author | Andrew G. Morgan <morgan@kernel.org> | 2021-07-02 19:51:51 -0700 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2021-07-02 19:51:51 -0700 |
commit | 69f7ddbb126f7efa1342b25030e8ca48ee5560ba (patch) | |
tree | 984a408f0c6c00ccef544c5cf2e7d344e9318a6e | |
parent | 6926f78d99fc0e5ed5b10a06ffde79539b70df6a (diff) | |
download | libcap2-69f7ddbb126f7efa1342b25030e8ca48ee5560ba.tar.gz |
Provide a '--current' command line argument for capsh.
This is equivalent to 'capsh --print|fgrep Current'. I've been using
that combination a lot in the write-ups on the libcap website
(https://sites.google.com/site/fullycapable/) and so it struck me
that capsh probably should support it natively.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r-- | doc/capsh.1 | 5 | ||||
-rw-r--r-- | progs/capsh.c | 40 | ||||
-rwxr-xr-x | progs/quicktest.sh | 1 |
3 files changed, 33 insertions, 13 deletions
diff --git a/doc/capsh.1 b/doc/capsh.1
index 524d9ac..3e26842 100644
--- a/doc/capsh.1
+++ b/doc/capsh.1
@@ -1,4 +1,4 @@ -.TH CAPSH 1 "2020-10-27" "libcap 2" "User Commands" +.TH CAPSH 1 "2021-07-01" "libcap 2" "User Commands" .SH NAME capsh \- capability shell wrapper .SH SYNOPSIS
@@ -21,6 +21,9 @@ Display the list of commands supported by .B \-\-print Display prevailing capability and related state. .TP +.B \-\-current +Display prevailing capability state, 1e capabilities and IAB vector. +.TP .BI \-\- " [args]" Execute .B /bin/bash
diff --git a/progs/capsh.c b/progs/capsh.c
index 9a2d7b8..7b52dd9 100644
--- a/progs/capsh.c
+++ b/progs/capsh.c
@@ -83,33 +83,45 @@ static void display_prctl_set(const char *name, int (*fn)(cap_value_t)) } } -/* arg_print displays the current capability state of the process */ -static void arg_print(void) +static void display_current(void) { - long set; int status, j; cap_t all; char *text; - const char *sep; - struct group *g; - gid_t groups[MAX_GROUPS], gid; - uid_t uid, euid; - struct passwd *u, *eu; - cap_iab_t iab; all = cap_get_proc(); text = cap_to_text(all, NULL); printf("Current: %s\n", text); cap_free(text); cap_free(all); +} + +static void display_current_iab(void) +{ + cap_iab_t iab; + char *text; - display_prctl_set("Bounding", cap_get_bound); - display_prctl_set("Ambient", cap_get_ambient); iab = cap_iab_get_proc(); text = cap_iab_to_text(iab); printf("Current IAB: %s\n", text); cap_free(text); cap_free(iab); +} + +/* arg_print displays the current capability state of the process */ +static void arg_print(void) +{ + long set; + int status, j; + const char *sep; + struct group *g; + gid_t groups[MAX_GROUPS], gid; + uid_t uid, euid; + struct passwd *u, *eu; + + display_current(); + display_prctl_set("Bounding", cap_get_bound); + display_prctl_set("Ambient", cap_get_ambient); + display_current_iab(); set = cap_get_secbits(); if (set >= 0) {
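Review bot: display_current() and display_current_iab() hand the results of cap_get_proc() and cap_iab_get_proc() straight to cap_to_text()/cap_iab_to_text() and then to printf("%s") without a NULL check; both getters return NULL on failure (and the to_text calls may return NULL as well), so a failure prints "(null)" on glibc and is undefined behaviour elsewhere, and nothing in the helpers changes the exit status, which the new `pass_capsh --current` line in quicktest.sh therefore cannot catch. I would add `if (all == NULL) { perror("cap_get_proc"); exit(1); }` after the cap_get_proc() call, the equivalent `if (iab == NULL) { perror("cap_iab_get_proc"); exit(1); }` in display_current_iab(), and a check of `text` before each printf. The two new helpers also lack the one-line header comment that arg_print() carries; `/* display_current prints the process's current capability set */` and `/* display_current_iab prints the process's current IAB vector */` would keep the file consistent. arg_print()'s body continues past the end of the hunk.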
@@ -1011,6 +1023,9 @@ int main(int argc, char *argv[], char *envp[]) } } } + } else if (strcmp("--current", argv[i]) == 0) { + display_current(); + display_current_iab(); } else { usage: printf("usage: %s [args ...]\n"
@@ -1018,6 +1033,7 @@ int main(int argc, char *argv[], char *envp[]) " --cap-uid=<n> use libcap cap_setuid() to change uid\n" " --caps=xxx set caps as per cap_from_text()\n" " --chroot=path chroot(2) to this path\n" + " --current show current caps and IAB vectors\n" " --decode=xxx decode a hex string to a list of caps\n" " --delamb=xxx remove xxx,... capabilities from ambient\n" " --explain=xxx explain what capability xxx permits\n"
diff --git a/progs/quicktest.sh b/progs/quicktest.sh
index aaabbca..e508d0b 100755
--- a/progs/quicktest.sh
+++ b/progs/quicktest.sh
@@ -43,6 +43,7 @@ pass_capsh () { } pass_capsh --print +pass_capsh --current # Validate that PATH expansion works PATH=$(/bin/pwd)/junk:$(/bin/pwd) capsh == == == --modes |