From e2a3387cf777c5b190d70475e98ada83b9abbc4a Mon Sep 17 00:00:00 2001
From: Sean Whitton
Date: Sat, 16 Apr 2022 15:29:29 -0700
Subject: drop plus signs & use underscores in C preprocessor constants

Signed-off-by: Sean Whitton
---
 src/connection/chroot.lisp | 2 +-
 src/connection/linux-namespace.lisp | 20 +++----
 src/libacl.lisp | 12 ++--
 src/libc.lisp | 18 +++---
 src/libcap.lisp | 82 +++++++++++++-------
 src/package.lisp | 114 ++++++++++++++++++------------
 src/util/linux-namespace.lisp | 14 ++---
 7 files changed, 131 insertions(+), 131 deletions(-)

diff --git a/src/connection/chroot.lisp b/src/connection/chroot.lisp
index e40d7ca..80c79cb 100644
--- a/src/connection/chroot.lisp
+++ b/src/connection/chroot.lisp
@@ -120,7 +120,7 @@ should be the mount point, without the chroot's root prefixed.")
 (defmethod post-fork ((connection chroot.fork-connection))
 (with-slots (into) connection
 #+linux
- (progn (unshare +CLONE_NEWNS+)
+ (progn (unshare CLONE_NEWNS)
 (mrun "mount" "--make-rslave"
 (stripln (run "findmnt" "-nro" "TARGET" "-T" into)))
 (linux-chroot-mounts connection))
diff --git a/src/connection/linux-namespace.lisp b/src/connection/linux-namespace.lisp
index 7693330..2924f2e 100644
--- a/src/connection/linux-namespace.lisp
+++ b/src/connection/linux-namespace.lisp
@@ -236,15 +236,15 @@ setgroups(2) is denied in the namespace."
 (linux-namespace-connection init-hooks-connection) ())
 
 #+linux
-(define-constant +namespace-types+ `(("user" . ,+CLONE_NEWUSER+)
- ("cgroup" . ,+CLONE_NEWCGROUP+)
- ("ipc" . ,+CLONE_NEWIPC+)
- ("uts" . ,+CLONE_NEWUTS+)
- ("net" . ,+CLONE_NEWNET+)
- ("pid" . ,+CLONE_NEWPID+)
- ("mnt" . ,+CLONE_NEWNS+)
- ,@(and (boundp '+CLONE_NEWTIME+)
- `(("time" . ,+CLONE_NEWTIME+))))
+(define-constant +namespace-types+ `(("user" . ,CLONE_NEWUSER)
+ ("cgroup" . ,CLONE_NEWCGROUP)
+ ("ipc" . ,CLONE_NEWIPC)
+ ("uts" . ,CLONE_NEWUTS)
+ ("net" . ,CLONE_NEWNET)
+ ("pid" . ,CLONE_NEWPID)
+ ("mnt" . ,CLONE_NEWNS)
+ ,@(and (boundp 'CLONE_NEWTIME)
+ `(("time" . ,CLONE_NEWTIME))))
 :test #'equal)
 
 (define-error-retval-cfun () "setns" :int (fd :int) (type :int))
@@ -311,7 +311,7 @@ setgroups(2) is denied in the namespace."
 ;; indicates that the namespace we tried to join belongs
 ;; to a parent userns, in which case if we were ever
 ;; going to join it would have to have been on 1st pass.
- if (and fd setuserns (not (eql type +CLONE_NEWUSER+)))
+ if (and fd setuserns (not (eql type CLONE_NEWUSER)))
 do (handler-case (setns fd type) (nix:eperm ()))
 else if fd do (setns fd type))
 ;; If we entered new PID or time namespaces then need to fork
diff --git a/src/libacl.lisp b/src/libacl.lisp
index b162e30..8f88749 100644
--- a/src/libacl.lisp
+++ b/src/libacl.lisp
@@ -6,9 +6,9 @@
 (ctype acl_type_t "acl_type_t")
 (ctype acl_entry_t "acl_entry_t")
 
-(constant (+ACL-USER+ "ACL_USER"))
-(constant (+ACL-GROUP+ "ACL_GROUP"))
-(constant (+ACL-TYPE-ACCESS+ "ACL_TYPE_ACCESS"))
-(constant (+ACL-TYPE-DEFAULT+ "ACL_TYPE_DEFAULT"))
-(constant (+ACL-NEXT-ENTRY+ "ACL_NEXT_ENTRY"))
-(constant (+ACL-FIRST-ENTRY+ "ACL_FIRST_ENTRY"))
+(constant (ACL_USER "ACL_USER"))
+(constant (ACL_GROUP "ACL_GROUP"))
+(constant (ACL_TYPE_ACCESS "ACL_TYPE_ACCESS"))
+(constant (ACL_TYPE_DEFAULT "ACL_TYPE_DEFAULT"))
+(constant (ACL_NEXT_ENTRY "ACL_NEXT_ENTRY"))
+(constant (ACL_FIRST_ENTRY "ACL_FIRST_ENTRY"))
diff --git a/src/libc.lisp b/src/libc.lisp
index 41a601b..5edb800 100644
--- a/src/libc.lisp
+++ b/src/libc.lisp
@@ -14,13 +14,13 @@
 
 #+linux
 (progn
- (constant (+CLONE_NEWCGROUP+ "CLONE_NEWCGROUP"))
- (constant (+CLONE_NEWIPC+ "CLONE_NEWIPC"))
- (constant (+CLONE_NEWNET+ "CLONE_NEWNET"))
- (constant (+CLONE_NEWNS+ "CLONE_NEWNS"))
- (constant (+CLONE_NEWPID+ "CLONE_NEWPID"))
- (constant (+CLONE_NEWTIME+ "CLONE_NEWTIME"))
- (constant (+CLONE_NEWUSER+ "CLONE_NEWUSER"))
- (constant (+CLONE_NEWUTS+ "CLONE_NEWUTS"))
+ (constant (CLONE_NEWCGROUP "CLONE_NEWCGROUP"))
+ (constant (CLONE_NEWIPC "CLONE_NEWIPC"))
+ (constant (CLONE_NEWNET "CLONE_NEWNET"))
+ (constant (CLONE_NEWNS "CLONE_NEWNS"))
+ (constant (CLONE_NEWPID "CLONE_NEWPID"))
+ (constant (CLONE_NEWTIME "CLONE_NEWTIME"))
+ (constant (CLONE_NEWUSER "CLONE_NEWUSER"))
+ (constant (CLONE_NEWUTS "CLONE_NEWUTS"))
 
- (constant (+NS_GET_OWNER_UID+ "NS_GET_OWNER_UID")))
+ (constant (NS_GET_OWNER_UID "NS_GET_OWNER_UID")))
diff --git a/src/libcap.lisp b/src/libcap.lisp
index 96f850e..567de23 100644
--- a/src/libcap.lisp
+++ b/src/libcap.lisp
@@ -11,47 +11,47 @@
 ((:cap-inheritable "CAP_INHERITABLE")))
 (cenum cap_flag_value_t ((:cap-set "CAP_SET")) ((:cap-clear "CAP_CLEAR")))
 
-(constant (+CAP-CHOWN+ "CAP_CHOWN"))
-(constant (+CAP-DAC-OVERRIDE+ "CAP_DAC_OVERRIDE"))
-(constant (+CAP-DAC-READ-SEARCH+ "CAP_DAC_READ_SEARCH"))
-(constant (+CAP-FOWNER+ "CAP_FOWNER"))
-(constant (+CAP-FSETID+ "CAP_FSETID"))
-(constant (+CAP-KILL+ "CAP_KILL"))
-(constant (+CAP-SETGID+ "CAP_SETGID"))
-(constant (+CAP-SETUID+ "CAP_SETUID"))
+(constant (CAP_CHOWN "CAP_CHOWN"))
+(constant (CAP_DAC_OVERRIDE "CAP_DAC_OVERRIDE"))
+(constant (CAP_DAC_READ_SEARCH "CAP_DAC_READ_SEARCH"))
+(constant (CAP_FOWNER "CAP_FOWNER"))
+(constant (CAP_FSETID "CAP_FSETID"))
+(constant (CAP_KILL "CAP_KILL"))
+(constant (CAP_SETGID "CAP_SETGID"))
+(constant (CAP_SETUID "CAP_SETUID"))
 
 #+linux
 (progn
- (constant (+CAP-SETPCAP+ "CAP_SETPCAP"))
- (constant (+CAP-LINUX-IMMUTABLE+ "CAP_LINUX_IMMUTABLE"))
- (constant (+CAP-NET-BIND-SERVICE+ "CAP_NET_BIND_SERVICE"))
- (constant (+CAP-NET-BROADCAST+ "CAP_NET_BROADCAST"))
- (constant (+CAP-NET-ADMIN+ "CAP_NET_ADMIN"))
- (constant (+CAP-NET-RAW+ "CAP_NET_RAW"))
- (constant (+CAP-IPC-LOCK+ "CAP_IPC_LOCK"))
- (constant (+CAP-IPC-OWNER+ "CAP_IPC_OWNER"))
- (constant (+CAP-SYS-MODULE+ "CAP_SYS_MODULE"))
- (constant (+CAP-SYS-RAWIO+ "CAP_SYS_RAWIO"))
- (constant (+CAP-SYS-CHROOT+ "CAP_SYS_CHROOT"))
- (constant (+CAP-SYS-PTRACE+ "CAP_SYS_PTRACE"))
- (constant (+CAP-SYS-PACCT+ "CAP_SYS_PACCT"))
- (constant (+CAP-SYS-ADMIN+ "CAP_SYS_ADMIN"))
- (constant (+CAP-SYS-BOOT+ "CAP_SYS_BOOT"))
- (constant (+CAP-SYS-NICE+ "CAP_SYS_NICE"))
- (constant (+CAP-SYS-RESOURCE+ "CAP_SYS_RESOURCE"))
- (constant (+CAP-SYS-TIME+ "CAP_SYS_TIME"))
- (constant (+CAP-SYS-TTY-CONFIG+ "CAP_SYS_TTY_CONFIG"))
- (constant (+CAP-MKNOD+ "CAP_MKNOD"))
- (constant (+CAP-LEASE+ "CAP_LEASE"))
- (constant (+CAP-AUDIT-WRITE+ "CAP_AUDIT_WRITE"))
- (constant (+CAP-AUDIT-CONTROL+ "CAP_AUDIT_CONTROL"))
- (constant (+CAP-SETFCAP+ "CAP_SETFCAP"))
- (constant (+CAP-MAC-OVERRIDE+ "CAP_MAC_OVERRIDE"))
- (constant (+CAP-MAC-ADMIN+ "CAP_MAC_ADMIN"))
- (constant (+CAP-SYSLOG+ "CAP_SYSLOG"))
- (constant (+CAP-WAKE-ALARM+ "CAP_WAKE_ALARM"))
- (constant (+CAP-BLOCK-SUSPEND+ "CAP_BLOCK_SUSPEND"))
- (constant (+CAP-AUDIT-READ+ "CAP_AUDIT_READ"))
- (constant (+CAP-PERFMON+ "CAP_PERFMON"))
- (constant (+CAP-BPF+ "CAP_BPF"))
- (constant (+CAP-CHECKPOINT-RESTORE+ "CAP_CHECKPOINT_RESTORE")))
+ (constant (CAP_SETPCAP "CAP_SETPCAP"))
+ (constant (CAP_LINUX_IMMUTABLE "CAP_LINUX_IMMUTABLE"))
+ (constant (CAP_NET_BIND_SERVICE "CAP_NET_BIND_SERVICE"))
+ (constant (CAP_NET_BROADCAST "CAP_NET_BROADCAST"))
+ (constant (CAP_NET_ADMIN "CAP_NET_ADMIN"))
+ (constant (CAP_NET_RAW "CAP_NET_RAW"))
+ (constant (CAP_IPC_LOCK "CAP_IPC_LOCK"))
+ (constant (CAP_IPC_OWNER "CAP_IPC_OWNER"))
+ (constant (CAP_SYS_MODULE "CAP_SYS_MODULE"))
+ (constant (CAP_SYS_RAWIO "CAP_SYS_RAWIO"))
+ (constant (CAP_SYS_CHROOT "CAP_SYS_CHROOT"))
+ (constant (CAP_SYS_PTRACE "CAP_SYS_PTRACE"))
+ (constant (CAP_SYS_PACCT "CAP_SYS_PACCT"))
+ (constant (CAP_SYS_ADMIN "CAP_SYS_ADMIN"))
+ (constant (CAP_SYS_BOOT "CAP_SYS_BOOT"))
+ (constant (CAP_SYS_NICE "CAP_SYS_NICE"))
+ (constant (CAP_SYS_RESOURCE "CAP_SYS_RESOURCE"))
+ (constant (CAP_SYS_TIME "CAP_SYS_TIME"))
+ (constant (CAP_SYS_TTY_CONFIG "CAP_SYS_TTY_CONFIG"))
+ (constant (CAP_MKNOD "CAP_MKNOD"))
+ (constant (CAP_LEASE "CAP_LEASE"))
+ (constant (CAP_AUDIT_WRITE "CAP_AUDIT_WRITE"))
+ (constant (CAP_AUDIT_CONTROL "CAP_AUDIT_CONTROL"))
+ (constant (CAP_SETFCAP "CAP_SETFCAP"))
+ (constant (CAP_MAC_OVERRIDE "CAP_MAC_OVERRIDE"))
+ (constant (CAP_MAC_ADMIN "CAP_MAC_ADMIN"))
+ (constant (CAP_SYSLOG "CAP_SYSLOG"))
+ (constant (CAP_WAKE_ALARM "CAP_WAKE_ALARM"))
+ (constant (CAP_BLOCK_SUSPEND "CAP_BLOCK_SUSPEND"))
+ (constant (CAP_AUDIT_READ "CAP_AUDIT_READ"))
+ (constant (CAP_PERFMON "CAP_PERFMON"))
+ (constant (CAP_BPF "CAP_BPF"))
+ (constant (CAP_CHECKPOINT_RESTORE "CAP_CHECKPOINT_RESTORE")))
diff --git a/src/package.lisp b/src/package.lisp
index 91008ec..9e0b036 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -88,16 +88,16 @@
 #:uid_t
 #:gid_t
 
- #:+CLONE_NEWCGROUP+
- #:+CLONE_NEWIPC+
- #:+CLONE_NEWNET+
- #:+CLONE_NEWNS+
- #:+CLONE_NEWPID+
- #:+CLONE_NEWTIME+
- #:+CLONE_NEWUSER+
- #:+CLONE_NEWUTS+
+ #:CLONE_NEWCGROUP
+ #:CLONE_NEWIPC
+ #:CLONE_NEWNET
+ #:CLONE_NEWNS
+ #:CLONE_NEWPID
+ #:CLONE_NEWTIME
+ #:CLONE_NEWUSER
+ #:CLONE_NEWUTS
 
- #:+NS_GET_OWNER_UID+
+ #:NS_GET_OWNER_UID
 
 ;; util.lisp
 #:multiple-value-mapcan
@@ -343,12 +343,12 @@
 (:use #:cffi)
 (:export #:acl_type_t
 #:acl_entry_t
- #:+ACL-USER+
- #:+ACL-GROUP+
- #:+ACL-TYPE-ACCESS+
- #:+ACL-TYPE-DEFAULT+
- #:+ACL-NEXT-ENTRY+
- #:+ACL-FIRST-ENTRY+
+ #:ACL_USER
+ #:ACL_GROUP
+ #:ACL_TYPE_ACCESS
+ #:ACL_TYPE_DEFAULT
+ #:ACL_NEXT_ENTRY
+ #:ACL_FIRST_ENTRY
 #:with-acl-free
 #:acl-get-file
@@ -358,48 +358,48 @@
 #:acl-get-qualifier
 #:acl-set-qualifier
 
- #:+CAP-CHOWN+
- #:+CAP-DAC-OVERRIDE+
- #:+CAP-DAC-READ-SEARCH+
- #:+CAP-FOWNER+
- #:+CAP-FSETID+
- #:+CAP-KILL+
- #:+CAP-SETGID+
- #:+CAP-SETUID+
-
- #:+CAP-SETPCAP+
- #:+CAP-LINUX-IMMUTABLE+
- #:+CAP-NET-BIND-SERVICE+
- #:+CAP-NET-BROADCAST+
- #:+CAP-NET-ADMIN+
- #:+CAP-NET-RAW+
- #:+CAP-IPC-LOCK+
- #:+CAP-IPC-OWNER+
- #:+CAP-SYS-MODULE+
- #:+CAP-SYS-RAWIO+
- #:+CAP-SYS-CHROOT+
- #:+CAP-SYS-PTRACE+
- #:+CAP-SYS-PACCT+
- #:+CAP-SYS-ADMIN+
- #:+CAP-SYS-BOOT+
- #:+CAP-SYS-NICE+
- #:+CAP-SYS-RESOURCE+
- #:+CAP-SYS-TIME+
- #:+CAP-SYS-TTY-CONFIG+
- #:+CAP-MKNOD+
- #:+CAP-LEASE+
- #:+CAP-AUDIT-WRITE+
- #:+CAP-AUDIT-CONTROL+
- #:+CAP-SETFCAP+
- #:+CAP-MAC-OVERRIDE+
- #:+CAP-MAC-ADMIN+
- #:+CAP-SYSLOG+
- #:+CAP-WAKE-ALARM+
- #:+CAP-BLOCK-SUSPEND+
- #:+CAP-AUDIT-READ+
- #:+CAP-PERFMON+
- #:+CAP-BPF+
- #:+CAP-CHECKPOINT-RESTORE+
+ #:CAP_CHOWN
+ #:CAP_DAC_OVERRIDE
+ #:CAP_DAC_READ_SEARCH
+ #:CAP_FOWNER
+ #:CAP_FSETID
+ #:CAP_KILL
+ #:CAP_SETGID
+ #:CAP_SETUID
+
+ #:CAP_SETPCAP
+ #:CAP_LINUX_IMMUTABLE
+ #:CAP_NET_BIND_SERVICE
+ #:CAP_NET_BROADCAST
+ #:CAP_NET_ADMIN
+ #:CAP_NET_RAW
+ #:CAP_IPC_LOCK
+ #:CAP_IPC_OWNER
+ #:CAP_SYS_MODULE
+ #:CAP_SYS_RAWIO
+ #:CAP_SYS_CHROOT
+ #:CAP_SYS_PTRACE
+ #:CAP_SYS_PACCT
+ #:CAP_SYS_ADMIN
+ #:CAP_SYS_BOOT
+ #:CAP_SYS_NICE
+ #:CAP_SYS_RESOURCE
+ #:CAP_SYS_TIME
+ #:CAP_SYS_TTY_CONFIG
+ #:CAP_MKNOD
+ #:CAP_LEASE
+ #:CAP_AUDIT_WRITE
+ #:CAP_AUDIT_CONTROL
+ #:CAP_SETFCAP
+ #:CAP_MAC_OVERRIDE
+ #:CAP_MAC_ADMIN
+ #:CAP_SYSLOG
+ #:CAP_WAKE_ALARM
+ #:CAP_BLOCK_SUSPEND
+ #:CAP_AUDIT_READ
+ #:CAP_PERFMON
+ #:CAP_BPF
+ #:CAP_CHECKPOINT_RESTORE
 #:posix-capability-p))
diff --git a/src/util/linux-namespace.lisp b/src/util/linux-namespace.lisp
index 606f311..3bc2e59 100644
--- a/src/util/linux-namespace.lisp
+++ b/src/util/linux-namespace.lisp
@@ -114,8 +114,8 @@ CONSFIGURATOR.UTIL.LINUX-NAMESPACE:REDUCE-ID-MAPS and user_namespaces(7)."
 ;; Restore mode because chown wipes setuid/setgid.
 (nix:chmod file mode)
 ;; Now do the ACL shifts; directories have two.
- (shift-acl file +ACL-TYPE-ACCESS+)
- (when dirp (shift-acl file +ACL-TYPE-DEFAULT+)))
+ (shift-acl file ACL_TYPE_ACCESS)
+ (when dirp (shift-acl file ACL_TYPE_DEFAULT)))
 (when (and dirp (not linkp))
 (mapc #'shift (local-directory-contents file))))))
 (shift-acl (file type)
@@ -123,16 +123,16 @@ CONSFIGURATOR.UTIL.LINUX-NAMESPACE:REDUCE-ID-MAPS and user_namespaces(7)."
 (with-foreign-objects ((uid 'uid_t) (gid 'gid_t) (entry-p 'acl_entry_t))
 (loop with setp
- for etype = +ACL-FIRST-ENTRY+ then +ACL-NEXT-ENTRY+
+ for etype = ACL_FIRST_ENTRY then ACL_NEXT_ENTRY
 while (plusp (acl-get-entry acl etype entry-p))
 for entry = (mem-ref entry-p 'acl_entry_t)
 for tag-type = (acl-get-tag-type entry)
- when (= tag-type +ACL-USER+)
+ when (= tag-type ACL_USER)
 do (awhen (funcall uidmap (acl-get-qualifier entry 'uid_t))
 (setf setp t (mem-ref uid 'uid_t) it)
 (acl-set-qualifier entry uid))
- when (= tag-type +ACL-GROUP+)
+ when (= tag-type ACL_GROUP)
 do (awhen (funcall gidmap (acl-get-qualifier entry 'gid_t))
 (setf setp t (mem-ref gid 'gid_t) it)
@@ -145,7 +145,7 @@ CONSFIGURATOR.UTIL.LINUX-NAMESPACE:REDUCE-ID-MAPS and user_namespaces(7)."
 (with-foreign-object (owner 'uid_t)
 (if (minusp (foreign-funcall
- "ioctl" :int fd :unsigned-long +NS_GET_OWNER_UID+ :pointer owner
+ "ioctl" :int fd :unsigned-long NS_GET_OWNER_UID :pointer owner
 :int))
 (error "Couldn't determine owner of target userns.")
 (mem-ref owner 'uid_t))))
@@ -153,7 +153,7 @@ CONSFIGURATOR.UTIL.LINUX-NAMESPACE:REDUCE-ID-MAPS and user_namespaces(7)."
 (defun setgroups-p ()
 "In a Lisp-type connection, do we have the ability to use setgroups(2)?"
 (and #-linux (zerop (nix:geteuid))
- #+linux (posix-capability-p :cap-effective +CAP-SETGID+)
+ #+linux (posix-capability-p :cap-effective CAP_SETGID)
 #+linux (string= "allow" (stripln (read-file-string "/proc/thread-self/setgroups")))))
--
cgit v1.2.3