[packages/libcap.git] / support-for-prctl-based-securebits.patch

This is relative to libcap-2.05.


From 51a79648bed2380d3e11be09b0343d734f2f2382 Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan <morgan@kernel.org>
Date: Wed, 23 Jan 2008 23:33:34 -0800
Subject: [PATCH] Speculative support for prctl based securebits.

See corresponding kernel patch (2008/01/23).
---
 progs/capsh.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 50 insertions(+), 0 deletions(-)

diff --git a/progs/capsh.c b/progs/capsh.c
index 278bb17..a8ace77 100644
--- a/progs/capsh.c
+++ b/progs/capsh.c
@@ -15,12 +15,15 @@
 #include <sys/prctl.h>
 #include <sys/capability.h>
 #include <unistd.h>
+#include <errno.h>
 
 /* prctl based API for altering character of current process */
 #define PR_GET_KEEPCAPS    7
 #define PR_SET_KEEPCAPS    8
 #define PR_CAPBSET_READ   23
 #define PR_CAPBSET_DROP   24
+#define PR_GET_SECUREBITS 25
+#define PR_SET_SECUREBITS 26
 
 static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
 static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
@@ -184,6 +187,28 @@ int main(int argc, char *argv[], char *envp[])
 		fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
 		exit(1);
 	    }
+	} else if (!memcmp("--secbits=", argv[i], 10)) {
+	    unsigned value;
+	    int status;
+
+	    value = strtoul(argv[i]+10, NULL, 0);
+	    status = prctl(PR_SET_SECUREBITS, value);
+	    if (status < 0) {
+		fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
+			value, value);
+		exit(1);
+	    }
+	} else if (!memcmp("--uid=", argv[i], 6)) {
+	    unsigned value;
+	    int status;
+
+	    value = strtoul(argv[i]+6, NULL, 0);
+	    status = setuid(value);
+	    if (status < 0) {
+		fprintf(stderr, "Failed to set uid=%u: %s\n",
+			value, strerror(errno));
+		exit(1);
+	    }
 	} else if (!strcmp("--print", argv[i])) {
 	    unsigned cap;
 	    int set;
@@ -214,6 +239,29 @@ int main(int argc, char *argv[], char *envp[])
 		sep = ",";
 	    }
 	    printf("\n");
+	    set = prctl(PR_GET_SECUREBITS);
+	    if (set >= 0) {
+		printf("Securebits: 0%o/0x%x\n", set, set);
+		printf(" secure-noroot: %s (%s)\n",
+		       (set & 1) ? "yes":"no",
+		       (set & 2) ? "locked":"unlocked");
+		printf(" secure-no-suid-fixup: %s (%s)\n",
+		       (set & 4) ? "yes":"no",
+		       (set & 8) ? "locked":"unlocked");
+		printf(" secure-keep-caps: %s (%s)\n",
+		       (set & 16) ? "yes":"no",
+		       (set & 32) ? "locked":"unlocked");
+	    } else {
+		printf("[Securebits ABI not supported]\n");
+		set = prctl(PR_GET_KEEPCAPS);
+		if (set >= 0) {
+		    printf(" prctl-keep-caps: %s (locking not supported)\n",
+			   set ? "yes":"no");
+		} else {
+		    printf("[Keepcaps ABI not supported]\n");
+		}
+	    }
+	    printf("uid=%u\n", getuid());
 	} else if (!strcmp("--", argv[i])) {
 	    argv[i] = strdup("/bin/bash");
 	    argv[argc] = NULL;
@@ -226,6 +274,8 @@ int main(int argc, char *argv[], char *envp[])
 		   "  --print        display capability relevant state\n"
 		   "  --drop=xxx     remove xxx,.. capabilities from bset\n"
 		   "  --inh=xxx      set xxx,.. inheritiable set\n"
+		   "  --secbits=<n>  write a new value for securebits\n"
+		   "  --uid=<n>      set uid to <n> (hint: id <username>)\n"
 		   "  --chroot=path  chroot(2) to this path to invoke bash\n"
 		   "  --             remaing arguments are for /bin/bash\n"
 		   "                 (without -- [%s] will simply exit(0))\n",
-- 
1.5.3.7
Commit	Line	Data
8ebe54fd JB	1	This is relative to libcap-2.05.
	2
	3
	4	From 51a79648bed2380d3e11be09b0343d734f2f2382 Mon Sep 17 00:00:00 2001
	5	From: Andrew G. Morgan <morgan@kernel.org>
	6	Date: Wed, 23 Jan 2008 23:33:34 -0800
	7	Subject: [PATCH] Speculative support for prctl based securebits.
	8
	9	See corresponding kernel patch (2008/01/23).
	10	---
	11	progs/capsh.c \| 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
	12	1 files changed, 50 insertions(+), 0 deletions(-)
	13
	14	diff --git a/progs/capsh.c b/progs/capsh.c
	15	index 278bb17..a8ace77 100644
	16	--- a/progs/capsh.c
	17	+++ b/progs/capsh.c
	18	@@ -15,12 +15,15 @@
	19	#include <sys/prctl.h>
	20	#include <sys/capability.h>
	21	#include <unistd.h>
	22	+#include <errno.h>
	23
	24	/* prctl based API for altering character of current process */
	25	#define PR_GET_KEEPCAPS 7
	26	#define PR_SET_KEEPCAPS 8
	27	#define PR_CAPBSET_READ 23
	28	#define PR_CAPBSET_DROP 24
	29	+#define PR_GET_SECUREBITS 25
	30	+#define PR_SET_SECUREBITS 26
	31
	32	static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
	33	static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
	34	@@ -184,6 +187,28 @@ int main(int argc, char argv[], char envp[])
	35	fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
	36	exit(1);
	37	}
	38	+ } else if (!memcmp("--secbits=", argv[i], 10)) {
	39	+ unsigned value;
	40	+ int status;
	41	+
	42	+ value = strtoul(argv[i]+10, NULL, 0);
	43	+ status = prctl(PR_SET_SECUREBITS, value);
	44	+ if (status < 0) {
	45	+ fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
	46	+ value, value);
	47	+ exit(1);
	48	+ }
	49	+ } else if (!memcmp("--uid=", argv[i], 6)) {
	50	+ unsigned value;
	51	+ int status;
	52	+
	53	+ value = strtoul(argv[i]+6, NULL, 0);
	54	+ status = setuid(value);
	55	+ if (status < 0) {
	56	+ fprintf(stderr, "Failed to set uid=%u: %s\n",
	57	+ value, strerror(errno));
	58	+ exit(1);
	59	+ }
	60	} else if (!strcmp("--print", argv[i])) {
	61	unsigned cap;
	62	int set;
	63	@@ -214,6 +239,29 @@ int main(int argc, char argv[], char envp[])
	64	sep = ",";
65	}
66	printf("\n");
67	+ set = prctl(PR_GET_SECUREBITS);
68	+ if (set >= 0) {
69	+ printf("Securebits: 0%o/0x%x\n", set, set);
70	+ printf(" secure-noroot: %s (%s)\n",
71	+ (set & 1) ? "yes":"no",
72	+ (set & 2) ? "locked":"unlocked");
73	+ printf(" secure-no-suid-fixup: %s (%s)\n",
74	+ (set & 4) ? "yes":"no",
75	+ (set & 8) ? "locked":"unlocked");
76	+ printf(" secure-keep-caps: %s (%s)\n",
77	+ (set & 16) ? "yes":"no",
78	+ (set & 32) ? "locked":"unlocked");
79	+ } else {
80	+ printf("[Securebits ABI not supported]\n");
81	+ set = prctl(PR_GET_KEEPCAPS);
82	+ if (set >= 0) {
83	+ printf(" prctl-keep-caps: %s (locking not supported)\n",
84	+ set ? "yes":"no");
85	+ } else {
86	+ printf("[Keepcaps ABI not supported]\n");
87	+ }
88	+ }
89	+ printf("uid=%u\n", getuid());
90	} else if (!strcmp("--", argv[i])) {
91	argv[i] = strdup("/bin/bash");
92	argv[argc] = NULL;
93	@@ -226,6 +274,8 @@ int main(int argc, char argv[], char envp[])
94	" --print display capability relevant state\n"
95	" --drop=xxx remove xxx,.. capabilities from bset\n"
96	" --inh=xxx set xxx,.. inheritiable set\n"
97	+ " --secbits=<n> write a new value for securebits\n"
98	+ " --uid=<n> set uid to <n> (hint: id <username>)\n"
99	" --chroot=path chroot(2) to this path to invoke bash\n"
100	" -- remaing arguments are for /bin/bash\n"
101	" (without -- [%s] will simply exit(0))\n",
102	--
103	1.5.3.7
104