Red Hat Bugzilla – Attachment 849830 Details for
Bug 771927
RFE: use libcap(3) for portable archiving of file capabilities
[patch]
Patch to support file capabilities
0004-POSIX-CAPs-support.patch (text/plain), 9.46 KB, created by
M. Steinborn
on 2014-01-14 09:45:11 UTC
Description:
Patch to support file capabilities
Filename:
MIME Type:
Creator:
M. Steinborn
Created:
2014-01-14 09:45:11 UTC
Size:
9.46 KB
patch
obsolete
>From e698a164f990ec78ec308a65b87ff6468c90fbd0 Mon Sep 17 00:00:00 2001
>From: Markus Steinborn <gnugv_maintainer@yahoo.de>
>Date: Tue, 17 Dec 2013 15:29:36 +0100
>Subject: [PATCH 4/5] POSIX CAPs support
>
>---
> configure.ac | 33 +++++++++++++++++++++++
> src/Makefile.am | 2 +-
> src/common.h | 3 +++
> src/create.c | 7 ++++-
> src/extract.c | 2 ++
> src/tar.c | 1 +
> src/tar.h | 3 +++
> src/xattrs.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> src/xattrs.h | 4 +++
> src/xheader.c | 18 +++++++++++++
> 10 files changed, 153 insertions(+), 2 deletions(-)
>
>diff --git a/configure.ac b/configure.ac
>index c9d1250..7232a39 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -27,6 +27,8 @@ AM_INIT_AUTOMAKE([1.11 gnits tar-ustar dist-bzip2 dist-xz dist-shar std-options
> # Enable silent rules by default:
> AM_SILENT_RULES([yes])
>
>+AC_SUBST(CAP_LIBS)
>+
> AC_PROG_CC
> AC_EXEEXT
> AC_PROG_RANLIB
>@@ -91,6 +93,37 @@ else
> export enable_acl=no
> fi
>
>+AC_MSG_CHECKING(whether to support FCAPs)
>+AC_ARG_WITH(fcaps-support,
>+[ --with-fcaps-support Include File capability support (default=no)],
>+[ case "$withval" in
>+ yes)
>+ AC_CHECK_LIB(cap,cap_get_file,[CAPS_LIBS="$CAP_LIBS -lcap"])
>+ AC_CACHE_CHECK([for fcap support],tar_cv_HAVE_POSIX_CAPS,[
>+ caps_LIBS=$LIBS
>+ LIBS="$LIBS -lcap"
>+ AC_TRY_LINK([#include <sys/capability.h>],
>+[ char *p; cap_get_file(p);],
>+tar_cv_HAVE_POSIX_CAPS=yes,tar_cv_HAVE_POSIX_CAPS=no)
>+ LIBS=$caps_LIBS])
>+ if test x"$tar_cv_HAVE_POSIX_CAPS" = x"yes"; then
>+ AC_MSG_RESULT(Using posix file capabilities)
>+ AC_DEFINE(HAVE_POSIX_CAPS,1,[Whether POSIX FCAPS are available])
>+ CAP_LIBS="-lcap"
>+ else
>+ AC_MSG_ERROR(You need LIBCAP libraries installed.)
>+ fi
>+ ;;
>+ *)
>+ AC_MSG_RESULT(no)
>+ AC_DEFINE(HAVE_NO_CAPS,1,[Whether no CAPs support is available])
>+ ;;
>+ esac ],
>+ AC_DEFINE(HAVE_NO_CAPS,1,[Whether no CAPs support should be built in])
>+ AC_MSG_RESULT(no)
>+)
>+
>+
> AC_TYPE_SIGNAL
> AC_TYPE_MODE_T
> AC_TYPE_PID_T
>diff --git a/src/Makefile.am b/src/Makefile.am
>index 07c117d..2ee210b 100644
>--- a/src/Makefile.am
>+++ b/src/Makefile.am
>@@ -50,4 +50,4 @@ AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
>
> LDADD = ../lib/libtar.a ../gnu/libgnu.a $(LIBINTL) $(LIBICONV)
>
>-tar_LDADD = $(LIBS) $(LDADD) $(LIB_CLOCK_GETTIME) $(LIB_EACCESS) $(LIB_SELINUX)
>+tar_LDADD = $(LIBS) $(LDADD) $(LIB_CLOCK_GETTIME) $(LIB_EACCESS) $(LIB_SELINUX) $(CAP_LIBS)
>diff --git a/src/common.h b/src/common.h
>index 42fd539..11d69f8 100644
>--- a/src/common.h
>+++ b/src/common.h
>@@ -263,6 +263,9 @@ GLOBAL int selinux_context_option;
> /* If positive, save the ACLs. */
> GLOBAL int acls_option;
>
>+/* If positive, save the CAPs. */
>+GLOBAL int caps_option;
>+
> /* If positive, save the user and root xattrs. */
> GLOBAL int xattrs_option;
>
>diff --git a/src/create.c b/src/create.c
>index 802652c..6be3225 100644
>--- a/src/create.c
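Review bot: The AC_CHECK_LIB action in the `yes)` branch assigns `CAPS_LIBS="$CAP_LIBS -lcap"`, a different variable from the `CAP_LIBS` that AC_SUBST exports and that the later `CAP_LIBS="-lcap"` line sets, so that assignment is dead and the check's outcome is never consulted. Since the AC_CACHE_CHECK link test right below already decides availability, either drop the AC_CHECK_LIB line or correct it to `AC_CHECK_LIB(cap,cap_get_file,[CAP_LIBS="$CAP_LIBS -lcap"])`. Nothing in this patch tests `HAVE_NO_CAPS` (xattrs.c keys only on `HAVE_POSIX_CAPS`), so the two AC_DEFINE(HAVE_NO_CAPS,...) calls appear redundant. The help text would also be more robust as `AS_HELP_STRING([--with-fcaps-support], [Include File capability support (default=no)])` so the column layout is generated rather than hand-padded.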
>+++ b/src/create.c
>@@ -950,7 +950,10 @@ start_header (struct tar_stat_info *st)
>
> while (scan_xattr < st->xattr_map_size)
> {
>- xheader_store (xattr_map[scan_xattr].xkey, st, &scan_xattr);
>+ if (!strcmp(xattr_map[scan_xattr].xkey, "SCHILY.xattr.security.capability"))
>+ xheader_store ("STEINBORN.capability", st, &scan_xattr);
>+ else
>+ xheader_store (xattr_map[scan_xattr].xkey, st, &scan_xattr);
> ++scan_xattr;
> }
> }
>@@ -1734,6 +1737,8 @@ dump_file0 (struct tar_stat_info *st, char const *name, char const *p)
> xattrs_acls_get (parentfd, name, st, 0, !is_dir);
> xattrs_selinux_get (parentfd, name, st, fd);
> xattrs_xattrs_get (parentfd, name, st, fd);
>+ if (S_ISREG (st->stat.st_mode))
>+ xattrs_cap_get (parentfd, name, st, fd);
>
> if (is_dir)
> {
>diff --git a/src/extract.c b/src/extract.c
>index 9b6b7f9..46f0673 100644
>--- a/src/extract.c
>+++ b/src/extract.c
>@@ -391,6 +391,8 @@ set_stat (char const *file_name,
> xattrs_xattrs_set (st, file_name, typeflag, 1);
> xattrs_acls_set (st, file_name, typeflag);
> xattrs_selinux_set (st, file_name, typeflag);
>+ if (typeflag == AREGTYPE || typeflag == REGTYPE || typeflag == CONTTYPE)
>+ xattrs_cap_set (st, file_name, typeflag);
> }
>
> /* For each entry H in the leading prefix of entries in HEAD that do
>diff --git a/src/tar.c b/src/tar.c
>index b8e5b3c..ae4f613 100644
>--- a/src/tar.c
>+++ b/src/tar.c
>@@ -2771,6 +2771,7 @@ tar_stat_destroy (struct tar_stat_info *st)
> free (st->cntx_name);
> free (st->acls_a_ptr);
> free (st->acls_d_ptr);
>+ free (st->cap_ptr);
> free (st->sparse_map);
> free (st->dumpdir);
> xheader_destroy (&st->xhdr);
>diff --git a/src/tar.h b/src/tar.h
>index 70055af..5513e5d 100644
>--- a/src/tar.h
>+++ b/src/tar.h
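Review bot: The re-keying of `SCHILY.xattr.security.capability` to `STEINBORN.capability` in start_header is unconditional, but `st->cap_ptr` is only filled by xattrs_cap_get when `caps_option > 0` and `HAVE_POSIX_CAPS` is defined (xattrs.c hunk), so an archive created with `--xattrs` but without the capability option now routes the capability through steinborn_caps_coder with a NULL `cap_ptr` and `cap_len` 0 — at best an empty record in place of the binary value the generic xattr path used to store, which silently drops the file capability. Guarding the substitution on the same condition keeps the previous behaviour for that case: `if (caps_option > 0 && st->cap_ptr && !strcmp (xattr_map[scan_xattr].xkey, "SCHILY.xattr.security.capability"))`. The enclosing while loop begins before the hunk and start_header continues beyond it.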
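Review bot: The new xattrs_cap_set call in set_stat carries no comment on why its position matters: the Linux kernel clears `security.capability` when a file's ownership changes, so the restore must run after any chown set_stat performs (not visible in the hunk, but the placement next to the existing xattrs_*_set calls suggests that is the intent). Suggest a comment on the added lines, e.g. `/* Must run after ownership is set: the kernel drops security.capability on chown. */`. The typeflag gate mirrors the `S_ISREG` check on the create side; since xattrs_cap_set already returns when `st->cap_ptr` is NULL, the gate is a shortcut rather than a correctness requirement, which is worth stating in the same comment.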
>@@ -305,6 +305,9 @@ struct tar_stat_info
> char *acls_d_ptr; /* Default ACLs for the current archive entry. */
> size_t acls_d_len; /* Default ACLs for the current archive entry. */
>
>+ char *cap_ptr; /* Capability for the current archive entry. */
>+ size_t cap_len; /* Capability for the current archive entry. */
>+
> struct stat stat; /* regular filesystem stat */
>
> /* STAT doesn't always have access, data modification, and status
>diff --git a/src/xattrs.c b/src/xattrs.c
>index f5155aa..ba47062 100644
>--- a/src/xattrs.c
>+++ b/src/xattrs.c
>@@ -30,6 +30,10 @@
> #include "xattr-at.h"
> #include "selinux-at.h"
>
>+#ifdef HAVE_POSIX_CAPS
>+# include <sys/capability.h>
>+#endif
>+
> struct xattrs_mask_map
> {
> const char **masks;
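Review bot: The comments on `cap_ptr` and `cap_len` copy the ACL wording and do not say what the buffer holds, yet xattrs_cap_set (xattrs.c hunk) relies on it being either the text produced by `cap_to_text` or, when it contains non-printable bytes, the raw `security.capability` xattr value decoded from an older `SCHILY.xattr.security.capability` record. Suggest `char *cap_ptr; /* File capability of the current entry: cap_to_text() form, or the raw security.capability xattr from a SCHILY.xattr record; NULL if none. */` and `size_t cap_len; /* Length of cap_ptr, not counting the NUL terminator. */`, matching how xattrs_cap_get (strlen) and steinborn_caps_decoder (size) fill it.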
>@@ -820,6 +824,84 @@ xattrs_acls_set (struct tar_stat_info const *st,
> }
> }
>
>+void
>+xattrs_cap_get (int parentfd, char const *file_name,
>+ struct tar_stat_info *st, int fd)
>+{
>+ if (caps_option > 0)
>+ {
>+#ifndef HAVE_POSIX_CAPS
>+ static int done = 0;
>+ if (!done)
>+ WARN ((0, 0, _("POSIX CAPS support is not available")));
>+ done = 1;
>+#else
>+ cap_t caps;
>+ caps = cap_get_file(file_name);
>+ char* result = cap_to_text(caps, 0);
>+ st->cap_ptr = xstrdup(result);
>+ st->cap_len = strlen(st->cap_ptr);
>+ cap_free(result);
>+ cap_free(caps);
>+#endif
>+ }
>+}
>+
>+void
>+xattrs_cap_set (struct tar_stat_info const *st,
>+ char const *file_name, char typeflag)
>+{
>+ if (caps_option > 0 && st->cap_ptr)
>+ {
>+#ifndef HAVE_POSIX_CAPS
>+ static int done = 0;
>+ if (!done)
>+ WARN ((0, 0, _("POSIX CAPS support is not available")));
>+ done = 1;
>+#else
>+ cap_t caps;
>+ int unprintable = 0;
>+ unsigned char *tmpPtr = st->cap_ptr;
>+
>+ while (*tmpPtr && !unprintable)
>+ {
>+ if (*tmpPtr < 32 || *tmpPtr > 127)
>+ {
>+ unprintable = 1;
>+ break;
>+ }
>+ tmpPtr++;
>+ }
>+
>+ if (unprintable)
>+ {
>+ WARN ((0,0, _("Reconstructing Capabilities for %s"), file_name));
>+ int ret = lsetxattr(file_name, "security.capability", st->cap_ptr, st->cap_len, 0);
>+ if (ret)
>+ {
>+ WARN ((0,0, _("Cannot set security.capability for %s"), file_name));
>+ return;
>+ }
>+ caps = cap_get_file(file_name);
>+ }
>+ else
>+ caps = cap_from_text(st->cap_ptr);
>+ if (!caps)
>+ {
>+ WARN ((0,0, _("Cannot parse Capabilities for %s"), file_name));
>+ return;
>+ }
>+
>+ int ret = cap_set_file(file_name, caps);
>+
>+ if (ret)
>+ ;//TODO
>+
>+ cap_free(caps);
>+#endif
>+ }
>+}
>+
> static void
> mask_map_realloc (struct xattrs_mask_map *map)
> {
>diff --git a/src/xattrs.h b/src/xattrs.h
>index fc73c55..e2c17d0 100644
>--- a/src/xattrs.h
>+++ b/src/xattrs.h
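Review bot: In xattrs_cap_get the result of `cap_get_file(file_name)` is used unchecked: libcap returns NULL when the file carries no capability (errno ENODATA), `cap_to_text(NULL, 0)` then returns NULL as well, and `xstrdup(NULL)` dereferences it, so archiving any ordinary regular file with the capability option enabled would crash. The `parentfd` and `fd` parameters are unused while the sibling getters resolve `file_name` relative to `parentfd`; `cap_get_file` resolves it against the working directory instead, so `cap_get_fd (fd)` should be preferred whenever the caller passed an open descriptor. In xattrs_cap_set the return of `cap_set_file` is discarded (`if (ret) ;//TODO`), so a failed restore — which requires CAP_SETFCAP — goes unreported; at minimum `if (ret) WARN ((0, errno, _("Cannot set Capabilities for %s"), file_name));`. Also `unsigned char *tmpPtr = st->cap_ptr;` drops the const of the `struct tar_stat_info const *st` parameter and changes signedness, which the `$(WERROR_CFLAGS)` build in Makefile.am may reject; `unsigned char const *tmpPtr = (unsigned char const *) st->cap_ptr;` fixes both.
```c
xattrs_cap_get (int parentfd, char const *file_name,
                struct tar_stat_info *st, int fd)
{
  if (caps_option > 0)
    {
      /* … unchanged: #ifndef HAVE_POSIX_CAPS warning branch … */
#else
      /* dump_file0 passes an open fd for regular files; fall back to the path only without one. */
      cap_t caps = fd >= 0 ? cap_get_fd (fd) : cap_get_file (file_name);
      if (!caps)
        {
          /* ENODATA simply means the file has no capability set. */
          if (errno != ENODATA)
            WARN ((0, errno, _("Cannot read Capabilities for %s"), file_name));
          return;
        }
      char *result = cap_to_text (caps, 0);
      if (result)
        {
          st->cap_ptr = xstrdup (result);
          st->cap_len = strlen (st->cap_ptr);
          cap_free (result);
        }
      cap_free (caps);
#endif
```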
>@@ -47,4 +47,8 @@ extern void xattrs_xattrs_set (struct tar_stat_info const *st,
> extern void xattrs_print_char (struct tar_stat_info const *st, char *output);
> extern void xattrs_print (struct tar_stat_info const *st);
>
>+extern void xattrs_cap_get (int parentfd, char const *file_name,
>+ struct tar_stat_info *st, int fd);
>+extern void xattrs_cap_set (struct tar_stat_info const *st,
>+ char const *file_name, char typeflag);
> #endif /* GUARD_XATTTRS_H */
>diff --git a/src/xheader.c b/src/xheader.c
>index f9eec91..c5f580a 100644
>--- a/src/xheader.c
>+++ b/src/xheader.c
>@@ -1636,6 +1636,21 @@ xattr_acls_d_decoder (struct tar_stat_info *st,
> }
>
> static void
>+steinborn_caps_coder (struct tar_stat_info const *st , char const *keyword,
>+ struct xheader *xhdr, void const *data)
>+{
>+ xheader_print_n (xhdr, keyword, st->cap_ptr, st->cap_len);
>+}
>+
>+static void
>+steinborn_caps_decoder (struct tar_stat_info *st,
>+ char const *keyword, char const *arg, size_t size)
>+{
>+ st->cap_ptr = xmemdup (arg, size + 1);
>+ st->cap_len = size;
>+}
>+
>+static void
> xattr_coder (struct tar_stat_info const *st, char const *keyword,
> struct xheader *xhdr, void const *data)
> {
>@@ -1780,6 +1795,7 @@ struct xhdr_tab const xhdr_tab[] = {
> they are restored *only once* during extraction later on. */
>
> /* xattrs use the star format. note we only save some variants... */
>+ { "SCHILY.xattr.security.capability", dummy_coder, steinborn_caps_decoder, 0, false },
> { "SCHILY.xattr.user", xattr_coder, xattr_decoder, 0, true },
> { "SCHILY.xattr.security", xattr_coder, xattr_decoder, 0, true },
> { "SCHILY.xattr.trusted", xattr_coder, xattr_decoder, 0, true },
>@@ -1789,5 +1805,7 @@ struct xhdr_tab const xhdr_tab[] = {
> /* ignore everything else in the xattr namespaces... */
> { "SCHILY.xattr", dummy_coder, dummy_decoder, 0, true },
>
>+ { "STEINBORN.capability", steinborn_caps_coder, steinborn_caps_decoder, false, false },
>+
> { NULL, NULL, NULL, 0, false }
> };
>--
>1.8.4
>
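Review bot: steinborn_caps_decoder overwrites `st->cap_ptr` without releasing a previous value, so an entry that carries both a `SCHILY.xattr.security.capability` and a `STEINBORN.capability` record (both now route to this decoder) leaks the first copy; `free (st->cap_ptr);` before the `xmemdup` avoids it. The new `SCHILY.xattr.security.capability` row is placed ahead of the `SCHILY.xattr.security` prefix row, and if table lookup is first-match — as the catch-all `SCHILY.xattr` row sitting after the specific ones suggests — that order is what keeps the prefix row from claiming it, so it deserves a comment on the added line: `/* Exact match; must precede the SCHILY.xattr.security prefix row below. */`. The `STEINBORN.capability` row passes `false` in the slot where every other row passes `0`; use `0` for consistency.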