ); + exit(1); +} + +#define MAXCAP 2048 + +static int read_caps(int quiet, const char *filename, char *buffer) +{ + int i = MAXCAP; + + if (!quiet) { + fprintf(stderr, "Please enter caps for file [empty line to end]:\n"); + } + while (i > 0) { + int j = read(STDIN_FILENO, buffer, i); + + if (j < 0) { + fprintf(stderr, "\n[Error - aborting]\n"); + exit(1); + } + + if (j==0 || buffer[0] == '\n') { + /* we're done */ + break; + } + + /* move on... */ + + i -= j; + buffer += j; + } + + /* <NUL> terminate */ + buffer[0] = '\0'; + + return (i < MAXCAP ? 0:-1); +} + +int main(int argc, char **argv) +{ + int tried_to_cap_setfcap = 0; + char buffer[MAXCAP+1]; + int retval, quiet=0, verify=0; + cap_t mycaps; + cap_value_t capflag; + + if (argc < 3) { + usage(); + } + + mycaps = cap_get_proc(); + if (mycaps == NULL) { + fprintf(stderr, "warning - unable to get process capabilities" + " (old libcap?)\n"); + } + + while (--argc > 0) { + const char *text; + cap_t cap_d; + + if (!strcmp(*++argv, "-q")) { + quiet = 1; + continue; + } + if (!strcmp(*argv, "-v")) { + verify = 1; + continue; + } + + if (!strcmp(*argv, "-r")) { + cap_d = NULL; + } else { + if (!strcmp(*argv,"-")) { + retval = read_caps(quiet, *argv, buffer); + if (retval) + usage(); + text = buffer; + } else { + text = *argv; + } + + cap_d = cap_from_text(text); + if (cap_d == NULL) { + perror("fatal error"); + usage(); + } +#ifdef DEBUG + { + ssize_t length; + const char *result; + + result = cap_to_text(cap_d, &length); + fprintf(stderr, "caps set to: [%s]\n", result); + } +#endif + } + + if (--argc <= 0) + usage(); + /* + * Set the filesystem capability for this file. + */ + if (verify) { + cap_t cap_on_file; + int cmp; + + if (cap_d == NULL) { + cap_d = cap_from_text("="); + } + + cap_on_file = cap_get_file(*++argv); + + if (cap_on_file == NULL) { + cap_on_file = cap_from_text("="); + } + + cmp = cap_compare(cap_on_file, cap_d); + cap_free(cap_on_file); + + if (cmp != 0) { + if (!quiet) { + printf("%s differs in [%s%s%s]\n", *argv, + CAP_DIFFERS(cmp, CAP_PERMITTED) ? "p" : "", + CAP_DIFFERS(cmp, CAP_INHERITABLE) ? "i" : "", + CAP_DIFFERS(cmp, CAP_EFFECTIVE) ? "e" : ""); + } + exit(1); + } + if (!quiet) { + printf("%s: OK\n", *argv); + } + } else { + if (!tried_to_cap_setfcap) { + capflag = CAP_SETFCAP; + + /* + * Raise the effective CAP_SETFCAP. + */ + if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET) + != 0) { + perror("unable to manipulate CAP_SETFCAP - " + "try a newer libcap?"); + exit(1); + } + if (cap_set_proc(mycaps) != 0) { + perror("unable to set CAP_SETFCAP effective capability"); + exit(1); + } + tried_to_cap_setfcap = 1; + } + retval = cap_set_file(*++argv, cap_d); + if (retval != 0) { + int explained = 0; +#ifdef linux + cap_value_t cap; + cap_flag_value_t per_state; + + for (cap = 0; + cap_get_flag(cap_d, cap, CAP_PERMITTED, &per_state) != -1; + cap++) { + cap_flag_value_t inh_state, eff_state; + + cap_get_flag(cap_d, cap, CAP_INHERITABLE, &inh_state); + cap_get_flag(cap_d, cap, CAP_EFFECTIVE, &eff_state); + if ((inh_state | per_state) != eff_state) { + fprintf(stderr, "NOTE: Under Linux, effective file capabilities must either be empty, or\n" + " exactly match the union of selected permitted and inheritable bits.\n"); + explained = 1; + break; + } + } +#endif /* def linux */ + + fprintf(stderr, + "Failed to set capabilities on file `%s' (%s)\n", + argv[0], strerror(errno)); + if (!explained) { + usage(); + } + } + } + if (cap_d) { + cap_free(cap_d); + } + } + + exit(0); +} diff --git a/libcap/libcap-2.24/progs/setcap.o b/libcap/libcap-2.24/progs/setcap.o Binary files differ diff --git a/libcap/libcap-2.24/template.c b/libcap/libcap-2.24/template.c @@ -0,0 +1,6 @@ +/* + * Copyright (c) 1997 <Author> <@> + * + * <Content> + */ + diff --git a/libcap/makeme b/libcap/makeme @@ -0,0 +1,15 @@ +name=libcap +version=2.24 +source=https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/$name-$version.tar.xz + +package() { + curl -# $source | tar xJ + cd $name-$version + + make + make RAISE_SETFCAP=no DESTDIR=$WORKDIR/$name prefix='' install + + rm $WORKDIR/$name/lib/libcap.so + rm $WORKDIR/$name/lib/libcap.so.* + rm -rf $WORKDIR/$name/lib/pkgconfig +}