libcap: update to 2.24.
This commit is contained in:
Juan RP
parent
882f5f70de
commit
1c19b3012f
2 changed files with 4 additions and 355 deletions
|
|
@ -1,350 +0,0 @@
|
|||
From c3290668646b767058e55b29f7b8f4be4af2e660 Mon Sep 17 00:00:00 2001
|
||||
From: Andrew G Morgan <morgan@kernel.org>
|
||||
Date: Thu, 02 Jan 2014 01:56:31 +0000
|
||||
Subject: Fix up the uapi/linux include scheme.
|
||||
|
||||
In adopting this uapi header file (without kernel internals), I previously
|
||||
messed up on the apparent location of the files. Thanks to Tom Gundersen for
|
||||
the clarification. Also, delete the non-uapi copies of things since they
|
||||
are no longer needed to build the library and tools.
|
||||
|
||||
Signed-off-by: Andrew G Morgan <morgan@kernel.org>
|
||||
---
|
||||
diff --git a/Make.Rules b/Make.Rules
|
||||
index 9ca6c89..5b58c59 100644
|
||||
--- Make.Rules
|
||||
+++ Make.Rules
|
||||
@@ -45,8 +45,8 @@ MINOR=23
|
||||
|
||||
# Compilation specifics
|
||||
|
||||
-KERNEL_HEADERS := $(topdir)/libcap/include
|
||||
-IPATH += -fPIC -I$(topdir)/libcap/include -I$(KERNEL_HEADERS)
|
||||
+KERNEL_HEADERS := $(topdir)/libcap/include/uapi
|
||||
+IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
|
||||
|
||||
CC := gcc
|
||||
CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
|
||||
diff --git a/libcap/include/linux/capability.h b/libcap/include/linux/capability.h
|
||||
deleted file mode 100644
|
||||
index a6ee1f9..0000000
|
||||
--- libcap/include/linux/capability.h
|
||||
+++ /dev/null
|
||||
@@ -1,219 +0,0 @@
|
||||
-/*
|
||||
- * This is <linux/capability.h>
|
||||
- *
|
||||
- * Andrew G. Morgan <morgan@kernel.org>
|
||||
- * Alexander Kjeldaas <astor@guardian.no>
|
||||
- * with help from Aleph1, Roland Buresund and Andrew Main.
|
||||
- *
|
||||
- * See here for the libcap library ("POSIX draft" compliance):
|
||||
- *
|
||||
- * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
|
||||
- */
|
||||
-#ifndef _LINUX_CAPABILITY_H
|
||||
-#define _LINUX_CAPABILITY_H
|
||||
-
|
||||
-#include <uapi/linux/capability.h>
|
||||
-
|
||||
-
|
||||
-#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
|
||||
-#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
|
||||
-
|
||||
-extern int file_caps_enabled;
|
||||
-
|
||||
-typedef struct kernel_cap_struct {
|
||||
- __u32 cap[_KERNEL_CAPABILITY_U32S];
|
||||
-} kernel_cap_t;
|
||||
-
|
||||
-/* exact same as vfs_cap_data but in cpu endian and always filled completely */
|
||||
-struct cpu_vfs_cap_data {
|
||||
- __u32 magic_etc;
|
||||
- kernel_cap_t permitted;
|
||||
- kernel_cap_t inheritable;
|
||||
-};
|
||||
-
|
||||
-#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
|
||||
-#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
|
||||
-
|
||||
-
|
||||
-struct file;
|
||||
-struct inode;
|
||||
-struct dentry;
|
||||
-struct user_namespace;
|
||||
-
|
||||
-struct user_namespace *current_user_ns(void);
|
||||
-
|
||||
-extern const kernel_cap_t __cap_empty_set;
|
||||
-extern const kernel_cap_t __cap_init_eff_set;
|
||||
-
|
||||
-/*
|
||||
- * Internal kernel functions only
|
||||
- */
|
||||
-
|
||||
-#define CAP_FOR_EACH_U32(__capi) \
|
||||
- for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
|
||||
-
|
||||
-/*
|
||||
- * CAP_FS_MASK and CAP_NFSD_MASKS:
|
||||
- *
|
||||
- * The fs mask is all the privileges that fsuid==0 historically meant.
|
||||
- * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
|
||||
- *
|
||||
- * It has never meant setting security.* and trusted.* xattrs.
|
||||
- *
|
||||
- * We could also define fsmask as follows:
|
||||
- * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
|
||||
- * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
|
||||
- */
|
||||
-
|
||||
-# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
|
||||
- | CAP_TO_MASK(CAP_MKNOD) \
|
||||
- | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
|
||||
- | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
|
||||
- | CAP_TO_MASK(CAP_FOWNER) \
|
||||
- | CAP_TO_MASK(CAP_FSETID))
|
||||
-
|
||||
-# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
|
||||
-
|
||||
-#if _KERNEL_CAPABILITY_U32S != 2
|
||||
-# error Fix up hand-coded capability macro initializers
|
||||
-#else /* HAND-CODED capability initializers */
|
||||
-
|
||||
-# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
|
||||
-# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
|
||||
-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
|
||||
- | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
|
||||
- CAP_FS_MASK_B1 } })
|
||||
-# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
|
||||
- | CAP_TO_MASK(CAP_SYS_RESOURCE), \
|
||||
- CAP_FS_MASK_B1 } })
|
||||
-
|
||||
-#endif /* _KERNEL_CAPABILITY_U32S != 2 */
|
||||
-
|
||||
-# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
|
||||
-
|
||||
-#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
|
||||
-#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
|
||||
-#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
|
||||
-
|
||||
-#define CAP_BOP_ALL(c, a, b, OP) \
|
||||
-do { \
|
||||
- unsigned __capi; \
|
||||
- CAP_FOR_EACH_U32(__capi) { \
|
||||
- c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
|
||||
- } \
|
||||
-} while (0)
|
||||
-
|
||||
-#define CAP_UOP_ALL(c, a, OP) \
|
||||
-do { \
|
||||
- unsigned __capi; \
|
||||
- CAP_FOR_EACH_U32(__capi) { \
|
||||
- c.cap[__capi] = OP a.cap[__capi]; \
|
||||
- } \
|
||||
-} while (0)
|
||||
-
|
||||
-static inline kernel_cap_t cap_combine(const kernel_cap_t a,
|
||||
- const kernel_cap_t b)
|
||||
-{
|
||||
- kernel_cap_t dest;
|
||||
- CAP_BOP_ALL(dest, a, b, |);
|
||||
- return dest;
|
||||
-}
|
||||
-
|
||||
-static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
|
||||
- const kernel_cap_t b)
|
||||
-{
|
||||
- kernel_cap_t dest;
|
||||
- CAP_BOP_ALL(dest, a, b, &);
|
||||
- return dest;
|
||||
-}
|
||||
-
|
||||
-static inline kernel_cap_t cap_drop(const kernel_cap_t a,
|
||||
- const kernel_cap_t drop)
|
||||
-{
|
||||
- kernel_cap_t dest;
|
||||
- CAP_BOP_ALL(dest, a, drop, &~);
|
||||
- return dest;
|
||||
-}
|
||||
-
|
||||
-static inline kernel_cap_t cap_invert(const kernel_cap_t c)
|
||||
-{
|
||||
- kernel_cap_t dest;
|
||||
- CAP_UOP_ALL(dest, c, ~);
|
||||
- return dest;
|
||||
-}
|
||||
-
|
||||
-static inline int cap_isclear(const kernel_cap_t a)
|
||||
-{
|
||||
- unsigned __capi;
|
||||
- CAP_FOR_EACH_U32(__capi) {
|
||||
- if (a.cap[__capi] != 0)
|
||||
- return 0;
|
||||
- }
|
||||
- return 1;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * Check if "a" is a subset of "set".
|
||||
- * return 1 if ALL of the capabilities in "a" are also in "set"
|
||||
- * cap_issubset(0101, 1111) will return 1
|
||||
- * return 0 if ANY of the capabilities in "a" are not in "set"
|
||||
- * cap_issubset(1111, 0101) will return 0
|
||||
- */
|
||||
-static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
|
||||
-{
|
||||
- kernel_cap_t dest;
|
||||
- dest = cap_drop(a, set);
|
||||
- return cap_isclear(dest);
|
||||
-}
|
||||
-
|
||||
-/* Used to decide between falling back on the old suser() or fsuser(). */
|
||||
-
|
||||
-static inline int cap_is_fs_cap(int cap)
|
||||
-{
|
||||
- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
||||
- return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
|
||||
-}
|
||||
-
|
||||
-static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
|
||||
-{
|
||||
- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
||||
- return cap_drop(a, __cap_fs_set);
|
||||
-}
|
||||
-
|
||||
-static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
|
||||
- const kernel_cap_t permitted)
|
||||
-{
|
||||
- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
||||
- return cap_combine(a,
|
||||
- cap_intersect(permitted, __cap_fs_set));
|
||||
-}
|
||||
-
|
||||
-static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
|
||||
-{
|
||||
- const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
|
||||
- return cap_drop(a, __cap_fs_set);
|
||||
-}
|
||||
-
|
||||
-static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
|
||||
- const kernel_cap_t permitted)
|
||||
-{
|
||||
- const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
|
||||
- return cap_combine(a,
|
||||
- cap_intersect(permitted, __cap_nfsd_set));
|
||||
-}
|
||||
-
|
||||
-extern bool has_capability(struct task_struct *t, int cap);
|
||||
-extern bool has_ns_capability(struct task_struct *t,
|
||||
- struct user_namespace *ns, int cap);
|
||||
-extern bool has_capability_noaudit(struct task_struct *t, int cap);
|
||||
-extern bool has_ns_capability_noaudit(struct task_struct *t,
|
||||
- struct user_namespace *ns, int cap);
|
||||
-extern bool capable(int cap);
|
||||
-extern bool ns_capable(struct user_namespace *ns, int cap);
|
||||
-extern bool inode_capable(const struct inode *inode, int cap);
|
||||
-extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
|
||||
-
|
||||
-/* audit system wants to get cap info from files as well */
|
||||
-extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
|
||||
-
|
||||
-#endif /* !_LINUX_CAPABILITY_H */
|
||||
diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
|
||||
index 56fc7fd..64ac50e 100644
|
||||
--- libcap/include/sys/capability.h
|
||||
+++ libcap/include/sys/capability.h
|
||||
@@ -26,7 +26,7 @@ extern "C" {
|
||||
#ifndef __user
|
||||
#define __user
|
||||
#endif
|
||||
-#include <uapi/linux/capability.h>
|
||||
+#include <linux/capability.h>
|
||||
#include <linux/xattr.h>
|
||||
|
||||
/*
|
||||
diff --git a/libcap/include/linux/prctl.h b/libcap/include/uapi/linux/prctl.h
|
||||
index a3baeb2..289760f 100644
|
||||
--- libcap/include/linux/prctl.h
|
||||
+++ libcap/include/uapi/linux/prctl.h
|
||||
@@ -102,4 +102,51 @@
|
||||
|
||||
#define PR_MCE_KILL_GET 34
|
||||
|
||||
+/*
|
||||
+ * Tune up process memory map specifics.
|
||||
+ */
|
||||
+#define PR_SET_MM 35
|
||||
+# define PR_SET_MM_START_CODE 1
|
||||
+# define PR_SET_MM_END_CODE 2
|
||||
+# define PR_SET_MM_START_DATA 3
|
||||
+# define PR_SET_MM_END_DATA 4
|
||||
+# define PR_SET_MM_START_STACK 5
|
||||
+# define PR_SET_MM_START_BRK 6
|
||||
+# define PR_SET_MM_BRK 7
|
||||
+# define PR_SET_MM_ARG_START 8
|
||||
+# define PR_SET_MM_ARG_END 9
|
||||
+# define PR_SET_MM_ENV_START 10
|
||||
+# define PR_SET_MM_ENV_END 11
|
||||
+# define PR_SET_MM_AUXV 12
|
||||
+# define PR_SET_MM_EXE_FILE 13
|
||||
+
|
||||
+/*
|
||||
+ * Set specific pid that is allowed to ptrace the current task.
|
||||
+ * A value of 0 mean "no process".
|
||||
+ */
|
||||
+#define PR_SET_PTRACER 0x59616d61
|
||||
+# define PR_SET_PTRACER_ANY ((unsigned long)-1)
|
||||
+
|
||||
+#define PR_SET_CHILD_SUBREAPER 36
|
||||
+#define PR_GET_CHILD_SUBREAPER 37
|
||||
+
|
||||
+/*
|
||||
+ * If no_new_privs is set, then operations that grant new privileges (i.e.
|
||||
+ * execve) will either fail or not grant them. This affects suid/sgid,
|
||||
+ * file capabilities, and LSMs.
|
||||
+ *
|
||||
+ * Operations that merely manipulate or drop existing privileges (setresuid,
|
||||
+ * capset, etc.) will still work. Drop those privileges if you want them gone.
|
||||
+ *
|
||||
+ * Changing LSM security domain is considered a new privilege. So, for example,
|
||||
+ * asking selinux for a specific new context (e.g. with runcon) will result
|
||||
+ * in execve returning -EPERM.
|
||||
+ *
|
||||
+ * See Documentation/prctl/no_new_privs.txt for more details.
|
||||
+ */
|
||||
+#define PR_SET_NO_NEW_PRIVS 38
|
||||
+#define PR_GET_NO_NEW_PRIVS 39
|
||||
+
|
||||
+#define PR_GET_TID_ADDRESS 40
|
||||
+
|
||||
#endif /* _LINUX_PRCTL_H */
|
||||
diff --git a/libcap/include/linux/securebits.h b/libcap/include/uapi/linux/securebits.h
|
||||
index 3340617..985aac9 100644
|
||||
--- libcap/include/linux/securebits.h
|
||||
+++ libcap/include/uapi/linux/securebits.h
|
||||
@@ -1,14 +1,11 @@
|
||||
-#ifndef _LINUX_SECUREBITS_H
|
||||
-#define _LINUX_SECUREBITS_H 1
|
||||
+#ifndef _UAPI_LINUX_SECUREBITS_H
|
||||
+#define _UAPI_LINUX_SECUREBITS_H
|
||||
|
||||
/* Each securesetting is implemented using two bits. One bit specifies
|
||||
whether the setting is on or off. The other bit specify whether the
|
||||
setting is locked or not. A setting which is locked cannot be
|
||||
changed from user-level. */
|
||||
#define issecure_mask(X) (1 << (X))
|
||||
-#ifdef __KERNEL__
|
||||
-#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
|
||||
-#endif
|
||||
|
||||
#define SECUREBITS_DEFAULT 0x00000000
|
||||
|
||||
@@ -51,4 +48,4 @@
|
||||
issecure_mask(SECURE_KEEP_CAPS))
|
||||
#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
|
||||
|
||||
-#endif /* !_LINUX_SECUREBITS_H */
|
||||
+#endif /* _UAPI_LINUX_SECUREBITS_H */
|
||||
--
|
||||
cgit v0.9.2
|
||||
|
|
@ -1,18 +1,17 @@
|
|||
# Template file for 'libcap'
|
||||
pkgname=libcap
|
||||
version=2.23
|
||||
revision=2
|
||||
version=2.24
|
||||
revision=1
|
||||
hostmakedepends="gperf perl pam-devel"
|
||||
makedepends="pam-devel attr-devel"
|
||||
short_desc="POSIX.1e capabilities suite"
|
||||
maintainer="Juan RP <xtraeme@gmail.com>"
|
||||
homepage="http://sites.google.com/site/fullycapable/"
|
||||
license="GPL-2"
|
||||
distfiles="${KERNEL_SITE}/libs/security/linux-privs/libcap2/$pkgname-$version.tar.bz2"
|
||||
checksum=deebc3b9ff44760a281feb4b379adacc641f5e90999089feb3d7717862242355
|
||||
distfiles="${KERNEL_SITE}/libs/security/linux-privs/libcap2/$pkgname-$version.tar.xz"
|
||||
checksum=cee4568f78dc851d726fc93f25f4ed91cc223b1fe8259daa4a77158d174e6c65
|
||||
|
||||
do_build() {
|
||||
sed -i "s#uapi/##" libcap/Makefile
|
||||
make CC="$CC" BUILD_CC=cc
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue