source: patches/libcap-2.23-uapi-1.patch@ bb13596

clfs-3.0.0-systemd clfs-3.0.0-sysvinit systemd sysvinit
Last change on this file since bb13596 was d4764b6, checked in by Chris Staub <chris@…>, 11 years ago

Add patch to fix libcap

  • Property mode set to 100644
File size: 23.8 KB
RevLine 
[d4764b6]1Submitted By: Chris Staub (chris at cross-lfs dot org)
2Date: 2014-01-05
3Initial Package Version: 2.23
4Origin: Upstream
5Upstream Status: Applied
6Description: Fixes libcap headers to allow other programs to link to libcap
7
8diff -Naur libcap-2.23.orig/Make.Rules libcap-2.23/Make.Rules
9--- libcap-2.23.orig/Make.Rules 2013-12-24 14:23:11.000000000 -0500
10+++ libcap-2.23/Make.Rules 2014-01-05 01:23:01.000000000 -0500
11@@ -45,8 +45,8 @@
12
13 # Compilation specifics
14
15-KERNEL_HEADERS := $(topdir)/libcap/include
16-IPATH += -fPIC -I$(topdir)/libcap/include -I$(KERNEL_HEADERS)
17+KERNEL_HEADERS := $(topdir)/libcap/include/uapi
18+IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include
19
20 CC := gcc
21 CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
22diff -Naur libcap-2.23.orig/libcap/Makefile libcap-2.23/libcap/Makefile
23--- libcap-2.23.orig/libcap/Makefile 2013-12-24 12:08:53.000000000 -0500
24+++ libcap-2.23/libcap/Makefile 2014-01-05 01:23:01.000000000 -0500
25@@ -53,7 +53,7 @@
26
27 cap_names.list.h: Makefile $(KERNEL_HEADERS)/linux/capability.h
28 @echo "=> making $@ from $(KERNEL_HEADERS)/linux/capability.h"
29- perl -e 'while ($$l=<>) { if ($$l =~ /^\#define[ \t](CAP[_A-Z]+)[ \t]+([0-9]+)\s+$$/) { $$tok=$$1; $$val=$$2; $$tok =~ tr/A-Z/a-z/; print "{\"$$tok\",$$val},\n"; } }' $(KERNEL_HEADERS)/uapi/linux/capability.h | fgrep -v 0x > $@
30+ perl -e 'while ($$l=<>) { if ($$l =~ /^\#define[ \t](CAP[_A-Z]+)[ \t]+([0-9]+)\s+$$/) { $$tok=$$1; $$val=$$2; $$tok =~ tr/A-Z/a-z/; print "{\"$$tok\",$$val},\n"; } }' $(KERNEL_HEADERS)/linux/capability.h | fgrep -v 0x > $@
31
32 $(STALIBNAME): $(OBJS)
33 $(AR) rcs $@ $^
34diff -Naur libcap-2.23.orig/libcap/include/linux/capability.h libcap-2.23/libcap/include/linux/capability.h
35--- libcap-2.23.orig/libcap/include/linux/capability.h 2013-12-15 23:47:10.000000000 -0500
36+++ libcap-2.23/libcap/include/linux/capability.h 1969-12-31 19:00:00.000000000 -0500
37@@ -1,219 +0,0 @@
38-/*
39- * This is <linux/capability.h>
40- *
41- * Andrew G. Morgan <morgan@kernel.org>
42- * Alexander Kjeldaas <astor@guardian.no>
43- * with help from Aleph1, Roland Buresund and Andrew Main.
44- *
45- * See here for the libcap library ("POSIX draft" compliance):
46- *
47- * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
48- */
49-#ifndef _LINUX_CAPABILITY_H
50-#define _LINUX_CAPABILITY_H
51-
52-#include <uapi/linux/capability.h>
53-
54-
55-#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
56-#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
57-
58-extern int file_caps_enabled;
59-
60-typedef struct kernel_cap_struct {
61- __u32 cap[_KERNEL_CAPABILITY_U32S];
62-} kernel_cap_t;
63-
64-/* exact same as vfs_cap_data but in cpu endian and always filled completely */
65-struct cpu_vfs_cap_data {
66- __u32 magic_etc;
67- kernel_cap_t permitted;
68- kernel_cap_t inheritable;
69-};
70-
71-#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
72-#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
73-
74-
75-struct file;
76-struct inode;
77-struct dentry;
78-struct user_namespace;
79-
80-struct user_namespace *current_user_ns(void);
81-
82-extern const kernel_cap_t __cap_empty_set;
83-extern const kernel_cap_t __cap_init_eff_set;
84-
85-/*
86- * Internal kernel functions only
87- */
88-
89-#define CAP_FOR_EACH_U32(__capi) \
90- for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
91-
92-/*
93- * CAP_FS_MASK and CAP_NFSD_MASKS:
94- *
95- * The fs mask is all the privileges that fsuid==0 historically meant.
96- * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
97- *
98- * It has never meant setting security.* and trusted.* xattrs.
99- *
100- * We could also define fsmask as follows:
101- * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
102- * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
103- */
104-
105-# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
106- | CAP_TO_MASK(CAP_MKNOD) \
107- | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
108- | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
109- | CAP_TO_MASK(CAP_FOWNER) \
110- | CAP_TO_MASK(CAP_FSETID))
111-
112-# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
113-
114-#if _KERNEL_CAPABILITY_U32S != 2
115-# error Fix up hand-coded capability macro initializers
116-#else /* HAND-CODED capability initializers */
117-
118-# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
119-# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
120-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
121- | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
122- CAP_FS_MASK_B1 } })
123-# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
124- | CAP_TO_MASK(CAP_SYS_RESOURCE), \
125- CAP_FS_MASK_B1 } })
126-
127-#endif /* _KERNEL_CAPABILITY_U32S != 2 */
128-
129-# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
130-
131-#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
132-#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
133-#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
134-
135-#define CAP_BOP_ALL(c, a, b, OP) \
136-do { \
137- unsigned __capi; \
138- CAP_FOR_EACH_U32(__capi) { \
139- c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
140- } \
141-} while (0)
142-
143-#define CAP_UOP_ALL(c, a, OP) \
144-do { \
145- unsigned __capi; \
146- CAP_FOR_EACH_U32(__capi) { \
147- c.cap[__capi] = OP a.cap[__capi]; \
148- } \
149-} while (0)
150-
151-static inline kernel_cap_t cap_combine(const kernel_cap_t a,
152- const kernel_cap_t b)
153-{
154- kernel_cap_t dest;
155- CAP_BOP_ALL(dest, a, b, |);
156- return dest;
157-}
158-
159-static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
160- const kernel_cap_t b)
161-{
162- kernel_cap_t dest;
163- CAP_BOP_ALL(dest, a, b, &);
164- return dest;
165-}
166-
167-static inline kernel_cap_t cap_drop(const kernel_cap_t a,
168- const kernel_cap_t drop)
169-{
170- kernel_cap_t dest;
171- CAP_BOP_ALL(dest, a, drop, &~);
172- return dest;
173-}
174-
175-static inline kernel_cap_t cap_invert(const kernel_cap_t c)
176-{
177- kernel_cap_t dest;
178- CAP_UOP_ALL(dest, c, ~);
179- return dest;
180-}
181-
182-static inline int cap_isclear(const kernel_cap_t a)
183-{
184- unsigned __capi;
185- CAP_FOR_EACH_U32(__capi) {
186- if (a.cap[__capi] != 0)
187- return 0;
188- }
189- return 1;
190-}
191-
192-/*
193- * Check if "a" is a subset of "set".
194- * return 1 if ALL of the capabilities in "a" are also in "set"
195- * cap_issubset(0101, 1111) will return 1
196- * return 0 if ANY of the capabilities in "a" are not in "set"
197- * cap_issubset(1111, 0101) will return 0
198- */
199-static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
200-{
201- kernel_cap_t dest;
202- dest = cap_drop(a, set);
203- return cap_isclear(dest);
204-}
205-
206-/* Used to decide between falling back on the old suser() or fsuser(). */
207-
208-static inline int cap_is_fs_cap(int cap)
209-{
210- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
211- return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
212-}
213-
214-static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
215-{
216- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
217- return cap_drop(a, __cap_fs_set);
218-}
219-
220-static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
221- const kernel_cap_t permitted)
222-{
223- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
224- return cap_combine(a,
225- cap_intersect(permitted, __cap_fs_set));
226-}
227-
228-static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
229-{
230- const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
231- return cap_drop(a, __cap_fs_set);
232-}
233-
234-static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
235- const kernel_cap_t permitted)
236-{
237- const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
238- return cap_combine(a,
239- cap_intersect(permitted, __cap_nfsd_set));
240-}
241-
242-extern bool has_capability(struct task_struct *t, int cap);
243-extern bool has_ns_capability(struct task_struct *t,
244- struct user_namespace *ns, int cap);
245-extern bool has_capability_noaudit(struct task_struct *t, int cap);
246-extern bool has_ns_capability_noaudit(struct task_struct *t,
247- struct user_namespace *ns, int cap);
248-extern bool capable(int cap);
249-extern bool ns_capable(struct user_namespace *ns, int cap);
250-extern bool inode_capable(const struct inode *inode, int cap);
251-extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
252-
253-/* audit system wants to get cap info from files as well */
254-extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
255-
256-#endif /* !_LINUX_CAPABILITY_H */
257diff -Naur libcap-2.23.orig/libcap/include/linux/prctl.h libcap-2.23/libcap/include/linux/prctl.h
258--- libcap-2.23.orig/libcap/include/linux/prctl.h 2013-12-15 23:46:28.000000000 -0500
259+++ libcap-2.23/libcap/include/linux/prctl.h 1969-12-31 19:00:00.000000000 -0500
260@@ -1,105 +0,0 @@
261-#ifndef _LINUX_PRCTL_H
262-#define _LINUX_PRCTL_H
263-
264-/* Values to pass as first argument to prctl() */
265-
266-#define PR_SET_PDEATHSIG 1 /* Second arg is a signal */
267-#define PR_GET_PDEATHSIG 2 /* Second arg is a ptr to return the signal */
268-
269-/* Get/set current->mm->dumpable */
270-#define PR_GET_DUMPABLE 3
271-#define PR_SET_DUMPABLE 4
272-
273-/* Get/set unaligned access control bits (if meaningful) */
274-#define PR_GET_UNALIGN 5
275-#define PR_SET_UNALIGN 6
276-# define PR_UNALIGN_NOPRINT 1 /* silently fix up unaligned user accesses */
277-# define PR_UNALIGN_SIGBUS 2 /* generate SIGBUS on unaligned user access */
278-
279-/* Get/set whether or not to drop capabilities on setuid() away from
280- * uid 0 (as per security/commoncap.c) */
281-#define PR_GET_KEEPCAPS 7
282-#define PR_SET_KEEPCAPS 8
283-
284-/* Get/set floating-point emulation control bits (if meaningful) */
285-#define PR_GET_FPEMU 9
286-#define PR_SET_FPEMU 10
287-# define PR_FPEMU_NOPRINT 1 /* silently emulate fp operations accesses */
288-# define PR_FPEMU_SIGFPE 2 /* don't emulate fp operations, send SIGFPE instead */
289-
290-/* Get/set floating-point exception mode (if meaningful) */
291-#define PR_GET_FPEXC 11
292-#define PR_SET_FPEXC 12
293-# define PR_FP_EXC_SW_ENABLE 0x80 /* Use FPEXC for FP exception enables */
294-# define PR_FP_EXC_DIV 0x010000 /* floating point divide by zero */
295-# define PR_FP_EXC_OVF 0x020000 /* floating point overflow */
296-# define PR_FP_EXC_UND 0x040000 /* floating point underflow */
297-# define PR_FP_EXC_RES 0x080000 /* floating point inexact result */
298-# define PR_FP_EXC_INV 0x100000 /* floating point invalid operation */
299-# define PR_FP_EXC_DISABLED 0 /* FP exceptions disabled */
300-# define PR_FP_EXC_NONRECOV 1 /* async non-recoverable exc. mode */
301-# define PR_FP_EXC_ASYNC 2 /* async recoverable exception mode */
302-# define PR_FP_EXC_PRECISE 3 /* precise exception mode */
303-
304-/* Get/set whether we use statistical process timing or accurate timestamp
305- * based process timing */
306-#define PR_GET_TIMING 13
307-#define PR_SET_TIMING 14
308-# define PR_TIMING_STATISTICAL 0 /* Normal, traditional,
309- statistical process timing */
310-# define PR_TIMING_TIMESTAMP 1 /* Accurate timestamp based
311- process timing */
312-
313-#define PR_SET_NAME 15 /* Set process name */
314-#define PR_GET_NAME 16 /* Get process name */
315-
316-/* Get/set process endian */
317-#define PR_GET_ENDIAN 19
318-#define PR_SET_ENDIAN 20
319-# define PR_ENDIAN_BIG 0
320-# define PR_ENDIAN_LITTLE 1 /* True little endian mode */
321-# define PR_ENDIAN_PPC_LITTLE 2 /* "PowerPC" pseudo little endian */
322-
323-/* Get/set process seccomp mode */
324-#define PR_GET_SECCOMP 21
325-#define PR_SET_SECCOMP 22
326-
327-/* Get/set the capability bounding set (as per security/commoncap.c) */
328-#define PR_CAPBSET_READ 23
329-#define PR_CAPBSET_DROP 24
330-
331-/* Get/set the process' ability to use the timestamp counter instruction */
332-#define PR_GET_TSC 25
333-#define PR_SET_TSC 26
334-# define PR_TSC_ENABLE 1 /* allow the use of the timestamp counter */
335-# define PR_TSC_SIGSEGV 2 /* throw a SIGSEGV instead of reading the TSC */
336-
337-/* Get/set securebits (as per security/commoncap.c) */
338-#define PR_GET_SECUREBITS 27
339-#define PR_SET_SECUREBITS 28
340-
341-/*
342- * Get/set the timerslack as used by poll/select/nanosleep
343- * A value of 0 means "use default"
344- */
345-#define PR_SET_TIMERSLACK 29
346-#define PR_GET_TIMERSLACK 30
347-
348-#define PR_TASK_PERF_EVENTS_DISABLE 31
349-#define PR_TASK_PERF_EVENTS_ENABLE 32
350-
351-/*
352- * Set early/late kill mode for hwpoison memory corruption.
353- * This influences when the process gets killed on a memory corruption.
354- */
355-#define PR_MCE_KILL 33
356-# define PR_MCE_KILL_CLEAR 0
357-# define PR_MCE_KILL_SET 1
358-
359-# define PR_MCE_KILL_LATE 0
360-# define PR_MCE_KILL_EARLY 1
361-# define PR_MCE_KILL_DEFAULT 2
362-
363-#define PR_MCE_KILL_GET 34
364-
365-#endif /* _LINUX_PRCTL_H */
366diff -Naur libcap-2.23.orig/libcap/include/linux/securebits.h libcap-2.23/libcap/include/linux/securebits.h
367--- libcap-2.23.orig/libcap/include/linux/securebits.h 2013-12-15 23:46:28.000000000 -0500
368+++ libcap-2.23/libcap/include/linux/securebits.h 1969-12-31 19:00:00.000000000 -0500
369@@ -1,54 +0,0 @@
370-#ifndef _LINUX_SECUREBITS_H
371-#define _LINUX_SECUREBITS_H 1
372-
373-/* Each securesetting is implemented using two bits. One bit specifies
374- whether the setting is on or off. The other bit specify whether the
375- setting is locked or not. A setting which is locked cannot be
376- changed from user-level. */
377-#define issecure_mask(X) (1 << (X))
378-#ifdef __KERNEL__
379-#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
380-#endif
381-
382-#define SECUREBITS_DEFAULT 0x00000000
383-
384-/* When set UID 0 has no special privileges. When unset, we support
385- inheritance of root-permissions and suid-root executable under
386- compatibility mode. We raise the effective and inheritable bitmasks
387- *of the executable file* if the effective uid of the new process is
388- 0. If the real uid is 0, we raise the effective (legacy) bit of the
389- executable file. */
390-#define SECURE_NOROOT 0
391-#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */
392-
393-#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT))
394-#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED))
395-
396-/* When set, setuid to/from uid 0 does not trigger capability-"fixup".
397- When unset, to provide compatiblility with old programs relying on
398- set*uid to gain/lose privilege, transitions to/from uid 0 cause
399- capabilities to be gained/lost. */
400-#define SECURE_NO_SETUID_FIXUP 2
401-#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
402-
403-#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP))
404-#define SECBIT_NO_SETUID_FIXUP_LOCKED \
405- (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))
406-
407-/* When set, a process can retain its capabilities even after
408- transitioning to a non-root user (the set-uid fixup suppressed by
409- bit 2). Bit-4 is cleared when a process calls exec(); setting both
410- bit 4 and 5 will create a barrier through exec that no exec()'d
411- child can use this feature again. */
412-#define SECURE_KEEP_CAPS 4
413-#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */
414-
415-#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
416-#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
417-
418-#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
419- issecure_mask(SECURE_NO_SETUID_FIXUP) | \
420- issecure_mask(SECURE_KEEP_CAPS))
421-#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
422-
423-#endif /* !_LINUX_SECUREBITS_H */
424diff -Naur libcap-2.23.orig/libcap/include/sys/capability.h libcap-2.23/libcap/include/sys/capability.h
425--- libcap-2.23.orig/libcap/include/sys/capability.h 2013-12-15 23:47:10.000000000 -0500
426+++ libcap-2.23/libcap/include/sys/capability.h 2014-01-05 01:23:01.000000000 -0500
427@@ -26,7 +26,7 @@
428 #ifndef __user
429 #define __user
430 #endif
431-#include <uapi/linux/capability.h>
432+#include <linux/capability.h>
433 #include <linux/xattr.h>
434
435 /*
436diff -Naur libcap-2.23.orig/libcap/include/uapi/linux/prctl.h libcap-2.23/libcap/include/uapi/linux/prctl.h
437--- libcap-2.23.orig/libcap/include/uapi/linux/prctl.h 1969-12-31 19:00:00.000000000 -0500
438+++ libcap-2.23/libcap/include/uapi/linux/prctl.h 2014-01-05 01:23:01.000000000 -0500
439@@ -0,0 +1,152 @@
440+#ifndef _LINUX_PRCTL_H
441+#define _LINUX_PRCTL_H
442+
443+/* Values to pass as first argument to prctl() */
444+
445+#define PR_SET_PDEATHSIG 1 /* Second arg is a signal */
446+#define PR_GET_PDEATHSIG 2 /* Second arg is a ptr to return the signal */
447+
448+/* Get/set current->mm->dumpable */
449+#define PR_GET_DUMPABLE 3
450+#define PR_SET_DUMPABLE 4
451+
452+/* Get/set unaligned access control bits (if meaningful) */
453+#define PR_GET_UNALIGN 5
454+#define PR_SET_UNALIGN 6
455+# define PR_UNALIGN_NOPRINT 1 /* silently fix up unaligned user accesses */
456+# define PR_UNALIGN_SIGBUS 2 /* generate SIGBUS on unaligned user access */
457+
458+/* Get/set whether or not to drop capabilities on setuid() away from
459+ * uid 0 (as per security/commoncap.c) */
460+#define PR_GET_KEEPCAPS 7
461+#define PR_SET_KEEPCAPS 8
462+
463+/* Get/set floating-point emulation control bits (if meaningful) */
464+#define PR_GET_FPEMU 9
465+#define PR_SET_FPEMU 10
466+# define PR_FPEMU_NOPRINT 1 /* silently emulate fp operations accesses */
467+# define PR_FPEMU_SIGFPE 2 /* don't emulate fp operations, send SIGFPE instead */
468+
469+/* Get/set floating-point exception mode (if meaningful) */
470+#define PR_GET_FPEXC 11
471+#define PR_SET_FPEXC 12
472+# define PR_FP_EXC_SW_ENABLE 0x80 /* Use FPEXC for FP exception enables */
473+# define PR_FP_EXC_DIV 0x010000 /* floating point divide by zero */
474+# define PR_FP_EXC_OVF 0x020000 /* floating point overflow */
475+# define PR_FP_EXC_UND 0x040000 /* floating point underflow */
476+# define PR_FP_EXC_RES 0x080000 /* floating point inexact result */
477+# define PR_FP_EXC_INV 0x100000 /* floating point invalid operation */
478+# define PR_FP_EXC_DISABLED 0 /* FP exceptions disabled */
479+# define PR_FP_EXC_NONRECOV 1 /* async non-recoverable exc. mode */
480+# define PR_FP_EXC_ASYNC 2 /* async recoverable exception mode */
481+# define PR_FP_EXC_PRECISE 3 /* precise exception mode */
482+
483+/* Get/set whether we use statistical process timing or accurate timestamp
484+ * based process timing */
485+#define PR_GET_TIMING 13
486+#define PR_SET_TIMING 14
487+# define PR_TIMING_STATISTICAL 0 /* Normal, traditional,
488+ statistical process timing */
489+# define PR_TIMING_TIMESTAMP 1 /* Accurate timestamp based
490+ process timing */
491+
492+#define PR_SET_NAME 15 /* Set process name */
493+#define PR_GET_NAME 16 /* Get process name */
494+
495+/* Get/set process endian */
496+#define PR_GET_ENDIAN 19
497+#define PR_SET_ENDIAN 20
498+# define PR_ENDIAN_BIG 0
499+# define PR_ENDIAN_LITTLE 1 /* True little endian mode */
500+# define PR_ENDIAN_PPC_LITTLE 2 /* "PowerPC" pseudo little endian */
501+
502+/* Get/set process seccomp mode */
503+#define PR_GET_SECCOMP 21
504+#define PR_SET_SECCOMP 22
505+
506+/* Get/set the capability bounding set (as per security/commoncap.c) */
507+#define PR_CAPBSET_READ 23
508+#define PR_CAPBSET_DROP 24
509+
510+/* Get/set the process' ability to use the timestamp counter instruction */
511+#define PR_GET_TSC 25
512+#define PR_SET_TSC 26
513+# define PR_TSC_ENABLE 1 /* allow the use of the timestamp counter */
514+# define PR_TSC_SIGSEGV 2 /* throw a SIGSEGV instead of reading the TSC */
515+
516+/* Get/set securebits (as per security/commoncap.c) */
517+#define PR_GET_SECUREBITS 27
518+#define PR_SET_SECUREBITS 28
519+
520+/*
521+ * Get/set the timerslack as used by poll/select/nanosleep
522+ * A value of 0 means "use default"
523+ */
524+#define PR_SET_TIMERSLACK 29
525+#define PR_GET_TIMERSLACK 30
526+
527+#define PR_TASK_PERF_EVENTS_DISABLE 31
528+#define PR_TASK_PERF_EVENTS_ENABLE 32
529+
530+/*
531+ * Set early/late kill mode for hwpoison memory corruption.
532+ * This influences when the process gets killed on a memory corruption.
533+ */
534+#define PR_MCE_KILL 33
535+# define PR_MCE_KILL_CLEAR 0
536+# define PR_MCE_KILL_SET 1
537+
538+# define PR_MCE_KILL_LATE 0
539+# define PR_MCE_KILL_EARLY 1
540+# define PR_MCE_KILL_DEFAULT 2
541+
542+#define PR_MCE_KILL_GET 34
543+
544+/*
545+ * Tune up process memory map specifics.
546+ */
547+#define PR_SET_MM 35
548+# define PR_SET_MM_START_CODE 1
549+# define PR_SET_MM_END_CODE 2
550+# define PR_SET_MM_START_DATA 3
551+# define PR_SET_MM_END_DATA 4
552+# define PR_SET_MM_START_STACK 5
553+# define PR_SET_MM_START_BRK 6
554+# define PR_SET_MM_BRK 7
555+# define PR_SET_MM_ARG_START 8
556+# define PR_SET_MM_ARG_END 9
557+# define PR_SET_MM_ENV_START 10
558+# define PR_SET_MM_ENV_END 11
559+# define PR_SET_MM_AUXV 12
560+# define PR_SET_MM_EXE_FILE 13
561+
562+/*
563+ * Set specific pid that is allowed to ptrace the current task.
564+ * A value of 0 mean "no process".
565+ */
566+#define PR_SET_PTRACER 0x59616d61
567+# define PR_SET_PTRACER_ANY ((unsigned long)-1)
568+
569+#define PR_SET_CHILD_SUBREAPER 36
570+#define PR_GET_CHILD_SUBREAPER 37
571+
572+/*
573+ * If no_new_privs is set, then operations that grant new privileges (i.e.
574+ * execve) will either fail or not grant them. This affects suid/sgid,
575+ * file capabilities, and LSMs.
576+ *
577+ * Operations that merely manipulate or drop existing privileges (setresuid,
578+ * capset, etc.) will still work. Drop those privileges if you want them gone.
579+ *
580+ * Changing LSM security domain is considered a new privilege. So, for example,
581+ * asking selinux for a specific new context (e.g. with runcon) will result
582+ * in execve returning -EPERM.
583+ *
584+ * See Documentation/prctl/no_new_privs.txt for more details.
585+ */
586+#define PR_SET_NO_NEW_PRIVS 38
587+#define PR_GET_NO_NEW_PRIVS 39
588+
589+#define PR_GET_TID_ADDRESS 40
590+
591+#endif /* _LINUX_PRCTL_H */
592diff -Naur libcap-2.23.orig/libcap/include/uapi/linux/securebits.h libcap-2.23/libcap/include/uapi/linux/securebits.h
593--- libcap-2.23.orig/libcap/include/uapi/linux/securebits.h 1969-12-31 19:00:00.000000000 -0500
594+++ libcap-2.23/libcap/include/uapi/linux/securebits.h 2014-01-05 01:23:01.000000000 -0500
595@@ -0,0 +1,51 @@
596+#ifndef _UAPI_LINUX_SECUREBITS_H
597+#define _UAPI_LINUX_SECUREBITS_H
598+
599+/* Each securesetting is implemented using two bits. One bit specifies
600+ whether the setting is on or off. The other bit specify whether the
601+ setting is locked or not. A setting which is locked cannot be
602+ changed from user-level. */
603+#define issecure_mask(X) (1 << (X))
604+
605+#define SECUREBITS_DEFAULT 0x00000000
606+
607+/* When set UID 0 has no special privileges. When unset, we support
608+ inheritance of root-permissions and suid-root executable under
609+ compatibility mode. We raise the effective and inheritable bitmasks
610+ *of the executable file* if the effective uid of the new process is
611+ 0. If the real uid is 0, we raise the effective (legacy) bit of the
612+ executable file. */
613+#define SECURE_NOROOT 0
614+#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */
615+
616+#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT))
617+#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED))
618+
619+/* When set, setuid to/from uid 0 does not trigger capability-"fixup".
620+ When unset, to provide compatiblility with old programs relying on
621+ set*uid to gain/lose privilege, transitions to/from uid 0 cause
622+ capabilities to be gained/lost. */
623+#define SECURE_NO_SETUID_FIXUP 2
624+#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
625+
626+#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP))
627+#define SECBIT_NO_SETUID_FIXUP_LOCKED \
628+ (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))
629+
630+/* When set, a process can retain its capabilities even after
631+ transitioning to a non-root user (the set-uid fixup suppressed by
632+ bit 2). Bit-4 is cleared when a process calls exec(); setting both
633+ bit 4 and 5 will create a barrier through exec that no exec()'d
634+ child can use this feature again. */
635+#define SECURE_KEEP_CAPS 4
636+#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */
637+
638+#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
639+#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
640+
641+#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
642+ issecure_mask(SECURE_NO_SETUID_FIXUP) | \
643+ issecure_mask(SECURE_KEEP_CAPS))
644+#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
645+
646+#endif /* _UAPI_LINUX_SECUREBITS_H */
Note: See TracBrowser for help on using the repository browser.