1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
From c34b2725817d4fd1fd6878bbb16617cb9e3e3a70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Fri, 22 Jan 2016 16:23:59 +0100
Subject: [PATCH] removing capability enforcement
Signed-off-by: ronan <ronan@iot.bzh>
Change-Id: Idb724192ceab176a611bbed45c0ebc9c8eb5dd30
---
progs/setcap.c | 45 +--------------------------------------------
1 file changed, 1 insertion(+), 44 deletions(-)
diff --git a/progs/setcap.c b/progs/setcap.c
index 7304343..71999b6 100644
--- a/progs/setcap.c
+++ b/progs/setcap.c
@@ -58,11 +58,9 @@ static int read_caps(int quiet, const char *filename, char *buffer)
int main(int argc, char **argv)
{
- int tried_to_cap_setfcap = 0;
char buffer[MAXCAP+1];
int retval, quiet=0, verify=0;
cap_t mycaps;
- cap_value_t capflag;
if (argc < 3) {
usage();
@@ -150,54 +148,13 @@ int main(int argc, char **argv)
printf("%s: OK\n", *argv);
}
} else {
- if (!tried_to_cap_setfcap) {
- capflag = CAP_SETFCAP;
-
- /*
- * Raise the effective CAP_SETFCAP.
- */
- if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET)
- != 0) {
- perror("unable to manipulate CAP_SETFCAP - "
- "try a newer libcap?");
- exit(1);
- }
- if (cap_set_proc(mycaps) != 0) {
- perror("unable to set CAP_SETFCAP effective capability");
- exit(1);
- }
- tried_to_cap_setfcap = 1;
- }
retval = cap_set_file(*++argv, cap_d);
if (retval != 0) {
- int explained = 0;
int oerrno = errno;
-#ifdef linux
- cap_value_t cap;
- cap_flag_value_t per_state;
-
- for (cap = 0;
- cap_get_flag(cap_d, cap, CAP_PERMITTED, &per_state) != -1;
- cap++) {
- cap_flag_value_t inh_state, eff_state;
-
- cap_get_flag(cap_d, cap, CAP_INHERITABLE, &inh_state);
- cap_get_flag(cap_d, cap, CAP_EFFECTIVE, &eff_state);
- if ((inh_state | per_state) != eff_state) {
- fprintf(stderr, "NOTE: Under Linux, effective file capabilities must either be empty, or\n"
- " exactly match the union of selected permitted and inheritable bits.\n");
- explained = 1;
- break;
- }
- }
-#endif /* def linux */
-
fprintf(stderr,
"Failed to set capabilities on file `%s' (%s)\n",
argv[0], strerror(oerrno));
- if (!explained) {
- usage();
- }
+
}
}
if (cap_d) {
--
2.6.6
|
