/[gentoo-x86]/eclass/fcaps.eclass
Gentoo

Contents of /eclass/fcaps.eclass

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.2 - (show annotations) (download)
Sun Jan 27 17:47:10 2013 UTC (17 months, 1 week ago) by vapier
Branch: MAIN
Changes since 1.1: +11 -2 lines
add a flag for setting the permission of the file when using capabilities

1 # Copyright 1999-2013 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/eclass/fcaps.eclass,v 1.1 2013/01/27 17:27:10 vapier Exp $
4
5 # @ECLASS: fcaps.eclass
6 # @MAINTAINER:
7 # Constanze Hausner <constanze@gentoo.org>
8 # base-system@gentoo.org
9 # @BLURB: function to set POSIX file-based capabilities
10 # @DESCRIPTION:
11 # This eclass provides a function to set file-based capabilities on binaries.
12 #
13 # Due to probable capability-loss on moving or copying, this happens in
14 # pkg_postinst-phase (at least for now).
15 #
16 # @EXAMPLE:
17 # You can manually set the caps on ping and ping6 by doing:
18 # @CODE
19 # pkg_postinst() {
20 # fcaps cap_net_raw bin/ping bin/ping6
21 # }
22 # @CODE
23 #
24 # Or set it via the global ebuild var FILECAPS:
25 # @CODE
26 # FILECAPS=(
27 # cap_net_raw bin/ping bin/ping6
28 # )
29 # @CODE
30
31 if [[ ${___ECLASS_ONCE_FCAPS} != "recur -_+^+_- spank" ]] ; then
32 ___ECLASS_ONCE_FCAPS="recur -_+^+_- spank"
33
34 IUSE="+filecaps"
35
36 DEPEND="filecaps? ( sys-libs/libcap )"
37
38 # @ECLASS-VARIABLE: FILECAPS
39 # @DEFAULT_UNSET
40 # @DESCRIPTION:
41 # An array of fcap arguments to use to automatically execute fcaps. See that
42 # function for more details.
43 #
44 # All args are consumed until the '--' marker is found. So if you have:
45 # @CODE
46 # FILECAPS=( moo cow -- fat cat -- chubby penguin )
47 # @CODE
48 #
49 # This will end up executing:
50 # @CODE
51 # fcaps moo cow
52 # fcaps fat cat
53 # fcaps chubby penguin
54 # @CODE
55 #
56 # Note: If you override pkg_postinst, you must call fcaps_pkg_postinst yourself.
57
58 # @FUNCTION: fcaps
59 # @USAGE: [-o <owner>] [-g <group>] [-m <mode>] [-M <caps mode>] <capabilities> <file[s]>
60 # @DESCRIPTION:
61 # Sets the specified capabilities on the specified files.
62 #
63 # The caps option takes the form as expected by the cap_from_text(3) man page.
64 # If no action is specified, then "=ep" will be used as a default.
65 #
66 # If the file is a relative path (e.g. bin/foo rather than /bin/foo), then the
67 # appropriate path var ($D/$ROOT/etc...) will be prefixed based on the current
68 # ebuild phase.
69 #
70 # The caps mode (default 711) is used to set the permission on the file if
71 # capabilities were properly set on the file.
72 #
73 # If the system is unable to set capabilities, it will use the specified user,
74 # group, and mode (presumably to make the binary set*id). The defaults there
75 # are root:root and 4711. Otherwise, the ownership and permissions will be
76 # unchanged.
77 fcaps() {
78 debug-print-function ${FUNCNAME} "$@"
79
80 # Process the user options first.
81 local owner='root'
82 local group='root'
83 local mode='4711'
84 local caps_mode='711'
85
86 while [[ $# -gt 0 ]] ; do
87 case $1 in
88 -o) owner=$2; shift;;
89 -g) group=$2; shift;;
90 -m) mode=$2; shift;;
91 -M) caps_mode=$2; shift;;
92 *) break;;
93 esac
94 shift
95 done
96
97 [[ $# -lt 2 ]] && die "${FUNCNAME}: wrong arg count"
98
99 local caps=$1
100 [[ ${caps} == *[-=+]* ]] || caps+="=ep"
101 shift
102
103 local root
104 case ${EBUILD_PHASE} in
105 compile|install|preinst)
106 root=${ED:-${D}}
107 ;;
108 postinst)
109 root=${EROOT:-${ROOT}}
110 ;;
111 esac
112
113 # Process every file!
114 local file out
115 for file ; do
116 [[ ${file} != /* ]] && file="${root}${file}"
117
118 if use filecaps ; then
119 # Try to set capabilities. Ignore errors when the
120 # fs doesn't support it, but abort on all others.
121 debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"
122
123 # If everything goes well, we don't want the file to be readable
124 # by people.
125 chmod ${caps_mode} "${file}" || die
126
127 if ! out=$(LC_ALL=C setcap "${caps}" "${file}" 2>&1) ; then
128 if [[ ${out} != *"Operation not supported"* ]] ; then
129 eerror "Setting caps '${caps}' on file '${file}' failed:"
130 eerror "${out}"
131 die "could not set caps"
132 else
133 local fstype=$(stat -f -c %T "${file}")
134 ewarn "Could not set caps on '${file}' due to missing filesystem support."
135 ewarn "Make sure you enable XATTR support for '${fstype}' in your kernel."
136 fi
137 else
138 # Sanity check that everything took.
139 setcap -v "${caps}" "${file}" >/dev/null \
140 || die "Checking caps '${caps}' on '${file}' failed"
141
142 # Everything worked. Move on to the next file.
143 continue
144 fi
145 fi
146
147 # If we're still here, setcaps failed.
148 debug-print "${FUNCNAME}: setting owner/mode on '${file}'"
149 chown "${owner}:${group}" "${file}" || die
150 chmod ${mode} "${file}" || die
151 done
152 }
153
154 # @FUNCTION: fcaps_pkg_postinst
155 # @DESCRIPTION:
156 # Process the FILECAPS array.
157 fcaps_pkg_postinst() {
158 local arg args=()
159 for arg in "${FILECAPS[@]}" "--" ; do
160 if [[ ${arg} == "--" ]] ; then
161 fcaps "${args[@]}"
162 args=()
163 else
164 args+=( "${arg}" )
165 fi
166 done
167 }
168
169 EXPORT_FUNCTIONS pkg_postinst
170
171 fi

  ViewVC Help
Powered by ViewVC 1.1.20