SOURCES: support-for-prctl-based-securebits.patch (NEW) 72524c7ff5...
qboosh
qboosh at pld-linux.org
Sat Jan 26 22:12:34 CET 2008
Author: qboosh Date: Sat Jan 26 21:12:34 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
72524c7ff55fdfb9470e2af59f0963b6 http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/support-for-prctl-based-securebits.patch
---- Files affected:
SOURCES:
support-for-prctl-based-securebits.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/support-for-prctl-based-securebits.patch
diff -u /dev/null SOURCES/support-for-prctl-based-securebits.patch:1.1
--- /dev/null Sat Jan 26 22:12:34 2008
+++ SOURCES/support-for-prctl-based-securebits.patch Sat Jan 26 22:12:29 2008
@@ -0,0 +1,104 @@
+This is relative to libcap-2.05.
+
+
+From 51a79648bed2380d3e11be09b0343d734f2f2382 Mon Sep 17 00:00:00 2001
+From: Andrew G. Morgan <morgan at kernel.org>
+Date: Wed, 23 Jan 2008 23:33:34 -0800
+Subject: [PATCH] Speculative support for prctl based securebits.
+
+See corresponding kernel patch (2008/01/23).
+---
+ progs/capsh.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 50 insertions(+), 0 deletions(-)
+
+diff --git a/progs/capsh.c b/progs/capsh.c
+index 278bb17..a8ace77 100644
+--- a/progs/capsh.c
++++ b/progs/capsh.c
+@@ -15,12 +15,15 @@
+ #include <sys/prctl.h>
+ #include <sys/capability.h>
+ #include <unistd.h>
++#include <errno.h>
+
+ /* prctl based API for altering character of current process */
+ #define PR_GET_KEEPCAPS 7
+ #define PR_SET_KEEPCAPS 8
+ #define PR_CAPBSET_READ 23
+ #define PR_CAPBSET_DROP 24
++#define PR_GET_SECUREBITS 25
++#define PR_SET_SECUREBITS 26
+
+ static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
+ static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
+@@ -184,6 +187,28 @@ int main(int argc, char *argv[], char *envp[])
+ fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
+ exit(1);
+ }
++ } else if (!memcmp("--secbits=", argv[i], 10)) {
++ unsigned value;
++ int status;
++
++ value = strtoul(argv[i]+10, NULL, 0);
++ status = prctl(PR_SET_SECUREBITS, value);
++ if (status < 0) {
++ fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
++ value, value);
++ exit(1);
++ }
++ } else if (!memcmp("--uid=", argv[i], 6)) {
++ unsigned value;
++ int status;
++
++ value = strtoul(argv[i]+6, NULL, 0);
++ status = setuid(value);
++ if (status < 0) {
++ fprintf(stderr, "Failed to set uid=%u: %s\n",
++ value, strerror(errno));
++ exit(1);
++ }
+ } else if (!strcmp("--print", argv[i])) {
+ unsigned cap;
+ int set;
+@@ -214,6 +239,29 @@ int main(int argc, char *argv[], char *envp[])
+ sep = ",";
+ }
+ printf("\n");
++ set = prctl(PR_GET_SECUREBITS);
++ if (set >= 0) {
++ printf("Securebits: 0%o/0x%x\n", set, set);
++ printf(" secure-noroot: %s (%s)\n",
++ (set & 1) ? "yes":"no",
++ (set & 2) ? "locked":"unlocked");
++ printf(" secure-no-suid-fixup: %s (%s)\n",
++ (set & 4) ? "yes":"no",
++ (set & 8) ? "locked":"unlocked");
++ printf(" secure-keep-caps: %s (%s)\n",
++ (set & 16) ? "yes":"no",
++ (set & 32) ? "locked":"unlocked");
++ } else {
++ printf("[Securebits ABI not supported]\n");
++ set = prctl(PR_GET_KEEPCAPS);
++ if (set >= 0) {
++ printf(" prctl-keep-caps: %s (locking not supported)\n",
++ set ? "yes":"no");
++ } else {
++ printf("[Keepcaps ABI not supported]\n");
++ }
++ }
++ printf("uid=%u\n", getuid());
+ } else if (!strcmp("--", argv[i])) {
+ argv[i] = strdup("/bin/bash");
+ argv[argc] = NULL;
+@@ -226,6 +274,8 @@ int main(int argc, char *argv[], char *envp[])
+ " --print display capability relevant state\n"
+ " --drop=xxx remove xxx,.. capabilities from bset\n"
+ " --inh=xxx set xxx,.. inheritiable set\n"
++ " --secbits=<n> write a new value for securebits\n"
++ " --uid=<n> set uid to <n> (hint: id <username>)\n"
+ " --chroot=path chroot(2) to this path to invoke bash\n"
+ " -- remaing arguments are for /bin/bash\n"
+ " (without -- [%s] will simply exit(0))\n",
+--
+1.5.3.7
+
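Review bot: In the `@@ -184,6 +187,28 @@` hunk both new handlers call `strtoul(argv[i]+N, NULL, 0)` with no end pointer and no errno check, so a malformed argument such as `--uid=bob` or `--secbits=0x1g` quietly parses as 0 (or as a truncated prefix) and is then passed straight to `setuid()` or `prctl(PR_SET_SECUREBITS, ...)`; for a tool meant to shed privilege, silently ending up in `setuid(0)` is the wrong failure mode. The parsed `unsigned long` is also narrowed into an `unsigned` without a range check, so an out-of-range uid wraps before reaching `setuid()`. I would validate the parse with an end pointer and `errno` before the value is used, rejecting the argument on any leftover text; the rewritten `--uid=` branch below shows the shape, and the `--secbits=` branch should get the same treatment. The enclosing `main()` starts and ends outside the hunk.
```c
} else if (!memcmp("--uid=", argv[i], 6)) {
    char *end;
    unsigned long parsed;
    unsigned value;
    int status;

    errno = 0;
    parsed = strtoul(argv[i]+6, &end, 0);
    if (end == argv[i]+6 || *end != '\0' || errno == ERANGE
        || parsed > UINT_MAX) {
        fprintf(stderr, "Invalid uid [%s]\n", argv[i]+6);
        exit(1);
    }
    value = (unsigned) parsed;
    status = setuid(value);
    /* … unchanged: setuid failure report and exit(1) … */
```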
================================================================