From 8d2d9cec773a81a69f9a1eb77e79ec4bad6776d7 Mon Sep 17 00:00:00 2001 From: Britney Fransen Date: Sun, 4 Oct 2020 16:15:06 +0000 Subject: libcap: update to 2.43 --- abs/core/libcap/PKGBUILD | 59 +++--- abs/core/libcap/libcap-2.23-header.patch | 350 ------------------------------- 2 files changed, 32 insertions(+), 377 deletions(-) delete mode 100644 abs/core/libcap/libcap-2.23-header.patch diff --git a/abs/core/libcap/PKGBUILD b/abs/core/libcap/PKGBUILD index b6dbd5a..e9947da 100644 --- a/abs/core/libcap/PKGBUILD +++ b/abs/core/libcap/PKGBUILD @@ -1,42 +1,47 @@ -#$Id: PKGBUILD 203064 2014-01-03 09:18:41Z allan $ -# Maintainer: Allan McRae +# Maintainer: Bartłomiej Piotrowski +# Contributor: Allan McRae # Contributor: Hugo Doria pkgname=libcap -pkgver=2.23 -pkgrel=2 -pkgdesc="POSIX 1003.1e capabilities" -arch=('i686' 'x86_64') -url="http://sites.google.com/site/fullycapable/" -license=('GPL2') -depends=('glibc' 'attr') -options=('!staticlibs') -source=(https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.23.tar.xz - libcap-2.23-header.patch) +pkgver=2.43 +pkgrel=1 +pkgdesc='POSIX 1003.1e capabilities' +arch=(x86_64) +url='https://sites.google.com/site/fullycapable/' +license=(GPL2) +depends=(glibc attr) +makedepends=(linux-api-headers) +provides=(libcap.so) +source=(https://kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-$pkgver.tar.{xz,sign}) +validpgpkeys=(38A644698C69787344E954CE29EE848AE2CCF3F4) # Andrew G. Morgan +sha512sums=('817add571fb2c54ad2a39974e6545b8fc8d855ecdcf2e00b2cc10e583802c49dfea2d8bca484c89ecd574fdacfc46565b51e3064a4407cf1985defb913240d45' + 'SKIP') prepare() { - cd ${srcdir}/${pkgname}-${pkgver} - - # install into /usr/bin + cd $pkgname-$pkgver sed -i "/SBINDIR/s#sbin#bin#" Make.Rules - # fix header path issues - patch -p1 -i $srcdir/libcap-2.23-header.patch - # and fix the build with that patch - sed -i "s#uapi/##" libcap/Makefile + # use our buildflags + sed -i "s/CFLAGS :=/CFLAGS += \$(CPPFLAGS) /" Make.Rules + sed -i "s/LDFLAGS :=/LDFLAGS +=/" Make.Rules } +_makeargs=( + KERNEL_HEADERS=/usr/include + RAISE_SETFCAP=no + SBINDIR=/usr/bin + lib=lib + prefix=/usr +) + build() { - cd ${srcdir}/${pkgname}-${pkgver} - make + make -C $pkgname-$pkgver "${_makeargs[@]}" } package() { - cd ${srcdir}/${pkgname}-${pkgver} - make prefix=/usr lib=/lib DESTDIR=${pkgdir} RAISE_SETFCAP=no install - + cd $pkgname-$pkgver + make DESTDIR="$pkgdir" "${_makeargs[@]}" install + install -Dm644 pam_cap/capability.conf \ - $pkgdir/usr/share/doc/$pkgname/capability.conf.example + "$pkgdir"/usr/share/doc/$pkgname/capability.conf.example } -md5sums=('09a185e4b0aa8a81a51c1e4d0eba7db0' - '945984c4bf5e601c24a7c80f001fb2c6') diff --git a/abs/core/libcap/libcap-2.23-header.patch b/abs/core/libcap/libcap-2.23-header.patch deleted file mode 100644 index 74c45e0..0000000 --- a/abs/core/libcap/libcap-2.23-header.patch +++ /dev/null @@ -1,350 +0,0 @@ -From c3290668646b767058e55b29f7b8f4be4af2e660 Mon Sep 17 00:00:00 2001 -From: Andrew G Morgan -Date: Thu, 02 Jan 2014 01:56:31 +0000 -Subject: Fix up the uapi/linux include scheme. - -In adopting this uapi header file (without kernel internals), I previously -messed up on the apparent location of the files. Thanks to Tom Gundersen for -the clarification. Also, delete the non-uapi copies of things since they -are no longer needed to build the library and tools. - -Signed-off-by: Andrew G Morgan ---- -diff --git a/Make.Rules b/Make.Rules -index 9ca6c89..5b58c59 100644 ---- a/Make.Rules -+++ b/Make.Rules -@@ -45,8 +45,8 @@ MINOR=23 - - # Compilation specifics - --KERNEL_HEADERS := $(topdir)/libcap/include --IPATH += -fPIC -I$(topdir)/libcap/include -I$(KERNEL_HEADERS) -+KERNEL_HEADERS := $(topdir)/libcap/include/uapi -+IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include - - CC := gcc - CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -diff --git a/libcap/include/linux/capability.h b/libcap/include/linux/capability.h -deleted file mode 100644 -index a6ee1f9..0000000 ---- a/libcap/include/linux/capability.h -+++ /dev/null -@@ -1,219 +0,0 @@ --/* -- * This is -- * -- * Andrew G. Morgan -- * Alexander Kjeldaas -- * with help from Aleph1, Roland Buresund and Andrew Main. -- * -- * See here for the libcap library ("POSIX draft" compliance): -- * -- * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ -- */ --#ifndef _LINUX_CAPABILITY_H --#define _LINUX_CAPABILITY_H -- --#include -- -- --#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 --#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 -- --extern int file_caps_enabled; -- --typedef struct kernel_cap_struct { -- __u32 cap[_KERNEL_CAPABILITY_U32S]; --} kernel_cap_t; -- --/* exact same as vfs_cap_data but in cpu endian and always filled completely */ --struct cpu_vfs_cap_data { -- __u32 magic_etc; -- kernel_cap_t permitted; -- kernel_cap_t inheritable; --}; -- --#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) --#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t)) -- -- --struct file; --struct inode; --struct dentry; --struct user_namespace; -- --struct user_namespace *current_user_ns(void); -- --extern const kernel_cap_t __cap_empty_set; --extern const kernel_cap_t __cap_init_eff_set; -- --/* -- * Internal kernel functions only -- */ -- --#define CAP_FOR_EACH_U32(__capi) \ -- for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi) -- --/* -- * CAP_FS_MASK and CAP_NFSD_MASKS: -- * -- * The fs mask is all the privileges that fsuid==0 historically meant. -- * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE. -- * -- * It has never meant setting security.* and trusted.* xattrs. -- * -- * We could also define fsmask as follows: -- * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions -- * 2. The security.* and trusted.* xattrs are fs-related MAC permissions -- */ -- --# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \ -- | CAP_TO_MASK(CAP_MKNOD) \ -- | CAP_TO_MASK(CAP_DAC_OVERRIDE) \ -- | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \ -- | CAP_TO_MASK(CAP_FOWNER) \ -- | CAP_TO_MASK(CAP_FSETID)) -- --# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE)) -- --#if _KERNEL_CAPABILITY_U32S != 2 --# error Fix up hand-coded capability macro initializers --#else /* HAND-CODED capability initializers */ -- --# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) --# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) --# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ -- | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ -- CAP_FS_MASK_B1 } }) --# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ -- | CAP_TO_MASK(CAP_SYS_RESOURCE), \ -- CAP_FS_MASK_B1 } }) -- --#endif /* _KERNEL_CAPABILITY_U32S != 2 */ -- --# define cap_clear(c) do { (c) = __cap_empty_set; } while (0) -- --#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag)) --#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag)) --#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag)) -- --#define CAP_BOP_ALL(c, a, b, OP) \ --do { \ -- unsigned __capi; \ -- CAP_FOR_EACH_U32(__capi) { \ -- c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \ -- } \ --} while (0) -- --#define CAP_UOP_ALL(c, a, OP) \ --do { \ -- unsigned __capi; \ -- CAP_FOR_EACH_U32(__capi) { \ -- c.cap[__capi] = OP a.cap[__capi]; \ -- } \ --} while (0) -- --static inline kernel_cap_t cap_combine(const kernel_cap_t a, -- const kernel_cap_t b) --{ -- kernel_cap_t dest; -- CAP_BOP_ALL(dest, a, b, |); -- return dest; --} -- --static inline kernel_cap_t cap_intersect(const kernel_cap_t a, -- const kernel_cap_t b) --{ -- kernel_cap_t dest; -- CAP_BOP_ALL(dest, a, b, &); -- return dest; --} -- --static inline kernel_cap_t cap_drop(const kernel_cap_t a, -- const kernel_cap_t drop) --{ -- kernel_cap_t dest; -- CAP_BOP_ALL(dest, a, drop, &~); -- return dest; --} -- --static inline kernel_cap_t cap_invert(const kernel_cap_t c) --{ -- kernel_cap_t dest; -- CAP_UOP_ALL(dest, c, ~); -- return dest; --} -- --static inline int cap_isclear(const kernel_cap_t a) --{ -- unsigned __capi; -- CAP_FOR_EACH_U32(__capi) { -- if (a.cap[__capi] != 0) -- return 0; -- } -- return 1; --} -- --/* -- * Check if "a" is a subset of "set". -- * return 1 if ALL of the capabilities in "a" are also in "set" -- * cap_issubset(0101, 1111) will return 1 -- * return 0 if ANY of the capabilities in "a" are not in "set" -- * cap_issubset(1111, 0101) will return 0 -- */ --static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set) --{ -- kernel_cap_t dest; -- dest = cap_drop(a, set); -- return cap_isclear(dest); --} -- --/* Used to decide between falling back on the old suser() or fsuser(). */ -- --static inline int cap_is_fs_cap(int cap) --{ -- const kernel_cap_t __cap_fs_set = CAP_FS_SET; -- return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]); --} -- --static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a) --{ -- const kernel_cap_t __cap_fs_set = CAP_FS_SET; -- return cap_drop(a, __cap_fs_set); --} -- --static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a, -- const kernel_cap_t permitted) --{ -- const kernel_cap_t __cap_fs_set = CAP_FS_SET; -- return cap_combine(a, -- cap_intersect(permitted, __cap_fs_set)); --} -- --static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a) --{ -- const kernel_cap_t __cap_fs_set = CAP_NFSD_SET; -- return cap_drop(a, __cap_fs_set); --} -- --static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a, -- const kernel_cap_t permitted) --{ -- const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET; -- return cap_combine(a, -- cap_intersect(permitted, __cap_nfsd_set)); --} -- --extern bool has_capability(struct task_struct *t, int cap); --extern bool has_ns_capability(struct task_struct *t, -- struct user_namespace *ns, int cap); --extern bool has_capability_noaudit(struct task_struct *t, int cap); --extern bool has_ns_capability_noaudit(struct task_struct *t, -- struct user_namespace *ns, int cap); --extern bool capable(int cap); --extern bool ns_capable(struct user_namespace *ns, int cap); --extern bool inode_capable(const struct inode *inode, int cap); --extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); -- --/* audit system wants to get cap info from files as well */ --extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); -- --#endif /* !_LINUX_CAPABILITY_H */ -diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h -index 56fc7fd..64ac50e 100644 ---- a/libcap/include/sys/capability.h -+++ b/libcap/include/sys/capability.h -@@ -26,7 +26,7 @@ extern "C" { - #ifndef __user - #define __user - #endif --#include -+#include - #include - - /* -diff --git a/libcap/include/linux/prctl.h b/libcap/include/uapi/linux/prctl.h -index a3baeb2..289760f 100644 ---- a/libcap/include/linux/prctl.h -+++ b/libcap/include/uapi/linux/prctl.h -@@ -102,4 +102,51 @@ - - #define PR_MCE_KILL_GET 34 - -+/* -+ * Tune up process memory map specifics. -+ */ -+#define PR_SET_MM 35 -+# define PR_SET_MM_START_CODE 1 -+# define PR_SET_MM_END_CODE 2 -+# define PR_SET_MM_START_DATA 3 -+# define PR_SET_MM_END_DATA 4 -+# define PR_SET_MM_START_STACK 5 -+# define PR_SET_MM_START_BRK 6 -+# define PR_SET_MM_BRK 7 -+# define PR_SET_MM_ARG_START 8 -+# define PR_SET_MM_ARG_END 9 -+# define PR_SET_MM_ENV_START 10 -+# define PR_SET_MM_ENV_END 11 -+# define PR_SET_MM_AUXV 12 -+# define PR_SET_MM_EXE_FILE 13 -+ -+/* -+ * Set specific pid that is allowed to ptrace the current task. -+ * A value of 0 mean "no process". -+ */ -+#define PR_SET_PTRACER 0x59616d61 -+# define PR_SET_PTRACER_ANY ((unsigned long)-1) -+ -+#define PR_SET_CHILD_SUBREAPER 36 -+#define PR_GET_CHILD_SUBREAPER 37 -+ -+/* -+ * If no_new_privs is set, then operations that grant new privileges (i.e. -+ * execve) will either fail or not grant them. This affects suid/sgid, -+ * file capabilities, and LSMs. -+ * -+ * Operations that merely manipulate or drop existing privileges (setresuid, -+ * capset, etc.) will still work. Drop those privileges if you want them gone. -+ * -+ * Changing LSM security domain is considered a new privilege. So, for example, -+ * asking selinux for a specific new context (e.g. with runcon) will result -+ * in execve returning -EPERM. -+ * -+ * See Documentation/prctl/no_new_privs.txt for more details. -+ */ -+#define PR_SET_NO_NEW_PRIVS 38 -+#define PR_GET_NO_NEW_PRIVS 39 -+ -+#define PR_GET_TID_ADDRESS 40 -+ - #endif /* _LINUX_PRCTL_H */ -diff --git a/libcap/include/linux/securebits.h b/libcap/include/uapi/linux/securebits.h -index 3340617..985aac9 100644 ---- a/libcap/include/linux/securebits.h -+++ b/libcap/include/uapi/linux/securebits.h -@@ -1,14 +1,11 @@ --#ifndef _LINUX_SECUREBITS_H --#define _LINUX_SECUREBITS_H 1 -+#ifndef _UAPI_LINUX_SECUREBITS_H -+#define _UAPI_LINUX_SECUREBITS_H - - /* Each securesetting is implemented using two bits. One bit specifies - whether the setting is on or off. The other bit specify whether the - setting is locked or not. A setting which is locked cannot be - changed from user-level. */ - #define issecure_mask(X) (1 << (X)) --#ifdef __KERNEL__ --#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits)) --#endif - - #define SECUREBITS_DEFAULT 0x00000000 - -@@ -51,4 +48,4 @@ - issecure_mask(SECURE_KEEP_CAPS)) - #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) - --#endif /* !_LINUX_SECUREBITS_H */ -+#endif /* _UAPI_LINUX_SECUREBITS_H */ --- -cgit v0.9.2 -- cgit v0.12