Compare commits
No commits in common. "rawhide" and "f27" have entirely different histories.
@ -1 +0,0 @@
|
||||
1
|
7
.gitignore
vendored
7
.gitignore
vendored
@ -1,3 +1,4 @@
|
||||
/libcap-*.tar.gz
|
||||
/libcap-*.tar.sign
|
||||
/*.src.rpm
|
||||
libcap-2.17.tar.gz
|
||||
/libcap-2.22.tar.bz2
|
||||
/libcap-2.24.tar.gz
|
||||
/libcap-2.25.tar.gz
|
||||
|
@ -1,105 +0,0 @@
|
||||
pub rsa4096 2011-10-07 [SC]
|
||||
38A644698C69787344E954CE29EE848AE2CCF3F4
|
||||
uid Andrew G. Morgan <morgan@kernel.org>
|
||||
uid Andrew G. Morgan (Work Address) <agm@google.com>
|
||||
sub rsa4096 2011-10-07 [E]
|
||||
E8BBFE9EBCE94FB48D2F98FC61B996743B143E89
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBE6OiBIBEADpdtUxC8Fmhn5UK6UCZdU7mFgZwN8U9cabFUPfUIkMqXULhCD0
|
||||
hG2/amuiiUoLollPjOopNqk4cc8LcZfszOdBFAYj7MeWzNySVw4KkWrVCEH/bZ0Q
|
||||
QzZH2qmoMT5CIrtcNxCAvukYsZLhyZYO0HdfuE05mVhVjtX9Btfxr7Ndvb7L4MRS
|
||||
3Qb6+nHTgfn/Oow92/koIWvi0YvskKdZypeU888TQL99E8xdgL2n2Ip3xYwBHRR2
|
||||
GPb5MGOuEItF3tJ0kkILW5mzkJq/iLzRphzKjdF76I9QVRP8dZ+uWHPubWePm/5c
|
||||
1H9lnlw00ZZ/ucQvSwTesUYk2aKkxzgm6X8fCdJXBLGgW5K6CkynpjN3qJ9KpcNY
|
||||
H55smUgp8BaiWuoHe4pLvuBhnN2wiYOe2j9UvGX1OaRstMXFx7YbBvkGgdoZthUe
|
||||
VPGAa4K+dnI2oy4wukzl/unAKrlMCBRsRoW2qjy3TDSXqwJhd34ilHzrdAdchrh/
|
||||
acBfbBtRzVlcDTnGltDNMuRTXzujaY9C3B0L2E+Jfrds8WcM8ASO4mHwJUTMrBwM
|
||||
b5sFSG+/X9Ufg/c2G086HQ7xMERUA5oz66P5ReHCph8WHQN2L5vtZwL7//hZB9hn
|
||||
G0K1210YEDXpFPijpis/54MKUSkWEFOLjUbiSPbwEfb79A00CcHojQQinwARAQAB
|
||||
tCRBbmRyZXcgRy4gTW9yZ2FuIDxtb3JnYW5Aa2VybmVsLm9yZz6JAhwEEAECAAYF
|
||||
Ak6YnFgACgkQINBOWnE2YKdO8Q//fwzZuxAacpWE2wByvuwM7hiYOtzxX9tSsaMA
|
||||
NaYtxb8rYwM5YtkjCaBnWoyJ8de7L82HJff/GnxVpw0CWm5Dyj9Pvs/VAIvC4+75
|
||||
+5cs6YWQIhIV5NbmD92lKFni2xNcBomzttB1CexjemtmXQIwm0i06HBbfg8Nkv3l
|
||||
WnZlHHzgOffnkodR56rJCOq75wTPZPmx9WP87bDW2B5ZwzGs4jcBEP8qz4J5agVk
|
||||
97OrYrhy2RrtD6a4f3/VYJq12mvJ/lImgEwNoLsZfMZ6B6wpCvfmx80z1dE/VOmG
|
||||
YKpDPhU5v6y0gQm/UOpz0tzgRJw7CYRK3mbM/Ctnc4n6y0UpbVAmAStRvnlM1DgL
|
||||
3nuuh3EJ6s1r2m2l1SRT09va+lK6s1GARMD+6tmQE7+89DwwSB0lJtWCHRGP/M8W
|
||||
ePdqRAVz3xTkqbRMgcnuvpL6qPveK1Qzv2MxUomB7A8QDxzKzQAIugzm5E1irfmZ
|
||||
jg54/8R2bo0uIp8PS6wx8RD7TYHxGpe4cEAkBr/5/5TfMaTDbrx/f/XqRm/89Mx9
|
||||
04TLVyMqVDcsXAgd+fIGtv/e8cBVMDIRsE9aZQsSOil168Q8qYrJbYRcWmEGaM4d
|
||||
KCGYhEPE7ZaZK4jxshSwfiirozCoAmkTmvOt4E0s2HlljjLPDecAlvoFvn2bSS3Z
|
||||
8coir4CJAjsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOmRGP
|
||||
AhkBAAoJECnuhIrizPP0wK0P/RMvjmzeXbgoa36cBDvDKReAiC56Au4qGXkNah39
|
||||
84tNPT1hVUKCiwiUmULoNJbEI4qFJTtwsMi5QzE+daCA7t+ALJiC+PKiKFG1LDz7
|
||||
mxfhmBeS3XcYuqZdjyKrATUFr0SHbsJxtRCslawGD2gKczLknFeBXL0997TfJS9i
|
||||
pLibqCtmvyryHn4EbZfoJqcpj/RBN/izVGHNYI8BsZpO5F6z7vXoncDL0dKh65nd
|
||||
GaIbhVDUPsDBvzg3i+EzhB51hYTTNKK0QpWbmsXfJBnvztinfLUsnO9HV8aRaygO
|
||||
I/DAKAtT7YPXORA1oFYtx69bzulqC+TXUmeV8YW8bETH4xHM9mQb0oNLPibR2nK2
|
||||
FSDiLp0/eEM5vgzfPVUX7WzBJUPsf0ah/e1yrXqudGUUZ0R+3VMOdxMryZBKLymk
|
||||
zyvu6a5DcLarqAt8y9ciRH67HKNnE1gvHf5K2Q37gwSecwmXCjpMlbVJnIarLKBc
|
||||
VRcYKtxgPxCv6483I8heSKF7PB/IFBmzT1cX7lhln9+62Ks/0Gs0pA0iNLaD+POP
|
||||
iqWrAwZsFvKjD9PDaCBDFRWjFqZLyJMsMi1qmP8jWsdQqPdUskQC0ftvw3Z6Siyy
|
||||
rriSAzglCjmmAcfdt+w4b/EO4SzSZUnd/ApkHkZx1Lbta15WKxGi7S8/5zNdaK72
|
||||
1nUdiQIzBBABCAAdFiEEIHnICkX+vZuglRryyyMS4ez3P1cFAl0PDA8ACgkQyyMS
|
||||
4ez3P1eHXg//ceYbw0RGvvkpBn41t2D2OEDnowyAqgdrByFoub4mam3lxjKZob6F
|
||||
nIVcp0aY6TTOW0Peo0ZMigLh2DkEpF0JZrtTu5Om2tZpn+16d2c9ThROEasTERqI
|
||||
AnUHMmpXupRZDSdHJTSD+HdlBSvO9Ve2vtIv/F9AW8pIQqZby3rJeFwsaQl9GUuw
|
||||
T6teyBG5GZVFLDvNM2r64moTGvxsZdOEz/2KSZNMONEIFWYJPbBtaKZjlNJebh+i
|
||||
YwOda6YqGwmyBpudtMtyHUT5gXBIaaMfKW40CxxTesOuV7YWg52ZkJe8tsURnIUi
|
||||
55wCaLnNM+bsqjRIDZ5tAvCqTCj+T5hg6uJbmWOhCHW4VMp3PKEgmajMSZVAfzcW
|
||||
iryAT/xol531qwer+3LRRS21qha3lfAJNaDy6rTHBqeDXyo7oeBQwoFIJFA5w9Ia
|
||||
DVRfWXiKnHjsma0CEg1JXXnL1eb2Bzh8qInUQEgm92B/w2tJgNDDNPIDQDlbWgQw
|
||||
24Wzx5QGOfr4CJM3WMhSdUEn8jyyFj+GmCfCAtRTEPhGIf4op6rZfH5Q8O0UJ865
|
||||
iIvshNNLoWtkVx2MTU4juXsz666Vq+HFzyIw2xPeabVIKVzF25+vbTTRQIhohuU9
|
||||
FV36IqXOGGwYAlnu8/2NFDWbUIhaCaB0N2AeVH8kQcO9L0OEHB0MJy+0MEFuZHJl
|
||||
dyBHLiBNb3JnYW4gKFdvcmsgQWRkcmVzcykgPGFnbUBnb29nbGUuY29tPokCOAQT
|
||||
AQIAIgUCTpUPggIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQKe6EiuLM
|
||||
8/TM2hAAwOPHeKi+9/SukBgW+8Cg9vOERdwnjX9P6lrFY4mbxISDt9edQeBd5PBb
|
||||
dEk8ins+C5y0+iC8pBX7sZxTkNyDXcNk7icytKy8iewtCR94NVT/OXYy4cU60Eyk
|
||||
OnqIZxTCNLRthu+XTd8+Ptlcgwv4js5LI16hn+fbO0j1SIgEei+wepmpibh3tU6L
|
||||
idWPVj8ZqT32zDdwu9TCr1/eLyKg3PKeoFPuMD4ZYVp5Um4as4IEEGC4i7QSSDjY
|
||||
0BnYBHfbBA/l4S2VICrwiX1FnN7BrW/viWgM0k6X6Rbn+NArq0aPYD2+VOpXMdQO
|
||||
Y9n2foOzuHfCjaDeDNhfVy4zeylb1SwDxdQM1jbI0VgML0iwAjT27Xw3t/z2Kwb/
|
||||
JiHkxmknPZ/Htx5we3BJW6RMYcOxqgdNcyV+NCZVTl585FklroHHRORpILB5x6be
|
||||
r7c5x2BbxfA9aKT/la/wHd0mikwfUzDelGGKu1N3r/zzE3IuQlK2m0ENm9uq8Hac
|
||||
yZKKqCHSY96yWfC5vEnn/gVs/3OUs3vOnj1FkcoOX/wQxJcYKOYbpRPFbojdikp1
|
||||
zj7IR3X39RS3GpA59uAW+Vxt6xDkgu8s7NmJ2RLvLS/iL2tkF78cTLd4bzPizl2W
|
||||
gGulIG8rJLCpa65IOfe0yrDgHPYF7cWC1gDhOc3LuyFwVHYEwWiJAjMEEAEIAB0W
|
||||
IQQgecgKRf69m6CVGvLLIxLh7Pc/VwUCXQ8MGwAKCRDLIxLh7Pc/V0F9EACHKNqF
|
||||
l5xXDHe/0nlZ+J/OFRNIE8ObZAxQLaPfK3gRkFn/SbKQzkzB84X2il7A/W221Lzi
|
||||
me5eTFPhTX3RxUcoSQdrtCCov5gCeuiUbhuJ28zuJxslxLE8bhnmNfpLmFFGtbMI
|
||||
kXq+y0uqc08Yj8frPXKgx7KvOoovpm0X/igiAkiuKLhbq8xIwaIN0NL4slFlx+ZP
|
||||
Ed0KA6qOvlLr0T/lLVptAeMrzfi2gqY1utSqE5IVrbtU6Kptw3zfURsGFFIaKjIr
|
||||
hzu25Cdpg/NxYGqo2GqD0lZ+OeWSy0WI5sxCSDqr0to9lvsJGv2Nc06ixIjH7vG2
|
||||
Hc/cC0QyHdBM6GwaLmUH9hrcSCLR5kxTzAW0Cf6lrAZUL36Ivl5l+zoLdJqSgZLY
|
||||
YXqMdQf75Y5TRFzry5pWRef3ba4/sgui89W11Uccdq/pGe4OKo0I/vq3bv35/3cZ
|
||||
aMGjj3x6v67kk8GWbKg6CPBnzb1dY7VDA5RWOt2lPZr4omUNFwRpxAfZADUz2Q4S
|
||||
tMQVE018SSH1i6G9EB8KVQEBeD4qgaWs1z9sqA7K5wlBzGarTa2RspH0GMmYwxBY
|
||||
hXtYpKm/47Dkg8j3N01VVwky0XGPFHCVgFbeXGknL1O3thOGs5XPO05jtBcbYI1u
|
||||
vvK+h/CNn1yuTG13BSG4pgRF1Sy6CFLHme0d/rkCDQROjogSARAAtLny8nlyr8fy
|
||||
YGAocQz0S47a99n/X0Vmgwo1trJsCXWbOrpztznY8IFRK/dRnRHiMwBxWQ4CvdUk
|
||||
2p0MweUiOjpEN7bUm92jeFXMr0hpQKf+O4DMExHS4hxLwArnKFuAk2ejRQGXBcEo
|
||||
Mv11LiUwuzFbWdXqMsA1TbuA+WvEBnFUYM/6xNiJeRIUIiGydhG1yaw8HrNWLHnh
|
||||
hcOfT6z5AO69hZZiJacp9pU/+jnep/M42p4J17x81+ESpJeladwR0Qxc0qxOyWid
|
||||
N7oO5hSiBEwU6lYQjdQ23pa7tN1o90P9jyN2nFBEdBu2D/mi4DV/+VXUYHNEy3uN
|
||||
hmmLGwMoPVWiZveRmG74+ne7MVyxwb9EIF3IenS4T65ee1dlZvaoMxUlUe8htEK0
|
||||
ChrQZOfITs9MyjUwoTiLUVo3kQeMli9HJEQXPRjHqkkZ7W65LhkEVnHSPHWtttRS
|
||||
DkuZYtze+he142GzDSQA3dF2zy/tLpBb5CA29ITcQTspgV7AuV8YQqDZ4XWHsR9A
|
||||
m5334N83EXk2oouqxl7mKUB0Vg6tujNCBSRn6A3CUaA29w/MyTg4z6Yw6HD3il1J
|
||||
8PcWEoOzqlUoPd8tA5pcZCcKngkXndpXgsZCgoCgvx9WNU+LUrHBfhC3TLLsI7iG
|
||||
O1JvLghkesKTARF3O2hS3xAhfGZxn8MAEQEAAYkCHwQYAQIACQUCTo6IEgIbDAAK
|
||||
CRAp7oSK4szz9HSYD/9hmEsJuSgAGwx/OPweYuDGkA25ajDAu59LpzTbjB/yOU1r
|
||||
DVUu3cMH+UEyaEGlhbneGvHF2DsEC9il/8fVL4eaE9EWpopIonYndBE91+YiGHPT
|
||||
oiyKcdp0KuQMwm2ENAiEf/qErrB2NLna4wfZUx5lzvEOEk3cNPmNz2ERyMPXIeei
|
||||
Q9VKp3MzopWhvBItAyIzzuydKKvJAKzDoTOEL4w60slAphj8rVCsW45k2AurWUH7
|
||||
VFM8ezXunieLeygCGb+YJZAet6yVXD3UwnNcWCGQ+xKSPuyKrn4xKG0N5gzxnGIh
|
||||
/S/7IOjRaNR5X+pfWd6YzN9qURUfiXmuLSPRHK4Flfam4gMMHul9wL6XBayFo2NU
|
||||
PBaxg4U9ACAgSJxgCTNPCKwnovecOsRmIESKtT1F3hbZRRgRGj/TDepJQNfHSyk/
|
||||
ZQfuoJggBMQLJKzGII42rb0W90QLMk0SyCzeb3LO3yyNiKpluNpJsl2IqdBJE5t1
|
||||
LxhKDnju6JlFyPcGJnP/doTuDTjjL0V+guPAGVbuq0g2hku+ZlJwjMStNwHPWxei
|
||||
fuDJbQVIp0xZbI5djdHC8hVJX+d09J5eq0PlgMEidc4F+Vv+mmGJl0GiNfhmTaAC
|
||||
SRzbI25/bhvj2xhx8A2LEOuU/+nzYgQzPcFpawiUP1wBnTqi+maxKx5/9ifyrw==
|
||||
=6WX5
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
264
capfaq-0.2.txt
Normal file
264
capfaq-0.2.txt
Normal file
@ -0,0 +1,264 @@
|
||||
This is the Linux kernel capabilities FAQ
|
||||
|
||||
Its history, to the extent that I am able to reconstruct it is that
|
||||
v2.0 was posted to the Linux kernel list on 1999/04/02 by Boris
|
||||
Tobotras. Thanks to Denis Ducamp for forwarding me a copy.
|
||||
|
||||
Cheers
|
||||
|
||||
Andrew
|
||||
|
||||
Linux Capabilities FAQ 0.2
|
||||
==========================
|
||||
|
||||
1) What is a capability?
|
||||
|
||||
The name "capabilities" as used in the Linux kernel can be confusing.
|
||||
First there are Capabilities as defined in computer science. A
|
||||
capability is a token used by a process to prove that it is allowed to
|
||||
do an operation on an object. The capability identifies the object
|
||||
and the operations allowed on that object. A file descriptor is a
|
||||
capability. You create the file descriptor with the "open" call and
|
||||
request read or write permissions. Later, when doing a read or write
|
||||
operation, the kernel uses the file descriptor as an index into a
|
||||
data structure that indicates what operations are allowed. This is an
|
||||
efficient way to check permissions. The necessary data structures are
|
||||
created once during the "open" call. Later read and write calls only
|
||||
have to do a table lookup. Operations on capabilities include copying
|
||||
capabilities, transferring capabilities between processes, modifying a
|
||||
capability, and revoking a capability. Modifying a capability can be
|
||||
something like taking a read-write filedescriptor and making it
|
||||
read-only. A capability often has a notion of an "owner" which is
|
||||
able to invalidate all copies and derived versions of a capability.
|
||||
Entire OSes are based on this "capability" model, with varying degrees
|
||||
of purity. There are other ways of implementing capabilities than the
|
||||
file descriptor model - traditionally special hardware has been used,
|
||||
but modern systems also use the memory management unit of the CPU.
|
||||
|
||||
Then there is something quite different called "POSIX capabilities"
|
||||
which is what Linux uses. These capabilities are a partitioning of
|
||||
the all powerful root privilege into a set of distinct privileges (but
|
||||
look at securelevel emulation to find out that this isn't necessary
|
||||
the whole truth). Users familiar with VMS or "Trusted" versions of
|
||||
other UNIX variants will know this under the name "privileges". The
|
||||
name "capabilities" comes from the now defunct POSIX draft 1003.1e
|
||||
which used this name.
|
||||
|
||||
2) So what is a "POSIX capability"?
|
||||
|
||||
A process has three sets of bitmaps called the inheritable(I),
|
||||
permitted(P), and effective(E) capabilities. Each capability is
|
||||
implemented as a bit in each of these bitmaps which is either set or
|
||||
unset. When a process tries to do a privileged operation, the
|
||||
operating system will check the appropriate bit in the effective set
|
||||
of the process (instead of checking whether the effective uid of the
|
||||
process i 0 as is normally done). For example, when a process tries
|
||||
to set the clock, the Linux kernel will check that the process has the
|
||||
CAP_SYS_TIME bit (which is currently bit 25) set in its effective set.
|
||||
|
||||
The permitted set of the process indicates the capabilities the
|
||||
process can use. The process can have capabilities set in the
|
||||
permitted set that are not in the effective set. This indicates that
|
||||
the process has temporarily disabled this capability. A process is
|
||||
allowed to set a bit in its effective set only if it is available in
|
||||
the permitted set. The distinction between effective and permitted
|
||||
exists so that processes can "bracket" operations that need privilege.
|
||||
|
||||
The inheritable capabilities are the capabilities of the current
|
||||
process that should be inherited by a program executed by the current
|
||||
process. The permitted set of a process is masked against the
|
||||
inheritable set during exec(). Nothing special happens during fork()
|
||||
or clone(). Child processes and threads are given an exact copy of
|
||||
the capabilities of the parent process.
|
||||
|
||||
3) What about other entities in the system? Users, Groups, Files?
|
||||
|
||||
Files have capabilities. Conceptually they have the same three
|
||||
bitmaps that processes have, but to avoid confusion we call them by
|
||||
other names. Only executable files have capabilities, libraries don't
|
||||
have capabilities (yet). The three sets are called the allowed set,
|
||||
the forced set, and the effective set.
|
||||
|
||||
The allowed set indicates what capabilities the executable is allowed
|
||||
to receive from an execing process. This means that during exec(),
|
||||
the capabilities of the old process are first masked against a set
|
||||
which indicates what the process gives away (the inheritable set of
|
||||
the process), and then they are masked against a set which indicates
|
||||
what capabilities the new process image is allowed to receive (the
|
||||
allowed set of the executable).
|
||||
|
||||
The forced set is a set of capabilities created out of thin air and
|
||||
given to the process after execing the executable. The forced set is
|
||||
similar in nature to the setuid feature. In fact, the setuid bit from
|
||||
the filesystem is "read" as a full forced set by the kernel.
|
||||
|
||||
The effective set indicates which bits in the permitted set of the new
|
||||
process should be transferred to the effective set of the new process.
|
||||
The effective set is best thought of as a "capability aware" set. It
|
||||
should consist of only 1s if the executable is capability-dumb, or
|
||||
only 0s if the executable is capability-smart. Since the effective
|
||||
set consists of only 0s or only 1s, the filesystem can implement this
|
||||
set using a single bit.
|
||||
|
||||
NOTE: Filesystem support for capabilities is not part of Linux 2.2.
|
||||
|
||||
Users and Groups don't have associated capabilities from the kernel's
|
||||
point of view, but it is entirely reasonable to associate users or
|
||||
groups with capabilities. By letting the "login" program set some
|
||||
capabilities it is possible to make role users such as a backup user
|
||||
that will have the CAP_DAC_READ_SEARCH capability and be able to do
|
||||
backups. This could also be implemented as a PAM module, but nobody
|
||||
has implemented one yet.
|
||||
|
||||
4) What capabilities exist?
|
||||
|
||||
The capabilities available in Linux are listed and documented in the
|
||||
file /usr/src/linux/include/linux/capability.h.
|
||||
|
||||
5) Are Linux capabilities hierarchical?
|
||||
|
||||
No, you cannot make a "subcapability" out of a Linux capability as in
|
||||
capability-based OSes.
|
||||
|
||||
6) How can I use capabilities to make sure Mr. Evil Luser (eluser)
|
||||
can't exploit my "suid" programs?
|
||||
|
||||
This is the general outline of how this works given filesystem
|
||||
capability support exists. First, you have a PAM module that sets the
|
||||
inheritable capabilities of the login-shell of eluser. Then for all
|
||||
"suid" programs on the system, you decide what capabilities they need
|
||||
and set the _allowed_ set of the executable to that set of
|
||||
capabilities. The capability rules
|
||||
|
||||
new permitted = forced | (allowed & inheritable)
|
||||
|
||||
means that you should be careful about setting forced capabilities on
|
||||
executables. In a few cases, this can be useful though. For example
|
||||
the login program needs to set the inheritable set of the new user and
|
||||
therefore needs an almost full permitted set. So if you want eluser
|
||||
to be able to run login and log in as a different user, you will have
|
||||
to set some forced bits on that executable.
|
||||
|
||||
7) What about passing capabilities between processes?
|
||||
|
||||
Currently this is done by the system call "setcap" which can set the
|
||||
capabilities of another process. This requires the CAP_SETPCAP
|
||||
capability which you really only want to grant a _few_ processes.
|
||||
CAP_SETPCAP was originally intended as a workaround to be able to
|
||||
implement filesystem support for capabilities using a daemon outside
|
||||
the kernel.
|
||||
|
||||
There has been discussions about implementing socket-level capability
|
||||
passing. This means that you can pass a capability over a socket. No
|
||||
support for this exists in the official kernel yet.
|
||||
|
||||
8) I see securelevel has been removed from 2.2 and are superceeded by
|
||||
capabilities. How do I emulate securelevel using capabilities?
|
||||
|
||||
The setcap system call can remove a capability from _all_ processes on
|
||||
the system in one atomic operation. The setcap utility from the
|
||||
libcap distribution will do this for you. The utility requires the
|
||||
CAP_SETPCAP privilege to do this. The CAP_SETPCAP capability is not
|
||||
enabled by default.
|
||||
|
||||
libcap is available from
|
||||
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/
|
||||
|
||||
9) I noticed that the capability.h file lacks some capabilities that
|
||||
are needed to fully emulate 2.0 securelevel. Is there a patch for
|
||||
this?
|
||||
|
||||
Actually yes - funny you should ask :-). The problem with 2.0
|
||||
securelevel is that they for example stop root from accessing block
|
||||
devices. At the same time they restrict the use of iopl. These two
|
||||
changes are fundamentally different. Blocking access to block devices
|
||||
means restricting something that usually isn't restricted.
|
||||
Restricting access to the use of iopl on the other hand means
|
||||
restricting (blocking) access to something that is already blocked.
|
||||
Emulating the parts of 2.0 securelevel that restricts things that are
|
||||
normally not restricted means that the capabilites in the kernel has
|
||||
to have a set of capabilities that are usually _on_ for a normal
|
||||
process (note that this breaks the explanation that capabilities are a
|
||||
partitioning of the root privileges). There is an experimental patch at
|
||||
|
||||
ftp://ftp.guardian.no/pub/free/linux/capabilities/patch-cap-exp-1
|
||||
|
||||
which implements a set of capabilities with the "CAP_USER" prefix:
|
||||
|
||||
cap_user_sock - allowed to use socket()
|
||||
cap_user_dev - allowed to open char/block devices
|
||||
cap_user_fifo - allowed to use pipes
|
||||
|
||||
These should be enough to emulate 2.0 securelevel (tell me if we need
|
||||
something more).
|
||||
|
||||
10) Seems I need a CAP_SETPCAP capability that I don't have to make use
|
||||
of capabilities. How do I enable this capability?
|
||||
|
||||
Change the definition of CAP_INIT_EFF_SET and CAP_INIT_INH_SET to the
|
||||
following in include/linux/capability.h:
|
||||
|
||||
#define CAP_INIT_EFF_SET { ~0 }
|
||||
#define CAP_INIT_INH_SET { ~0 }
|
||||
|
||||
This will start init with a full capability set and not with
|
||||
CAP_SETPCAP removed.
|
||||
|
||||
11) How do I start a process with a limited set of capabilities?
|
||||
|
||||
Get the libcap library and use the execcap utility. The following
|
||||
example starts the update daemon with only the CAP_SYS_ADMIN
|
||||
capability.
|
||||
|
||||
execcap 'cap_sys_admin=eip' update
|
||||
|
||||
12) How do I start a process with a limited set of capabilities under
|
||||
another uid?
|
||||
|
||||
Use the sucap utility which changes uid from root without loosing any
|
||||
capabilities. Normally all capabilities are cleared when changing uid
|
||||
from root. The sucap utility requires the CAP_SETPCAP capability.
|
||||
The following example starts updated under uid updated and gid updated
|
||||
with CAP_SYS_ADMIN raised in the Effective set.
|
||||
|
||||
sucap updated updated execcap 'cap_sys_admin=eip' update
|
||||
|
||||
[ Sucap is currently available from
|
||||
ftp://ftp.guardian.no/pub/free/linux/capabilities/sucap.c. Put it in
|
||||
the progs directory of libcap to compile.]
|
||||
|
||||
13) What are the "capability rules"
|
||||
|
||||
The capability rules are the rules used to set the capabilities of the
|
||||
new process image after an exec. They work like this:
|
||||
|
||||
pI' = pI
|
||||
(***) pP' = fP | (fI & pI)
|
||||
pE' = pP' & fE [NB. fE is 0 or ~0]
|
||||
|
||||
I=Inheritable, P=Permitted, E=Effective // p=process, f=file
|
||||
' indicates post-exec().
|
||||
|
||||
Now to make sense of the equations think of fP as the Forced set of
|
||||
the executable, and fI as the Allowed set of the executable. Notice
|
||||
how the Inheritable set isn't touched at all during exec().
|
||||
|
||||
14) What are the laws for setting capability bits in the Inheritable,
|
||||
Permitted, and Effective sets?
|
||||
|
||||
Bits can be transferred from Permitted to either Effective or
|
||||
Inheritable set.
|
||||
|
||||
Bits can be removed from all sets.
|
||||
|
||||
15) Where is the standard on which the Linux capabilities are based?
|
||||
|
||||
There used to be a POSIX draft called POSIX.6 and later POSIX 1003.1e.
|
||||
However after the committee had spent over 10 years, POSIX decided
|
||||
that enough is enough and dropped the draft. There will therefore not
|
||||
be a POSIX standard covering security anytime soon. This may lead to
|
||||
that the POSIX draft is available for free, however.
|
||||
|
||||
--
|
||||
Best regards, -- Boris.
|
||||
|
20
gating.yaml
20
gating.yaml
@ -1,20 +0,0 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- fedora-*
|
||||
decision_context: bodhi_update_push_testing
|
||||
subject_type: koji_build
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpmdeplint.functional}
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.installability.functional}
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- fedora-*
|
||||
decision_context: bodhi_update_push_stable
|
||||
subject_type: koji_build
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpmdeplint.functional}
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.installability.functional}
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
23
getpcaps.8
Normal file
23
getpcaps.8
Normal file
@ -0,0 +1,23 @@
|
||||
.\" Hey, EMACS: -*- nroff -*-
|
||||
.TH GETPCAPS 8 "2001-05-29"
|
||||
.\" Please adjust this date whenever revising the manpage.
|
||||
.SH NAME
|
||||
getpcaps \- display process capabilities
|
||||
.SH SYNOPSIS
|
||||
.B getpcaps
|
||||
.IR pid ...
|
||||
.SH DESCRIPTION
|
||||
.B getpcaps
|
||||
displays the capabilities on the processes indicated by the
|
||||
.I pid
|
||||
value(s) given on the commandline. The capabilities
|
||||
are displayed in the
|
||||
.BR cap_from_text (3)
|
||||
format.
|
||||
.SH SEE ALSO
|
||||
.BR execcap (8).
|
||||
.br
|
||||
.SH AUTHOR
|
||||
This manual page was written by Robert Bihlmeyer <robbe@debian.org>,
|
||||
for the Debian GNU/Linux system (but may be used by others).
|
||||
|
22
libcap-2.25-buildflags.patch
Normal file
22
libcap-2.25-buildflags.patch
Normal file
@ -0,0 +1,22 @@
|
||||
diff -up libcap-2.25/Make.Rules.rh libcap-2.25/Make.Rules
|
||||
--- libcap-2.25/Make.Rules.rh 2016-04-11 18:52:01.418065682 +0200
|
||||
+++ libcap-2.25/Make.Rules 2016-04-11 18:52:10.790113866 +0200
|
||||
@@ -49,7 +49,8 @@ KERNEL_HEADERS := $(topdir)/libcap/inclu
|
||||
IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
|
||||
|
||||
CC := gcc
|
||||
-CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
|
||||
+CFLAGS := $(RPM_OPT_FLAGS) -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
|
||||
+
|
||||
BUILD_CC := $(CC)
|
||||
BUILD_CFLAGS := $(CFLAGS) $(IPATH)
|
||||
AR := ar
|
||||
@@ -60,7 +61,7 @@ WARNINGS=-Wall -Wwrite-strings \
|
||||
-Wstrict-prototypes -Wmissing-prototypes \
|
||||
-Wnested-externs -Winline -Wshadow
|
||||
LD=$(CC) -Wl,-x -shared
|
||||
-LDFLAGS := #-g
|
||||
+LDFLAGS := $(RPM_LD_FLAGS) #-g
|
||||
BUILD_GPERF := $(shell which gperf >/dev/null 2>/dev/null && echo yes)
|
||||
|
||||
SYSTEM_HEADERS = /usr/include
|
@ -1,2 +0,0 @@
|
||||
addFilter('.*static-library-without-debuginfo.*')
|
||||
addFilter('.*pam-unauthorized-module.*')
|
160
libcap.spec
160
libcap.spec
@ -1,22 +1,18 @@
|
||||
Name: libcap
|
||||
Version: 2.69
|
||||
Release: 1%{?dist}
|
||||
Version: 2.25
|
||||
Release: 7%{?dist}
|
||||
Summary: Library for getting and setting POSIX.1e capabilities
|
||||
URL: https://sites.google.com/site/fullycapable/
|
||||
License: BSD-3-Clause OR GPL-2.0-only
|
||||
License: GPLv2
|
||||
Group: System Environment/Libraries
|
||||
|
||||
Source0: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
|
||||
Source1: https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.sign
|
||||
Source2: https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys/29EE848AE2CCF3F4.asc
|
||||
#Source: http://mirror.linux.org.au/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.bz2
|
||||
Source: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
|
||||
# http://manned.org/getpcaps/299a4949/src:
|
||||
Source1: getpcaps.8
|
||||
Patch0: %{name}-2.25-buildflags.patch
|
||||
|
||||
BuildRequires: pam-devel gcc
|
||||
BuildRequires: make
|
||||
BuildRequires: glibc-static
|
||||
BuildRequires: gnupg2
|
||||
|
||||
%ifarch aarch64 armv7hl i686 ppc64le s390x x86_64
|
||||
BuildRequires: golang >= 1.11
|
||||
%endif
|
||||
BuildRequires: libattr-devel pam-devel perl-interpreter
|
||||
|
||||
%description
|
||||
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
|
||||
@ -24,6 +20,7 @@ draft 15 capabilities.
|
||||
|
||||
%package static
|
||||
Summary: Static libraries for libcap development
|
||||
Group: Development/Libraries
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description static
|
||||
@ -35,6 +32,7 @@ draft 15 capabilities.
|
||||
|
||||
%package devel
|
||||
Summary: Development files for libcap
|
||||
Group: Development/Libraries
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
@ -46,139 +44,51 @@ draft 15 capabilities.
|
||||
Install libcap-devel if you want to develop or compile applications using
|
||||
libcap.
|
||||
|
||||
%package -n captree
|
||||
Summary: Capability inspection utility
|
||||
|
||||
%description -n captree
|
||||
The captree program was inspired by the utility pstree, but it uses the
|
||||
libcap/cap (Go package) API to explore process runtime state and display
|
||||
the capability status of processes and threads.
|
||||
|
||||
%prep
|
||||
gzip -cd %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=-
|
||||
%autosetup -p1
|
||||
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
|
||||
%build
|
||||
%make_build prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external" all
|
||||
|
||||
%check
|
||||
make test
|
||||
# libcap can not be build with _smp_mflags:
|
||||
make prefix=%{_prefix} lib=%{_lib} LIBDIR=%{_libdir} SBINDIR=%{_sbindir} \
|
||||
INCDIR=%{_includedir} MANDIR=%{_mandir} PKGCONFIGDIR=%{_libdir}/pkgconfig/
|
||||
|
||||
%install
|
||||
%make_install prefix=%{_prefix} lib=%{_lib} GO_BUILD_FLAGS="-ldflags=-linkmode=external"
|
||||
make install RAISE_SETFCAP=no \
|
||||
DESTDIR=%{buildroot} \
|
||||
LIBDIR=%{_libdir} \
|
||||
SBINDIR=%{_sbindir} \
|
||||
PKGCONFIGDIR=%{_libdir}/pkgconfig/
|
||||
|
||||
mkdir -p %{buildroot}/%{_mandir}/man{2,3,8}
|
||||
mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/
|
||||
cp -f %{SOURCE1} %{buildroot}/%{_mandir}/man8/
|
||||
|
||||
chmod +x %{buildroot}/%{_libdir}/*.so.*
|
||||
|
||||
%ldconfig_scriptlets
|
||||
%post -p /sbin/ldconfig
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license License
|
||||
%doc doc/capability.md
|
||||
%{_libdir}/libcap.so.2{,.*}
|
||||
%{_libdir}/libpsx.so.2{,.*}
|
||||
%{_sbindir}/{capsh,getcap,getpcaps,setcap}
|
||||
%{_mandir}/man1/capsh.1*
|
||||
%{_mandir}/man8/{getcap,getpcaps,setcap}.8*
|
||||
%doc doc/capability.notes
|
||||
%{_libdir}/*.so.*
|
||||
%{_sbindir}/*
|
||||
%{_mandir}/man1/*
|
||||
%{_mandir}/man8/*
|
||||
%{_libdir}/security/pam_cap.so
|
||||
|
||||
%files static
|
||||
%{_libdir}/libcap.a
|
||||
%{_libdir}/libpsx.a
|
||||
|
||||
%files devel
|
||||
%{_includedir}/sys/capability.h
|
||||
%{_includedir}/sys/psx_syscall.h
|
||||
%{_libdir}/libcap.so
|
||||
%{_libdir}/libpsx.so
|
||||
%{_mandir}/man3/cap*.3*
|
||||
%{_mandir}/man3/libcap.3*
|
||||
%{_mandir}/man3/libpsx.3*
|
||||
%{_mandir}/man3/psx_*.3*
|
||||
%{_mandir}/man3/__psx_syscall.3*
|
||||
%{_libdir}/pkgconfig/{libcap,libpsx}.pc
|
||||
|
||||
%files -n captree
|
||||
%license License
|
||||
%{_sbindir}/captree
|
||||
%{_mandir}/man8/captree.8*
|
||||
%{_includedir}/*
|
||||
%{_libdir}/*.so
|
||||
%{_mandir}/man3/*
|
||||
%{_libdir}/pkgconfig/libcap.pc
|
||||
|
||||
%changelog
|
||||
* Mon Nov 06 2023 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 2.69-1
|
||||
- Update to 2.69 (with contribs from Yanko Kaneti <yaneti@declera.com>, and Andrew G. Morgan <morgan@kernel.org>)
|
||||
- Update license to SPDX (by Anderson Toshiyuki Sasaki <ansasaki@redhat.com>)
|
||||
- Make file lists more explicit to avoid accidental ABI changes (Dominik Mierzejewski <dominik@greysector.net>)
|
||||
|
||||
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.48-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Sun Feb 14 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 2.48-2
|
||||
- Rebase distro flags patch
|
||||
|
||||
* Wed Feb 10 2021 Giuseppe Scrivano <gscrivan@redhat.com> - 2.48-1
|
||||
- Update to 0.2.48
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Sun Jan 17 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 2.46-1
|
||||
- Update to 0.2.46
|
||||
|
||||
* Wed Oct 21 2020 Karsten Hopp <karsten@fedoraproject.org> - 2.44-1
|
||||
- update to 2.44
|
||||
- remove additional getpcaps manpage as it now included in the sources
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Mon Feb 04 2019 Karsten Hopp <karsten@redhat.com> - 2.26-5
|
||||
- enable gating
|
||||
|
||||
* Mon Feb 04 2019 Karsten Hopp <karsten@redhat.com> - 2.26-4
|
||||
- bump release
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Jan 28 2019 Karsten Hopp <karsten@redhat.com> - 2.26-2
|
||||
- add CI tests using the standard test interface (astepano)
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-12
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Mon Jul 02 2018 Karsten Hopp <karsten@redhat.com> - 2.25-11
|
||||
- rebuild
|
||||
|
||||
* Wed Feb 21 2018 Karsten Hopp <karsten@redhat.com> - 2.25-10
|
||||
- buildrequire gcc
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.25-8
|
||||
- Switch to %%ldconfig_scriptlets
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
|
@ -1,5 +0,0 @@
|
||||
summary: Basic smoke test for libcap
|
||||
discover:
|
||||
how: fmf
|
||||
execute:
|
||||
how: tmt
|
3
sources
3
sources
@ -1,2 +1 @@
|
||||
SHA512 (libcap-2.69.tar.gz) = 75ee0fe8e1ac835f29cb76d233f731dcf126b73eed5229a130bbe4308a42441934d4e9cefeaaab45f774de2ed6859c752fbbfb9908e792f2f9f3d0f841e01aee
|
||||
SHA512 (libcap-2.69.tar.sign) = 00f323444463b020c999f6fab255a61bd719f8d0ec1b619352e4f1b13407acee9a8e176861e5b408f64a871dc4095c6a26af541c3a0d4efca364c2d4b3679d30
|
||||
4b18f7166a121138cca0cdd8ab64df4c libcap-2.25.tar.gz
|
||||
|
@ -1,2 +0,0 @@
|
||||
summary: capsh tests
|
||||
description: tests basic capsh functionality
|
@ -1,94 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlRun "useradd -m libcap_tester"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should remove capability"
|
||||
rlRun -s "capsh --drop=cap_sys_admin -- -c 'getpcaps \$\$'"
|
||||
rlAssertGrep "cap_sys_admin-ep" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should prevent the use of removed capability"
|
||||
rlRun -s "capsh --drop=cap_net_raw -- -c 'ping localhost -e 0 -c 1'" 2,126 "Ping without cap_net_raw shoud fail"
|
||||
rlAssertGrep "Operation not permitted" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should set the prevailing process capabilities"
|
||||
rlRun -s "capsh --caps=cap_chown+p --print"
|
||||
rlAssertGrep "^Current:.*cap_chown[+=][ei]?p[ei]?.*" $rlRun_LOG -E
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should set the inheritable set of capabilities"
|
||||
rlRun -s "capsh --inh=cap_chown --print"
|
||||
rlAssertGrep "^Current:.*cap_chown[+=][ep]?i[ep]?.*" $rlRun_LOG -E
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should set and show the inheritable set of capabilities"
|
||||
rlRun -s "capsh --inh=cap_chown -- -c 'getpcaps \$\$' 2>&1"
|
||||
rlAssertGrep ".*cap_chown[+=][ep]?i[ep]?.*" $rlRun_LOG -E
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should assume the identity of the user nobody"
|
||||
USERID=`id -u nobody`
|
||||
GROUPID=`id -g nobody`
|
||||
rlRun -s "capsh --user=nobody -- -c 'id'"
|
||||
rlAssertGrep "uid=$USERID(nobody) gid=$GROUPID(nobody) groups=$GROUPID(nobody)" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should assume the nobody identity with uid"
|
||||
USERID=`id -u nobody`
|
||||
rlRun -s "capsh --uid=$USERID -- -c 'id'"
|
||||
rlAssertGrep "uid=$USERID(nobody) gid=0(root) groups=0(root)" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should assume guid of nobody"
|
||||
GROUPID=`id -g nobody`
|
||||
rlRun -s "capsh --gid=$GROUPID -- -c 'id'"
|
||||
rlAssertGrep "uid=0(root) gid=$GROUPID(nobody)" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should assume the supplementary groups"
|
||||
GROUPID=`id -g nobody`
|
||||
GROUP2ID=`id -g daemon`
|
||||
rlRun -s "capsh --groups=${GROUPID},${GROUP2ID} -- -c id"
|
||||
rlAssertGrep "uid=0(root) gid=0(root) groups=0(root),${GROUP2ID}(daemon),${GROUPID}(nobody)" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should decode capabilities"
|
||||
rlRun "CODE=$( cat /proc/$$/status | awk '/CapEff/ { print $2 }' )"
|
||||
rlRun "DECODE=$( capsh --decode=$CODE | cut -d '=' -f 2 )"
|
||||
rlRun "capsh --print | grep \"$DECODE\""
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should detect the existence of a capability on the system"
|
||||
rlRun "capsh --supports=cap_net_raw"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should detect the absence of a capability on the system"
|
||||
rlRun -s "capsh --supports=cap_foo_bar" 1
|
||||
rlAssertGrep "cap\[cap_foo_bar\] not recognized by library" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should error for unsupported option"
|
||||
rlRun "capsh --foo bar" 1
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should run as a regular user"
|
||||
USERID=`id -u libcap_tester`
|
||||
rlRun -s "su - libcap_tester -c 'capsh --print'"
|
||||
rlAssertGrep "Current: =\$" $rlRun_LOG -E
|
||||
rlAssertGrep "uid=$USERID(libcap_tester)" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "userdel -r libcap_tester"
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalEnd
|
@ -1,2 +0,0 @@
|
||||
summary: setcap and getcap tests
|
||||
description: tests setcap and getcap basic functionality
|
@ -1,98 +0,0 @@
|
||||
#!/bin/bash
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should set and get capabilities on multiple files"
|
||||
rlRun "touch test-file-0"
|
||||
rlRun "touch test-file-1"
|
||||
rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-file-1"
|
||||
rlRun -s "getcap test-file-0 test-file-1"
|
||||
rlAssertGrep "test-file-0.*cap_net_admin[+=]p" $rlRun_LOG -E
|
||||
rlAssertGrep "test-file-1.*cap_net_raw[+=]ei" $rlRun_LOG -E
|
||||
rlRun "rm -f test-file-0 test-file-1"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should set capabilities via stdin"
|
||||
rlRun "touch test-file-0"
|
||||
rlRun "echo -e 'cap_net_raw+p\ncap_net_admin+p' > input"
|
||||
rlRun -s "setcap - test-file-0 < input"
|
||||
rlAssertGrep "Please" $rlRun_LOG
|
||||
rlRun -s "getcap test-file-0"
|
||||
rlAssertGrep "cap_net_admin,cap_net_raw[+=]p" $rlRun_LOG -E
|
||||
rlRun "rm -f test-file-0"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should set capabilities quietly via stdin"
|
||||
rlRun "touch test-file-0"
|
||||
rlRun "echo -e 'cap_net_raw+p' > input"
|
||||
rlRun -s "setcap -q - test-file-0 < input"
|
||||
rlAssertNotGrep "Please" $rlRun_LOG
|
||||
rlRun -s "getcap test-file-0"
|
||||
rlAssertGrep "cap_net_raw[+=]p" $rlRun_LOG -E
|
||||
rlRun "rm -f test-file-0"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should remove capabilities"
|
||||
rlRun "touch test-file-0"
|
||||
rlRun "setcap cap_net_admin+p test-file-0"
|
||||
rlRun "setcap -r test-file-0"
|
||||
rlRun -s "getcap test-file-0"
|
||||
rlAssertNotGrep "cap_net_admin" $rlRun_LOG
|
||||
rlRun "rm -f test-file-0"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should list capabilities recursively"
|
||||
rlRun "touch test-file-0"
|
||||
rlRun "mkdir test-dir-1"
|
||||
rlRun "touch test-dir-1/test-file-1"
|
||||
rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-dir-1/test-file-1"
|
||||
rlRun -s "getcap -r *"
|
||||
rlAssertGrep "^test-file-0.*cap_net_admin[+=]p\$" $rlRun_LOG -E
|
||||
rlAssertGrep "^test-dir-1/test-file-1.*cap_net_raw[+=]ei\$" $rlRun_LOG -E
|
||||
rlRun "rm -f test-file-0"
|
||||
rlRun "rm -rf test-dir-1"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "listing capabilities verbosely"
|
||||
rlRun "touch test-file-0"
|
||||
rlRun "mkdir test-dir-1"
|
||||
rlRun "touch test-dir-1/test-file-1"
|
||||
rlRun "touch test-dir-1/test-file-2"
|
||||
rlRun "setcap cap_net_admin+p test-file-0 cap_net_raw+ei test-dir-1/test-file-1"
|
||||
rlRun -s "getcap -v -r *"
|
||||
rlAssertGrep "^test-file-0.*cap_net_admin[+=]p\$" $rlRun_LOG -E
|
||||
rlAssertGrep "^test-dir-1/test-file-1.*cap_net_raw[+=]ei\$" $rlRun_LOG -E
|
||||
rlAssertGrep "^test-dir-1/test-file-2\$" $rlRun_LOG -E
|
||||
rlRun "rm -f test-file-0"
|
||||
rlRun "rm -rf test-dir-1"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should setcap print help"
|
||||
rlRun -s "setcap -h"
|
||||
rlAssertGrep "usage" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should getcap print help"
|
||||
rlRun -s "getcap -h"
|
||||
rlAssertGrep "usage" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "setcap should exit with 1 on invalid arguments"
|
||||
rlRun -s "setcap foo bar" 1
|
||||
rlAssertGrep "Invalid" $rlRun_LOG -i
|
||||
rlPhaseEnd
|
||||
rlPhaseStartTest "getcap should exit with 1 on invalid arguments"
|
||||
rlRun -s "getcap -f oo" 1
|
||||
rlAssertGrep "Invalid" $rlRun_LOG -i
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalEnd
|
@ -1,2 +0,0 @@
|
||||
summary: libcap-devel tests
|
||||
description: tests libcap-devel functionality
|
@ -1,52 +0,0 @@
|
||||
/*
|
||||
# SPDX-License-Identifier: LGPL-2.1+
|
||||
# ~~~
|
||||
# Description: libcap tests
|
||||
#
|
||||
# Author: Susant Sahani <susant@redhat.com>
|
||||
# Copyright (c) 2018 Red Hat, Inc.
|
||||
# ~~~
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <netinet/in.h>
|
||||
#include <setjmp.h>
|
||||
#include <inttypes.h>
|
||||
#include <cmocka.h>
|
||||
#include <sys/capability.h>
|
||||
#include <netdb.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
|
||||
void drop_cap(cap_value_t capflag) {
|
||||
cap_t d;
|
||||
|
||||
d = cap_get_proc();
|
||||
assert_non_null(d);
|
||||
|
||||
assert_return_code(cap_set_flag(d, CAP_EFFECTIVE, 1, &capflag, CAP_CLEAR), 0);
|
||||
assert_return_code(cap_set_flag(d, CAP_PERMITTED, 1, &capflag, CAP_CLEAR), 0);
|
||||
assert_return_code(cap_set_proc(d), 0);
|
||||
}
|
||||
|
||||
void test_drop_cap_net_raw(void **state) {
|
||||
int s;
|
||||
|
||||
assert_true((s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP)) >= 0);
|
||||
close(s);
|
||||
|
||||
drop_cap(CAP_NET_RAW);
|
||||
|
||||
assert_false((s = socket(PF_INET, SOCK_RAW, IPPROTO_UDP)) >= 0);
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
const struct CMUnitTest libcap_tests[] = {
|
||||
cmocka_unit_test(test_drop_cap_net_raw),
|
||||
};
|
||||
|
||||
return cmocka_run_group_tests(libcap_tests, NULL, NULL);
|
||||
}
|
@ -1,17 +0,0 @@
|
||||
#!/bin/bash
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlRun "gcc -lcap -lcmocka -Wall -g3 -o test-libcap test-libcap.c"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "./test-libcap"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "rm test-libcap"
|
||||
rlPhaseEnd
|
||||
rlJournalEnd
|
@ -1,9 +0,0 @@
|
||||
test: ./test.sh
|
||||
framework: beakerlib
|
||||
require:
|
||||
- libcap
|
||||
- libcap-devel
|
||||
- libcmocka
|
||||
- libcmocka-devel
|
||||
- gcc
|
||||
- iputils
|
@ -1,2 +0,0 @@
|
||||
summary: man pages install smoke tests
|
||||
description: verify that the man pages are installed correctly
|
@ -1,21 +0,0 @@
|
||||
#!/bin/bash
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
expected_manpages=(
|
||||
'capsh(1)'
|
||||
'libcap(3)' # there are many more but if these are present then it verifies it because of the glob install
|
||||
'libpsx(3)'
|
||||
'getcap(8)'
|
||||
'getpcaps(8)'
|
||||
'setcap(8)'
|
||||
'captree(8)'
|
||||
|
||||
)
|
||||
|
||||
rlJournalStart
|
||||
for page in "${expected_manpages[@]}"; do
|
||||
rlPhaseStartTest "test ${page}"
|
||||
rlRun "man --pager=cat '${page}'"
|
||||
rlPhaseEnd
|
||||
done
|
||||
rlJournalEnd
|
@ -1,2 +0,0 @@
|
||||
summary: pam_cap.so tests
|
||||
description: tests pam_cap.so functionality
|
@ -1,32 +0,0 @@
|
||||
#!/bin/bash
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlRun "useradd -m pam_cap_user"
|
||||
rlRun "useradd -m pam_cap_user2"
|
||||
rlFileBackup /etc/pam.d/su
|
||||
[ -f /etc/security/capability.conf ] && rlFileBackup /etc/security/capability.conf
|
||||
rlRun "echo -e 'cap_net_raw pam_cap_user\nnone *' > /etc/security/capability.conf"
|
||||
rlRun "sed '1 s/^/auth required pam_cap.so/' -i /etc/pam.d/su" 0 "Configure pam_cap.so in /etc/pam.d/su"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Should given pam_cap_user the cap_net_raw capability"
|
||||
rlRun -s "su - pam_cap_user -c 'getpcaps \$\$'"
|
||||
rlAssertGrep ".*cap_net_raw[+=].*" $rlRun_LOG -E
|
||||
rlPhaseEnd
|
||||
rlPhaseStartTest "The user pam_cap_user2 should not have the cap_net_raw capability"
|
||||
rlRun -s "su - pam_cap_user2 -c 'getpcaps \$\$'"
|
||||
rlAssertNotGrep "cap_net_raw" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "userdel -r pam_cap_user"
|
||||
rlRun "userdel -r pam_cap_user2"
|
||||
rlFileRestore
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalEnd
|
@ -1,2 +0,0 @@
|
||||
summary: validates pkg-configs presence.
|
||||
description: ensures libcap.pc and libpsx.pc are installed
|
@ -1,44 +0,0 @@
|
||||
#!/bin/bash
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "libcap pkg-config should be present and valid"
|
||||
rlRun "rpm -ql libcap-devel | grep libcap.pc" 0 "There must be libcap.pc"
|
||||
if [ $? -eq 0 ]; then
|
||||
PCFILE=$(rpm -ql libcap-devel | grep libcap.pc)
|
||||
rlRun "pkg-config --libs libcap | grep -- '-lcap'"
|
||||
VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
|
||||
rlRun "pkg-config --modversion libcap | grep $VER"
|
||||
rlRun -s "pkg-config --print-variables libcap"
|
||||
rlAssertGrep "^prefix" $rlRun_LOG
|
||||
rlAssertGrep "^exec_prefix" $rlRun_LOG
|
||||
rlAssertGrep "^libdir" $rlRun_LOG
|
||||
rlAssertGrep "^includedir" $rlRun_LOG
|
||||
fi
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "libcap pkg-config should be present and valid"
|
||||
rlRun "rpm -ql libcap-devel | grep libpsx.pc" 0 "There must be libpsx.pc"
|
||||
if [ $? -eq 0 ]; then
|
||||
PCFILE=$(rpm -ql libcap-devel | grep libpsx.pc)
|
||||
rlRun "pkg-config --libs libpsx | grep -- '-lpsx -lpthread -Wl,-wrap,pthread_create'"
|
||||
VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
|
||||
rlRun "pkg-config --modversion libpsx | grep $VER"
|
||||
rlRun -s "pkg-config --print-variables libpsx"
|
||||
rlAssertGrep "^prefix" $rlRun_LOG
|
||||
rlAssertGrep "^exec_prefix" $rlRun_LOG
|
||||
rlAssertGrep "^libdir" $rlRun_LOG
|
||||
rlAssertGrep "^includedir" $rlRun_LOG
|
||||
fi
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalEnd
|
Loading…
Reference in New Issue
Block a user