diff --color -ruN a/distcheck.sh b/distcheck.sh --- a/distcheck.sh 1970-01-01 01:00:00.000000000 +0100 +++ b/distcheck.sh 2021-06-10 10:06:19.618284780 +0200 @@ -0,0 +1,13 @@ +#!/bin/bash + +actual=$(wget -o/dev/null -O/dev/stdout https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/linux/capability.h | grep "#define.CAP_LAST_CAP"|awk '{print $3}') +working=$(grep "#define.CAP_LAST_CAP" libcap/include/uapi/linux/capability.h|awk '{print $3}') + +if [[ ${actual} = ${working} ]]; then + echo "up to date with officially named caps" + exit 0 +fi + +echo "want: ${actual}" +echo "have: ${working}" +exit 1 diff --color -ruN a/libcap/include/uapi/linux/capability.h b/libcap/include/uapi/linux/capability.h --- a/libcap/include/uapi/linux/capability.h 2018-09-09 20:06:40.000000000 +0200 +++ b/libcap/include/uapi/linux/capability.h 2021-06-10 10:05:19.729202015 +0200 @@ -331,6 +331,8 @@ #define CAP_AUDIT_CONTROL 30 +/* Set capabilities on files. */ + #define CAP_SETFCAP 31 /* Override MAC access. @@ -366,8 +368,50 @@ #define CAP_AUDIT_READ 37 +/* Allow system performance and observability privileged operations using + * perf_events, i915_perf and other kernel subsystems. */ + +#define CAP_PERFMON 38 + +/* + * CAP_BPF allows the following BPF operations: + * - Creating all types of BPF maps + * - Advanced verifier features + * - Indirect variable access + * - Bounded loops + * - BPF to BPF function calls + * - Scalar precision tracking + * - Larger complexity limits + * - Dead code elimination + * - And potentially other features + * - Loading BPF Type Format (BTF) data + * - Retrieve xlated and JITed code of BPF programs + * - Use bpf_spin_lock() helper + * + * CAP_PERFMON relaxes the verifier checks further: + * - BPF progs can use of pointer-to-integer conversions + * - speculation attack hardening measures are bypassed + * - bpf_probe_read to read arbitrary kernel memory is allowed + * - bpf_trace_printk to print kernel memory is allowed + * + * CAP_SYS_ADMIN is required to use bpf_probe_write_user. + * + * CAP_SYS_ADMIN is required to iterate system wide loaded + * programs, maps, links, BTFs and convert their IDs to file descriptors. + * + * CAP_PERFMON and CAP_BPF are required to load tracing programs. + * CAP_NET_ADMIN and CAP_BPF are required to load networking programs. + */ + +#define CAP_BPF 39 + +/* Allow checkpoint/restore related operations */ +/* Allow PID selection during clone3() */ +/* Allow writing to ns_last_pid */ + +#define CAP_CHECKPOINT_RESTORE 40 -#define CAP_LAST_CAP CAP_AUDIT_READ +#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) diff --color -ruN a/Makefile b/Makefile --- a/Makefile 2018-09-15 23:51:38.000000000 +0200 +++ b/Makefile 2021-06-10 10:07:30.872573023 +0200 @@ -33,7 +33,10 @@ test: all cd progs && sudo ./quicktest.sh -morganrelease: distclean +distcheck: + ./distcheck.sh + +morganrelease: distclean distcheck @echo "sign the tag twice: older DSA key; and newer RSA kernel.org key" git tag -u D41A6DF2 -s libcap-$(VERSION).$(MINOR) -m "This is libcap-$(VERSION).$(MINOR)" git tag -u E2CCF3F4 -s libcap-korg-$(VERSION).$(MINOR) -m "This is libcap-$(VERSION).$(MINOR)"