RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/libcap#67e96608f23674abb40556f98d9bab5b1fb34196
Petr Šabata 2020-10-15 15:39:37 +02:00
parent 795ebfe256
commit 1f1aae1e1c
23 changed files with 1461 additions and 0 deletions

.gitignore

@ -0,0 +1,5 @@
libcap-2.17.tar.gz
/libcap-2.22.tar.bz2
/libcap-2.24.tar.gz
/libcap-2.25.tar.gz
/libcap-2.26.tar.gz
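
Review bot: The first entry, libcap-2.17.tar.gz, has no leading slash, unlike the other four, so it matches at any depth instead of only at the repository root; write it as /libcap-2.17.tar.gz. The sources file in this commit references only libcap-2.26.tar.gz, so the entries for 2.17 through 2.25 could be dropped as well.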

capfaq-0.2.txt

@ -0,0 +1,264 @@
This is the Linux kernel capabilities FAQ
Its history, to the extent that I am able to reconstruct it is that
v2.0 was posted to the Linux kernel list on 1999/04/02 by Boris
Tobotras. Thanks to Denis Ducamp for forwarding me a copy.
Cheers
Andrew
Linux Capabilities FAQ 0.2
==========================
1) What is a capability?
The name "capabilities" as used in the Linux kernel can be confusing.
First there are Capabilities as defined in computer science. A
capability is a token used by a process to prove that it is allowed to
do an operation on an object. The capability identifies the object
and the operations allowed on that object. A file descriptor is a
capability. You create the file descriptor with the "open" call and
request read or write permissions. Later, when doing a read or write
operation, the kernel uses the file descriptor as an index into a
data structure that indicates what operations are allowed. This is an
efficient way to check permissions. The necessary data structures are
created once during the "open" call. Later read and write calls only
have to do a table lookup. Operations on capabilities include copying
capabilities, transferring capabilities between processes, modifying a
capability, and revoking a capability. Modifying a capability can be
something like taking a read-write filedescriptor and making it
read-only. A capability often has a notion of an "owner" which is
able to invalidate all copies and derived versions of a capability.
Entire OSes are based on this "capability" model, with varying degrees
of purity. There are other ways of implementing capabilities than the
file descriptor model - traditionally special hardware has been used,
but modern systems also use the memory management unit of the CPU.
Then there is something quite different called "POSIX capabilities"
which is what Linux uses. These capabilities are a partitioning of
the all powerful root privilege into a set of distinct privileges (but
look at securelevel emulation to find out that this isn't necessary
the whole truth). Users familiar with VMS or "Trusted" versions of
other UNIX variants will know this under the name "privileges". The
name "capabilities" comes from the now defunct POSIX draft 1003.1e
which used this name.
2) So what is a "POSIX capability"?
A process has three sets of bitmaps called the inheritable(I),
permitted(P), and effective(E) capabilities. Each capability is
implemented as a bit in each of these bitmaps which is either set or
unset. When a process tries to do a privileged operation, the
operating system will check the appropriate bit in the effective set
of the process (instead of checking whether the effective uid of the
process i 0 as is normally done). For example, when a process tries
to set the clock, the Linux kernel will check that the process has the
CAP_SYS_TIME bit (which is currently bit 25) set in its effective set.
The permitted set of the process indicates the capabilities the
process can use. The process can have capabilities set in the
permitted set that are not in the effective set. This indicates that
the process has temporarily disabled this capability. A process is
allowed to set a bit in its effective set only if it is available in
the permitted set. The distinction between effective and permitted
exists so that processes can "bracket" operations that need privilege.
The inheritable capabilities are the capabilities of the current
process that should be inherited by a program executed by the current
process. The permitted set of a process is masked against the
inheritable set during exec(). Nothing special happens during fork()
or clone(). Child processes and threads are given an exact copy of
the capabilities of the parent process.
3) What about other entities in the system? Users, Groups, Files?
Files have capabilities. Conceptually they have the same three
bitmaps that processes have, but to avoid confusion we call them by
other names. Only executable files have capabilities, libraries don't
have capabilities (yet). The three sets are called the allowed set,
the forced set, and the effective set.
The allowed set indicates what capabilities the executable is allowed
to receive from an execing process. This means that during exec(),
the capabilities of the old process are first masked against a set
which indicates what the process gives away (the inheritable set of
the process), and then they are masked against a set which indicates
what capabilities the new process image is allowed to receive (the
allowed set of the executable).
The forced set is a set of capabilities created out of thin air and
given to the process after execing the executable. The forced set is
similar in nature to the setuid feature. In fact, the setuid bit from
the filesystem is "read" as a full forced set by the kernel.
The effective set indicates which bits in the permitted set of the new
process should be transferred to the effective set of the new process.
The effective set is best thought of as a "capability aware" set. It
should consist of only 1s if the executable is capability-dumb, or
only 0s if the executable is capability-smart. Since the effective
set consists of only 0s or only 1s, the filesystem can implement this
set using a single bit.
NOTE: Filesystem support for capabilities is not part of Linux 2.2.
Users and Groups don't have associated capabilities from the kernel's
point of view, but it is entirely reasonable to associate users or
groups with capabilities. By letting the "login" program set some
capabilities it is possible to make role users such as a backup user
that will have the CAP_DAC_READ_SEARCH capability and be able to do
backups. This could also be implemented as a PAM module, but nobody
has implemented one yet.
4) What capabilities exist?
The capabilities available in Linux are listed and documented in the
file /usr/src/linux/include/linux/capability.h.
5) Are Linux capabilities hierarchical?
No, you cannot make a "subcapability" out of a Linux capability as in
capability-based OSes.
6) How can I use capabilities to make sure Mr. Evil Luser (eluser)
can't exploit my "suid" programs?
This is the general outline of how this works given filesystem
capability support exists. First, you have a PAM module that sets the
inheritable capabilities of the login-shell of eluser. Then for all
"suid" programs on the system, you decide what capabilities they need
and set the _allowed_ set of the executable to that set of
capabilities. The capability rules
new permitted = forced | (allowed & inheritable)
means that you should be careful about setting forced capabilities on
executables. In a few cases, this can be useful though. For example
the login program needs to set the inheritable set of the new user and
therefore needs an almost full permitted set. So if you want eluser
to be able to run login and log in as a different user, you will have
to set some forced bits on that executable.
7) What about passing capabilities between processes?
Currently this is done by the system call "setcap" which can set the
capabilities of another process. This requires the CAP_SETPCAP
capability which you really only want to grant a _few_ processes.
CAP_SETPCAP was originally intended as a workaround to be able to
implement filesystem support for capabilities using a daemon outside
the kernel.
There has been discussions about implementing socket-level capability
passing. This means that you can pass a capability over a socket. No
support for this exists in the official kernel yet.
8) I see securelevel has been removed from 2.2 and are superceeded by
capabilities. How do I emulate securelevel using capabilities?
The setcap system call can remove a capability from _all_ processes on
the system in one atomic operation. The setcap utility from the
libcap distribution will do this for you. The utility requires the
CAP_SETPCAP privilege to do this. The CAP_SETPCAP capability is not
enabled by default.
libcap is available from
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/
9) I noticed that the capability.h file lacks some capabilities that
are needed to fully emulate 2.0 securelevel. Is there a patch for
this?
Actually yes - funny you should ask :-). The problem with 2.0
securelevel is that they for example stop root from accessing block
devices. At the same time they restrict the use of iopl. These two
changes are fundamentally different. Blocking access to block devices
means restricting something that usually isn't restricted.
Restricting access to the use of iopl on the other hand means
restricting (blocking) access to something that is already blocked.
Emulating the parts of 2.0 securelevel that restricts things that are
normally not restricted means that the capabilites in the kernel has
to have a set of capabilities that are usually _on_ for a normal
process (note that this breaks the explanation that capabilities are a
partitioning of the root privileges). There is an experimental patch at
ftp://ftp.guardian.no/pub/free/linux/capabilities/patch-cap-exp-1
which implements a set of capabilities with the "CAP_USER" prefix:
cap_user_sock - allowed to use socket()
cap_user_dev - allowed to open char/block devices
cap_user_fifo - allowed to use pipes
These should be enough to emulate 2.0 securelevel (tell me if we need
something more).
10) Seems I need a CAP_SETPCAP capability that I don't have to make use
of capabilities. How do I enable this capability?
Change the definition of CAP_INIT_EFF_SET and CAP_INIT_INH_SET to the
following in include/linux/capability.h:
#define CAP_INIT_EFF_SET { ~0 }
#define CAP_INIT_INH_SET { ~0 }
This will start init with a full capability set and not with
CAP_SETPCAP removed.
11) How do I start a process with a limited set of capabilities?
Get the libcap library and use the execcap utility. The following
example starts the update daemon with only the CAP_SYS_ADMIN
capability.
execcap 'cap_sys_admin=eip' update
12) How do I start a process with a limited set of capabilities under
another uid?
Use the sucap utility which changes uid from root without loosing any
capabilities. Normally all capabilities are cleared when changing uid
from root. The sucap utility requires the CAP_SETPCAP capability.
The following example starts updated under uid updated and gid updated
with CAP_SYS_ADMIN raised in the Effective set.
sucap updated updated execcap 'cap_sys_admin=eip' update
[ Sucap is currently available from
ftp://ftp.guardian.no/pub/free/linux/capabilities/sucap.c. Put it in
the progs directory of libcap to compile.]
13) What are the "capability rules"
The capability rules are the rules used to set the capabilities of the
new process image after an exec. They work like this:
pI' = pI
(***) pP' = fP | (fI & pI)
pE' = pP' & fE [NB. fE is 0 or ~0]
I=Inheritable, P=Permitted, E=Effective // p=process, f=file
' indicates post-exec().
Now to make sense of the equations think of fP as the Forced set of
the executable, and fI as the Allowed set of the executable. Notice
how the Inheritable set isn't touched at all during exec().
14) What are the laws for setting capability bits in the Inheritable,
Permitted, and Effective sets?
Bits can be transferred from Permitted to either Effective or
Inheritable set.
Bits can be removed from all sets.
15) Where is the standard on which the Linux capabilities are based?
There used to be a POSIX draft called POSIX.6 and later POSIX 1003.1e.
However after the committee had spent over 10 years, POSIX decided
that enough is enough and dropped the draft. There will therefore not
be a POSIX standard covering security anytime soon. This may lead to
that the POSIX draft is available for free, however.
--
Best regards, -- Boris.
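
Review bot: capfaq-0.2.txt is added to the repository, but libcap.spec in this commit has no Source line for it and %files lists only doc/capability.notes under %doc, so the FAQ is never packaged. Either add it as a Source and install it as %doc, or drop it from the branch. If it stays, a short header marking it as historical would help: its own text says filesystem capability support "is not part of Linux 2.2", and it describes the execcap and sucap utilities, which the tests in this commit do not exercise.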

gating.yaml

@ -0,0 +1,7 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_testing
rules:
- !PassingTestCaseRule {test_case_name: dist.depcheck}
- !PassingTestCaseRule {test_case_name: dist.abicheck}
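
Review bot: product_versions matches only fedora-* and decision_context is bodhi_update_push_testing, both Fedora-specific, while the commit message says this branch is the RHEL 9.0.0 Alpha bootstrap, so as written the policy does not apply to builds from this branch. Add the product version and decision context that this branch is gated on, or remove the file if gating is configured elsewhere.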

getpcaps.8

@ -0,0 +1,23 @@
.\" Hey, EMACS: -*- nroff -*-
.TH GETPCAPS 8 "2001-05-29"
.\" Please adjust this date whenever revising the manpage.
.SH NAME
getpcaps \- display process capabilities
.SH SYNOPSIS
.B getpcaps
.IR pid ...
.SH DESCRIPTION
.B getpcaps
displays the capabilities on the processes indicated by the
.I pid
value(s) given on the commandline. The capabilities
are displayed in the
.BR cap_from_text (3)
format.
.SH SEE ALSO
.BR execcap (8).
.br
.SH AUTHOR
This manual page was written by Robert Bihlmeyer <robbe@debian.org>,
for the Debian GNU/Linux system (but may be used by others).
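
Review bot: The SEE ALSO section refers only to execcap(8), which nothing else in this commit installs by name or tests; the test script here pairs getpcaps with capsh, so pointing readers at capsh(1) would be more useful. The .br request after that entry is unnecessary directly before .SH AUTHOR and can be removed.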


@ -0,0 +1,22 @@
diff -up libcap-2.25/Make.Rules.rh libcap-2.25/Make.Rules
--- libcap-2.25/Make.Rules.rh 2016-04-11 18:52:01.418065682 +0200
+++ libcap-2.25/Make.Rules 2016-04-11 18:52:10.790113866 +0200
@@ -49,7 +49,8 @@ KERNEL_HEADERS := $(topdir)/libcap/inclu
IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
CC := gcc
-CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+CFLAGS := $(RPM_OPT_FLAGS) -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+
BUILD_CC := $(CC)
BUILD_CFLAGS := $(CFLAGS) $(IPATH)
AR := ar
@@ -60,7 +61,7 @@ WARNINGS=-Wall -Wwrite-strings \
-Wstrict-prototypes -Wmissing-prototypes \
-Wnested-externs -Winline -Wshadow
LD=$(CC) -Wl,-x -shared
-LDFLAGS := #-g
+LDFLAGS := $(RPM_LD_FLAGS) #-g
BUILD_GPERF := $(shell which gperf >/dev/null 2>/dev/null && echo yes)
SYSTEM_HEADERS = /usr/include
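
Review bot: In the first Make.Rules hunk, CFLAGS := $(RPM_OPT_FLAGS) replaces the -O2 default outright, so optimization and hardening flags now depend entirely on RPM_OPT_FLAGS reaching make through the environment; the make call in %build of libcap.spec passes prefix, lib, LIBDIR, SBINDIR, INCDIR, MANDIR and PKGCONFIGDIR but not this variable. If it is empty, the library builds with none of those flags and nothing fails. Pass the flags explicitly from the spec, or keep a fallback such as $(or $(RPM_OPT_FLAGS),-O2). The same applies to LDFLAGS := $(RPM_LD_FLAGS) in the second hunk, and the blank line added after CFLAGS is noise.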

libcap.spec

@ -0,0 +1,358 @@
Name: libcap
Version: 2.26
Release: 8%{?dist}
Summary: Library for getting and setting POSIX.1e capabilities
URL: https://sites.google.com/site/fullycapable/
License: GPLv2
Source: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/snapshot/%{name}-%{version}.tar.gz
# http://manned.org/getpcaps/299a4949/src:
Source1: getpcaps.8
Patch0: libcap-2.25-buildflags.patch
BuildRequires: libattr-devel pam-devel perl-interpreter gcc
%description
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
draft 15 capabilities.
%package static
Summary: Static libraries for libcap development
Requires: %{name} = %{version}-%{release}
%description static
The libcap-static package contains static libraries needed to develop programs
that use libcap and need to be statically linked.
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
draft 15 capabilities.
%package devel
Summary: Development files for libcap
Requires: %{name} = %{version}-%{release}
%description devel
Development files (Headers, etc) for libcap.
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
draft 15 capabilities.
Install libcap-devel if you want to develop or compile applications using
libcap.
%prep
%setup -q
%patch0 -p1
%build
# libcap can not be build with _smp_mflags:
make prefix=%{_prefix} lib=%{_lib} LIBDIR=%{_libdir} SBINDIR=%{_sbindir} \
INCDIR=%{_includedir} MANDIR=%{_mandir} PKGCONFIGDIR=%{_libdir}/pkgconfig/
%install
make install RAISE_SETFCAP=no \
DESTDIR=%{buildroot} \
LIBDIR=%{_libdir} \
SBINDIR=%{_sbindir} \
PKGCONFIGDIR=%{_libdir}/pkgconfig/
mkdir -p %{buildroot}/%{_mandir}/man{2,3,8}
mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/
cp -f %{SOURCE1} %{buildroot}/%{_mandir}/man8/
chmod +x %{buildroot}/%{_libdir}/*.so.*
%ldconfig_scriptlets
%files
%{!?_licensedir:%global license %%doc}
%license License
%doc doc/capability.notes
%{_libdir}/*.so.*
%{_sbindir}/*
%{_mandir}/man1/*
%{_mandir}/man8/*
%{_libdir}/security/pam_cap.so
%files static
%{_libdir}/libcap.a
%files devel
%{_includedir}/*
%{_libdir}/*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/libcap.pc
%changelog
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Feb 04 2019 Karsten Hopp <karsten@redhat.com> - 2.26-5
- enable gating
* Mon Feb 04 2019 Karsten Hopp <karsten@redhat.com> - 2.26-4
- bump release
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.26-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 28 2019 Karsten Hopp <karsten@redhat.com> - 2.26-2
- add CI tests using the standard test interface (astepano)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 02 2018 Karsten Hopp <karsten@redhat.com> - 2.25-11
- rebuild
* Wed Feb 21 2018 Karsten Hopp <karsten@redhat.com> - 2.25-10
- buildrequire gcc
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.25-8
- Switch to %%ldconfig_scriptlets
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Dec 15 2016 Karsten Hopp <karsten@redhat.com> - 2.25-4
- add -static subpackage (rhbz#1380251)
* Sun Nov 27 2016 Lubomir Rintel <lkundrak@v3.sk> - 2.25-3
- Add perl BR to fix FTBFS
* Mon Apr 25 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.25-2
- Fix pkgconfig install location on aarch64
- Spec file cleanups
* Mon Apr 11 2016 Karsten Hopp <karsten@redhat.com> - 2.25-1
- libcap-2.25
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.24-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.24-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.24-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 17 2014 Tom Callaway <spot@fedoraproject.org> - 2.24-6
- fix license handling
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.24-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Apr 25 2014 Karsten Hopp <karsten@redhat.com> 2.24-4
- fix libdir in libcap.pc
* Wed Apr 23 2014 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 2.24-3
- set pkg-config dir to proper value to get it built on AArch64
* Wed Apr 16 2014 Karsten Hopp <karsten@redhat.com> 2.24-2
- fix URL and license
* Wed Apr 16 2014 Karsten Hopp <karsten@redhat.com> 2.24-1
- update to 2.24
- dropped patch for rhbz#911878, it is upstream now
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.22-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue May 14 2013 Karsten Hopp <karsten@redhat.com> 2.22-6
- mv libraries to /usr/lib*
- add getpcaps man page
- spec file cleanup
- fix URL of tarball
* Tue May 14 2013 Karsten Hopp <karsten@redhat.com> 2.22-5
- add patch from Mark Wielaard to fix use of uninitialized memory in _fcaps_load
rhbz #911878
* Sun Feb 24 2013 Ville Skyttä <ville.skytta@iki.fi> - 2.22-5
- Build with $RPM_OPT_FLAGS and $RPM_LD_FLAGS.
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.22-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.22-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.22-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Wed Jul 27 2011 Karsten Hopp <karsten@redhat.com> 2.22-1
- update to 2.22 (#689752)
* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Dec 10 2009 Karsten Hopp <karsten@redhat.com> 2.17-1
- update to 2.17
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.16-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Tue Jun 16 2009 Karsten Hopp <karsten@redhat.com> 2.16-4
- fix build problems with p.e. cdrkit
* Sun Mar 22 2009 Karsten Hopp <karsten@redhat.com> 2.16-1
- update, with a fix for rebuild problems
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Fri Jun 06 2008 Karsten Hopp <karsten@redhat.com> 2.10-2
- drop libcap.so.1
- fix buildrequires and path to pam security module
* Thu Jun 05 2008 Karsten Hopp <karsten@redhat.com> 2.10-1
- libcap-2.10
* Thu Feb 21 2008 Karsten Hopp <karsten@redhat.com> 2.06-4
- don't build static binaries (#433808)
* Wed Feb 20 2008 Karsten Hopp <karsten@redhat.com> 2.06-3
- temporarily add libcap-1 libraries to bootstrap some packages
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.06-2
- Autorebuild for GCC 4.3
* Fri Feb 15 2008 Karsten Hopp <karsten@redhat.com> 2.06-1
- upate to 2.06 (#432983)
* Wed Jan 16 2008 Karsten Hopp <karsten@redhat.com> 1.10-33
- drop post,postun requirements on ldconfig as find-requires can handle this
* Tue Jan 15 2008 Karsten Hopp <karsten@redhat.com> 1.10-32
- add disttag
- fix changelog
- fix defattr
* Mon Jan 14 2008 Karsten Hopp <karsten@redhat.com> 1.10-31
- use cp -p in spec file to preserve file attributes (#225992)
- add license file
* Fri Aug 24 2007 Karsten Hopp <karsten@redhat.com> 1.10-30
- rebuild
* Fri Feb 23 2007 Karsten Hopp <karsten@redhat.com> 1.10-29
- add CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL (#229833)
* Wed Feb 21 2007 Karsten Hopp <karsten@redhat.com> 1.10-28
- drop obsolete ia64 patch
- rpmlint fixes
* Wed Feb 21 2007 Karsten Hopp <karsten@redhat.com> 1.10-27
- misc. review fixes
- add debian patch to make it build with a recent glibc
- remove static lib
* Wed Jul 19 2006 Karsten Hopp <karsten@redhat.de> 1.10-25
- add patch to support COPTFLAG (#199365)
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.10-24.2.1
- rebuild
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.10-24.2
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.10-24.1
- rebuilt for new gcc4.1 snapshot and glibc changes
* Mon Dec 19 2005 Karsten Hopp <karsten@redhat.de> 1.10-24
- added development manpages
- as there are no manpages for the executables available, added at least
a FAQ (#172324)
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Mon Oct 31 2005 Steve Grubb <sgrubb@redhat.com> 1.10-23
- rebuild to pick up audit capabilities
* Wed Mar 02 2005 Karsten Hopp <karsten@redhat.de> 1.10-22
- build with gcc-4
* Wed Feb 09 2005 Karsten Hopp <karsten@redhat.de> 1.10-21
- rebuilt
* Tue Aug 31 2004 Phil Knirsch <pknirsch@redhat.com> 1.10-20
- Fix wrong typedef in userland patch (#98801)
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Tue Jan 27 2004 Karsten Hopp <karsten@redhat.de> 1.10-17
- use _manpath
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
- rebuilt
* Sat Jan 4 2003 Jeff Johnson <jbj@redhat.com> 1.10-14
- set execute bits on library so that requires are generated.
* Thu Nov 21 2002 Mike A. Harris <mharris@redhat.com> 1.10-13
- Removed %%name macro sillyness from package Summary, description text, etc.
- Removed archaic Prefix: tag
- lib64 fixes everywhere to use _lib, _libdir, etc
- Removed deletion of RPM_BUILD_DIR from %%clean section
- Added -q flag to setup macro
- Severely cleaned up spec file, and removed usage of perl
* Fri Jul 19 2002 Jakub Jelinek <jakub@redhat.com> 1.10-12
- CFLAGS was using COPTFLAG variable, not COPTFLAGS
- build with -fpic
- apply the IA-64 patch everywhere, use capget/capset from glibc,
not directly as _syscall (as it is broken on IA-32 with -fpic)
- reenable alpha
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Wed May 29 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.10-10
- Exclude alpha for now, apparent gcc bug.
* Fri Nov 9 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.10-6
- Fix sys/capabilities.h header (#55727)
- Move to /lib, some applications seem to be using this rather early
(#55733)
* Mon Jul 16 2001 Trond Eivind Glomsrød <teg@redhat.com>
- Add post,postun scripts
* Tue Jul 10 2001 Jakub Jelinek <jakub@redhat.com>
- don't build libcap.so.1 with ld -shared, but gcc -shared
* Wed Jun 20 2001 Trond Eivind Glomsrød <teg@redhat.com>
- Rebuild - it was missing for alpha
* Wed Jun 06 2001 Florian La Roche <Florian.LaRoche@redhat.de>
- add s390/s390x support
* Thu May 17 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.10-1
- initial RPM
- fix build on ia64
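
Review bot: In %files, %{_sbindir}/* and %{_mandir}/man8/* are wildcards, so any program a later upstream release installs into sbin is shipped without showing up in a spec diff; for a package whose tools manipulate privileges, list the installed programs by name. In %install, getpcaps.8 is copied with cp -f although the 1.10-31 changelog entry says the spec uses cp -p to preserve file attributes; install -p -m 0644 %{SOURCE1} would also state the mode explicitly. The changelog carries two entries labelled 2.22-5 (Tue May 14 2013 and Sun Feb 24 2013).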

sources

@ -0,0 +1 @@
SHA512 (libcap-2.26.tar.gz) = 4a0bfbc1c3efb009a309d9b894aa553009a229323da4780caa424bd70d0579d6b156e2034bc4dee8dc3b2caaf8617a18c74a01095a4c2a8fbe732e5e8a304603


@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/libcap/Sanity/capsh-basic-functionality
# Description: tests basic functionality
# Author: Karel Srot <ksrot@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/libcap/Sanity/capsh-basic-functionality
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: tests basic functionality" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: libcap" >> $(METADATA)
@echo "Requires: libcap" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)
rhts-lint $(METADATA)
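
Review bot: The generated metadata declares only "Requires: libcap", but runtest.sh in this commit calls ping, useradd, userdel and su, so on a minimal image the test can fail for reasons unrelated to libcap; add the packages that provide those commands as further Requires lines. The .PHONY line names all, install and download, none of which are defined in this Makefile, and omits run and build, which are. "Destructive: no" is also worth a second look given that the test creates and deletes a system user.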


@ -0,0 +1,3 @@
PURPOSE of /CoreOS/libcap/Sanity/capsh-basic-functionality
Description: tests basic functionality
Author: Karel Srot <ksrot@redhat.com>


@ -0,0 +1,123 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/libcap/Sanity/capsh-basic-functionality
# Description: tests basic functionality
# Author: Karel Srot <ksrot@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="libcap"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "useradd -m libcap_tester"
rlPhaseEnd
rlPhaseStartTest "Remove the listed capabilities from the prevailing bounding set"
rlRun -s "capsh --drop=cap_net_raw -- -c 'getpcaps \$\$'"
rlAssertGrep "Capabilities for" $rlRun_LOG
rlAssertNotGrep cap_net_raw $rlRun_LOG
rlRun -s "capsh --drop=cap_net_raw -- -c 'ping localhost -c 1'" 2,126 "Ping without cap_net_raw shoud fail"
rlAssertGrep "Operation not permitted" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Set the prevailing process capabilities"
rlRun -s "capsh --caps=cap_chown+p --print"
rlAssertGrep "Current: = cap_chown+p" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Set the inheritable set of capabilities"
rlRun -s "capsh --inh=cap_chown --print"
rlRun "grep 'Current: = ' $rlRun_LOG | grep 'cap_chown+eip'"
rlRun -s "capsh --inh=cap_chown -- -c 'getpcaps \$\$' 2>&1"
rlAssertGrep "cap_chown+eip" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Assume the identity of the user nobody"
USERID=`id -u nobody`
GROUPID=`id -g nobody`
rlRun -s "capsh --user=nobody -- -c 'id'"
rlAssertGrep "uid=$USERID(nobody) gid=$GROUPID(nobody) groups=$GROUPID(nobody)" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Force all uid values to equal to nobody"
rlRun -s "capsh --uid=$USERID -- -c 'id'"
rlAssertGrep "uid=$USERID(nobody) gid=0(root) groups=0(root)" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Force all gid values to equal to nobody"
rlRun -s "capsh --gid=$GROUPID -- -c 'id'"
rlAssertGrep "uid=0(root) gid=$GROUPID(nobody)" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Set the supplementary groups"
GROUP2ID=`id -g daemon`
rlRun -s "capsh --groups=${GROUPID},${GROUP2ID} -- -c id"
rlAssertGrep "uid=0(root) gid=0(root) groups=0(root),${GROUP2ID}(daemon),${GROUPID}(nobody)" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Permit the process to retain its capabilities after a setuid"
CURRENT=`capsh --print | grep 'Current:' | cut -d '+' -f 1`
rlRun -s "capsh --keep=0 --uid=$USERID --print"
rlAssertGrep 'Current: =$' $rlRun_LOG -E
rlRun -s "capsh --keep=1 --uid=$USERID --print"
rlAssertGrep "$CURRENT" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Decode capabilities"
rlRun "CODE=$( cat /proc/$$/status | awk '/CapEff/ { print $2 }' )"
rlRun "DECODE=$( capsh --decode=$CODE | cut -d '=' -f 2 )"
rlRun "capsh --print | grep 'Current: = $DECODE'"
rlPhaseEnd
rlPhaseStartTest "Verify the existence of a capability on the system"
rlRun "capsh --supports=cap_net_raw"
rlRun -s "capsh --supports=cap_foo_bar" 1
rlAssertGrep "cap\[cap_foo_bar\] not recognized by library" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Verify exit code for unsupported option"
rlRun "capsh --foo bar" 1
rlPhaseEnd
rlPhaseStartTest "Run as a regular user"
USERID=`id -u libcap_tester`
rlRun -s "su - libcap_tester -c 'capsh --print'"
rlAssertGrep "Current: =\$" $rlRun_LOG -E
rlAssertGrep "uid=$USERID(libcap_tester)" $rlRun_LOG
rlPhaseEnd
rlPhaseStartCleanup
rlRun "userdel -r libcap_tester"
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
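
Review bot: In the "Decode capabilities" phase, the `$( ... )` substitutions on the `CODE=` and `DECODE=` lines sit inside double quotes, so the calling shell runs both pipelines before rlRun receives the string; rlRun then evaluates a bare assignment and records success even when `capsh --decode` fails. If DECODE comes back empty, the last check reduces to `grep 'Current: = '`, which matches any `capsh --print` output, so the phase passes without comparing anything. Run the pipelines outside rlRun, assert that CODE and DECODE are non-empty, and compare with `grep -F`. Minor: "shoud" in the ping phase message should read "should".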

View File

@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test
# Description: basic functionality test for pam_cap.so module
# Author: Karel Srot <ksrot@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/libcap/Sanity/pam_cap-so-sanity-test
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: basic functionality test for pam_cap.so module" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: libcap" >> $(METADATA)
@echo "Requires: libcap" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)
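
Review bot: The `Destructive: no` metadata line does not match what this test's runtest.sh does: it prepends a rule to /etc/pam.d/su, overwrites /etc/security/capability.conf and creates two local users. Mark the test accordingly, or state in PURPOSE why the backup and restore makes it safe on a shared host. `Requires: libcap` is also incomplete, since the script calls su and useradd.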

View File

@ -0,0 +1,5 @@
PURPOSE of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test
Description: basic functionality test for pam_cap.so module
Author: Karel Srot <ksrot@redhat.com>
Test if a test user can be granted capabilities via pam_cap.so module.

View File

@ -0,0 +1,63 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/libcap/Sanity/pam_cap-so-sanity-test
# Description: basic functionality test for pam_cap.so module
# Author: Karel Srot <ksrot@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="libcap"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "useradd -m pam_cap_user"
rlRun "useradd -m pam_cap_user2"
rlFileBackup /etc/pam.d/su
[ -f /etc/security/capability.conf ] && rlFileBackup /etc/security/capability.conf
rlRun "echo -e 'cap_net_raw pam_cap_user\nnone *' > /etc/security/capability.conf"
rlRun "sed '1 s/^/auth required pam_cap.so/' -i /etc/pam.d/su" 0 "Configure pam_cap.so in /etc/pam.d/su"
rlPhaseEnd
rlPhaseStartTest
rlRun "su - pam_cap_user -c 'getpcaps \$\$' &> user1.log"
rlAssertGrep "Capabilities for.* = cap_net_raw" user1.log -E
rlRun "su - pam_cap_user2 -c 'getpcaps \$\$' &> user2.log"
rlAssertNotGrep "cap_net_raw" user2.log
rlPhaseEnd
rlPhaseStartCleanup
rlRun "userdel -r pam_cap_user"
rlRun "userdel -r pam_cap_user2"
rlFileRestore
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
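
Review bot: On the `sed '1 s/^/auth required pam_cap.so/' -i /etc/pam.d/su` line in the setup phase, the replacement text has no trailing newline, so the new rule is glued onto whatever line 1 of /etc/pam.d/su already contains instead of becoming its own line; whether PAM still parses it depends on that existing first line. Insert a separate line instead, for example GNU sed's `1i auth required pam_cap.so`. Separately, when /etc/security/capability.conf does not exist beforehand it is never backed up, so rlFileRestore leaves the file written by the test, including the `cap_net_raw pam_cap_user` grant, on the system; use `rlFileBackup --clean` or remove the file explicitly in cleanup.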

View File

@ -0,0 +1,65 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition
# Description: Test for BZ#1425490 (Missing libcap.pc)
# Author: Karel Srot <ksrot@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for BZ#1425490 (Missing libcap.pc)" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: libcap" >> $(METADATA)
@echo "Requires: libcap libcap-devel pkgconfig" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Bug: 1425490" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)
rhts-lint $(METADATA)

View File

@ -0,0 +1,7 @@
PURPOSE of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition
Description: Test for BZ#1425490 (Missing libcap.pc)
Author: Karel Srot <ksrot@redhat.com>
Bug summary: Missing libcap.pc
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1425490
Checking the presence and sanity of the libcap.pc file.

View File

@ -0,0 +1,62 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/libcap/Sanity/pkg-config-libcap-pc-addition
# Description: Test for BZ#1425490 (Missing libcap.pc)
# Author: Karel Srot <ksrot@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="libcap"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlPhaseEnd
rlPhaseStartTest
rlRun "rpm -ql libcap-devel | grep libcap.pc" 0 "There must be libcap.pc"
if [ $? -eq 0 ]; then
PCFILE=$(rpm -ql libcap-devel | grep libcap.pc)
rlRun "pkg-config --libs libcap | grep -- '-lcap'"
VER=$(awk '/Version:/ { print $2 }' $PCFILE | tail -1)
rlRun "pkg-config --modversion libcap | grep $VER"
rlRun -s "pkg-config --print-variables libcap"
rlAssertGrep "^prefix" $rlRun_LOG
rlAssertGrep "^exec_prefix" $rlRun_LOG
rlAssertGrep "^libdir" $rlRun_LOG
rlAssertGrep "^includedir" $rlRun_LOG
fi
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
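
Review bot: In `rlRun "pkg-config --modversion libcap | grep $VER"`, $VER is unquoted and treated as a regular expression, so each dot matches any character and a substring hit is enough for the check to pass. Compare exactly, with `grep -Fx` and a quoted value. The two `grep libcap.pc` filters have the same problem and can return more than one path into PCFILE; anchor them, e.g. `grep '/libcap\.pc$'`, and quote "$PCFILE" in the awk call.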

View File

@ -0,0 +1,46 @@
# SPDX-License-Identifier: LGPL-2.1+
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/libcap
# Description: Test if libcap working ok
# Author: Susant Sahani<susant@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/libcap
export TESTVERSION=1.0
OBJS = test-libcap.c
CFLAG = -Wall -g3
CC = gcc
LIBS = -lcap -lcmocka
test-libcap:${OBJ}
${CC} ${CFLAGS} ${INCLUDES} -o $@ ${OBJS} ${LIBS}
run: test-libcap
./runtest.sh
clean:
-rm -f *~ test-libcap
.c.o:
${CC} ${CFLAGS} ${INCLUDES} -c $<
CC = gcc
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Susant Sahani<susant@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test libcap works ok" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: libcap" >> $(METADATA)
@echo "Requires: libcap libcap-devel" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -Fedora 29" >> $(METADATA)
rhts-lint $(METADATA)
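
Review bot: The build rule never uses the variables defined above it: the flags are assigned to `CFLAG` but the recipes expand `${CFLAGS}`, so `-Wall -g3` is not passed to gcc, and the prerequisite is `${OBJ}` while the source list is in `OBJS`, so test-libcap has no prerequisites and is not rebuilt when test-libcap.c changes. Rename to `CFLAGS` and `${OBJS}` (or better, name the variable SRCS since it holds a .c file). `CC = gcc` is assigned twice, and `Requires: libcap libcap-devel` omits cmocka and gcc although `LIBS` links `-lcmocka`.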

34
tests/sanity-tests/runtest.sh Executable file
View File

@ -0,0 +1,34 @@
#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# runtest.sh of libcap
# Description: Tests for libcap
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="libcap"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "cp test-libcap /usr/bin/"
rlPhaseEnd
rlPhaseStartTest
rlLog "Starting libcap tests ..."
rlRun "/usr/bin/test-libcap"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm /usr/bin/test-libcap"
rlLog "libcap tests done"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
rlGetTestState
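
Review bot: The setup phase copies test-libcap into /usr/bin and the test phase runs it from there, which places a test binary in a system path for no visible reason and leaves it behind if the run is interrupted before cleanup; run `./test-libcap` from the test directory instead. The script also assumes the binary already exists: only the Makefile's `run: test-libcap` rule builds it, so invoking runtest.sh directly fails at the cp.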

View File

@ -0,0 +1,52 @@
/*
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# Description: libcap tests
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <setjmp.h>
#include <inttypes.h>
#include <cmocka.h>
#include <sys/capability.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>
void drop_cap(cap_value_t capflag) {
cap_t d;
d = cap_get_proc();
assert_non_null(d);
assert_return_code(cap_set_flag(d, CAP_EFFECTIVE, 1, &capflag, CAP_CLEAR), 0);
assert_return_code(cap_set_flag(d, CAP_PERMITTED, 1, &capflag, CAP_CLEAR), 0);
assert_return_code(cap_set_proc(d), 0);
}
void test_drop_cap_net_raw(void **state) {
int s;
assert_true((s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP)) >= 0);
close(s);
drop_cap(CAP_NET_RAW);
assert_false((s = socket(PF_INET, SOCK_RAW, IPPROTO_UDP)) >= 0);
}
int main(int argc, char *argv[]) {
const struct CMUnitTest libcap_tests[] = {
cmocka_unit_test(test_drop_cap_net_raw),
};
return cmocka_run_group_tests(libcap_tests, NULL, NULL);
}
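
Review bot: In test_drop_cap_net_raw the final `assert_false((s = socket(PF_INET, SOCK_RAW, IPPROTO_UDP)) >= 0)` passes on any socket() failure, not only the one that dropping CAP_NET_RAW should cause; errno.h is already included, so also assert `errno == EPERM`. drop_cap() never releases the cap_t returned by cap_get_proc(); add `cap_free(d)` after cap_set_proc(). The first assertion needs CAP_NET_RAW to begin with, so an unprivileged run fails rather than skips. Minor: netinet/in.h is included twice, sys/socket.h is not included directly, AF_INET and PF_INET are mixed, and cmocka's documented prerequisites stdarg.h and stddef.h are missing before cmocka.h.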

View File

@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality
# Description: test basic functionality
# Author: Karel Srot <ksrot@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/libcap/Sanity/setcap-getcap-basic-functionality
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: test basic functionality" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: libcap" >> $(METADATA)
@echo "Requires: libcap" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)

View File

@ -0,0 +1,3 @@
PURPOSE of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality
Description: test basic functionality
Author: Karel Srot <ksrot@redhat.com>

View File

@ -0,0 +1,98 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/libcap/Sanity/setcap-getcap-basic-functionality
# Description: test basic functionality
# Author: Karel Srot <ksrot@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="libcap"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "mkdir mydir && touch file1 mydir/file2 mydir/file3"
rlPhaseEnd
rlPhaseStartTest "set and get capabilities"
rlRun "setcap cap_net_admin+p file1 cap_net_raw+ei mydir/file2"
rlRun -s "getcap file1 mydir/file2"
rlAssertGrep "file1 = cap_net_admin+p" $rlRun_LOG
rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "set capabilities via stdin"
rlRun "echo -e 'cap_net_raw+p\ncap_net_admin+p' > input"
rlRun -s "setcap - mydir/file3 < input"
rlAssertGrep "Please enter caps for file \[empty line to end\]:" $rlRun_LOG
rlRun "getcap mydir/file3 | grep 'mydir/file3 = cap_net_admin,cap_net_raw+p'"
rlPhaseEnd
rlPhaseStartTest "set capabilities quietly via stdin"
rlRun "echo -e 'cap_net_raw+p' > input"
rlRun -s "setcap -q - mydir/file3 < input"
rlAssertNotGrep "Please enter caps for file" $rlRun_LOG
rlRun "getcap mydir/file3 | grep 'mydir/file3 = cap_net_raw+p'"
rlPhaseEnd
rlPhaseStartTest "remove capabilities"
rlRun "setcap -r mydir/file3"
rlRun "getcap | grep file3" 1 "There should be no capabilities listed for file1"
rlPhaseEnd
rlPhaseStartTest "listing capabilities recursively"
rlRun -s "getcap -r *"
rlAssertGrep "file1 = cap_net_admin+p" $rlRun_LOG
rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "listing capabilities verbosely"
rlRun -s "getcap -v mydir/*"
rlAssertGrep "mydir/file2 = cap_net_raw+ei" $rlRun_LOG
rlAssertGrep "mydir/file3\$" $rlRun_LOG -E
rlPhaseEnd
rlPhaseStartTest "print help"
rlRun "setcap -h | grep 'usage: setcap'" 1
rlRun "getcap -h | grep 'usage: getcap'" 1
rlPhaseEnd
rlPhaseStartTest "exit with 1 on error"
rlRun -s "setcap foo bar" 1
rlAssertGrep "fatal error: Invalid argument" $rlRun_LOG
rlRun -s "getcap -f oo" 1
rlAssertGrep "getcap: invalid option -- 'f'" $rlRun_LOG
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
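
Review bot: In the "remove capabilities" phase, `rlRun "getcap | grep file3" 1` calls getcap with no file argument, so grep finds nothing whether or not `setcap -r` worked and the check cannot fail; pass the path (`getcap mydir/file3`) and fix the message, which names file1 instead of file3. In "print help", both lines expect grep to exit 1, which asserts that the usage text is absent from stdout; if the intent is to verify that help is printed, capture the output with `rlRun -s` and use rlAssertGrep on $rlRun_LOG.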

28
tests/tests.yml Normal file
View File

@ -0,0 +1,28 @@
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
- container
tests:
- sanity-tests
- pam_cap-so-sanity-test
- setcap-getcap-basic-functionality
required_packages:
- libcap # libcap package required for all tests
- libcap-devel
- libcmocka
- libcmocka-devel
- gcc
- iputils # ping command required for capsh-basic-functionality
# Tests that run in atomic
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- atomic
tests:
- capsh-basic-functionality
- pam_cap-so-sanity-test
- setcap-getcap-basic-functionality
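
Review bot: The first play's `tests:` list omits capsh-basic-functionality even though the `iputils` entry is commented as required for it, so that test only runs under the atomic tag; pkg-config-libcap-pc-addition, added in this same commit, appears in neither play and will never be scheduled. The atomic play also declares no required_packages while its tests call ping, su and useradd. Add the missing tests to the appropriate plays and give the atomic play its own package list, or document why the omissions are intended.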