Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libcap for openSUSE:Factory checked
in at 2021-02-16 22:34:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libcap (Old)
and /work/SRC/openSUSE:Factory/.libcap.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcap"
Tue Feb 16 22:34:57 2021 rev:43 rq:870717 version:2.48
Changes:
--------
--- /work/SRC/openSUSE:Factory/libcap/libcap.changes 2021-02-07
15:13:38.233361949 +0100
+++ /work/SRC/openSUSE:Factory/.libcap.new.28504/libcap.changes 2021-02-16
22:35:18.177562973 +0100
@@ -1,0 +2,12 @@
+Tue Feb 9 23:16:17 UTC 2021 - Dirk M??ller <dmuel...@suse.com>
+
+- update to 2.48:
+ * More uniform use of $(MAKE) in Makefiles
+ * No longer include symlinks in the git tree
+ * Provide support for make GOLANG=no ...
+ * Provide support for pointing at a specific build of the go binary
+ * camelCase the contrib/seccomp/explore.go program
+ * A number of documentation fixes to man pages and source code comments
+ * Last use of GO major version 0
+
+-------------------------------------------------------------------
Old:
----
libcap-2.47.tar.xz
New:
----
libcap-2.48.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libcap.spec ++++++
--- /var/tmp/diff_new_pack.k6S8CJ/_old 2021-02-16 22:35:18.761563752 +0100
+++ /var/tmp/diff_new_pack.k6S8CJ/_new 2021-02-16 22:35:18.765563757 +0100
@@ -17,7 +17,7 @@
Name: libcap
-Version: 2.47
+Version: 2.48
Release: 0
Summary: Library for Capabilities (linux-privs) Support
License: BSD-3-Clause AND GPL-2.0-only
++++++ libcap-2.47.tar.xz -> libcap-2.48.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/Make.Rules new/libcap-2.48/Make.Rules
--- old/libcap-2.47/Make.Rules 2021-01-24 03:06:05.000000000 +0100
+++ new/libcap-2.48/Make.Rules 2021-02-05 06:47:20.000000000 +0100
@@ -1,7 +1,7 @@
# Common version number defines for libcap
LIBTITLE=libcap
VERSION=2
-MINOR=47
+MINOR=48
#
## Optional prefixes:
@@ -103,16 +103,21 @@
PTHREADS ?= yes
ifeq ($(PTHREADS),yes)
-GO := go
-GOLANG := $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo
yes ; else echo no ; fi)
+GO ?= go
+GOLANG ?= $(shell if [ -n "$(shell $(GO) version 2>/dev/null)" ]; then echo
yes ; else echo no ; fi)
ifeq ($(GOLANG),yes)
-GOROOT := $(shell $(GO) env GOROOT)
-GOCGO := $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ;
else echo no ; fi)
-GOOSARCH := $(shell $(GO) env GOHOSTOS)_$(shell $(GO) env GOHOSTARCH)
+GOROOT ?= $(shell $(GO) env GOROOT)
+GOCGO ?= $(shell if [ "$(shell $(GO) env CGO_ENABLED)" = 1 ]; then echo yes ;
else echo no ; fi)
+GOOSARCH ?= $(shell $(GO) env GOHOSTOS)_$(shell $(GO) env GOHOSTARCH)
+CGO_REQUIRED=$(shell $(topdir)/go/cgo-required.sh $(GO))
+ifeq ($(CGO_REQUIRED),1)
+# Strictly speaking go1.15 doesn't need this, but 1.16 is when the
+# real golang support arrives for non-cgo support, so drop the last
+# vestige of legacy workarounds then.
+CGO_LDFLAGS_ALLOW := -Wl,-?-wrap[=,][^-.@][^,]*
+endif
CGO_CFLAGS := -I$(topdir)/libcap/include
CGO_LDFLAGS := -L$(topdir)/libcap
-CGO_LDFLAGS_ALLOW := -Wl,-?-wrap[=,][^-.@][^,]*
-CGO_REQUIRED=$(shell $(topdir)/go/cgo-required.sh)
endif
endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/Makefile new/libcap-2.48/Makefile
--- old/libcap-2.47/Makefile 2020-12-13 02:03:19.000000000 +0100
+++ new/libcap-2.48/Makefile 2021-02-03 06:34:29.000000000 +0100
@@ -42,32 +42,32 @@
cd .. && ln -s libcap libcap-$(VERSION).$(MINOR) && tar cvf
libcap-$(VERSION).$(MINOR).tar --exclude patches libcap-$(VERSION).$(MINOR)/*
&& rm libcap-$(VERSION).$(MINOR)
test: all
- make -C libcap $@
- make -C tests $@
+ $(MAKE) -C libcap $@
+ $(MAKE) -C tests $@
ifneq ($(PAM_CAP),no)
$(MAKE) -C pam_cap $@
endif
ifeq ($(GOLANG),yes)
- make -C go $@
+ $(MAKE) -C go $@
endif
- make -C progs $@
+ $(MAKE) -C progs $@
sudotest: all
- make -C tests $@
+ $(MAKE) -C tests $@
ifneq ($(PAM_CAP),no)
$(MAKE) -C pam_cap $@
endif
ifeq ($(GOLANG),yes)
- make -C go $@
+ $(MAKE) -C go $@
endif
- make -C progs $@
+ $(MAKE) -C progs $@
distcheck:
./distcheck.sh
- make DYNAMIC=yes clean all test sudotest
- make CC=/usr/local/musl/bin/musl-gcc clean all test sudotest
- make clean all test sudotest
- make distclean
+ $(MAKE) DYNAMIC=yes clean all test sudotest
+ $(MAKE) CC=/usr/local/musl/bin/musl-gcc clean all test sudotest
+ $(MAKE) clean all test sudotest
+ $(MAKE) distclean
morgangodoc:
@echo "Now the release is made, you want to remember to run:"
@@ -84,7 +84,7 @@
git tag -u D41A6DF2 -s v$(GOMAJOR).$(VERSION).$(MINOR) -m "This is the
version tag for the 'libcap' Go base directory associated with
libcap-$(VERSION).$(MINOR)."
git tag -u D41A6DF2 -s psx/v$(GOMAJOR).$(VERSION).$(MINOR) -m "This is
the version tag for the 'psx' Go package associated with
libcap-$(VERSION).$(MINOR)."
git tag -u D41A6DF2 -s cap/v$(GOMAJOR).$(VERSION).$(MINOR) -m "This is
the version tag for the 'cap' Go package associated with
libcap-$(VERSION).$(MINOR)."
- make release
+ $(MAKE) release
@echo "sign the tar file using korg key"
cd .. && gpg -sba -u E2CCF3F4 libcap-$(VERSION).$(MINOR).tar
- make morgangodoc
+ $(MAKE) morgangodoc
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/cap/file.go new/libcap-2.48/cap/file.go
--- old/libcap-2.47/cap/file.go 2020-08-02 03:31:08.000000000 +0200
+++ new/libcap-2.48/cap/file.go 2021-02-03 02:37:26.000000000 +0100
@@ -170,7 +170,7 @@
// use file capabilities to become capable inside a namespace to be
// administered by that UID. If capability aware code within that
// namespace writes file capabilities without explicitly setting such
-// a UID, the kernel will fixup the capabilities to be specific to
+// a UID, the kernel will fix-up the capabilities to be specific to
// that owner. In this way, the kernel prevents filesystem
// capabilities from leaking out of that restricted namespace.
func (c *Set) SetNSOwner(uid int) {
@@ -228,8 +228,8 @@
//
// Note, Linux does not store the full Effective Value Flag in the
// metadata for the file. Only a single Effective bit is stored in
-// this metadata. This single bit is non-zero if the Permitted vector
-// has any overlapping bits with the Effective or Inheritable vector
+// this metadata. This single bit is non-zero if the Effective vector
+// has any overlapping bits with the Permitted or Inheritable vector
// of c. This may appear suboptimal, but the reasoning behind it is
// sound. Namely, the purpose of the Effective bit it to support
// capabability unaware binaries that will only work if they magically
@@ -237,10 +237,10 @@
// referred to simply as the 'legacy' bit). Without *full* support for
// capability manipulation, as it is provided in this "../libcap/cap"
// package, this was the only way for Go programs to make use of
-// capabilities.
+// file capabilities.
//
// The preferred way a binary will actually manipulate its
-// file-acquired capabilities is to carefully and deliberately using
+// file-acquired capabilities is to carefully and deliberately use
// this package (or libcap, assisted by libpsx, for threaded C/C++
// family code).
func (c *Set) SetFd(file *os.File) error {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/cap/go.mod new/libcap-2.48/cap/go.mod
--- old/libcap-2.47/cap/go.mod 2021-01-24 03:07:25.000000000 +0100
+++ new/libcap-2.48/cap/go.mod 2021-02-05 06:48:35.000000000 +0100
@@ -2,4 +2,4 @@
go 1.11
-require kernel.org/pub/linux/libs/security/libcap/psx v0.2.47
+require kernel.org/pub/linux/libs/security/libcap/psx v0.2.48
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/contrib/seccomp/explore.go
new/libcap-2.48/contrib/seccomp/explore.go
--- old/libcap-2.47/contrib/seccomp/explore.go 2021-01-24 03:01:25.000000000
+0100
+++ new/libcap-2.48/contrib/seccomp/explore.go 2021-02-03 06:34:29.000000000
+0100
@@ -45,32 +45,32 @@
)
const (
- PR_SET_NO_NEW_PRIVS = 38
+ prSetNoNewPrivs = 38
- SYS_SECCOMP = 317 // x86_64 syscall number
- SECCOMP_SET_MODE_FILTER = 1 // uses user-supplied filter.
- SECCOMP_FILTER_FLAG_TSYNC = (1 << 0) // mirror filtering on all
threads.
- SECCOMP_RET_ERRNO = 0x00050000 // returns an errno
- SECCOMP_RET_DATA = 0x0000ffff // mask for RET data payload
(ex. errno)
- SECCOMP_RET_KILL_PROCESS = 0x80000000 // kill the whole process
immediately
- SECCOMP_RET_TRAP = 0x00030000 // disallow and force a SIGSYS
- SECCOMP_RET_ALLOW = 0x7fff0000
+ sysSeccomp = 317 // x86_64 syscall number
+ seccompSetModeFilter = 1 // uses user-supplied filter.
+ seccompFilterFlagTsync = (1 << 0) // mirror filtering on all threads.
+ seccompRetErrno = 0x00050000 // returns an errno
+ seccompRetData = 0x0000ffff // mask for RET data payload (ex.
errno)
+ seccompRetKillProcess = 0x80000000 // kill the whole process
immediately
+ seccompRetTrap = 0x00030000 // disallow and force a SIGSYS
+ seccompRetAllow = 0x7fff0000
- BPF_LD = 0x00
- BPF_JMP = 0x05
- BPF_RET = 0x06
+ bpfLd = 0x00
+ bpfJmp = 0x05
+ bpfRet = 0x06
- BPF_W = 0x00
+ bpfW = 0x00
- BPF_ABS = 0x20
- BPF_JEQ = 0x10
+ bpfAbs = 0x20
+ bpfJeq = 0x10
- BPF_K = 0x00
+ bpfK = 0x00
- AUDIT_ARCH_X86_64 = 3221225534 // HACK: I don't understand this value
- ARCH_NR = AUDIT_ARCH_X86_64
+ auditArchX86_64 = 3221225534 // HACK: I don't understand this value
+ archNr = auditArchX86_64
- syscall_nr = 0
+ syscallNr = 0
)
// SockFilter is a single filter block.
@@ -95,66 +95,67 @@
Filter *SockFilter
}
+// SockFilterSlice is a subprogram filter.
type SockFilterSlice []SockFilter
-func BPF_STMT(code uint16, k uint32) SockFilter {
+func bpfStmt(code uint16, k uint32) SockFilter {
return SockFilter{code, 0, 0, k}
}
-func BPF_JUMP(code uint16, k uint32, jt uint8, jf uint8) SockFilter {
+func bpfJump(code uint16, k uint32, jt uint8, jf uint8) SockFilter {
return SockFilter{code, jt, jf, k}
}
-func ValidateArchitecture() []SockFilter {
+func validateArchitecture() []SockFilter {
return []SockFilter{
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 4), // HACK: I don't understand
this 4.
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS),
+ bpfStmt(bpfLd+bpfW+bpfAbs, 4), // HACK: I don't understand this
4.
+ bpfJump(bpfJmp+bpfJeq+bpfK, archNr, 1, 0),
+ bpfStmt(bpfRet+bpfK, seccompRetKillProcess),
}
}
func ExamineSyscall() []SockFilter {
return []SockFilter{
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr),
+ bpfStmt(bpfLd+bpfW+bpfAbs, syscallNr),
}
}
func AllowSyscall(syscallNum uint32) []SockFilter {
return []SockFilter{
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscallNum, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ bpfJump(bpfJmp+bpfJeq+bpfK, syscallNum, 0, 1),
+ bpfStmt(bpfRet+bpfK, seccompRetAllow),
}
}
func DisallowSyscall(syscallNum, errno uint32) []SockFilter {
return []SockFilter{
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscallNum, 0, 1),
- BPF_STMT(BPF_RET+BPF_K,
SECCOMP_RET_ERRNO|(errno&SECCOMP_RET_DATA)),
+ bpfJump(bpfJmp+bpfJeq+bpfK, syscallNum, 0, 1),
+ bpfStmt(bpfRet+bpfK, seccompRetErrno|(errno&seccompRetData)),
}
}
func KillProcess() []SockFilter {
return []SockFilter{
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS),
+ bpfStmt(bpfRet+bpfK, seccompRetKillProcess),
}
}
func NotifyProcessAndDie() []SockFilter {
return []SockFilter{
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP),
+ bpfStmt(bpfRet+bpfK, seccompRetTrap),
}
}
func TrapOnSyscall(syscallNum uint32) []SockFilter {
return []SockFilter{
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscallNum, 0, 1),
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP),
+ bpfJump(bpfJmp+bpfJeq+bpfK, syscallNum, 0, 1),
+ bpfStmt(bpfRet+bpfK, seccompRetTrap),
}
}
func AllGood() []SockFilter {
return []SockFilter{
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ bpfStmt(bpfRet+bpfK, seccompRetAllow),
}
}
@@ -178,10 +179,10 @@
return nil
}
-// seccomp_set_mode_filter is our wrapper for performing our seccomp system
call.
+// SeccompSetModeFilter is our wrapper for performing our seccomp system call.
//go:uintptrescapes
-func seccomp_set_mode_filter(prog *SockFProg) error {
- if _, _, e := syscall.RawSyscall(SYS_SECCOMP, SECCOMP_SET_MODE_FILTER,
SECCOMP_FILTER_FLAG_TSYNC, uintptr(unsafe.Pointer(prog))); e != 0 {
+func SeccompSetModeFilter(prog *SockFProg) error {
+ if _, _, e := syscall.RawSyscall(sysSeccomp, seccompSetModeFilter,
seccompFilterFlagTsync, uintptr(unsafe.Pointer(prog))); e != 0 {
return e
}
return nil
@@ -220,12 +221,12 @@
}
// This is required to load a filter without privilege.
- if err := prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); err != nil {
+ if err := prctl(prSetNoNewPrivs, 1, 0, 0, 0, 0); err != nil {
log.Fatalf("Prctl(PR_SET_NO_NEW_PRIVS): %v", err)
}
fmt.Println("Applying syscall policy...")
- if err := seccomp_set_mode_filter(prog); err != nil {
+ if err := SeccompSetModeFilter(prog); err != nil {
log.Fatalf("seccomp_set_mode_filter: %v", err)
}
fmt.Println("...Policy applied")
@@ -240,7 +241,7 @@
}
var filter []SockFilter
- filter = append(filter, ValidateArchitecture()...)
+ filter = append(filter, validateArchitecture()...)
// Grab the system call number.
filter = append(filter, ExamineSyscall()...)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/contrib/seccomp/go.mod
new/libcap-2.48/contrib/seccomp/go.mod
--- old/libcap-2.47/contrib/seccomp/go.mod 2021-01-24 03:08:01.000000000
+0100
+++ new/libcap-2.48/contrib/seccomp/go.mod 2021-02-05 06:49:24.000000000
+0100
@@ -2,4 +2,4 @@
go 1.14
-require kernel.org/pub/linux/libs/security/libcap/psx v0.2.47
+require kernel.org/pub/linux/libs/security/libcap/psx v0.2.48
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/doc/libpsx.3 new/libcap-2.48/doc/libpsx.3
--- old/libcap-2.47/doc/libpsx.3 2020-10-18 03:38:52.000000000 +0200
+++ new/libcap-2.48/doc/libpsx.3 2021-02-03 06:34:29.000000000 +0100
@@ -1,4 +1,4 @@
-.TH LIBPSX 3 "2020-10-13" "" "Linux Programmer's Manual"
+.TH LIBPSX 3 "2021-01-31" "" "Linux Programmer's Manual"
.SH NAME
psx_syscall3, psx_syscall6 \- POSIX semantics for system calls
.SH SYNOPSIS
@@ -36,7 +36,9 @@
mechanism uses signo=33 (which is hidden by glibc below a redefined
SIGRTMIN),
.B libpsx
-usurps SIGRTMAX for this process.
+inserts itself in the SIGSYS handler stack. It goes to great length to
+be the first such handler but acts as a pass-through for other SIGSYS
+uses.
.PP
A linker trick of
.I wrapping
@@ -73,7 +75,10 @@
.SH CONFORMING TO
The needs of
.BR libcap (3)
-for POSIX semantics of capability manipulation.
+for POSIX semantics of capability manipulation. You can read more
+about why this is needed here:
+.TP
+https://sites.google.com/site/fullycapable/who-ordered-libpsx
.SH "REPORTING BUGS"
Please report bugs via:
.TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/go/.gitignore
new/libcap-2.48/go/.gitignore
--- old/libcap-2.47/go/.gitignore 2020-12-12 05:05:21.000000000 +0100
+++ new/libcap-2.48/go/.gitignore 2021-02-05 06:34:20.000000000 +0100
@@ -3,6 +3,7 @@
try-launching
try-launching-cgo
psx-signals
+psx-signals-cgo
b210613
mknames
web
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/go/Makefile new/libcap-2.48/go/Makefile
--- old/libcap-2.47/go/Makefile 2020-12-24 01:46:18.000000000 +0100
+++ new/libcap-2.48/go/Makefile 2021-02-05 06:34:20.000000000 +0100
@@ -76,12 +76,11 @@
GO111MODULE=off CGO_ENABLED="1"
CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" GOPATH=$(GOPATH) $(GO) build -o $@-cgo
$<
endif
-# Bug reported issues:
-# https://bugzilla.kernel.org/show_bug.cgi?id=210533 (cgo - fixed)
-# https://github.com/golang/go/issues/43149 (nocgo - not fixed yet)
-# When the latter is fixed we can replace CGO_ENABLED=1 with ="$(CGO_REQUIRED)"
-psx-signals: psx-signals.go $(PSXGOPACKAGE)
- GO111MODULE=off CGO_ENABLED=1 CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)"
CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) $(GO)
build $<
+psx-signals: psx-signals.go $(PSXGOPACKAGE)
+ GO111MODULE=off CGO_ENABLED="$(CGO_REQUIRED)"
CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)"
CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) $(GO) build $<
+ifeq ($(CGO_REQUIRED),0)
+ GO111MODULE=off CGO_ENABLED="1"
CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)"
CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) $(GO) build -o $@-cgo $<
+endif
b210613: b210613.go $(CAPGOPACKAGE)
GO111MODULE=off CGO_ENABLED="$(CGO_REQUIRED)"
CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)"
CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) $(GO) build $<
@@ -91,6 +90,9 @@
GO111MODULE=off CGO_ENABLED="$(CGO_REQUIRED)"
CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" GOPATH="$(GOPATH)" $(GO) test
$(IMPORTDIR)/cap
LD_LIBRARY_PATH=../libcap ./compare-cap
./psx-signals
+ifeq ($(CGO_REQUIRED),0)
+ ./psx-signals-cgo
+endif
./setid --caps=false
./gowns -- -c "echo gowns runs"
@@ -122,5 +124,5 @@
rm -f web setid gowns
rm -f compare-cap try-launching try-launching-cgo
rm -f $(topdir)/cap/*~ $(topdir)/psx/*~
- rm -f psx-signals b210613
+ rm -f b210613 psx-signals psx-signals-cgo
rm -fr pkg src
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/go/cgo-required.sh
new/libcap-2.48/go/cgo-required.sh
--- old/libcap-2.47/go/cgo-required.sh 2020-07-01 04:43:01.000000000 +0200
+++ new/libcap-2.48/go/cgo-required.sh 2021-02-05 06:34:20.000000000 +0100
@@ -4,8 +4,13 @@
# available to the working go runtime or not. If it isn't we always
# have to use libcap/psx to get POSIX semantics for syscalls that
# change security state.
+if [ -n "$1" ]; then
+ export GO="${1}"
+else
+ export GO=go
+fi
-if [ -z "$(go doc syscall 2>/dev/null|grep AllThreadsSyscall)" ]; then
+if [ -z "$(${GO} doc syscall 2>/dev/null|grep AllThreadsSyscall)" ]; then
echo "1"
else
echo "0"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/goapps/gowns/go.mod
new/libcap-2.48/goapps/gowns/go.mod
--- old/libcap-2.47/goapps/gowns/go.mod 2021-01-24 03:08:53.000000000 +0100
+++ new/libcap-2.48/goapps/gowns/go.mod 2021-02-05 06:50:35.000000000 +0100
@@ -2,4 +2,4 @@
go 1.15
-require kernel.org/pub/linux/libs/security/libcap/cap v0.2.47
+require kernel.org/pub/linux/libs/security/libcap/cap v0.2.48
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/goapps/setid/go.mod
new/libcap-2.48/goapps/setid/go.mod
--- old/libcap-2.47/goapps/setid/go.mod 2021-01-24 03:08:38.000000000 +0100
+++ new/libcap-2.48/goapps/setid/go.mod 2021-02-05 06:50:59.000000000 +0100
@@ -3,6 +3,6 @@
go 1.11
require (
- kernel.org/pub/linux/libs/security/libcap/cap v0.2.47
- kernel.org/pub/linux/libs/security/libcap/psx v0.2.47
+ kernel.org/pub/linux/libs/security/libcap/cap v0.2.48
+ kernel.org/pub/linux/libs/security/libcap/psx v0.2.48
)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/goapps/web/go.mod
new/libcap-2.48/goapps/web/go.mod
--- old/libcap-2.47/goapps/web/go.mod 2021-01-24 03:08:24.000000000 +0100
+++ new/libcap-2.48/goapps/web/go.mod 2021-02-05 06:51:17.000000000 +0100
@@ -2,4 +2,4 @@
go 1.11
-require kernel.org/pub/linux/libs/security/libcap/cap v0.2.47
+require kernel.org/pub/linux/libs/security/libcap/cap v0.2.48
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/libcap/Makefile
new/libcap-2.48/libcap/Makefile
--- old/libcap-2.47/libcap/Makefile 2020-11-03 02:58:32.000000000 +0100
+++ new/libcap-2.48/libcap/Makefile 2021-02-03 07:15:55.000000000 +0100
@@ -28,18 +28,18 @@
all: pcs $(STACAPLIBNAME)
ifeq ($(SHARED),yes)
- make $(CAPLIBNAME)
+ $(MAKE) $(CAPLIBNAME)
endif
ifeq ($(PTHREADS),yes)
- make $(STAPSXLIBNAME)
+ $(MAKE) $(STAPSXLIBNAME)
ifeq ($(SHARED),yes)
- make $(PSXLIBNAME)
+ $(MAKE) $(PSXLIBNAME)
endif
endif
pcs: libcap.pc
ifeq ($(PTHREADS),yes)
- make libpsx.pc
+ $(MAKE) libpsx.pc
endif
ifeq ($(BUILD_GPERF),yes)
@@ -88,8 +88,8 @@
$(AR) rcs $@ $^
$(RANLIB) $@
-$(STAPSXLIBNAME): $(PSXOBJS)
- $(AR) rcs $@ $^
+$(STAPSXLIBNAME): $(PSXOBJS) include/sys/psx_syscall.h
+ $(AR) rcs $@ $(PSXOBJS)
$(RANLIB) $@
ifeq ($(SHARED),yes)
@@ -98,8 +98,8 @@
ln -sf $(MINCAPLIBNAME) $(MAJCAPLIBNAME)
ln -sf $(MAJCAPLIBNAME) $(CAPLIBNAME)
-$(PSXLIBNAME) $(MAJPSXLIBNAME) $(MINPSXLIBNAME): $(PSXOBJS)
- $(LD) $(CFLAGS) $(LDFLAGS) -Wl,-soname,$(MAJPSXLIBNAME) -o
$(MINPSXLIBNAME) $^ $(PSXLINKFLAGS)
+$(PSXLIBNAME) $(MAJPSXLIBNAME) $(MINPSXLIBNAME): $(PSXOBJS)
include/sys/psx_syscall.h
+ $(LD) $(CFLAGS) $(LDFLAGS) -Wl,-soname,$(MAJPSXLIBNAME) -o
$(MINPSXLIBNAME) $(PSXOBJS) $(PSXLINKFLAGS)
ln -sf $(MINPSXLIBNAME) $(MAJPSXLIBNAME)
ln -sf $(MAJPSXLIBNAME) $(PSXLIBNAME)
endif
@@ -118,27 +118,27 @@
install: install-static
ifeq ($(SHARED),yes)
- make install-shared
+ $(MAKE) install-shared
endif
install-static: install-static-cap
ifeq ($(PTHREADS),yes)
- make install-static-psx
+ $(MAKE) install-static-psx
endif
install-shared: install-shared-cap
ifeq ($(PTHREADS),yes)
- make install-shared-psx
+ $(MAKE) install-shared-psx
endif
install-cap: install-static-cap
ifeq ($(SHARED),yes)
- make install-shared-cap
+ $(MAKE) install-shared-cap
endif
install-psx: install-static-psx
ifeq ($(SHARED),yes)
- make install-shared-psx
+ $(MAKE) install-shared-psx
endif
install-static-cap: install-common-cap $(STACAPLIBNAME)
@@ -167,7 +167,11 @@
install -m 0644 include/sys/capability.h $(FAKEROOT)$(INCDIR)/sys
install -m 0644 libcap.pc $(FAKEROOT)$(PKGCONFIGDIR)/libcap.pc
-install-common-psx: install-common libpsx.pc
+include/sys/psx_syscall.h: ../psx/psx_syscall.h
+ rm -f $@
+ ln -s ../../../psx/psx_syscall.h $@
+
+install-common-psx: install-common libpsx.pc include/sys/psx_syscall.h
install -m 0644 include/sys/psx_syscall.h $(FAKEROOT)$(INCDIR)/sys
install -m 0644 libpsx.pc $(FAKEROOT)$(PKGCONFIGDIR)/libpsx.pc
@@ -181,4 +185,5 @@
rm -f $(CAPOBJS) $(CAPLIBNAME)* $(STACAPLIBNAME) libcap.pc
rm -f $(PSXOBJS) $(PSXLIBNAME)* $(STAPSXLIBNAME) libpsx.pc
rm -f cap_names.h cap_names.list.h _makenames $(GPERF_OUTPUT) cap_test
+ rm -f include/sys/psx_syscall.h
cd include/sys && $(LOCALCLEAN)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/libcap/include/sys/.gitignore
new/libcap-2.48/libcap/include/sys/.gitignore
--- old/libcap-2.47/libcap/include/sys/.gitignore 1970-01-01
01:00:00.000000000 +0100
+++ new/libcap-2.48/libcap/include/sys/.gitignore 2021-02-03
07:15:55.000000000 +0100
@@ -0,0 +1 @@
+psx_syscall.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/libcap/include/sys/psx_syscall.h
new/libcap-2.48/libcap/include/sys/psx_syscall.h
--- old/libcap-2.47/libcap/include/sys/psx_syscall.h 2021-02-16
22:35:18.869563895 +0100
+++ new/libcap-2.48/libcap/include/sys/psx_syscall.h 1970-01-01
01:00:00.000000000 +0100
@@ -1 +0,0 @@
-symbolic link to ../../../psx/psx_syscall.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/libcap/psx_syscall.h
new/libcap-2.48/libcap/psx_syscall.h
--- old/libcap-2.47/libcap/psx_syscall.h 2021-02-16 22:35:18.873563900
+0100
+++ new/libcap-2.48/libcap/psx_syscall.h 1970-01-01 01:00:00.000000000
+0100
@@ -1 +0,0 @@
-symbolic link to include/sys/psx_syscall.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/psx/README new/libcap-2.48/psx/README
--- old/libcap-2.47/psx/README 2020-07-16 04:31:24.000000000 +0200
+++ new/libcap-2.48/psx/README 2021-02-03 02:37:26.000000000 +0100
@@ -1,20 +1,28 @@
-Package psx provides a CGo backed API for invoking system calls in a
-way that each system call is mirrored on all pthreads of the combined
-Go/CGo runtime. Since the Go runtime treats all pthreads as
-interchangeable, a feature like this is needed to meaningfully change
-process privilege (including dropping privilege) in a Go program
-running on Linux. This package is required by:
+Package "psx" provides an API for invoking system calls in a way that
+each system call is mirrored on all OS threads of the combined Go/CGo
+runtime. Since the Go runtime treats OS threads as interchangeable, a
+feature like this is needed to meaningfully change process privilege
+(including dropping privilege) in a Go program running on Linux. This
+package is required by:
"kernel.org/pub/linux/libs/security/libcap/cap"
-The functionality is implemented by a C library: libpsx, which is
-distributed with the libcap. The official release announcement site
-for libcap and libpsx is:
+When compiled CGO_ENABLED=0, the functionality requires go1.16+ to
+build. That release of Go introduced syscall.AllThreadsSyscall*()
+APIs. When compiled this way, the "psx" package functions
+psx.Syscall3() and psx.Syscall6() are aliased to
+syscall.AllThreadsSyscall() and syscall.AllThreadsSyscall6()
+respectively.
+
+When compiled CGO_ENABLED=1, the functionality is implemented by C
+code, [lib]psx, which is distributed with libcap.
+
+The official release announcement site for libcap and libpsx is:
https://sites.google.com/site/fullycapable/
-Like libcap/libpsx itself, the psx package is distributed with a "you
-choose" License. Specifically: BSD three clause, or GPL2. See the
+Like libcap/libpsx itself, the "psx" package is distributed with a
+"you choose" License. Specifically: BSD three clause, or GPL2. See the
LICENSE file.
Andrew G. Morgan <mor...@kernel.org>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/psx/psx.c new/libcap-2.48/psx/psx.c
--- old/libcap-2.47/psx/psx.c 2020-12-12 05:05:21.000000000 +0100
+++ new/libcap-2.48/psx/psx.c 2021-02-03 02:37:26.000000000 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019,20 Andrew G Morgan <mor...@kernel.org>
+ * Copyright (c) 2019-21 Andrew G Morgan <mor...@kernel.org>
*
* This file contains a collection of routines that perform thread
* synchronization to ensure that a whole process is running as a
@@ -30,12 +30,12 @@
#include "psx_syscall.h"
/*
- * psx_load_syscalls() is weakly defined so we can have it overridden
- * by libpsx if it is linked. Specifically, when libcap calls
- * psx_load_sycalls it will override their defaut values. As can be
- * seen here this present function is a no-op. However, if libpsx is
- * linked, the one present in that library (not being weak) will
- * replace this one.
+ * psx_load_syscalls() can be weakly defined in dependent libraries to
+ * provide a mechanism for a library to optionally leverage this psx
+ * mechanism. Specifically, when libcap calls psx_load_sycalls() it
+ * provides a weakly declared default that maps its system calls to
+ * the regular system call functions. However, when linked with psx,
+ * this function here overrides the syscalls to be the psx ones.
*/
void psx_load_syscalls(long int (**syscall_fn)(long int,
long int, long int, long int),
@@ -96,7 +96,8 @@
/*
* psx_action_key is used for thread local storage of the thread's
- * registration. */
+ * registration.
+ */
pthread_key_t psx_action_key;
/*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libcap-2.47/psx/psx.go new/libcap-2.48/psx/psx.go
--- old/libcap-2.47/psx/psx.go 2020-12-24 01:46:18.000000000 +0100
+++ new/libcap-2.48/psx/psx.go 2021-02-03 06:34:29.000000000 +0100
@@ -7,6 +7,8 @@
"syscall"
)
+// Syscall3 and Syscall6 are aliases for syscall.AllThreadsSyscall*
+// when compiled CGO_ENABLED=0.
var (
Syscall3 = syscall.AllThreadsSyscall
Syscall6 = syscall.AllThreadsSyscall6
