[arch-commits] Commit in libcap/trunk (PKGBUILD libcap-2.23-header.patch)
Allan McRae
allan at nymeria.archlinux.org
Mon Jan 6 02:57:33 UTC 2014
Date: Monday, January 6, 2014 @ 03:57:32
Author: allan
Revision: 203229
upgpkg: libcap 2.24-1
upstream update, remove included patch and sed
Modified:
libcap/trunk/PKGBUILD
Deleted:
libcap/trunk/libcap-2.23-header.patch
--------------------------+
PKGBUILD | 15 -
libcap-2.23-header.patch | 350 ---------------------------------------------
2 files changed, 4 insertions(+), 361 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-01-05 23:07:05 UTC (rev 203228)
+++ PKGBUILD 2014-01-06 02:57:32 UTC (rev 203229)
@@ -3,8 +3,8 @@
# Contributor: Hugo Doria <hugo at archlinux.org>
pkgname=libcap
-pkgver=2.23
-pkgrel=2
+pkgver=2.24
+pkgrel=1
pkgdesc="POSIX 1003.1e capabilities"
arch=('i686' 'x86_64')
url="http://sites.google.com/site/fullycapable/"
@@ -11,10 +11,8 @@
license=('GPL2')
depends=('glibc' 'attr')
options=('!staticlibs')
-source=(https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.23.tar.xz
- libcap-2.23-header.patch)
-md5sums=('09a185e4b0aa8a81a51c1e4d0eba7db0'
- '945984c4bf5e601c24a7c80f001fb2c6')
+source=(https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-${pkgver}.tar.xz)
+md5sums=('d43ab9f680435a7fff35b4ace8d45b80')
prepare() {
cd ${srcdir}/${pkgname}-${pkgver}
@@ -21,11 +19,6 @@
# install into /usr/bin
sed -i "/SBINDIR/s#sbin#bin#" Make.Rules
-
- # fix header path issues
- patch -p1 -i $srcdir/libcap-2.23-header.patch
- # and fix the build with that patch
- sed -i "s#uapi/##" libcap/Makefile
}
build() {
Deleted: libcap-2.23-header.patch
===================================================================
--- libcap-2.23-header.patch 2014-01-05 23:07:05 UTC (rev 203228)
+++ libcap-2.23-header.patch 2014-01-06 02:57:32 UTC (rev 203229)
@@ -1,350 +0,0 @@
-From c3290668646b767058e55b29f7b8f4be4af2e660 Mon Sep 17 00:00:00 2001
-From: Andrew G Morgan <morgan at kernel.org>
-Date: Thu, 02 Jan 2014 01:56:31 +0000
-Subject: Fix up the uapi/linux include scheme.
-
-In adopting this uapi header file (without kernel internals), I previously
-messed up on the apparent location of the files. Thanks to Tom Gundersen for
-the clarification. Also, delete the non-uapi copies of things since they
-are no longer needed to build the library and tools.
-
-Signed-off-by: Andrew G Morgan <morgan at kernel.org>
----
-diff --git a/Make.Rules b/Make.Rules
-index 9ca6c89..5b58c59 100644
---- a/Make.Rules
-+++ b/Make.Rules
-@@ -45,8 +45,8 @@ MINOR=23
-
- # Compilation specifics
-
--KERNEL_HEADERS := $(topdir)/libcap/include
--IPATH += -fPIC -I$(topdir)/libcap/include -I$(KERNEL_HEADERS)
-+KERNEL_HEADERS := $(topdir)/libcap/include/uapi
-+IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
-
- CC := gcc
- CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-diff --git a/libcap/include/linux/capability.h b/libcap/include/linux/capability.h
-deleted file mode 100644
-index a6ee1f9..0000000
---- a/libcap/include/linux/capability.h
-+++ /dev/null
-@@ -1,219 +0,0 @@
--/*
-- * This is <linux/capability.h>
-- *
-- * Andrew G. Morgan <morgan at kernel.org>
-- * Alexander Kjeldaas <astor at guardian.no>
-- * with help from Aleph1, Roland Buresund and Andrew Main.
-- *
-- * See here for the libcap library ("POSIX draft" compliance):
-- *
-- * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
-- */
--#ifndef _LINUX_CAPABILITY_H
--#define _LINUX_CAPABILITY_H
--
--#include <uapi/linux/capability.h>
--
--
--#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
--#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
--
--extern int file_caps_enabled;
--
--typedef struct kernel_cap_struct {
-- __u32 cap[_KERNEL_CAPABILITY_U32S];
--} kernel_cap_t;
--
--/* exact same as vfs_cap_data but in cpu endian and always filled completely */
--struct cpu_vfs_cap_data {
-- __u32 magic_etc;
-- kernel_cap_t permitted;
-- kernel_cap_t inheritable;
--};
--
--#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
--#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
--
--
--struct file;
--struct inode;
--struct dentry;
--struct user_namespace;
--
--struct user_namespace *current_user_ns(void);
--
--extern const kernel_cap_t __cap_empty_set;
--extern const kernel_cap_t __cap_init_eff_set;
--
--/*
-- * Internal kernel functions only
-- */
--
--#define CAP_FOR_EACH_U32(__capi) \
-- for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
--
--/*
-- * CAP_FS_MASK and CAP_NFSD_MASKS:
-- *
-- * The fs mask is all the privileges that fsuid==0 historically meant.
-- * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
-- *
-- * It has never meant setting security.* and trusted.* xattrs.
-- *
-- * We could also define fsmask as follows:
-- * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
-- * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
-- */
--
--# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
-- | CAP_TO_MASK(CAP_MKNOD) \
-- | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
-- | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
-- | CAP_TO_MASK(CAP_FOWNER) \
-- | CAP_TO_MASK(CAP_FSETID))
--
--# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
--
--#if _KERNEL_CAPABILITY_U32S != 2
--# error Fix up hand-coded capability macro initializers
--#else /* HAND-CODED capability initializers */
--
--# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
--# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
--# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
-- | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
-- CAP_FS_MASK_B1 } })
--# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
-- | CAP_TO_MASK(CAP_SYS_RESOURCE), \
-- CAP_FS_MASK_B1 } })
--
--#endif /* _KERNEL_CAPABILITY_U32S != 2 */
--
--# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
--
--#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
--#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
--#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
--
--#define CAP_BOP_ALL(c, a, b, OP) \
--do { \
-- unsigned __capi; \
-- CAP_FOR_EACH_U32(__capi) { \
-- c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
-- } \
--} while (0)
--
--#define CAP_UOP_ALL(c, a, OP) \
--do { \
-- unsigned __capi; \
-- CAP_FOR_EACH_U32(__capi) { \
-- c.cap[__capi] = OP a.cap[__capi]; \
-- } \
--} while (0)
--
--static inline kernel_cap_t cap_combine(const kernel_cap_t a,
-- const kernel_cap_t b)
--{
-- kernel_cap_t dest;
-- CAP_BOP_ALL(dest, a, b, |);
-- return dest;
--}
--
--static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
-- const kernel_cap_t b)
--{
-- kernel_cap_t dest;
-- CAP_BOP_ALL(dest, a, b, &);
-- return dest;
--}
--
--static inline kernel_cap_t cap_drop(const kernel_cap_t a,
-- const kernel_cap_t drop)
--{
-- kernel_cap_t dest;
-- CAP_BOP_ALL(dest, a, drop, &~);
-- return dest;
--}
--
--static inline kernel_cap_t cap_invert(const kernel_cap_t c)
--{
-- kernel_cap_t dest;
-- CAP_UOP_ALL(dest, c, ~);
-- return dest;
--}
--
--static inline int cap_isclear(const kernel_cap_t a)
--{
-- unsigned __capi;
-- CAP_FOR_EACH_U32(__capi) {
-- if (a.cap[__capi] != 0)
-- return 0;
-- }
-- return 1;
--}
--
--/*
-- * Check if "a" is a subset of "set".
-- * return 1 if ALL of the capabilities in "a" are also in "set"
-- * cap_issubset(0101, 1111) will return 1
-- * return 0 if ANY of the capabilities in "a" are not in "set"
-- * cap_issubset(1111, 0101) will return 0
-- */
--static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
--{
-- kernel_cap_t dest;
-- dest = cap_drop(a, set);
-- return cap_isclear(dest);
--}
--
--/* Used to decide between falling back on the old suser() or fsuser(). */
--
--static inline int cap_is_fs_cap(int cap)
--{
-- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
-- return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
--}
--
--static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
--{
-- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
-- return cap_drop(a, __cap_fs_set);
--}
--
--static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
-- const kernel_cap_t permitted)
--{
-- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
-- return cap_combine(a,
-- cap_intersect(permitted, __cap_fs_set));
--}
--
--static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
--{
-- const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
-- return cap_drop(a, __cap_fs_set);
--}
--
--static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
-- const kernel_cap_t permitted)
--{
-- const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
-- return cap_combine(a,
-- cap_intersect(permitted, __cap_nfsd_set));
--}
--
--extern bool has_capability(struct task_struct *t, int cap);
--extern bool has_ns_capability(struct task_struct *t,
-- struct user_namespace *ns, int cap);
--extern bool has_capability_noaudit(struct task_struct *t, int cap);
--extern bool has_ns_capability_noaudit(struct task_struct *t,
-- struct user_namespace *ns, int cap);
--extern bool capable(int cap);
--extern bool ns_capable(struct user_namespace *ns, int cap);
--extern bool inode_capable(const struct inode *inode, int cap);
--extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
--
--/* audit system wants to get cap info from files as well */
--extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
--
--#endif /* !_LINUX_CAPABILITY_H */
-diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
-index 56fc7fd..64ac50e 100644
---- a/libcap/include/sys/capability.h
-+++ b/libcap/include/sys/capability.h
-@@ -26,7 +26,7 @@ extern "C" {
- #ifndef __user
- #define __user
- #endif
--#include <uapi/linux/capability.h>
-+#include <linux/capability.h>
- #include <linux/xattr.h>
-
- /*
-diff --git a/libcap/include/linux/prctl.h b/libcap/include/uapi/linux/prctl.h
-index a3baeb2..289760f 100644
---- a/libcap/include/linux/prctl.h
-+++ b/libcap/include/uapi/linux/prctl.h
-@@ -102,4 +102,51 @@
-
- #define PR_MCE_KILL_GET 34
-
-+/*
-+ * Tune up process memory map specifics.
-+ */
-+#define PR_SET_MM 35
-+# define PR_SET_MM_START_CODE 1
-+# define PR_SET_MM_END_CODE 2
-+# define PR_SET_MM_START_DATA 3
-+# define PR_SET_MM_END_DATA 4
-+# define PR_SET_MM_START_STACK 5
-+# define PR_SET_MM_START_BRK 6
-+# define PR_SET_MM_BRK 7
-+# define PR_SET_MM_ARG_START 8
-+# define PR_SET_MM_ARG_END 9
-+# define PR_SET_MM_ENV_START 10
-+# define PR_SET_MM_ENV_END 11
-+# define PR_SET_MM_AUXV 12
-+# define PR_SET_MM_EXE_FILE 13
-+
-+/*
-+ * Set specific pid that is allowed to ptrace the current task.
-+ * A value of 0 mean "no process".
-+ */
-+#define PR_SET_PTRACER 0x59616d61
-+# define PR_SET_PTRACER_ANY ((unsigned long)-1)
-+
-+#define PR_SET_CHILD_SUBREAPER 36
-+#define PR_GET_CHILD_SUBREAPER 37
-+
-+/*
-+ * If no_new_privs is set, then operations that grant new privileges (i.e.
-+ * execve) will either fail or not grant them. This affects suid/sgid,
-+ * file capabilities, and LSMs.
-+ *
-+ * Operations that merely manipulate or drop existing privileges (setresuid,
-+ * capset, etc.) will still work. Drop those privileges if you want them gone.
-+ *
-+ * Changing LSM security domain is considered a new privilege. So, for example,
-+ * asking selinux for a specific new context (e.g. with runcon) will result
-+ * in execve returning -EPERM.
-+ *
-+ * See Documentation/prctl/no_new_privs.txt for more details.
-+ */
-+#define PR_SET_NO_NEW_PRIVS 38
-+#define PR_GET_NO_NEW_PRIVS 39
-+
-+#define PR_GET_TID_ADDRESS 40
-+
- #endif /* _LINUX_PRCTL_H */
-diff --git a/libcap/include/linux/securebits.h b/libcap/include/uapi/linux/securebits.h
-index 3340617..985aac9 100644
---- a/libcap/include/linux/securebits.h
-+++ b/libcap/include/uapi/linux/securebits.h
-@@ -1,14 +1,11 @@
--#ifndef _LINUX_SECUREBITS_H
--#define _LINUX_SECUREBITS_H 1
-+#ifndef _UAPI_LINUX_SECUREBITS_H
-+#define _UAPI_LINUX_SECUREBITS_H
-
- /* Each securesetting is implemented using two bits. One bit specifies
- whether the setting is on or off. The other bit specify whether the
- setting is locked or not. A setting which is locked cannot be
- changed from user-level. */
- #define issecure_mask(X) (1 << (X))
--#ifdef __KERNEL__
--#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
--#endif
-
- #define SECUREBITS_DEFAULT 0x00000000
-
-@@ -51,4 +48,4 @@
- issecure_mask(SECURE_KEEP_CAPS))
- #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
-
--#endif /* !_LINUX_SECUREBITS_H */
-+#endif /* _UAPI_LINUX_SECUREBITS_H */
---
-cgit v0.9.2
More information about the arch-commits
mailing list