Hello,
last GSoC I developed an eclass for the handling of file-based
capabilities [1]. One should be able to set file-caps for the binary from
the src_install phase. The eclass handles the setting of the caps and
also applies a fallback file-mode, if the caps-setting goes wrong.
I would be happy, if you guys and gals could take a look at it,
and review it :).
It uses a new global use-flag (filecaps) so it wouldn't collide with
the caps use-flag and the corresponding old handling of file-caps.
The git repository, which also includes a manpage and some tests for the eclass,
is available here [2].
I'm going to update the eclass with your patches there.
Cheers,
Constanze
[1] http://www.friedhoff.org/posixfilecaps.html
[2] https://github.com/constanze/GSoC2010_Gentoo_Capabilities
# Copyright 2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
# @ECLASS: fcaps.eclass
# @MAINTAINER: Constanze Hausner <consta...@gentoo.org>
# @BLURB: function to set POSIX file-based capabilities
# @DESCRIPTION:
# This eclass provides a function to set file-based capabilities on binaries.
# Due to probable capability-loss on moving or copying, this happens in
# pkg_postinst-phase (at least for now).
IUSE="filecaps"
DEPEND="filecaps? ( sys-libs/libcap )"
# @FUNCTION: fcaps
# @USAGE: fcaps {uid:gid} {file-mode} {cap1[,cap2,...]} {file}
# @RETURN: 0 if all okay; non-zero if failure and fallback
# @DESCRIPTION:
# fcaps sets the specified capabilities in the effective and permitted set of
# the given file. In case of failure fcaps sets the given file-mode.
fcaps() {
debug-print-function ${FUNCNAME} "$@"
debug-print "${FUNCNAME}: Trying to set capabilities for ${4}"
local uid_gid=$1
local perms=$2
export fallbackFileMode=$perms
local capset=$3
local path=$4
if [ $# -eq 5 ]; then
local set_mode=$5
else
debug-print "${FUNCNAME}: no set-mode provided, setting it to
ep"
#if there is no set_mode provided, it is set to true
local set_mode=1
fi
#set owner/group
debug-print "${FUNCNAME}: setting owner and group to ${uid_gid}"
chown $uid_gid $path
if [ $? -ne 0 ]; then
eerror "chown "$uid_gid" "$path" failed."
return 2
fi
#set file-mode including suid
debug-print "${FUNCNAME}: setting file-mode ${perms}, including suid"
chmod $perms $path
if [ $? -ne 0 ]; then
eerror "chmod "$perms" "$path" failed."
return 3
fi
#if filecaps is not enabled all is done
use !filecaps && return 0
#if libcap is not installed caps cannot be set
if [ ! -f "/sbin/setcap" ]; then
debug-print "${FUNCNAME}: libcap not installed, could not set
caps"
return 4
fi
#Check for set mode
if [ $set_mode -eq 1 ]; then
debug-print "${FUNCNAME}: set-mode = ep"
local sets="=ep"
else
debug-print "${FUNCNAME}: set-mode = ei"
local sets="=ei"
fi
#set the capability
debug-print "${FUNCNAME}: setting capabilities"
setcap "$capset""$sets" "$path" &> /dev/null
#check if the capabilitiy got set correctly
debug-print "${FUNCNAME}: checking capabilities"
setcap -v "$capset""$sets" "$path" &> /dev/null
local res=$?
#if caps could be set, remove suid-bit
if [ $res -eq 0 ]; then
debug-print "${FUNCNAME}: caps were set, removing suid-bit"
chmod -s $path
else
debug-print "${FUNCNAME}: caps could not be set"
ewarn "setcap "$capset" "$path" failed."
ewarn "Check your kernel and filesystem."
ewarn "Fallback file-mode was set."
fi
return $res
}
