aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSean Whitton <spwhitton@spwhitton.name>2021-11-03 14:32:39 -0700
committerSean Whitton <spwhitton@spwhitton.name>2021-11-04 12:19:00 -0700
commit9d857f62af05ff2f9a4ec22f1cfacecf071b668a (patch)
treed405328773cdc2336089d1ef15d53a68933c1ee3
parent2c9bf3e94369e6576ea576eaa82970a8128a59f5 (diff)
downloadconsfigurator-9d857f62af05ff2f9a4ec22f1cfacecf071b668a.tar.gz
add CAPABILITY-P and grovel for some Linux capability constants
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat
-rw-r--r--consfigurator.asd1
-rw-r--r--debian/changelog2
-rw-r--r--debian/control2
-rw-r--r--doc/introduction.rst3
-rw-r--r--src/libcap.lisp57
-rw-r--r--src/package.lisp47
-rw-r--r--src/property/package.lisp2
-rw-r--r--src/util/posix1e.lisp28
8 files changed, 138 insertions, 4 deletions
diff --git a/consfigurator.asd b/consfigurator.asd
index 1539b9b..3501dc1 100644
--- a/consfigurator.asd
+++ b/consfigurator.asd
@@ -24,6 +24,7 @@
(:file "src/reader")
(:cffi-grovel-file "src/libc")
(:cffi-grovel-file "src/libacl")
+ (:cffi-grovel-file "src/libcap" :if-feature :linux)
(:file "src/util")
(:file "src/util/posix1e")
(:file "src/connection")
diff --git a/debian/changelog b/debian/changelog
index f4df5e8..841e0a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
consfigurator (0.12.0-1) UNRELEASED; urgency=medium
* New upstream release.
- * Add deps and build-deps on cl-bordeaux-threads and libacl1-dev.
+ * Add deps and build-deps on cl-bordeaux-threads, libacl1-dev and libcap-dev.
* Add ${sphinxdoc:Built-Using} to Built-Using.
* Run 'wrap-and-sort -abst'.
diff --git a/debian/control b/debian/control
index bb1bc64..a1a6af3 100644
--- a/debian/control
+++ b/debian/control
@@ -19,6 +19,7 @@ Build-Depends:
debhelper-compat (= 13),
dh-elpa,
libacl1-dev,
+ libcap-dev,
python3-sphinx,
python3-sphinx-rtd-theme,
sbcl,
@@ -48,6 +49,7 @@ Depends:
cl-trivial-backtrace,
emacsen-common,
libacl1-dev,
+ libcap-dev,
${misc:Depends},
Recommends:
emacs,
diff --git a/doc/introduction.rst b/doc/introduction.rst
index 1af6cf3..cc961ee 100644
--- a/doc/introduction.rst
+++ b/doc/introduction.rst
@@ -297,7 +297,8 @@ Portability and stability
- As both Consfigurator and its dependency Osicat make use of CFFI-Grovel,
loading Consfigurator into Lisp currently always additionally requires a C
- toolchain, and development headers for libacl. It might be possible to
+ toolchain, and development headers for libacl. On GNU/Linux, development
+ headers for libcap are also required. It might be possible to
conditionalise further so as to avoid any dependency on a C toolchain for
the root Lisp.
diff --git a/src/libcap.lisp b/src/libcap.lisp
new file mode 100644
index 0000000..96f850e
--- /dev/null
+++ b/src/libcap.lisp
@@ -0,0 +1,57 @@
+(in-package :consfigurator.util.posix1e)
+
+(include "sys/capability.h")
+
+(ctype cap_t "cap_t")
+(ctype cap_value_t "cap_value_t")
+
+(cenum cap_flag_t
+ ((:cap-effective "CAP_EFFECTIVE"))
+ ((:cap-permitted "CAP_PERMITTED"))
+ ((:cap-inheritable "CAP_INHERITABLE")))
+(cenum cap_flag_value_t ((:cap-set "CAP_SET")) ((:cap-clear "CAP_CLEAR")))
+
+(constant (+CAP-CHOWN+ "CAP_CHOWN"))
+(constant (+CAP-DAC-OVERRIDE+ "CAP_DAC_OVERRIDE"))
+(constant (+CAP-DAC-READ-SEARCH+ "CAP_DAC_READ_SEARCH"))
+(constant (+CAP-FOWNER+ "CAP_FOWNER"))
+(constant (+CAP-FSETID+ "CAP_FSETID"))
+(constant (+CAP-KILL+ "CAP_KILL"))
+(constant (+CAP-SETGID+ "CAP_SETGID"))
+(constant (+CAP-SETUID+ "CAP_SETUID"))
+
+#+linux
+(progn
+ (constant (+CAP-SETPCAP+ "CAP_SETPCAP"))
+ (constant (+CAP-LINUX-IMMUTABLE+ "CAP_LINUX_IMMUTABLE"))
+ (constant (+CAP-NET-BIND-SERVICE+ "CAP_NET_BIND_SERVICE"))
+ (constant (+CAP-NET-BROADCAST+ "CAP_NET_BROADCAST"))
+ (constant (+CAP-NET-ADMIN+ "CAP_NET_ADMIN"))
+ (constant (+CAP-NET-RAW+ "CAP_NET_RAW"))
+ (constant (+CAP-IPC-LOCK+ "CAP_IPC_LOCK"))
+ (constant (+CAP-IPC-OWNER+ "CAP_IPC_OWNER"))
+ (constant (+CAP-SYS-MODULE+ "CAP_SYS_MODULE"))
+ (constant (+CAP-SYS-RAWIO+ "CAP_SYS_RAWIO"))
+ (constant (+CAP-SYS-CHROOT+ "CAP_SYS_CHROOT"))
+ (constant (+CAP-SYS-PTRACE+ "CAP_SYS_PTRACE"))
+ (constant (+CAP-SYS-PACCT+ "CAP_SYS_PACCT"))
+ (constant (+CAP-SYS-ADMIN+ "CAP_SYS_ADMIN"))
+ (constant (+CAP-SYS-BOOT+ "CAP_SYS_BOOT"))
+ (constant (+CAP-SYS-NICE+ "CAP_SYS_NICE"))
+ (constant (+CAP-SYS-RESOURCE+ "CAP_SYS_RESOURCE"))
+ (constant (+CAP-SYS-TIME+ "CAP_SYS_TIME"))
+ (constant (+CAP-SYS-TTY-CONFIG+ "CAP_SYS_TTY_CONFIG"))
+ (constant (+CAP-MKNOD+ "CAP_MKNOD"))
+ (constant (+CAP-LEASE+ "CAP_LEASE"))
+ (constant (+CAP-AUDIT-WRITE+ "CAP_AUDIT_WRITE"))
+ (constant (+CAP-AUDIT-CONTROL+ "CAP_AUDIT_CONTROL"))
+ (constant (+CAP-SETFCAP+ "CAP_SETFCAP"))
+ (constant (+CAP-MAC-OVERRIDE+ "CAP_MAC_OVERRIDE"))
+ (constant (+CAP-MAC-ADMIN+ "CAP_MAC_ADMIN"))
+ (constant (+CAP-SYSLOG+ "CAP_SYSLOG"))
+ (constant (+CAP-WAKE-ALARM+ "CAP_WAKE_ALARM"))
+ (constant (+CAP-BLOCK-SUSPEND+ "CAP_BLOCK_SUSPEND"))
+ (constant (+CAP-AUDIT-READ+ "CAP_AUDIT_READ"))
+ (constant (+CAP-PERFMON+ "CAP_PERFMON"))
+ (constant (+CAP-BPF+ "CAP_BPF"))
+ (constant (+CAP-CHECKPOINT-RESTORE+ "CAP_CHECKPOINT_RESTORE")))
diff --git a/src/package.lisp b/src/package.lisp
index 08fd65e..6be40e0 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -343,7 +343,52 @@
#:acl-get-entry
#:acl-get-tag-type
#:acl-get-qualifier
- #:acl-set-qualifier))
+ #:acl-set-qualifier
+
+ #:+CAP-CHOWN+
+ #:+CAP-DAC-OVERRIDE+
+ #:+CAP-DAC-READ-SEARCH+
+ #:+CAP-FOWNER+
+ #:+CAP-FSETID+
+ #:+CAP-KILL+
+ #:+CAP-SETGID+
+ #:+CAP-SETUID+
+
+ #:+CAP-SETPCAP+
+ #:+CAP-LINUX-IMMUTABLE+
+ #:+CAP-NET-BIND-SERVICE+
+ #:+CAP-NET-BROADCAST+
+ #:+CAP-NET-ADMIN+
+ #:+CAP-NET-RAW+
+ #:+CAP-IPC-LOCK+
+ #:+CAP-IPC-OWNER+
+ #:+CAP-SYS-MODULE+
+ #:+CAP-SYS-RAWIO+
+ #:+CAP-SYS-CHROOT+
+ #:+CAP-SYS-PTRACE+
+ #:+CAP-SYS-PACCT+
+ #:+CAP-SYS-ADMIN+
+ #:+CAP-SYS-BOOT+
+ #:+CAP-SYS-NICE+
+ #:+CAP-SYS-RESOURCE+
+ #:+CAP-SYS-TIME+
+ #:+CAP-SYS-TTY-CONFIG+
+ #:+CAP-MKNOD+
+ #:+CAP-LEASE+
+ #:+CAP-AUDIT-WRITE+
+ #:+CAP-AUDIT-CONTROL+
+ #:+CAP-SETFCAP+
+ #:+CAP-MAC-OVERRIDE+
+ #:+CAP-MAC-ADMIN+
+ #:+CAP-SYSLOG+
+ #:+CAP-WAKE-ALARM+
+ #:+CAP-BLOCK-SUSPEND+
+ #:+CAP-AUDIT-READ+
+ #:+CAP-PERFMON+
+ #:+CAP-BPF+
+ #:+CAP-CHECKPOINT-RESTORE+
+
+ #:capability-p))
(defpackage :consfigurator.property.cmd
(:use #:cl #:consfigurator)
diff --git a/src/property/package.lisp b/src/property/package.lisp
index 91b2aef..4548056 100644
--- a/src/property/package.lisp
+++ b/src/property/package.lisp
@@ -19,7 +19,7 @@
(named-readtables:in-readtable :consfigurator)
(defparameter *consfigurator-system-dependencies*
- '(:apt ("build-essential" "libacl1-dev")))
+ '(:apt ("build-essential" "libacl1-dev" "libcap-dev")))
(defgeneric %command (package-manager)
(:documentation
diff --git a/src/util/posix1e.lisp b/src/util/posix1e.lisp
index 05525ab..2166921 100644
--- a/src/util/posix1e.lisp
+++ b/src/util/posix1e.lisp
@@ -18,6 +18,8 @@
(in-package :consfigurator.util.posix1e)
(named-readtables:in-readtable :consfigurator)
+;;;; POSIX ACLs
+
(define-foreign-library libacl (t (:default "libacl")))
(use-foreign-library libacl)
@@ -57,3 +59,29 @@
(defun acl-get-qualifier (entry-d type)
(with-acl-free (qualifier-p (%acl-get-qualifier entry-d))
(mem-ref qualifier-p type)))
+
+
+;;;; Capabilities
+
+(define-foreign-library libcap (:linux (:default "libcap")))
+
+(use-foreign-library libcap)
+
+(define-error-retval-cfun () "cap_free" :int (obj_d :pointer))
+
+(define-error-retval-cfun (:failure-val (null-pointer))
+ "cap_get_proc" :pointer)
+
+(define-error-retval-cfun ()
+ "cap_get_flag" :int
+ (cap-p :pointer) (cap cap_value_t) (flag cap_flag_t) (value-p :pointer))
+
+(defun capability-p (set &rest capabilities)
+ "Does the current thread have each of CAPABILITIES in SET?"
+ (let ((cap-opaque (cap-get-proc)))
+ (unwind-protect
+ (with-foreign-object (value-p 'cap_flag_value_t)
+ (loop for capability in capabilities
+ do (cap-get-flag cap-opaque capability set value-p)
+ always (eql :cap-set (mem-ref value-p 'cap_flag_value_t))))
+ (cap-free cap-opaque))))
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-10 14:41:33 +0000