Attachment 849830 Details for Bug 771927 – Patch to support file capabilities

[patch] Patch to support file capabilities

0004-POSIX-CAPs-support.patch (text/plain), 9.46 KB, created by M. Steinborn on 2014-01-14 09:45:11 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: M. Steinborn

Created: 2014-01-14 09:45:11 UTC

Size: 9.46 KB

patch

obsolete

>From e698a164f990ec78ec308a65b87ff6468c90fbd0 Mon Sep 17 00:00:00 2001
>From: Markus Steinborn <gnugv_maintainer@yahoo.de>
>Date: Tue, 17 Dec 2013 15:29:36 +0100
>Subject: [PATCH 4/5] POSIX CAPs support
>
>---
> configure.ac    | 33 +++++++++++++++++++++++
> src/Makefile.am |  2 +-
> src/common.h    |  3 +++
> src/create.c    |  7 ++++-
> src/extract.c   |  2 ++
> src/tar.c       |  1 +
> src/tar.h       |  3 +++
> src/xattrs.c    | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> src/xattrs.h    |  4 +++
> src/xheader.c   | 18 +++++++++++++
> 10 files changed, 153 insertions(+), 2 deletions(-)
>
>diff --git a/configure.ac b/configure.ac
>index c9d1250..7232a39 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -27,6 +27,8 @@ AM_INIT_AUTOMAKE([1.11 gnits tar-ustar dist-bzip2 dist-xz dist-shar std-options
> # Enable silent rules by default:
> AM_SILENT_RULES([yes])
> 
>+AC_SUBST(CAP_LIBS)
>+
> AC_PROG_CC
> AC_EXEEXT
> AC_PROG_RANLIB
>@@ -91,6 +93,37 @@ else
>   export enable_acl=no
> fi
> 
>+AC_MSG_CHECKING(whether to support FCAPs)
>+AC_ARG_WITH(fcaps-support,
>+[  --with-fcaps-support      Include File capability support (default=no)],
>+[ case "$withval" in
>+  yes)
>+    AC_CHECK_LIB(cap,cap_get_file,[CAPS_LIBS="$CAP_LIBS -lcap"])
>+    AC_CACHE_CHECK([for fcap support],tar_cv_HAVE_POSIX_CAPS,[
>+    caps_LIBS=$LIBS
>+    LIBS="$LIBS -lcap"
>+    AC_TRY_LINK([#include <sys/capability.h>],
>+[ char *p; cap_get_file(p);],
>+tar_cv_HAVE_POSIX_CAPS=yes,tar_cv_HAVE_POSIX_CAPS=no)
>+    LIBS=$caps_LIBS])
>+    if test x"$tar_cv_HAVE_POSIX_CAPS" = x"yes"; then
>+		AC_MSG_RESULT(Using posix file capabilities)
>+		AC_DEFINE(HAVE_POSIX_CAPS,1,[Whether POSIX FCAPS are available])
>+                CAP_LIBS="-lcap"
>+    else
>+                AC_MSG_ERROR(You need LIBCAP libraries installed.)
>+    fi
>+    ;;
>+  *)
>+    AC_MSG_RESULT(no)
>+    AC_DEFINE(HAVE_NO_CAPS,1,[Whether no CAPs support is available])
>+    ;;
>+  esac ],
>+  AC_DEFINE(HAVE_NO_CAPS,1,[Whether no CAPs support should be built in])
>+  AC_MSG_RESULT(no)
>+)
>+
>+
> AC_TYPE_SIGNAL
> AC_TYPE_MODE_T
> AC_TYPE_PID_T
>diff --git a/src/Makefile.am b/src/Makefile.am
>index 07c117d..2ee210b 100644
>--- a/src/Makefile.am
>+++ b/src/Makefile.am
>@@ -50,4 +50,4 @@ AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
> 
> LDADD = ../lib/libtar.a ../gnu/libgnu.a $(LIBINTL) $(LIBICONV)
> 
>-tar_LDADD = $(LIBS) $(LDADD) $(LIB_CLOCK_GETTIME) $(LIB_EACCESS) $(LIB_SELINUX)
>+tar_LDADD = $(LIBS) $(LDADD) $(LIB_CLOCK_GETTIME) $(LIB_EACCESS) $(LIB_SELINUX) $(CAP_LIBS)
>diff --git a/src/common.h b/src/common.h
>index 42fd539..11d69f8 100644
>--- a/src/common.h
>+++ b/src/common.h
>@@ -263,6 +263,9 @@ GLOBAL int selinux_context_option;
> /* If positive, save the ACLs.  */
> GLOBAL int acls_option;
> 
>+/* If positive, save the CAPs.  */
>+GLOBAL int caps_option;
>+
> /* If positive, save the user and root xattrs.  */
> GLOBAL int xattrs_option;
> 
>diff --git a/src/create.c b/src/create.c
>index 802652c..6be3225 100644
>--- a/src/create.c
>+++ b/src/create.c
>@@ -950,7 +950,10 @@ start_header (struct tar_stat_info *st)
> 
>           while (scan_xattr < st->xattr_map_size)
>             {
>-              xheader_store (xattr_map[scan_xattr].xkey, st, &scan_xattr);
>+	      if (!strcmp(xattr_map[scan_xattr].xkey, "SCHILY.xattr.security.capability"))
>+	         xheader_store ("STEINBORN.capability", st, &scan_xattr);
>+	      else
>+                 xheader_store (xattr_map[scan_xattr].xkey, st, &scan_xattr);
>               ++scan_xattr;
>             }
>         }
>@@ -1734,6 +1737,8 @@ dump_file0 (struct tar_stat_info *st, char const *name, char const *p)
>       xattrs_acls_get (parentfd, name, st, 0, !is_dir);
>       xattrs_selinux_get (parentfd, name, st, fd);
>       xattrs_xattrs_get (parentfd, name, st, fd);
>+      if (S_ISREG (st->stat.st_mode))
>+          xattrs_cap_get (parentfd, name, st, fd);
> 
>       if (is_dir)
> 	{
>diff --git a/src/extract.c b/src/extract.c
>index 9b6b7f9..46f0673 100644
>--- a/src/extract.c
>+++ b/src/extract.c
>@@ -391,6 +391,8 @@ set_stat (char const *file_name,
>   xattrs_xattrs_set (st, file_name, typeflag, 1);
>   xattrs_acls_set (st, file_name, typeflag);
>   xattrs_selinux_set (st, file_name, typeflag);
>+  if (typeflag == AREGTYPE || typeflag == REGTYPE || typeflag == CONTTYPE)
>+     xattrs_cap_set (st, file_name, typeflag);
> }
> 
> /* For each entry H in the leading prefix of entries in HEAD that do
>diff --git a/src/tar.c b/src/tar.c
>index b8e5b3c..ae4f613 100644
>--- a/src/tar.c
>+++ b/src/tar.c
>@@ -2771,6 +2771,7 @@ tar_stat_destroy (struct tar_stat_info *st)
>   free (st->cntx_name);
>   free (st->acls_a_ptr);
>   free (st->acls_d_ptr);
>+  free (st->cap_ptr);
>   free (st->sparse_map);
>   free (st->dumpdir);
>   xheader_destroy (&st->xhdr);
>diff --git a/src/tar.h b/src/tar.h
>index 70055af..5513e5d 100644
>--- a/src/tar.h
>+++ b/src/tar.h
>@@ -305,6 +305,9 @@ struct tar_stat_info
>   char *acls_d_ptr;         /* Default ACLs for the current archive entry. */
>   size_t acls_d_len;        /* Default ACLs for the current archive entry. */
> 
>+  char *cap_ptr;            /* Capability for the current archive entry. */
>+  size_t cap_len;           /* Capability for the current archive entry. */
>+
>   struct stat   stat;       /* regular filesystem stat */
> 
>   /* STAT doesn't always have access, data modification, and status
>diff --git a/src/xattrs.c b/src/xattrs.c
>index f5155aa..ba47062 100644
>--- a/src/xattrs.c
>+++ b/src/xattrs.c
>@@ -30,6 +30,10 @@
> #include "xattr-at.h"
> #include "selinux-at.h"
> 
>+#ifdef HAVE_POSIX_CAPS
>+# include <sys/capability.h>
>+#endif
>+
> struct xattrs_mask_map
> {
>   const char **masks;
>@@ -820,6 +824,84 @@ xattrs_acls_set (struct tar_stat_info const *st,
>     }
> }
> 
>+void
>+xattrs_cap_get (int parentfd, char const *file_name,
>+                 struct tar_stat_info *st, int fd)
>+{
>+  if (caps_option > 0)
>+    {
>+#ifndef HAVE_POSIX_CAPS
>+      static int done = 0;
>+      if (!done)
>+        WARN ((0, 0, _("POSIX CAPS support is not available")));
>+      done = 1;
>+#else
>+        cap_t caps;
>+	caps = cap_get_file(file_name);
>+	char* result = cap_to_text(caps, 0);
>+        st->cap_ptr = xstrdup(result);
>+        st->cap_len = strlen(st->cap_ptr);
>+	cap_free(result);
>+	cap_free(caps);
>+#endif
>+    }
>+}
>+
>+void
>+xattrs_cap_set (struct tar_stat_info const *st,
>+                 char const *file_name, char typeflag)
>+{
>+  if (caps_option > 0 && st->cap_ptr)
>+    {
>+#ifndef HAVE_POSIX_CAPS
>+      static int done = 0;
>+      if (!done)
>+        WARN ((0, 0, _("POSIX CAPS support is not available")));
>+      done = 1;
>+#else
>+        	cap_t caps;
>+		int unprintable = 0;
>+		unsigned char *tmpPtr = st->cap_ptr;
>+		
>+		while (*tmpPtr && !unprintable)
>+		{
>+		   if (*tmpPtr < 32 || *tmpPtr > 127)
>+		   {
>+		      unprintable = 1;
>+		      break;
>+		   }
>+		   tmpPtr++;
>+		}
>+		
>+		if (unprintable)
>+		{
>+		   WARN ((0,0, _("Reconstructing Capabilities for %s"), file_name));
>+        	   int ret = lsetxattr(file_name, "security.capability", st->cap_ptr, st->cap_len, 0);
>+		   if (ret)
>+		   {
>+		      WARN ((0,0, _("Cannot set security.capability for %s"), file_name));
>+		      return;
>+		   }
>+		   caps = cap_get_file(file_name);
>+		}
>+		else
>+        	   caps = cap_from_text(st->cap_ptr);
>+		if (!caps)
>+		{
>+		   WARN ((0,0, _("Cannot parse Capabilities for %s"), file_name));
>+		   return;
>+		}
>+
>+		int ret =  cap_set_file(file_name, caps);
>+
>+		if (ret)
>+		   ;//TODO
>+
>+		cap_free(caps);
>+#endif
>+    }
>+}
>+
> static void
> mask_map_realloc (struct xattrs_mask_map *map)
> {
>diff --git a/src/xattrs.h b/src/xattrs.h
>index fc73c55..e2c17d0 100644
>--- a/src/xattrs.h
>+++ b/src/xattrs.h
>@@ -47,4 +47,8 @@ extern void xattrs_xattrs_set (struct tar_stat_info const *st,
> extern void xattrs_print_char (struct tar_stat_info const *st, char *output);
> extern void xattrs_print (struct tar_stat_info const *st);
> 
>+extern void xattrs_cap_get (int parentfd, char const *file_name,
>+                             struct tar_stat_info *st, int fd);
>+extern void xattrs_cap_set (struct tar_stat_info const *st,
>+                             char const *file_name, char typeflag);
> #endif /* GUARD_XATTTRS_H */
>diff --git a/src/xheader.c b/src/xheader.c
>index f9eec91..c5f580a 100644
>--- a/src/xheader.c
>+++ b/src/xheader.c
>@@ -1636,6 +1636,21 @@ xattr_acls_d_decoder (struct tar_stat_info *st,
> }
> 
> static void
>+steinborn_caps_coder (struct tar_stat_info const *st , char const *keyword,
>+                    struct xheader *xhdr, void const *data)
>+{
>+  xheader_print_n (xhdr, keyword, st->cap_ptr, st->cap_len);
>+}
>+
>+static void
>+steinborn_caps_decoder (struct tar_stat_info *st,
>+                      char const *keyword, char const *arg, size_t size)
>+{
>+  st->cap_ptr = xmemdup (arg, size + 1);
>+  st->cap_len = size;
>+}
>+
>+static void
> xattr_coder (struct tar_stat_info const *st, char const *keyword,
>              struct xheader *xhdr, void const *data)
> {
>@@ -1780,6 +1795,7 @@ struct xhdr_tab const xhdr_tab[] = {
>      they are restored *only once* during extraction later on. */
> 
>   /* xattrs use the star format.  note we only save some variants... */
>+  { "SCHILY.xattr.security.capability",    dummy_coder, steinborn_caps_decoder, 0, false },
>   { "SCHILY.xattr.user",    xattr_coder, xattr_decoder, 0, true },
>   { "SCHILY.xattr.security",    xattr_coder, xattr_decoder, 0, true },
>   { "SCHILY.xattr.trusted", xattr_coder, xattr_decoder, 0, true },
>@@ -1789,5 +1805,7 @@ struct xhdr_tab const xhdr_tab[] = {
>   /* ignore everything else in the xattr namespaces... */
>   { "SCHILY.xattr",         dummy_coder, dummy_decoder, 0, true },
> 
>+  { "STEINBORN.capability", steinborn_caps_coder, steinborn_caps_decoder, false, false },
>+
>   { NULL, NULL, NULL, 0, false }
> };
>-- 
>1.8.4
>

Actions: View | Diff

Attachments on bug 771927: 849830 | 1164880