authorAndrew G. Morgan <morgan@kernel.org>2021-09-05 11:42:28 -0700
committerAndrew G. Morgan <morgan@kernel.org>2021-09-05 11:42:28 -0700
commit967b3a0a95223036478e7d991ee96fa42912803a (patch)
tree3e452269cd7b58b8a65708e98da789635e159307
parent5ef14d07420c299ecd8de96928a5d1ce1e232df3 (diff)
downloadlibcap2-967b3a0a95223036478e7d991ee96fa42912803a.tar.gz
Add --mode query support to capsh
This addresses the feature request: https://bugzilla.kernel.org/show_bug.cgi?id=214319 Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r--doc/capsh.111
-rw-r--r--progs/capsh.c57
2 files changed, 41 insertions, 27 deletions
diff --git a/doc/capsh.1 b/doc/capsh.1
index 87ce06e..42637ab 100644
--- a/doc/capsh.1
+++ b/doc/capsh.1
@@ -91,9 +91,10 @@ Following this command, the effective capabilities will be cleared,
but the permitted set will not be, so the running program is still
privileged.
.TP
-.B \-\-modes
-Lists all of the libcap modes supported by
-.BR \-\-mode .
+.B \-\-mode
+Display the prevailing libcap mode as guessed by the
+.BR cap_get_mode (3)
+function.
.TP
.BR \-\-mode= <mode>
Force the program into a
@@ -101,6 +102,10 @@ Force the program into a
security mode. This is a set of securebits and prevailing capability
arrangement recommended for its pre-determined security stance.
.TP
+.B \-\-modes
+Lists all of the libcap modes supported by
+.BR \-\-mode= <mode>.
+.TP
.BR \-\-inmode= <mode>
Confirm that the prevailing mode is that specified in
.IR <mode> ,
diff --git a/progs/capsh.c b/progs/capsh.c
index 0cf8b1e..be86cd7 100644
--- a/progs/capsh.c
+++ b/progs/capsh.c
@@ -611,30 +611,38 @@ int main(int argc, char *argv[], char *envp[])
printf(" %s", m);
}
printf("\n");
- } else if (!strncmp("--mode=", argv[i], 7)) {
- const char *target = argv[i]+7;
- cap_mode_t c;
- int found = 0;
- for (c = 1; ; c++) {
- const char *m = cap_mode_name(c);
- if (!strcmp("UNKNOWN", m)) {
- found = 0;
- break;
+ } else if (!strncmp("--mode", argv[i], 6)) {
+ if (argv[i][6] == '=') {
+ const char *target = argv[i]+7;
+ cap_mode_t c;
+ int found = 0;
+ for (c = 1; ; c++) {
+ const char *m = cap_mode_name(c);
+ if (!strcmp("UNKNOWN", m)) {
+ found = 0;
+ break;
+ }
+ if (!strcmp(m, target)) {
+ found = 1;
+ break;
+ }
}
- if (!strcmp(m, target)) {
- found = 1;
- break;
+ if (!found) {
+ printf("unsupported mode: %s\n", target);
+ exit(1);
}
- }
- if (!found) {
- printf("unsupported mode: %s\n", target);
- exit(1);
- }
- int ret = cap_set_mode(c);
- if (ret != 0) {
- printf("failed to set mode [%s]: %s\n",
- target, strerror(errno));
- exit(1);
+ int ret = cap_set_mode(c);
+ if (ret != 0) {
+ printf("failed to set mode [%s]: %s\n",
+ target, strerror(errno));
+ exit(1);
+ }
+ } else if (argv[i][6]) {
+ printf("unrecognized command [%s]\n", argv[i]);
+ goto usage;
+ } else {
+ cap_mode_t m = cap_get_mode();
+ printf("Mode: %s\n", cap_mode_name(m));
}
} else if (!strncmp("--inmode=", argv[i], 9)) {
const char *target = argv[i]+9;
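Review bot: The widened prefix test `!strncmp("--mode", argv[i], 6)` at the top of the hunk also matches `--modes`, so the new branch is correct only because the `--modes` handler (above the hunk) is tested first; that ordering dependency deserves a comment, e.g. `/* "--modes" is consumed by the branch above; a bare "--mode" or "--mode=<x>" lands here */`. Inside the `--mode=` path the `found = 0;` before `break;` is redundant since `found` is already initialised to 0 two lines earlier, and could be dropped for clarity. The bare `--mode` query path relies on `cap_mode_name()` returning a printable string for whatever `cap_get_mode()` reports; the search loop above terminates on the literal "UNKNOWN", which suggests that is the fallback, but it is not visible here. The enclosing `main()` starts and ends outside the hunk.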
@@ -1106,8 +1114,9 @@ int main(int argc, char *argv[], char *envp[])
" --keep=<n> set keep-capability bit to <n>\n"
" --killit=<n> send signal(n) to child\n"
" --license display license info\n"
- " --modes list libcap named capability modes\n"
- " --mode=<xxx> set capability mode to <xxx>\n"
+ " --mode display current libcap mode\n"
+ " --mode=<xxx> set libcap mode to <xxx>\n"
+ " --modes list libcap named modes\n"
" --no-new-privs set sticky process privilege limiter\n"
" --noamb reset (drop) all ambient capabilities\n"
" --print display capability relevant state\n"