
Diff of /eclass/fcaps.eclass


Revision 1.3 Revision 1.8
1# Copyright 1999-2013 Gentoo Foundation 1# Copyright 1999-2013 Gentoo Foundation
2# Distributed under the terms of the GNU General Public License v2 2# Distributed under the terms of the GNU General Public License v2
3# $Header: /var/cvsroot/gentoo-x86/eclass/fcaps.eclass,v 1.3 2013/01/30 07:15:49 vapier Exp $ 3# $Header: /var/cvsroot/gentoo-x86/eclass/fcaps.eclass,v 1.8 2013/06/27 01:18:57 vapier Exp $
4 4
5# @ECLASS: fcaps.eclass 5# @ECLASS: fcaps.eclass
6# @MAINTAINER: 6# @MAINTAINER:
7# Constanze Hausner <constanze@gentoo.org> 7# Constanze Hausner <constanze@gentoo.org>
8# base-system@gentoo.org 8# base-system@gentoo.org
31if [[ ${___ECLASS_ONCE_FCAPS} != "recur -_+^+_- spank" ]] ; then 31if [[ ${___ECLASS_ONCE_FCAPS} != "recur -_+^+_- spank" ]] ; then
32___ECLASS_ONCE_FCAPS="recur -_+^+_- spank" 32___ECLASS_ONCE_FCAPS="recur -_+^+_- spank"
33 33
34IUSE="+filecaps" 34IUSE="+filecaps"
35 35
36# We can't use libcap-ng atm due to #471414.
36DEPEND="filecaps? ( sys-libs/libcap )" 37DEPEND="filecaps? ( sys-libs/libcap )"
37 38
38# @ECLASS-VARIABLE: FILECAPS 39# @ECLASS-VARIABLE: FILECAPS
39# @DEFAULT_UNSET 40# @DEFAULT_UNSET
40# @DESCRIPTION: 41# @DESCRIPTION:
109 root=${EROOT:-${ROOT}} 110 root=${EROOT:-${ROOT}}
110 ;; 111 ;;
111 esac 112 esac
112 113
113 # Process every file! 114 # Process every file!
114 local file out 115 local file
115 for file ; do 116 for file ; do
116 [[ ${file} != /* ]] && file="${root}${file}" 117 [[ ${file} != /* ]] && file="${root}${file}"
117 118
118 if use filecaps ; then 119 if use filecaps ; then
119 # Try to set capabilities. Ignore errors when the 120 # Try to set capabilities. Ignore errors when the
122 123
123 # If everything goes well, we don't want the file to be readable 124 # If everything goes well, we don't want the file to be readable
124 # by people. 125 # by people.
125 chmod ${caps_mode} "${file}" || die 126 chmod ${caps_mode} "${file}" || die
126 127
128 # Set/verify funcs for sys-libs/libcap.
129 _libcap() { setcap "${caps}" "${file}" ; }
130 _libcap_verify() { setcap -v "${caps}" "${file}" >/dev/null ; }
131
132 # Set/verify funcs for sys-libs/libcap-ng.
133 # Note: filecap only supports =ep mode.
134 # It also expects a different form:
135 # setcap cap_foo,cap_bar
136 # filecap foo bar
137 _libcap_ng() {
138 local caps=",${caps%=ep}"
139 filecap "${file}" "${caps//,cap_}"
140 }
141 _libcap_ng_verify() {
142 # libcap-ng has a crappy interface
143 local rcaps icaps caps=",${caps%=ep}"
144 rcaps=$(filecap "${file}" | \
145 sed -nr \
146 -e "s:^.{${#file}} +::" \
147 -e 's:, +:\n:g' \
148 -e 2p | \
149 LC_ALL=C sort)
150 [[ ${PIPESTATUS[0]} -eq 0 ]] || return 1
151 icaps=$(echo "${caps//,cap_}" | LC_ALL=C sort)
152 [[ ${rcaps} == ${icaps} ]]
153 }
154
155 local out cmd notfound=0
156 for cmd in _libcap _libcap_ng ; do
127 if ! out=$(LC_ALL=C setcap "${caps}" "${file}" 2>&1) ; then 157 if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then
128 if [[ ${out} != *"Operation not supported"* ]] ; then 158 case ${out} in
159 *"command not found"*)
160 : $(( ++notfound ))
161 continue
162 ;;
163 *"Operation not supported"*)
164 local fstype=$(stat -f -c %T "${file}")
165 ewarn "Could not set caps on '${file}' due to missing filesystem support:"
166 ewarn "* enable XATTR support for '${fstype}' in your kernel (if configurable)"
167 ewarn "* mount the fs with the user_xattr option (if not the default)"
168 ewarn "* enable the relevant FS_SECURITY option (if configurable)"
169 break
170 ;;
171 *)
129 eerror "Setting caps '${caps}' on file '${file}' failed:" 172 eerror "Setting caps '${caps}' on file '${file}' failed:"
130 eerror "${out}" 173 eerror "${out}"
131 die "could not set caps" 174 die "could not set caps"
175 ;;
176 esac
132 else 177 else
133 local fstype=$(stat -f -c %T "${file}") 178 # Sanity check that everything took.
134 ewarn "Could not set caps on '${file}' due to missing filesystem support." 179 ${cmd}_verify || die "Checking caps '${caps}' on '${file}' failed"
135 ewarn "Make sure you enable XATTR support for '${fstype}' in your kernel." 180
136 ewarn "You might also have to enable the relevant FS_SECURITY option." 181 # Everything worked. Move on to the next file.
182 continue 2
137 fi 183 fi
138 else 184 done
139 # Sanity check that everything took. 185 if [[ ${notfound} -eq 2 ]] && [[ -z ${__FCAPS_WARNED} ]] ; then
140 setcap -v "${caps}" "${file}" >/dev/null \ 186 __FCAPS_WARNED="true"
141 || die "Checking caps '${caps}' on '${file}' failed" 187 ewarn "Could not find cap utils; make sure libcap or libcap-ng is available."
142
143 # Everything worked. Move on to the next file.
144 continue
145 fi 188 fi
146 fi 189 fi
147 190
148 # If we're still here, setcaps failed. 191 # If we're still here, setcaps failed.
149 debug-print "${FUNCNAME}: setting owner/mode on '${file}'" 192 debug-print "${FUNCNAME}: setting owner/mode on '${file}'"
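Review bot: In `_libcap_ng` and `_libcap_ng_verify`, `"${caps//,cap_}"` deletes every `,cap_` separator without substituting anything, so a list of two or more capabilities collapses into one fused word (`,cap_foo,cap_bar` becomes `foobar`) and reaches `filecap` as a single quoted argument rather than the `filecap foo bar` form the comment describes. Substituting a space and letting the result word-split would keep the names apart: `filecap "${file}" ${caps//,cap_/ }` and `icaps=$(printf '%s\n' ${caps//,cap_/ } | LC_ALL=C sort)`. The final comparison `[[ ${rcaps} == ${icaps} ]]` treats the unquoted right-hand side as a glob pattern; since this check decides whether the capability set on an installed file is accepted, `[[ ${rcaps} == "${icaps}" ]]` makes it a literal match. The comment also says filecap only supports `=ep`, yet `${caps%=ep}` leaves any other mode suffix in place without rejecting it, so a guard that returns non-zero for a non-`=ep` spec would be worth adding. The enclosing function begins and ends outside the lines shown.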
