delta/libcap2.git, branch master git.kernel.org: pub/scm/linux/kernel/git/morgan/libcap.git Up the release version to 2.59 2021-09-27T01:20:33+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-27T01:20:33+00:00 9eb56596eef5e55a596aa97ecaf8466ea559d05c Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Fix to 'make clean sudotest' reliably 2021-09-24T17:58:05+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-24T17:58:05+00:00 22569c7cfb428edc5ae05cf631a25227087e74d0 Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Recognize that NULL is an invalid cap_t and cap_iab_t. 2021-09-24T17:46:24+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-24T17:46:24+00:00 6643c636e8ab44add497f97e479ad8a931d43adf This was a regresssion introduced in libcap-2.55. Fixed in libcap-2.59. Added a cap_launch NULL test too. Comparing against NULL would cause a SIGSEGV against these library revisions. Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
This was a regresssion introduced in libcap-2.55. Fixed in libcap-2.59.
Added a cap_launch NULL test too. Comparing against NULL would cause a
SIGSEGV against these library revisions.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Update example to avoid reference to deprecated Compare function. 2021-09-24T03:46:31+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-24T03:46:31+00:00 f8b754967348052ca92c6d2c95551cbbb1e1d387 In 2.54 (*Set).Compare() was deprecated in favor of (*Set).Cf(), so update the top level comment to reflect the preferred API. Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
In 2.54 (*Set).Compare() was deprecated in favor of (*Set).Cf(),
so update the top level comment to reflect the preferred API.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Spelling fix. 2021-09-23T01:57:44+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-23T01:50:53+00:00 dba6efc51b2cb4ee97e34575d298cdbb58cfed68 Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
More compliant cap.Differs documentation. 2021-09-18T04:07:19+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-18T04:07:19+00:00 33a6686e2bc126916145f01246ee6be80669dcdb Deprecation has a stylized comment format as per go.dev. Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
Deprecation has a stylized comment format as per go.dev.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Up the release version to 2.58 2021-09-18T02:35:42+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-18T02:35:29+00:00 01627eae86cc299de459067614e6964b63bb6bcb Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Fix typo in capsh. 2021-09-15T04:57:05+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-15T04:57:05+00:00 0efe94c6ec601a5d1e84819e87618c5837395709 Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Add some debugging info for the pam_cap.so deferred callback. 2021-09-15T03:54:00+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-15T03:54:00+00:00 9f9602215ccf205cca1b0a495db9eae18d204265 As with the other D(()) entries in the pam_cap.so module, this is enabled if the /* #define PAM_DEBUG */ comment is uncommented at the top of the pam_cap.so file. I tried this on a sample app and it didn't actually follow the documentation: http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_end where no pam_end() call was made to terminate the fork()ed copy of the pamh value. That app needs to be fixed. Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
As with the other D(()) entries in the pam_cap.so module, this
is enabled if the /* #define PAM_DEBUG */ comment is uncommented
at the top of the pam_cap.so file.

I tried this on a sample app and it didn't actually follow the
documentation:

http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_end

where no pam_end() call was made to terminate the fork()ed copy of the pamh
value. That app needs to be fixed.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Another attempt at supporting Ambient vector setting from pam_cap.so. 2021-09-15T02:45:59+00:00 Andrew G. Morgan morgan@kernel.org 2021-09-15T02:36:56+00:00 2c3b8949f4374db5285865ad8ce1bdf49d6f24c6 While the session idea worked with contrib/sucap/su.c, it failed on more traditional PAM apps. For a second (likely last) attempt to find a path, I've deleted the session support and now attempt to do the setting via a PAM data item cleanup() callback. In the contrib/sucap/su.c code, evolved from the original SimplePAMApps 'su', there is a pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) from within the fork()d launcher code, so I hope this convention is standard for all the PAM apps that came after. The suggested config for this module for an app, that wants to support the Ambient vector, is thus now: #%PAM-1.0 auth required pam_cap.so keepcaps defer auth required pam_unix.so account required pam_unix.so password required pam_unix.so session required pam_unix.so This is all part of an effort to address: https://bugzilla.kernel.org/show_bug.cgi?id=214377 Signed-off-by: Andrew G. Morgan <morgan@kernel.org> 
While the session idea worked with contrib/sucap/su.c, it failed on
more traditional PAM apps. For a second (likely last) attempt to find a
path, I've deleted the session support and now attempt to do the setting
via a PAM data item cleanup() callback. In the contrib/sucap/su.c code,
evolved from the original SimplePAMApps 'su', there is a

   pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT)

from within the fork()d launcher code, so I hope this convention is
standard for all the PAM apps that came after.

The suggested config for this module for an app, that wants to support
the Ambient vector, is thus now:

    #%PAM-1.0
    auth            required pam_cap.so keepcaps defer
    auth            required pam_unix.so
    account         required pam_unix.so
    password        required pam_unix.so
    session         required pam_unix.so

This is all part of an effort to address:

   https://bugzilla.kernel.org/show_bug.cgi?id=214377

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>