From 8ebe54fd3ccab1a754b42ab8e10df269a4be4001 Mon Sep 17 00:00:00 2001
From: Jakub Bogusz
Date: Sat, 26 Jan 2008 21:12:29 +0000
Subject: [PATCH] 72524c7ff55fdfb9470e2af59f0963b6 http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/support-for-prctl-based-securebits.patch Changed files: support-for-prctl-based-securebits.patch -> 1.1
---
support-for-prctl-based-securebits.patch | 104 +++++++++++++++++++++++
1 file changed, 104 insertions(+)
create mode 100644 support-for-prctl-based-securebits.patch
diff --git a/support-for-prctl-based-securebits.patch b/support-for-prctl-based-securebits.patch
new file mode 100644
index 0000000..be236e8
--- /dev/null
+++ b/support-for-prctl-based-securebits.patch
@@ -0,0 +1,104 @@
+This is relative to libcap-2.05.
+
+
+From 51a79648bed2380d3e11be09b0343d734f2f2382 Mon Sep 17 00:00:00 2001
+From: Andrew G. Morgan
+Date: Wed, 23 Jan 2008 23:33:34 -0800
+Subject: [PATCH] Speculative support for prctl based securebits.
+
+See corresponding kernel patch (2008/01/23).
+---
+ progs/capsh.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 50 insertions(+), 0 deletions(-)
+
+diff --git a/progs/capsh.c b/progs/capsh.c
+index 278bb17..a8ace77 100644
+--- a/progs/capsh.c
++++ b/progs/capsh.c
+@@ -15,12 +15,15 @@
+ #include
+ #include
+ #include
++#include
+
+ /* prctl based API for altering character of current process */
+ #define PR_GET_KEEPCAPS 7
+ #define PR_SET_KEEPCAPS 8
+ #define PR_CAPBSET_READ 23
+ #define PR_CAPBSET_DROP 24
++#define PR_GET_SECUREBITS 25
++#define PR_SET_SECUREBITS 26
+
+ static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
+ static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
+@@ -184,6 +187,28 @@ int main(int argc, char *argv[], char *envp[])
+ fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
+ exit(1);
+ }
++ } else if (!memcmp("--secbits=", argv[i], 10)) {
++ unsigned value;
++ int status;
++
++ value = strtoul(argv[i]+10, NULL, 0);
++ status = prctl(PR_SET_SECUREBITS, value);
++ if (status < 0) {
++ fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
++ value, value);
++ exit(1);
++ }
++ } else if (!memcmp("--uid=", argv[i], 6)) {
++ unsigned value;
++ int status;
++
++ value = strtoul(argv[i]+6, NULL, 0);
++ status = setuid(value);
++ if (status < 0) {
++ fprintf(stderr, "Failed to set uid=%u: %s\n",
++ value, strerror(errno));
++ exit(1);
++ }
+ } else if (!strcmp("--print", argv[i])) {
+ unsigned cap;
+ int set;
+@@ -214,6 +239,29 @@ int main(int argc, char *argv[], char *envp[])
+ sep = ",";
+ }
+ printf("\n");
++ set = prctl(PR_GET_SECUREBITS);
++ if (set >= 0) {
++ printf("Securebits: 0%o/0x%x\n", set, set);
++ printf(" secure-noroot: %s (%s)\n",
++ (set & 1) ? "yes":"no",
++ (set & 2) ? "locked":"unlocked");
++ printf(" secure-no-suid-fixup: %s (%s)\n",
++ (set & 4) ? "yes":"no",
++ (set & 8) ? "locked":"unlocked");
++ printf(" secure-keep-caps: %s (%s)\n",
++ (set & 16) ? "yes":"no",
++ (set & 32) ? "locked":"unlocked");
++ } else {
++ printf("[Securebits ABI not supported]\n");
++ set = prctl(PR_GET_KEEPCAPS);
++ if (set >= 0) {
++ printf(" prctl-keep-caps: %s (locking not supported)\n",
++ set ? "yes":"no");
++ } else {
++ printf("[Keepcaps ABI not supported]\n");
++ }
++ }
++ printf("uid=%u\n", getuid());
+ } else if (!strcmp("--", argv[i])) {
+ argv[i] = strdup("/bin/bash");
+ argv[argc] = NULL;
+@@ -226,6 +274,8 @@ int main(int argc, char *argv[], char *envp[])
+ " --print display capability relevant state\n"
+ " --drop=xxx remove xxx,.. capabilities from bset\n"
+ " --inh=xxx set xxx,.. inheritiable set\n"
++ " --secbits= write a new value for securebits\n"
++ " --uid= set uid to (hint: id )\n"
+ " --chroot=path chroot(2) to this path to invoke bash\n"
+ " -- remaing arguments are for /bin/bash\n"
+ " (without -- [%s] will simply exit(0))\n",
+--
+1.5.3.7
+
-- 2.44.0
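Review bot: The new `--uid=` branch in the embedded progs/capsh.c patch parses its argument with `strtoul(argv[i]+6, NULL, 0)` and never checks where parsing stopped. An argument with no leading digits, such as a user name, therefore converts to 0 and the code goes on to call `setuid(0)` instead of rejecting the input. The result is also stored in an `unsigned`, so an out-of-range value is silently truncated where `unsigned long` is wider. The `--secbits=` branch has the same fail-open parse: a malformed value ends up as `prctl(PR_SET_SECUREBITS, 0)`. Both branches should parse with an end pointer and exit on anything that is not a complete, in-range number, as sketched for `--uid=` below; `main()` starts and ends outside these hunks.

```c
} else if (!memcmp("--uid=", argv[i], 6)) {
    unsigned long value;
    char *end;
    int status;

    errno = 0;
    value = strtoul(argv[i]+6, &end, 0);
    /* fail closed: empty, trailing junk, overflow, or not representable as uid_t */
    if (end == argv[i]+6 || *end != '\0' || errno == ERANGE
        || (unsigned long) (uid_t) value != value) {
        fprintf(stderr, "Invalid uid [%s]\n", argv[i]+6);
        exit(1);
    }
    status = setuid((uid_t) value);
    /* ... unchanged: setuid() failure report and exit(1) ... */
```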