author: Andrew G. Morgan <morgan@kernel.org> 2021-04-19 20:15:44 -0700
committer: Andrew G. Morgan <morgan@kernel.org> 2021-04-19 20:15:44 -0700
commit: 3f1f067e609fc99342734b2b1ad099aae2b5e4fd (patch)
tree: 64177894dcb7d27972ca0cb1e615b8e2af8348ef
parent: b48c649ef01b01e3e7d95c070beb6afae2c1cf25 (diff)
download: libcap2-3f1f067e609fc99342734b2b1ad099aae2b5e4fd.tar.gz
Clean up the comments and links in goapps/web/

They had become stale.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r--  goapps/web/README  |  2
-rw-r--r--  goapps/web/web.go  | 25
2 files changed, 9 insertions, 18 deletions
diff --git a/goapps/web/README b/goapps/web/README
index cc3c609..cbabd5d 100644
--- a/goapps/web/README
+++ b/goapps/web/README
@@ -10,7 +10,7 @@ this code with
A more complete walk through of what this code does is provided here:
- https://sites.google.com/site/fullycapable/building-go-programs-that-manipulate-capabilities
+ https://sites.google.com/site/fullycapable/getting-started-with-go/building-go-programs-that-manipulate-capabilities
Go compilers prior to go1.11.13 are not expected to work. Report more
recent issues to:
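Review bot: the unchanged context line "Go compilers prior to go1.11.13 are not expected to work" now disagrees with the version bounds introduced in web.go by this same commit (CGO_ENABLED=0 builds need go1.16+, and versions prior to 1.15 need environment variable workarounds). Since the stated purpose is to remove stale text, the README's minimum-version sentence should be updated in the same change so that readers do not get two different answers about which toolchains are supported.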
diff --git a/goapps/web/web.go b/goapps/web/web.go
index d184e97..f76e2b0 100644
--- a/goapps/web/web.go
+++ b/goapps/web/web.go
@@ -2,25 +2,16 @@
// bind to a privileged port, and then drop all capabilities before
// handling the first web request.
//
-// This program cannot work reliably as a pure Go application without
-// the equivalent of the Go runtime patch that adds a POSIX semantics
-// wrapper around the system calls that change per-thread security
-// state. A patch for the pure Go compiler/runtime to add this support
-// is available here [2019-12-14]:
+// This program can be compiled CGO_ENABLED=0 with the go1.16+
+// toolchain.
//
-// https://go-review.googlesource.com/c/go/+/210639/
+// Go versions prior to 1.16 use some cgo support provided by the
+// "kernel.org/pub/linux/libs/security/libcap/psx" package.
//
-// Until that patch, or something like it, is absorbed into the Go
-// runtime the only way to get capabilities to work reliably on the Go
-// runtime is to use something like libpsx via CGo to do capability
-// setting syscalls in C with POSIX semantics. As of this build of the
-// Go "kernel.org/pub/linux/libs/security/libcap/cap" package,
-// courtesy of the "kernel.org/pub/linux/libs/security/libcap/psx"
-// package, this is how things work.
-//
-// To set this up, compile and empower this binary as follows (read
-// over the detail in the psx package description if this doesn't
-// 'just' work):
+// To set this up, compile and empower this binary as follows (the
+// README contains a pointer to a full writeup for building this
+// package - go versions prior to 1.15 need some environment variable
+// workarounds):
//
// go build web.go
// sudo setcap cap_setpcap,cap_net_bind_service=p web
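Review bot: the new header comment uses two different version thresholds for what reads like the same requirement: "can be compiled CGO_ENABLED=0 with the go1.16+ toolchain" and "Go versions prior to 1.16 use some cgo support" on the one hand, and "go versions prior to 1.15 need some environment variable workarounds" on the other. Please state explicitly whether 1.15 is a separate build-environment caveat or a typo for 1.16. The rewrite also drops the only explanation of why the psx package is involved at all, namely that capability-setting syscalls must be applied with POSIX (all-thread) semantics for the "drop all capabilities before handling the first web request" promise in the opening comment to hold on the Go runtime; replacing "use some cgo support provided by" with one clause that names that reason would keep the comment short without losing the security-relevant point.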