Bump github.com/syndtr/gocapability/ to latest to support AUDIT_READ

Godeps/Godeps.json

@@ -521,7 +521,7 @@
 		},
 		{
 			"ImportPath": "github.com/syndtr/gocapability/capability",
-			"Rev": "3c85049eaeb429febe7788d9c7aac42322a377fe"
+			"Rev": "2c00daeb6c3b45114c80ac44119e7b8801fdd852"
 		},
 		{
 			"ImportPath": "github.com/ugorji/go/codec",

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go

@@ -60,7 +60,8 @@ type Capabilities interface {
 	Apply(kind CapType) error
 }
 
-// NewPid create new initialized Capabilities object for given pid.
+// NewPid create new initialized Capabilities object for given pid when it
+// is nonzero, or for the current pid if pid is 0
 func NewPid(pid int) (Capabilities, error) {
 	return newPid(pid)
 }

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go

@@ -24,12 +24,46 @@ const (
 	linuxCapVer3 = 0x20080522
 )
 
-var capVers uint32
+var (
+	capVers    uint32
+	capLastCap Cap
+)
 
 func init() {
 	var hdr capHeader
 	capget(&hdr, nil)
 	capVers = hdr.version
+
+	if initLastCap() == nil {
+		CAP_LAST_CAP = capLastCap
+		if capLastCap > 31 {
+			capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1
+		} else {
+			capUpperMask = 0
+		}
+	}
+}
+
+func initLastCap() error {
+	if capLastCap != 0 {
+		return nil
+	}
+
+	f, err := os.Open("/proc/sys/kernel/cap_last_cap")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	var b []byte = make([]byte, 11)
+	_, err = f.Read(b)
+	if err != nil {
+		return err
+	}
+
+	fmt.Sscanf(string(b), "%d", &capLastCap)
+
+	return nil
 }
 
 func mkStringCap(c Capabilities, which CapType) (ret string) {
@@ -351,7 +385,15 @@ func (c *capsV3) Load() (err error) {
 		return
 	}
 
-	f, err := os.Open(fmt.Sprintf("/proc/%d/status", c.hdr.pid))
+	var status_path string
+
+	if c.hdr.pid == 0 {
+		status_path = fmt.Sprintf("/proc/self/status")
+	} else {
+		status_path = fmt.Sprintf("/proc/%d/status", c.hdr.pid)
+	}
+
+	f, err := os.Open(status_path)
 	if err != nil {
 		return
 	}

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go

@@ -34,110 +34,30 @@ const (
 	BOUNDS = BOUNDING
 )
 
+//go:generate go run enumgen/gen.go
 type Cap int
 
-func (c Cap) String() string {
-	switch c {
-	case CAP_CHOWN:
-		return "chown"
-	case CAP_DAC_OVERRIDE:
-		return "dac_override"
-	case CAP_DAC_READ_SEARCH:
-		return "dac_read_search"
-	case CAP_FOWNER:
-		return "fowner"
-	case CAP_FSETID:
-		return "fsetid"
-	case CAP_KILL:
-		return "kill"
-	case CAP_SETGID:
-		return "setgid"
-	case CAP_SETUID:
-		return "setuid"
-	case CAP_SETPCAP:
-		return "setpcap"
-	case CAP_LINUX_IMMUTABLE:
-		return "linux_immutable"
-	case CAP_NET_BIND_SERVICE:
-		return "net_bind_service"
-	case CAP_NET_BROADCAST:
-		return "net_broadcast"
-	case CAP_NET_ADMIN:
-		return "net_admin"
-	case CAP_NET_RAW:
-		return "net_raw"
-	case CAP_IPC_LOCK:
-		return "ipc_lock"
-	case CAP_IPC_OWNER:
-		return "ipc_owner"
-	case CAP_SYS_MODULE:
-		return "sys_module"
-	case CAP_SYS_RAWIO:
-		return "sys_rawio"
-	case CAP_SYS_CHROOT:
-		return "sys_chroot"
-	case CAP_SYS_PTRACE:
-		return "sys_ptrace"
-	case CAP_SYS_PACCT:
-		return "sys_psacct"
-	case CAP_SYS_ADMIN:
-		return "sys_admin"
-	case CAP_SYS_BOOT:
-		return "sys_boot"
-	case CAP_SYS_NICE:
-		return "sys_nice"
-	case CAP_SYS_RESOURCE:
-		return "sys_resource"
-	case CAP_SYS_TIME:
-		return "sys_time"
-	case CAP_SYS_TTY_CONFIG:
-		return "sys_tty_config"
-	case CAP_MKNOD:
-		return "mknod"
-	case CAP_LEASE:
-		return "lease"
-	case CAP_AUDIT_WRITE:
-		return "audit_write"
-	case CAP_AUDIT_CONTROL:
-		return "audit_control"
-	case CAP_SETFCAP:
-		return "setfcap"
-	case CAP_MAC_OVERRIDE:
-		return "mac_override"
-	case CAP_MAC_ADMIN:
-		return "mac_admin"
-	case CAP_SYSLOG:
-		return "syslog"
-	case CAP_WAKE_ALARM:
-		return "wake_alarm"
-	case CAP_BLOCK_SUSPEND:
-		return "block_suspend"
-	}
-	return "unknown"
-}
-
+// POSIX-draft defined capabilities.
 const (
-	// POSIX-draft defined capabilities.
-
 	// In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
 	// overrides the restriction of changing file ownership and group
 	// ownership.
-	CAP_CHOWN Cap = 0
+	CAP_CHOWN = Cap(0)
 
 	// Override all DAC access, including ACL execute access if
 	// [_POSIX_ACL] is defined. Excluding DAC access covered by
 	// CAP_LINUX_IMMUTABLE.
-	CAP_DAC_OVERRIDE Cap = 1
+	CAP_DAC_OVERRIDE = Cap(1)
 
 	// Overrides all DAC restrictions regarding read and search on files
 	// and directories, including ACL restrictions if [_POSIX_ACL] is
 	// defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
-	CAP_DAC_READ_SEARCH Cap = 2
+	CAP_DAC_READ_SEARCH = Cap(2)
 
 	// Overrides all restrictions about allowed operations on files, where
 	// file owner ID must be equal to the user ID, except where CAP_FSETID
 	// is applicable. It doesn't override MAC and DAC restrictions.
-	CAP_FOWNER Cap = 3
+	CAP_FOWNER = Cap(3)
 
 	// Overrides the following restrictions that the effective user ID
 	// shall match the file owner ID when setting the S_ISUID and S_ISGID
@@ -145,21 +65,21 @@ const (
 	// supplementary group IDs) shall match the file owner ID when setting
 	// the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
 	// cleared on successful return from chown(2) (not implemented).
-	CAP_FSETID Cap = 4
+	CAP_FSETID = Cap(4)
 
 	// Overrides the restriction that the real or effective user ID of a
 	// process sending a signal must match the real or effective user ID
 	// of the process receiving the signal.
-	CAP_KILL Cap = 5
+	CAP_KILL = Cap(5)
 
 	// Allows setgid(2) manipulation
 	// Allows setgroups(2)
 	// Allows forged gids on socket credentials passing.
-	CAP_SETGID Cap = 6
+	CAP_SETGID = Cap(6)
 
 	// Allows set*uid(2) manipulation (including fsuid).
 	// Allows forged pids on socket credentials passing.
-	CAP_SETUID Cap = 7
+	CAP_SETUID = Cap(7)
 
 	// Linux-specific capabilities
 
@@ -171,17 +91,17 @@ const (
 	//     to the current process' inheritable set
 	//   Allow taking bits out of capability bounding set
 	//   Allow modification of the securebits for a process
-	CAP_SETPCAP Cap = 8
+	CAP_SETPCAP = Cap(8)
 
 	// Allow modification of S_IMMUTABLE and S_APPEND file attributes
-	CAP_LINUX_IMMUTABLE Cap = 9
+	CAP_LINUX_IMMUTABLE = Cap(9)
 
 	// Allows binding to TCP/UDP sockets below 1024
 	// Allows binding to ATM VCIs below 32
-	CAP_NET_BIND_SERVICE Cap = 10
+	CAP_NET_BIND_SERVICE = Cap(10)
 
 	// Allow broadcasting, listen to multicast
-	CAP_NET_BROADCAST Cap = 11
+	CAP_NET_BROADCAST = Cap(11)
 
 	// Allow interface configuration
 	// Allow administration of IP firewall, masquerading and accounting
@@ -196,36 +116,36 @@ const (
 	// Allow multicasting
 	// Allow read/write of device-specific registers
 	// Allow activation of ATM control sockets
-	CAP_NET_ADMIN Cap = 12
+	CAP_NET_ADMIN = Cap(12)
 
 	// Allow use of RAW sockets
 	// Allow use of PACKET sockets
 	// Allow binding to any address for transparent proxying (also via NET_ADMIN)
-	CAP_NET_RAW Cap = 13
+	CAP_NET_RAW = Cap(13)
 
 	// Allow locking of shared memory segments
 	// Allow mlock and mlockall (which doesn't really have anything to do
 	// with IPC)
-	CAP_IPC_LOCK Cap = 14
+	CAP_IPC_LOCK = Cap(14)
 
 	// Override IPC ownership checks
-	CAP_IPC_OWNER Cap = 15
+	CAP_IPC_OWNER = Cap(15)
 
 	// Insert and remove kernel modules - modify kernel without limit
-	CAP_SYS_MODULE Cap = 16
+	CAP_SYS_MODULE = Cap(16)
 
 	// Allow ioperm/iopl access
 	// Allow sending USB messages to any device via /proc/bus/usb
-	CAP_SYS_RAWIO Cap = 17
+	CAP_SYS_RAWIO = Cap(17)
 
 	// Allow use of chroot()
-	CAP_SYS_CHROOT Cap = 18
+	CAP_SYS_CHROOT = Cap(18)
 
 	// Allow ptrace() of any process
-	CAP_SYS_PTRACE Cap = 19
+	CAP_SYS_PTRACE = Cap(19)
 
 	// Allow configuration of process accounting
-	CAP_SYS_PACCT Cap = 20
+	CAP_SYS_PACCT = Cap(20)
 
 	// Allow configuration of the secure attention key
 	// Allow administration of the random device
@@ -263,10 +183,10 @@ const (
 	// arbitrary SCSI commands
 	// Allow setting encryption key on loopback filesystem
 	// Allow setting zone reclaim policy
-	CAP_SYS_ADMIN Cap = 21
+	CAP_SYS_ADMIN = Cap(21)
 
 	// Allow use of reboot()
-	CAP_SYS_BOOT Cap = 22
+	CAP_SYS_BOOT = Cap(22)
 
 	// Allow raising priority and setting priority on other (different
 	// UID) processes
@@ -274,7 +194,7 @@ const (
 	// processes and setting the scheduling algorithm used by another
 	// process.
 	// Allow setting cpu affinity on other processes
-	CAP_SYS_NICE Cap = 23
+	CAP_SYS_NICE = Cap(23)
 
 	// Override resource limits. Set resource limits.
 	// Override quota limits.
@@ -287,33 +207,33 @@ const (
 	// Allow more than 64hz interrupts from the real-time clock
 	// Override max number of consoles on console allocation
 	// Override max number of keymaps
-	CAP_SYS_RESOURCE Cap = 24
+	CAP_SYS_RESOURCE = Cap(24)
 
 	// Allow manipulation of system clock
 	// Allow irix_stime on mips
 	// Allow setting the real-time clock
-	CAP_SYS_TIME Cap = 25
+	CAP_SYS_TIME = Cap(25)
 
 	// Allow configuration of tty devices
 	// Allow vhangup() of tty
-	CAP_SYS_TTY_CONFIG Cap = 26
+	CAP_SYS_TTY_CONFIG = Cap(26)
 
 	// Allow the privileged aspects of mknod()
-	CAP_MKNOD Cap = 27
+	CAP_MKNOD = Cap(27)
 
 	// Allow taking of leases on files
-	CAP_LEASE Cap = 28
+	CAP_LEASE = Cap(28)
 
-	CAP_AUDIT_WRITE   Cap = 29
-	CAP_AUDIT_CONTROL Cap = 30
-	CAP_SETFCAP       Cap = 31
+	CAP_AUDIT_WRITE   = Cap(29)
+	CAP_AUDIT_CONTROL = Cap(30)
+	CAP_SETFCAP       = Cap(31)
 
 	// Override MAC access.
 	// The base kernel enforces no MAC policy.
 	// An LSM may enforce a MAC policy, and if it does and it chooses
 	// to implement capability based overrides of that policy, this is
 	// the capability it should use to do so.
-	CAP_MAC_OVERRIDE Cap = 32
+	CAP_MAC_OVERRIDE = Cap(32)
 
 	// Allow MAC configuration or state changes.
 	// The base kernel requires no MAC configuration.
@@ -321,18 +241,24 @@ const (
 	// to implement capability based checks on modifications to that
 	// policy or the data required to maintain it, this is the
 	// capability it should use to do so.
-	CAP_MAC_ADMIN Cap = 33
+	CAP_MAC_ADMIN = Cap(33)
 
 	// Allow configuring the kernel's syslog (printk behaviour)
-	CAP_SYSLOG Cap = 34
+	CAP_SYSLOG = Cap(34)
 
 	// Allow triggering something that will wake the system
-	CAP_WAKE_ALARM Cap = 35
+	CAP_WAKE_ALARM = Cap(35)
 
 	// Allow preventing system suspends
-	CAP_BLOCK_SUSPEND Cap = 36
+	CAP_BLOCK_SUSPEND = Cap(36)
 
-	CAP_LAST_CAP = CAP_BLOCK_SUSPEND
+	// Allow reading audit messages from the kernel
+	CAP_AUDIT_READ = Cap(37)
 )
 
-const capUpperMask = (uint32(1) << (uint(CAP_LAST_CAP) - 31)) - 1
+var (
+	// Highest valid capability of the running kernel.
+	CAP_LAST_CAP = Cap(63)
+
+	capUpperMask = ^uint32(0)
+)

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum_gen.go

@@ -0,0 +1,129 @@
+// generated file; DO NOT EDIT - use go generate in directory with source
+
+package capability
+
+func (c Cap) String() string {
+	switch c {
+	case CAP_CHOWN:
+		return "chown"
+	case CAP_DAC_OVERRIDE:
+		return "dac_override"
+	case CAP_DAC_READ_SEARCH:
+		return "dac_read_search"
+	case CAP_FOWNER:
+		return "fowner"
+	case CAP_FSETID:
+		return "fsetid"
+	case CAP_KILL:
+		return "kill"
+	case CAP_SETGID:
+		return "setgid"
+	case CAP_SETUID:
+		return "setuid"
+	case CAP_SETPCAP:
+		return "setpcap"
+	case CAP_LINUX_IMMUTABLE:
+		return "linux_immutable"
+	case CAP_NET_BIND_SERVICE:
+		return "net_bind_service"
+	case CAP_NET_BROADCAST:
+		return "net_broadcast"
+	case CAP_NET_ADMIN:
+		return "net_admin"
+	case CAP_NET_RAW:
+		return "net_raw"
+	case CAP_IPC_LOCK:
+		return "ipc_lock"
+	case CAP_IPC_OWNER:
+		return "ipc_owner"
+	case CAP_SYS_MODULE:
+		return "sys_module"
+	case CAP_SYS_RAWIO:
+		return "sys_rawio"
+	case CAP_SYS_CHROOT:
+		return "sys_chroot"
+	case CAP_SYS_PTRACE:
+		return "sys_ptrace"
+	case CAP_SYS_PACCT:
+		return "sys_pacct"
+	case CAP_SYS_ADMIN:
+		return "sys_admin"
+	case CAP_SYS_BOOT:
+		return "sys_boot"
+	case CAP_SYS_NICE:
+		return "sys_nice"
+	case CAP_SYS_RESOURCE:
+		return "sys_resource"
+	case CAP_SYS_TIME:
+		return "sys_time"
+	case CAP_SYS_TTY_CONFIG:
+		return "sys_tty_config"
+	case CAP_MKNOD:
+		return "mknod"
+	case CAP_LEASE:
+		return "lease"
+	case CAP_AUDIT_WRITE:
+		return "audit_write"
+	case CAP_AUDIT_CONTROL:
+		return "audit_control"
+	case CAP_SETFCAP:
+		return "setfcap"
+	case CAP_MAC_OVERRIDE:
+		return "mac_override"
+	case CAP_MAC_ADMIN:
+		return "mac_admin"
+	case CAP_SYSLOG:
+		return "syslog"
+	case CAP_WAKE_ALARM:
+		return "wake_alarm"
+	case CAP_BLOCK_SUSPEND:
+		return "block_suspend"
+	case CAP_AUDIT_READ:
+		return "audit_read"
+	}
+	return "unknown"
+}
+
+// List returns list of all supported capabilities
+func List() []Cap {
+	return []Cap{
+		CAP_CHOWN,
+		CAP_DAC_OVERRIDE,
+		CAP_DAC_READ_SEARCH,
+		CAP_FOWNER,
+		CAP_FSETID,
+		CAP_KILL,
+		CAP_SETGID,
+		CAP_SETUID,
+		CAP_SETPCAP,
+		CAP_LINUX_IMMUTABLE,
+		CAP_NET_BIND_SERVICE,
+		CAP_NET_BROADCAST,
+		CAP_NET_ADMIN,
+		CAP_NET_RAW,
+		CAP_IPC_LOCK,
+		CAP_IPC_OWNER,
+		CAP_SYS_MODULE,
+		CAP_SYS_RAWIO,
+		CAP_SYS_CHROOT,
+		CAP_SYS_PTRACE,
+		CAP_SYS_PACCT,
+		CAP_SYS_ADMIN,
+		CAP_SYS_BOOT,
+		CAP_SYS_NICE,
+		CAP_SYS_RESOURCE,
+		CAP_SYS_TIME,
+		CAP_SYS_TTY_CONFIG,
+		CAP_MKNOD,
+		CAP_LEASE,
+		CAP_AUDIT_WRITE,
+		CAP_AUDIT_CONTROL,
+		CAP_SETFCAP,
+		CAP_MAC_OVERRIDE,
+		CAP_MAC_ADMIN,
+		CAP_SYSLOG,
+		CAP_WAKE_ALARM,
+		CAP_BLOCK_SUSPEND,
+		CAP_AUDIT_READ,
+	}
+}

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enumgen/gen.go

@@ -0,0 +1,92 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/ast"
+	"go/format"
+	"go/parser"
+	"go/token"
+	"io/ioutil"
+	"log"
+	"os"
+	"strings"
+)
+
+const fileName = "enum.go"
+const genName = "enum_gen.go"
+
+type generator struct {
+	buf  bytes.Buffer
+	caps []string
+}
+
+func (g *generator) writeHeader() {
+	g.buf.WriteString("// generated file; DO NOT EDIT - use go generate in directory with source\n")
+	g.buf.WriteString("\n")
+	g.buf.WriteString("package capability")
+}
+
+func (g *generator) writeStringFunc() {
+	g.buf.WriteString("\n")
+	g.buf.WriteString("func (c Cap) String() string {\n")
+	g.buf.WriteString("switch c {\n")
+	for _, cap := range g.caps {
+		fmt.Fprintf(&g.buf, "case %s:\n", cap)
+		fmt.Fprintf(&g.buf, "return \"%s\"\n", strings.ToLower(cap[4:]))
+	}
+	g.buf.WriteString("}\n")
+	g.buf.WriteString("return \"unknown\"\n")
+	g.buf.WriteString("}\n")
+}
+
+func (g *generator) writeListFunc() {
+	g.buf.WriteString("\n")
+	g.buf.WriteString("// List returns list of all supported capabilities\n")
+	g.buf.WriteString("func List() []Cap {\n")
+	g.buf.WriteString("return []Cap{\n")
+	for _, cap := range g.caps {
+		fmt.Fprintf(&g.buf, "%s,\n", cap)
+	}
+	g.buf.WriteString("}\n")
+	g.buf.WriteString("}\n")
+}
+
+func main() {
+	fs := token.NewFileSet()
+	parsedFile, err := parser.ParseFile(fs, fileName, nil, 0)
+	if err != nil {
+		log.Fatal(err)
+	}
+	var caps []string
+	for _, decl := range parsedFile.Decls {
+		decl, ok := decl.(*ast.GenDecl)
+		if !ok || decl.Tok != token.CONST {
+			continue
+		}
+		for _, spec := range decl.Specs {
+			vspec := spec.(*ast.ValueSpec)
+			name := vspec.Names[0].Name
+			if strings.HasPrefix(name, "CAP_") {
+				caps = append(caps, name)
+			}
+		}
+	}
+	g := &generator{caps: caps}
+	g.writeHeader()
+	g.writeStringFunc()
+	g.writeListFunc()
+	src, err := format.Source(g.buf.Bytes())
+	if err != nil {
+		fmt.Println("generated invalid Go code")
+		fmt.Println(g.buf.String())
+		log.Fatal(err)
+	}
+	fi, err := os.Stat(fileName)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if err := ioutil.WriteFile(genName, src, fi.Mode().Perm()); err != nil {
+		log.Fatal(err)
+	}
+}

Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go

@@ -86,6 +86,10 @@ func getVfsCap(path string, dest *vfscapData) (err error) {
 	}
 	r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_vfsXattrName)), uintptr(unsafe.Pointer(dest)), vfscapDataSizeV2, 0, 0)
 	if e1 != 0 {
+		if e1 == syscall.ENODATA {
+			dest.version = 2
+			return
+		}
 		err = e1
 	}
 	switch dest.magic & vfsCapVerMask {
@@ -128,8 +132,6 @@ func setVfsCap(path string, data *vfscapData) (err error) {
 		data.magic = vfsCapVer2
 		if data.effective[0] != 0 || data.effective[1] != 0 {
 			data.magic |= vfsCapFlageffective
-			data.data[0].permitted |= data.effective[0]
-			data.data[1].permitted |= data.effective[1]
 		}
 		size = vfscapDataSizeV2
 	} else {