ignore known lint issues

Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>

.cvsignore

@@ -1 +0,0 @@
-libcap-2.16.tar.gz

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -0,0 +1,3 @@
+/libcap-*.tar.gz
+/libcap-*.tar.sign
+/*.src.rpm

29EE848AE2CCF3F4.asc

@@ -0,0 +1,105 @@
+pub   rsa4096 2011-10-07 [SC]
+      38A644698C69787344E954CE29EE848AE2CCF3F4
+uid                      Andrew G. Morgan <morgan@kernel.org>
+uid                      Andrew G. Morgan (Work Address) <agm@google.com>
+sub   rsa4096 2011-10-07 [E]
+      E8BBFE9EBCE94FB48D2F98FC61B996743B143E89
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBE6OiBIBEADpdtUxC8Fmhn5UK6UCZdU7mFgZwN8U9cabFUPfUIkMqXULhCD0
+hG2/amuiiUoLollPjOopNqk4cc8LcZfszOdBFAYj7MeWzNySVw4KkWrVCEH/bZ0Q
+QzZH2qmoMT5CIrtcNxCAvukYsZLhyZYO0HdfuE05mVhVjtX9Btfxr7Ndvb7L4MRS
+3Qb6+nHTgfn/Oow92/koIWvi0YvskKdZypeU888TQL99E8xdgL2n2Ip3xYwBHRR2
+GPb5MGOuEItF3tJ0kkILW5mzkJq/iLzRphzKjdF76I9QVRP8dZ+uWHPubWePm/5c
+1H9lnlw00ZZ/ucQvSwTesUYk2aKkxzgm6X8fCdJXBLGgW5K6CkynpjN3qJ9KpcNY
+H55smUgp8BaiWuoHe4pLvuBhnN2wiYOe2j9UvGX1OaRstMXFx7YbBvkGgdoZthUe
+VPGAa4K+dnI2oy4wukzl/unAKrlMCBRsRoW2qjy3TDSXqwJhd34ilHzrdAdchrh/
+acBfbBtRzVlcDTnGltDNMuRTXzujaY9C3B0L2E+Jfrds8WcM8ASO4mHwJUTMrBwM
+b5sFSG+/X9Ufg/c2G086HQ7xMERUA5oz66P5ReHCph8WHQN2L5vtZwL7//hZB9hn
+G0K1210YEDXpFPijpis/54MKUSkWEFOLjUbiSPbwEfb79A00CcHojQQinwARAQAB
+tCRBbmRyZXcgRy4gTW9yZ2FuIDxtb3JnYW5Aa2VybmVsLm9yZz6JAhwEEAECAAYF
+Ak6YnFgACgkQINBOWnE2YKdO8Q//fwzZuxAacpWE2wByvuwM7hiYOtzxX9tSsaMA
+NaYtxb8rYwM5YtkjCaBnWoyJ8de7L82HJff/GnxVpw0CWm5Dyj9Pvs/VAIvC4+75
++5cs6YWQIhIV5NbmD92lKFni2xNcBomzttB1CexjemtmXQIwm0i06HBbfg8Nkv3l
+WnZlHHzgOffnkodR56rJCOq75wTPZPmx9WP87bDW2B5ZwzGs4jcBEP8qz4J5agVk
+97OrYrhy2RrtD6a4f3/VYJq12mvJ/lImgEwNoLsZfMZ6B6wpCvfmx80z1dE/VOmG
+YKpDPhU5v6y0gQm/UOpz0tzgRJw7CYRK3mbM/Ctnc4n6y0UpbVAmAStRvnlM1DgL
+3nuuh3EJ6s1r2m2l1SRT09va+lK6s1GARMD+6tmQE7+89DwwSB0lJtWCHRGP/M8W
+ePdqRAVz3xTkqbRMgcnuvpL6qPveK1Qzv2MxUomB7A8QDxzKzQAIugzm5E1irfmZ
+jg54/8R2bo0uIp8PS6wx8RD7TYHxGpe4cEAkBr/5/5TfMaTDbrx/f/XqRm/89Mx9
+04TLVyMqVDcsXAgd+fIGtv/e8cBVMDIRsE9aZQsSOil168Q8qYrJbYRcWmEGaM4d
+KCGYhEPE7ZaZK4jxshSwfiirozCoAmkTmvOt4E0s2HlljjLPDecAlvoFvn2bSS3Z
+8coir4CJAjsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOmRGP
+AhkBAAoJECnuhIrizPP0wK0P/RMvjmzeXbgoa36cBDvDKReAiC56Au4qGXkNah39
+84tNPT1hVUKCiwiUmULoNJbEI4qFJTtwsMi5QzE+daCA7t+ALJiC+PKiKFG1LDz7
+mxfhmBeS3XcYuqZdjyKrATUFr0SHbsJxtRCslawGD2gKczLknFeBXL0997TfJS9i
+pLibqCtmvyryHn4EbZfoJqcpj/RBN/izVGHNYI8BsZpO5F6z7vXoncDL0dKh65nd
+GaIbhVDUPsDBvzg3i+EzhB51hYTTNKK0QpWbmsXfJBnvztinfLUsnO9HV8aRaygO
+I/DAKAtT7YPXORA1oFYtx69bzulqC+TXUmeV8YW8bETH4xHM9mQb0oNLPibR2nK2
+FSDiLp0/eEM5vgzfPVUX7WzBJUPsf0ah/e1yrXqudGUUZ0R+3VMOdxMryZBKLymk
+zyvu6a5DcLarqAt8y9ciRH67HKNnE1gvHf5K2Q37gwSecwmXCjpMlbVJnIarLKBc
+VRcYKtxgPxCv6483I8heSKF7PB/IFBmzT1cX7lhln9+62Ks/0Gs0pA0iNLaD+POP
+iqWrAwZsFvKjD9PDaCBDFRWjFqZLyJMsMi1qmP8jWsdQqPdUskQC0ftvw3Z6Siyy
+rriSAzglCjmmAcfdt+w4b/EO4SzSZUnd/ApkHkZx1Lbta15WKxGi7S8/5zNdaK72
+1nUdiQIzBBABCAAdFiEEIHnICkX+vZuglRryyyMS4ez3P1cFAl0PDA8ACgkQyyMS
+4ez3P1eHXg//ceYbw0RGvvkpBn41t2D2OEDnowyAqgdrByFoub4mam3lxjKZob6F
+nIVcp0aY6TTOW0Peo0ZMigLh2DkEpF0JZrtTu5Om2tZpn+16d2c9ThROEasTERqI
+AnUHMmpXupRZDSdHJTSD+HdlBSvO9Ve2vtIv/F9AW8pIQqZby3rJeFwsaQl9GUuw
+T6teyBG5GZVFLDvNM2r64moTGvxsZdOEz/2KSZNMONEIFWYJPbBtaKZjlNJebh+i
+YwOda6YqGwmyBpudtMtyHUT5gXBIaaMfKW40CxxTesOuV7YWg52ZkJe8tsURnIUi
+55wCaLnNM+bsqjRIDZ5tAvCqTCj+T5hg6uJbmWOhCHW4VMp3PKEgmajMSZVAfzcW
+iryAT/xol531qwer+3LRRS21qha3lfAJNaDy6rTHBqeDXyo7oeBQwoFIJFA5w9Ia
+DVRfWXiKnHjsma0CEg1JXXnL1eb2Bzh8qInUQEgm92B/w2tJgNDDNPIDQDlbWgQw
+24Wzx5QGOfr4CJM3WMhSdUEn8jyyFj+GmCfCAtRTEPhGIf4op6rZfH5Q8O0UJ865
+iIvshNNLoWtkVx2MTU4juXsz666Vq+HFzyIw2xPeabVIKVzF25+vbTTRQIhohuU9
+FV36IqXOGGwYAlnu8/2NFDWbUIhaCaB0N2AeVH8kQcO9L0OEHB0MJy+0MEFuZHJl
+dyBHLiBNb3JnYW4gKFdvcmsgQWRkcmVzcykgPGFnbUBnb29nbGUuY29tPokCOAQT
+AQIAIgUCTpUPggIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQKe6EiuLM
+8/TM2hAAwOPHeKi+9/SukBgW+8Cg9vOERdwnjX9P6lrFY4mbxISDt9edQeBd5PBb
+dEk8ins+C5y0+iC8pBX7sZxTkNyDXcNk7icytKy8iewtCR94NVT/OXYy4cU60Eyk
+OnqIZxTCNLRthu+XTd8+Ptlcgwv4js5LI16hn+fbO0j1SIgEei+wepmpibh3tU6L
+idWPVj8ZqT32zDdwu9TCr1/eLyKg3PKeoFPuMD4ZYVp5Um4as4IEEGC4i7QSSDjY
+0BnYBHfbBA/l4S2VICrwiX1FnN7BrW/viWgM0k6X6Rbn+NArq0aPYD2+VOpXMdQO
+Y9n2foOzuHfCjaDeDNhfVy4zeylb1SwDxdQM1jbI0VgML0iwAjT27Xw3t/z2Kwb/
+JiHkxmknPZ/Htx5we3BJW6RMYcOxqgdNcyV+NCZVTl585FklroHHRORpILB5x6be
+r7c5x2BbxfA9aKT/la/wHd0mikwfUzDelGGKu1N3r/zzE3IuQlK2m0ENm9uq8Hac
+yZKKqCHSY96yWfC5vEnn/gVs/3OUs3vOnj1FkcoOX/wQxJcYKOYbpRPFbojdikp1
+zj7IR3X39RS3GpA59uAW+Vxt6xDkgu8s7NmJ2RLvLS/iL2tkF78cTLd4bzPizl2W
+gGulIG8rJLCpa65IOfe0yrDgHPYF7cWC1gDhOc3LuyFwVHYEwWiJAjMEEAEIAB0W
+IQQgecgKRf69m6CVGvLLIxLh7Pc/VwUCXQ8MGwAKCRDLIxLh7Pc/V0F9EACHKNqF
+l5xXDHe/0nlZ+J/OFRNIE8ObZAxQLaPfK3gRkFn/SbKQzkzB84X2il7A/W221Lzi
+me5eTFPhTX3RxUcoSQdrtCCov5gCeuiUbhuJ28zuJxslxLE8bhnmNfpLmFFGtbMI
+kXq+y0uqc08Yj8frPXKgx7KvOoovpm0X/igiAkiuKLhbq8xIwaIN0NL4slFlx+ZP
+Ed0KA6qOvlLr0T/lLVptAeMrzfi2gqY1utSqE5IVrbtU6Kptw3zfURsGFFIaKjIr
+hzu25Cdpg/NxYGqo2GqD0lZ+OeWSy0WI5sxCSDqr0to9lvsJGv2Nc06ixIjH7vG2
+Hc/cC0QyHdBM6GwaLmUH9hrcSCLR5kxTzAW0Cf6lrAZUL36Ivl5l+zoLdJqSgZLY
+YXqMdQf75Y5TRFzry5pWRef3ba4/sgui89W11Uccdq/pGe4OKo0I/vq3bv35/3cZ
+aMGjj3x6v67kk8GWbKg6CPBnzb1dY7VDA5RWOt2lPZr4omUNFwRpxAfZADUz2Q4S
+tMQVE018SSH1i6G9EB8KVQEBeD4qgaWs1z9sqA7K5wlBzGarTa2RspH0GMmYwxBY
+hXtYpKm/47Dkg8j3N01VVwky0XGPFHCVgFbeXGknL1O3thOGs5XPO05jtBcbYI1u
+vvK+h/CNn1yuTG13BSG4pgRF1Sy6CFLHme0d/rkCDQROjogSARAAtLny8nlyr8fy
+YGAocQz0S47a99n/X0Vmgwo1trJsCXWbOrpztznY8IFRK/dRnRHiMwBxWQ4CvdUk
+2p0MweUiOjpEN7bUm92jeFXMr0hpQKf+O4DMExHS4hxLwArnKFuAk2ejRQGXBcEo
+Mv11LiUwuzFbWdXqMsA1TbuA+WvEBnFUYM/6xNiJeRIUIiGydhG1yaw8HrNWLHnh
+hcOfT6z5AO69hZZiJacp9pU/+jnep/M42p4J17x81+ESpJeladwR0Qxc0qxOyWid
+N7oO5hSiBEwU6lYQjdQ23pa7tN1o90P9jyN2nFBEdBu2D/mi4DV/+VXUYHNEy3uN
+hmmLGwMoPVWiZveRmG74+ne7MVyxwb9EIF3IenS4T65ee1dlZvaoMxUlUe8htEK0
+ChrQZOfITs9MyjUwoTiLUVo3kQeMli9HJEQXPRjHqkkZ7W65LhkEVnHSPHWtttRS
+DkuZYtze+he142GzDSQA3dF2zy/tLpBb5CA29ITcQTspgV7AuV8YQqDZ4XWHsR9A
+m5334N83EXk2oouqxl7mKUB0Vg6tujNCBSRn6A3CUaA29w/MyTg4z6Yw6HD3il1J
+8PcWEoOzqlUoPd8tA5pcZCcKngkXndpXgsZCgoCgvx9WNU+LUrHBfhC3TLLsI7iG
+O1JvLghkesKTARF3O2hS3xAhfGZxn8MAEQEAAYkCHwQYAQIACQUCTo6IEgIbDAAK
+CRAp7oSK4szz9HSYD/9hmEsJuSgAGwx/OPweYuDGkA25ajDAu59LpzTbjB/yOU1r
+DVUu3cMH+UEyaEGlhbneGvHF2DsEC9il/8fVL4eaE9EWpopIonYndBE91+YiGHPT
+oiyKcdp0KuQMwm2ENAiEf/qErrB2NLna4wfZUx5lzvEOEk3cNPmNz2ERyMPXIeei
+Q9VKp3MzopWhvBItAyIzzuydKKvJAKzDoTOEL4w60slAphj8rVCsW45k2AurWUH7
+VFM8ezXunieLeygCGb+YJZAet6yVXD3UwnNcWCGQ+xKSPuyKrn4xKG0N5gzxnGIh
+/S/7IOjRaNR5X+pfWd6YzN9qURUfiXmuLSPRHK4Flfam4gMMHul9wL6XBayFo2NU
+PBaxg4U9ACAgSJxgCTNPCKwnovecOsRmIESKtT1F3hbZRRgRGj/TDepJQNfHSyk/
+ZQfuoJggBMQLJKzGII42rb0W90QLMk0SyCzeb3LO3yyNiKpluNpJsl2IqdBJE5t1
+LxhKDnju6JlFyPcGJnP/doTuDTjjL0V+guPAGVbuq0g2hku+ZlJwjMStNwHPWxei
+fuDJbQVIp0xZbI5djdHC8hVJX+d09J5eq0PlgMEidc4F+Vv+mmGJl0GiNfhmTaAC
+SRzbI25/bhvj2xhx8A2LEOuU/+nzYgQzPcFpawiUP1wBnTqi+maxKx5/9ifyrw==
+=6WX5
+-----END PGP PUBLIC KEY BLOCK-----

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: libcap
-# $Id: Makefile,v 1.1 2004/09/09 07:21:20 cvsdist Exp $
-NAME := libcap
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

capfaq-0.2.txt

@@ -1,264 +0,0 @@
-This is the Linux kernel capabilities FAQ
-
-Its history, to the extent that I am able to reconstruct it is that
-v2.0 was posted to the Linux kernel list on 1999/04/02 by Boris
-Tobotras. Thanks to Denis Ducamp for forwarding me a copy.
-
-Cheers
-
-Andrew
-
-Linux Capabilities FAQ 0.2
-==========================
-
-1) What is a capability?
-
-The name "capabilities" as used in the Linux kernel can be confusing.
-First there are Capabilities as defined in computer science. A
-capability is a token used by a process to prove that it is allowed to
-do an operation on an object.  The capability identifies the object
-and the operations allowed on that object.  A file descriptor is a
-capability.  You create the file descriptor with the "open" call and
-request read or write permissions.  Later, when doing a read or write
-operation, the kernel uses the file descriptor as an index into a
-data structure that indicates what operations are allowed.  This is an
-efficient way to check permissions.  The necessary data structures are
-created once during the "open" call.  Later read and write calls only
-have to do a table lookup.  Operations on capabilities include copying
-capabilities, transferring capabilities between processes, modifying a
-capability, and revoking a capability.  Modifying a capability can be
-something like taking a read-write filedescriptor and making it
-read-only.  A capability often has a notion of an "owner" which is
-able to invalidate all copies and derived versions of a capability.
-Entire OSes are based on this "capability" model, with varying degrees
-of purity.  There are other ways of implementing capabilities than the
-file descriptor model - traditionally special hardware has been used,
-but modern systems also use the memory management unit of the CPU.
-
-Then there is something quite different called "POSIX capabilities"
-which is what Linux uses.  These capabilities are a partitioning of
-the all powerful root privilege into a set of distinct privileges (but
-look at securelevel emulation to find out that this isn't necessary
-the whole truth).  Users familiar with VMS or "Trusted" versions of
-other UNIX variants will know this under the name "privileges".  The
-name "capabilities" comes from the now defunct POSIX draft 1003.1e
-which used this name.
-
-2) So what is a "POSIX capability"?
-
-A process has three sets of bitmaps called the inheritable(I),
-permitted(P), and effective(E) capabilities.  Each capability is
-implemented as a bit in each of these bitmaps which is either set or
-unset.  When a process tries to do a privileged operation, the
-operating system will check the appropriate bit in the effective set
-of the process (instead of checking whether the effective uid of the
-process i 0 as is normally done).  For example, when a process tries
-to set the clock, the Linux kernel will check that the process has the
-CAP_SYS_TIME bit (which is currently bit 25) set in its effective set.
-
-The permitted set of the process indicates the capabilities the
-process can use.  The process can have capabilities set in the
-permitted set that are not in the effective set.  This indicates that
-the process has temporarily disabled this capability.  A process is
-allowed to set a bit in its effective set only if it is available in
-the permitted set.  The distinction between effective and permitted
-exists so that processes can "bracket" operations that need privilege.
-
-The inheritable capabilities are the capabilities of the current
-process that should be inherited by a program executed by the current
-process.  The permitted set of a process is masked against the
-inheritable set during exec().  Nothing special happens during fork()
-or clone().  Child processes and threads are given an exact copy of
-the capabilities of the parent process.
-
-3) What about other entities in the system? Users, Groups, Files?
-
-Files have capabilities.  Conceptually they have the same three
-bitmaps that processes have, but to avoid confusion we call them by
-other names.  Only executable files have capabilities, libraries don't
-have capabilities (yet).  The three sets are called the allowed set,
-the forced set, and the effective set.
-
-The allowed set indicates what capabilities the executable is allowed
-to receive from an execing process.  This means that during exec(),
-the capabilities of the old process are first masked against a set
-which indicates what the process gives away (the inheritable set of
-the process), and then they are masked against a set which indicates
-what capabilities the new process image is allowed to receive (the
-allowed set of the executable).
-
-The forced set is a set of capabilities created out of thin air and
-given to the process after execing the executable.  The forced set is
-similar in nature to the setuid feature.  In fact, the setuid bit from
-the filesystem is "read" as a full forced set by the kernel.
-
-The effective set indicates which bits in the permitted set of the new
-process should be transferred to the effective set of the new process.
-The effective set is best thought of as a "capability aware" set.  It
-should consist of only 1s if the executable is capability-dumb, or
-only 0s if the executable is capability-smart.  Since the effective
-set consists of only 0s or only 1s, the filesystem can implement this
-set using a single bit.
-
-NOTE: Filesystem support for capabilities is not part of Linux 2.2.
-
-Users and Groups don't have associated capabilities from the kernel's
-point of view, but it is entirely reasonable to associate users or
-groups with capabilities.  By letting the "login" program set some
-capabilities it is possible to make role users such as a backup user
-that will have the CAP_DAC_READ_SEARCH capability and be able to do
-backups.  This could also be implemented as a PAM module, but nobody
-has implemented one yet.
-
-4) What capabilities exist?
-
-The capabilities available in Linux are listed and documented in the
-file /usr/src/linux/include/linux/capability.h.
-
-5) Are Linux capabilities hierarchical?
-
-No, you cannot make a "subcapability" out of a Linux capability as in
-capability-based OSes.
-
-6) How can I use capabilities to make sure Mr. Evil Luser (eluser)
-can't exploit my "suid" programs?
-
-This is the general outline of how this works given filesystem
-capability support exists.  First, you have a PAM module that sets the
-inheritable capabilities of the login-shell of eluser.  Then for all
-"suid" programs on the system, you decide what capabilities they need
-and set the _allowed_ set of the executable to that set of
-capabilities.  The capability rules
-
-   new permitted = forced | (allowed & inheritable)
-
-means that you should be careful about setting forced capabilities on
-executables.  In a few cases, this can be useful though.  For example
-the login program needs to set the inheritable set of the new user and
-therefore needs an almost full permitted set.  So if you want eluser
-to be able to run login and log in as a different user, you will have
-to set some forced bits on that executable.
-
-7) What about passing capabilities between processes?
-
-Currently this is done by the system call "setcap" which can set the
-capabilities of another process.  This requires the CAP_SETPCAP
-capability which you really only want to grant a _few_ processes.
-CAP_SETPCAP was originally intended as a workaround to be able to
-implement filesystem support for capabilities using a daemon outside
-the kernel.
-
-There has been discussions about implementing socket-level capability
-passing.  This means that you can pass a capability over a socket.  No
-support for this exists in the official kernel yet.
-
-8) I see securelevel has been removed from 2.2 and are superceeded by
-capabilities.  How do I emulate securelevel using capabilities?
-
-The setcap system call can remove a capability from _all_ processes on
-the system in one atomic operation.  The setcap utility from the
-libcap distribution will do this for you.  The utility requires the
-CAP_SETPCAP privilege to do this.  The CAP_SETPCAP capability is not
-enabled by default.
-
-libcap is available from
-ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/
-
-9) I noticed that the capability.h file lacks some capabilities that
-are needed to fully emulate 2.0 securelevel.  Is there a patch for
-this?
-
-Actually yes - funny you should ask :-).  The problem with 2.0
-securelevel is that they for example stop root from accessing block
-devices.  At the same time they restrict the use of iopl.  These two
-changes are fundamentally different.  Blocking access to block devices
-means restricting something that usually isn't restricted.
-Restricting access to the use of iopl on the other hand means
-restricting (blocking) access to something that is already blocked.
-Emulating the parts of 2.0 securelevel that restricts things that are
-normally not restricted means that the capabilites in the kernel has
-to have a set of capabilities that are usually _on_ for a normal
-process (note that this breaks the explanation that capabilities are a
-partitioning of the root privileges).  There is an experimental patch at
-
-ftp://ftp.guardian.no/pub/free/linux/capabilities/patch-cap-exp-1
-
-which implements a set of capabilities with the "CAP_USER" prefix:
-
-cap_user_sock  - allowed to use socket()
-cap_user_dev   - allowed to open char/block devices
-cap_user_fifo  - allowed to use pipes
-
-These should be enough to emulate 2.0 securelevel (tell me if we need
-something more).
-
-10) Seems I need a CAP_SETPCAP capability that I don't have to make use
-of capabilities.  How do I enable this capability?
-
-Change the definition of CAP_INIT_EFF_SET and CAP_INIT_INH_SET to the
-following in include/linux/capability.h:
-
-#define CAP_INIT_EFF_SET    { ~0 }
-#define CAP_INIT_INH_SET    { ~0 }
-
-This will start init with a full capability set and not with
-CAP_SETPCAP removed.
-
-11) How do I start a process with a limited set of capabilities?
-
-Get the libcap library and use the execcap utility.  The following
-example starts the update daemon with only the CAP_SYS_ADMIN
-capability.
-
-execcap 'cap_sys_admin=eip' update
-
-12) How do I start a process with a limited set of capabilities under
-another uid?
-
-Use the sucap utility which changes uid from root without loosing any
-capabilities.  Normally all capabilities are cleared when changing uid
-from root.  The sucap utility requires the CAP_SETPCAP capability.
-The following example starts updated under uid updated and gid updated
-with CAP_SYS_ADMIN raised in the Effective set.
-
-sucap updated updated execcap 'cap_sys_admin=eip' update
-
-[ Sucap is currently available from
-ftp://ftp.guardian.no/pub/free/linux/capabilities/sucap.c. Put it in
-the progs directory of libcap to compile.]
-
-13) What are the "capability rules"
-
-The capability rules are the rules used to set the capabilities of the
-new process image after an exec.  They work like this:
-
-        pI' = pI
-  (***) pP' = fP | (fI & pI)
-        pE' = pP' & fE          [NB. fE is 0 or ~0]
-
-  I=Inheritable, P=Permitted, E=Effective // p=process, f=file
-  ' indicates post-exec().
-
-Now to make sense of the equations think of fP as the Forced set of
-the executable, and fI as the Allowed set of the executable.  Notice
-how the Inheritable set isn't touched at all during exec().
-
-14) What are the laws for setting capability bits in the Inheritable,
-Permitted, and Effective sets?
-
-Bits can be transferred from Permitted to either Effective or
-Inheritable set.
-
-Bits can be removed from all sets.
-
-15) Where is the standard on which the Linux capabilities are based?
-
-There used to be a POSIX draft called POSIX.6 and later POSIX 1003.1e.
-However after the committee had spent over 10 years, POSIX decided
-that enough is enough and dropped the draft.  There will therefore not
-be a POSIX standard covering security anytime soon.  This may lead to
-that the POSIX draft is available for free, however.
-
---
-        Best regards, -- Boris.
-

gating.yaml

@@ -0,0 +1,20 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpmdeplint.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.installability.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpmdeplint.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.installability.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

libcap-2.16-headerfix.patch

@@ -1,13 +0,0 @@
-diff -up libcap-2.16/libcap/include/sys/capability.h.hfix libcap-2.16/libcap/include/sys/capability.h
---- libcap-2.16/libcap/include/sys/capability.h.hfix	2009-06-15 14:46:51.000000000 +0200
-+++ libcap-2.16/libcap/include/sys/capability.h	2009-06-15 14:47:00.000000000 +0200
-@@ -30,6 +30,9 @@ extern "C" {
- #define _LINUX_FS_H
- #define __LINUX_COMPILER_H
- #define __user
-+#define _ASM_X86_SIGCONTEXT_H
-+#define _ASM_POWERPC_SIGCONTEXT_H
-+#define _SPARC_SIGCONTEXT_H
- 
- typedef unsigned int __u32;
- typedef __u32 __le32;

libcap.rpmlintrc

@@ -0,0 +1,2 @@
+addFilter('.*static-library-without-debuginfo.*')
+addFilter('.*pam-unauthorized-module.*')

libcap.spec

@@ -1,27 +1,44 @@
 Name: libcap
-Version: 2.16
-Release: 5%{?dist}
+Version: 2.69
+Release: 1%{?dist}
 Summary: Library for getting and setting POSIX.1e capabilities
-Source: http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/%{name}-%{version}.tar.gz
-Patch0: libcap-2.16-headerfix.patch
+URL: https://sites.google.com/site/fullycapable/
+License: BSD-3-Clause OR GPL-2.0-only
 
-URL: http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
-License: LGPLv2+
-Group: System Environment/Libraries
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: libattr-devel pam-devel
+Source0: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
+Source1: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.sign
+Source2: https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/29EE848AE2CCF3F4.asc
+
+BuildRequires: pam-devel gcc
+BuildRequires: make
+BuildRequires: glibc-static
+BuildRequires: gnupg2
+
+%ifarch aarch64 armv7hl i686 ppc64le s390x x86_64
+BuildRequires: golang >= 1.11
+%endif
 
 %description
 libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
 draft 15 capabilities.
 
+%package static
+Summary: Static libraries for libcap development
+Requires: %{name} = %{version}-%{release}
+
+%description static
+The libcap-static package contains static libraries needed to develop programs
+that use libcap and need to be statically linked. 
+
+libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
+draft 15 capabilities.
+
 %package devel
 Summary: Development files for libcap
-Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 
 %description devel
-Development files (Headers, libraries for static linking, etc) for libcap.
+Development files (Headers, etc) for libcap.
 
 libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
 draft 15 capabilities.
@@ -29,54 +46,223 @@ draft 15 capabilities.
 Install libcap-devel if you want to develop or compile applications using
 libcap.
 
+%package -n captree
+Summary: Capability inspection utility
+
+%description -n captree
+The captree program was inspired by the utility pstree, but it uses the
+libcap/cap (Go package) API to explore process runtime state and display
+the capability status of processes and threads.
+
 %prep
-%setup -q
-%patch0 -p1
+gzip -cd %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=-
+%autosetup -p1
+
 
 %build
-# libcap can not be build with _smp_mflags:
-make PREFIX=%{_prefix} LIBDIR=%{_lib} SBINDIR=%{_sbindir} \
-     INCDIR=%{_includedir} MANDIR=%{_mandir} COPTFLAG="$RPM_OPT_FLAGS"
+%make_build prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external" all
+
+%check
+make test
 
 %install
-rm -rf ${RPM_BUILD_ROOT}
-make install DESTDIR=${RPM_BUILD_ROOT} \
-             LIBDIR=${RPM_BUILD_ROOT}/%{_lib} \
-             SBINDIR=${RPM_BUILD_ROOT}/%{_sbindir} \
-             INCDIR=${RPM_BUILD_ROOT}/%{_includedir} \
-             MANDIR=${RPM_BUILD_ROOT}/%{_mandir}/ \
-             COPTFLAG="$RPM_OPT_FLAGS"
-mkdir -p ${RPM_BUILD_ROOT}/%{_mandir}/man{2,3,8}
-#mv -f doc/*.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/
-mv -f doc/*.3 ${RPM_BUILD_ROOT}/%{_mandir}/man3/
+%make_install prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external"
 
-# remove static lib
-rm -f ${RPM_BUILD_ROOT}/%{_lib}/libcap.a
+mkdir -p %{buildroot}/%{_mandir}/man{2,3,8}
+mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/
 
-chmod +x ${RPM_BUILD_ROOT}/%{_lib}/*.so.*
+chmod +x %{buildroot}/%{_libdir}/*.so.*
 
-%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
+%ldconfig_scriptlets
 
 %files
-%defattr(-,root,root,-)
-/%{_lib}/*.so.*
-%{_sbindir}/*
-%{_mandir}/man8/*
-/%{_lib}/security/pam_cap.so
-%doc doc/capability.notes License
+%license License
+%doc doc/capability.md
+%{_libdir}/libcap.so.2{,.*}
+%{_libdir}/libpsx.so.2{,.*}
+%{_sbindir}/{capsh,getcap,getpcaps,setcap}
+%{_mandir}/man1/capsh.1*
+%{_mandir}/man8/{getcap,getpcaps,setcap}.8*
+%{_libdir}/security/pam_cap.so
+
+%files static
+%{_libdir}/libcap.a
+%{_libdir}/libpsx.a
 
 %files devel
-%defattr(-,root,root,-)
-%{_includedir}/*
-/%{_lib}/*.so
-#{_mandir}/man2/*
-%{_mandir}/man3/*
+%{_includedir}/sys/capability.h
+%{_includedir}/sys/psx_syscall.h
+%{_libdir}/libcap.so
+%{_libdir}/libpsx.so
+%{_mandir}/man3/cap*.3*
+%{_mandir}/man3/libcap.3*
+%{_mandir}/man3/libpsx.3*
+%{_mandir}/man3/psx_*.3*
+%{_mandir}/man3/__psx_syscall.3*
+%{_libdir}/pkgconfig/{libcap,libpsx}.pc
 
-%clean
-rm -rf ${RPM_BUILD_ROOT}
+%files -n captree
+%license License
+%{_sbindir}/captree
+%{_mandir}/man8/captree.8*
 
 %changelog
+* Mon Nov 06 2023 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 2.69-1
+- Update to 2.69 (with contribs from Yanko Kaneti <yaneti@declera.com>, and Andrew G. Morgan <morgan@kernel.org>)
+- Update license to SPDX (by Anderson Toshiyuki Sasaki <ansasaki@redhat.com>)
+- Make file lists more explicit to avoid accidental ABI changes (Dominik Mierzejewski <dominik@greysector.net>)
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sun Feb 14 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 2.48-2
+- Rebase distro flags patch
+
+* Wed Feb 10 2021 Giuseppe Scrivano <gscrivan@redhat.com> - 2.48-1
+- Update to 0.2.48
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sun Jan 17 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 2.46-1
+- Update to 0.2.46
+
+* Wed Oct 21 2020 Karsten Hopp <karsten@fedoraproject.org> - 2.44-1
+- update to 2.44
+- remove additional getpcaps manpage as it now included in the sources
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Feb 04 2019 Karsten Hopp <karsten@redhat.com> - 2.26-5
+- enable gating
+
+* Mon Feb 04 2019 Karsten Hopp <karsten@redhat.com> - 2.26-4
+- bump release
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 28 2019 Karsten Hopp <karsten@redhat.com> - 2.26-2
+- add CI tests using the standard test interface (astepano)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 02 2018 Karsten Hopp <karsten@redhat.com> - 2.25-11
+- rebuild
+
+* Wed Feb 21 2018 Karsten Hopp <karsten@redhat.com> - 2.25-10
+- buildrequire gcc
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.25-8
+- Switch to %%ldconfig_scriptlets
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Dec 15 2016 Karsten Hopp <karsten@redhat.com> - 2.25-4
+- add -static subpackage (rhbz#1380251)
+
+* Sun Nov 27 2016 Lubomir Rintel <lkundrak@v3.sk> - 2.25-3
+- Add perl BR to fix FTBFS
+
+* Mon Apr 25 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.25-2
+- Fix pkgconfig install location on aarch64
+- Spec file cleanups
+
+* Mon Apr 11 2016 Karsten Hopp <karsten@redhat.com> - 2.25-1
+- libcap-2.25
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.24-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.24-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.24-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Jul 17 2014 Tom Callaway <spot@fedoraproject.org> - 2.24-6
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.24-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 25 2014 Karsten Hopp <karsten@redhat.com> 2.24-4
+- fix libdir in libcap.pc
+
+* Wed Apr 23 2014 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 2.24-3
+- set pkg-config dir to proper value to get it built on AArch64
+
+* Wed Apr 16 2014 Karsten Hopp <karsten@redhat.com> 2.24-2
+- fix URL and license
+
+* Wed Apr 16 2014 Karsten Hopp <karsten@redhat.com> 2.24-1
+- update to 2.24
+- dropped patch for rhbz#911878, it is upstream now
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.22-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue May 14 2013 Karsten Hopp <karsten@redhat.com> 2.22-6
+- mv libraries to /usr/lib*
+- add getpcaps man page 
+- spec file cleanup
+- fix URL of tarball
+
+* Tue May 14 2013 Karsten Hopp <karsten@redhat.com> 2.22-5
+- add patch from Mark Wielaard to fix use of uninitialized memory in _fcaps_load
+  rhbz #911878
+
+* Sun Feb 24 2013 Ville Skyttä <ville.skytta@iki.fi> - 2.22-5
+- Build with $RPM_OPT_FLAGS and $RPM_LD_FLAGS.
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.22-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.22-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Jul 27 2011 Karsten Hopp <karsten@redhat.com> 2.22-1
+- update to 2.22 (#689752)
+
+* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.17-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Dec 10 2009 Karsten Hopp <karsten@redhat.com> 2.17-1
+- update to 2.17
+
 * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.16-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
 

plans/main.fmf

@@ -0,0 +1,5 @@
+summary: Basic smoke test for libcap 
+discover:
+    how: fmf
+execute:
+    how: tmt

sources

@@ -1 +1,2 @@
-9e075fda242c4070ba76407064c13302  libcap-2.16.tar.gz
+SHA512 (libcap-2.69.tar.gz) = 75ee0fe8e1ac835f29cb76d233f731dcf126b73eed5229a130bbe4308a42441934d4e9cefeaaab45f774de2ed6859c752fbbfb9908e792f2f9f3d0f841e01aee
+SHA512 (libcap-2.69.tar.sign) = 00f323444463b020c999f6fab255a61bd719f8d0ec1b619352e4f1b13407acee9a8e176861e5b408f64a871dc4095c6a26af541c3a0d4efca364c2d4b3679d30

tests/capsh/main.fmf

@@ -0,0 +1,2 @@
+summary: capsh tests
+description: tests basic capsh functionality

tests/capsh/test.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "useradd -m libcap_tester"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should remove capability"
+        rlRun -s "capsh --drop=cap_sys_admin -- -c 'getpcaps \$\$'"
+        rlAssertGrep "cap_sys_admin-ep" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should prevent the use of removed capability"
+        rlRun -s "capsh --drop=cap_net_raw -- -c 'ping localhost -e 0 -c 1'" 2,126 "Ping without cap_net_raw shoud fail"
+        rlAssertGrep "Operation not permitted" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should set the prevailing process capabilities"
+        rlRun -s "capsh --caps=cap_chown+p --print"
+        rlAssertGrep "^Current:.*cap_chown[+=][ei]?p[ei]?.*" $rlRun_LOG -E
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should set the inheritable set of capabilities"
+        rlRun -s "capsh --inh=cap_chown --print"
+        rlAssertGrep "^Current:.*cap_chown[+=][ep]?i[ep]?.*" $rlRun_LOG -E
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should set and show the inheritable set of capabilities"
+        rlRun -s "capsh --inh=cap_chown -- -c 'getpcaps \$\$' 2>&1"
+        rlAssertGrep ".*cap_chown[+=][ep]?i[ep]?.*" $rlRun_LOG -E
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should assume the identity of the user nobody"
+        USERID=`id -u nobody`
+        GROUPID=`id -g nobody`
+        rlRun -s "capsh --user=nobody -- -c 'id'"
+        rlAssertGrep "uid=$USERID(nobody) gid=$GROUPID(nobody) groups=$GROUPID(nobody)" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should assume the nobody identity with uid"
+        USERID=`id -u nobody`
+        rlRun -s "capsh --uid=$USERID -- -c 'id'"
+        rlAssertGrep "uid=$USERID(nobody) gid=0(root) groups=0(root)" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should assume guid of nobody"
+        GROUPID=`id -g nobody`
+        rlRun -s "capsh --gid=$GROUPID -- -c 'id'"
+        rlAssertGrep "uid=0(root) gid=$GROUPID(nobody)" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should assume the supplementary groups"
+        GROUPID=`id -g nobody`
+        GROUP2ID=`id -g daemon`
+        rlRun -s "capsh --groups=${GROUPID},${GROUP2ID} -- -c id"
+        rlAssertGrep "uid=0(root) gid=0(root) groups=0(root),${GROUP2ID}(daemon),${GROUPID}(nobody)" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should decode capabilities"
+        rlRun "CODE=$( cat /proc/$$/status | awk '/CapEff/ { print $2 }' )"
+        rlRun "DECODE=$( capsh --decode=$CODE | cut -d '=' -f 2 )"
+        rlRun "capsh --print | grep \"$DECODE\""
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should detect the existence of a capability on the system"
+        rlRun "capsh --supports=cap_net_raw"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should detect the absence of a capability on the system"
+        rlRun -s "capsh --supports=cap_foo_bar" 1
+        rlAssertGrep "cap\[cap_foo_bar\] not recognized by library" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should error for unsupported option"
+        rlRun "capsh --foo bar" 1
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should run as a regular user"
+        USERID=`id -u libcap_tester`
+        rlRun -s "su - libcap_tester -c 'capsh --print'"
+        rlAssertGrep "Current: =\$" $rlRun_LOG -E
+        rlAssertGrep "uid=$USERID(libcap_tester)" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "userdel -r libcap_tester"
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalEnd

tests/getcap-setcap/main.fmf

@@ -0,0 +1,2 @@
+summary: setcap and getcap tests
+description: tests setcap and getcap basic functionality

tests/getcap-setcap/test.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should set and get capabilities on multiple files"
+        rlRun "touch test-file-0"
+        rlRun "touch test-file-1"
+        rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-file-1"
+        rlRun -s "getcap test-file-0 test-file-1"
+        rlAssertGrep "test-file-0.*cap_net_admin[+=]p" $rlRun_LOG -E
+        rlAssertGrep "test-file-1.*cap_net_raw[+=]ei" $rlRun_LOG -E
+        rlRun "rm -f test-file-0 test-file-1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should set capabilities via stdin"
+        rlRun "touch test-file-0"
+        rlRun "echo -e 'cap_net_raw+p\ncap_net_admin+p' > input"
+        rlRun -s "setcap - test-file-0 < input"
+        rlAssertGrep "Please" $rlRun_LOG
+        rlRun -s "getcap test-file-0"
+        rlAssertGrep "cap_net_admin,cap_net_raw[+=]p" $rlRun_LOG -E
+        rlRun "rm -f test-file-0"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should set capabilities quietly via stdin"
+        rlRun "touch test-file-0"
+        rlRun "echo -e 'cap_net_raw+p' > input"
+        rlRun -s "setcap -q - test-file-0 < input"
+        rlAssertNotGrep "Please" $rlRun_LOG
+        rlRun -s "getcap test-file-0"
+        rlAssertGrep "cap_net_raw[+=]p" $rlRun_LOG -E
+        rlRun "rm -f test-file-0"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should remove capabilities"
+        rlRun "touch test-file-0"
+        rlRun "setcap cap_net_admin+p test-file-0"
+        rlRun "setcap -r test-file-0"
+        rlRun -s "getcap test-file-0"
+        rlAssertNotGrep "cap_net_admin" $rlRun_LOG
+        rlRun "rm -f test-file-0"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should list capabilities recursively"
+        rlRun "touch test-file-0"
+        rlRun "mkdir test-dir-1"
+        rlRun "touch test-dir-1/test-file-1"
+        rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-dir-1/test-file-1"
+        rlRun -s "getcap -r *"
+        rlAssertGrep "^test-file-0.*cap_net_admin[+=]p\$" $rlRun_LOG -E
+        rlAssertGrep "^test-dir-1/test-file-1.*cap_net_raw[+=]ei\$" $rlRun_LOG -E
+        rlRun "rm -f test-file-0"
+        rlRun "rm -rf test-dir-1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "listing capabilities verbosely"
+        rlRun "touch test-file-0"
+        rlRun "mkdir test-dir-1"
+        rlRun "touch test-dir-1/test-file-1"
+        rlRun "touch test-dir-1/test-file-2"
+        rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-dir-1/test-file-1"
+        rlRun -s "getcap -v -r *"
+        rlAssertGrep "^test-file-0.*cap_net_admin[+=]p\$" $rlRun_LOG -E
+        rlAssertGrep "^test-dir-1/test-file-1.*cap_net_raw[+=]ei\$" $rlRun_LOG -E
+        rlAssertGrep "^test-dir-1/test-file-2\$" $rlRun_LOG -E
+        rlRun "rm -f test-file-0"
+        rlRun "rm -rf test-dir-1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should setcap print help"
+        rlRun -s "setcap -h"
+        rlAssertGrep "usage" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should getcap print help"
+        rlRun -s "getcap -h"
+        rlAssertGrep "usage" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "setcap should exit with 1 on invalid arguments"
+        rlRun -s "setcap foo bar" 1
+        rlAssertGrep "Invalid" $rlRun_LOG -i
+    rlPhaseEnd
+    rlPhaseStartTest "getcap should exit with 1 on invalid arguments"
+        rlRun -s "getcap -f oo" 1
+        rlAssertGrep "Invalid" $rlRun_LOG -i
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalEnd

tests/libcap-devel/main.fmf

@@ -0,0 +1,2 @@
+summary: libcap-devel tests
+description: tests libcap-devel functionality

tests/libcap-devel/test-libcap.c

@@ -0,0 +1,52 @@
+/*
+# SPDX-License-Identifier: LGPL-2.1+
+# ~~~
+#   Description: libcap tests
+#
+#   Author: Susant Sahani <susant@redhat.com>
+#   Copyright (c) 2018 Red Hat, Inc.
+# ~~~
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <setjmp.h>
+#include <inttypes.h>
+#include <cmocka.h>
+#include <sys/capability.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <unistd.h>
+
+void drop_cap(cap_value_t capflag) {
+        cap_t d;
+
+        d = cap_get_proc();
+        assert_non_null(d);
+
+        assert_return_code(cap_set_flag(d, CAP_EFFECTIVE, 1, &capflag, CAP_CLEAR), 0);
+        assert_return_code(cap_set_flag(d, CAP_PERMITTED, 1, &capflag, CAP_CLEAR), 0);
+        assert_return_code(cap_set_proc(d), 0);
+}
+
+void test_drop_cap_net_raw(void **state) {
+        int s;
+
+        assert_true((s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP)) >= 0);
+        close(s);
+
+        drop_cap(CAP_NET_RAW);
+
+        assert_false((s = socket(PF_INET, SOCK_RAW, IPPROTO_UDP)) >= 0);
+}
+
+int main(int argc, char *argv[]) {
+        const struct CMUnitTest libcap_tests[] = {
+                                                  cmocka_unit_test(test_drop_cap_net_raw),
+        };
+
+        return cmocka_run_group_tests(libcap_tests, NULL, NULL);
+}

tests/libcap-devel/test.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "gcc -lcap -lcmocka -Wall -g3 -o test-libcap test-libcap.c"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "./test-libcap"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm test-libcap"
+    rlPhaseEnd
+rlJournalEnd

tests/main.fmf

@@ -0,0 +1,9 @@
+test: ./test.sh
+framework: beakerlib
+require:
+    - libcap
+    - libcap-devel
+    - libcmocka
+    - libcmocka-devel
+    - gcc
+    - iputils

tests/manpages/main.fmf

@@ -0,0 +1,2 @@
+summary: man pages install smoke tests
+description: verify that the man pages are installed correctly

tests/manpages/test.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+expected_manpages=(
+    'capsh(1)'
+    'libcap(3)' # there are many more but if these are present then it verifies it because of the glob install
+    'libpsx(3)'
+    'getcap(8)'
+    'getpcaps(8)'
+    'setcap(8)'
+    'captree(8)'
+    
+)
+
+rlJournalStart
+  for page in "${expected_manpages[@]}"; do
+    rlPhaseStartTest "test ${page}"
+        rlRun "man --pager=cat '${page}'"
+    rlPhaseEnd
+  done
+rlJournalEnd

tests/pam_cap/main.fmf

@@ -0,0 +1,2 @@
+summary: pam_cap.so tests
+description: tests pam_cap.so functionality

tests/pam_cap/test.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "useradd -m pam_cap_user"
+        rlRun "useradd -m pam_cap_user2"
+        rlFileBackup /etc/pam.d/su
+        [ -f /etc/security/capability.conf ] && rlFileBackup /etc/security/capability.conf
+        rlRun "echo -e 'cap_net_raw pam_cap_user\nnone *' > /etc/security/capability.conf"
+        rlRun "sed '1 s/^/auth required pam_cap.so/' -i /etc/pam.d/su" 0 "Configure pam_cap.so in /etc/pam.d/su"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Should given pam_cap_user the cap_net_raw capability"
+        rlRun -s "su - pam_cap_user -c 'getpcaps \$\$'"
+        rlAssertGrep ".*cap_net_raw[+=].*" $rlRun_LOG -E
+    rlPhaseEnd
+    rlPhaseStartTest "The user pam_cap_user2 should not have the cap_net_raw capability"
+        rlRun -s "su - pam_cap_user2 -c 'getpcaps \$\$'"
+        rlAssertNotGrep "cap_net_raw" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "userdel -r pam_cap_user"
+        rlRun "userdel -r pam_cap_user2"
+        rlFileRestore
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalEnd

tests/pkg-configs/main.fmf

@@ -0,0 +1,2 @@
+summary: validates pkg-configs presence.
+description: ensures libcap.pc and libpsx.pc are installed

tests/pkg-configs/test.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+    rlPhaseEnd
+
+    rlPhaseStartTest "libcap pkg-config should be present and valid"
+        rlRun "rpm -ql libcap-devel | grep libcap.pc" 0 "There must be libcap.pc"
+        if [ $? -eq 0 ]; then
+          PCFILE=$(rpm -ql libcap-devel | grep libcap.pc)
+          rlRun "pkg-config --libs libcap | grep -- '-lcap'"
+          VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
+          rlRun "pkg-config --modversion libcap | grep $VER"
+          rlRun -s "pkg-config --print-variables libcap"
+          rlAssertGrep "^prefix" $rlRun_LOG
+          rlAssertGrep "^exec_prefix" $rlRun_LOG
+          rlAssertGrep "^libdir" $rlRun_LOG
+          rlAssertGrep "^includedir" $rlRun_LOG
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartTest "libcap pkg-config should be present and valid"
+        rlRun "rpm -ql libcap-devel | grep libpsx.pc" 0 "There must be libpsx.pc"
+        if [ $? -eq 0 ]; then
+          PCFILE=$(rpm -ql libcap-devel | grep libpsx.pc)
+          rlRun "pkg-config --libs libpsx | grep -- '-lpsx -lpthread -Wl,-wrap,pthread_create'"
+          VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
+          rlRun "pkg-config --modversion libpsx | grep $VER"
+          rlRun -s "pkg-config --print-variables libpsx"
+          rlAssertGrep "^prefix" $rlRun_LOG
+          rlAssertGrep "^exec_prefix" $rlRun_LOG
+          rlAssertGrep "^libdir" $rlRun_LOG
+          rlAssertGrep "^includedir" $rlRun_LOG
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalEnd