Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libcap for openSUSE:Factory checked in at 2023-02-14 16:42:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libcap (Old) and /work/SRC/openSUSE:Factory/.libcap.new.27156 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcap" Tue Feb 14 16:42:24 2023 rev:56 rq:1064421 version:2.67 Changes: -------- --- /work/SRC/openSUSE:Factory/libcap/libcap.changes 2022-10-03 13:44:58.369377254 +0200 +++ /work/SRC/openSUSE:Factory/.libcap.new.27156/libcap.changes 2023-02-14 16:42:25.601375975 +0100 @@ -1,0 +2,26 @@ +Sat Feb 4 18:39:55 UTC 2023 - Dirk Müller <dmuel...@suse.com> + +- update to 2.67: + * Replace use of fgrep with grep -F (POSIX grep flags preferred by + GNU grep) - patch from David Seifert. + * Added SPDX identifiers to License file(s). Hopefully this will + help the various robots out there correctly identify the + longstanding licenses for libcap and friends. (Bug: 216609 + reported by Günther Noack) + * Started down the rabbit hole of trying to address (Bug: 216610 + reported by Günther Noack on behalf of Michael Stapelberg) + * The basic issue is how to link C code with Go psx without using + CGo. This is all a low level hackery. If you are interested, + browse the source. + * Correct for bad whatis entries in man pages (this was throwing a + Debian build test, detail) + * Also reviewed man pages and addressed cross linkage issues (Bug: + * Cleaned up some README.md files (made a github mirror now just so + I can automatically render them). + * Changed meaning of DYNAMIC=no builds. + This now builds everything with static linking except for libc. + The reason for this exception is explained in the commit message. + * Inserted demonstration exploit code in capso.so to support + article. + +------------------------------------------------------------------- 
@@ -39 +65,2 @@ - * Minor clarification to cap_get_pid() man page concerning pid value within namespaces. + * Minor clarification to cap_get_pid() man page concerning pid + value within namespaces. Old: ---- libcap-2.66.tar.sign libcap-2.66.tar.xz New: ---- libcap-2.67.tar.sign libcap-2.67.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcap.spec ++++++ --- /var/tmp/diff_new_pack.9Pa80u/_old 2023-02-14 16:42:27.189385399 +0100 +++ /var/tmp/diff_new_pack.9Pa80u/_new 2023-02-14 16:42:27.193385423 +0100 @@ -1,7 +1,7 @@ # # spec file for package libcap # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,16 +17,16 @@ Name: libcap -Version: 2.66 +Version: 2.67 Release: 0 Summary: Library for Capabilities (linux-privs) Support License: BSD-3-Clause OR GPL-2.0-only Group: Development/Libraries/C and C++ URL: https://sites.google.com/site/fullycapable/ Source: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-%{version}.tar.xz -Source2: baselibs.conf -Source3: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-%{version}.tar.sign -Source4: https://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git/plain/pgp.keys.asc#/%{name}.keyring +Source1: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-%{version}.tar.sign +Source2: https://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git/plain/pgp.keys.asc#/%{name}.keyring +Source3: baselibs.conf BuildRequires: fdupes BuildRequires: glibc-devel-static BuildRequires: pkgconfig ++++++ libcap-2.66.tar.xz -> libcap-2.67.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/License new/libcap-2.67/License --- old/libcap-2.66/License 2021-02-15 19:13:21.000000000 +0100 +++ new/libcap-2.67/License 2022-10-31 00:32:12.000000000 +0100 @@ -1,3 +1,5 @@ +/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-only */ + Unless otherwise *explicitly* stated, the following text describes the licensed conditions under which the contents of this libcap release may be used and distributed. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/Make.Rules new/libcap-2.67/Make.Rules --- old/libcap-2.66/Make.Rules 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/Make.Rules 2023-02-03 04:46:03.000000000 +0100 @@ -1,7 +1,7 @@ # Common version number defines for libcap LIBTITLE=libcap VERSION=2 -MINOR=66 +MINOR=67 # ## Optional prefixes: 
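Review bot: Renumbering the sources changes what `%{SOURCE2}` and `%{SOURCE3}` expand to (the keyring and `baselibs.conf` now, instead of `baselibs.conf` and the `.tar.sign`), so any `%prep`/`%install` line that spells those macros — not visible in this hunk — needs the matching edit or the build quietly copies the wrong file. Separately, `Source2` fetches `pgp.keys.asc` from the `plain` view of the upstream git tree with no ref, so the key material that `libcap-%{version}.tar.sign` is checked against is whatever that tree's HEAD holds at fetch time rather than something tied to the release; if the release tag is `libcap-%{version}`, cgit accepts `?h=libcap-%{version}` before the `#/%{name}.keyring` fragment, which would pin it. In practice the copy of the keyring stored in the OBS package is what the signature check uses, so this is about reproducibility of the spec rather than a verification bypass.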
@@ -18,7 +18,7 @@ # administrative operations that could be needed to recover a system. ifndef lib -lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2) +lib=$(shell ldd /usr/bin/ld|grep -E "ld-linux|ld.so"|cut -d/ -f2) endif ifndef sbin diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/cap/License new/libcap-2.67/cap/License --- old/libcap-2.66/cap/License 2021-02-15 19:13:21.000000000 +0100 +++ new/libcap-2.67/cap/License 2022-10-31 00:32:12.000000000 +0100 @@ -1,3 +1,5 @@ +/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-only */ + Unless otherwise *explicitly* stated, the following text describes the licensed conditions under which the contents of this libcap/cap release may be used and distributed. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/cap/go.mod new/libcap-2.67/cap/go.mod --- old/libcap-2.66/cap/go.mod 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/cap/go.mod 2023-02-03 04:46:24.000000000 +0100 @@ -2,4 +2,4 @@ go 1.11 -require kernel.org/pub/linux/libs/security/libcap/psx v1.2.66 +require kernel.org/pub/linux/libs/security/libcap/psx v1.2.67 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/Makefile new/libcap-2.67/contrib/bug216610/Makefile --- old/libcap-2.66/contrib/bug216610/Makefile 1970-01-01 01:00:00.000000000 +0100 +++ new/libcap-2.67/contrib/bug216610/Makefile 2022-10-31 00:32:12.000000000 +0100 
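Review bot: The rewritten `lib=` line still treats an empty pipeline result as a valid answer: if `/usr/bin/ld` is missing, is not dynamically linked, or `ldd` prints nothing matching `ld-linux|ld.so`, `lib` becomes the empty string and whatever paths are derived from it further down Make.Rules (outside this hunk) presumably lose their `lib`/`lib64` component. The context line above the hunk ties this value to recovery of the system, so failing loudly beats guessing: after the `endif`, add `ifeq ($(lib),)`, `$(error unable to determine lib directory from ldd; pass lib=lib or lib=lib64)`, `endif`. The `ifndef lib` guard already lets a packager override the value, so the check costs nothing on a distro build.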
@@ -0,0 +1,23 @@
+topdir=$(shell pwd)/../..
+include ../../Make.Rules
+
+GOTARGET=$(shell eval $$(go env) ; echo $${GOHOSTOS}_$${GOARCH})
+
+all: go/fib
+
+go/fib: go/main.go go/vendor/fibber/fib.go go/vendor/fibber/fibs_$(GOTARGET).s go/vendor/fibber/fib_$(GOTARGET).syso go/vendor/kernel.org/pub/linux/libs/security/libcap/psx
+ cd go && CGO_ENABLED=0 go build -o fib main.go
+
+go/vendor/kernel.org/pub/linux/libs/security/libcap/psx:
+ mkdir -p go/vendor/kernel.org/pub/linux/libs/security/libcap/
+ ln -s $(topdir)/psx $@
+
+go/vendor/fibber/fib_$(GOTARGET).syso: c/fib.c ./gcc_$(GOTARGET).sh
+ ./gcc_$(GOTARGET).sh -O3 c/fib.c -c -o go/vendor/fibber/fib_$(GOTARGET).syso
+
+clean:
+ rm -f *~
+ rm -f c/*.o c/*~
+ rm -f go/fib go/*~
+ rm -f go/vendor/fibber/*.syso go/vendor/fibber/*~
+ rm -rf go/vendor/kernel.org
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/README.md new/libcap-2.67/contrib/bug216610/README.md
--- old/libcap-2.66/contrib/bug216610/README.md 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/contrib/bug216610/README.md 2023-01-15 00:18:31.000000000 +0100
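Review bot: `GOTARGET` is computed by `eval`-ing the entire output of `go env` into the shell, which executes every line the tool prints just to read two variables, and it reads `GOHOSTOS` rather than `GOOS`, so a cross build with `GOOS` set would build the `.syso` for the host while `go build` (as far as I recall) selects `_linux_amd64` files by the target's `GOOS_GOARCH` suffix. `go env` takes the names directly, so the line can be `GOTARGET=$(shell go env GOOS)_$(shell go env GOARCH)` with no eval. The README in this directory says only `linux_amd64` is supported, so today the mismatch surfaces as a missing-rule error rather than a wrong binary, but the eval is still unnecessary.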
@@ -0,0 +1,121 @@ +# Linking psx and C code without cgo + +## Overview + +In some embedded situations, there is a desire to compile Go binaries +to include some C code, but not `libc` etc. For a long time, I had +assumed this was not possible, since using `cgo` *requires* `libc` and +`libpthread` linkage. + +This embedded compilation need was referenced in a [bug +filed](https://bugzilla.kernel.org/show_bug.cgi?id=216610) against the +[`"psx"`](https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/psx) +package. The bug-filer was seeking an alternative to `CGO_ENABLED=1` +compilation needing the `cgo` variant of `psx` build. However, the go +`"runtime"` package will always +[`panic()`](https://cs.opensource.google/go/go/+/refs/tags/go1.19.2:src/runtime/os_linux.go;l=717-720) +if you try this because it needs `libpthread` and `[g]libc` to work. + +In researching that bug report, however, I have learned there is a +trick to combining a non-CGO built binary with compiled C code. I +learned about it from a brief reference in the [Go Programming +Language +Wiki](https://zchee.github.io/golang-wiki/GcToolchainTricks/). + +This present directory evolved from my attempt to understand and +hopefully resolve what was going on as reported in that bug into an +example of this _trick_. I was unable to resolve the problem as +reported because of the aformentioned `panic` in the Go +runtime. However, I was able to demonstrate embedding C code in a Go +binary without use of cgo. So, a Go-native version of `"psx"` is thus +achievable. This is what the example in this present directory does. + +*Caveat Emptor*: this example is very fragile. The Go team only +supports `cgo` linking against C. That being said, I'd certainly like +to receive bug fixes, etc for this directory if you find you need to +evolve it to make it work for your use case. 
+ +## Content + +In this example we have: + +- Some C code for the functions `fib_init()` and `fib_next()` that +combine to implement a _compute engine_ to determine [Fibonacci +Numbers](https://en.wikipedia.org/wiki/Fibonacci_number). The source +for this is in the sub directory `./c/fib.c`. + +- Some Go code, in the directory `./go/vendor/fibber` that uses this +C compiled compute kernel. + +- `gcc_linux_amd64.sh` which is a wrapper for `gcc` that adjusts the +compilation to be digestible by Go's (internal) linker. Using `gcc` +directly instead of this wrapper generates an incomplete binary - +which miscomputes the expected answers. See the discussion below for +what might be going on. + +- A top level `Makefile` to build it all. + +This build uses vendored Go packages so one can experiment with +modifications of the `"psx"` package to explore potential changes (of +which there have been none). + +## Building and running the built binary + +Set things up with: +``` +$ git clone git://git.kernel.org/pub/scm/libs/libcap/libcap.git +$ cd libcap +$ make all +$ cd contrib/bug216610 +$ make clean all +``` +When you run `./go/fib` it should generate the following output: +``` +$ ./go/fib +psx syscall result: PID=<nnnnn> +fib: 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, ... +$ +``` +Where `<nnnnn>` is the PID of the program at runtime and will be +different each time the program is invoked. + +## Discussion + +The Fibonacci detail of what is going on is mostly uninteresting. The +reason for developing this example was to explore the build issues in +the reported [Bug +216610](https://bugzilla.kernel.org/show_bug.cgi?id=216610). Ultimately, +this example offers an alternative path to build a `nocgo` that links +to compute engine style C code. + +The reason we have added the `./gcc_linux_amd64.sh` wrapper for `gcc` +is that we've found the Go linker has a hard time digesting the +cross-sectional `%rip` based data addressing that various optimization +modes of gcc like to use. 
Specifically, if a `R_X86_64_PC32` +relocation entry made in a `.text` section is intended to map into a +`.rodata.cst8` section in a generated `.syso` file, the Go linker +seems to [replace this reference with a `0` offset to +`(%rip)`](https://github.com/golang/go/issues/24321#issuecomment-1296084103). What +our wrapper script does is rewrite the generated assembly to store +these data references to the `.text` section. The Go linker has no +problem with this _same section_ relative addressing. + +## Future thoughts + +At present, this example only works on Linux with `x86_64` (in +go-speak that is `linux_amd64`). This is because I have only provided +some bridging assembly for Go to C calling conventions on that +architecture target (`./go/vendor/fibber/fibs_linux_amd64.s`). + +Perhaps a later version will have bridging code for all the Go +supported Linux architectures, but it will also have to provide some +mechanism to build the `./c/fib.c` code to make +`fib_linux_<arch>.syso` files. The [cited +bug](https://bugzilla.kernel.org/show_bug.cgi?id=216610) includes some +pointers for how to use Docker to support this. + +## Reporting bugs + +Please report issues or offer improvements to this example via the +[Fully Capable `libcap`](https://sites.google.com/site/fullycapable/) +website. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/c/fib.c new/libcap-2.67/contrib/bug216610/c/fib.c --- old/libcap-2.66/contrib/bug216610/c/fib.c 1970-01-01 01:00:00.000000000 +0100 +++ new/libcap-2.67/contrib/bug216610/c/fib.c 2022-10-31 00:32:12.000000000 +0100 
@@ -0,0 +1,20 @@
+#include <inttypes.h>
+
+struct state {
+ uint32_t b, a;
+};
+
+void fib_init(struct state *s);
+void fib_init(struct state *s)
+{
+ s->a = 0;
+ s->b = 1;
+}
+
+void fib_next(struct state *s);
+void fib_next(struct state *s)
+{
+ uint32_t next = s->a + s->b;
+ s->a = s->b;
+ s->b = next;
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/gcc_linux_amd64.sh new/libcap-2.67/contrib/bug216610/gcc_linux_amd64.sh
--- old/libcap-2.66/contrib/bug216610/gcc_linux_amd64.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/contrib/bug216610/gcc_linux_amd64.sh 2023-01-15 00:18:31.000000000 +0100
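Review bot: `#include <inttypes.h>` is a hosted-library header, whereas this example exists to link C into a `CGO_ENABLED=0` binary with no libc; `uint32_t` only needs `<stdint.h>`, which is one of the freestanding headers and keeps the translation unit from depending on declarations the final link cannot satisfy. `uint32_t next = s->a + s->b;` wraps modulo 2^32 once the sequence passes fib(47); that is well-defined for unsigned arithmetic but silent, so a comment above `fib_next` such as `/* Advances (a,b) -> (b,a+b); sums wrap modulo 2^32 after fib(47). */` would save the next reader from checking. Neither function checks `s` for NULL, which is acceptable for an internal compute kernel but worth stating in the same comment.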
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# The Go linker does not seem to know what to do with relative
+# addressing of rodata.* offset from %rip. GCC likes to use this
+# addressing mode on this architecture, so we quickly run into
+# mis-computation when the relative addressing used in a .syso file of
+# symbol located data is resolved to completely the wrong place by the
+# Go (internal) linker.
+#
+# As a workaround for this, we can modify the assembly source code
+# generated by GCC to not point at problematic '.rodata.*' sections,
+# and place this data in the good old '.text' section where Go's
+# linker can make sense of it.
+#
+# This script exists to generate a '.syso' file from some '*.c' files.
+# It works by recognizing the '*.c' command line arguments and
+# converting them into fixed-up '*.s' files. It then performs the
+# compilation for the collection of the '*.s' files. Upon success, it
+# purges the intermediate '*.s' files.
+#
+# The fragile aspect of this present script is which compiler
+# arguments should be used for the compilation from '.c' -> '.s'
+# files. What we do is accumulate arguments until we encounter our
+# first '*.c' file and use those to perform the '.c' -> '.o'
+# compilation. We build up a complete command line for gcc
+# substituting '.s' files for '.c' files in the original command
+# line. Then with the new command line assembled we invoke gcc with
+# those. If that works, we remove all of the intermediate '.s' files.
+setup=0
+args=()
+final=()
+ses=()
+for arg in "$@"; do
+ if [[ "${arg##*.}" = "c" ]]; then
+ setup=1
+ s="${arg%.*}.s"
+ "gcc" "${args[@]}" -S -o "${s}" "${arg}"
+ sed -i -e 's/.*\.rodata\..*/\t.text/' "${s}"
+ final+=("${s}")
+ ses+=("${s}")
+ else
+ if [[ $setup -eq 0 ]]; then
+ args+=("${arg}")
+ fi
+ final+=("${arg}")
+ fi
+done
+
+#echo final: "${final[@]}"
+#echo args: "${args[@]}"
+#echo ses: "${ses[@]}"
+
+"gcc" "${final[@]}"
+if [[ $?
-ne 0 ]]; then
+ echo "failed to compile"
+ exit 1
+fi
+rm -f "${ses[@]}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/go/.gitignore new/libcap-2.67/contrib/bug216610/go/.gitignore
--- old/libcap-2.66/contrib/bug216610/go/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/contrib/bug216610/go/.gitignore 2022-10-31 00:32:12.000000000 +0100
@@ -0,0 +1,3 @@
+fib
+*.syso
+vendor/kernel.org
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/go/go.mod new/libcap-2.67/contrib/bug216610/go/go.mod
--- old/libcap-2.66/contrib/bug216610/go/go.mod 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/contrib/bug216610/go/go.mod 2023-02-03 04:46:24.000000000 +0100
@@ -0,0 +1,3 @@
+module fib
+
+go 1.18
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/go/main.go new/libcap-2.67/contrib/bug216610/go/main.go
--- old/libcap-2.66/contrib/bug216610/go/main.go 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/contrib/bug216610/go/main.go 2022-10-31 00:32:12.000000000 +0100
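Review bot: The `.c` to `.s` step ignores gcc's exit status, so if `"gcc" "${args[@]}" -S -o "${s}" "${arg}"` fails the script carries on, `sed`s and assembles whatever `${s}` already contains, and because intermediate `.s` files are only removed after a successful final run, a stale `.s` left by an earlier failure is silently compiled as if it were current; appending `|| exit 1` to that line closes the hole. The `sed` expression only matches `.rodata.` with a suffix, but gcc can also emit a plain `\t.section\t.rodata` (non-mergeable constant arrays, for instance), which would slip through and reintroduce exactly the mis-relocation the header comment describes; adding `-e 's/^\s*\.section\s\+\.rodata\(\s*,.*\)\?$/\t.text/'` covers that form. The rewrite also places read-only data into the executable `.text` section, harmless for a demo but worth one line in the header so nobody copies the trick into a hardened build without thinking.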
@@ -0,0 +1,28 @@
+// Program fib uses the psx package once, and then prints the first
+// ten Fibonacci numbers.
+package main
+
+import (
+ "fibber"
+ "fmt"
+ "log"
+ "syscall"
+
+ "kernel.org/pub/linux/libs/security/libcap/psx"
+)
+
+func main() {
+ pid, _, err := psx.Syscall3(syscall.SYS_GETPID, 0, 0, 0)
+ if err != 0 {
+ log.Fatalf("failed to get PID via psx: %v", err)
+ }
+ fmt.Print("psx syscall result: PID=")
+ fmt.Println(pid)
+ s := fibber.NewState()
+ fmt.Print("fib: ", s.A, ", ", s.B)
+ for i:=0; i<8; i++ {
+ s.Next()
+ fmt.Print(", ", s.B)
+ }
+ fmt.Println(", ...")
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/go/vendor/fibber/fib.go new/libcap-2.67/contrib/bug216610/go/vendor/fibber/fib.go
--- old/libcap-2.66/contrib/bug216610/go/vendor/fibber/fib.go 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/contrib/bug216610/go/vendor/fibber/fib.go 2022-10-31 00:32:12.000000000 +0100
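Review bot: `for i:=0; i<8; i++` is not gofmt-formatted (`for i := 0; i < 8; i++`), and the `8` is an unstated pairing with the two values already printed from `s.A` and `s.B` to reach the "first ten" promised in the package comment. Either a comment on the loop, `// A and B are the first two; print eight more for ten in total.`, or `const want = 10` with `for i := 2; i < want; i++` keeps the comment and the code in step.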
@@ -0,0 +1,26 @@
+package fibber
+
+import (
+ "unsafe"
+)
+
+type State struct {
+ B, A uint32
+}
+
+func fibInit(ptr unsafe.Pointer)
+func fibNext(ptr unsafe.Pointer)
+
+// NewState initializes a Fibonacci Number sequence generator. Upon
+// return s.A=0 and s.B=1 are the first two numbers in the sequence.
+func NewState() (*State) {
+ s := &State{}
+ fibInit(unsafe.Pointer(&s.B))
+ return s
+}
+
+// Next advances the state to the next number in the sequence. Upon
+// return, s.B is the most recently calculated value.
+func (s *State) Next() {
+ fibNext(unsafe.Pointer(&s.B))
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/bug216610/go/vendor/fibber/fibs_linux_amd64.s new/libcap-2.67/contrib/bug216610/go/vendor/fibber/fibs_linux_amd64.s
--- old/libcap-2.66/contrib/bug216610/go/vendor/fibber/fibs_linux_amd64.s 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/contrib/bug216610/go/vendor/fibber/fibs_linux_amd64.s 2022-10-31 00:32:12.000000000 +0100
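Review bot: `NewState` and `Next` hand `&s.B` to the C side, which only works because `State` is declared as `B, A uint32` in exactly the order and width of `struct state { uint32_t b, a; }` in `c/fib.c` and because `B` is the first field, so its address is the struct's address; none of that is written down here. A comment on `State` such as `// State mirrors struct state in c/fib.c: field order and uint32 widths must match exactly, and B must stay first because &s.B is passed as the struct pointer.` would protect against a well-meaning reordering to `A, B`. The bodiless `fibInit`/`fibNext` declarations could likewise say they are implemented in `fibs_linux_amd64.s` and, as far as that wrapper shows, run the C code on the calling goroutine's own stack without switching to g0.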
@@ -0,0 +1,57 @@
+// To transition from a Go call to a C function call, we are skating
+// on really thin ice... Ceveat Emptor!
+//
+// Ref:
+// https://gitlab.com/x86-psABIs/x86-64-ABI/-/wikis/home
+//
+// This is not strictly needed, but it makes gdb debugging less
+// confusing because spacer ends up being an alias for the TEXT
+// section start.
+TEXT ·spacer(SB),$0
+ RET
+
+#define RINDEX(n) (8*n)
+
+// Push all of the registers the C callee isn't expected to preserve.
+#define PUSHALL() \
+ ADJSP $(RINDEX(9)) \
+ MOVQ AX, RINDEX(0)(SP) \
+ MOVQ CX, RINDEX(1)(SP) \
+ MOVQ DX, RINDEX(2)(SP) \
+ MOVQ SI, RINDEX(3)(SP) \
+ MOVQ DI, RINDEX(4)(SP) \
+ MOVQ R8, RINDEX(5)(SP) \
+ MOVQ R9, RINDEX(6)(SP) \
+ MOVQ R10, RINDEX(7)(SP) \
+ MOVQ R11, RINDEX(8)(SP)
+
+// Pop all of the registers the C callee isn't expected to preserve.
+#define POPALL() \
+ MOVQ RINDEX(0)(SP), AX \
+ MOVQ RINDEX(1)(SP), CX \
+ MOVQ RINDEX(2)(SP), DX \
+ MOVQ RINDEX(3)(SP), SI \
+ MOVQ RINDEX(4)(SP), DI \
+ MOVQ RINDEX(5)(SP), R8 \
+ MOVQ RINDEX(6)(SP), R9 \
+ MOVQ RINDEX(7)(SP), R10 \
+ MOVQ RINDEX(8)(SP), R11 \
+ ADJSP $-(RINDEX(9))
+
+// Header to this function wrapper is the last time we can voluntarily
+// yield to some other goroutine.
+TEXT ·fibInit(SB),$0-8
+ PUSHALL()
+ MOVQ ptr+RINDEX(0)(FP), DI
+ CALL fib_init(SB)
+ POPALL()
+ RET
+
+// Header to this function wrapper is the last time we can voluntarily
+// yield to some other goroutine.
+TEXT ·fibNext(SB),$0-8
+ PUSHALL()
+ MOVQ ptr+RINDEX(0)(FP), DI
+ CALL fib_next(SB)
+ POPALL()
+ RET
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/capso/.gitignore new/libcap-2.67/contrib/capso/.gitignore
--- old/libcap-2.66/contrib/capso/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/contrib/capso/.gitignore 2022-10-10 01:21:46.000000000 +0200
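Review bot: Both wrappers `CALL` the C function straight from the goroutine stack with whatever alignment `PUSHALL`'s 72-byte `ADJSP` leaves, but the SysV ABI this file cites requires RSP+8 to be 16-byte aligned at function entry; gcc at `-O3` is entitled to emit aligned SSE stack accesses on that assumption, so a less trivial C function than `fib.c` could fault intermittently rather than fail cleanly. A cheap fix in both wrappers is `MOVQ SP, BX` and `ANDQ $~15, SP` immediately before the `CALL` and `MOVQ BX, SP` immediately after it (BX is callee-saved under SysV and nothing on the Go side here relies on it; the runtime's own `asmcgocall` uses the same trick). The header comment should also state that the C code runs on the small goroutine stack, not g0, so the callee must be shallow and must not call anything that could grow or switch stacks, and that `PUSHALL`/`POPALL` exist to save the SysV caller-saved registers, since a reader cannot tell whether that is required by the Go side or merely defensive.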
@@ -0,0 +1,2 @@
+capso.so
+bind
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/capso/README.md new/libcap-2.67/contrib/capso/README.md
--- old/libcap-2.66/contrib/capso/README.md 2021-11-14 07:30:40.000000000 +0100
+++ new/libcap-2.67/contrib/capso/README.md 2022-10-31 00:32:12.000000000 +0100
@@ -1,20 +1,21 @@ # Leveraging file capabilities on shared libraries -This directory contains an example of a shared library (capso.so) that -can be installed with file capabilities. When the library is linked -against an unprivileged program, it includes internal support for -re-invoking itself as a child subprocess to execute a privileged +This directory contains an example of a shared library (`capso.so`) +that can be installed with file capabilities. When the library is +linked against an unprivileged program, it includes internal support +for re-invoking itself as a child subprocess to execute a privileged operation on bahalf of the parent. -The idea for doing this was evolved from the way pam_unix.so is able -to leverage a separate program, and libcap's recently added support -for supporting binary execution of all the .so files built by the +The idea for doing this was evolved from the way `pam_unix.so` is able +to leverage a separate program, and `libcap`'s recently added support +for supporting binary execution of all the `.so` files built by the package. -The actual program example 'bind' leverages the -"cap_net_bind_service=p" ./capso.so file to bind to the privileged -port 80. +The actual program example `./bind` leverages the +`"cap_net_bind_service=p"` enabled `./capso.so` file to bind to the +privileged port 80. -A writeup of how to explore this example is provided here: +A writeup of how to build and explore the behavior of this example is +provided on the `libcap` distribution website: https://sites.google.com/site/fullycapable/capable-shared-objects diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/capso/capso.c new/libcap-2.67/contrib/capso/capso.c --- old/libcap-2.66/contrib/capso/capso.c 2021-11-14 07:30:40.000000000 +0100 +++ new/libcap-2.67/contrib/capso/capso.c 2022-10-10 01:21:46.000000000 +0200 
@@ -26,6 +26,73 @@ #include "capso.h" +extern char **environ; + +/* + * fake_exploit is some dedicated code to simulate a shell escape type + * exploit. This is obviously not something serious to include in code + * that has actually been audited for security, but we use it to + * demonstrate an aspect of file capabilities vs. setuid root for + * granting privilege. + */ +static void fake_exploit(void) { +#ifdef ALLOW_EXPLOIT + const char *exploit = getenv("TRIGGER_EXPLOIT"); + if (exploit == NULL) { + return; + } + + switch (*exploit) { + case '^': + case '%': + exploit++; + cap_value_t caps = CAP_NET_BIND_SERVICE; + cap_t c = cap_get_proc(); + cap_set_flag(c, CAP_INHERITABLE, 1, &caps, CAP_SET); + if (cap_set_proc(c)) { + perror("Failed to raise inheritable capability"); + exit(1); + } + if (*(exploit-1) == '%') { + break; + } + cap_free(c); + if (cap_set_ambient(caps, CAP_SET) != 0) { + perror("Unable to raise ambient capability"); + exit(1); + } + break; + } + + char *ts = strdup(exploit); + if (ts == NULL) { + perror("Failed to duplicate exploit string"); + exit(1); + } + + int i, j, n = 1; + for (i = 0; ts[i]; i++) { + switch (ts[i]) { + case ' ': + case '\t': + n++; + ts[i] = '\0'; + } + } + char **argv = calloc(n, sizeof(char *)); + for (i = 0, j = 0; j < n; j++) { + char *s = ts+i; + argv[j] = s; + i += 1 + strlen(s); + printf("execv argv[%d] = \"%s\"\n", j, s); + } + + execv(argv[0], argv); + perror("Execv failed"); + exit(1); +#endif /* def ALLOW_EXPLOIT */ +} + /* * where_am_i determines the full path for the shared libary that * contains this function. It allocates the path in strdup()d memory @@ -160,7 +227,7 @@ */ path = where_am_i(); if (path == NULL) { - perror("unable to find self"); + perror("Unable to find self"); goto drop_alloc; } @@ -168,7 +235,7 @@ args[1] = hostname; args[2] = NULL; - helper = cap_new_launcher(path, args, NULL); + helper = cap_new_launcher(path, args, (void *) environ); if (helper == NULL) { goto drop_path; } 
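Review bot: In `fake_exploit` the `argv` handed to `execv` is not NULL-terminated: `n` counts the whitespace-separated tokens, `calloc(n, sizeof(char *))` allocates exactly `n` slots and the `j < n` loop fills every one of them, so `execv` reads one pointer past the allocation looking for the terminator. It should be `char **argv = calloc(n + 1, sizeof(char *));` (calloc leaves the extra slot NULL), with the result checked, e.g. `if (argv == NULL) { perror("Failed to allocate argv"); exit(1); }`. The `'%'` path also `break`s out of the switch before `cap_free(c)` and leaks the cap_t; moving `cap_free(c)` above the `if (*(exploit-1) == '%')` test fixes that, since `c` is not used afterwards. All of this sits under `ALLOW_EXPLOIT`, so it only affects the deliberately unsafe demo build, but a demo of a shell escape should not itself contain an out-of-bounds read.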
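Review bot: Passing `environ` to `cap_new_launcher` is not guarded by `ALLOW_EXPLOIT`, so every build of `capso.so` now forwards the unprivileged caller's complete environment into the re-executed, file-capability-bearing helper, where previously `NULL` was passed (presumably an empty or unmodified environment; the `cap_new_launcher` contract is not visible here). The only consumer of that environment in this diff is `getenv("TRIGGER_EXPLOIT")` inside the demo code, so in a normal build the extra attack surface buys nothing, and the loader's secure-execution scrubbing only strips a handful of `LD_*`-style variables. I would gate the environment the same way the demo code is gated, so the hardened build keeps the old behaviour.
```c
	/* Only the ALLOW_EXPLOIT demo needs the caller's environment
	 * (TRIGGER_EXPLOIT); a hardened helper should not inherit it. */
	char **helper_env = NULL;
#ifdef ALLOW_EXPLOIT
	helper_env = environ;
#endif
	helper = cap_new_launcher(path, args, (void *) helper_env);
	/* … unchanged: NULL check and goto drop_path … */
```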
@@ -247,19 +314,19 @@ working = cap_get_proc(); if (working == NULL) { - perror("unable to read capabilities"); + perror("Unable to read capabilities"); exit(1); } if (cap_set_flag(working, CAP_EFFECTIVE, 1, &cap_net_bind_service, CAP_SET) != 0) { - perror("unable to raise CAP_NET_BIND_SERVICE"); + perror("Unable to raise CAP_NET_BIND_SERVICE"); exit(1); } if (cap_set_proc(working) != 0) { - perror("cap_set_proc problem"); - fprintf(stderr, "try: sudo setcap cap_net_bind_service=p %s\n", + perror("Problem with cap_set_proc"); + fprintf(stderr, "Try: sudo setcap cap_net_bind_service=p %s\n", argv[0]); exit(1); } @@ -287,9 +354,11 @@ *((int *) CMSG_DATA(ctrl)) = fd; if (sendmsg(3, &msg, 0) < 0) { - perror("failed to write fd"); + perror("Failed to write fd"); } + fake_exploit(); + #ifdef CAPSO_DEBUG printf("exiting standalone %s\n", argv[0]); sleep(30); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/seccomp/go.mod new/libcap-2.67/contrib/seccomp/go.mod --- old/libcap-2.66/contrib/seccomp/go.mod 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/contrib/seccomp/go.mod 2023-02-03 04:46:24.000000000 +0100 @@ -2,4 +2,4 @@ go 1.14 -require kernel.org/pub/linux/libs/security/libcap/psx v1.2.66 +require kernel.org/pub/linux/libs/security/libcap/psx v1.2.67 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/contrib/sucap/README.md new/libcap-2.67/contrib/sucap/README.md --- old/libcap-2.66/contrib/sucap/README.md 2021-09-18 05:56:21.000000000 +0200 +++ new/libcap-2.67/contrib/sucap/README.md 2022-10-31 00:32:12.000000000 +0100 
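Review bot: The new `fake_exploit();` call is placed right after the descriptor has been sent back over fd 3 and while the effective set raised by `cap_set_proc(working)` earlier in this function is still in force, which is presumably the whole point of the demonstration, but nothing at the call site says so and a later reader could mistake it for a leftover. A comment such as `/* Deliberately run after the privileged work, while CAP_NET_BIND_SERVICE is still effective, so the simulated shell escape shows what a child of a file-capable helper does and does not inherit (see fake_exploit). */` would fix that. With `ALLOW_EXPLOIT` undefined the function body is empty, so the call is inert in production builds; stating that here too would reassure anyone auditing the helper.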
@@ -1,22 +1,21 @@ -This directory contains a port of the SimplePAMApp su to more -aggressively use libcap. +# A fully capable version of `su` -The Makefile builds a binary called `su` that registers with PAM as -the application `sucap`. We've provided a sample `/etc/pam.d/sucap` -file in this directory named `sucap.pamconfig`. +This directory contains a port of the `SimplePAMApp` `su` one that can +work in a `PURE1E` `libcap`-_mode_ environment. -The point of developing this is to better test the full libcap +The point of developing this is to better test the full `libcap` implementation, and to also provide a non-setuid-root worked example -for testing PAM interaction with libcap and pam_cap.so. The -expectations for `pam_unix.so` are that it includes this commit: +for testing PAM interaction with `libcap` and `pam_cap.so`. The +required expectations for `pam_unix.so` are that it include this +commit: https://github.com/linux-pam/linux-pam/pull/373/commits/bf9b1d8ad909634000a7356af2d865a79d3f86f3 -The original sources were found here: +The original sources for this version of `su` were found here: https://kernel.org/pub/linux/libs/pam/pre/applications/SimplePAMApps-0.60.tar.gz -The SimplePAMApps contain the same License as libcap (they were +The `SimplePAMApps` contain the same License as `libcap` (they were originally started by the same authors!). The credited Authors in the above tarball were: 
@@ -33,7 +32,7 @@ Finally, Andrew would like to apologize to Andrey for removing all of the config support he worked to add all those decades ago..! I just wanted to make a quick tester for a potential workaround for this -pam_cap issue: +`pam_cap.so` issue: - https://bugzilla.kernel.org/show_bug.cgi?id=212945 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/Makefile new/libcap-2.67/doc/Makefile --- old/libcap-2.66/doc/Makefile 2021-12-12 22:47:05.000000000 +0100 +++ new/libcap-2.67/doc/Makefile 2022-10-17 02:15:32.000000000 +0200 @@ -11,6 +11,7 @@ cap_fill.3 cap_fill_flag.3 cap_max_bits.3 \ cap_compare.3 cap_get_proc.3 cap_get_pid.3 cap_set_proc.3 \ cap_get_file.3 cap_get_fd.3 cap_set_file.3 cap_set_fd.3 \ + cap_set_nsowner.3 cap_get_nsowner.3 \ cap_copy_ext.3 cap_size.3 cap_copy_int.3 cap_mode.3 \ cap_from_text.3 cap_to_text.3 cap_from_name.3 cap_to_name.3 \ capsetp.3 capgetp.3 libcap.3 \ @@ -25,7 +26,8 @@ cap_iab.3 cap_iab_init.3 cap_iab_dup.3 cap_iab_compare.3 \ cap_iab_get_proc.3 cap_iab_get_pid.3 cap_iab_set_proc.3 \ cap_iab_to_text.3 cap_iab_from_text.3 cap_iab_get_vector.3 \ - cap_iab_set_vector.3 cap_iab_fill.3 \ + cap_iab_set_vector.3 cap_iab_fill.3 cap_proc_root.3 \ + cap_prctl.3 cap_prctlw.3 \ psx_syscall.3 psx_syscall3.3 psx_syscall6.3 psx_set_sensitivity.3 \ libpsx.3 MAN8S = getcap.8 setcap.8 getpcaps.8 captree.8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_clear.3 new/libcap-2.67/doc/cap_clear.3 --- old/libcap-2.66/doc/cap_clear.3 2021-11-22 02:20:50.000000000 +0100 +++ new/libcap-2.67/doc/cap_clear.3 2022-10-17 02:15:32.000000000 +0200 
@@ -1,6 +1,6 @@ -.TH CAP_CLEAR 3 "2021-10-01" "" "Linux Programmer's Manual" +.TH CAP_CLEAR 3 "2022-10-16" "" "Linux Programmer's Manual" .SH NAME -cap_clear, cap_clear_flag, cap_get_flag, cap_set_flag, cap_fill_flag, cap_fill, cap_compare \- capability data object manipulation +cap_clear, cap_clear_flag, cap_get_flag, cap_set_flag, cap_fill_flag, cap_fill, cap_compare, cap_max_bits \- capability data object manipulation .SH SYNOPSIS .nf #include <sys/capability.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_get_file.3 new/libcap-2.67/doc/cap_get_file.3 --- old/libcap-2.66/doc/cap_get_file.3 2021-03-07 04:55:56.000000000 +0100 +++ new/libcap-2.67/doc/cap_get_file.3 2022-10-17 02:15:32.000000000 +0200 @@ -1,10 +1,10 @@ .\" .\" written by Andrew Main <zef...@dcs.warwick.ac.uk> .\" -.TH CAP_GET_FILE 3 "2021-03-06" "" "Linux Programmer's Manual" +.TH CAP_GET_FILE 3 "2022-10-16" "" "Linux Programmer's Manual" .SH NAME -cap_get_file, cap_set_file, cap_get_fd, cap_set_fd \- capability -manipulation on files +cap_get_file, cap_set_file, cap_get_fd, cap_set_fd, cap_get_nsowner, \ +cap_set_nsowner \- capability manipulation on files .SH SYNOPSIS .nf #include <sys/capability.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_get_nsowner.3 new/libcap-2.67/doc/cap_get_nsowner.3 --- old/libcap-2.66/doc/cap_get_nsowner.3 1970-01-01 01:00:00.000000000 +0100 +++ new/libcap-2.67/doc/cap_get_nsowner.3 2022-10-17 02:15:32.000000000 +0200 @@ -0,0 +1 @@ +.so man3/cap_get_file.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_iab.3 new/libcap-2.67/doc/cap_iab.3 --- old/libcap-2.66/doc/cap_iab.3 2021-11-21 06:48:26.000000000 +0100 +++ new/libcap-2.67/doc/cap_iab.3 2022-10-17 02:15:32.000000000 +0200 
@@ -1,33 +1,28 @@ -.TH CAP_IAB 3 "2021-11-17" "" "Linux Programmer's Manual" +.TH CAP_IAB 3 "2022-10-16" "" "Linux Programmer's Manual" .SH NAME +cap_iab_init, cap_iab_dup, cap_iab_get_proc, cap_iab_get_pid, \ +cap_iab_set_proc, cap_iab_to_text, cap_iab_from_text, \ +cap_iab_get_vector, cap_iab_compare, cap_iab_set_vector, \ +cap_iab_fill, cap_proc_root \- inheritable IAB tuple support functions +.SH SYNOPSIS .nf #include <sys/capability.h> cap_iab_t cap_iab_init(void); - cap_iab_t cap_iab_dup(cap_iab_t iab); - cap_iab_t cap_iab_get_proc(void); - cap_iab_t cap_iab_get_pid(pid_t pid); - int cap_iab_set_proc(cap_iab_t iab); - char *cap_iab_to_text(cap_iab_t iab); - cap_iab_t cap_iab_from_text(const char *text); - cap_flag_value_t cap_iab_get_vector(cap_iab_t iab, cap_iab_vector_t vec, cap_value_t val); - int cap_iab_compare(cap_iab_t a, cap_iab_t b); - int cap_iab_set_vector(cap_iab_t iab, cap_iab_vector_t vec, cap_value_t val, cap_flag_value_t enable); - int cap_iab_fill(cap_iab_t iab, cap_iab_vector_t vec, cap_t set, cap_flag_t flag); - +char *cap_proc_root(const char *root); .fi .sp Link with \fI\-lcap\fP. @@ -88,6 +83,11 @@ returns a copy of the IAB value for the specified process. The returned cap_iab_t should be freed with .BR cap_free (3). +This function defaults to searching +.BR /proc/ <PID> /status +for the IAB information, but that location can be overridden using the +.BR cap_proc_root () +function. .sp .BR cap_iab_set_proc () can be used to set the IAB value carried by the current process. Such 
@@ -137,6 +137,19 @@ values in the IAB tuple. Similarly copying into the Inh vector may implicitly lower Amb values that are not present in the resulting Inh vector. +.sp +.BR cap_proc_root () +can be used to determine the current location queried by +.BR cap_iab_get_pid (). +Returned values should be released with +.BR cap_free (3). +If the argument to +.BR cap_proc_root () +is not \fBNULL\fP, a copy of it will become the replacement for +.BR /proc . +Note, this function is \fInot\fP thread safe with respect to +concurrent calls to +.BR cap_iab_get_pid (). .SH "ERRORS" The functions returning \fIcap_iab_t\fP values or allocated memory in the form of a string return NULL on error. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_launch.3 new/libcap-2.67/doc/cap_launch.3 --- old/libcap-2.66/doc/cap_launch.3 2021-10-23 07:22:32.000000000 +0200 +++ new/libcap-2.67/doc/cap_launch.3 2022-10-10 01:21:46.000000000 +0200 @@ -1,5 +1,10 @@ .TH CAP_LAUNCH 3 "2021-08-01" "" "Linux Programmer's Manual" .SH NAME +cap_new_launcher, cap_func_launcher, cap_launcher_callback, \ +cap_launcher_set_mode, cap_launcher_set_iab, cap_launcher_set_chroot, \ +cap_launch, cap_launcher_setuid, cap_launcher_setgroups \ +\- libcap launch functionality +.SH SYNOPSYS .nf #include <sys/capability.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_prctl.3 new/libcap-2.67/doc/cap_prctl.3 --- old/libcap-2.66/doc/cap_prctl.3 1970-01-01 01:00:00.000000000 +0100 +++ new/libcap-2.67/doc/cap_prctl.3 2022-10-17 02:15:32.000000000 +0200 @@ -0,0 +1 @@ +.so man3/cap_get_proc.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_prctlw.3 new/libcap-2.67/doc/cap_prctlw.3 --- old/libcap-2.66/doc/cap_prctlw.3 1970-01-01 01:00:00.000000000 +0100 +++ new/libcap-2.67/doc/cap_prctlw.3 2022-10-17 02:15:32.000000000 +0200 
@@ -0,0 +1 @@
+.so man3/cap_get_proc.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_proc_root.3 new/libcap-2.67/doc/cap_proc_root.3
--- old/libcap-2.66/doc/cap_proc_root.3 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/doc/cap_proc_root.3 2022-10-17 02:15:32.000000000 +0200
@@ -0,0 +1 @@
+.so man3/cap_iab.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/cap_set_nsowner.3 new/libcap-2.67/doc/cap_set_nsowner.3
--- old/libcap-2.66/doc/cap_set_nsowner.3 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/doc/cap_set_nsowner.3 2022-10-17 02:15:32.000000000 +0200
@@ -0,0 +1 @@
+.so man3/cap_get_file.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/crosslink.sh new/libcap-2.67/doc/crosslink.sh
--- old/libcap-2.66/doc/crosslink.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.67/doc/crosslink.sh 2022-10-17 02:15:32.000000000 +0200
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# So many cross links to maintain. Here is a script that I've used to
+# validate things at least conform to some structure:
+#
+for x in *.? ; do
+ y=$(grep -F '.so m' ${x} | awk '{print $2}' | sed -e 's/man..//')
+ if [ -z "${y}" ]; then
+ continue
+ fi
+ echo
+ echo "###########"
+ echo "${x} => ${y}"
+ grep -F "${x%.*}" "${y}"
+done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/doc/libcap.3 new/libcap-2.67/doc/libcap.3
--- old/libcap-2.66/doc/libcap.3 2021-11-21 06:48:26.000000000 +0100
+++ new/libcap-2.67/doc/libcap.3 2022-10-17 02:15:32.000000000 +0200
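Review bot: On the `y=$(grep -F '.so m' ${x} | awk '{print $2}' | sed -e 's/man..//')` line, `y` would become a multi-word value if a page ever carried more than one `.so` line, and the final `grep -F "${x%.*}" "${y}"` then passes all of it as a single file name and fails; `${x}` on that line is also unquoted, unlike every other expansion in the script. The script also never signals a missing cross link — a `grep` that prints nothing just leaves an empty section in the output — so it only supports reading the output by eye, which is what the header comment admits. A small tightening that keeps the script's shape: quote `"${x}"`, and replace the last command with `grep -F "${x%.*}" "${y}" || echo "MISSING: ${y} does not mention ${x%.*}"` so the failing page is named explicitly.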
@@ -1,15 +1,21 @@ -.TH LIBCAP 3 "2021-03-06" "" "Linux Programmer's Manual" +.TH LIBCAP 3 "2022-10-16" "" "Linux Programmer's Manual" .SH NAME cap_clear, cap_clear_flag, cap_compare, cap_copy_ext, cap_copy_int, \ -cap_free, cap_from_name, cap_from_text, cap_get_fd, cap_get_file, \ -cap_get_flag, cap_get_pid, cap_get_proc, cap_set_fd, cap_set_file, \ -cap_set_flag, cap_set_proc, cap_size, cap_to_name, cap_to_text, \ -cap_get_pid, cap_dup \- capability data object manipulation +cap_drop_bound, cap_dup, cap_fill, cap_fill_flag, cap_free, cap_from_name, \ +cap_from_text, cap_get_ambient, cap_get_bound, cap_get_fd, \ +cap_get_file, cap_get_flag, cap_get_mode, cap_get_nsowner, cap_get_pid, \ +cap_get_pid, cap_get_proc, cap_get_secbits, cap_init, cap_max_bits, \ +cap_prctl, cap_prctlw, cap_proc_root, cap_reset_ambient, \ +cap_set_ambient, cap_set_fd, cap_set_file, cap_set_flag, cap_setgroups, \ +cap_set_mode, cap_set_nsowner, cap_set_proc, cap_set_secbits, \ +cap_setuid, cap_size, cap_to_name, cap_to_text \- capability data object manipulation .SH SYNOPSIS .nf #include <sys/capability.h> int cap_clear(cap_t cap_p); +int cap_fill(cap_t cap_p, cap_flag_t to, cap_flag_t from); +int cap_fill_flag(cap_t cap_p, cap_flag_t to, const cap_t ref, cap_flag_t from); int cap_clear_flag(cap_t cap_p, cap_flag_t flag); int cap_compare(cap_t cap_a, cap_t cap_b); ssize_t cap_copy_ext(void *ext_p, cap_t cap_p, ssize_t size); 
@@ -36,18 +42,42 @@
 char *cap_to_name(cap_value_t cap);
 char *cap_to_text(cap_t caps, ssize_t *length_p);
 cap_t cap_get_pid(pid_t pid);
+cap_t cap_init();
 cap_t cap_dup(cap_t cap_p);
+
+char *cap_proc_root(const char *root);
+int cap_get_nsowner(cap_t cap_p);
+int cap_set_nsowner(cap_t cap_p, uid_t rootuid);
+int cap_get_bound(cap_value_t cap);
+int cap_drop_bound(cap_value_t cap);
+int cap_get_ambient(cap_value_t cap);
+int cap_set_ambient(cap_value_t cap, cap_flag_value_t value);
+int cap_reset_ambient(void);
+int cap_set_mode(cap_mode_t flavor);
+cap_mode_t cap_get_mode(void);
+const char *cap_mode_name(cap_mode_t flavor);
+unsigned cap_get_secbits();
+int cap_set_secbits(unsigned bits);
+int cap_prctl(long int pr_cmd, long int arg1, long int arg2, long int arg3,
+ long int arg4, long int arg5);
+int cap_prctlw(long int pr_cmd, long int arg1, long int arg2, long int arg3,
+ long int arg4, long int arg5);
+int cap_setuid(uid_t uid);
+int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[]);
 .fi
 .sp
 Link with \fI\-lcap\fP.
 .fi
 .SH DESCRIPTION
-These functions work on a capability state held in working storage.
+These primary functions work on a capability state held in working
+storage and attempt to complete the POSIX.1e (draft) user space API
+for Capability based privilege.
+.PP
 A
 .I cap_t
 holds information about the capabilities in each of the three sets,
-Permitted, Inheritable, and Effective.
-Each capability in a set may be clear (disabled, 0) or set (enabled, 1).
+Permitted, Inheritable, and Effective. Each capability in a set may
+be clear (disabled, 0) or set (enabled, 1).
 .PP
 These functions work with the following data types:
 .TP 18
@@ -80,10 +110,65 @@
 These functions are as per the withdrawn POSIX.1e draft specification.
 The following functions are Linux extensions:
 .BR cap_clear_flag (),
+.BR cap_drop_bound (),
+.BR cap_fill (),
+.BR cap_fill_flag (),
 .BR cap_from_name (),
-.BR cap_to_name (),
+.BR cap_get_ambient (),
+.BR cap_get_bound (),
+.BR cap_get_mode (),
+.BR cap_get_nsowner (),
+.BR cap_get_secbits (),
+.BR cap_mode_name (),
+.BR cap_proc_root (),
+.BR cap_prctl (),
+.BR cap_prctlw (),
+.BR cap_reset_ambient (),
+.BR cap_setgroups (),
+.BR cap_setuid (),
+.BR cap_set_ambient (),
+.BR cap_set_mode (),
+.BR cap_set_nsowner (),
+.BR cap_set_secbits (),
+.BR cap_to_name ()
 and
 .BR cap_compare ().
+.PP
+A Linux, \fIIAB\fP, extension of Inheritable, Bounding and Ambient
+tuple capability vectors are also supported by \fBlibcap\fP. Those
+functions are described in a companion man page:
+.BR cap_iab (3).
+Further, for managing the complexity of launching a sub-process,
+\fBlibcap\fP supports the abstraction:
+.BR cap_launch (3).
+.PP
+In addition to the \fBcap_\fP prefixed \fBlibcap\fP API, the library
+also provides prototypes for the Linux system calls that provide the
+native API for process capabilities. These prototypes are:
+.sp
+.nf
+int capget(cap_user_header_t header, cap_user_data_t data);
+int capset(cap_user_header_t header, const cap_user_data_t data);
+.fi
+.sp
+Further, \fBlibcap\fP provides a set-up function,
+.sp
+.nf
+void cap_set_syscall(
+ long int (*new_syscall)(long int, long int, long int, long int),
+ long int (*new_syscall6)(long int,
+ long int, long int, long int,
+ long int, long int, long int));
+.fi
+.sp
+which can be used to redirect its use of the
+.BR capset ()
+and other system calls that write kernel managed state. This is
+especially useful when supporting POSIX semantics for security
+state. When a program is linked against
+.BR libpsx (3)
+as described in that man page, this function is used to connect
+\fBlibcap\fP to POSIX semantics system calls.
.SH "REPORTING BUGS" The .B libcap @@ -99,9 +184,15 @@ .BR cap_from_text (3), .BR cap_get_file (3), .BR cap_get_proc (3), +.BR cap_iab (3), .BR cap_init (3), +.BR cap_launch (3), .BR capabilities (7), .BR getpid (2), -.BR capsh (1) +.BR capsh (1), +.BR captree (8), +.BR getcap (8), +.BR getpcaps (8), +.BR setcap (8) and .BR libpsx (3). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/go/go.mod new/libcap-2.67/go/go.mod --- old/libcap-2.66/go/go.mod 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/go/go.mod 2023-02-03 04:46:24.000000000 +0100 @@ -3,6 +3,6 @@ go 1.11 require ( - kernel.org/pub/linux/libs/security/libcap/cap v1.2.66 - kernel.org/pub/linux/libs/security/libcap/psx v1.2.66 + kernel.org/pub/linux/libs/security/libcap/cap v1.2.67 + kernel.org/pub/linux/libs/security/libcap/psx v1.2.67 ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/goapps/captrace/go.mod new/libcap-2.67/goapps/captrace/go.mod --- old/libcap-2.66/goapps/captrace/go.mod 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/goapps/captrace/go.mod 2023-02-03 04:46:24.000000000 +0100 @@ -2,4 +2,4 @@ go 1.16 -require kernel.org/pub/linux/libs/security/libcap/cap v1.2.66 +require kernel.org/pub/linux/libs/security/libcap/cap v1.2.67 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/goapps/captree/go.mod new/libcap-2.67/goapps/captree/go.mod --- old/libcap-2.66/goapps/captree/go.mod 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/goapps/captree/go.mod 2023-02-03 04:46:24.000000000 +0100 
@@ -2,4 +2,4 @@ go 1.16 -require kernel.org/pub/linux/libs/security/libcap/cap v1.2.66 +require kernel.org/pub/linux/libs/security/libcap/cap v1.2.67 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/goapps/gowns/go.mod new/libcap-2.67/goapps/gowns/go.mod --- old/libcap-2.66/goapps/gowns/go.mod 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/goapps/gowns/go.mod 2023-02-03 04:46:24.000000000 +0100 @@ -2,4 +2,4 @@ go 1.15 -require kernel.org/pub/linux/libs/security/libcap/cap v1.2.66 +require kernel.org/pub/linux/libs/security/libcap/cap v1.2.67 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/goapps/setid/go.mod new/libcap-2.67/goapps/setid/go.mod --- old/libcap-2.66/goapps/setid/go.mod 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/goapps/setid/go.mod 2023-02-03 04:46:24.000000000 +0100 @@ -3,6 +3,6 @@ go 1.11 require ( - kernel.org/pub/linux/libs/security/libcap/cap v1.2.66 - kernel.org/pub/linux/libs/security/libcap/psx v1.2.66 + kernel.org/pub/linux/libs/security/libcap/cap v1.2.67 + kernel.org/pub/linux/libs/security/libcap/psx v1.2.67 ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/goapps/web/go.mod new/libcap-2.67/goapps/web/go.mod --- old/libcap-2.66/goapps/web/go.mod 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/goapps/web/go.mod 2023-02-03 04:46:24.000000000 +0100 @@ -2,4 +2,4 @@ go 1.11 -require kernel.org/pub/linux/libs/security/libcap/cap v1.2.66 +require kernel.org/pub/linux/libs/security/libcap/cap v1.2.67 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/kdebug/test-kernel.sh new/libcap-2.67/kdebug/test-kernel.sh --- old/libcap-2.66/kdebug/test-kernel.sh 2021-09-18 05:56:21.000000000 +0200 +++ new/libcap-2.67/kdebug/test-kernel.sh 2022-10-10 01:21:46.000000000 +0200 
@@ -62,7 +62,7 @@ echo "file /root/interactive $HERE/interactive 0755 0 0" >> fs.conf fi -COMMANDS="awk cat chmod cp dmesg fgrep id less ln ls mkdir mount pwd rm rmdir sh sort umount uniq vi" +COMMANDS="awk cat chmod cp dmesg grep id less ln ls mkdir mount pwd rm rmdir sh sort umount uniq vi" for f in $COMMANDS; do echo slink /bin/$f /sbin/busybox 0755 0 0 >> fs.conf done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/libcap/cap_alloc.c new/libcap-2.67/libcap/cap_alloc.c --- old/libcap-2.66/libcap/cap_alloc.c 2022-01-24 07:02:32.000000000 +0100 +++ new/libcap-2.67/libcap/cap_alloc.c 2023-02-03 05:05:56.000000000 +0100 @@ -17,7 +17,7 @@ */ static cap_value_t _cap_max_bits; -__attribute__((constructor (300))) void _libcap_initialize() +__attribute__((constructor (300))) void _libcap_initialize(void) { int errno_saved = errno; _cap_mu_lock(&__libcap_mutex); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/libcap/cap_proc.c new/libcap-2.67/libcap/cap_proc.c --- old/libcap-2.66/libcap/cap_proc.c 2022-04-10 23:22:40.000000000 +0200 +++ new/libcap-2.67/libcap/cap_proc.c 2023-02-03 05:06:28.000000000 +0100 @@ -363,7 +363,7 @@ * case where the set is empty already but the ambient cap API is * locked. */ -int cap_reset_ambient() +int cap_reset_ambient(void) { return _cap_reset_ambient(&multithread); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/libcap/include/sys/capability.h new/libcap-2.67/libcap/include/sys/capability.h --- old/libcap-2.66/libcap/include/sys/capability.h 2022-09-24 22:41:21.000000000 +0200 +++ new/libcap-2.67/libcap/include/sys/capability.h 2023-02-03 04:46:48.000000000 +0100 
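Review bot: The `(void)` added to `_libcap_initialize` in cap_alloc.c and to `cap_reset_ambient` in cap_proc.c is the right fix — before C23 an empty parameter list declares an unprototyped function, which is what `-Wstrict-prototypes` warns about — but the same commit's new libcap.3 synopsis still spells `cap_t cap_init();` and `unsigned cap_get_secbits();` with empty parentheses, so the documentation and the source now disagree on the convention. If the header declares those two as `(void)`, the synopsis lines should read `cap_t cap_init(void);` and `unsigned cap_get_secbits(void);`; if it does not, they are candidates for the same treatment. Both function bodies continue outside their hunks.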
@@ -18,7 +18,7 @@ * Provide a programmatic way to #ifdef around features. */ #define LIBCAP_MAJOR 2 -#define LIBCAP_MINOR 66 +#define LIBCAP_MINOR 67 /* * This file complements the kernel file by providing prototype diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/pam_cap/License new/libcap-2.67/pam_cap/License --- old/libcap-2.66/pam_cap/License 2020-07-01 04:43:01.000000000 +0200 +++ new/libcap-2.67/pam_cap/License 2022-10-31 00:32:12.000000000 +0100 @@ -1,3 +1,5 @@ +/* SPDX-License-Identifier: BSD-3-Clause OR LGPL-2.0-or-later */ + Unless otherwise *explicitly* stated the following text describes the licensed conditions under which the contents of this module release may be distributed: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/pam_cap/execable.c new/libcap-2.67/pam_cap/execable.c --- old/libcap-2.66/pam_cap/execable.c 2021-09-18 05:56:21.000000000 +0200 +++ new/libcap-2.67/pam_cap/execable.c 2022-10-31 00:32:12.000000000 +0100 @@ -26,7 +26,7 @@ printf( "%s (version " LIBCAP_VERSION ") is a PAM module to specify\n" "inheritable (IAB) capabilities via the libpam authentication\n" - "abstraction. See the libcap License file for licensing information.\n" + "abstraction. See the pam_cap License file for licensing information.\n" "\n" "Release notes and feature documentation for libcap and pam_cap.so\n" "can be found at:\n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/progs/Makefile new/libcap-2.67/progs/Makefile --- old/libcap-2.66/progs/Makefile 2021-09-30 06:46:31.000000000 +0200 +++ new/libcap-2.67/progs/Makefile 2022-10-16 23:51:15.000000000 +0200 
@@ -15,9 +15,11 @@ DEPS = ../libcap/libcap.so else # For this build variant override the LDFLAGS to link statically from -# libraries within the build tree. If you never want this, use -# make DYNAMIC=yes ... -LDFLAGS = --static +# libraries within the build tree. If you never want this, use make +# DYNAMIC=yes . Note, we can't reliably link statically against glibc +# becasuse of https://sourceware.org/bugzilla/show_bug.cgi?id=12491 . +LDFLAGS = -Wl,-Bstatic +LDFLAGS_SUFFIX = -Wl,-Bdynamic DEPS = ../libcap/libcap.a endif @@ -28,7 +30,7 @@ $(MAKE) -C ../libcap libcap.so $(BUILD): %: %.o $(DEPS) - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LIBCAPLIB) + $(CC) $(CFLAGS) $(LDFLAGS) $< $(LIBCAPLIB) $(LDFLAGS_SUFFIX) -o $@ %.o: %.c $(INCS) $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ @@ -50,7 +52,7 @@ diff -u capshdoc.c $@ || (rm $@ ; exit 1) capsh: capsh.c capshdoc.c.cf capshdoc.h $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) $(CAPSH_SHELL) $(LDFLAGS) -o $@ $< capshdoc.c $(LIBCAPLIB) + $(CC) $(CFLAGS) $(CPPFLAGS) $(CAPSH_SHELL) $(LDFLAGS) $< capshdoc.c $(LIBCAPLIB) $(LDFLAGS_SUFFIX) -o $@ # Statically linked with minimal linkage flags to enable running in a # chroot and in other in-tree testing contexts. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/progs/mkcapshdoc.sh new/libcap-2.67/progs/mkcapshdoc.sh --- old/libcap-2.66/progs/mkcapshdoc.sh 2021-09-30 06:46:31.000000000 +0200 +++ new/libcap-2.67/progs/mkcapshdoc.sh 2022-10-10 01:21:46.000000000 +0200 
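Review bot: The new comment line `# becasuse of https://sourceware.org/bugzilla/show_bug.cgi?id=12491 .` misspells "because"; suggest `# because of https://sourceware.org/bugzilla/show_bug.cgi?id=12491 .`. The `-Wl,-Bstatic`/`-Wl,-Bdynamic` pair only governs the `-l` libraries that appear between them on the link line, so the reordering in the `$(BUILD)` and `capsh` rules — `$<` and `$(LIBCAPLIB)` before `$(LDFLAGS_SUFFIX)`, with `-o $@` last — is what keeps libc dynamic; that ordering is load-bearing and deserves a one-line comment above the `$(BUILD)` rule, e.g. `# Order matters: libraries between -Bstatic and -Bdynamic link statically; libc stays dynamic.` Anyone overriding `LDFLAGS` on the make command line will presumably still get `-Wl,-Bdynamic` appended via `LDFLAGS_SUFFIX`, which looks harmless but is worth mentioning in the same comment.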
@@ -15,7 +15,7 @@ let x=0 while [ -f "../doc/values/${x}.txt" ]; do - name=$(fgrep ",${x}}" ../libcap/cap_names.list.h|sed -e 's/{"//' -e 's/",/ = /' -e 's/},//') + name=$(grep -F ",${x}}" ../libcap/cap_names.list.h|sed -e 's/{"//' -e 's/",/ = /' -e 's/},//') echo "static const char *explanation${x}[] = { /* ${name} */" sed -e 's/"/\\"/g' -e 's/^/ "/' -e 's/$/",/' "../doc/values/${x}.txt" let x=1+${x} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/progs/quicktest.sh new/libcap-2.67/progs/quicktest.sh --- old/libcap-2.66/progs/quicktest.sh 2021-09-18 05:56:21.000000000 +0200 +++ new/libcap-2.67/progs/quicktest.sh 2022-10-10 01:21:46.000000000 +0200 @@ -256,7 +256,7 @@ cp ./tcapsh-static ./nsprivileged && /bin/chmod -s ./nsprivileged ./setcap -n 1 all=ep ./nsprivileged if [ $? -eq 0 ]; then - ./getcap -n ./nsprivileged | fgrep "[rootid=1]" + ./getcap -n ./nsprivileged | grep -F "[rootid=1]" if [ $? -ne 0 ]; then echo "FAILED setting ns rootid on file" exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libcap-2.66/psx/License new/libcap-2.67/psx/License --- old/libcap-2.66/psx/License 2021-02-15 19:13:21.000000000 +0100 +++ new/libcap-2.67/psx/License 2022-10-31 00:32:12.000000000 +0100 @@ -1,3 +1,5 @@ +/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-only */ + Unless otherwise *explicitly* stated, the following text describes the licensed conditions under which the contents of this libcap/psx release may be used and distributed.