| Commit message | Author | Age | Files | Lines |
This is needed to locally configure libcap to find the pid data
if the proc filesystem is not mounted at "/proc" (rare). Currently
libcap only uses this info to implement cap_iab_get_pid().
This brings libcap back to parity with the Go "cap" package.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
This brings libcap back to parity with the Go 'cap' package. We
provide a CAP_IAB_DIFFERS(result, vector) macro to evaluate the result
of cap_iab_compare().
Extend the getpcaps arguments to include --iab. This causes the utility
to explore the IAB tuple for the specified process. When used, this
outputs a text representation in a similar format to that of the
'captree' (Go) utility.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
We previously added the cap_iab_fill() etc. functions. Bring the
regular capability flag manipulation API into alignment by
adding libcap.cap_fill() and (*cap.Set).Fill().
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
A desire for this stabilization came out of a conversation with a
Google colleague, Mike Schilling.
This commit unifies the default libcap/cap (Go) behavior with libcap2
with respect to the binary output of cap.Export(). Previously,
libcap/cap.Export() could generate shorter binary values. [To restore
that behavior, set libcap/cap.MinExtFlagSize = 0.]
Looking to some point in the distant future, this also prepares libcap
to retain the same exported binary representation for capabilities
definable today... That is, if the kernel were to extend the capability
flags to be 96 bits, but a capability of "cap_chown=ep" would not touch
any of the higher bits, an 'exported' capability in external format
should not need to change. (Setting libcap/cap.MinExtFlagSize = 0,
cap.Export() => 8 bytes for this capability set in external format.
However, libcap and libcap/cap now both default to 29 bytes. That is,
libcap2 has the more significant legacy footprint.)
In all cases, libcap/cap and libcap2 were previously interoperable,
being able to import each other's exported format. This remains true
[independent of the setting of libcap/cap.MinExtFlagSize].
Addresses this bug:
https://bugzilla.kernel.org/show_bug.cgi?id=213375
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
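The external format the message above is about, modelled as an added example; this is not libcap's or the Go package's code. It assumes the layout of cap_copy_ext(): 4 magic bytes, one length byte giving the number of bytes per flag vector, then that many groups of three bytes (E, P, I). The magic bytes are what I recall from libcap's cap_extint.c and should be checked there. With a minimum flag size of 0 the encoder reproduces the 8-byte encoding of cap_chown=ep, with a floor of 8 the 29-byte one, and the importer reads both, which is the interoperability property the message describes.

```c
/* Added example, not libcap code: a stand-alone model of the "external"
 * capability format produced by cap_copy_ext()/cap.Export() and consumed
 * by cap_copy_int()/cap.Import().
 *
 * Assumed layout (verify against libcap/cap_extint.c):
 *   4 bytes magic | 1 byte n = bytes per flag vector | n * 3 bytes (E,P,I)
 * Minimal "cap_chown=ep": 4 + 1 + 1*3 = 8 bytes.
 * With an 8-byte floor:   4 + 1 + 8*3 = 29 bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EXT_MAGIC_LEN 4
#define EXT_SETS      3          /* one byte each for E, P, I per flag byte */
#define EXT_MAX_FLAG  8          /* 64 capability bits per vector in this model */

/* Assumed magic (see CAP_EXT_MAGIC in libcap's cap_extint.c). */
static const uint8_t ext_magic[EXT_MAGIC_LEN] = { 0220, 0302, 0001, 0121 };

/* A capability set: one bit per capability, three vectors. */
struct capset { uint64_t e, p, i; };

#define CAP_CHOWN      0
#define CAP_SYS_ADMIN 21

static uint64_t capbit(int cap) { return (uint64_t)1 << cap; }

/* Bytes needed to hold the highest bit set in any vector (at least 1). */
static size_t flag_bytes_needed(const struct capset *s) {
    uint64_t any = s->e | s->p | s->i;
    size_t n = 0;
    while (any) { any >>= 8; n++; }
    return n ? n : 1;
}

/* Serialize. min_flag_size is the floor on bytes per vector: 8 gives the
 * libcap2 (and new Go default) 29-byte form for small sets, 0 the old Go
 * minimal form. Returns the number of bytes written, or 0 on error. */
size_t ext_export(const struct capset *s, size_t min_flag_size,
                  uint8_t *out, size_t out_len) {
    size_t n = flag_bytes_needed(s);
    if (n < min_flag_size) n = min_flag_size;
    if (n > EXT_MAX_FLAG) return 0;
    size_t total = EXT_MAGIC_LEN + 1 + n * EXT_SETS;
    if (out_len < total) return 0;

    memcpy(out, ext_magic, EXT_MAGIC_LEN);
    out[EXT_MAGIC_LEN] = (uint8_t)n;
    uint8_t *b = out + EXT_MAGIC_LEN + 1;
    for (size_t k = 0; k < n; k++) {
        b[k * EXT_SETS + 0] = (uint8_t)(s->e >> (8 * k));
        b[k * EXT_SETS + 1] = (uint8_t)(s->p >> (8 * k));
        b[k * EXT_SETS + 2] = (uint8_t)(s->i >> (8 * k));
    }
    return total;
}

/* Deserialize. Any flag width from 1 to 8 bytes is accepted, which is what
 * keeps 8-byte and 29-byte blobs mutually readable. Returns 0, or -1 if the
 * blob is malformed (bad magic, zero/oversized width, length mismatch). */
int ext_import(const uint8_t *in, size_t in_len, struct capset *s) {
    if (in_len < EXT_MAGIC_LEN + 1 || memcmp(in, ext_magic, EXT_MAGIC_LEN) != 0)
        return -1;
    size_t n = in[EXT_MAGIC_LEN];
    if (n == 0 || n > EXT_MAX_FLAG || in_len != EXT_MAGIC_LEN + 1 + n * EXT_SETS)
        return -1;

    memset(s, 0, sizeof *s);
    const uint8_t *b = in + EXT_MAGIC_LEN + 1;
    for (size_t k = 0; k < n; k++) {
        s->e |= (uint64_t)b[k * EXT_SETS + 0] << (8 * k);
        s->p |= (uint64_t)b[k * EXT_SETS + 1] << (8 * k);
        s->i |= (uint64_t)b[k * EXT_SETS + 2] << (8 * k);
    }
    return 0;
}

int capset_equal(const struct capset *a, const struct capset *b) {
    return a->e == b->e && a->p == b->p && a->i == b->i;
}
```

The importer checks the length byte against the total blob length before trusting it; a consumer that stores these blobs (for example alongside a container image) should reject anything that fails that check rather than silently zero-filling.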
Some PAM applications drop privilege when they change UID, which has
the side effect of dropping ambient capabilities. We add support for
the "keepcaps" argument which can be used in an attempt by the module
to not drop permitted capabilities when performing a setuid() call.
Some experimentation may be needed to see if this works for any given
application. To not be a security bug vector, it requires that the application
so configured perform an exec() to launch a user-specific operation.
This is an attempt to provide some Administrator support for working
around the issue observed in this bug (report by Zoltan Fridrich):
https://bugzilla.kernel.org/show_bug.cgi?id=212945
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
The cap_launch() 2nd argument should be consistently named. So, we
choose "detail".
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
This is a handy function launcher for running a function in a forked
copy of the process. This fork will be terminated should the callback
return.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Where we need symlinks we now create them as part of the make process.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Remove psx_pthread_create() from libpsx - given the way -lpsx is
linked this is not needed.
Also, as pointed out by Lorenz Bauer, "go mod vendor" support
was unable to vendor a copy of psx_syscall.h because it didn't
reside in the same directory as the *.go code for the psx package.
(General discussion https://github.com/golang/go/issues/26366 .)
Given that we can, avoid the use of a sub-directory in the libcap
tree.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Linus' kernel has defined this one now.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
The primary path for this header is now in the Go package psx, but we
still need to link it via libcap/include.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
eBPF (extended Berkeley Packet Filters) now has its own capability.
Earlier releases of the kernel used CAP_SYS_ADMIN for this feature.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
I should have checked before releasing 2.35. Sigh. Won't make that
mistake again.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
In a couple of places I've made some Go constants internal to
the Go packages. They use underscores and weren't Go-style
constants and weren't really appropriate for use outside the
context of the Go packages.
Signed-off-by: Andrew G. Morgan <agm@google.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
In threaded programs, it's a bit tricky to fork/execve a child with
capabilities different from the parent. Implement cap_launch and
friends to accomplish this.
https://bugzilla.kernel.org/show_bug.cgi?id=206195
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Linux supports three flavors of inheritable capability vectors:
- the I (inheritable set) of cap_t
- the A (ambient) alternative to file capabilities
- the B (bounding) vector.
The cap_iab_t collects these together into one object. I exactly equals
that of cap_t, A is what you would expect and B is "blocked" bits which
are ~cap_bound -- ie., 0 = nothing blocked.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
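A bit-vector model of the cap_iab_t tuple described above, together with a compare helper in the shape of the cap_iab_compare() and CAP_IAB_DIFFERS() pair from the earlier getpcaps --iab commit, as an added example; this is not libcap's code. The coupling rules between the vectors (raising an A bit also raises the I bit, clearing an I bit clears the A bit, blocking a capability in B clears its A bit) are my reading of cap_iab(3) and should be checked there; the compare result layout, one bit per vector, is likewise assumed.

```c
/* Added example, not libcap code: model of cap_iab_t and the invariants
 * libcap keeps between its three vectors, plus an iab_compare() whose
 * result is read with IAB_DIFFERS(), mirroring CAP_IAB_DIFFERS().
 *
 * Assumed rules (check cap_iab(3)):
 *  - A is kept a subset of I: raising A raises I; clearing I clears A.
 *  - B holds "blocked" bits (~bounding set); raising B clears A, since an
 *    ambient capability cannot survive a bounding-set drop.
 *  - compare returns a bitmask with one bit per vector that differs.
 */
#include <stdint.h>

enum iab_vector { IAB_INH = 0, IAB_AMB = 1, IAB_BOUND = 2 };

struct iab { uint64_t i, a, b; };

#define IAB_DIFFERS(result, vec) (((result) >> (vec)) & 1)

static uint64_t capbit(int cap) { return (uint64_t)1 << cap; }

/* Set or clear one capability in one vector, preserving the invariants.
 * Returns 0, or -1 for an out-of-range capability or vector. */
int iab_set_vector(struct iab *t, enum iab_vector vec, int cap, int raise) {
    if (cap < 0 || cap > 63) return -1;
    uint64_t m = capbit(cap);
    switch (vec) {
    case IAB_INH:
        if (raise) t->i |= m;
        else { t->i &= ~m; t->a &= ~m; }     /* no A without I */
        break;
    case IAB_AMB:
        if (raise) { t->a |= m; t->i |= m; } /* A implies I */
        else t->a &= ~m;
        break;
    case IAB_BOUND:
        if (raise) { t->b |= m; t->a &= ~m; } /* blocked caps cannot be ambient */
        else t->b &= ~m;
        break;
    default:
        return -1;
    }
    return 0;
}

int iab_get_vector(const struct iab *t, enum iab_vector vec, int cap) {
    if (cap < 0 || cap > 63) return -1;
    uint64_t m = capbit(cap);
    switch (vec) {
    case IAB_INH:   return (t->i & m) != 0;
    case IAB_AMB:   return (t->a & m) != 0;
    case IAB_BOUND: return (t->b & m) != 0;
    default:        return -1;
    }
}

/* Bitmask of the vectors that differ; 0 when the tuples are identical. */
int iab_compare(const struct iab *x, const struct iab *y) {
    int r = 0;
    if (x->i != y->i) r |= 1 << IAB_INH;
    if (x->a != y->a) r |= 1 << IAB_AMB;
    if (x->b != y->b) r |= 1 << IAB_BOUND;
    return r;
}

/* Build a tuple from a process view (inheritable, ambient, bounding sets).
 * B is the complement of the bounding set within the kernel's max_bits. */
struct iab iab_from_proc(uint64_t inh, uint64_t amb, uint64_t bound, int max_bits) {
    uint64_t all = (max_bits >= 64) ? ~(uint64_t)0 : (capbit(max_bits) - 1);
    struct iab t = { inh, amb, (~bound) & all };
    return t;
}
```

When auditing a process with getpcaps --iab, the thing to look for is a non-empty B vector on a process you expected to be unconfined, or an A bit that is not mirrored in I; the model above refuses to produce the second state.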
When we fork() we disable thread-shared semantics for
the psx_syscall()s of the child, but retain them in the
parent. This change also enhances support for unexpectedly
exiting threads (which seems to be the way Go likes to
terminate pthreads when using cgo linkage).
Enhanced libcap_psx_test to fork() from created threads and
exit that thread after the forked child dies. (Ran this
10,000 times to generate confidence that there are no races in libpsx.)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Since we now have a serialized (linker trick) initialization of libcap
we can reliably compute the number of capabilities of the running
kernel in a race free way. Export the found number of capabilities
with the cap_max_bits() function. This is also what we now use in
both C and Go to define [all]=[eip]. In Go the equivalent function
is cap.MaxBits().
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
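How the capability count can be learned from the running kernel rather than from a compile-time CAP_LAST_CAP, as an added example; this is not libcap's code. libcap computes cap_max_bits() once at initialization; the example shows the underlying probe, prctl(PR_CAPBSET_READ, n), which fails with EINVAL at the first capability number the kernel does not define. The probe is passed in as a callback so the same loop can be checked offline against a fake kernel; the fake's assumed CAP_LAST_CAP of 40 is the value for Linux 5.9 and later.

```c
/* Added example, not libcap code: probing the kernel's capability count.
 * Real kernel: prctl(PR_CAPBSET_READ, n) returns 0/1 for a defined
 * capability and -1 with errno == EINVAL for an undefined one. */
#include <errno.h>
#include <sys/prctl.h>

#define PROBE_LIMIT 64    /* one 64-bit word per vector; enough for any kernel so far */

/* Probe signature: 1/0 for a capability the kernel knows, -1 (errno set)
 * otherwise. The real one asks the bounding set. */
typedef int (*cap_probe_fn)(int cap);

static int kernel_probe(int cap) {
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* Number of capabilities the probed kernel defines (last + 1). Returns -1 if
 * the probe fails for a reason other than "no such capability". */
int count_caps(cap_probe_fn probe) {
    int n;
    for (n = 0; n < PROBE_LIMIT; n++) {
        errno = 0;
        if (probe(n) >= 0) continue;
        return errno == EINVAL ? n : -1;
    }
    return n;
}

/* What cap_max_bits() would report on this machine. Call it once at
 * initialization and cache the result; the point of the commit is that the
 * value is computed in a serialized, race-free way, not per call. */
int cap_max_bits_kernel(void) { return count_caps(kernel_probe); }

/* Fake kernel for offline checking: defines caps 0..40 (CAP_LAST_CAP == 40,
 * CAP_CHECKPOINT_RESTORE, assumed as in Linux 5.9+). */
static int fake_probe_41(int cap) {
    if (cap <= 40) return 1;
    errno = EINVAL;
    return -1;
}
int count_caps_fake41(void) { return count_caps(fake_probe_41); }

/* Fake kernel whose probe is refused outright, e.g. by a seccomp filter
 * returning EPERM: the caller must not mistake that for "zero caps". */
static int fake_probe_refused(int cap) {
    (void)cap;
    errno = EPERM;
    return -1;
}
int count_caps_refused(void) { return count_caps(fake_probe_refused); }
```

The distinction between EINVAL and any other error matters in sandboxed environments: a seccomp policy that denies prctl would otherwise make "[all]" silently mean "nothing".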
As well as substantial updates to the man pages, including
an explanation of how capabilities can be robustly used with
pthreads, implement a set of convenience functions in libcap
to make dropping privilege in careful ways straightforward.
These include adding the abstraction of libcap recommended
"modes" and cap_setuid() and cap_setgroups() functions.
The progs/quicktest.sh script and capsh have been extended
to validate each of these new functions.
Add convenience functions to the libcap/cap Go package.
Specifically, added Compare(), Differs(), GetSecbits() &
Secbits.Set(), GetMode() & Mode.Set(), SetUID() and
SetGroups().
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Note, this override only supports the system calls that
libcap uses to change kernel state associated with the
current process. This is primarily intended to permit the
user to use libpsx to force all pthreads to mirror capability
and other security relevant state.
Use a weak function definition feature of libpsx share_psx_syscall()
to transparently arrange for libcap to so force itself to use the
psx_syscall() abstraction when linked against -lpsx. This has the
effect of using linker magic to make libcap transparently observe
POSIX semantics for security state setting operations. That is, when
linked as follows:
gcc .... -lcap -lpsx -lpthread -Wl,-wrap,pthread_create
all pthreads maintain a common security state with respect to the
libcap API.
This also adds full capability setting support to the Go package
libcap/cap via a libcap/psx package which uses cgo+libpsx syscalls
that share capabilities over all pthreads including those of the
Go runtime.
Finally, if Go supports syscall.PosixSyscall() etc. then provide
a non-psx mechanism for libcap/cap to "just work" in all Go code.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Since Linux kernel supported threads are not POSIX threads
and the glibc pthread library only supports POSIX semantics
for 9 system calls, to fully support the POSIX semantics for
a process sharing its security state across all of its
threads, we've created libpsx.
This commit also includes a threading test in tests/ for
this new psx_syscall() abstraction - one that transparently
mirrors calling POSIX-needing semantics syscalls over
all running threads.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
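An added demonstration (not libpsx's code) of the per-thread property that libpsx exists to paper over. It uses PR_SET_KEEPCAPS because flipping that securebit needs no privilege: a thread that already exists when the main thread changes it still reads the old value, while a thread created afterwards inherits the new value through clone(). The same holds for capset(2) and the other state-changing calls libcap makes, which glibc does not broadcast (its setxid machinery covers only the nine setuid/setgid-family calls), so without something like libpsx the process ends up with threads holding different capability sets.

```c
/* Added example, not libpsx code: show that a kernel per-task security
 * attribute is not shared across the threads of a process. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <pthread.h>
#include <sys/prctl.h>

struct probe {
    pthread_mutex_t *gate;   /* if set, wait here before reading */
    int seen;                /* PR_GET_KEEPCAPS result, -2 until run */
};

static void *read_keepcaps(void *arg) {
    struct probe *p = arg;
    if (p->gate) {
        pthread_mutex_lock(p->gate);     /* blocks until main releases it */
        pthread_mutex_unlock(p->gate);
    }
    p->seen = prctl(PR_GET_KEEPCAPS, 0UL, 0UL, 0UL, 0UL);
    return NULL;
}

/* Returns 1 when the flag behaves per-thread (pre-existing thread still sees
 * 0, later thread inherits 1), 0 if it looked process-wide, -1 on a setup
 * error (e.g. PR_SET_KEEPCAPS refused because SECBIT_KEEP_CAPS_LOCKED). */
int keepcaps_is_per_thread(void) {
    pthread_mutex_t gate = PTHREAD_MUTEX_INITIALIZER;
    pthread_t old_t, new_t;
    struct probe old_p = { &gate, -2 };
    struct probe new_p = { NULL, -2 };

    if (prctl(PR_SET_KEEPCAPS, 0UL, 0UL, 0UL, 0UL) != 0) return -1;  /* known start */

    pthread_mutex_lock(&gate);                 /* park the older thread at the gate */
    if (pthread_create(&old_t, NULL, read_keepcaps, &old_p) != 0) {
        pthread_mutex_unlock(&gate);
        return -1;
    }
    int rc = prctl(PR_SET_KEEPCAPS, 1UL, 0UL, 0UL, 0UL);   /* changes only this thread */
    pthread_mutex_unlock(&gate);               /* now let the older thread look */
    pthread_join(old_t, NULL);
    if (rc != 0) return -1;

    /* A thread created after the change starts from a copy of our creds. */
    if (pthread_create(&new_t, NULL, read_keepcaps, &new_p) != 0) return -1;
    pthread_join(new_t, NULL);

    prctl(PR_SET_KEEPCAPS, 0UL, 0UL, 0UL, 0UL);   /* tidy up */
    if (old_p.seen < 0 || new_p.seen < 0) return -1;
    return (old_p.seen == 0 && new_p.seen == 1) ? 1 : 0;
}
```

The uncomfortable consequence for privilege-dropping code is the reverse case: a thread that dropped capabilities via a raw capset(2) has not protected the process, because every other thread (including runtime-owned ones such as Go's) keeps the original set until it is told to mirror the change.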
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Hello, Mr. Andrew G. Morgan!
I've found a tiny bug in libcap public headers.
Unfortunately, I don't have an idea how to report this properly or make a
pull request on the kernel.org website (I don't have an account there). So,
I've just made a fork to my account on github.com and now sending a pull
request to you.
If these all should be done according to a different procedure, please,
feel free to ask me for that.
And here is my request for pull:
The following changes since commit 658325c875d36539fd66c6960433435706203759:
Up the minor release number. (2018-09-15 14:54:14 -0700)
are available in the git repository at:
https://github.com/xoiss/libcap.git master
for you to fetch changes up to 5497b45db823f86e13835b5e55cbe4091ef3bfe1:
Fix mistakenly permuted parameter sets of capget and capset (2019-02-07
02:56:52 +0300)
----------------------------------------------------------------
Alexander A. Strelets (1):
Fix mistakenly permuted parameter sets of capget and capset
libcap/include/sys/capability.h | 4 ++--
libcap/libcap.h | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
cap_set_nsowner() allows setting the rootid of file capability sets. It can
be used to set the rootid of a target user namespace as seen in the
current user namespace. This allows a user namespace to set file
capabilities in lieu of another user namespace.
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
cap_get_nsowner() allows retrieving the rootid of the file capability sets
in the current user namespace.
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
As noted by Christian Brauner.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Note, the kernel version of this file has evolved away from the libcap
license so we are managing this source separately. The slightly more
open nature of the libcap version can be merged into the kernel if wanted.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
The ambient set is some strangeness associated with trying to revive
naive inheritance. While personally not a fan of this feature, I
recognize it is in the kernel so libcap now supports it with
three new functions:
int cap_get_ambient(cap_value_t cap)
int cap_set_ambient(cap_value_t cap, cap_flag_value_t set)
int cap_reset_ambient(void)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
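The prctl(2) operations behind the three functions listed above, plus the rule the kernel applies before it lets a process raise an ambient bit, as an added example; this is not libcap's code. The capget(2) structures are written out here rather than taken from <linux/capability.h>, the PR_CAP_AMBIENT constants are the ones from prctl(2), and the securebit value for SECBIT_NO_CAP_AMBIENT_RAISE is as in linux/securebits.h. The raise wrapper runs the rule locally first so that a failure says which precondition was missing instead of a bare EPERM.

```c
/* Added example, not libcap code: the kernel interface that
 * cap_get_ambient()/cap_set_ambient()/cap_reset_ambient() sit on top of. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* prctl(2) constants, spelled out in case the libc headers predate them. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT            47
#define PR_CAP_AMBIENT_IS_SET      1
#define PR_CAP_AMBIENT_RAISE       2
#define PR_CAP_AMBIENT_LOWER       3
#define PR_CAP_AMBIENT_CLEAR_ALL   4
#endif
#ifndef PR_GET_SECUREBITS
#define PR_GET_SECUREBITS 27
#endif
#define SECBIT_NO_CAP_AMBIENT_RAISE_BIT (1u << 6)   /* linux/securebits.h */

/* Raw capget(2) with the v3 ABI: two 32-bit words per set. */
struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };
#define CAP_ABI_V3 0x20080522

int read_proc_caps(uint64_t *permitted, uint64_t *inheritable) {
    struct cap_hdr h = { CAP_ABI_V3, 0 };          /* pid 0: calling thread */
    struct cap_data d[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    *permitted   = ((uint64_t)d[1].permitted   << 32) | d[0].permitted;
    *inheritable = ((uint64_t)d[1].inheritable << 32) | d[0].inheritable;
    return 0;
}

/* The operations the three libcap functions wrap. */
int ambient_get(int cap) {
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long)cap, 0UL, 0UL);
}
int ambient_lower(int cap) {
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, (unsigned long)cap, 0UL, 0UL);
}
int ambient_reset(void) {
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL);
}

/* Pure model of the kernel's rule for PR_CAP_AMBIENT_RAISE: the capability
 * must already be in both P and I, and the no-ambient-raise securebit must
 * be clear. Returns 0 if allowed, otherwise a negative errno saying why. */
int ambient_raise_check(uint64_t permitted, uint64_t inheritable,
                        unsigned securebits, int cap) {
    if (cap < 0 || cap > 63) return -EINVAL;
    uint64_t m = (uint64_t)1 << cap;
    if ((permitted & m) == 0 || (inheritable & m) == 0) return -EPERM;
    if (securebits & SECBIT_NO_CAP_AMBIENT_RAISE_BIT) return -EPERM;
    return 0;
}

/* Raise with a diagnosis; the kernel only says EPERM, this says why. */
int ambient_raise(int cap) {
    uint64_t p, i;
    if (read_proc_caps(&p, &i) != 0) return -errno;
    int sb = prctl(PR_GET_SECUREBITS, 0UL, 0UL, 0UL, 0UL);
    if (sb < 0) return -errno;
    int why = ambient_raise_check(p, i, (unsigned)sb, cap);
    if (why != 0) return why;
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0UL, 0UL) != 0)
        return -errno;
    return 0;
}
```

Note that the ambient set, like the rest of the capability state, is per-thread (see the libpsx discussion elsewhere on this page): raising a bit here affects only the calling thread and whatever it subsequently forks or execs.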
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
This header stuff seems a bit fragile, but Serge reports including
it in sys/capability.h was causing a lot of trouble building dependent
app packages.
From the perspective of libcap, this API is only needed internally in
cap_file.c so we put an include there.
Signed-off-by: Andrew G Morgan <morgan@kernel.org>
Cc: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
Signed-off-by: Andrew G Morgan <morgan@kernel.org>
In adopting this uapi header file (without kernel internals), I previously
messed up on the apparent location of the files. Thanks to Tom Gundersen for
the clarification. Also, delete the non-uapi copies of things since they
are no longer needed to build the library and tools.
Signed-off-by: Andrew G Morgan <morgan@kernel.org>
Signed-off-by: Andrew G Morgan <morgan@kernel.org>
Include some documentation and a link to capsh's man page.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Since commit 38ef4c2e437d11b5922723504b62824e96761459 syslog
operations require the CAP_SYSLOG capability (introduced by commit
ce6ada35bdf710d16582cc4869c26722547e6f11), not CAP_SYS_ADMIN.
This patch introduces the CAP_SYSLOG capability.
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Also add linux securebits.h file in case the system headers did not
include them.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Hey Andrew,
Do you think this belongs in libcap? I figure it looks nice
sitting next to include/sys/capability.h... But can't
convince myself whether it's useful or not.
Signed-off-by: Serge Hallyn <serge@us.ibm.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Also clean up header to avoid hackery - no longer needed apparently.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
This change should not impact any code.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Test new and old function with modified test.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
v3 capabilities are functionally equivalent to v2 capabilities, but
having a different magic value allows the kernel to warn about possibly
unsafe use of v2 capabilities.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Don't install non-existent man pages.
Update kernel header from latest 2.6.26 git tree.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
This function makes modifying only one of E I and P sets easier.
cap_clear() = cap_clear_flag(,E) + cap_clear_flag(,I) + cap_clear_flag(,P)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
This reverts commit 6f8418fa5e8a253970e317600cb963ff45fbe24e.
Serge says this was premature (and Andrew says my bad).
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Serge H. Hallyn <sergeh@us.ibm.com>