72524c7ff55fdfb9470e2af59f0963b6 http://www.kernel.org/pub/linux/libs/security/linux... auto/th/libcap-2_05-1 auto/ti/libcap-2_05-1
authorJakub Bogusz <qboosh@pld-linux.org>
Sat, 26 Jan 2008 21:12:29 +0000 (21:12 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    support-for-prctl-based-securebits.patch -> 1.1

support-for-prctl-based-securebits.patch [new file with mode: 0644]

diff --git a/support-for-prctl-based-securebits.patch b/support-for-prctl-based-securebits.patch
new file mode 100644 (file)
index 0000000..be236e8
--- /dev/null
@@ -0,0 +1,104 @@
+This is relative to libcap-2.05.
+
+
+From 51a79648bed2380d3e11be09b0343d734f2f2382 Mon Sep 17 00:00:00 2001
+From: Andrew G. Morgan <morgan@kernel.org>
+Date: Wed, 23 Jan 2008 23:33:34 -0800
+Subject: [PATCH] Speculative support for prctl based securebits.
+
+See corresponding kernel patch (2008/01/23).
+---
+ progs/capsh.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 50 insertions(+), 0 deletions(-)
+
+diff --git a/progs/capsh.c b/progs/capsh.c
+index 278bb17..a8ace77 100644
+--- a/progs/capsh.c
++++ b/progs/capsh.c
+@@ -15,12 +15,15 @@
+ #include <sys/prctl.h>
+ #include <sys/capability.h>
+ #include <unistd.h>
++#include <errno.h>
+ /* prctl based API for altering character of current process */
+ #define PR_GET_KEEPCAPS    7
+ #define PR_SET_KEEPCAPS    8
+ #define PR_CAPBSET_READ   23
+ #define PR_CAPBSET_DROP   24
++#define PR_GET_SECUREBITS 25
++#define PR_SET_SECUREBITS 26
+ static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
+ static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
+@@ -184,6 +187,28 @@ int main(int argc, char *argv[], char *envp[])
+               fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
+               exit(1);
+           }
++      } else if (!memcmp("--secbits=", argv[i], 10)) {
++          unsigned value;
++          int status;
++
++          value = strtoul(argv[i]+10, NULL, 0);
++          status = prctl(PR_SET_SECUREBITS, value);
++          if (status < 0) {
++              fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
++                      value, value);
++              exit(1);
++          }
++      } else if (!memcmp("--uid=", argv[i], 6)) {
++          unsigned value;
++          int status;
++
++          value = strtoul(argv[i]+6, NULL, 0);
++          status = setuid(value);
++          if (status < 0) {
++              fprintf(stderr, "Failed to set uid=%u: %s\n",
++                      value, strerror(errno));
++              exit(1);
++          }
+       } else if (!strcmp("--print", argv[i])) {
+           unsigned cap;
+           int set;
+@@ -214,6 +239,29 @@ int main(int argc, char *argv[], char *envp[])
+               sep = ",";
+           }
+           printf("\n");
++          set = prctl(PR_GET_SECUREBITS);
++          if (set >= 0) {
++              printf("Securebits: 0%o/0x%x\n", set, set);
++              printf(" secure-noroot: %s (%s)\n",
++                     (set & 1) ? "yes":"no",
++                     (set & 2) ? "locked":"unlocked");
++              printf(" secure-no-suid-fixup: %s (%s)\n",
++                     (set & 4) ? "yes":"no",
++                     (set & 8) ? "locked":"unlocked");
++              printf(" secure-keep-caps: %s (%s)\n",
++                     (set & 16) ? "yes":"no",
++                     (set & 32) ? "locked":"unlocked");
++          } else {
++              printf("[Securebits ABI not supported]\n");
++              set = prctl(PR_GET_KEEPCAPS);
++              if (set >= 0) {
++                  printf(" prctl-keep-caps: %s (locking not supported)\n",
++                         set ? "yes":"no");
++              } else {
++                  printf("[Keepcaps ABI not supported]\n");
++              }
++          }
++          printf("uid=%u\n", getuid());
+       } else if (!strcmp("--", argv[i])) {
+           argv[i] = strdup("/bin/bash");
+           argv[argc] = NULL;
+@@ -226,6 +274,8 @@ int main(int argc, char *argv[], char *envp[])
+                  "  --print        display capability relevant state\n"
+                  "  --drop=xxx     remove xxx,.. capabilities from bset\n"
+                  "  --inh=xxx      set xxx,.. inheritiable set\n"
++                 "  --secbits=<n>  write a new value for securebits\n"
++                 "  --uid=<n>      set uid to <n> (hint: id <username>)\n"
+                  "  --chroot=path  chroot(2) to this path to invoke bash\n"
+                  "  --             remaing arguments are for /bin/bash\n"
+                  "                 (without -- [%s] will simply exit(0))\n",
+-- 
+1.5.3.7
+
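Review bot: The two `strtoul(argv[i]+N, NULL, 0)` calls in the `--secbits=` and `--uid=` branches added to capsh.c's option loop accept any text, so a mistyped value such as `--secbits=x` parses as 0 and silently clears every securebit instead of failing. Passing an end pointer and rejecting an empty number or trailing garbage closes that gap, and the `--uid=` branch needs the identical check before `setuid()`. The `PR_SET_SECUREBITS` failure message would also be more useful with `strerror(errno)` appended, as the `--uid=` branch already does and `<errno.h>` is now included. `strncmp` would be safer than `memcmp` for the prefix tests, since `memcmp` may read past the terminator of an argument shorter than the prefix. Both branches sit inside capsh's main(), whose body starts and ends outside the hunk.
```c
} else if (!memcmp("--secbits=", argv[i], 10)) {
    unsigned value;
    int status;
    char *end;

    errno = 0;
    value = strtoul(argv[i]+10, &end, 0);
    if (end == argv[i]+10 || *end != '\0' || errno != 0) {
        fprintf(stderr, "invalid securebits value [%s]\n", argv[i]+10);
        exit(1);
    }
    status = prctl(PR_SET_SECUREBITS, value);
    if (status < 0) {
        fprintf(stderr, "failed to set securebits to 0%o/0x%x: %s\n",
                value, value, strerror(errno));
        exit(1);
    }
/* … unchanged: --uid= branch (apply the same end-pointer check) … */
```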