In 2.54 (*Set).Compare() was deprecated in favor of (*Set).Cf(),
so update the top level comment to reflect the preferred API.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Older APIs remain but are documented as deprecated. If we ever need
to release a golang version "2" version of the library, I'll drop
support for deprecated functions, but I have no intention of needing
to do that. In the meantime, the deprecated functions are wrappers
around the new functions.
New API: *Set and *IAB have .Cf() functions now that return a
[IAB]Diff value. This value, if 0, means the compared pointers
match one another. Non-zero values can be interrogated with the
([IAB]Diff).Has() functions.
Also, add an IABGetPID() function. Since the kernel provides no
syscall support for this, we have to resort to parsing the /proc/
files. Implemented mostly for parity with the syscall backed
GetPID() *Set returning API.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Typos found with codespell
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Thanks to Gregory Fuchedzhy for requesting the feature(s) and kicking
the tires on it.
Details: https://bugzilla.kernel.org/show_bug.cgi?id=211919
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Also a minor change to the cap examples in the package overview doc.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Create a new launcher that does not require a specific target executable
but comes as close as Go lets to running code in a disposable security
context.
In C, this same functionality is implemented as a full-blown fork() and
is useful when libcap is linked with libpsx. In Go, we can't
meaningfully fork the go runtime, so this is the next best thing. It is
intended to implement the feature discussed here:
https://bugzilla.kernel.org/show_bug.cgi?id=211919
Previously, we banned use of capability etc setting cap.Fn() calls from
within a launch callback. With this change, we now permit the callback
to perform cap.Fn() calls in such a way that they are automatically
limited to the callback goroutine and do not affect the rest of the
process. Because this goroutine will die after the launch callback
completes this behavior does not confuse the rest of the process - which
retains a process wide security state - POSIX semantics.
The main process goroutines outside of launchers will continue to block
on cap.Fn() calls that modify process capability state until all
outstanding launch()es have completed.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
I realized that there were no explicit comments about the POSIX
semantics underpinning the behavior of libcap/cap. So, I've added some.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Go 1.16 release branch contains the syscall.AllThreadsSyscall now,
so use the Go release tag to identify a build environment that supports
this feature.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Drop references to go1.15rc1
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
While this does not change anything about the supported range of
equivalent text specifications for capabilities, as accepted by
cap_from_text(), this does alter the preferred output format of
cap_to_text() to be two characters shorter in most cases. That is,
what used to be summarized as:
"= cap_foo+..."
is now converted to the equivalent text:
"cap_foo=..."
which is also more intuitive.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Also add some .String() functions for Flag and Vector values.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
The main functional change with this commit is to fix this bug:
https://bugzilla.kernel.org/show_bug.cgi?id=208445
Also, include better documentation for the "cap" module. Now that it
is a proper Go module, it is starting to show up on the automated
golang module sites (such as pkg.go.dev) and I thought it deserved
more of an intro comment.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
After reading more about Go modules, I now see how ownership of the
stable URL path for the packages is required. As such, I'm changing
the official package paths to these:
"kernel.org/pub/linux/libs/security/libcap/cap"
"kernel.org/pub/linux/libs/security/libcap/psx"
I have the right permissions to maintain these directories. I will
place the libcap/{cap,psx}/index.html files at those locations and
then validate that the go getting magic does the right things.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
In a couple of places I've made some Go constants internal to
the Go packages. They use underscores and weren't Go-style
constants and weren't really appropriate for use outside the
context of the Go packages.
Signed-off-by: Andrew G. Morgan <agm@google.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
The latest iteration of the golang patch [*] for supporting a
syscall API that can normalize privilege over the whole runtime
(aka POSIX semantics) has renamed this API. The API also now
drops this functionality when CGO is enabled, but that doesn't
affect libcap because libcap uses libpsx in this build
configuration.
[*] https://go-review.googlesource.com/c/go/+/210639/
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
golang-1.14* on arm64 consumes a lot of stack and the feature
we need appears to be handled by //go:uintptrescapes .
Addresses the issue reported by thediveo@ here:
https://bugzilla.kernel.org/show_bug.cgi?id=207547
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
From a Go runtime provide a convenient way to launch a different
process with modified capabilities etc. without disturbing the
security state of the parent.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Since we now have a serialized (linker trick) way to initialize libcap,
we can reliably compute the number of capabilities of the running
kernel in a race free way. Export the found number of capabilities
with the cap_max_bits() function. This is also what we now use in
both C and Go to define [all]=[eip]. In Go the equivalent function
is cap.MaxBits().
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
If the ambient set is locked, but empty already, allow
cap_reset_ambient to succeed. That is, change the semantics
of cap_reset_ambient to be those of ensuring that the set
is reset.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
As well as substantial updates to the man pages, including
an explanation of how capabilities can be robustly used with
pthreads, implement a set of convenience functions in libcap
to make dropping privilege in careful ways straightforward.
These include adding the abstraction of libcap recommended
"modes" and cap_setuid() and cap_setgroups() functions.
The progs/quicktest.sh script and capsh have been extended
to validate each of these new functions.
Add convenience functions to the libcap/cap Go package.
Specifically, added Compare(), Differs(), GetSecbits() &
Secbits.Set(), GetMode() & Mode.Set(), SetUID() and
SetGroups().
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
I've moved my go.patch to address:
https://github.com/golang/go/issues/1435
into a development patch against the upstream Go sources:
https://go-review.googlesource.com/c/go/+/210639/
and the review process will likely evolve it somewhat. I plan to
ensure that the working libcap/cap Go package is in sync with the
working state of the above development change.
As such, there is no need to keep the patch here any more.
I'll keep the tests for now, as it isn't clear to me how the Go
source tree supports tests that require privilege yet.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
By default, we are installing "libcap/cap" and "libcap/psx"
in "/usr/share/gocode/src/". To make this work, we also install
"libpsx.a" with "libcap.*".
[If anyone wants to contribute a go .pc/.pc.in file for the Go
packages, that would be appreciated.]
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
I guess this API was implemented with required defaults in
case it gets more complicated in the future.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Reject &cap.Set{} definitions harder. Require the use of cap.NewCap().
Also remove dependence on syscall.*Syscall6() for prctl - our use is
fully covered by the syscall.*Syscall() API.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
This version of the Go package libcap/cap works well
enough to be used by others. Unfortunately, to use it
we need to apply something like the included patch
(contrib/go.patch) to the build sources for the Go
runtime and syscall packages.
I'll be trying to get these accepted by the Go team
in parallel.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
The API for this "libcap/cap" package is very similar to libcap.
I've included a substantial interoperability test that validates that
libcap(c) and libcap/cap(go) have import/export text and binary
format compatibility.
My motivation for implementing a standalone Go package was for a
cross-compilation issue I ran into (Go is much more friendly for
cross-compilation by default, unless you need to use cgo).
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>