[arch-commits] Commit in libcap/trunk (PKGBUILD libcap-2.23-header.patch)
Allan McRae
allan at nymeria.archlinux.org
Thu Jan 2 06:32:13 UTC 2014
Date: Thursday, January 2, 2014 @ 07:32:13
Author: allan
Revision: 203031
upgpkg: libcap 2.23-2
fix header issues (fs#38333)
Added:
libcap/trunk/libcap-2.23-header.patch
Modified:
libcap/trunk/PKGBUILD
--------------------------+
PKGBUILD | 13 +
libcap-2.23-header.patch | 350 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 360 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-01-02 06:24:42 UTC (rev 203030)
+++ PKGBUILD 2014-01-02 06:32:13 UTC (rev 203031)
@@ -4,7 +4,7 @@
pkgname=libcap
pkgver=2.23
-pkgrel=1
+pkgrel=2
pkgdesc="POSIX 1003.1e capabilities"
arch=('i686' 'x86_64')
url="http://sites.google.com/site/fullycapable/"
@@ -11,8 +11,10 @@
license=('GPL2')
depends=('glibc' 'attr')
options=('!staticlibs')
-source=(https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.23.tar.xz)
-md5sums=('09a185e4b0aa8a81a51c1e4d0eba7db0')
+source=(https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.23.tar.xz
+ libcap-2.23-header.patch)
+md5sums=('09a185e4b0aa8a81a51c1e4d0eba7db0'
+ '945984c4bf5e601c24a7c80f001fb2c6')
prepare() {
cd ${srcdir}/${pkgname}-${pkgver}
@@ -19,6 +21,11 @@
# install into /usr/bin
sed -i "/SBINDIR/s#sbin#bin#" Make.Rules
+
+ # fix header path issues
+ patch -p1 -i $srcdir/libcap-2.23-header.patch
+ # and fix the build with that patch
+ sed -i "s#uapi/##" libcap/Makefile
}
build() {
Added: libcap-2.23-header.patch
===================================================================
--- libcap-2.23-header.patch (rev 0)
+++ libcap-2.23-header.patch 2014-01-02 06:32:13 UTC (rev 203031)
@@ -0,0 +1,350 @@
+From c3290668646b767058e55b29f7b8f4be4af2e660 Mon Sep 17 00:00:00 2001
+From: Andrew G Morgan <morgan at kernel.org>
+Date: Thu, 02 Jan 2014 01:56:31 +0000
+Subject: Fix up the uapi/linux include scheme.
+
+In adopting this uapi header file (without kernel internals), I previously
+messed up on the apparent location of the files. Thanks to Tom Gundersen for
+the clarification. Also, delete the non-uapi copies of things since they
+are no longer needed to build the library and tools.
+
+Signed-off-by: Andrew G Morgan <morgan at kernel.org>
+---
+diff --git a/Make.Rules b/Make.Rules
+index 9ca6c89..5b58c59 100644
+--- a/Make.Rules
++++ b/Make.Rules
+@@ -45,8 +45,8 @@ MINOR=23
+
+ # Compilation specifics
+
+-KERNEL_HEADERS := $(topdir)/libcap/include
+-IPATH += -fPIC -I$(topdir)/libcap/include -I$(KERNEL_HEADERS)
++KERNEL_HEADERS := $(topdir)/libcap/include/uapi
++IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
+
+ CC := gcc
+ CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+diff --git a/libcap/include/linux/capability.h b/libcap/include/linux/capability.h
+deleted file mode 100644
+index a6ee1f9..0000000
+--- a/libcap/include/linux/capability.h
++++ /dev/null
+@@ -1,219 +0,0 @@
+-/*
+- * This is <linux/capability.h>
+- *
+- * Andrew G. Morgan <morgan at kernel.org>
+- * Alexander Kjeldaas <astor at guardian.no>
+- * with help from Aleph1, Roland Buresund and Andrew Main.
+- *
+- * See here for the libcap library ("POSIX draft" compliance):
+- *
+- * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
+- */
+-#ifndef _LINUX_CAPABILITY_H
+-#define _LINUX_CAPABILITY_H
+-
+-#include <uapi/linux/capability.h>
+-
+-
+-#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
+-#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
+-
+-extern int file_caps_enabled;
+-
+-typedef struct kernel_cap_struct {
+- __u32 cap[_KERNEL_CAPABILITY_U32S];
+-} kernel_cap_t;
+-
+-/* exact same as vfs_cap_data but in cpu endian and always filled completely */
+-struct cpu_vfs_cap_data {
+- __u32 magic_etc;
+- kernel_cap_t permitted;
+- kernel_cap_t inheritable;
+-};
+-
+-#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
+-#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
+-
+-
+-struct file;
+-struct inode;
+-struct dentry;
+-struct user_namespace;
+-
+-struct user_namespace *current_user_ns(void);
+-
+-extern const kernel_cap_t __cap_empty_set;
+-extern const kernel_cap_t __cap_init_eff_set;
+-
+-/*
+- * Internal kernel functions only
+- */
+-
+-#define CAP_FOR_EACH_U32(__capi) \
+- for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
+-
+-/*
+- * CAP_FS_MASK and CAP_NFSD_MASKS:
+- *
+- * The fs mask is all the privileges that fsuid==0 historically meant.
+- * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
+- *
+- * It has never meant setting security.* and trusted.* xattrs.
+- *
+- * We could also define fsmask as follows:
+- * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
+- * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
+- */
+-
+-# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
+- | CAP_TO_MASK(CAP_MKNOD) \
+- | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
+- | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
+- | CAP_TO_MASK(CAP_FOWNER) \
+- | CAP_TO_MASK(CAP_FSETID))
+-
+-# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
+-
+-#if _KERNEL_CAPABILITY_U32S != 2
+-# error Fix up hand-coded capability macro initializers
+-#else /* HAND-CODED capability initializers */
+-
+-# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
+-# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
+-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
+- | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
+- CAP_FS_MASK_B1 } })
+-# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
+- | CAP_TO_MASK(CAP_SYS_RESOURCE), \
+- CAP_FS_MASK_B1 } })
+-
+-#endif /* _KERNEL_CAPABILITY_U32S != 2 */
+-
+-# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
+-
+-#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
+-#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
+-#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
+-
+-#define CAP_BOP_ALL(c, a, b, OP) \
+-do { \
+- unsigned __capi; \
+- CAP_FOR_EACH_U32(__capi) { \
+- c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
+- } \
+-} while (0)
+-
+-#define CAP_UOP_ALL(c, a, OP) \
+-do { \
+- unsigned __capi; \
+- CAP_FOR_EACH_U32(__capi) { \
+- c.cap[__capi] = OP a.cap[__capi]; \
+- } \
+-} while (0)
+-
+-static inline kernel_cap_t cap_combine(const kernel_cap_t a,
+- const kernel_cap_t b)
+-{
+- kernel_cap_t dest;
+- CAP_BOP_ALL(dest, a, b, |);
+- return dest;
+-}
+-
+-static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
+- const kernel_cap_t b)
+-{
+- kernel_cap_t dest;
+- CAP_BOP_ALL(dest, a, b, &);
+- return dest;
+-}
+-
+-static inline kernel_cap_t cap_drop(const kernel_cap_t a,
+- const kernel_cap_t drop)
+-{
+- kernel_cap_t dest;
+- CAP_BOP_ALL(dest, a, drop, &~);
+- return dest;
+-}
+-
+-static inline kernel_cap_t cap_invert(const kernel_cap_t c)
+-{
+- kernel_cap_t dest;
+- CAP_UOP_ALL(dest, c, ~);
+- return dest;
+-}
+-
+-static inline int cap_isclear(const kernel_cap_t a)
+-{
+- unsigned __capi;
+- CAP_FOR_EACH_U32(__capi) {
+- if (a.cap[__capi] != 0)
+- return 0;
+- }
+- return 1;
+-}
+-
+-/*
+- * Check if "a" is a subset of "set".
+- * return 1 if ALL of the capabilities in "a" are also in "set"
+- * cap_issubset(0101, 1111) will return 1
+- * return 0 if ANY of the capabilities in "a" are not in "set"
+- * cap_issubset(1111, 0101) will return 0
+- */
+-static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
+-{
+- kernel_cap_t dest;
+- dest = cap_drop(a, set);
+- return cap_isclear(dest);
+-}
+-
+-/* Used to decide between falling back on the old suser() or fsuser(). */
+-
+-static inline int cap_is_fs_cap(int cap)
+-{
+- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
+- return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
+-}
+-
+-static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
+-{
+- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
+- return cap_drop(a, __cap_fs_set);
+-}
+-
+-static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
+- const kernel_cap_t permitted)
+-{
+- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
+- return cap_combine(a,
+- cap_intersect(permitted, __cap_fs_set));
+-}
+-
+-static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
+-{
+- const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
+- return cap_drop(a, __cap_fs_set);
+-}
+-
+-static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
+- const kernel_cap_t permitted)
+-{
+- const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
+- return cap_combine(a,
+- cap_intersect(permitted, __cap_nfsd_set));
+-}
+-
+-extern bool has_capability(struct task_struct *t, int cap);
+-extern bool has_ns_capability(struct task_struct *t,
+- struct user_namespace *ns, int cap);
+-extern bool has_capability_noaudit(struct task_struct *t, int cap);
+-extern bool has_ns_capability_noaudit(struct task_struct *t,
+- struct user_namespace *ns, int cap);
+-extern bool capable(int cap);
+-extern bool ns_capable(struct user_namespace *ns, int cap);
+-extern bool inode_capable(const struct inode *inode, int cap);
+-extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
+-
+-/* audit system wants to get cap info from files as well */
+-extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
+-
+-#endif /* !_LINUX_CAPABILITY_H */
+diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
+index 56fc7fd..64ac50e 100644
+--- a/libcap/include/sys/capability.h
++++ b/libcap/include/sys/capability.h
+@@ -26,7 +26,7 @@ extern "C" {
+ #ifndef __user
+ #define __user
+ #endif
+-#include <uapi/linux/capability.h>
++#include <linux/capability.h>
+ #include <linux/xattr.h>
+
+ /*
+diff --git a/libcap/include/linux/prctl.h b/libcap/include/uapi/linux/prctl.h
+index a3baeb2..289760f 100644
+--- a/libcap/include/linux/prctl.h
++++ b/libcap/include/uapi/linux/prctl.h
+@@ -102,4 +102,51 @@
+
+ #define PR_MCE_KILL_GET 34
+
++/*
++ * Tune up process memory map specifics.
++ */
++#define PR_SET_MM 35
++# define PR_SET_MM_START_CODE 1
++# define PR_SET_MM_END_CODE 2
++# define PR_SET_MM_START_DATA 3
++# define PR_SET_MM_END_DATA 4
++# define PR_SET_MM_START_STACK 5
++# define PR_SET_MM_START_BRK 6
++# define PR_SET_MM_BRK 7
++# define PR_SET_MM_ARG_START 8
++# define PR_SET_MM_ARG_END 9
++# define PR_SET_MM_ENV_START 10
++# define PR_SET_MM_ENV_END 11
++# define PR_SET_MM_AUXV 12
++# define PR_SET_MM_EXE_FILE 13
++
++/*
++ * Set specific pid that is allowed to ptrace the current task.
++ * A value of 0 mean "no process".
++ */
++#define PR_SET_PTRACER 0x59616d61
++# define PR_SET_PTRACER_ANY ((unsigned long)-1)
++
++#define PR_SET_CHILD_SUBREAPER 36
++#define PR_GET_CHILD_SUBREAPER 37
++
++/*
++ * If no_new_privs is set, then operations that grant new privileges (i.e.
++ * execve) will either fail or not grant them. This affects suid/sgid,
++ * file capabilities, and LSMs.
++ *
++ * Operations that merely manipulate or drop existing privileges (setresuid,
++ * capset, etc.) will still work. Drop those privileges if you want them gone.
++ *
++ * Changing LSM security domain is considered a new privilege. So, for example,
++ * asking selinux for a specific new context (e.g. with runcon) will result
++ * in execve returning -EPERM.
++ *
++ * See Documentation/prctl/no_new_privs.txt for more details.
++ */
++#define PR_SET_NO_NEW_PRIVS 38
++#define PR_GET_NO_NEW_PRIVS 39
++
++#define PR_GET_TID_ADDRESS 40
++
+ #endif /* _LINUX_PRCTL_H */
+diff --git a/libcap/include/linux/securebits.h b/libcap/include/uapi/linux/securebits.h
+index 3340617..985aac9 100644
+--- a/libcap/include/linux/securebits.h
++++ b/libcap/include/uapi/linux/securebits.h
+@@ -1,14 +1,11 @@
+-#ifndef _LINUX_SECUREBITS_H
+-#define _LINUX_SECUREBITS_H 1
++#ifndef _UAPI_LINUX_SECUREBITS_H
++#define _UAPI_LINUX_SECUREBITS_H
+
+ /* Each securesetting is implemented using two bits. One bit specifies
+ whether the setting is on or off. The other bit specify whether the
+ setting is locked or not. A setting which is locked cannot be
+ changed from user-level. */
+ #define issecure_mask(X) (1 << (X))
+-#ifdef __KERNEL__
+-#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
+-#endif
+
+ #define SECUREBITS_DEFAULT 0x00000000
+
+@@ -51,4 +48,4 @@
+ issecure_mask(SECURE_KEEP_CAPS))
+ #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
+
+-#endif /* !_LINUX_SECUREBITS_H */
++#endif /* _UAPI_LINUX_SECUREBITS_H */
+--
+cgit v0.9.2
More information about the arch-commits
mailing list