author | Sean Whitton <spwhitton@spwhitton.name> | 2021-11-03 14:32:39 -0700 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-11-04 12:19:00 -0700 |
commit | 9d857f62af05ff2f9a4ec22f1cfacecf071b668a (patch) | |
tree | d405328773cdc2336089d1ef15d53a68933c1ee3 /src | |
parent | 2c9bf3e94369e6576ea576eaa82970a8128a59f5 (diff) | |
download | consfigurator-9d857f62af05ff2f9a4ec22f1cfacecf071b668a.tar.gz |
add CAPABILITY-P and grovel for some Linux capability constants
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat (limited to 'src')
-rw-r--r-- | src/libcap.lisp | 57 | ||||
-rw-r--r-- | src/package.lisp | 47 | ||||
-rw-r--r-- | src/property/package.lisp | 2 | ||||
-rw-r--r-- | src/util/posix1e.lisp | 28 |
4 files changed, 132 insertions, 2 deletions
diff --git a/src/libcap.lisp b/src/libcap.lisp
new file mode 100644
index 0000000..96f850e
--- /dev/null
+++ b/src/libcap.lisp
@@ -0,0 +1,57 @@
+(in-package :consfigurator.util.posix1e)
+
+(include "sys/capability.h")
+
+(ctype cap_t "cap_t")
+(ctype cap_value_t "cap_value_t")
+
+(cenum cap_flag_t
+ ((:cap-effective "CAP_EFFECTIVE"))
+ ((:cap-permitted "CAP_PERMITTED"))
+ ((:cap-inheritable "CAP_INHERITABLE")))
+(cenum cap_flag_value_t ((:cap-set "CAP_SET")) ((:cap-clear "CAP_CLEAR")))
+
+(constant (+CAP-CHOWN+ "CAP_CHOWN"))
+(constant (+CAP-DAC-OVERRIDE+ "CAP_DAC_OVERRIDE"))
+(constant (+CAP-DAC-READ-SEARCH+ "CAP_DAC_READ_SEARCH"))
+(constant (+CAP-FOWNER+ "CAP_FOWNER"))
+(constant (+CAP-FSETID+ "CAP_FSETID"))
+(constant (+CAP-KILL+ "CAP_KILL"))
+(constant (+CAP-SETGID+ "CAP_SETGID"))
+(constant (+CAP-SETUID+ "CAP_SETUID"))
+
+#+linux
+(progn
+ (constant (+CAP-SETPCAP+ "CAP_SETPCAP"))
+ (constant (+CAP-LINUX-IMMUTABLE+ "CAP_LINUX_IMMUTABLE"))
+ (constant (+CAP-NET-BIND-SERVICE+ "CAP_NET_BIND_SERVICE"))
+ (constant (+CAP-NET-BROADCAST+ "CAP_NET_BROADCAST"))
+ (constant (+CAP-NET-ADMIN+ "CAP_NET_ADMIN"))
+ (constant (+CAP-NET-RAW+ "CAP_NET_RAW"))
+ (constant (+CAP-IPC-LOCK+ "CAP_IPC_LOCK"))
+ (constant (+CAP-IPC-OWNER+ "CAP_IPC_OWNER"))
+ (constant (+CAP-SYS-MODULE+ "CAP_SYS_MODULE"))
+ (constant (+CAP-SYS-RAWIO+ "CAP_SYS_RAWIO"))
+ (constant (+CAP-SYS-CHROOT+ "CAP_SYS_CHROOT"))
+ (constant (+CAP-SYS-PTRACE+ "CAP_SYS_PTRACE"))
+ (constant (+CAP-SYS-PACCT+ "CAP_SYS_PACCT"))
+ (constant (+CAP-SYS-ADMIN+ "CAP_SYS_ADMIN"))
+ (constant (+CAP-SYS-BOOT+ "CAP_SYS_BOOT"))
+ (constant (+CAP-SYS-NICE+ "CAP_SYS_NICE"))
+ (constant (+CAP-SYS-RESOURCE+ "CAP_SYS_RESOURCE"))
+ (constant (+CAP-SYS-TIME+ "CAP_SYS_TIME"))
+ (constant (+CAP-SYS-TTY-CONFIG+ "CAP_SYS_TTY_CONFIG"))
+ (constant (+CAP-MKNOD+ "CAP_MKNOD"))
+ (constant (+CAP-LEASE+ "CAP_LEASE"))
+ (constant (+CAP-AUDIT-WRITE+ "CAP_AUDIT_WRITE"))
+ (constant (+CAP-AUDIT-CONTROL+ "CAP_AUDIT_CONTROL"))
+ (constant (+CAP-SETFCAP+ "CAP_SETFCAP"))
+ (constant (+CAP-MAC-OVERRIDE+ "CAP_MAC_OVERRIDE"))
+ (constant (+CAP-MAC-ADMIN+ "CAP_MAC_ADMIN"))
+
(constant (+CAP-SYSLOG+ "CAP_SYSLOG")) + (constant (+CAP-WAKE-ALARM+ "CAP_WAKE_ALARM")) + (constant (+CAP-BLOCK-SUSPEND+ "CAP_BLOCK_SUSPEND")) + (constant (+CAP-AUDIT-READ+ "CAP_AUDIT_READ")) + (constant (+CAP-PERFMON+ "CAP_PERFMON")) + (constant (+CAP-BPF+ "CAP_BPF")) + (constant (+CAP-CHECKPOINT-RESTORE+ "CAP_CHECKPOINT_RESTORE"))) diff --git a/src/package.lisp b/src/package.lisp index 08fd65e..6be40e0 100644 --- a/src/package.lisp +++ b/src/package.lisp @@ -343,7 +343,52 @@ #:acl-get-entry #:acl-get-tag-type #:acl-get-qualifier - #:acl-set-qualifier)) + #:acl-set-qualifier + + #:+CAP-CHOWN+ + #:+CAP-DAC-OVERRIDE+ + #:+CAP-DAC-READ-SEARCH+ + #:+CAP-FOWNER+ + #:+CAP-FSETID+ + #:+CAP-KILL+ + #:+CAP-SETGID+ + #:+CAP-SETUID+ + + #:+CAP-SETPCAP+ + #:+CAP-LINUX-IMMUTABLE+ + #:+CAP-NET-BIND-SERVICE+ + #:+CAP-NET-BROADCAST+ + #:+CAP-NET-ADMIN+ + #:+CAP-NET-RAW+ + #:+CAP-IPC-LOCK+ + #:+CAP-IPC-OWNER+ + #:+CAP-SYS-MODULE+ + #:+CAP-SYS-RAWIO+ + #:+CAP-SYS-CHROOT+ + #:+CAP-SYS-PTRACE+ + #:+CAP-SYS-PACCT+ + #:+CAP-SYS-ADMIN+ + #:+CAP-SYS-BOOT+ + #:+CAP-SYS-NICE+ + #:+CAP-SYS-RESOURCE+ + #:+CAP-SYS-TIME+ + #:+CAP-SYS-TTY-CONFIG+ + #:+CAP-MKNOD+ + #:+CAP-LEASE+ + #:+CAP-AUDIT-WRITE+ + #:+CAP-AUDIT-CONTROL+ + #:+CAP-SETFCAP+ + #:+CAP-MAC-OVERRIDE+ + #:+CAP-MAC-ADMIN+ + #:+CAP-SYSLOG+ + #:+CAP-WAKE-ALARM+ + #:+CAP-BLOCK-SUSPEND+ + #:+CAP-AUDIT-READ+ + #:+CAP-PERFMON+ + #:+CAP-BPF+ + #:+CAP-CHECKPOINT-RESTORE+ + + #:capability-p)) (defpackage :consfigurator.property.cmd (:use #:cl #:consfigurator) diff --git a/src/property/package.lisp b/src/property/package.lisp index 91b2aef..4548056 100644 --- a/src/property/package.lisp +++ b/src/property/package.lisp @@ -19,7 +19,7 @@ (named-readtables:in-readtable :consfigurator) (defparameter *consfigurator-system-dependencies* - '(:apt ("build-essential" "libacl1-dev"))) + '(:apt ("build-essential" "libacl1-dev" "libcap-dev"))) (defgeneric %command (package-manager) (:documentation 
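Review bot: In src/libcap.lisp the last constants of the `#+linux` block (`+CAP-PERFMON+`, `+CAP-BPF+`, `+CAP-CHECKPOINT-RESTORE+`) are recent additions to the kernel headers, so groveling this file will presumably fail on a host whose `sys/capability.h` and kernel headers predate them. cffi-grovel accepts `:optional t` on a `constant` form, e.g. `(constant (+CAP-BPF+ "CAP_BPF") :optional t)`, which lets the build complete and leaves only that constant undefined. The export list added in src/package.lisp names every one of these symbols unconditionally, so on such a host, or on a non-Linux one where the whole `progn` is skipped, a caller would hit an unbound variable rather than a clear error. A comment above `#+linux` such as `;; The eight constants above are the POSIX-draft capabilities; the rest are Linux-specific.` would also explain why only part of the file is guarded.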
diff --git a/src/util/posix1e.lisp b/src/util/posix1e.lisp index 05525ab..2166921 100644 --- a/src/util/posix1e.lisp +++ b/src/util/posix1e.lisp @@ -18,6 +18,8 @@ (in-package :consfigurator.util.posix1e) (named-readtables:in-readtable :consfigurator) +;;;; POSIX ACLs + (define-foreign-library libacl (t (:default "libacl"))) (use-foreign-library libacl) @@ -57,3 +59,29 @@ (defun acl-get-qualifier (entry-d type) (with-acl-free (qualifier-p (%acl-get-qualifier entry-d)) (mem-ref qualifier-p type))) + + +;;;; Capabilities + +(define-foreign-library libcap (:linux (:default "libcap"))) + +(use-foreign-library libcap) + +(define-error-retval-cfun () "cap_free" :int (obj_d :pointer)) + +(define-error-retval-cfun (:failure-val (null-pointer)) + "cap_get_proc" :pointer) + +(define-error-retval-cfun () + "cap_get_flag" :int + (cap-p :pointer) (cap cap_value_t) (flag cap_flag_t) (value-p :pointer)) + +(defun capability-p (set &rest capabilities) + "Does the current thread have each of CAPABILITIES in SET?" + (let ((cap-opaque (cap-get-proc))) + (unwind-protect + (with-foreign-object (value-p 'cap_flag_value_t) + (loop for capability in capabilities + do (cap-get-flag cap-opaque capability set value-p) + always (eql :cap-set (mem-ref value-p 'cap_flag_value_t)))) + (cap-free cap-opaque)))) |
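Review bot: `capability-p` returns true when CAPABILITIES is empty, because `loop ... always` over no elements yields T, so a caller that builds the list dynamically and gates a privileged action on the result gets a yes for having checked nothing. Either reject the empty case at the top of the function, `(assert capabilities () "CAPABILITY-P needs at least one capability")`, or state the behaviour in the docstring. The docstring should also say that SET is one of `:cap-effective`, `:cap-permitted` or `:cap-inheritable` and that each capability is one of the groveled `+CAP-...+` constants. How a failing `cap_get_flag` is reported depends on `define-error-retval-cfun`, which is defined outside this hunk, so it is worth confirming that it signals before `value-p` is read.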