From 9d857f62af05ff2f9a4ec22f1cfacecf071b668a Mon Sep 17 00:00:00 2001 From: Sean Whitton Date: Wed, 3 Nov 2021 14:32:39 -0700 Subject: add CAPABILITY-P and grovel for some Linux capability constants Signed-off-by: Sean Whitton --- consfigurator.asd | 1 + debian/changelog | 2 +- debian/control | 2 ++ doc/introduction.rst | 3 ++- src/libcap.lisp | 57 +++++++++++++++++++++++++++++++++++++++++++++++ src/package.lisp | 47 +++++++++++++++++++++++++++++++++++++- src/property/package.lisp | 2 +- src/util/posix1e.lisp | 28 +++++++++++++++++++++++ 8 files changed, 138 insertions(+), 4 deletions(-) create mode 100644 src/libcap.lisp diff --git a/consfigurator.asd b/consfigurator.asd index 1539b9b..3501dc1 100644 --- a/consfigurator.asd +++ b/consfigurator.asd @@ -24,6 +24,7 @@ (:file "src/reader") (:cffi-grovel-file "src/libc") (:cffi-grovel-file "src/libacl") + (:cffi-grovel-file "src/libcap" :if-feature :linux) (:file "src/util") (:file "src/util/posix1e") (:file "src/connection") diff --git a/debian/changelog b/debian/changelog index f4df5e8..841e0a8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,7 @@ consfigurator (0.12.0-1) UNRELEASED; urgency=medium * New upstream release. - * Add deps and build-deps on cl-bordeaux-threads and libacl1-dev. + * Add deps and build-deps on cl-bordeaux-threads, libacl1-dev and libcap-dev. * Add ${sphinxdoc:Built-Using} to Built-Using. * Run 'wrap-and-sort -abst'. diff --git a/debian/control b/debian/control index bb1bc64..a1a6af3 100644 --- a/debian/control +++ b/debian/control @@ -19,6 +19,7 @@ Build-Depends: debhelper-compat (= 13), dh-elpa, libacl1-dev, + libcap-dev, python3-sphinx, python3-sphinx-rtd-theme, sbcl, @@ -48,6 +49,7 @@ Depends: cl-trivial-backtrace, emacsen-common, libacl1-dev, + libcap-dev, ${misc:Depends}, Recommends: emacs, diff --git a/doc/introduction.rst b/doc/introduction.rst index 1af6cf3..cc961ee 100644 --- a/doc/introduction.rst +++ b/doc/introduction.rst @@ -297,7 +297,8 @@ Portability and stability - As both Consfigurator and its dependency Osicat make use of CFFI-Grovel, loading Consfigurator into Lisp currently always additionally requires a C - toolchain, and development headers for libacl. It might be possible to + toolchain, and development headers for libacl. On GNU/Linux, development + headers for libcap are also required. It might be possible to conditionalise further so as to avoid any dependency on a C toolchain for the root Lisp. diff --git a/src/libcap.lisp b/src/libcap.lisp new file mode 100644 index 0000000..96f850e --- /dev/null +++ b/src/libcap.lisp @@ -0,0 +1,57 @@ +(in-package :consfigurator.util.posix1e) + +(include "sys/capability.h") + +(ctype cap_t "cap_t") +(ctype cap_value_t "cap_value_t") + +(cenum cap_flag_t + ((:cap-effective "CAP_EFFECTIVE")) + ((:cap-permitted "CAP_PERMITTED")) + ((:cap-inheritable "CAP_INHERITABLE"))) +(cenum cap_flag_value_t ((:cap-set "CAP_SET")) ((:cap-clear "CAP_CLEAR"))) + +(constant (+CAP-CHOWN+ "CAP_CHOWN")) +(constant (+CAP-DAC-OVERRIDE+ "CAP_DAC_OVERRIDE")) +(constant (+CAP-DAC-READ-SEARCH+ "CAP_DAC_READ_SEARCH")) +(constant (+CAP-FOWNER+ "CAP_FOWNER")) +(constant (+CAP-FSETID+ "CAP_FSETID")) +(constant (+CAP-KILL+ "CAP_KILL")) +(constant (+CAP-SETGID+ "CAP_SETGID")) +(constant (+CAP-SETUID+ "CAP_SETUID")) + +#+linux +(progn + (constant (+CAP-SETPCAP+ "CAP_SETPCAP")) + (constant (+CAP-LINUX-IMMUTABLE+ "CAP_LINUX_IMMUTABLE")) + (constant (+CAP-NET-BIND-SERVICE+ "CAP_NET_BIND_SERVICE")) + (constant (+CAP-NET-BROADCAST+ "CAP_NET_BROADCAST")) + (constant (+CAP-NET-ADMIN+ "CAP_NET_ADMIN")) + (constant (+CAP-NET-RAW+ "CAP_NET_RAW")) + (constant (+CAP-IPC-LOCK+ "CAP_IPC_LOCK")) + (constant (+CAP-IPC-OWNER+ "CAP_IPC_OWNER")) + (constant (+CAP-SYS-MODULE+ "CAP_SYS_MODULE")) + (constant (+CAP-SYS-RAWIO+ "CAP_SYS_RAWIO")) + (constant (+CAP-SYS-CHROOT+ "CAP_SYS_CHROOT")) + (constant (+CAP-SYS-PTRACE+ "CAP_SYS_PTRACE")) + (constant (+CAP-SYS-PACCT+ "CAP_SYS_PACCT")) + (constant (+CAP-SYS-ADMIN+ "CAP_SYS_ADMIN")) + (constant (+CAP-SYS-BOOT+ "CAP_SYS_BOOT")) + (constant (+CAP-SYS-NICE+ "CAP_SYS_NICE")) + (constant (+CAP-SYS-RESOURCE+ "CAP_SYS_RESOURCE")) + (constant (+CAP-SYS-TIME+ "CAP_SYS_TIME")) + (constant (+CAP-SYS-TTY-CONFIG+ "CAP_SYS_TTY_CONFIG")) + (constant (+CAP-MKNOD+ "CAP_MKNOD")) + (constant (+CAP-LEASE+ "CAP_LEASE")) + (constant (+CAP-AUDIT-WRITE+ "CAP_AUDIT_WRITE")) + (constant (+CAP-AUDIT-CONTROL+ "CAP_AUDIT_CONTROL")) + (constant (+CAP-SETFCAP+ "CAP_SETFCAP")) + (constant (+CAP-MAC-OVERRIDE+ "CAP_MAC_OVERRIDE")) + (constant (+CAP-MAC-ADMIN+ "CAP_MAC_ADMIN")) + (constant (+CAP-SYSLOG+ "CAP_SYSLOG")) + (constant (+CAP-WAKE-ALARM+ "CAP_WAKE_ALARM")) + (constant (+CAP-BLOCK-SUSPEND+ "CAP_BLOCK_SUSPEND")) + (constant (+CAP-AUDIT-READ+ "CAP_AUDIT_READ")) + (constant (+CAP-PERFMON+ "CAP_PERFMON")) + (constant (+CAP-BPF+ "CAP_BPF")) + (constant (+CAP-CHECKPOINT-RESTORE+ "CAP_CHECKPOINT_RESTORE"))) diff --git a/src/package.lisp b/src/package.lisp index 08fd65e..6be40e0 100644 --- a/src/package.lisp +++ b/src/package.lisp @@ -343,7 +343,52 @@ #:acl-get-entry #:acl-get-tag-type #:acl-get-qualifier - #:acl-set-qualifier)) + #:acl-set-qualifier + + #:+CAP-CHOWN+ + #:+CAP-DAC-OVERRIDE+ + #:+CAP-DAC-READ-SEARCH+ + #:+CAP-FOWNER+ + #:+CAP-FSETID+ + #:+CAP-KILL+ + #:+CAP-SETGID+ + #:+CAP-SETUID+ + + #:+CAP-SETPCAP+ + #:+CAP-LINUX-IMMUTABLE+ + #:+CAP-NET-BIND-SERVICE+ + #:+CAP-NET-BROADCAST+ + #:+CAP-NET-ADMIN+ + #:+CAP-NET-RAW+ + #:+CAP-IPC-LOCK+ + #:+CAP-IPC-OWNER+ + #:+CAP-SYS-MODULE+ + #:+CAP-SYS-RAWIO+ + #:+CAP-SYS-CHROOT+ + #:+CAP-SYS-PTRACE+ + #:+CAP-SYS-PACCT+ + #:+CAP-SYS-ADMIN+ + #:+CAP-SYS-BOOT+ + #:+CAP-SYS-NICE+ + #:+CAP-SYS-RESOURCE+ + #:+CAP-SYS-TIME+ + #:+CAP-SYS-TTY-CONFIG+ + #:+CAP-MKNOD+ + #:+CAP-LEASE+ + #:+CAP-AUDIT-WRITE+ + #:+CAP-AUDIT-CONTROL+ + #:+CAP-SETFCAP+ + #:+CAP-MAC-OVERRIDE+ + #:+CAP-MAC-ADMIN+ + #:+CAP-SYSLOG+ + #:+CAP-WAKE-ALARM+ + #:+CAP-BLOCK-SUSPEND+ + #:+CAP-AUDIT-READ+ + #:+CAP-PERFMON+ + #:+CAP-BPF+ + #:+CAP-CHECKPOINT-RESTORE+ + + #:capability-p)) (defpackage :consfigurator.property.cmd (:use #:cl #:consfigurator) diff --git a/src/property/package.lisp b/src/property/package.lisp index 91b2aef..4548056 100644 --- a/src/property/package.lisp +++ b/src/property/package.lisp @@ -19,7 +19,7 @@ (named-readtables:in-readtable :consfigurator) (defparameter *consfigurator-system-dependencies* - '(:apt ("build-essential" "libacl1-dev"))) + '(:apt ("build-essential" "libacl1-dev" "libcap-dev"))) (defgeneric %command (package-manager) (:documentation diff --git a/src/util/posix1e.lisp b/src/util/posix1e.lisp index 05525ab..2166921 100644 --- a/src/util/posix1e.lisp +++ b/src/util/posix1e.lisp @@ -18,6 +18,8 @@ (in-package :consfigurator.util.posix1e) (named-readtables:in-readtable :consfigurator) +;;;; POSIX ACLs + (define-foreign-library libacl (t (:default "libacl"))) (use-foreign-library libacl) @@ -57,3 +59,29 @@ (defun acl-get-qualifier (entry-d type) (with-acl-free (qualifier-p (%acl-get-qualifier entry-d)) (mem-ref qualifier-p type))) + + +;;;; Capabilities + +(define-foreign-library libcap (:linux (:default "libcap"))) + +(use-foreign-library libcap) + +(define-error-retval-cfun () "cap_free" :int (obj_d :pointer)) + +(define-error-retval-cfun (:failure-val (null-pointer)) + "cap_get_proc" :pointer) + +(define-error-retval-cfun () + "cap_get_flag" :int + (cap-p :pointer) (cap cap_value_t) (flag cap_flag_t) (value-p :pointer)) + +(defun capability-p (set &rest capabilities) + "Does the current thread have each of CAPABILITIES in SET?" + (let ((cap-opaque (cap-get-proc))) + (unwind-protect + (with-foreign-object (value-p 'cap_flag_value_t) + (loop for capability in capabilities + do (cap-get-flag cap-opaque capability set value-p) + always (eql :cap-set (mem-ref value-p 'cap_flag_value_t)))) + (cap-free cap-opaque)))) -- cgit v1.2.3