| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
| |
Apparently some folk like to supply these defines on the compiler
command line. Protect these defines with some more macrology.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
|
| |
Daniel Gröber discovered that pam_cap did not handle PAM_REINITIALIZE_CRED,
which eg: sudo passes.
Signed-off-by: Christian Kastner <ckk@kvr.at>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
| |
Delete a lot of redundant code now libcap supports an IAB abstraction.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Since we now have a serialized (linker trick) to initialize libcap
we can reliably compute the number of capabilities of the running
kernel in a race free way. Export the found number of capabilities
with the cap_max_bits() function. This is also what we now use in
both C and Go to define [all]=[eip]. In Go the equivalent function
is cap.MaxBits().
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
|
| |
We're not using it, but it seems like a small price to
pay for having targets I'm not building regularly
continue to build.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rewrote the pam_cap config file parsing to support:
- @group syntax for identifying groups of users
- ^cap_foo support for raising both inheritable and ambient caps
- !cap_bar support for dropping bounding capabilities
Updated documentation for pre-existing libcap's ambient support.
This pam_cap feature upgrade was done in collaboration with
Knut Omang and Christoph Lameter.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since Linux kernel supported threads are not POSIX threads
and the glibc pthread library only supports POSIX semantics
for 9 system calls, to fully support the POSIX semantics for
a process sharing its security state across all of its
threads, we've created libpsx.
This commit also includes a threading test in tests/ for
this new psx_syscall() abstraction - one that transparently
mirrors calling POSIX-needing semantics syscalls over
all running threads.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
| |
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
instead, prepend it when actually using them.
This makes the variables more useful for specifying on the make invocation,
as you don't have to repeat your FAKEROOT/DESTDIR for every variable you
want to set. Just like you can set 'lib' without specifying lib_prefix.
compare:
make DESTDIR="${somevar}" prefix=/usr/local LIBDIR="${somevar}"/usr/local/lib96 MANDIR="${somevar}"/usr/share/man
to:
make DESTDIR="${somevar}" prefix=/usr/local LIBDIR=/usr/local/lib96 MANDIR=/usr/share/man
Signed-off-by: Andrew G Morgan <morgan@kernel.org>
|
|
|
|
|
|
| |
Cc: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
Signed-off-by: Andrew G Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For my conveneince, default to installing an inheritable
file capability on setcap when installed. This requires the
process inherit a capability for it to take effect, but that's
what pam_cap is for...
You can disable this install feature with:
make RAISE_SETFCAP=no install
Also, clean up Make files and a test, and add more comments.
The make files needed a fix (remove -lpam from pam_cap/Makefile)
and I've added a number of comments in support of various issues
folk have asked me about.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
| |
This patch allows modifications of $(CFLAGS) when invoking make and fixes some
library linking issues.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
| |
Reported-by: Ulf Grüne <ulf.gruene@t-online.de>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
|
|
| |
All the good parts of this change are Mike Frysinger's
<vapier@gentoo.org> work. Everything that is broken, is due to my
mangling of it.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
|
| |
Also fixed a bug with config= module argument.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
|
|
|
| |
This revision of libcap has support for 32-bit and 64-bit capabilities.
It also supports filesystem capabilities of both sizes.
|
| |
|
|
|
|
|
|
| |
Note, I've been confused about the capset/capget system calls.
It would seem that the current way(TM) is to get the raw API
from libc.
|
|
Since I wrote it, and reserve all rights, I'm going to rebrand it
with the same license as libcap. (Will fix this an compiling etc.
on the next commit.)
|