Implement cap.Launch()

From a Go runtime provide a convenient way to launch a different process with modified capabilities etc. without disturbing the security state of the parent. Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
author: Andrew G. Morgan <morgan@kernel.org> 2020-02-23 15:50:51 -0800
committer: Andrew G. Morgan <morgan@kernel.org> 2020-02-23 16:21:40 -0800
commit: e20eb695f91b5c3a87039d6b512b28056c71256d (patch)
tree: 8ebbd8776824030a95bcac5c4f72e3d5b538f8ea /go/Makefile
parent: ef485973d5547431782f9e5f4323eabfebb38622 (diff)
download: libcap2-e20eb695f91b5c3a87039d6b512b28056c71256d.tar.gz
1 files changed, 24 insertions, 3 deletions
diff --git a/go/Makefile b/go/Makefile
index 704c28f..7269716 100644
--- a/go/Makefile
+++ b/go/Makefile
@@ -10,11 +10,14 @@ CAPGOPACKAGE=pkg/$(GOOSARCH)/libcap/cap.a
 
 DEPS=../libcap/libcap.a ../libcap/libpsx.a
 
-all: $(PSXGOPACKAGE) $(CAPGOPACKAGE) web compare-cap
+all: $(PSXGOPACKAGE) $(CAPGOPACKAGE) web compare-cap try-launching
 
 $(DEPS):
 	make -C ../libcap all
 
+../progs/capsh:
+	make -C ../progs capsh
+
 src/libcap/psx:
 	mkdir -p src/libcap
 	ln -s $(topdir)/psx src/libcap/
@@ -52,12 +55,29 @@ ifeq ($(RAISE_GO_FILECAP),yes)
 	@echo "NOTE: RAISED cap_net_bind_service ON web binary"
 endif
 
-test: all
+ok: ok.go
+	CGO_ENABLED=0 GOPATH=$(GOPATH) go build $<
+
+try-launching: try-launching.go $(CAPGOPACKAGE) ok
+	CGO_ENABLED="$(CGO_REQUIRED)" CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go build $<
+ifeq ($(CGO_REQUIRED),0)
+	CGO_ENABLED="1" CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go build -o $@-cgo $<
+endif
+
+test: all ../progs/capsh
 	CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH="$(GOPATH)" go test libcap/psx
 	CGO_LDFLAGS_ALLOW="$(CGO_LDFLAGS_ALLOW)" CGO_CFLAGS="$(CGO_CFLAGS)" CGO_LDFLAGS="$(CGO_LDFLAGS)" GOPATH=$(GOPATH) go test libcap/cap
 	LD_LIBRARY_PATH=../libcap ./compare-cap
+	./try-launching
+ifeq ($(CGO_REQUIRED),0)
+	./try-launching-cgo
+endif
 
 sudotest: test
+	sudo ./try-launching
+ifeq ($(CGO_REQUIRED),0)
+	sudo ./try-launching-cgo
+endif
 
 install: all
 	mkdir -p $(FAKEROOT)$(GOPKGDIR)/libcap/psx
@@ -70,7 +90,8 @@ install: all
 clean:
 	GOPATH=$(GOPATH) go clean -x -i libcap/cap 2> /dev/null || exit 0
 	GOPATH=$(GOPATH) go clean -x -i libcap/psx 2> /dev/null || exit 0
-	rm -f *.o *.so mknames web compare-cap *~
+	rm -f *.o *.so *~ mknames web ok
+	rm -f compare-cap try-launching try-launching-cgo
 	rm -f $(topdir)/cap/*~ $(topdir)/cap/names.go $(topdir)/cap/syscalls*.go
 	rm -f $(topdir)/psx/*~
 	rm -fr pkg src
author	Andrew G. Morgan <morgan@kernel.org>	2020-02-23 15:50:51 -0800
committer	Andrew G. Morgan <morgan@kernel.org>	2020-02-23 16:21:40 -0800
commit	e20eb695f91b5c3a87039d6b512b28056c71256d (patch)
tree	8ebbd8776824030a95bcac5c4f72e3d5b538f8ea /go/Makefile
parent	ef485973d5547431782f9e5f4323eabfebb38622 (diff)
download	libcap2-e20eb695f91b5c3a87039d6b512b28056c71256d.tar.gz