+++ /dev/null
-This is relative to libcap-2.05.
-
-
-From 51a79648bed2380d3e11be09b0343d734f2f2382 Mon Sep 17 00:00:00 2001
-From: Andrew G. Morgan <morgan@kernel.org>
-Date: Wed, 23 Jan 2008 23:33:34 -0800
-Subject: [PATCH] Speculative support for prctl based securebits.
-
-See corresponding kernel patch (2008/01/23).
----
- progs/capsh.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 files changed, 50 insertions(+), 0 deletions(-)
-
-diff --git a/progs/capsh.c b/progs/capsh.c
-index 278bb17..a8ace77 100644
---- a/progs/capsh.c
-+++ b/progs/capsh.c
-@@ -15,12 +15,15 @@
- #include <sys/prctl.h>
- #include <sys/capability.h>
- #include <unistd.h>
-+#include <errno.h>
-
- /* prctl based API for altering character of current process */
- #define PR_GET_KEEPCAPS 7
- #define PR_SET_KEEPCAPS 8
- #define PR_CAPBSET_READ 23
- #define PR_CAPBSET_DROP 24
-+#define PR_GET_SECUREBITS 25
-+#define PR_SET_SECUREBITS 26
-
- static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
- static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
-@@ -184,6 +187,28 @@ int main(int argc, char *argv[], char *envp[])
- fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
- exit(1);
- }
-+ } else if (!memcmp("--secbits=", argv[i], 10)) {
-+ unsigned value;
-+ int status;
-+
-+ value = strtoul(argv[i]+10, NULL, 0);
-+ status = prctl(PR_SET_SECUREBITS, value);
-+ if (status < 0) {
-+ fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
-+ value, value);
-+ exit(1);
-+ }
-+ } else if (!memcmp("--uid=", argv[i], 6)) {
-+ unsigned value;
-+ int status;
-+
-+ value = strtoul(argv[i]+6, NULL, 0);
-+ status = setuid(value);
-+ if (status < 0) {
-+ fprintf(stderr, "Failed to set uid=%u: %s\n",
-+ value, strerror(errno));
-+ exit(1);
-+ }
- } else if (!strcmp("--print", argv[i])) {
- unsigned cap;
- int set;
-@@ -214,6 +239,29 @@ int main(int argc, char *argv[], char *envp[])
- sep = ",";
- }
- printf("\n");
-+ set = prctl(PR_GET_SECUREBITS);
-+ if (set >= 0) {
-+ printf("Securebits: 0%o/0x%x\n", set, set);
-+ printf(" secure-noroot: %s (%s)\n",
-+ (set & 1) ? "yes":"no",
-+ (set & 2) ? "locked":"unlocked");
-+ printf(" secure-no-suid-fixup: %s (%s)\n",
-+ (set & 4) ? "yes":"no",
-+ (set & 8) ? "locked":"unlocked");
-+ printf(" secure-keep-caps: %s (%s)\n",
-+ (set & 16) ? "yes":"no",
-+ (set & 32) ? "locked":"unlocked");
-+ } else {
-+ printf("[Securebits ABI not supported]\n");
-+ set = prctl(PR_GET_KEEPCAPS);
-+ if (set >= 0) {
-+ printf(" prctl-keep-caps: %s (locking not supported)\n",
-+ set ? "yes":"no");
-+ } else {
-+ printf("[Keepcaps ABI not supported]\n");
-+ }
-+ }
-+ printf("uid=%u\n", getuid());
- } else if (!strcmp("--", argv[i])) {
- argv[i] = strdup("/bin/bash");
- argv[argc] = NULL;
-@@ -226,6 +274,8 @@ int main(int argc, char *argv[], char *envp[])
- " --print display capability relevant state\n"
- " --drop=xxx remove xxx,.. capabilities from bset\n"
- " --inh=xxx set xxx,.. inheritiable set\n"
-+ " --secbits=<n> write a new value for securebits\n"
-+ " --uid=<n> set uid to <n> (hint: id <username>)\n"
- " --chroot=path chroot(2) to this path to invoke bash\n"
- " -- remaing arguments are for /bin/bash\n"
- " (without -- [%s] will simply exit(0))\n",
---
-1.5.3.7
-