Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libcap for openSUSE:Factory checked 
in at 2023-04-03 17:45:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libcap (Old)
 and      /work/SRC/openSUSE:Factory/.libcap.new.9019 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libcap"

Mon Apr  3 17:45:21 2023 rev:58 rq:1075562 version:2.68

Changes:
--------
--- /work/SRC/openSUSE:Factory/libcap/libcap.changes    2023-03-29 
23:25:49.351068033 +0200
+++ /work/SRC/openSUSE:Factory/.libcap.new.9019/libcap.changes  2023-04-03 
17:45:24.966017357 +0200
@@ -1,0 +2,23 @@
+Thu Mar 30 07:55:07 UTC 2023 - Dirk Müller <dmuel...@suse.com>
+
+- update to 2.68:
+  * Force libcap internal functions to be hidden outside the library
+  * Expanded the list of man page (links) to all of the supported API
+    functions.
+  * fixed some formatting issues with the libpsx(3) manpage.
+  * Add support for a markdown preamble and postscript when generating
+    .md versions of the man pages (Bug 217007)
+  * psx package clean up
+  * fix some copy-paste errors with TestShared()
+  * added a more complete psx testing into this test as well
+  * cap package clean up
+  * drop an unnecessary use of ", _" in the sources
+  * cleaned up cap.NamedCount documentation
+  * Converted goapps/web/README to .md format and fixed the
+    instructions to indicate go mod tidy is needed.
+  * cap_compare test binary now cleans up after itself (Bug 217018)
+  * Figured out how to cross compile Go programs for arm (i.e. RPi) that
+    use C code, don't use cgo but do use the psx package
+  * Eliminate use of vendor directory
+
+-------------------------------------------------------------------

Old:
----
  libcap-2.67.tar.sign
  libcap-2.67.tar.xz

New:
----
  libcap-2.68.tar.sign
  libcap-2.68.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libcap.spec ++++++
--- /var/tmp/diff_new_pack.XZZoqC/_old  2023-04-03 17:45:25.778646538 +0200
+++ /var/tmp/diff_new_pack.XZZoqC/_new  2023-04-03 17:45:25.782649638 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           libcap
-Version:        2.67
+Version:        2.68
 Release:        0
 Summary:        Library for Capabilities (linux-privs) Support
 License:        BSD-3-Clause OR GPL-2.0-only

++++++ libcap-2.67.tar.xz -> libcap-2.68.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/Make.Rules new/libcap-2.68/Make.Rules
--- old/libcap-2.67/Make.Rules  2023-02-03 04:46:03.000000000 +0100
+++ new/libcap-2.68/Make.Rules  2023-03-26 01:02:50.000000000 +0100
@@ -1,7 +1,7 @@
 # Common version number defines for libcap
 LIBTITLE=libcap
 VERSION=2
-MINOR=67
+MINOR=68
 
 #
 ## Optional prefixes:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/cap/go.mod new/libcap-2.68/cap/go.mod
--- old/libcap-2.67/cap/go.mod  2023-02-03 04:46:24.000000000 +0100
+++ new/libcap-2.68/cap/go.mod  2023-03-26 01:02:50.000000000 +0100
@@ -2,4 +2,4 @@
 
 go 1.11
 
-require kernel.org/pub/linux/libs/security/libcap/psx v1.2.67
+require kernel.org/pub/linux/libs/security/libcap/psx v1.2.68
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/cap/names.go new/libcap-2.68/cap/names.go
--- old/libcap-2.67/cap/names.go        2021-09-18 05:56:21.000000000 +0200
+++ new/libcap-2.68/cap/names.go        2023-03-26 00:31:40.000000000 +0100
@@ -2,8 +2,8 @@
 
 /* ** DO NOT EDIT THIS FILE. IT WAS AUTO-GENERATED BY LIBCAP'S GO BUILDER 
(mknames.go) ** */
 
-// NamedCount holds the number of capability values with official
-// names known at the time this libcap/cap version, was released. The
+// NamedCount holds the number of capability values, with official
+// names, known at the time this libcap/cap version was released. The
 // "../libcap/cap" package is fully able to manipulate higher numbered
 // capability values by numerical value. However, if you find
 // cap.NamedCount < cap.MaxBits(), it is probably time to upgrade this
@@ -42,6 +42,10 @@
        // where file owner ID should otherwise need be equal to
        // the UID, except where cap.FSETID is applicable. It
        // doesn't override MAC and DAC restrictions.
+       //
+       // This capability permits the deletion of a file owned
+       // by another UID in a directory protected by the sticky
+       // (t) bit.
        FOWNER
 
        // FSETID allows a process to set the S_ISUID and S_ISUID bits of
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/.gitignore 
new/libcap-2.68/contrib/bug216610/.gitignore
--- old/libcap-2.67/contrib/bug216610/.gitignore        1970-01-01 
01:00:00.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/.gitignore        2023-02-12 
06:10:41.000000000 +0100
@@ -0,0 +1,3 @@
+*~
+arms
+Dockerfile
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/Dockerfile 
new/libcap-2.68/contrib/bug216610/Dockerfile
--- old/libcap-2.67/contrib/bug216610/Dockerfile        1970-01-01 
01:00:00.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/Dockerfile        2023-03-05 
18:41:56.000000000 +0100
@@ -0,0 +1,13 @@
+FROM debian:latest
+
+# A directory to share files via.
+RUN mkdir /shared
+
+RUN apt-get update
+RUN apt-get install -y gcc-arm-linux-gnueabi binutils-arm-linux-gnueabi
+RUN apt-get install -y gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu
+
+# create a builder user
+RUN echo "builder:x:1000:1000:,,,:/home/builder:/bin/bash" >> /etc/passwd
+RUN echo "builder:*:19289:0:99999:7:::" >> /etc/shadow
+RUN mkdir -p /home/builder && chown builder.bin /home/builder
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/Makefile 
new/libcap-2.68/contrib/bug216610/Makefile
--- old/libcap-2.67/contrib/bug216610/Makefile  2022-10-31 00:32:12.000000000 
+0100
+++ new/libcap-2.68/contrib/bug216610/Makefile  2023-02-12 06:10:41.000000000 
+0100
@@ -5,19 +5,26 @@
 
 all: go/fib
 
-go/fib: go/main.go go/vendor/fibber/fib.go go/vendor/fibber/fibs_$(GOTARGET).s 
go/vendor/fibber/fib_$(GOTARGET).syso 
go/vendor/kernel.org/pub/linux/libs/security/libcap/psx
-       cd go && CGO_ENABLED=0 go build -o fib main.go
+go/fib: go/main.go go/fibber/fib.go go/fibber/linkage.go 
go/fibber/fibs_$(GOTARGET).s go/fibber/fib_$(GOTARGET).syso
+       cd go && CGO_ENABLED=0 go build
 
-go/vendor/kernel.org/pub/linux/libs/security/libcap/psx:
-       mkdir -p go/vendor/kernel.org/pub/linux/libs/security/libcap/
-       ln -s $(topdir)/psx $@
+# Build the host native version.
+go/fibber/fib_$(GOTARGET).syso go/fibber/linkage.go: c/fib.c ./c/gcc.sh 
./package_fns.sh
+       GCC=gcc ./c/gcc.sh -O3 c/fib.c -c -o go/fibber/fib_$(GOTARGET).syso
+       ./package_fns.sh fibber go/fibber/fib_$(GOTARGET).syso > 
go/fibber/linkage.go
 
-go/vendor/fibber/fib_$(GOTARGET).syso: c/fib.c ./gcc_$(GOTARGET).sh
-       ./gcc_$(GOTARGET).sh -O3 c/fib.c -c -o 
go/vendor/fibber/fib_$(GOTARGET).syso
+Dockerfile: Makefile ./mkdocker.sh
+       ./mkdocker.sh > $@
+
+# Use this build target (make arms) to extend support to include arm
+# and arm64 GOARCH values.
+arms: Dockerfile Makefile ./c/gcc.sh ./c/build.sh ./c/fib.c
+       docker run --rm -v $$PWD/c:/shared:z -h debian -u $$(id -u) -it expt 
shared/build.sh
+       mv c/*.syso go/fibber/
+       touch arms
 
 clean:
-       rm -f *~
+       rm -f *~ arms
        rm -f c/*.o c/*~
        rm -f go/fib go/*~
-       rm -f go/vendor/fibber/*.syso go/vendor/fibber/*~
-       rm -rf go/vendor/kernel.org
+       rm -f go/fibber/*.syso go/fibber/*~ go/fibber/linkage.go
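Review bot: The `arms` recipe runs `docker run ... expt shared/build.sh`, but nothing in the Makefile builds or tags the `expt` image; the `Dockerfile` prerequisite only regenerates the file, so `make arms` on a fresh checkout fails until the image has been built by hand. Adding `docker build -t expt .` as the first line of the `arms` recipe closes that gap, and dropping `-t` from the `docker run` flags lets the target run without a TTY (CI, `make` with output redirected). The two-target rule `go/fibber/fib_$(GOTARGET).syso go/fibber/linkage.go:` is presumably meant to run once, but GNU make treats it as two rules sharing a recipe, so a parallel build may execute it twice; a grouped target (`&:`) or a single-target rule that produces `linkage.go` as a by-product would make the intent explicit.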
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/README.md 
new/libcap-2.68/contrib/bug216610/README.md
--- old/libcap-2.67/contrib/bug216610/README.md 2023-01-15 00:18:31.000000000 
+0100
+++ new/libcap-2.68/contrib/bug216610/README.md 2023-02-12 06:10:41.000000000 
+0100
@@ -7,12 +7,12 @@
 assumed this was not possible, since using `cgo` *requires* `libc` and
 `libpthread` linkage.
 
-This embedded compilation need was referenced in a [bug
+This _embedded compilation_ need was referenced in a [bug
 filed](https://bugzilla.kernel.org/show_bug.cgi?id=216610) against the
 [`"psx"`](https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/psx)
 package. The bug-filer was seeking an alternative to `CGO_ENABLED=1`
-compilation needing the `cgo` variant of `psx` build. However, the go
-`"runtime"` package will always
+compilation _requiring_ the `cgo` variant of `psx` build. However, the
+go `"runtime"` package will always
 
[`panic()`](https://cs.opensource.google/go/go/+/refs/tags/go1.19.2:src/runtime/os_linux.go;l=717-720)
 if you try this because it needs `libpthread` and `[g]libc` to work.
 
@@ -25,10 +25,11 @@
 This present directory evolved from my attempt to understand and
 hopefully resolve what was going on as reported in that bug into an
 example of this _trick_. I was unable to resolve the problem as
-reported because of the aformentioned `panic` in the Go
+reported because of the aformentioned `panic()` in the Go
 runtime. However, I was able to demonstrate embedding C code in a Go
-binary without use of cgo. So, a Go-native version of `"psx"` is thus
-achievable. This is what the example in this present directory does.
+binary _without_ use of cgo. In such a binary, the Go-native version
+of `"psx"` is thus achievable. This is what the example in this
+present directory demonstrates.
 
 *Caveat Emptor*: this example is very fragile. The Go team only
 supports `cgo` linking against C. That being said, I'd certainly like
@@ -42,23 +43,20 @@
 - Some C code for the functions `fib_init()` and `fib_next()` that
 combine to implement a _compute engine_ to determine [Fibonacci
 Numbers](https://en.wikipedia.org/wiki/Fibonacci_number). The source
-for this is in the sub directory `./c/fib.c`.
+for this is in the sub directory `c/fib.c`.
 
-- Some Go code, in the directory `./go/vendor/fibber` that uses this
-C compiled compute kernel.
+- Some Go code, in the directory `go/fibber` that uses this C compiled
+compute kernel.
 
-- `gcc_linux_amd64.sh` which is a wrapper for `gcc` that adjusts the
-compilation to be digestible by Go's (internal) linker. Using `gcc`
-directly instead of this wrapper generates an incomplete binary -
-which miscomputes the expected answers. See the discussion below for
-what might be going on.
+- `c/gcc.sh` which is a wrapper for `gcc` that adjusts the compilation
+to be digestible by Go's (internal) linker (the one that gets invoked
+when compiling `CGO_ENABLED=0`. Using `gcc` directly instead of this
+wrapper generates an incomplete binary - which miscomputes the
+expected answers. See the discussion below for what seems to be going
+on.
 
 - A top level `Makefile` to build it all.
 
-This build uses vendored Go packages so one can experiment with
-modifications of the `"psx"` package to explore potential changes (of
-which there have been none).
-
 ## Building and running the built binary
 
 Set things up with:
@@ -85,34 +83,54 @@
 reason for developing this example was to explore the build issues in
 the reported [Bug
 216610](https://bugzilla.kernel.org/show_bug.cgi?id=216610). Ultimately,
-this example offers an alternative path to build a `nocgo` that links
-to compute engine style C code.
+this example offers an alternative path to building a `nocgo` program
+that links to compute kernel of C code.
 
-The reason we have added the `./gcc_linux_amd64.sh` wrapper for `gcc`
-is that we've found the Go linker has a hard time digesting the
+The reason we have added the `c/gcc.sh` wrapper for `gcc` is that
+we've found the Go linker has a hard time digesting the
 cross-sectional `%rip` based data addressing that various optimization
-modes of gcc like to use. Specifically, if a `R_X86_64_PC32`
-relocation entry made in a `.text` section is intended to map into a
-`.rodata.cst8` section in a generated `.syso` file, the Go linker
-seems to [replace this reference with a `0` offset to
+modes of gcc like to use. Specifically, in the x86_64/amd64
+architecture, if a `R_X86_64_PC32` relocation entry made in a `.text`
+section refers to an `.rodata.cst8` section in a generated `.syso`
+file, the Go linker seems to [replace this reference with a `0` offset
+to
 `(%rip)`](https://github.com/golang/go/issues/24321#issuecomment-1296084103). 
What
 our wrapper script does is rewrite the generated assembly to store
 these data references to the `.text` section. The Go linker has no
-problem with this _same section_ relative addressing.
+problem with this _same section_ relative addressing and is able to
+link the resulting objects without problems.
+
+If you want to cross compile, we have support for 32-bit arm
+compilation: what is needed for the Raspberry PI. To get this support,
+try:
+```
+$ make clean all arms
+$ cd go
+$ GOARCH=arm CGO_ENABLED=0 go build
+```
+The generated `fib` binary runs on a 32-bit Raspberry Pi.
 
 ## Future thoughts
 
-At present, this example only works on Linux with `x86_64` (in
-go-speak that is `linux_amd64`). This is because I have only provided
-some bridging assembly for Go to C calling conventions on that
-architecture target (`./go/vendor/fibber/fibs_linux_amd64.s`).
-
-Perhaps a later version will have bridging code for all the Go
-supported Linux architectures, but it will also have to provide some
-mechanism to build the `./c/fib.c` code to make
-`fib_linux_<arch>.syso` files. The [cited
-bug](https://bugzilla.kernel.org/show_bug.cgi?id=216610) includes some
-pointers for how to use Docker to support this.
+At present, this example only works on Linux with `x86_64` and `arm`
+build architectures. (In go-speak that is `linux_amd64` and
+`linux_arm`). This is because I have only provided some bridging
+assembly for Go to C calling conventions for those architecture
+targets: `./go/fibber/fibs_linux_amd64.s` and
+`./go/fibber/fibs_linux_arm.s`. The non-native, `make arms`, cross
+compilation requires the `docker` command to be available.
+
+I intend to implement an `arm64` build, when I have a system on which
+to test it.
+
+**Note** The Fedora system on which I've been developing this has some
+  SELINUX impediment to naively using the `docker -v ...` bind mount
+  option. I need the `:z` suffix for bind mounting. I don't know how
+  common an issue this is. On Fedora, building the arm variants of the
+  .syso file can be performed as follows:
+```
+$ docker run --rm -v $PWD/c:/shared:z -h debian -u $(id -u) -it expt 
shared/build.sh
+```
 
 ## Reporting bugs
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/c/build.sh 
new/libcap-2.68/contrib/bug216610/c/build.sh
--- old/libcap-2.67/contrib/bug216610/c/build.sh        1970-01-01 
01:00:00.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/c/build.sh        2023-02-12 
06:10:41.000000000 +0100
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Builds the following .syso files to the directory containing this script:
+#
+#   fib_linux_arm.syso
+#   fib_linux_arm64.syso
+
+cd ${0%/*}
+GCC=arm-linux-gnueabi-gcc ./gcc.sh -O3 fib.c -c -o fib_linux_arm.syso
+GCC=aarch64-linux-gnu-gcc ./gcc.sh -O3 fib.c -c -o fib_linux_arm64.syso
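Review bot: `cd ${0%/*}` is unquoted and its result is unchecked, so when the script is invoked by bare name (where `${0%/*}` is the script name itself) the `cd` fails and both compiles run in the caller's directory; the second `gcc.sh` invocation also runs even when the first one failed. `cd "${0%/*}" || exit 1` together with `set -e` after the shebang keeps the script from leaving a half-built set of `.syso` files behind.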
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/c/gcc.sh 
new/libcap-2.68/contrib/bug216610/c/gcc.sh
--- old/libcap-2.67/contrib/bug216610/c/gcc.sh  1970-01-01 01:00:00.000000000 
+0100
+++ new/libcap-2.68/contrib/bug216610/c/gcc.sh  2023-03-05 18:41:56.000000000 
+0100
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# The Go linker does not seem to know what to do with relative
+# addressing of rodata.* offset from %rip. GCC likes to use this
+# addressing mode on this architecture, so we quickly run into
+# mis-computation when the relative addressing used in a .syso file of
+# symbol located data is resolved to completely the wrong place by the
+# Go (internal) linker.
+#
+# As a workaround for this, we can modify the assembly source code
+# generated by GCC to not point at problematic '.rodata.*' sections,
+# and place this data in the good old '.text' section where Go's
+# linker can make sense of it.
+#
+# This script exists to generate a '.syso' file from some '*.c' files.
+# It works by recognizing the '*.c' command line arguments and
+# converting them into fixed-up '*.s' files. It then performs the
+# compilation for the collection of the '*.s' files. Upon success, it
+# purges the intermediate '*.s' files.
+#
+# The fragile aspect of this present script is which compiler
+# arguments should be used for the compilation from '.c' -> '.s'
+# files. What we do is accumulate arguments until we encounter our
+# first '*.c' file and use those to perform the '.c' -> '.s'
+# compilation. We build up a complete command line for gcc
+# substituting '.s' files for '.c' files in the original command
+# line. Then with the new command line assembled we invoke gcc with
+# those. If that works, we remove all of the intermediate '.s' files.
+
+GCC="${GCC:=gcc}"
+setup=0
+args=()
+final=()
+ses=()
+
+for arg in "$@"; do
+    if [[ "${arg##*.}" = "c" ]]; then
+       setup=1
+       s="${arg%.*}.s"
+       "${GCC}" "${args[@]}" -S -o "${s}" "${arg}"
+       sed -i -e 's/.*\.rodata\..*/\t.text/' "${s}"
+       final+=("${s}")
+       ses+=("${s}")
+    else
+       if [[ $setup -eq 0 ]]; then
+           args+=("${arg}")
+       fi
+       final+=("${arg}")
+    fi
+done
+
+#echo final: "${final[@]}"
+#echo args: "${args[@]}"
+#echo ses: "${ses[@]}"
+
+"${GCC}" "${final[@]}"
+if [[ $? -ne 0 ]]; then
+    echo "failed to compile"
+    exit 1
+fi
+rm -f "${ses[@]}"
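Review bot: The `.c -> .s` step on the line `"${GCC}" "${args[@]}" -S -o "${s}" "${arg}"` has its exit status ignored, so a compile error there is followed by `sed -i` on a missing file (or on a stale `.s` left by an earlier run, which then gets assembled) and the failure is reported far from its cause. `"${GCC}" "${args[@]}" -S -o "${s}" "${arg}" || exit 1` stops at the first failure, and the final check reads more naturally as `if ! "${GCC}" "${final[@]}"; then` than as a test of `$?`. The header comment would benefit from one sentence saying that the `sed` rewrite replaces every `.rodata.*` section switch with `.text`, so constant data ends up inside the executable section; that is the intended effect but it is not obvious from the regex alone.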
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/gcc_linux_amd64.sh 
new/libcap-2.68/contrib/bug216610/gcc_linux_amd64.sh
--- old/libcap-2.67/contrib/bug216610/gcc_linux_amd64.sh        2023-01-15 
00:18:31.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/gcc_linux_amd64.sh        1970-01-01 
01:00:00.000000000 +0100
@@ -1,58 +0,0 @@
-#!/bin/bash
-#
-# The Go linker does not seem to know what to do with relative
-# addressing of rodata.* offset from %rip. GCC likes to use this
-# addressing mode on this architecture, so we quickly run into
-# mis-computation when the relative addressing used in a .syso file of
-# symbol located data is resolved to completely the wrong place by the
-# Go (internal) linker.
-#
-# As a workaround for this, we can modify the assembly source code
-# generated by GCC to not point at problematic '.rodata.*' sections,
-# and place this data in the good old '.text' section where Go's
-# linker can make sense of it.
-#
-# This script exists to generate a '.syso' file from some '*.c' files.
-# It works by recognizing the '*.c' command line arguments and
-# converting them into fixed-up '*.s' files. It then performs the
-# compilation for the collection of the '*.s' files. Upon success, it
-# purges the intermediate '*.s' files.
-#
-# The fragile aspect of this present script is which compiler
-# arguments should be used for the compilation from '.c' -> '.s'
-# files. What we do is accumulate arguments until we encounter our
-# first '*.c' file and use those to perform the '.c' -> '.o'
-# compilation. We build up a complete command line for gcc
-# substituting '.s' files for '.c' files in the original command
-# line. Then with the new command line assembled we invoke gcc with
-# those. If that works, we remove all of the intermediate '.s' files.
-setup=0
-args=()
-final=()
-ses=()
-for arg in "$@"; do
-    if [[ "${arg##*.}" = "c" ]]; then
-       setup=1
-       s="${arg%.*}.s"
-       "gcc" "${args[@]}" -S -o "${s}" "${arg}"
-       sed -i -e 's/.*\.rodata\..*/\t.text/' "${s}"
-       final+=("${s}")
-       ses+=("${s}")
-    else
-       if [[ $setup -eq 0 ]]; then
-           args+=("${arg}")
-       fi
-       final+=("${arg}")
-    fi
-done
-
-#echo final: "${final[@]}"
-#echo args: "${args[@]}"
-#echo ses: "${ses[@]}"
-
-"gcc" "${final[@]}"
-if [[ $? -ne 0 ]]; then
-    echo "failed to compile"
-    exit 1
-fi
-rm -f "${ses[@]}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/go/.gitignore 
new/libcap-2.68/contrib/bug216610/go/.gitignore
--- old/libcap-2.67/contrib/bug216610/go/.gitignore     2022-10-31 
00:32:12.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/go/.gitignore     2023-02-12 
06:10:41.000000000 +0100
@@ -1,3 +1,5 @@
 fib
 *.syso
-vendor/kernel.org
+main
+go.sum
+linkage.go
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/go/fibber/fib.go 
new/libcap-2.68/contrib/bug216610/go/fibber/fib.go
--- old/libcap-2.67/contrib/bug216610/go/fibber/fib.go  1970-01-01 
01:00:00.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/go/fibber/fib.go  2023-02-12 
06:10:41.000000000 +0100
@@ -0,0 +1,32 @@
+// Package fibber implements a Fibonacci sequence generator using a C
+// coded compute kernel (a .syso file).
+package fibber
+
+import (
+       "unsafe"
+)
+
+// State is the native Go form of the C.state structure.
+type State struct {
+       B, A uint32
+}
+
+// cPtr converts State into a C pointer suitable as an argument for
+// sysoCaller.
+func (s *State) cPtr() unsafe.Pointer {
+       return unsafe.Pointer(&s.B)
+}
+
+// NewState initializes a Fibonacci Number sequence generator.  Upon
+// return s.A=0 and s.B=1 are the first two numbers in the sequence.
+func NewState() *State {
+       s := &State{}
+       syso__fib_init.call(s.cPtr())
+       return s
+}
+
+// Next advances the state to the next number in the sequence. Upon
+// return, s.B is the most recently calculated value.
+func (s *State) Next() {
+       syso__fib_next.call(s.cPtr())
+}
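Review bot: `syso__fib_init` and `syso__fib_next` are not declared in any checked-in Go file; they come from `linkage.go`, which `package_fns.sh` writes from the .syso symbol table according to the Makefile, and the package doc should say so, e.g. `// The syso__* callers used below are generated into linkage.go by ../../package_fns.sh; run make before go build.` The `cPtr` method hands `&s.B` to C as the struct pointer, so `B` being the first field and the `B, A` order mirroring the C side is load-bearing; a comment on `State` such as `// Field order must mirror the C state struct in c/fib.c: cPtr passes &B as the C pointer.` would keep a future reordering from silently corrupting results.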
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/libcap-2.67/contrib/bug216610/go/fibber/fibs_linux_amd64.s 
new/libcap-2.68/contrib/bug216610/go/fibber/fibs_linux_amd64.s
--- old/libcap-2.67/contrib/bug216610/go/fibber/fibs_linux_amd64.s      
1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/go/fibber/fibs_linux_amd64.s      
2023-02-12 06:10:41.000000000 +0100
@@ -0,0 +1,21 @@
+// To transition from a Go call to a C function call, we are skating
+// on really thin ice... Ceveat Emptor!
+//
+// Ref:
+//   https://gitlab.com/x86-psABIs/x86-64-ABI/-/wikis/home
+//
+// This is not strictly needed, but it makes gdb debugging less
+// confusing because spacer ends up being an alias for the TEXT
+// section start.
+TEXT ·spacer(SB),$0
+       RET
+
+#define RINDEX(n) (8*n)
+
+// Header to this function wrapper is the last time we can voluntarily
+// yield to some other goroutine.
+TEXT ·syso(SB),$0-16
+       MOVQ cFn+RINDEX(0)(FP), SI
+       MOVQ state+RINDEX(1)(FP), DI
+       CALL *SI
+       RET
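Review bot: `CALL *SI` enters C with whatever stack pointer the Go caller left, and Go only keeps SP 8-byte aligned, whereas the SysV amd64 ABI requires a 16-byte aligned RSP at the call instruction; a C function compiled at -O3 that spills with aligned SSE stores would fault, which is presumably part of why the README calls this fragile. Saving and realigning around the call, `MOVQ SP, BX` and `ANDQ $~15, SP` before the CALL and `MOVQ BX, SP` after it (BX is callee-saved under the SysV ABI, so C hands it back intact), removes the dependency on the caller's frame. The `$0` frame also leaves the C callee only whatever headroom the goroutine stack guard provides below SP; a comment that the callee must stay shallow (no deep recursion or large locals) would record that second constraint.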
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/libcap-2.67/contrib/bug216610/go/fibber/fibs_linux_arm.s 
new/libcap-2.68/contrib/bug216610/go/fibber/fibs_linux_arm.s
--- old/libcap-2.67/contrib/bug216610/go/fibber/fibs_linux_arm.s        
1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/go/fibber/fibs_linux_arm.s        
2023-02-12 06:10:41.000000000 +0100
@@ -0,0 +1,23 @@
+// To transition from a Go call to a C function call, we are skating
+// on really thin ice... Ceveat Emptor!
+//
+// Ref:
+//   
https://stackoverflow.com/questions/261419/what-registers-to-save-in-the-arm-c-calling-convention
+//
+// This is not strictly needed, but it makes gdb debugging less
+// confusing because spacer ends up being an alias for the TEXT
+// section start.
+TEXT ·spacer(SB),$0
+       RET
+
+#define FINDEX(n) (8*n)
+
+// Header to this function wrapper is the last time we can voluntarily
+// yield to some other goroutine.
+//
+// Conventions: PC == R15, SP == R13, LR == R14, IP (scratch) = R12
+TEXT ·syso(SB),$0-8
+       MOVW    cFn+0(FP), R14
+       MOVW    state+4(FP), R0
+       BL      (R14)
+       RET
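Review bot: `#define FINDEX(n) (8*n)` is unused, since the argument loads below use explicit `cFn+0(FP)` and `state+4(FP)`, and its 8-byte stride is wrong for this 32-bit target anyway (it mirrors `RINDEX` from the amd64 file), so it should be dropped rather than left as a trap for the next edit. The `Conventions:` comment is helpful; it could also note that AAPCS expects an 8-byte aligned stack at `BL (R14)` while Go only keeps the arm stack 4-byte aligned, which presumably works for `fib.c` only because the callee makes no 64-bit aligned accesses.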
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/go/go.mod 
new/libcap-2.68/contrib/bug216610/go/go.mod
--- old/libcap-2.67/contrib/bug216610/go/go.mod 2023-02-03 04:46:24.000000000 
+0100
+++ new/libcap-2.68/contrib/bug216610/go/go.mod 2023-03-26 01:02:50.000000000 
+0100
@@ -1,3 +1,5 @@
 module fib
 
 go 1.18
+
+require kernel.org/pub/linux/libs/security/libcap/psx v1.2.68
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/go/main.go 
new/libcap-2.68/contrib/bug216610/go/main.go
--- old/libcap-2.67/contrib/bug216610/go/main.go        2022-10-31 
00:32:12.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/go/main.go        2023-02-12 
06:10:41.000000000 +0100
@@ -3,11 +3,12 @@
 package main
 
 import (
-       "fibber"
        "fmt"
        "log"
        "syscall"
 
+       "fib/fibber"
+
        "kernel.org/pub/linux/libs/security/libcap/psx"
 )
 
@@ -20,7 +21,7 @@
        fmt.Println(pid)
        s := fibber.NewState()
        fmt.Print("fib: ", s.A, ", ", s.B)
-       for i:=0; i<8; i++ {
+       for i := 0; i < 8; i++ {
                s.Next()
                fmt.Print(", ", s.B)
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/libcap-2.67/contrib/bug216610/go/vendor/fibber/fib.go 
new/libcap-2.68/contrib/bug216610/go/vendor/fibber/fib.go
--- old/libcap-2.67/contrib/bug216610/go/vendor/fibber/fib.go   2022-10-31 
00:32:12.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/go/vendor/fibber/fib.go   1970-01-01 
01:00:00.000000000 +0100
@@ -1,26 +0,0 @@
-package fibber
-
-import (
-       "unsafe"
-)
-
-type State struct {
-       B, A uint32
-}
-
-func fibInit(ptr unsafe.Pointer)
-func fibNext(ptr unsafe.Pointer)
-
-// NewState initializes a Fibonacci Number sequence generator.  Upon
-// return s.A=0 and s.B=1 are the first two numbers in the sequence.
-func NewState() (*State) {
-       s := &State{}
-       fibInit(unsafe.Pointer(&s.B))
-       return s
-}
-
-// Next advances the state to the next number in the sequence. Upon
-// return, s.B is the most recently calculated value.
-func (s *State) Next() {
-       fibNext(unsafe.Pointer(&s.B))
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/libcap-2.67/contrib/bug216610/go/vendor/fibber/fibs_linux_amd64.s 
new/libcap-2.68/contrib/bug216610/go/vendor/fibber/fibs_linux_amd64.s
--- old/libcap-2.67/contrib/bug216610/go/vendor/fibber/fibs_linux_amd64.s       
2022-10-31 00:32:12.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/go/vendor/fibber/fibs_linux_amd64.s       
1970-01-01 01:00:00.000000000 +0100
@@ -1,57 +0,0 @@
-// To transition from a Go call to a C function call, we are skating
-// on really thin ice... Ceveat Emptor!
-//
-// Ref:
-//   https://gitlab.com/x86-psABIs/x86-64-ABI/-/wikis/home
-//
-// This is not strictly needed, but it makes gdb debugging less
-// confusing because spacer ends up being an alias for the TEXT
-// section start.
-TEXT ·spacer(SB),$0
-       RET
-
-#define RINDEX(n) (8*n)
-
-// Push all of the registers the C callee isn't expected to preserve.
-#define PUSHALL() \
-       ADJSP $(RINDEX(9)) \
-       MOVQ AX, RINDEX(0)(SP) \
-       MOVQ CX, RINDEX(1)(SP) \
-       MOVQ DX, RINDEX(2)(SP) \
-       MOVQ SI, RINDEX(3)(SP) \
-       MOVQ DI, RINDEX(4)(SP) \
-       MOVQ R8, RINDEX(5)(SP) \
-       MOVQ R9, RINDEX(6)(SP) \
-       MOVQ R10, RINDEX(7)(SP) \
-       MOVQ R11, RINDEX(8)(SP)
-
-// Pop all of the registers the C callee isn't expected to preserve.
-#define POPALL() \
-       MOVQ RINDEX(0)(SP), AX \
-       MOVQ RINDEX(1)(SP), CX \
-       MOVQ RINDEX(2)(SP), DX \
-       MOVQ RINDEX(3)(SP), SI \
-       MOVQ RINDEX(4)(SP), DI \
-       MOVQ RINDEX(5)(SP), R8 \
-       MOVQ RINDEX(6)(SP), R9 \
-       MOVQ RINDEX(7)(SP), R10 \
-       MOVQ RINDEX(8)(SP), R11 \
-       ADJSP $-(RINDEX(9))
-
-// Header to this function wrapper is the last time we can voluntarily
-// yield to some other goroutine.
-TEXT ·fibInit(SB),$0-8
-       PUSHALL()
-       MOVQ ptr+RINDEX(0)(FP), DI
-       CALL fib_init(SB)
-       POPALL()
-       RET
-
-// Header to this function wrapper is the last time we can voluntarily
-// yield to some other goroutine.
-TEXT ·fibNext(SB),$0-8
-       PUSHALL()
-       MOVQ ptr+RINDEX(0)(FP), DI
-       CALL fib_next(SB)
-       POPALL()
-       RET
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/mkdocker.sh 
new/libcap-2.68/contrib/bug216610/mkdocker.sh
--- old/libcap-2.67/contrib/bug216610/mkdocker.sh       1970-01-01 
01:00:00.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/mkdocker.sh       2023-03-05 
18:41:56.000000000 +0100
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# This script generates a Dockerfile to be used for cross-compilation
+cat <<EOF
+FROM debian:latest
+
+# A directory to share files via.
+RUN mkdir /shared
+
+RUN apt-get update
+RUN apt-get install -y gcc-arm-linux-gnueabi binutils-arm-linux-gnueabi
+RUN apt-get install -y gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu
+
+# create a builder user
+RUN echo "builder:x:$(id -u):$(id -g):,,,:/home/builder:/bin/bash" >> 
/etc/passwd
+RUN echo "builder:*:19289:0:99999:7:::" >> /etc/shadow
+RUN mkdir -p /home/builder && chown builder.bin /home/builder
+EOF
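Review bot: The generated `RUN echo ... >> /etc/passwd` line gives `builder` the host's `$(id -g)` as primary group but writes no matching `/etc/group` entry, and the following `chown builder.bin` uses the deprecated `user.group` form and hands the home directory to group `bin` rather than the builder's own group. Emitting `RUN useradd -m -u $(id -u) builder` in place of the two `echo` lines and the `mkdir`/`chown` creates the user, group, home directory and locked password in one step. The `Dockerfile` added in this same tarball under contrib/bug216610 is this script's output with `1000:1000` hard-coded, so it is already stale relative to the generator and, being listed in `.gitignore`, presumably was not meant to ship. Separately, `apt-get update` and the two `apt-get install` lines in separate `RUN` layers let a cached `update` layer pair with a later install, and `debian:latest` is unpinned; a single `RUN apt-get update && apt-get install -y ...` on a pinned tag makes the image reproducible.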
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/bug216610/package_fns.sh 
new/libcap-2.68/contrib/bug216610/package_fns.sh
--- old/libcap-2.67/contrib/bug216610/package_fns.sh    1970-01-01 
01:00:00.000000000 +0100
+++ new/libcap-2.68/contrib/bug216610/package_fns.sh    2023-02-12 
06:10:41.000000000 +0100
@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+# Generate some Go code to make calling into the C code of the .syso
+# file easier.
+
+package="${1}"
+syso="${2}"
+
+if [[ -z "${syso}" ]]; then
+    echo "usage: $0 <package> <.....syso>" >&2
+    exit 1
+fi
+
+if [[ "${syso%.syso}" == "${syso}" ]]; then
+    echo "2nd argument should be a .syso file" >&2
+    exit 1
+fi
+
+cat<<EOF
+package ${package}
+
+import (
+       "unsafe"
+)
+
+// syso is how we call, indirectly, into the C-code.
+func syso(cFn, state unsafe.Pointer)
+
+type sysoCaller struct {
+       ptr unsafe.Pointer
+}
+
+// call calls the syso linked C-function, $sym().
+func (s *sysoCaller) call(data unsafe.Pointer) {
+       syso(s.ptr, data)
+}
+EOF
+
+for sym in $(objdump -x "${syso}" | grep -F 'g     F' | awk '{print $6}'); do
+    cat<<EOF
+
+//go:linkname _${sym} ${sym}
+var _${sym} byte
+var syso__${sym} = &sysoCaller{ptr: unsafe.Pointer(&_${sym})}
+
+EOF
+done
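Review bot: `$sym` on the line `// call calls the syso linked C-function, $sym().` sits inside the unquoted heredoc that is emitted before the `for sym in ...` loop, so it expands to empty and the generated comment reads `C-function, ().`; it should be `\$sym` or, better, reworded as `// call invokes the C function whose address is held in ptr.` The symbol scrape `objdump -x "${syso}" | grep -F 'g     F' | awk '{print $6}'` depends on a fixed column count that shifts when a flag such as `.hidden` is printed before the name, and without `set -o pipefail` a missing `objdump` yields an empty loop and a `linkage.go` with no `syso__*` variables, which surfaces only as an undefined name when fib.go compiles. Adding `set -o pipefail` and exiting non-zero when no symbol was found would keep that error next to its cause.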
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/contrib/seccomp/go.mod 
new/libcap-2.68/contrib/seccomp/go.mod
--- old/libcap-2.67/contrib/seccomp/go.mod      2023-02-03 04:46:24.000000000 
+0100
+++ new/libcap-2.68/contrib/seccomp/go.mod      2023-03-26 01:02:50.000000000 
+0100
@@ -2,4 +2,4 @@
 
 go 1.14
 
-require kernel.org/pub/linux/libs/security/libcap/psx v1.2.67
+require kernel.org/pub/linux/libs/security/libcap/psx v1.2.68
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/Makefile new/libcap-2.68/doc/Makefile
--- old/libcap-2.67/doc/Makefile        2022-10-17 02:15:32.000000000 +0200
+++ new/libcap-2.68/doc/Makefile        2023-02-24 06:12:31.000000000 +0100
@@ -13,6 +13,7 @@
        cap_get_file.3 cap_get_fd.3 cap_set_file.3 cap_set_fd.3 \
        cap_set_nsowner.3 cap_get_nsowner.3 \
        cap_copy_ext.3 cap_size.3 cap_copy_int.3 cap_mode.3 \
+       cap_copy_int_check.3 cap_set_syscall.3 \
        cap_from_text.3 cap_to_text.3 cap_from_name.3 cap_to_name.3 \
        capsetp.3 capgetp.3 libcap.3 \
        cap_get_bound.3 cap_drop_bound.3 \
@@ -29,6 +30,7 @@
        cap_iab_set_vector.3 cap_iab_fill.3 cap_proc_root.3 \
        cap_prctl.3 cap_prctlw.3 \
        psx_syscall.3 psx_syscall3.3 psx_syscall6.3 psx_set_sensitivity.3 \
+       psx_load_syscalls.3 __psx_syscall.3 \
        libpsx.3
 MAN8S = getcap.8 setcap.8 getpcaps.8 captree.8
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/__psx_syscall.3 
new/libcap-2.68/doc/__psx_syscall.3
--- old/libcap-2.67/doc/__psx_syscall.3 1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.68/doc/__psx_syscall.3 2023-02-20 04:52:32.000000000 +0100
@@ -0,0 +1 @@
+.so man3/libpsx.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/cap_copy_ext.3 
new/libcap-2.68/doc/cap_copy_ext.3
--- old/libcap-2.67/doc/cap_copy_ext.3  2021-03-07 04:55:56.000000000 +0100
+++ new/libcap-2.68/doc/cap_copy_ext.3  2023-02-20 04:52:32.000000000 +0100
@@ -9,6 +9,7 @@
 ssize_t cap_size(cap_t cap_p);
 ssize_t cap_copy_ext(void *ext_p, cap_t cap_p, ssize_t size);
 cap_t cap_copy_int(const void * ext_p);
+cap_t cap_copy_int_check(const void *cap_ext, ssize_t length);
 .fi
 .sp
 Link with \fI\-lcap\fP.
@@ -56,9 +57,9 @@
 the capability state from the record pointed to by
 .I ext_p
 into the capability state, converting, if necessary, the data from a
-contiguous, persistent format to an undefined, internal format.  Once
-copied into internal format, the object can be manipulated by the capability
-state manipulation functions (see
+contiguous, persistent format to an opaque, internal format.  Once
+copied into internal format, the object can be manipulated by the
+capability state manipulation functions (see
 .BR cap_clear (3)).
 Note that the record pointed to by
 .I ext_p
@@ -71,6 +72,12 @@
 with the
 .I cap_t
 as an argument.
+.PP
+.BR cap_copy_int_check ()
+performs the same operation as
+.BR cap_copy_int ()
+but additionally checks that the provided external data's size is not
+larger than the noted length.
 .SH "RETURN VALUE"
 .BR cap_size ()
 returns the length required to hold a capability data record on success,
@@ -82,8 +89,10 @@
 on success, and \-1 on failure.
 .PP
 .BR cap_copy_int ()
-returns a pointer to the newly created capability state in working storage
-on success, and NULL on failure.
+and
+.BR cap_copy_int_check ()
+return a pointer to the newly created capability state in working
+storage on success, and NULL on failure.
 .PP
 On failure,
 .BR errno
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/cap_copy_int_check.3 
new/libcap-2.68/doc/cap_copy_int_check.3
--- old/libcap-2.67/doc/cap_copy_int_check.3    1970-01-01 01:00:00.000000000 
+0100
+++ new/libcap-2.68/doc/cap_copy_int_check.3    2023-02-20 04:52:32.000000000 
+0100
@@ -0,0 +1 @@
+.so man3/cap_copy_ext.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/cap_set_syscall.3 
new/libcap-2.68/doc/cap_set_syscall.3
--- old/libcap-2.67/doc/cap_set_syscall.3       1970-01-01 01:00:00.000000000 
+0100
+++ new/libcap-2.68/doc/cap_set_syscall.3       2023-02-20 04:52:32.000000000 
+0100
@@ -0,0 +1 @@
+.so man3/libcap.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/capability.md 
new/libcap-2.68/doc/capability.md
--- old/libcap-2.67/doc/capability.md   1970-01-01 01:00:00.000000000 +0100
+++ new/libcap-2.68/doc/capability.md   2023-02-20 04:52:32.000000000 +0100
@@ -0,0 +1,63 @@
+# Notes concerning wider use of capabilities
+
+## Overview
+
+**NOTE** These notes were added to the libcap package in
+libcap-1.03. They pre-date file capability support, but fully
+anticipate it. They are some thoughts on how to restructure a system
+to better leverage capability support. I've updated them to render as
+an `.md` formatted file.
+
+As of Linux 2.2.0, the power of the superuser has been partitioned
+into a set of discrete capabilities (in other places, these
+capabilities are know as privileges).
+
+The contents of the libcap package are a library and a number of
+simple programs that are intended to show how an application/daemon
+can be protected (with wrappers) or rewritten to take advantage of
+this fine grained approach to constraining the danger to your system
+from programs running as 'root'.
+
+## Notes on securing your system
+
+### Adopting a role approach to system security
+
+Changing all of the system binaries and directories to be owned by
+some user that cannot log on. You might like to create a user with
+the name 'system' who's account is locked with a '*' password. This
+user can be made the owner of all of the system directories on your
+system and critical system binaries too.
+
+Why is this a good idea? In a simple case, the `CAP_FOWNER` capability
+is required for the superuser to delete files owned by a non-root user
+in a _sticky-bit_ protected non-root owned directory. Thus, the sticky
+bit can help you protect the `/lib/` directory from a compromized
+daemon where the directory and the files it contains are owned by the
+system user. It can be protected to ensure that the daemon is not
+running with the `CAP_FOWNER` capability...
+
+### Limiting the damage
+
+If your daemon only needs to be setuid-root in order to bind to a low
+numbered port. You should restrict it to only having access to the
+`CAP_NET_BIND_SERVICE` capability. Coupled with not having any files
+on the system owned by root, it becomes significantly harder for such
+a daemon to damage your system.
+
+Note, you should think of this kind of trick as making things harder
+for a potential attacker to exploit a hole in a daemon of this
+type. Being able to bind to any privileged port is still a formidable
+privilege and can lead to difficult but _interesting_
+man-in-the-middle attacks -- hijack the telnet port for example and
+masquerade as the login program... Collecting passwords for another
+day.
+
+### The /proc/ filesystem
+
+This Linux-specific directory tree holds most of the state of the
+system in a form that can sometimes be manipulated by file
+read/writes.  Take care to ensure that the filesystem is not mounted
+with uid=0, since root (with no capabilities) would still be able to
+read sensitive files in the `/proc/` tree - `kcore` for example.
+
+[Patch is available for 2.2.1 - I just wrote it!]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/capability.notes 
new/libcap-2.68/doc/capability.notes
--- old/libcap-2.67/doc/capability.notes        2021-09-18 05:56:21.000000000 
+0200
+++ new/libcap-2.68/doc/capability.notes        1970-01-01 01:00:00.000000000 
+0100
@@ -1,58 +0,0 @@
-Overview
---------
-
-As of Linux 2.2.0, the power of the superuser has been partitioned
-into a set of discrete capabilities (in other places, these
-capabilities are know as privileges).
-
-The contents of the libcap package are a library and a number of
-simple programs that are intended to show how an application/daemon
-can be protected (with wrappers) or rewritten to take advantage of
-this fine grained approach to constraining the danger to your system
-from programs running as 'root'.
-
-Notes on securing your system
------------------------------
-
-Adopting a role approach to system security:
-
-changing all of the system binaries and directories to be owned by
-some user that cannot log on. You might like to create a user with
-the name 'system' who's account is locked with a '*' password. This
-user can be made the owner of all of the system directories on your
-system and critical system binaries too.
-
-Why is this a good idea? In a simple case, the CAP_FUSER capability is
-required for the superuser to delete files owned by a non-root user in
-a 'sticky-bit' protected non-root owned directory. Thus, the sticky
-bit can help you protect the /lib/ directory from an compromized
-daemon where the directory and the files it contains are owned by the
-system user. It can be protected by using a wrapper like execcap to
-ensure that the daemon is not running with the CAP_FUSER capability...
-
-
-Limiting the damage:
-
-If your daemon only needs to be setuid-root in order to bind to a low
-numbered port. You should restrict it to only having access to the
-CAP_NET_BIND_SERVICE capability. Coupled with not having any files on
-the system owned by root, it becomes significantly harder for such a
-daemon to damage your system.
-
-Note, you should think of this kind of trick as making things harder
-for a potential attacker to exploit a hole in a daemon of this
-type. Being able to bind to any privileged port is still a formidable
-privilege and can lead to difficult but 'interesting' man in the
-middle attacks -- hijack the telnet port for example and masquerade as
-the login program... Collecting passwords for another day.
-
-
-The /proc/ filesystem:
-
-This Linux-specific directory tree holds most of the state of the
-system in a form that can sometimes be manipulated by file
-read/writes.  Take care to ensure that the filesystem is not mounted
-with uid=0, since root (with no capabilities) would still be able to
-read sensitive files in the /proc/ tree - kcore for example.
-
-[Patch is available for 2.2.1 - I just wrote it!]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/libpsx.3 new/libcap-2.68/doc/libpsx.3
--- old/libcap-2.67/doc/libpsx.3        2021-12-12 22:47:05.000000000 +0100
+++ new/libcap-2.68/doc/libpsx.3        2023-03-26 00:31:40.000000000 +0100
@@ -5,9 +5,17 @@
 .nf
 #include <sys/psx_syscall.h>
 
-long int psx_syscall3(long int syscall_nr, long int arg1, long int arg2, long 
int arg3);
-long int psx_syscall6(long int syscall_nr, long int arg1, long int arg2, long 
int arg3, long int arg4, long int arg5, long int arg6);
+long int psx_syscall3(long int syscall_nr,
+                      long int arg1, long int arg2, long int arg3);
+long int psx_syscall6(long int syscall_nr,
+                      long int arg1, long int arg2, long int arg3,
+                      long int arg4, long int arg5, long int arg6);
 int psx_set_sensitivity(psx_sensitivity_t sensitivity);
+void psx_load_syscalls(long int (**syscall_fn)(long int,
+                                    long int, long int, long int),
+                       long int (**syscall6_fn)(long int,
+                                    long int, long int, long int,
+                                    long int, long int, long int));
 .fi
 .sp
 Link with one of these:
@@ -22,7 +30,7 @@
 .BR pthreads (7)
 implementation on Linux. To be compliant POSIX threads, via the
 .BR nptl "(7) " setxid
-mechanism glibc maintains consistent UID and GID credentials amongst
+mechanism, glibc maintains consistent UID and GID credentials amongst
 all of the threads associated with the current process. However, other
 credential state is not supported by this abstraction. To support
 these extended kernel managed security attributes,
@@ -35,10 +43,12 @@
 signal. Whereas the
 .B nptl:setxid
 mechanism uses signo=33 (which is hidden by glibc below a redefined
-SIGRTMIN),
-.B libpsx
-inserts itself in the SIGSYS handler stack. It goes to great length to
-be the first such handler but acts as a pass-through for other SIGSYS
+.BR SIGRTMIN "), " libpsx
+inserts itself in the
+.B SIGSYS
+handler stack. It goes to great length to be the first such handler
+but acts as a pass-through for other
+.B SIGSYS
 uses.
 .PP
 A linker trick of
@@ -52,7 +62,9 @@
 An inefficient macrology trick supports the
 .BR psx_syscall ()
 pseudo function which takes 1 to 7 arguments, depending on the needs
-of the caller. The macrology pads out the call to actually use
+of the caller. The macrology (which ultimately invokes
+.BR __psx_syscall ())
+pads out the call to actually use
 .BR psx_syscall3 ()
 or
 .BR psx_syscall6 ()
@@ -74,6 +86,21 @@
 prints the error details and generates a
 .B SIGSYS
 signal.
+.PP
+.BR psx_load_syscalls ()
+can be used to set caller defined function pointers for invoking 3 and
+6 argument syscalls. This function can be used to configure a library,
+or program to change behavior when linked against
+.BR libpsx .
+Indeed,
+.B libcap
+uses this function from
+.B libpsx
+to override its thread scoped default system call based API. When
+linked with
+.BR libpsx ", " libcap
+can operate on all the threads of a multithreaded program to operate
+with POSIX semantics.
 .SH RETURN VALUE
 The return value for system call functions is generally the value
 returned by the kernel, or \-1 in the case of an error. In such cases
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/mkmd.sh new/libcap-2.68/doc/mkmd.sh
--- old/libcap-2.67/doc/mkmd.sh 2021-09-30 06:46:31.000000000 +0200
+++ new/libcap-2.68/doc/mkmd.sh 2023-02-07 03:08:30.000000000 +0100
@@ -50,6 +50,14 @@
 cat > "${index}" <<EOF
 # Manpages for libcap and libpsx
 
+EOF
+
+if [[ -f "local-md.preamble" ]]; then
+    cat "local-md.preamble" >> "${index}"
+fi
+
+cat >> "${index}" <<EOF
+
 ## Individual reference pages
 EOF
 
@@ -69,6 +77,14 @@
 
 ## More information
 
+EOF
+
+if [[ -f "local-md.postscript" ]]; then
+    cat "local-md.postscript" >> "${index}"
+fi
+
+cat >> "${index}" <<EOF
+
 For further information, see the
 [FullyCapable](https://sites.google.com/site/fullycapable/) homepage
 for libcap.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/psx_load_syscalls.3 
new/libcap-2.68/doc/psx_load_syscalls.3
--- old/libcap-2.67/doc/psx_load_syscalls.3     1970-01-01 01:00:00.000000000 
+0100
+++ new/libcap-2.68/doc/psx_load_syscalls.3     2023-02-20 04:52:32.000000000 
+0100
@@ -0,0 +1 @@
+.so man3/libpsx.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/doc/values/3.txt 
new/libcap-2.68/doc/values/3.txt
--- old/libcap-2.67/doc/values/3.txt    2020-07-12 02:30:19.000000000 +0200
+++ new/libcap-2.68/doc/values/3.txt    2023-02-20 04:52:32.000000000 +0100
@@ -2,3 +2,7 @@
 where file owner ID should otherwise need be equal to
 the UID, except where CAP_FSETID is applicable. It
 doesn't override MAC and DAC restrictions.
+
+This capability permits the deletion of a file owned
+by another UID in a directory protected by the sticky
+(t) bit.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/go/compare-cap.go 
new/libcap-2.68/go/compare-cap.go
--- old/libcap-2.67/go/compare-cap.go   2021-11-22 02:20:50.000000000 +0100
+++ new/libcap-2.68/go/compare-cap.go   2023-02-12 06:10:41.000000000 +0100
@@ -116,16 +116,18 @@
        if err := want.SetFd(f); err != nil {
                log.Fatalf("failed to fset file capability: %v", err)
        }
-       if err := saved.SetProc(); err != nil {
-               log.Fatalf("failed to lower effective capability: %v", err)
-       }
-       // End of critical section.
-
        if got, err := cap.GetFd(f); err != nil {
                log.Fatalf("failed to fread caps: %v", err)
        } else if is, was := got.String(), want.String(); is != was {
                log.Fatalf("fread file caps do not match desired: got=%q 
want=%q", is, was)
        }
+       if err := empty.SetFd(f); err != nil && err != syscall.ENODATA {
+               log.Fatalf("blocked from cleanup fremoving filecaps: %v", err)
+       }
+       if err := saved.SetProc(); err != nil {
+               log.Fatalf("failed to lower effective capability: %v", err)
+       }
+       // End of critical section.
 }
 
 // tryProcCaps performs a set of convenience functions and compares
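Review bot: The cleanup guard `err != syscall.ENODATA` compares the returned error value directly, which only works while `cap.SetFd` hands back a bare `syscall.Errno`; if the library ever wraps the errno the cleanup would fatal on a file that simply never had capabilities. `errors.Is(err, syscall.ENODATA)` covers both forms and keeps the intent readable (it needs the `errors` import if the file does not already have it). Note also that every `log.Fatalf` between `want.SetFd(f)` and the new `empty.SetFd(f)` exits before the cleanup runs, so a mismatch leaves the file capability on `f`; that may be acceptable for a test binary but is worth a one-line comment. The enclosing function starts outside this hunk.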
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/go/go.mod new/libcap-2.68/go/go.mod
--- old/libcap-2.67/go/go.mod   2023-02-03 04:46:24.000000000 +0100
+++ new/libcap-2.68/go/go.mod   2023-03-26 01:02:50.000000000 +0100
@@ -3,6 +3,6 @@
 go 1.11
 
 require (
-       kernel.org/pub/linux/libs/security/libcap/cap v1.2.67
-       kernel.org/pub/linux/libs/security/libcap/psx v1.2.67
+       kernel.org/pub/linux/libs/security/libcap/cap v1.2.68
+       kernel.org/pub/linux/libs/security/libcap/psx v1.2.68
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/go/mknames.go 
new/libcap-2.68/go/mknames.go
--- old/libcap-2.67/go/mknames.go       2020-08-02 03:31:08.000000000 +0200
+++ new/libcap-2.68/go/mknames.go       2023-03-26 00:31:40.000000000 +0100
@@ -52,8 +52,8 @@
 
 /* ** DO NOT EDIT THIS FILE. IT WAS AUTO-GENERATED BY LIBCAP'S GO BUILDER 
(mknames.go) ** */
 
-// NamedCount holds the number of capability values with official
-// names known at the time this libcap/cap version, was released. The
+// NamedCount holds the number of capability values, with official
+// names, known at the time this libcap/cap version was released. The
 // "../libcap/cap" package is fully able to manipulate higher numbered
 // capability values by numerical value. However, if you find
 // cap.NamedCount < cap.MaxBits(), it is probably time to upgrade this
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/captrace/go.mod 
new/libcap-2.68/goapps/captrace/go.mod
--- old/libcap-2.67/goapps/captrace/go.mod      2023-02-03 04:46:24.000000000 
+0100
+++ new/libcap-2.68/goapps/captrace/go.mod      2023-03-26 01:02:50.000000000 
+0100
@@ -2,4 +2,4 @@
 
 go 1.16
 
-require kernel.org/pub/linux/libs/security/libcap/cap v1.2.67
+require kernel.org/pub/linux/libs/security/libcap/cap v1.2.68
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/captree/captree.go 
new/libcap-2.68/goapps/captree/captree.go
--- old/libcap-2.67/goapps/captree/captree.go   2022-04-29 07:00:36.000000000 
+0200
+++ new/libcap-2.68/goapps/captree/captree.go   2023-02-07 03:08:30.000000000 
+0100
@@ -448,7 +448,7 @@
        }
 
        var noted []string
-       for pid, _ := range wanted {
+       for pid := range wanted {
                noted = append(noted, pid)
        }
        sort.Slice(noted, func(i, j int) bool {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/captree/go.mod 
new/libcap-2.68/goapps/captree/go.mod
--- old/libcap-2.67/goapps/captree/go.mod       2023-02-03 04:46:24.000000000 
+0100
+++ new/libcap-2.68/goapps/captree/go.mod       2023-03-26 01:02:50.000000000 
+0100
@@ -2,4 +2,4 @@
 
 go 1.16
 
-require kernel.org/pub/linux/libs/security/libcap/cap v1.2.67
+require kernel.org/pub/linux/libs/security/libcap/cap v1.2.68
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/gowns/go.mod 
new/libcap-2.68/goapps/gowns/go.mod
--- old/libcap-2.67/goapps/gowns/go.mod 2023-02-03 04:46:24.000000000 +0100
+++ new/libcap-2.68/goapps/gowns/go.mod 2023-03-26 01:02:50.000000000 +0100
@@ -2,4 +2,4 @@
 
 go 1.15
 
-require kernel.org/pub/linux/libs/security/libcap/cap v1.2.67
+require kernel.org/pub/linux/libs/security/libcap/cap v1.2.68
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/setid/go.mod 
new/libcap-2.68/goapps/setid/go.mod
--- old/libcap-2.67/goapps/setid/go.mod 2023-02-03 04:46:24.000000000 +0100
+++ new/libcap-2.68/goapps/setid/go.mod 2023-03-26 01:02:50.000000000 +0100
@@ -3,6 +3,6 @@
 go 1.11
 
 require (
-       kernel.org/pub/linux/libs/security/libcap/cap v1.2.67
-       kernel.org/pub/linux/libs/security/libcap/psx v1.2.67
+       kernel.org/pub/linux/libs/security/libcap/cap v1.2.68
+       kernel.org/pub/linux/libs/security/libcap/psx v1.2.68
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/web/README 
new/libcap-2.68/goapps/web/README
--- old/libcap-2.67/goapps/web/README   2021-05-17 00:53:01.000000000 +0200
+++ new/libcap-2.68/goapps/web/README   1970-01-01 01:00:00.000000000 +0100
@@ -1,18 +0,0 @@
-This sample program needs to be built as follows (when built with Go
-prior to 1.15):
-
-   CGO_LDFLAGS_ALLOW="-Wl,-?-wrap[=,][^-.@][^,]*" go build web.go
-
-go1.15+ does not require the CGO_LDFLAGS_ALLOW variable and can build
-this code with
-
-   go build web.go
-
-A more complete walk through of what this code does is provided here:
-
-   
https://sites.google.com/site/fullycapable/getting-started-with-go/building-go-programs-that-manipulate-capabilities
-
-Go compilers prior to go1.11.13 are not expected to work. Report more
-recent issues to:
-
-   
https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1065141&product=Tools&resolution=---
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/web/README.md 
new/libcap-2.68/goapps/web/README.md
--- old/libcap-2.67/goapps/web/README.md        1970-01-01 01:00:00.000000000 
+0100
+++ new/libcap-2.68/goapps/web/README.md        2023-03-26 00:31:40.000000000 
+0100
@@ -0,0 +1,28 @@
+# Web serving with/without privilege
+
+## Building
+
+This sample program needs to be built as follows (when built with Go
+prior to 1.15):
+```
+   export CGO_LDFLAGS_ALLOW="-Wl,-?-wrap[=,][^-.@][^,]*"
+   go mod tidy
+   go build web.go
+```
+go1.15+ does not require the `CGO_LDFLAGS_ALLOW` environment variable
+and can build this code with:
+```
+   go mod tidy
+   go build web.go
+```
+
+## Further discussion
+
+A more complete walk through of what this code does is provided on the
+[Fully Capable
+website](https://sites.google.com/site/fullycapable/getting-started-with-go/building-go-programs-that-manipulate-capabilities).
+
+## Reporting bugs
+
+Go compilers prior to go1.11.13 are not expected to work. Report more
+recent issues to the [`libcap` bug 
tracker](https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1065141&product=Tools&resolution=---).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/web/go.mod 
new/libcap-2.68/goapps/web/go.mod
--- old/libcap-2.67/goapps/web/go.mod   2023-02-03 04:46:24.000000000 +0100
+++ new/libcap-2.68/goapps/web/go.mod   2023-03-26 01:02:50.000000000 +0100
@@ -2,4 +2,4 @@
 
 go 1.11
 
-require kernel.org/pub/linux/libs/security/libcap/cap v1.2.67
+require kernel.org/pub/linux/libs/security/libcap/cap v1.2.68
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/goapps/web/web.go 
new/libcap-2.68/goapps/web/web.go
--- old/libcap-2.67/goapps/web/web.go   2021-09-18 05:56:21.000000000 +0200
+++ new/libcap-2.68/goapps/web/web.go   2023-03-26 00:31:40.000000000 +0100
@@ -13,6 +13,8 @@
 // package - go versions prior to 1.15 need some environment variable
 // workarounds):
 //
+//   go mod init web
+//   go mod tidy
 //   go build web.go
 //   sudo setcap cap_setpcap,cap_net_bind_service=p web
 //   ./web --port=80
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/libcap/cap_alloc.c 
new/libcap-2.68/libcap/cap_alloc.c
--- old/libcap-2.67/libcap/cap_alloc.c  2023-02-03 05:05:56.000000000 +0100
+++ new/libcap-2.68/libcap/cap_alloc.c  2023-02-09 04:21:16.000000000 +0100
@@ -17,6 +17,7 @@
  */
 static cap_value_t _cap_max_bits;
 
+__attribute__((visibility ("hidden")))
 __attribute__((constructor (300))) void _libcap_initialize(void)
 {
     int errno_saved = errno;
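Review bot: The `visibility("hidden")` attribute is placed on the definitions of `_libcap_initialize` here and of `_libcap_strdup` in the second hunk, but nothing in this diff shows the prototypes that other translation units in the library see receiving the same attribute; if a header declaration carries no visibility, the compiler may warn about the mismatch and it is easy for a later declaration to reintroduce default visibility. Putting the attribute on the declaration in the internal header (or, more robustly, building the library with `-fvisibility=hidden` and marking only the public API as exported) makes the hidden default hold for every internal symbol rather than per-function. Both function bodies continue outside their hunks.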
@@ -95,7 +96,7 @@
  * This is an internal library function to duplicate a string and
  * tag the result as something cap_free can handle.
  */
-char *_libcap_strdup(const char *old)
+__attribute__((visibility ("hidden"))) char *_libcap_strdup(const char *old)
 {
     struct _cap_alloc_s *header;
     char *raw_data;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/libcap/execable.c 
new/libcap-2.68/libcap/execable.c
--- old/libcap-2.67/libcap/execable.c   2021-11-21 07:12:24.000000000 +0100
+++ new/libcap-2.68/libcap/execable.c   2023-02-09 04:21:16.000000000 +0100
@@ -18,6 +18,7 @@
     printf("\nCurrent mode: %s\n", cap_mode_name(mode));
     printf("Number of cap values known to: this libcap=%d, running 
kernel=%d\n",
           CAP_LAST_CAP+1, bits);
+
     if (bits > CAP_LAST_CAP+1) {
        printf("=> Consider upgrading libcap to name:");
        for (c = CAP_LAST_CAP+1; c < bits; c++) {
@@ -30,6 +31,8 @@
            printf(" %s", name);
            cap_free(name);
        }
+    } else {
+       return;
     }
     printf("\n");
 }
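Review bot: The `} else { return; }` tacked onto the end of the long `if (bits > CAP_LAST_CAP+1)` block makes the reader scan the whole loop to learn that the trailing `printf("\n")` is skipped when there is nothing to report; an early guard before the loop, `if (bits <= CAP_LAST_CAP+1) { return; }`, keeps the happy path flat and lets the loop and the final newline read as one unit. Behaviour is identical either way. The enclosing function starts outside this hunk.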
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/libcap/execable.h 
new/libcap-2.68/libcap/execable.h
--- old/libcap-2.67/libcap/execable.h   2021-11-15 06:19:25.000000000 +0100
+++ new/libcap-2.68/libcap/execable.h   2023-02-09 04:21:16.000000000 +0100
@@ -93,7 +93,8 @@
  */
 #define SO_MAIN                                                        \
 static void __execable_main(int, char**);                      \
-extern void __so_start(void);                                  \
+__attribute__((visibility ("hidden")))                          \
+void __so_start(void);                                         \
 __SO_FORCE_ARG_ALIGNMENT                                       \
 void __so_start(void)                                          \
 {                                                              \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/libcap/include/sys/capability.h 
new/libcap-2.68/libcap/include/sys/capability.h
--- old/libcap-2.67/libcap/include/sys/capability.h     2023-02-03 
04:46:48.000000000 +0100
+++ new/libcap-2.68/libcap/include/sys/capability.h     2023-03-26 
01:02:50.000000000 +0100
@@ -18,7 +18,7 @@
  * Provide a programmatic way to #ifdef around features.
  */
 #define LIBCAP_MAJOR 2
-#define LIBCAP_MINOR 67
+#define LIBCAP_MINOR 68
 
 /*
  * This file complements the kernel file by providing prototype
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/progs/capshdoc.c 
new/libcap-2.68/progs/capshdoc.c
--- old/libcap-2.67/progs/capshdoc.c    2021-09-30 06:46:31.000000000 +0200
+++ new/libcap-2.68/progs/capshdoc.c    2023-02-20 04:52:32.000000000 +0100
@@ -30,6 +30,10 @@
     "where file owner ID should otherwise need be equal to",
     "the UID, except where CAP_FSETID is applicable. It",
     "doesn't override MAC and DAC restrictions.",
+    "",
+    "This capability permits the deletion of a file owned",
+    "by another UID in a directory protected by the sticky",
+    "(t) bit.",
     NULL
 };
 static const char *explanation4[] = {  /* cap_fsetid = 4 */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/progs/quicktest.sh 
new/libcap-2.68/progs/quicktest.sh
--- old/libcap-2.67/progs/quicktest.sh  2022-10-10 01:21:46.000000000 +0200
+++ new/libcap-2.68/progs/quicktest.sh  2023-02-12 06:10:41.000000000 +0100
@@ -283,6 +283,7 @@
        grep "skipping file cap tests"
     if [ $? -eq 0 ]; then
        echo "FAILED not engaging file cap tests"
+       exit 1
     fi
     echo "PASSED"
 else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libcap-2.67/psx/psx_test.go 
new/libcap-2.68/psx/psx_test.go
--- old/libcap-2.67/psx/psx_test.go     2020-12-12 08:57:35.000000000 +0100
+++ new/libcap-2.68/psx/psx_test.go     2023-02-07 04:08:49.000000000 +0100
@@ -2,6 +2,7 @@
 
 import (
        "runtime"
+       "sync"
        "syscall"
        "testing"
 )
@@ -41,9 +42,65 @@
        <-c
 }
 
+// Test state is mirrored as expected.
+func TestShared(t *testing.T) {
+       const prGetKeepCaps = 7
+       const prSetKeepCaps = 8
+
+       var wg sync.WaitGroup
+
+       newTracker := func() chan<- uintptr {
+               ch := make(chan uintptr)
+               go func() {
+                       runtime.LockOSThread()
+                       defer wg.Done()
+                       tid := syscall.Gettid()
+                       for {
+                               if _, ok := <-ch; !ok {
+                                       break
+                               }
+                               val, ok := <-ch
+                               if !ok {
+                                       break
+                               }
+                               got, _, e := Syscall3(syscall.SYS_PRCTL, 
prGetKeepCaps, 0, 0)
+                               if e != 0 {
+                                       t.Fatalf("[%d] psx:prctl(GET_KEEPCAPS) 
?= %d failed: %v", tid, val, syscall.Errno(e))
+                               }
+                               if got != val {
+                                       t.Errorf("[%d] bad keepcaps value: 
got=%d, want=%d", tid, got, val)
+                               }
+                               if _, ok := <-ch; !ok {
+                                       break
+                               }
+                       }
+               }()
+               return ch
+       }
+
+       var tracked []chan<- uintptr
+       for i := 0; i <= 10; i++ {
+               val := uintptr(i & 1)
+               if _, _, e := Syscall3(syscall.SYS_PRCTL, prSetKeepCaps, val, 
0); e != 0 {
+                       t.Fatalf("[%d] psx:prctl(SET_KEEPCAPS, %d) failed: %v", 
i, i&1, syscall.Errno(e))
+               }
+               wg.Add(1)
+               tracked = append(tracked, newTracker())
+               for _, ch := range tracked {
+                       ch <- 2   // start serialization.
+                       ch <- val // definitely written after change.
+                       ch <- 3   // end serialization.
+               }
+       }
+       for _, ch := range tracked {
+               close(ch)
+       }
+       wg.Wait()
+}
+
 // Test to confirm no regression against:
 //
-//   https://github.com/golang/go/issues/42494
+//     https://github.com/golang/go/issues/42494
 func TestThreadChurn(t *testing.T) {
        const prSetKeepCaps = 8
 
