From 967b3a0a95223036478e7d991ee96fa42912803a Mon Sep 17 00:00:00 2001
From: "Andrew G. Morgan"
Date: Sun, 5 Sep 2021 11:42:28 -0700
Subject: Add --mode query support to capsh

This addresses the feature request:

https://bugzilla.kernel.org/show_bug.cgi?id=214319

Signed-off-by: Andrew G. Morgan
---
 doc/capsh.1 | 11 ++++++++---
 progs/capsh.c | 57 +++++++++++++++++++++++++++++++++------------------------
 2 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/doc/capsh.1 b/doc/capsh.1
index 87ce06e..42637ab 100644
--- a/doc/capsh.1
+++ b/doc/capsh.1
@@ -91,9 +91,10 @@ Following this command, the effective capabilities will be
 cleared, but the permitted set will not be, so the running program
 is still privileged.
 .TP
-.B \-\-modes
-Lists all of the libcap modes supported by
-.BR \-\-mode .
+.B \-\-mode
+Display the prevailing libcap mode as guessed by the
+.BR cap_get_mode (3)
+function.
 .TP
 .BR \-\-mode=
 Force the program into a
@@ -101,6 +102,10 @@ Force the program into a
 security mode. This is a set of securebits and prevailing capability
 arrangement recommended for its pre-determined security stance.
 .TP
+.B \-\-modes
+Lists all of the libcap modes supported by
+.BR \-\-mode= .
+.TP
 .BR \-\-inmode=
 Confirm that the prevailing mode is that specified in
 .IR ,
diff --git a/progs/capsh.c b/progs/capsh.c
index 0cf8b1e..be86cd7 100644
--- a/progs/capsh.c
+++ b/progs/capsh.c
@@ -611,30 +611,38 @@ int main(int argc, char *argv[], char *envp[])
 printf(" %s", m);
 }
 printf("\n");
- } else if (!strncmp("--mode=", argv[i], 7)) {
- const char *target = argv[i]+7;
- cap_mode_t c;
- int found = 0;
- for (c = 1; ; c++) {
- const char *m = cap_mode_name(c);
- if (!strcmp("UNKNOWN", m)) {
- found = 0;
- break;
+ } else if (!strncmp("--mode", argv[i], 6)) {
+ if (argv[i][6] == '=') {
+ const char *target = argv[i]+7;
+ cap_mode_t c;
+ int found = 0;
+ for (c = 1; ; c++) {
+ const char *m = cap_mode_name(c);
+ if (!strcmp("UNKNOWN", m)) {
+ found = 0;
+ break;
+ }
+ if (!strcmp(m, target)) {
+ found = 1;
+ break;
+ }
 }
- if (!strcmp(m, target)) {
- found = 1;
- break;
+ if (!found) {
+ printf("unsupported mode: %s\n", target);
+ exit(1);
 }
- }
- if (!found) {
- printf("unsupported mode: %s\n", target);
- exit(1);
- }
- int ret = cap_set_mode(c);
- if (ret != 0) {
- printf("failed to set mode [%s]: %s\n",
- target, strerror(errno));
- exit(1);
+ int ret = cap_set_mode(c);
+ if (ret != 0) {
+ printf("failed to set mode [%s]: %s\n",
+ target, strerror(errno));
+ exit(1);
+ }
+ } else if (argv[i][6]) {
+ printf("unrecognized command [%s]\n", argv[i]);
+ goto usage;
+ } else {
+ cap_mode_t m = cap_get_mode();
+ printf("Mode: %s\n", cap_mode_name(m));
 }
 } else if (!strncmp("--inmode=", argv[i], 9)) {
 const char *target = argv[i]+9;
@@ -1106,8 +1114,9 @@ int main(int argc, char *argv[], char *envp[])
 " --keep= set keep-capability bit to \n"
 " --killit= send signal(n) to child\n"
 " --license display license info\n"
- " --modes list libcap named capability modes\n"
- " --mode= set capability mode to \n"
+ " --mode display current libcap mode\n"
+ " --mode= set libcap mode to \n"
+ " --modes list libcap named modes\n"
 " --no-new-privs set sticky process privilege limiter\n"
 " --noamb reset (drop) all ambient capabilities\n"
 " --print display capability relevant state\n"
-- 
cgit v1.2.1
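Review bot: The widened prefix test `!strncmp("--mode", argv[i], 6)` at the top of the first capsh.c hunk only classifies `--modes` correctly because that option is consumed by the preceding `else if` (its tail is the hunk's first three context lines); if the branches are ever reordered, `--modes` reaches the `else if (argv[i][6])` arm and is rejected as an unrecognized command, so the dependency deserves a comment such as `/* "--modes" is handled by the branch above; only "--mode" and "--mode=<name>" arrive here */` on the new `} else if` line. It is also worth noting in that comment that, like `--inmode=`, the bare `--mode` query reports the mode in effect at its position in the argument sequence, since earlier arguments may already have changed it. The enclosing `main` starts and ends outside the hunk.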