143 lines
6.7 KiB
Diff
143 lines
6.7 KiB
Diff
|
diff -urp libcap-ng-0.8.orig/docs/capng_have_capabilities.3 libcap-ng-0.8/docs/capng_have_capabilities.3
|
||
|
--- libcap-ng-0.8.orig/docs/capng_have_capabilities.3 2018-02-07 13:20:31.000000000 -0500
|
||
|
+++ libcap-ng-0.8/docs/capng_have_capabilities.3 2018-08-09 16:29:40.521624973 -0400
|
||
|
@@ -1,14 +1,20 @@
|
||
|
-.TH "CAPNG_HAVE_CAPABILITIES" "3" "June 2009" "Red Hat" "Libcap-ng API"
|
||
|
+.TH "CAPNG_HAVE_CAPABILITIES" "3" "Aug 2018" "Red Hat" "Libcap-ng API"
|
||
|
.SH NAME
|
||
|
-capng_have_capabilities \- general check for capabilities
|
||
|
+.nf
|
||
|
+capng_have_capabilities, capng_have_permitted_capabilities \- check for capabilities
|
||
|
.SH "SYNOPSIS"
|
||
|
.B #include <cap-ng.h>
|
||
|
.sp
|
||
|
capng_results_t capng_have_capabilities(capng_select_t set);
|
||
|
+capng_results_t capng_have_permitted_capabilities(void);
|
||
|
|
||
|
.SH "DESCRIPTION"
|
||
|
|
||
|
-capng_have_capabilities will check the selected internal capabilities sets to see what the status is. The capabilities sets must be previously setup with calls to capng_get_caps_process, capng_get_caps_fd, or in some other way setup. The options are CAPNG_SELECT_CAPS for the traditional capabilities, CAPNG_SELECT_BOUNDS for the bounding set, or CAPNG_SELECT_BOTH if clearing both is desired.
|
||
|
+capng_have_capabilities will check the selected internal capabilities sets to see what the status is. The capabilities sets must be previously setup with calls to capng_get_caps_process, capng_get_caps_fd, or in some other way setup. The options are CAPNG_SELECT_CAPS for the traditional capabilities, CAPNG_SELECT_BOUNDS for the bounding set, or CAPNG_SELECT_BOTH if clearing both is desired. When capabilities are checked, it will only look at the effective capabilities.
|
||
|
+
|
||
|
+If, however, the source of capabilities comes from a file, then you may need to additionally check the permitted capabilities. It's for this reason that
|
||
|
+.B capng_have_permitted_capabilities
|
||
|
+was created. It takes no arguments because it simply checks the permitted set.
|
||
|
|
||
|
.SH "RETURN VALUE"
|
||
|
|
||
|
diff -urp libcap-ng-0.8.orig/src/cap-ng.c libcap-ng-0.8/src/cap-ng.c
|
||
|
--- libcap-ng-0.8.orig/src/cap-ng.c 2018-07-02 14:42:53.993939477 -0400
|
||
|
+++ libcap-ng-0.8/src/cap-ng.c 2018-08-09 16:31:47.255611373 -0400
|
||
|
@@ -777,10 +776,10 @@ capng_results_t capng_have_capabilities(
|
||
|
full = 1;
|
||
|
else
|
||
|
return CAPNG_PARTIAL;
|
||
|
- if ((m.data.v3[1].effective & UPPER_MASK) == 0)
|
||
|
+ if ((m.data.v3[1].effective & UPPER_MASK) == 0 && !full)
|
||
|
empty = 1;
|
||
|
else if ((m.data.v3[1].effective & UPPER_MASK) ==
|
||
|
- UPPER_MASK)
|
||
|
+ UPPER_MASK && !empty)
|
||
|
full = 1;
|
||
|
else
|
||
|
return CAPNG_PARTIAL;
|
||
|
@@ -805,6 +804,40 @@ capng_results_t capng_have_capabilities(
|
||
|
|
||
|
if (empty == 1 && full == 0)
|
||
|
return CAPNG_NONE;
|
||
|
+ else if (empty == 0 && full == 1)
|
||
|
+ return CAPNG_FULL;
|
||
|
+
|
||
|
+ return CAPNG_PARTIAL;
|
||
|
+}
|
||
|
+
|
||
|
+// -1 - error, 0 - no caps, 1 partial caps, 2 full caps
|
||
|
+capng_results_t capng_have_permitted_capabilities(void)
|
||
|
+{
|
||
|
+ int empty = 0, full = 0;
|
||
|
+
|
||
|
+ // First, try to init with current set
|
||
|
+ if (m.state < CAPNG_INIT)
|
||
|
+ capng_get_caps_process();
|
||
|
+
|
||
|
+ // If we still don't have anything, error out
|
||
|
+ if (m.state < CAPNG_INIT)
|
||
|
+ return CAPNG_FAIL;
|
||
|
+
|
||
|
+ if (m.data.v3[0].permitted == 0)
|
||
|
+ empty = 1;
|
||
|
+ else if (m.data.v3[0].permitted == 0xFFFFFFFFU)
|
||
|
+ full = 1;
|
||
|
+ else
|
||
|
+ return CAPNG_PARTIAL;
|
||
|
+ if ((m.data.v3[1].permitted & UPPER_MASK) == 0 && !full)
|
||
|
+ empty = 1;
|
||
|
+ else if ((m.data.v3[1].permitted & UPPER_MASK) == UPPER_MASK && !empty)
|
||
|
+ full = 1;
|
||
|
+ else
|
||
|
+ return CAPNG_PARTIAL;
|
||
|
+
|
||
|
+ if (empty == 1 && full == 0)
|
||
|
+ return CAPNG_NONE;
|
||
|
else if (empty == 0 && full == 1)
|
||
|
return CAPNG_FULL;
|
||
|
|
||
|
diff -urp libcap-ng-0.8.orig/src/cap-ng.h libcap-ng-0.8/src/cap-ng.h
|
||
|
--- libcap-ng-0.8.orig/src/cap-ng.h 2018-02-07 13:20:31.000000000 -0500
|
||
|
+++ libcap-ng-0.8/src/cap-ng.h 2018-08-09 15:54:10.054853595 -0400
|
||
|
@@ -63,6 +63,7 @@ int capng_apply_caps_fd(int fd);
|
||
|
|
||
|
// These functions check capability bits
|
||
|
capng_results_t capng_have_capabilities(capng_select_t set);
|
||
|
+capng_results_t capng_have_permitted_capabilities(void);
|
||
|
int capng_have_capability(capng_type_t which, unsigned int capability);
|
||
|
|
||
|
// These functions printout capabilities
|
||
|
diff -urp libcap-ng-0.8.orig/utils/filecap.8 libcap-ng-0.8/utils/filecap.8
|
||
|
--- libcap-ng-0.8.orig/utils/filecap.8 2018-02-07 13:20:31.000000000 -0500
|
||
|
+++ libcap-ng-0.8/utils/filecap.8 2018-08-09 16:35:39.751586424 -0400
|
||
|
@@ -1,10 +1,10 @@
|
||
|
-.TH FILECAP: "8" "March 2009" "Red Hat" "System Administration Utilities"
|
||
|
+.TH FILECAP: "8" "Aug 2018" "Red Hat" "System Administration Utilities"
|
||
|
.SH NAME
|
||
|
filecap \- a program to see capabilities
|
||
|
.SH SYNOPSIS
|
||
|
.B filecap [ \-a | \-d | /dir | /dir/file [cap1 cap2 ...] ]
|
||
|
.SH DESCRIPTION
|
||
|
-\fBfilecap\fP is a program that prints out a report of programs with file based capabilities. If a file is not in the report or there is no report at all, no capabilities were found. For expedience, the default is to check only the directories in the PATH environmental variable. If the \-a command line option is given, then all directories will be checked. If a directory is passed, it will recursively check that directory. If a path to a file is given, it will only check that file. If the path to the file includes capabilities, then they are written to the file.
|
||
|
+\fBfilecap\fP is a program that prints out a report of programs with file based capabilities. If a file is not in the report or there is no report at all, no capabilities were found. For expedience, the default is to check only the directories in the PATH environmental variable. If the \-a command line option is given, then all directories will be checked. If a directory is passed, it will recursively check that directory. If a path to a file is given, it will only check that file. If a file is given followed by capabilities, then the capabilities are written to the file.
|
||
|
|
||
|
.SH OPTIONS
|
||
|
.TP
|
||
|
diff -urp libcap-ng-0.8.orig/utils/filecap.c libcap-ng-0.8/utils/filecap.c
|
||
|
--- libcap-ng-0.8.orig/utils/filecap.c 2018-02-07 13:20:31.000000000 -0500
|
||
|
+++ libcap-ng-0.8/utils/filecap.c 2018-08-09 16:03:18.989794688 -0400
|
||
|
@@ -59,6 +59,7 @@ static int check_file(const char *fpath,
|
||
|
int fd = open(fpath, O_RDONLY|O_CLOEXEC);
|
||
|
if (fd >= 0) {
|
||
|
capng_results_t rc;
|
||
|
+ int permitted = 0;
|
||
|
|
||
|
capng_clear(CAPNG_SELECT_BOTH);
|
||
|
if (capng_get_caps_fd(fd) < 0) {
|
||
|
@@ -68,12 +69,17 @@ static int check_file(const char *fpath,
|
||
|
ret = 1;
|
||
|
}
|
||
|
rc = capng_have_capabilities(CAPNG_SELECT_CAPS);
|
||
|
+ if (rc == CAPNG_NONE) {
|
||
|
+ permitted = 1;
|
||
|
+ rc = capng_have_permitted_capabilities();
|
||
|
+ }
|
||
|
if (rc > CAPNG_NONE) {
|
||
|
if (header == 0) {
|
||
|
header = 1;
|
||
|
- printf("%-20s capabilities\n", "file");
|
||
|
+ printf("%-9s %-20s capabilities\n", "set", "file");
|
||
|
}
|
||
|
- printf("%s ", fpath);
|
||
|
+ printf("%s %s ",
|
||
|
+ permitted ? "permitted" : "effective", fpath);
|
||
|
if (rc == CAPNG_FULL)
|
||
|
printf("full");
|
||
|
else
|