From 70328d6c37a8273e71e5d53e6a3648a6f48b4634 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 3 Aug 2015 13:30:17 -0400 Subject: [PATCH] Bump github.com/syndtr/gocapability/ to latest to support AUDIT_READ --- Godeps/Godeps.json | 2 +- .../gocapability/capability/capability.go | 3 +- .../capability/capability_linux.go | 46 ++++- .../syndtr/gocapability/capability/enum.go | 168 +++++------------- .../gocapability/capability/enum_gen.go | 129 ++++++++++++++ .../gocapability/capability/enumgen/gen.go | 92 ++++++++++ .../gocapability/capability/syscall_linux.go | 6 +- 7 files changed, 319 insertions(+), 127 deletions(-) create mode 100644 Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum_gen.go create mode 100644 Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enumgen/gen.go diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index 5ab6dba4fde..2cf0026a248 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json @@ -521,7 +521,7 @@ }, { "ImportPath": "github.com/syndtr/gocapability/capability", - "Rev": "3c85049eaeb429febe7788d9c7aac42322a377fe" + "Rev": "2c00daeb6c3b45114c80ac44119e7b8801fdd852" }, { "ImportPath": "github.com/ugorji/go/codec", diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go index 9df3b4151b6..c13f4e52a9c 100644 --- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go +++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go @@ -60,7 +60,8 @@ type Capabilities interface { Apply(kind CapType) error } -// NewPid create new initialized Capabilities object for given pid. +// NewPid create new initialized Capabilities object for given pid when it +// is nonzero, or for the current pid if pid is 0 func NewPid(pid int) (Capabilities, error) { return newPid(pid) } diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go index c5f335f7fb2..3dfcd398dcd 100644 --- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go +++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go @@ -24,12 +24,46 @@ const ( linuxCapVer3 = 0x20080522 ) -var capVers uint32 +var ( + capVers uint32 + capLastCap Cap +) func init() { var hdr capHeader capget(&hdr, nil) capVers = hdr.version + + if initLastCap() == nil { + CAP_LAST_CAP = capLastCap + if capLastCap > 31 { + capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1 + } else { + capUpperMask = 0 + } + } +} + +func initLastCap() error { + if capLastCap != 0 { + return nil + } + + f, err := os.Open("/proc/sys/kernel/cap_last_cap") + if err != nil { + return err + } + defer f.Close() + + var b []byte = make([]byte, 11) + _, err = f.Read(b) + if err != nil { + return err + } + + fmt.Sscanf(string(b), "%d", &capLastCap) + + return nil } func mkStringCap(c Capabilities, which CapType) (ret string) { @@ -351,7 +385,15 @@ func (c *capsV3) Load() (err error) { return } - f, err := os.Open(fmt.Sprintf("/proc/%d/status", c.hdr.pid)) + var status_path string + + if c.hdr.pid == 0 { + status_path = fmt.Sprintf("/proc/self/status") + } else { + status_path = fmt.Sprintf("/proc/%d/status", c.hdr.pid) + } + + f, err := os.Open(status_path) if err != nil { return } diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go index e2900a4e933..fd0ce7fe8ee 100644 --- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go +++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go @@ -34,110 +34,30 @@ const ( BOUNDS = BOUNDING ) +//go:generate go run enumgen/gen.go type Cap int -func (c Cap) String() string { - switch c { - case CAP_CHOWN: - return "chown" - case CAP_DAC_OVERRIDE: - return "dac_override" - case CAP_DAC_READ_SEARCH: - return "dac_read_search" - case CAP_FOWNER: - return "fowner" - case CAP_FSETID: - return "fsetid" - case CAP_KILL: - return "kill" - case CAP_SETGID: - return "setgid" - case CAP_SETUID: - return "setuid" - case CAP_SETPCAP: - return "setpcap" - case CAP_LINUX_IMMUTABLE: - return "linux_immutable" - case CAP_NET_BIND_SERVICE: - return "net_bind_service" - case CAP_NET_BROADCAST: - return "net_broadcast" - case CAP_NET_ADMIN: - return "net_admin" - case CAP_NET_RAW: - return "net_raw" - case CAP_IPC_LOCK: - return "ipc_lock" - case CAP_IPC_OWNER: - return "ipc_owner" - case CAP_SYS_MODULE: - return "sys_module" - case CAP_SYS_RAWIO: - return "sys_rawio" - case CAP_SYS_CHROOT: - return "sys_chroot" - case CAP_SYS_PTRACE: - return "sys_ptrace" - case CAP_SYS_PACCT: - return "sys_psacct" - case CAP_SYS_ADMIN: - return "sys_admin" - case CAP_SYS_BOOT: - return "sys_boot" - case CAP_SYS_NICE: - return "sys_nice" - case CAP_SYS_RESOURCE: - return "sys_resource" - case CAP_SYS_TIME: - return "sys_time" - case CAP_SYS_TTY_CONFIG: - return "sys_tty_config" - case CAP_MKNOD: - return "mknod" - case CAP_LEASE: - return "lease" - case CAP_AUDIT_WRITE: - return "audit_write" - case CAP_AUDIT_CONTROL: - return "audit_control" - case CAP_SETFCAP: - return "setfcap" - case CAP_MAC_OVERRIDE: - return "mac_override" - case CAP_MAC_ADMIN: - return "mac_admin" - case CAP_SYSLOG: - return "syslog" - case CAP_WAKE_ALARM: - return "wake_alarm" - case CAP_BLOCK_SUSPEND: - return "block_suspend" - } - return "unknown" -} - +// POSIX-draft defined capabilities. const ( - // POSIX-draft defined capabilities. - // In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this // overrides the restriction of changing file ownership and group // ownership. - CAP_CHOWN Cap = 0 + CAP_CHOWN = Cap(0) // Override all DAC access, including ACL execute access if // [_POSIX_ACL] is defined. Excluding DAC access covered by // CAP_LINUX_IMMUTABLE. - CAP_DAC_OVERRIDE Cap = 1 + CAP_DAC_OVERRIDE = Cap(1) // Overrides all DAC restrictions regarding read and search on files // and directories, including ACL restrictions if [_POSIX_ACL] is // defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. - CAP_DAC_READ_SEARCH Cap = 2 + CAP_DAC_READ_SEARCH = Cap(2) // Overrides all restrictions about allowed operations on files, where // file owner ID must be equal to the user ID, except where CAP_FSETID // is applicable. It doesn't override MAC and DAC restrictions. - CAP_FOWNER Cap = 3 + CAP_FOWNER = Cap(3) // Overrides the following restrictions that the effective user ID // shall match the file owner ID when setting the S_ISUID and S_ISGID @@ -145,21 +65,21 @@ const ( // supplementary group IDs) shall match the file owner ID when setting // the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are // cleared on successful return from chown(2) (not implemented). - CAP_FSETID Cap = 4 + CAP_FSETID = Cap(4) // Overrides the restriction that the real or effective user ID of a // process sending a signal must match the real or effective user ID // of the process receiving the signal. - CAP_KILL Cap = 5 + CAP_KILL = Cap(5) // Allows setgid(2) manipulation // Allows setgroups(2) // Allows forged gids on socket credentials passing. - CAP_SETGID Cap = 6 + CAP_SETGID = Cap(6) // Allows set*uid(2) manipulation (including fsuid). // Allows forged pids on socket credentials passing. - CAP_SETUID Cap = 7 + CAP_SETUID = Cap(7) // Linux-specific capabilities @@ -171,17 +91,17 @@ const ( // to the current process' inheritable set // Allow taking bits out of capability bounding set // Allow modification of the securebits for a process - CAP_SETPCAP Cap = 8 + CAP_SETPCAP = Cap(8) // Allow modification of S_IMMUTABLE and S_APPEND file attributes - CAP_LINUX_IMMUTABLE Cap = 9 + CAP_LINUX_IMMUTABLE = Cap(9) // Allows binding to TCP/UDP sockets below 1024 // Allows binding to ATM VCIs below 32 - CAP_NET_BIND_SERVICE Cap = 10 + CAP_NET_BIND_SERVICE = Cap(10) // Allow broadcasting, listen to multicast - CAP_NET_BROADCAST Cap = 11 + CAP_NET_BROADCAST = Cap(11) // Allow interface configuration // Allow administration of IP firewall, masquerading and accounting @@ -196,36 +116,36 @@ const ( // Allow multicasting // Allow read/write of device-specific registers // Allow activation of ATM control sockets - CAP_NET_ADMIN Cap = 12 + CAP_NET_ADMIN = Cap(12) // Allow use of RAW sockets // Allow use of PACKET sockets // Allow binding to any address for transparent proxying (also via NET_ADMIN) - CAP_NET_RAW Cap = 13 + CAP_NET_RAW = Cap(13) // Allow locking of shared memory segments // Allow mlock and mlockall (which doesn't really have anything to do // with IPC) - CAP_IPC_LOCK Cap = 14 + CAP_IPC_LOCK = Cap(14) // Override IPC ownership checks - CAP_IPC_OWNER Cap = 15 + CAP_IPC_OWNER = Cap(15) // Insert and remove kernel modules - modify kernel without limit - CAP_SYS_MODULE Cap = 16 + CAP_SYS_MODULE = Cap(16) // Allow ioperm/iopl access // Allow sending USB messages to any device via /proc/bus/usb - CAP_SYS_RAWIO Cap = 17 + CAP_SYS_RAWIO = Cap(17) // Allow use of chroot() - CAP_SYS_CHROOT Cap = 18 + CAP_SYS_CHROOT = Cap(18) // Allow ptrace() of any process - CAP_SYS_PTRACE Cap = 19 + CAP_SYS_PTRACE = Cap(19) // Allow configuration of process accounting - CAP_SYS_PACCT Cap = 20 + CAP_SYS_PACCT = Cap(20) // Allow configuration of the secure attention key // Allow administration of the random device @@ -263,10 +183,10 @@ const ( // arbitrary SCSI commands // Allow setting encryption key on loopback filesystem // Allow setting zone reclaim policy - CAP_SYS_ADMIN Cap = 21 + CAP_SYS_ADMIN = Cap(21) // Allow use of reboot() - CAP_SYS_BOOT Cap = 22 + CAP_SYS_BOOT = Cap(22) // Allow raising priority and setting priority on other (different // UID) processes @@ -274,7 +194,7 @@ const ( // processes and setting the scheduling algorithm used by another // process. // Allow setting cpu affinity on other processes - CAP_SYS_NICE Cap = 23 + CAP_SYS_NICE = Cap(23) // Override resource limits. Set resource limits. // Override quota limits. @@ -287,33 +207,33 @@ const ( // Allow more than 64hz interrupts from the real-time clock // Override max number of consoles on console allocation // Override max number of keymaps - CAP_SYS_RESOURCE Cap = 24 + CAP_SYS_RESOURCE = Cap(24) // Allow manipulation of system clock // Allow irix_stime on mips // Allow setting the real-time clock - CAP_SYS_TIME Cap = 25 + CAP_SYS_TIME = Cap(25) // Allow configuration of tty devices // Allow vhangup() of tty - CAP_SYS_TTY_CONFIG Cap = 26 + CAP_SYS_TTY_CONFIG = Cap(26) // Allow the privileged aspects of mknod() - CAP_MKNOD Cap = 27 + CAP_MKNOD = Cap(27) // Allow taking of leases on files - CAP_LEASE Cap = 28 + CAP_LEASE = Cap(28) - CAP_AUDIT_WRITE Cap = 29 - CAP_AUDIT_CONTROL Cap = 30 - CAP_SETFCAP Cap = 31 + CAP_AUDIT_WRITE = Cap(29) + CAP_AUDIT_CONTROL = Cap(30) + CAP_SETFCAP = Cap(31) // Override MAC access. // The base kernel enforces no MAC policy. // An LSM may enforce a MAC policy, and if it does and it chooses // to implement capability based overrides of that policy, this is // the capability it should use to do so. - CAP_MAC_OVERRIDE Cap = 32 + CAP_MAC_OVERRIDE = Cap(32) // Allow MAC configuration or state changes. // The base kernel requires no MAC configuration. @@ -321,18 +241,24 @@ const ( // to implement capability based checks on modifications to that // policy or the data required to maintain it, this is the // capability it should use to do so. - CAP_MAC_ADMIN Cap = 33 + CAP_MAC_ADMIN = Cap(33) // Allow configuring the kernel's syslog (printk behaviour) - CAP_SYSLOG Cap = 34 + CAP_SYSLOG = Cap(34) // Allow triggering something that will wake the system - CAP_WAKE_ALARM Cap = 35 + CAP_WAKE_ALARM = Cap(35) // Allow preventing system suspends - CAP_BLOCK_SUSPEND Cap = 36 + CAP_BLOCK_SUSPEND = Cap(36) - CAP_LAST_CAP = CAP_BLOCK_SUSPEND + // Allow reading audit messages from the kernel + CAP_AUDIT_READ = Cap(37) ) -const capUpperMask = (uint32(1) << (uint(CAP_LAST_CAP) - 31)) - 1 +var ( + // Highest valid capability of the running kernel. + CAP_LAST_CAP = Cap(63) + + capUpperMask = ^uint32(0) +) diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum_gen.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum_gen.go new file mode 100644 index 00000000000..b9e6d2d5e1e --- /dev/null +++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum_gen.go @@ -0,0 +1,129 @@ +// generated file; DO NOT EDIT - use go generate in directory with source + +package capability + +func (c Cap) String() string { + switch c { + case CAP_CHOWN: + return "chown" + case CAP_DAC_OVERRIDE: + return "dac_override" + case CAP_DAC_READ_SEARCH: + return "dac_read_search" + case CAP_FOWNER: + return "fowner" + case CAP_FSETID: + return "fsetid" + case CAP_KILL: + return "kill" + case CAP_SETGID: + return "setgid" + case CAP_SETUID: + return "setuid" + case CAP_SETPCAP: + return "setpcap" + case CAP_LINUX_IMMUTABLE: + return "linux_immutable" + case CAP_NET_BIND_SERVICE: + return "net_bind_service" + case CAP_NET_BROADCAST: + return "net_broadcast" + case CAP_NET_ADMIN: + return "net_admin" + case CAP_NET_RAW: + return "net_raw" + case CAP_IPC_LOCK: + return "ipc_lock" + case CAP_IPC_OWNER: + return "ipc_owner" + case CAP_SYS_MODULE: + return "sys_module" + case CAP_SYS_RAWIO: + return "sys_rawio" + case CAP_SYS_CHROOT: + return "sys_chroot" + case CAP_SYS_PTRACE: + return "sys_ptrace" + case CAP_SYS_PACCT: + return "sys_pacct" + case CAP_SYS_ADMIN: + return "sys_admin" + case CAP_SYS_BOOT: + return "sys_boot" + case CAP_SYS_NICE: + return "sys_nice" + case CAP_SYS_RESOURCE: + return "sys_resource" + case CAP_SYS_TIME: + return "sys_time" + case CAP_SYS_TTY_CONFIG: + return "sys_tty_config" + case CAP_MKNOD: + return "mknod" + case CAP_LEASE: + return "lease" + case CAP_AUDIT_WRITE: + return "audit_write" + case CAP_AUDIT_CONTROL: + return "audit_control" + case CAP_SETFCAP: + return "setfcap" + case CAP_MAC_OVERRIDE: + return "mac_override" + case CAP_MAC_ADMIN: + return "mac_admin" + case CAP_SYSLOG: + return "syslog" + case CAP_WAKE_ALARM: + return "wake_alarm" + case CAP_BLOCK_SUSPEND: + return "block_suspend" + case CAP_AUDIT_READ: + return "audit_read" + } + return "unknown" +} + +// List returns list of all supported capabilities +func List() []Cap { + return []Cap{ + CAP_CHOWN, + CAP_DAC_OVERRIDE, + CAP_DAC_READ_SEARCH, + CAP_FOWNER, + CAP_FSETID, + CAP_KILL, + CAP_SETGID, + CAP_SETUID, + CAP_SETPCAP, + CAP_LINUX_IMMUTABLE, + CAP_NET_BIND_SERVICE, + CAP_NET_BROADCAST, + CAP_NET_ADMIN, + CAP_NET_RAW, + CAP_IPC_LOCK, + CAP_IPC_OWNER, + CAP_SYS_MODULE, + CAP_SYS_RAWIO, + CAP_SYS_CHROOT, + CAP_SYS_PTRACE, + CAP_SYS_PACCT, + CAP_SYS_ADMIN, + CAP_SYS_BOOT, + CAP_SYS_NICE, + CAP_SYS_RESOURCE, + CAP_SYS_TIME, + CAP_SYS_TTY_CONFIG, + CAP_MKNOD, + CAP_LEASE, + CAP_AUDIT_WRITE, + CAP_AUDIT_CONTROL, + CAP_SETFCAP, + CAP_MAC_OVERRIDE, + CAP_MAC_ADMIN, + CAP_SYSLOG, + CAP_WAKE_ALARM, + CAP_BLOCK_SUSPEND, + CAP_AUDIT_READ, + } +} diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enumgen/gen.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enumgen/gen.go new file mode 100644 index 00000000000..4c733809b1b --- /dev/null +++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enumgen/gen.go @@ -0,0 +1,92 @@ +package main + +import ( + "bytes" + "fmt" + "go/ast" + "go/format" + "go/parser" + "go/token" + "io/ioutil" + "log" + "os" + "strings" +) + +const fileName = "enum.go" +const genName = "enum_gen.go" + +type generator struct { + buf bytes.Buffer + caps []string +} + +func (g *generator) writeHeader() { + g.buf.WriteString("// generated file; DO NOT EDIT - use go generate in directory with source\n") + g.buf.WriteString("\n") + g.buf.WriteString("package capability") +} + +func (g *generator) writeStringFunc() { + g.buf.WriteString("\n") + g.buf.WriteString("func (c Cap) String() string {\n") + g.buf.WriteString("switch c {\n") + for _, cap := range g.caps { + fmt.Fprintf(&g.buf, "case %s:\n", cap) + fmt.Fprintf(&g.buf, "return \"%s\"\n", strings.ToLower(cap[4:])) + } + g.buf.WriteString("}\n") + g.buf.WriteString("return \"unknown\"\n") + g.buf.WriteString("}\n") +} + +func (g *generator) writeListFunc() { + g.buf.WriteString("\n") + g.buf.WriteString("// List returns list of all supported capabilities\n") + g.buf.WriteString("func List() []Cap {\n") + g.buf.WriteString("return []Cap{\n") + for _, cap := range g.caps { + fmt.Fprintf(&g.buf, "%s,\n", cap) + } + g.buf.WriteString("}\n") + g.buf.WriteString("}\n") +} + +func main() { + fs := token.NewFileSet() + parsedFile, err := parser.ParseFile(fs, fileName, nil, 0) + if err != nil { + log.Fatal(err) + } + var caps []string + for _, decl := range parsedFile.Decls { + decl, ok := decl.(*ast.GenDecl) + if !ok || decl.Tok != token.CONST { + continue + } + for _, spec := range decl.Specs { + vspec := spec.(*ast.ValueSpec) + name := vspec.Names[0].Name + if strings.HasPrefix(name, "CAP_") { + caps = append(caps, name) + } + } + } + g := &generator{caps: caps} + g.writeHeader() + g.writeStringFunc() + g.writeListFunc() + src, err := format.Source(g.buf.Bytes()) + if err != nil { + fmt.Println("generated invalid Go code") + fmt.Println(g.buf.String()) + log.Fatal(err) + } + fi, err := os.Stat(fileName) + if err != nil { + log.Fatal(err) + } + if err := ioutil.WriteFile(genName, src, fi.Mode().Perm()); err != nil { + log.Fatal(err) + } +} diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go index c18e6f69186..dd6f4540650 100644 --- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go +++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go @@ -86,6 +86,10 @@ func getVfsCap(path string, dest *vfscapData) (err error) { } r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_vfsXattrName)), uintptr(unsafe.Pointer(dest)), vfscapDataSizeV2, 0, 0) if e1 != 0 { + if e1 == syscall.ENODATA { + dest.version = 2 + return + } err = e1 } switch dest.magic & vfsCapVerMask { @@ -128,8 +132,6 @@ func setVfsCap(path string, data *vfscapData) (err error) { data.magic = vfsCapVer2 if data.effective[0] != 0 || data.effective[1] != 0 { data.magic |= vfsCapFlageffective - data.data[0].permitted |= data.effective[0] - data.data[1].permitted |= data.effective[1] } size = vfscapDataSizeV2 } else {