
Contents of /eclass/fcaps.eclass



Revision 1.1 - (show annotations) (download)
Sun Jan 27 17:27:10 2013 UTC (23 months ago) by vapier
Branch: MAIN
initial file capabilities support

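# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

# @ECLASS: fcaps.eclass
# @MAINTAINER:
# Constanze Hausner <constanze@gentoo.org>
# base-system@gentoo.org
# @BLURB: function to set POSIX file-based capabilities
# @DESCRIPTION:
# This eclass provides a function to set file-based capabilities on binaries.
#
# Due to probable capability-loss on moving or copying, this happens in
# pkg_postinst-phase (at least for now).
#
# @EXAMPLE:
# You can manually set the caps on ping and ping6 by doing:
# @CODE
# pkg_postinst() {
# fcaps cap_net_raw bin/ping bin/ping6
# }
# @CODE
#
# Or set it via the global ebuild var FILECAPS:
# @CODE
# FILECAPS=(
# cap_net_raw bin/ping bin/ping6
# )
# @CODE

# Include guard: the body below is evaluated only the first time the eclass
# is inherited.
if [[ ${___ECLASS_ONCE_FCAPS} != "recur -_+^+_- spank" ]] ; then
___ECLASS_ONCE_FCAPS="recur -_+^+_- spank"

# Enabled by default; when the flag is off, fcaps() skips setcap entirely and
# applies the owner/group/mode fallback instead.
IUSE="+filecaps"

# NOTE(review): setcap is invoked from pkg_postinst, i.e. at merge time --
# confirm that a build-time DEPEND is enough when installing binary packages.
DEPEND="filecaps? ( sys-libs/libcap )"

# @ECLASS-VARIABLE: FILECAPS
# @DEFAULT_UNSET
# @DESCRIPTION:
# An array of fcap arguments to use to automatically execute fcaps. See that
# function for more details.
#
# All args are consumed until the '--' marker is found. So if you have:
# @CODE
# FILECAPS=( moo cow -- fat cat -- chubby penguin )
# @CODE
#
# This will end up executing:
# @CODE
# fcaps moo cow
# fcaps fat cat
# fcaps chubby penguin
# @CODE
#
# Empty argument groups (FILECAPS unset, or a doubled/trailing '--') are
# skipped.
#
# Note: If you override pkg_postinst, you must call fcaps_pkg_postinst yourself.

# @FUNCTION: fcaps
# @USAGE: [-o <owner>] [-g <group>] [-m <mode>] <capabilities> <file[s]>
# @DESCRIPTION:
# Sets the specified capabilities on the specified files.
#
# The caps option takes the form as expected by the cap_from_text(3) man page.
# If no action is specified, then "=ep" will be used as a default.
#
# If the file is a relative path (e.g. bin/foo rather than /bin/foo), then the
# appropriate path var ($D/$ROOT/etc...) will be prefixed based on the current
# ebuild phase.
#
# If the system is unable to set capabilities, it will use the specified user,
# group, and mode (presumably to make the binary set*id). The defaults there
# are root:root and 4711. Otherwise, the ownership and permissions will be
# unchanged.
#
# The fallback is taken both when setcap reports "Operation not supported" and
# when the filecaps USE flag is disabled. With the defaults it leaves the file
# set-uid root, which is a much broader grant than the requested capabilities.
# Because a successful setcap leaves the mode untouched, a file that was
# already installed set*id stays set*id.
#
# Dies on a wrong argument count, on any other setcap failure, when the
# setcap -v verification fails, or when chown/chmod fail.
fcaps() {
	debug-print-function "${FUNCNAME}" "$@"

	# Process the user options first.
	local owner='root'
	local group='root'
	local mode='4711'

	while [[ $# -gt 0 ]] ; do
		case $1 in
		-o) owner=$2; shift;;
		-g) group=$2; shift;;
		-m) mode=$2; shift;;
		*) break;;
		esac
		shift
	done

	# At least the capability string and one file must remain.
	[[ $# -lt 2 ]] && die "${FUNCNAME}: wrong arg count"

	local caps=$1
	# A cap string without any of - = + carries no action; default to "=ep".
	[[ ${caps} == *[-=+]* ]] || caps+="=ep"
	shift

	# Pick the prefix for relative paths from the current phase.
	# NOTE(review): in any other phase ${root} stays empty, so a relative
	# path is used exactly as given (relative to the current directory) --
	# confirm that this is intended.
	local root
	case ${EBUILD_PHASE} in
	compile|install|preinst)
		root=${ED:-${D}}
		;;
	postinst)
		root=${EROOT:-${ROOT}}
		;;
	esac

	# Process every file!
	local file out fstype
	for file ; do
		[[ ${file} != /* ]] && file="${root}${file}"

		if use filecaps ; then
			# Try to set capabilities. Ignore errors when the
			# fs doesn't support it, but abort on all others.
			debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"

			# LC_ALL=C keeps setcap's message text stable for the
			# string match below.
			if ! out=$(LC_ALL=C setcap "${caps}" "${file}" 2>&1) ; then
				if [[ ${out} != *"Operation not supported"* ]] ; then
					eerror "Setting caps '${caps}' on file '${file}' failed:"
					eerror "${out}"
					die "could not set caps"
				else
					# fstype is declared with the other locals so that
					# 'local' does not mask stat's exit status; the value
					# is only used in the warning text.
					fstype=$(stat -f -c %T "${file}")
					ewarn "Could not set caps on '${file}' due to missing filesystem support."
					ewarn "Make sure you enable XATTR support for '${fstype}' in your kernel."
				fi
			else
				# Sanity check that everything took.
				setcap -v "${caps}" "${file}" >/dev/null \
					|| die "Checking caps '${caps}' on '${file}' failed"

				# Everything worked. Move on to the next file.
				continue
			fi
		fi

		# If we're still here, either USE=-filecaps or the filesystem lacks
		# support: fall back to the requested owner/group/mode.
		debug-print "${FUNCNAME}: setting owner/mode on '${file}'"
		chown "${owner}:${group}" "${file}" || die
		# Quoted so the mode always reaches chmod as one argument and can
		# never word-split into extra file operands.
		chmod "${mode}" "${file}" || die
	done
}

# @FUNCTION: fcaps_pkg_postinst
# @DESCRIPTION:
# Process the FILECAPS array: split it on '--' markers and call fcaps once per
# non-empty group of arguments.
fcaps_pkg_postinst() {
	local arg args=()
	# The extra "--" flushes the last group.
	for arg in "${FILECAPS[@]}" "--" ; do
		if [[ ${arg} == "--" ]] ; then
			# FILECAPS is unset by default; an empty group must not reach
			# fcaps, which dies on fewer than two arguments.
			if [[ ${#args[@]} -gt 0 ]] ; then
				fcaps "${args[@]}"
			fi
			args=()
		else
			args+=( "${arg}" )
		fi
	done
}

EXPORT_FUNCTIONS pkg_postinst

fi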
