author | Andrew G. Morgan <morgan@kernel.org> | 2020-07-02 21:36:16 -0700 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2020-07-02 22:12:11 -0700 |
commit | 876ac7186ba274c3992e026e4631936de74834ce (patch) | |
tree | 565ec429461d9814198451cc1d1509b432334117 /go | |
parent | a3e844af8976dc7397f272eade1bb609050220eb (diff) | |
Revamp the way we package cap and psx packages.
It has been requested that we make the "libcap/cap" package into
a module that plays better with the golang ecosystem. I was holding
off until there was a golang version that contained the
runtime.AllThreadsSyscall() support, but that appears to not have
made it to 1.15, so I'm using a development build tag dependency
in otherwise static sources for the "libcap/cap" package.
My intention is that the canonical import paths for these packages
will be:
"git.kernel.org/libs/libcap/cap"
"git.kernel.org/libs/libcap/psx"
That being said, I may have to move them if I can't get some
proxy to resolve these paths to the right git repo of kernel.org.
This is work in the direction of addressing:
https://bugzilla.kernel.org/show_bug.cgi?id=207567
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'go')
-rw-r--r-- | go/.gitignore | 1 | ||||
-rw-r--r-- | go/Makefile | 59 | ||||
-rw-r--r-- | go/compare-cap.go | 2 | ||||
-rwxr-xr-x | go/syscalls.sh | 6 | ||||
-rw-r--r-- | go/try-launching.go | 2 | ||||
-rw-r--r-- | go/web.go | 18 |
6 files changed, 48 insertions, 40 deletions
diff --git a/go/.gitignore b/go/.gitignore index 660b12d..322297c 100644 --- a/go/.gitignore +++ b/go/.gitignore @@ -1,3 +1,4 @@ +good-names.go compare-cap try-launching try-launching-cgo diff --git a/go/Makefile b/go/Makefile index 7269716..3bee774 100644 --- a/go/Makefile +++ b/go/Makefile @@ -1,12 +1,20 @@ -# Building the libcap/{cap.psx} Go packages. Note, we use symlinks to -# construct a go friendly src tree. +# Building the libcap/{cap.psx} Go packages, and examples. +# +# Note, we use symlinks to construct a GOPATH friendly src tree. The +# packages themselves are intended to be (ultimately) found via proxy +# as "git.kernel.org/lib/libcap/cap" and +# "git.kernel.org/lib/libcap/psx". However, to validate their use on +# these paths, we fake such a structure in the build tree with +# symlinks. topdir=$(realpath ..) include $(topdir)/Make.Rules GOPATH=$(realpath .) -PSXGOPACKAGE=pkg/$(GOOSARCH)/libcap/psx.a -CAPGOPACKAGE=pkg/$(GOOSARCH)/libcap/cap.a +IMPORTDIR=git.kernel.org/libs/libcap +PKGDIR=pkg/$(GOOSARCH)/$(IMPORTDIR) +PSXGOPACKAGE=$(PKGDIR)/psx.a +CAPGOPACKAGE=$(PKGDIR)/cap.a DEPS=../libcap/libcap.a ../libcap/libpsx.a 
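Review bot: The new header comment in go/Makefile gives the package paths as `git.kernel.org/lib/libcap/cap` and `git.kernel.org/lib/libcap/psx`, but `IMPORTDIR` a few lines below, the commit message and the changed Go imports all use `git.kernel.org/libs/libcap`. An import path copied from the comment would not match the tree this Makefile fakes, and would either fail to resolve or resolve to something other than the intended module. The two comment lines should read `# as "git.kernel.org/libs/libcap/cap" and` and `# "git.kernel.org/libs/libcap/psx". However, to validate their use on`.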
@@ -18,29 +26,27 @@ $(DEPS): ../progs/capsh: make -C ../progs capsh -src/libcap/psx: - mkdir -p src/libcap - ln -s $(topdir)/psx src/libcap/ +src/$(IMPORTDIR)/psx: + mkdir -p src/$(IMPORTDIR) + ln -s $(topdir)/psx src/$(IMPORTDIR) -src/libcap/cap: - mkdir -p src/libcap - ln -s $(topdir)/cap src/libcap/ +src/$(IMPORTDIR)/cap: + mkdir -p src/$(IMPORTDIR) + ln -s $(topdir)/cap src/$(IMPORTDIR) $(topdir)/libcap/cap_names.h: $(DEPS) make -C $(topdir)/libcap all -src/libcap/cap/names.go: $(topdir)/libcap/cap_names.h src/libcap/cap mknames.go +good-names.go: $(topdir)/libcap/cap_names.h src/$(IMPORTDIR)/cap mknames.go go run mknames.go --header=$< | gofmt > $@ || rm -f $@ + diff -u ../cap/names.go $@ -src/libcap/cap/syscalls.go: ./syscalls.sh src/libcap/cap - ./syscalls.sh src/libcap/cap - -$(PSXGOPACKAGE): src/libcap/psx src/libcap/psx/psx.go src/libcap/psx/psx_test.go $(DEPS) +$(PSXGOPACKAGE): src/$(IMPORTDIR)/psx ../psx/*.go $(DEPS) mkdir -p pkg - CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH="$(GOPATH)" go install libcap/psx + CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH="$(GOPATH)" go install $(IMPORTDIR)/psx -$(CAPGOPACKAGE): src/libcap/cap/syscalls.go src/libcap/cap/names.go src/libcap/cap/cap.go src/libcap/cap/text.go $(PSXGOPACKAGE) - CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go install libcap/cap +$(CAPGOPACKAGE): src/$(IMPORTDIR)/cap ../cap/*.go good-names.go $(PSXGOPACKAGE) + CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go install $(IMPORTDIR)/cap # Compiles something with this package to compare it to libcap. This # tests more when run under sudotest (see ../progs/quicktest.sh for that). 
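Review bot: In the `good-names.go` rule, a failing `diff -u ../cap/names.go $@` leaves the freshly written `good-names.go` on disk, so the next `make` run treats the target as up to date and builds `$(CAPGOPACKAGE)` without repeating the comparison. Unless `.DELETE_ON_ERROR:` is set in Make.Rules (not visible here), the check that the committed capability name table matches `cap_names.h` can be bypassed just by re-running the build. Removing the target when the comparison fails closes that gap: `diff -u ../cap/names.go $@ || (rm -f $@ ; exit 1)`. The first recipe line has a related weakness: its `|| rm -f $@` turns a generator failure into a success exit, so only the diff line catches it.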
@@ -48,25 +54,25 @@ compare-cap: compare-cap.go $(CAPGOPACKAGE) CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go build $< web: web.go $(CAPGOPACKAGE) - CGO_ENABLED="$(CGO_REQUIRED)" CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go build $< + CGO_ENABLED="$(CGO_REQUIRED)" CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go build $(GOBUILDTAG) $< ifeq ($(RAISE_GO_FILECAP),yes) make -C ../progs setcap sudo ../progs/setcap cap_setpcap,cap_net_bind_service=p web - @echo "NOTE: RAISED cap_net_bind_service ON web binary" + @echo "NOTE: RAISED cap_setpcap,cap_net_bind_service ON web binary" endif ok: ok.go CGO_ENABLED=0 GOPATH=$(GOPATH) go build $< try-launching: try-launching.go $(CAPGOPACKAGE) ok - CGO_ENABLED="$(CGO_REQUIRED)" CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go build $< + CGO_ENABLED="$(CGO_REQUIRED)" CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go build $(GOBUILDTAG) $< ifeq ($(CGO_REQUIRED),0) CGO_ENABLED="1" CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go build -o $@-cgo $< endif test: all ../progs/capsh - CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH="$(GOPATH)" go test libcap/psx - CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go test libcap/cap + CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH="$(GOPATH)" go test $(IMPORTDIR)/psx + CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go test $(IMPORTDIR)/cap 
LD_LIBRARY_PATH=../libcap ./compare-cap ./try-launching ifeq ($(CGO_REQUIRED),0) @@ -88,10 +94,7 @@ install: all install -m 0644 src/libcap/cap/* $(FAKEROOT)$(GOPKGDIR)/libcap/cap/ clean: - GOPATH=$(GOPATH) go clean -x -i libcap/cap 2> /dev/null || exit 0 - GOPATH=$(GOPATH) go clean -x -i libcap/psx 2> /dev/null || exit 0 - rm -f *.o *.so *~ mknames web ok + rm -f *.o *.so *~ mknames web ok good-names.go rm -f compare-cap try-launching try-launching-cgo - rm -f $(topdir)/cap/*~ $(topdir)/cap/names.go $(topdir)/cap/syscalls*.go - rm -f $(topdir)/psx/*~ + rm -f $(topdir)/cap/*~ $(topdir)/psx/*~ rm -fr pkg src diff --git a/go/compare-cap.go b/go/compare-cap.go index 4e104a1..ad131a2 100644 --- a/go/compare-cap.go +++ b/go/compare-cap.go @@ -8,7 +8,7 @@ import ( "syscall" "unsafe" - "libcap/cap" + "git.kernel.org/libs/libcap/cap" ) // #include <stdlib.h> diff --git a/go/syscalls.sh b/go/syscalls.sh index 9733d97..c707507 100755 --- a/go/syscalls.sh +++ b/go/syscalls.sh @@ -16,8 +16,9 @@ if [ -z "$(go doc syscall 2>/dev/null|grep AllThreadsSyscall)" ]; then package cap import ( - "libcap/psx" "syscall" + + "git.kernel.org/libs/libcap/psx" ) // multisc provides syscalls overridable for testing purposes that @@ -76,8 +77,9 @@ cat > "${dir}/syscalls_cgo.go" <<EOF package cap import ( - "libcap/psx" "syscall" + + "git.kernel.org/libs/libcap/psx" ) // multisc provides syscalls overridable for testing purposes that diff --git a/go/try-launching.go b/go/try-launching.go index 847925b..e795e8b 100644 --- a/go/try-launching.go +++ b/go/try-launching.go @@ -7,7 +7,7 @@ import ( "strings" "syscall" - "libcap/cap" + "git.kernel.org/libs/libcap/cap" ) // tryLaunching attempts to launch a bunch of programs in parallel. It 
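Review bot: `$(GOBUILDTAG)` is added only to the `go build` lines for `web` and `try-launching`, while the `go test` lines for `$(IMPORTDIR)/psx` and `$(IMPORTDIR)/cap` in this hunk, and the `go install` lines earlier in the Makefile, run without it. `GOBUILDTAG` is not defined in the visible hunks (presumably Make.Rules sets it). If it selects the development-build syscall path the commit message describes, `make test` exercises a different variant of the package than the one linked into `web`, which the same rule can then give file capabilities. Consider `go test $(GOBUILDTAG) $(IMPORTDIR)/cap`, or a comment on the `test` rule stating which variant is covered. Separately, `GOPATH=$(GOPATH)` is unquoted on most lines while the psx lines use `GOPATH="$(GOPATH)"`; quoting it everywhere keeps a build directory containing spaces from splitting the command.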
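Review bot: The `install` rule's context line `install -m 0644 src/libcap/cap/* $(FAKEROOT)$(GOPKGDIR)/libcap/cap/` still copies from `src/libcap/cap`, a path this commit stops creating, since the symlinks now live under `src/$(IMPORTDIR)`. The `install` rule begins above this hunk, so its other lines are not visible. As shown, though, the glob matches nothing after a clean build, so `make install` would fail, or would install stale files if an old tree is still present. The source should become `src/$(IMPORTDIR)/cap/*`, with the destination adjusted to whatever layout the packages are meant to be installed under.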
@@ -4,9 +4,9 @@ // // This program cannot work reliably as a pure Go application without // the equivalent of the Go runtime patch that adds a POSIX semantics -// wrapper around the system calls that change kernel state. A patch -// for the pure Go compiler/runtime to add this support is available -// here [2019-12-14]: +// wrapper around the system calls that change per-thread security +// state. A patch for the pure Go compiler/runtime to add this support +// is available here [2019-12-14]: // // https://go-review.googlesource.com/c/go/+/210639/ // @@ -14,11 +14,12 @@ // runtime the only way to get capabilities to work reliably on the Go // runtime is to use something like libpsx via cgo to do capability // setting syscalls in C with POSIX semantics. As of this build of the -// Go "libcap/cap" package, courtesy of the "libcap/psx" package, this -// is how things work. +// Go "git.kernel.org/libs/libcap/cap" package, courtesy of the +// "git.kernel.org/libs/libcap/psx" package, this is how things work. // -// To set this up, compile and empower this binary as follows -// (packages libcap/{cap,psx} should be installed, as must libpsx.a): +// To set this up, compile and empower this binary as follows (read +// over the detail in the psx package description if this doesn't +// 'just' work): // // go build web.go // sudo setcap cap_setpcap,cap_net_bind_service=p web @@ -32,12 +33,13 @@ package main import ( "flag" "fmt" - "libcap/cap" "log" "net" "net/http" "runtime" "syscall" + + "git.kernel.org/libs/libcap/cap" ) var ( |
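Review bot: The build instructions in the header comment still show a bare `go build web.go`, but after the import change to `git.kernel.org/libs/libcap/cap` that command only works where the path resolves, and the commit message says no proxy is confirmed to serve it yet. The file header for these hunks is not in the visible text; judging by the content they belong to go/web.go. I would add a line after the `go build web.go` example such as `// (until the import path is served, build via go/Makefile, which supplies GOPATH and $(GOBUILDTAG))`. That keeps readers from substituting an unverified copy of the package in a binary that is then given `cap_setpcap`.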