/[gentoo-x86]/eclass/fcaps.eclass
Gentoo

Contents of /eclass/fcaps.eclass

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.4 - (show annotations) (download)
Sun Apr 28 03:11:47 2013 UTC (14 months, 3 weeks ago) by vapier
Branch: MAIN
Changes since 1.3: +16 -7 lines
only warn if setcap is not found rather than be fatal #458518

1 # Copyright 1999-2013 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/eclass/fcaps.eclass,v 1.3 2013/01/30 07:15:49 vapier Exp $
4
5 # @ECLASS: fcaps.eclass
6 # @MAINTAINER:
7 # Constanze Hausner <constanze@gentoo.org>
8 # base-system@gentoo.org
9 # @BLURB: function to set POSIX file-based capabilities
10 # @DESCRIPTION:
11 # This eclass provides a function to set file-based capabilities on binaries.
12 #
13 # Due to probable capability-loss on moving or copying, this happens in
14 # pkg_postinst-phase (at least for now).
15 #
16 # @EXAMPLE:
17 # You can manually set the caps on ping and ping6 by doing:
18 # @CODE
19 # pkg_postinst() {
20 # fcaps cap_net_raw bin/ping bin/ping6
21 # }
22 # @CODE
23 #
24 # Or set it via the global ebuild var FILECAPS:
25 # @CODE
26 # FILECAPS=(
27 # cap_net_raw bin/ping bin/ping6
28 # )
29 # @CODE
30
31 if [[ ${___ECLASS_ONCE_FCAPS} != "recur -_+^+_- spank" ]] ; then
32 ___ECLASS_ONCE_FCAPS="recur -_+^+_- spank"
33
34 IUSE="+filecaps"
35
36 DEPEND="filecaps? ( sys-libs/libcap )"
37
38 # @ECLASS-VARIABLE: FILECAPS
39 # @DEFAULT_UNSET
40 # @DESCRIPTION:
41 # An array of fcap arguments to use to automatically execute fcaps. See that
42 # function for more details.
43 #
44 # All args are consumed until the '--' marker is found. So if you have:
45 # @CODE
46 # FILECAPS=( moo cow -- fat cat -- chubby penguin )
47 # @CODE
48 #
49 # This will end up executing:
50 # @CODE
51 # fcaps moo cow
52 # fcaps fat cat
53 # fcaps chubby penguin
54 # @CODE
55 #
56 # Note: If you override pkg_postinst, you must call fcaps_pkg_postinst yourself.
57
58 # @FUNCTION: fcaps
59 # @USAGE: [-o <owner>] [-g <group>] [-m <mode>] [-M <caps mode>] <capabilities> <file[s]>
60 # @DESCRIPTION:
61 # Sets the specified capabilities on the specified files.
62 #
63 # The caps option takes the form as expected by the cap_from_text(3) man page.
64 # If no action is specified, then "=ep" will be used as a default.
65 #
66 # If the file is a relative path (e.g. bin/foo rather than /bin/foo), then the
67 # appropriate path var ($D/$ROOT/etc...) will be prefixed based on the current
68 # ebuild phase.
69 #
70 # The caps mode (default 711) is used to set the permission on the file if
71 # capabilities were properly set on the file.
72 #
73 # If the system is unable to set capabilities, it will use the specified user,
74 # group, and mode (presumably to make the binary set*id). The defaults there
75 # are root:root and 4711. Otherwise, the ownership and permissions will be
76 # unchanged.
77 fcaps() {
78 debug-print-function ${FUNCNAME} "$@"
79
80 # Process the user options first.
81 local owner='root'
82 local group='root'
83 local mode='4711'
84 local caps_mode='711'
85
86 while [[ $# -gt 0 ]] ; do
87 case $1 in
88 -o) owner=$2; shift;;
89 -g) group=$2; shift;;
90 -m) mode=$2; shift;;
91 -M) caps_mode=$2; shift;;
92 *) break;;
93 esac
94 shift
95 done
96
97 [[ $# -lt 2 ]] && die "${FUNCNAME}: wrong arg count"
98
99 local caps=$1
100 [[ ${caps} == *[-=+]* ]] || caps+="=ep"
101 shift
102
103 local root
104 case ${EBUILD_PHASE} in
105 compile|install|preinst)
106 root=${ED:-${D}}
107 ;;
108 postinst)
109 root=${EROOT:-${ROOT}}
110 ;;
111 esac
112
113 # Process every file!
114 local file out
115 for file ; do
116 [[ ${file} != /* ]] && file="${root}${file}"
117
118 if use filecaps ; then
119 # Try to set capabilities. Ignore errors when the
120 # fs doesn't support it, but abort on all others.
121 debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"
122
123 # If everything goes well, we don't want the file to be readable
124 # by people.
125 chmod ${caps_mode} "${file}" || die
126
127 if ! out=$(LC_ALL=C setcap "${caps}" "${file}" 2>&1) ; then
128 case ${out} in
129 *"command not found"*)
130 if [[ -z ${__FCAPS_WARNED} ]] ; then
131 __FCAPS_WARNED="true"
132 ewarn "Could not find cap utils. Please make sure libcap is available."
133 fi
134 ;;
135 *"Operation not supported"*)
136 local fstype=$(stat -f -c %T "${file}")
137 ewarn "Could not set caps on '${file}' due to missing filesystem support."
138 ewarn "Make sure you enable XATTR support for '${fstype}' in your kernel."
139 ewarn "You might also have to enable the relevant FS_SECURITY option."
140 ;;
141 *)
142 eerror "Setting caps '${caps}' on file '${file}' failed:"
143 eerror "${out}"
144 die "could not set caps"
145 ;;
146 esac
147 else
148 # Sanity check that everything took.
149 setcap -v "${caps}" "${file}" >/dev/null \
150 || die "Checking caps '${caps}' on '${file}' failed"
151
152 # Everything worked. Move on to the next file.
153 continue
154 fi
155 fi
156
157 # If we're still here, setcaps failed.
158 debug-print "${FUNCNAME}: setting owner/mode on '${file}'"
159 chown "${owner}:${group}" "${file}" || die
160 chmod ${mode} "${file}" || die
161 done
162 }
163
164 # @FUNCTION: fcaps_pkg_postinst
165 # @DESCRIPTION:
166 # Process the FILECAPS array.
167 fcaps_pkg_postinst() {
168 local arg args=()
169 for arg in "${FILECAPS[@]}" "--" ; do
170 if [[ ${arg} == "--" ]] ; then
171 fcaps "${args[@]}"
172 args=()
173 else
174 args+=( "${arg}" )
175 fi
176 done
177 }
178
179 EXPORT_FUNCTIONS pkg_postinst
180
181 fi

  ViewVC Help
Powered by ViewVC 1.1.20