This is relative to libcap-2.05.


From 51a79648bed2380d3e11be09b0343d734f2f2382 Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan <morgan@kernel.org>
Date: Wed, 23 Jan 2008 23:33:34 -0800
Subject: [PATCH] Speculative support for prctl based securebits.

See corresponding kernel patch (2008/01/23).
---
 progs/capsh.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 50 insertions(+), 0 deletions(-)

diff --git a/progs/capsh.c b/progs/capsh.c
index 278bb17..a8ace77 100644
--- a/progs/capsh.c
+++ b/progs/capsh.c
@@ -15,12 +15,15 @@
 #include <sys/prctl.h>
 #include <sys/capability.h>
 #include <unistd.h>
+#include <errno.h>
 
 /* prctl based API for altering character of current process */
 #define PR_GET_KEEPCAPS    7
 #define PR_SET_KEEPCAPS    8
 #define PR_CAPBSET_READ   23
 #define PR_CAPBSET_DROP   24
+#define PR_GET_SECUREBITS 25
+#define PR_SET_SECUREBITS 26
 
 static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
 static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
@@ -184,6 +187,28 @@ int main(int argc, char *argv[], char *envp[])
 		fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
 		exit(1);
 	    }
+	} else if (!memcmp("--secbits=", argv[i], 10)) {
+	    unsigned value;
+	    int status;
+
+	    value = strtoul(argv[i]+10, NULL, 0);
+	    status = prctl(PR_SET_SECUREBITS, value);
+	    if (status < 0) {
+		fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
+			value, value);
+		exit(1);
+	    }
+	} else if (!memcmp("--uid=", argv[i], 6)) {
+	    unsigned value;
+	    int status;
+
+	    value = strtoul(argv[i]+6, NULL, 0);
+	    status = setuid(value);
+	    if (status < 0) {
+		fprintf(stderr, "Failed to set uid=%u: %s\n",
+			value, strerror(errno));
+		exit(1);
+	    }
 	} else if (!strcmp("--print", argv[i])) {
 	    unsigned cap;
 	    int set;
@@ -214,6 +239,29 @@ int main(int argc, char *argv[], char *envp[])
 		sep = ",";
 	    }
 	    printf("\n");
+	    set = prctl(PR_GET_SECUREBITS);
+	    if (set >= 0) {
+		printf("Securebits: 0%o/0x%x\n", set, set);
+		printf(" secure-noroot: %s (%s)\n",
+		       (set & 1) ? "yes":"no",
+		       (set & 2) ? "locked":"unlocked");
+		printf(" secure-no-suid-fixup: %s (%s)\n",
+		       (set & 4) ? "yes":"no",
+		       (set & 8) ? "locked":"unlocked");
+		printf(" secure-keep-caps: %s (%s)\n",
+		       (set & 16) ? "yes":"no",
+		       (set & 32) ? "locked":"unlocked");
+	    } else {
+		printf("[Securebits ABI not supported]\n");
+		set = prctl(PR_GET_KEEPCAPS);
+		if (set >= 0) {
+		    printf(" prctl-keep-caps: %s (locking not supported)\n",
+			   set ? "yes":"no");
+		} else {
+		    printf("[Keepcaps ABI not supported]\n");
+		}
+	    }
+	    printf("uid=%u\n", getuid());
 	} else if (!strcmp("--", argv[i])) {
 	    argv[i] = strdup("/bin/bash");
 	    argv[argc] = NULL;
@@ -226,6 +274,8 @@ int main(int argc, char *argv[], char *envp[])
 		   "  --print        display capability relevant state\n"
 		   "  --drop=xxx     remove xxx,.. capabilities from bset\n"
 		   "  --inh=xxx      set xxx,.. inheritiable set\n"
+		   "  --secbits=<n>  write a new value for securebits\n"
+		   "  --uid=<n>      set uid to <n> (hint: id <username>)\n"
 		   "  --chroot=path  chroot(2) to this path to invoke bash\n"
 		   "  --             remaing arguments are for /bin/bash\n"
 		   "                 (without -- [%s] will simply exit(0))\n",
-- 
1.5.3.7