<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/libcap2.git/libcap/libcap.h, branch master</title>
<subtitle>git.kernel.org: pub/scm/linux/kernel/git/morgan/libcap.git
</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/'/>
<entry>
<title>Recognize that NULL is an invalid cap_t and cap_iab_t.</title>
<updated>2021-09-24T17:46:24+00:00</updated>
<author>
<name>Andrew G. Morgan</name>
<email>morgan@kernel.org</email>
</author>
<published>2021-09-24T17:46:24+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=6643c636e8ab44add497f97e479ad8a931d43adf'/>
<id>6643c636e8ab44add497f97e479ad8a931d43adf</id>
<content type='text'>
This was a regression introduced in libcap-2.55. Fixed in libcap-2.59.
Added a cap_launch NULL test too. Comparing against NULL would cause a
SIGSEGV against these library revisions.

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This was a regression introduced in libcap-2.55. Fixed in libcap-2.59.
Added a cap_launch NULL test too. Comparing against NULL would cause a
SIGSEGV against these library revisions.

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Eliminate an alignment issue found by clang.</title>
<updated>2021-08-27T04:45:27+00:00</updated>
<author>
<name>Andrew G. Morgan</name>
<email>morgan@kernel.org</email>
</author>
<published>2021-08-27T04:31:15+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=a56162c6900d203c5ac63a2b41b46cb0c45c645f'/>
<id>a56162c6900d203c5ac63a2b41b46cb0c45c645f</id>
<content type='text'>
Clang helpfully noticed that libcap allocated things should be 64-bit
aligned on 64-bit platforms. Restructure the memory allocation to ensure
this.

Fixes:

   https://bugzilla.kernel.org/show_bug.cgi?id=214183

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Clang helpfully noticed that libcap allocated things should be 64-bit
aligned on 64-bit platforms. Restructure the memory allocation to ensure
this.

Fixes:

   https://bugzilla.kernel.org/show_bug.cgi?id=214183

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Handle libcap allocation failures more explicitly and fix a memory leak.</title>
<updated>2021-08-21T17:29:16+00:00</updated>
<author>
<name>Andrew G. Morgan</name>
<email>morgan@kernel.org</email>
</author>
<published>2021-08-21T17:29:16+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=f81144578ff24a70356faafb82e55de8f3e1292f'/>
<id>f81144578ff24a70356faafb82e55de8f3e1292f</id>
<content type='text'>
This started out as a refactoring of a patch provided by Samanta Navarro.
Reworked, I noticed a latent memory leak in cap_iab_get_proc(), so I've
fixed that too.

Also, migrated a compile failure check to a more useful cap_test for a
highly unlikely corner case (future proofing). While there, noticed
and fixed the binary search test and code (not sure what it was testing
before).

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This started out as a refactoring of a patch provided by Samanta Navarro.
Reworked, I noticed a latent memory leak in cap_iab_get_proc(), so I've
fixed that too.

Also, migrated a compile failure check to a more useful cap_test for a
highly unlikely corner case (future proofing). While there, noticed
and fixed the binary search test and code (not sure what it was testing
before).

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Implement cap_launch.</title>
<updated>2020-02-24T00:12:12+00:00</updated>
<author>
<name>Andrew G. Morgan</name>
<email>morgan@kernel.org</email>
</author>
<published>2020-02-23T23:50:20+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=ef485973d5547431782f9e5f4323eabfebb38622'/>
<id>ef485973d5547431782f9e5f4323eabfebb38622</id>
<content type='text'>
In threaded programs, it's a bit tricky to fork/execve a child with
capabilities different from the parent. Implement cap_launch and
friends to accomplish this.

https://bugzilla.kernel.org/show_bug.cgi?id=206195

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In threaded programs, it's a bit tricky to fork/execve a child with
capabilities different from the parent. Implement cap_launch and
friends to accomplish this.

https://bugzilla.kernel.org/show_bug.cgi?id=206195

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>A convenient IAB abstraction for inherited capability vectors.</title>
<updated>2020-02-24T00:00:02+00:00</updated>
<author>
<name>Andrew G. Morgan</name>
<email>morgan@kernel.org</email>
</author>
<published>2020-02-17T22:00:46+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=943b011b5e53624eb9cab4e96c1985326e077cdd'/>
<id>943b011b5e53624eb9cab4e96c1985326e077cdd</id>
<content type='text'>
Linux supports three flavors of inheritable capability vectors:

  - the I (inheritable set) of cap_t
  - the A (ambient) alternative to file capabilities
  - the B (bounding) vector.

The cap_iab_t collects these together into one object. I exactly equals
that of cap_t, A is what you would expect and B is "blocked" bits which
are ~cap_bound -- i.e., 0 = nothing blocked.

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Linux supports three flavors of inheritable capability vectors:

  - the I (inheritable set) of cap_t
  - the A (ambient) alternative to file capabilities
  - the B (bounding) vector.

The cap_iab_t collects these together into one object. I exactly equals
that of cap_t, A is what you would expect and B is "blocked" bits which
are ~cap_bound -- i.e., 0 = nothing blocked.

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactor the way we do the psx linkage in libcap.</title>
<updated>2020-01-03T22:00:22+00:00</updated>
<author>
<name>Andrew G. Morgan</name>
<email>morgan@kernel.org</email>
</author>
<published>2020-01-03T22:00:22+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=f1f62a748d7c67361e91e32d26abafbfb03eeee4'/>
<id>f1f62a748d7c67361e91e32d26abafbfb03eeee4</id>
<content type='text'>
Since we now have a serialized (linker trick) to initialize libcap
we can reliably compute the number of capabilities of the running
kernel in a race free way. Export the found number of capabilities
with the cap_max_bits() function. This is also what we now use in
both C and Go to define [all]=[eip]. In Go the equivalent function
is cap.MaxBits().

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Since we now have a serialized (linker trick) to initialize libcap
we can reliably compute the number of capabilities of the running
kernel in a race free way. Export the found number of capabilities
with the cap_max_bits() function. This is also what we now use in
both C and Go to define [all]=[eip]. In Go the equivalent function
is cap.MaxBits().

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add support to libcap for overriding system call functions.</title>
<updated>2019-12-07T07:06:47+00:00</updated>
<author>
<name>Andrew G. Morgan</name>
<email>morgan@kernel.org</email>
</author>
<published>2019-12-01T02:33:42+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=b2b267ef1c83f1f3d3105a4bb84f8bebbc130dec'/>
<id>b2b267ef1c83f1f3d3105a4bb84f8bebbc130dec</id>
<content type='text'>
Note, this override only supports the system calls that
libcap uses to change kernel state associated with the
current process. This is primarily intended to permit the
user to use libpsx to force all pthreads to mirror capability
and other security relevant state.

Use a weak function definition feature of libpsx share_psx_syscall()
to transparently arrange for libcap to so force itself to use the
psx_syscall() abstraction when linked against -lpsx. This has the
effect of using linker magic to make libcap transparently observe
POSIX semantics for security state setting operations. That is, when
linked as follows:

   gcc .... -lcap -lpsx -lpthread -Wl,-wrap,pthread_create

all pthreads maintain a common security state with respect to the
libcap API.

This also adds full capability setting support to the Go package
libcap/cap via a libcap/psx package which uses cgo+libpsx syscalls
that share capabilities over all pthreads including those of the
Go runtime.

Finally, if Go supports syscall.PosixSyscall() etc. then provide
a non-psx mechanism for libcap/cap to "just work" in all Go code.

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Note, this override only supports the system calls that
libcap uses to change kernel state associated with the
current process. This is primarily intended to permit the
user to use libpsx to force all pthreads to mirror capability
and other security relevant state.

Use a weak function definition feature of libpsx share_psx_syscall()
to transparently arrange for libcap to so force itself to use the
psx_syscall() abstraction when linked against -lpsx. This has the
effect of using linker magic to make libcap transparently observe
POSIX semantics for security state setting operations. That is, when
linked as follows:

   gcc .... -lcap -lpsx -lpthread -Wl,-wrap,pthread_create

all pthreads maintain a common security state with respect to the
libcap API.

This also adds full capability setting support to the Go package
libcap/cap via a libcap/psx package which uses cgo+libpsx syscalls
that share capabilities over all pthreads including those of the
Go runtime.

Finally, if Go supports syscall.PosixSyscall() etc. then provide
a non-psx mechanism for libcap/cap to "just work" in all Go code.

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix undefined behavior by shifting integer (1u) instead of signed integer (1).</title>
<updated>2019-04-21T16:17:04+00:00</updated>
<author>
<name>Andrew G. Morgan</name>
<email>agm@google.com</email>
</author>
<published>2019-04-19T15:05:15+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=20c52b45d27b7459abab40c6978a21f714e1eed4'/>
<id>20c52b45d27b7459abab40c6978a21f714e1eed4</id>
<content type='text'>
This issue was found with a static analysis code quality linter highlighting
a 32-bit integer issue with some architectures.

Signed-off-by: Andrew G. Morgan &lt;agm@google.com&gt;
Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This issue was found with a static analysis code quality linter highlighting
a 32-bit integer issue with some architectures.

Signed-off-by: Andrew G. Morgan &lt;agm@google.com&gt;
Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pull request -- libcap -- bugfix</title>
<updated>2019-04-14T00:29:26+00:00</updated>
<author>
<name>Alexander Strelets</name>
<email>streletsaa@gmail.com</email>
</author>
<published>2019-02-07T00:19:04+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=ac904b0ba91b072f1a192ff5c685d00122b0162b'/>
<id>ac904b0ba91b072f1a192ff5c685d00122b0162b</id>
<content type='text'>
Hello, Mr. Andrew G. Morgan!

I've found a tiny bug in libcap public headers.

Unfortunately, I don't have an idea how to report this properly or make a
pull request on the kernel.org website (I don't have an account there). So,
I've just made a fork to my account on github.com and now sending a pull
request to you.

If these all should be done according to a different procedure, please,
feel free to ask me for that.

And here is my request for pull:

The following changes since commit 658325c875d36539fd66c6960433435706203759:
  Up the minor release number. (2018-09-15 14:54:14 -0700)
are available in the git repository at:
  https://github.com/xoiss/libcap.git master
for you to fetch changes up to 5497b45db823f86e13835b5e55cbe4091ef3bfe1:
  Fix mistakenly permuted parameter sets of capget and capset (2019-02-07
02:56:52 +0300)
----------------------------------------------------------------
Alexander A. Strelets (1):
      Fix mistakenly permuted parameter sets of capget and capset
 libcap/include/sys/capability.h | 4 ++--
 libcap/libcap.h                 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Hello, Mr. Andrew G. Morgan!

I've found a tiny bug in libcap public headers.

Unfortunately, I don't have an idea how to report this properly or make a
pull request on the kernel.org website (I don't have an account there). So,
I've just made a fork to my account on github.com and now sending a pull
request to you.

If these all should be done according to a different procedure, please,
feel free to ask me for that.

And here is my request for pull:

The following changes since commit 658325c875d36539fd66c6960433435706203759:
  Up the minor release number. (2018-09-15 14:54:14 -0700)
are available in the git repository at:
  https://github.com/xoiss/libcap.git master
for you to fetch changes up to 5497b45db823f86e13835b5e55cbe4091ef3bfe1:
  Fix mistakenly permuted parameter sets of capget and capset (2019-02-07
02:56:52 +0300)
----------------------------------------------------------------
Alexander A. Strelets (1):
      Fix mistakenly permuted parameter sets of capget and capset
 libcap/include/sys/capability.h | 4 ++--
 libcap/libcap.h                 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cap_file: add new rootid argument</title>
<updated>2018-09-09T21:22:50+00:00</updated>
<author>
<name>Christian Brauner</name>
<email>christian@brauner.io</email>
</author>
<published>2018-08-10T16:13:30+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libcap2.git/commit/?id=474d843ff8a20085675bcdb2e22a6f8e6a0595cd'/>
<id>474d843ff8a20085675bcdb2e22a6f8e6a0595cd</id>
<content type='text'>
Newer kernels support setting file capabilities in user namespaces. In
addition to directly setting file capabilities in a user namespace they
can also be set in lieu of another user namespace by passing a uid down
to the kernel which will convert it to an appropriate kuid_t
representation.
This commit adds a new rootid argument to the internal struct
_cap_struct so that we can store the rootid when the kernel supports
VFS_CAP_REVISION_3 and returns a struct vfs_ns_cap_data.

Signed-off-by: Christian Brauner &lt;christian@brauner.io&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Newer kernels support setting file capabilities in user namespaces. In
addition to directly setting file capabilities in a user namespace they
can also be set in lieu of another user namespace by passing a uid down
to the kernel which will convert it to an appropriate kuid_t
representation.
This commit adds a new rootid argument to the internal struct
_cap_struct so that we can store the rootid when the kernel supports
VFS_CAP_REVISION_3 and returns a struct vfs_ns_cap_data.

Signed-off-by: Christian Brauner &lt;christian@brauner.io&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Andrew G. Morgan &lt;morgan@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
