From 100d8e3ab0eb44b0def28d6f5e858dbc6398ec6c Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Sun, 19 Oct 2008 19:14:08 -0700 Subject: Add an example program to verify that a file has specific capabilities. This program is not installed by default. Its more of a code sample to help folk trying to put such checks into other programs (package managers for example). Signed-off-by: Andrew G. Morgan --- doc/cap_clear.3 | 2 +- progs/.gitignore | 1 + progs/Makefile | 7 ++--- progs/verify-caps.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 81 insertions(+), 4 deletions(-) create mode 100644 progs/verify-caps.c diff --git a/doc/cap_clear.3 b/doc/cap_clear.3 index 3fb5178..48f5cc0 100644 --- a/doc/cap_clear.3 +++ b/doc/cap_clear.3 @@ -98,7 +98,7 @@ returned value carries further information about which of three sets, differ. Specifically, the macro .B CAP_DIFFERS .RI ( status ", " flag ) -evaluates to 0 if the returned status differs in its +evaluates to non-zero if the returned status differs in its .I flag components. .SH "RETURN VALUE" diff --git a/progs/.gitignore b/progs/.gitignore index 280c19e..f42095f 100644 --- a/progs/.gitignore +++ b/progs/.gitignore @@ -2,3 +2,4 @@ capsh getcap getpcaps setcap +verify-caps diff --git a/progs/Makefile b/progs/Makefile index a8e0e53..3f66a38 100644 --- a/progs/Makefile +++ b/progs/Makefile @@ -5,13 +5,14 @@ include $(topdir)/Make.Rules # Programs: all of the examples that we will compile # PROGS=getpcaps getcap setcap capsh +BUILD=$(PROGS) verify-caps LDFLAGS += --static LDLIBS += -lcap -all: $(PROGS) +all: $(BUILD) -$(PROGS): %: %.o +$(BUILD): %: %.o $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS) %.o: %.c $(INCS) @@ -25,4 +26,4 @@ install: all clean: $(LOCALCLEAN) - rm -f *.o $(PROGS) tcapsh ping + rm -f *.o $(BUILD) tcapsh ping diff --git a/progs/verify-caps.c b/progs/verify-caps.c new file mode 100644 index 0000000..2efef17 --- /dev/null +++ b/progs/verify-caps.c @@ -0,0 +1,75 @@ +/* + * Copyright (c) 2008 Andrew G. Morgan + * + * This is a simple script that attempts to verify a file has + * a specific set of capabilities associated with it. This + * code is intended to be a simple prototype for inclusion + * in package manager applications. + */ + +#include +#include +#include + +static int caps_differ(const char *filename, const char *file_caps) +{ + int cmp; + cap_t in_effect, reference; + + in_effect = cap_get_file(filename); + reference = cap_from_text(file_caps); + + if ((in_effect == NULL) || (reference == NULL)) { + char *text; + + if (in_effect == reference) { + return 0; + } else if (in_effect != NULL) { + text = cap_to_text(in_effect, NULL); + printf("reference caps (empty) vs. current (%s)\n", text); + } else { + text = cap_to_text(reference, NULL); + printf("reference caps (%s) vs. current (empty)\n", text); + } + cap_free(text); + return 1; + } + + cmp = cap_compare(in_effect, reference); + if (cmp == 0) { + return 0; + } else { + char *text_ref, *text_current; + + text_current = cap_to_text(in_effect, NULL); + text_ref = cap_to_text(reference, NULL); + + printf("reference caps (%s) vs. current (%s) [differ:%s%s%s]\n", + text_ref, text_current, + CAP_DIFFERS(cmp, CAP_PERMITTED) ? "p" : "", + CAP_DIFFERS(cmp, CAP_INHERITABLE) ? "i" : "", + CAP_DIFFERS(cmp, CAP_EFFECTIVE) ? "e" : ""); + + cap_free(text_ref); + cap_free(text_current); + + return cmp; + } +} + +int main(int argc, char *argv[]) +{ + if (argc != 3) { + fprintf(stderr, "usage: %s \n", argv[0]); + exit(1); + } + + if (caps_differ(argv[1], argv[2])) { + printf("capabilities differ\n"); + exit(1); + } else { + printf("capabibilities are as expected\n"); + } + + exit(0); +} -- cgit v1.2.1