From 8f113f155b641e2d0cdeecf2c799662600133792 Mon Sep 17 00:00:00 2001 From: Toni Uhlig Date: Fri, 2 Mar 2018 18:48:46 +0100 Subject: [PATCH] libcap: libcap executables * add option to install additional executables - capsh, getcap, getpcaps, setcap * capsh can be configured to execute a different shell rather than /bin/bash Signed-off-by: Toni Uhlig --- libs/libcap/Makefile | 37 +++++++++++++++++-- .../200-change-hardcoded-shell-to-sh.patch | 34 +++++++++++++++++ 2 files changed, 67 insertions(+), 4 deletions(-) create mode 100644 libs/libcap/patches/200-change-hardcoded-shell-to-sh.patch diff --git a/libs/libcap/Makefile b/libs/libcap/Makefile index e60b8978c..444ba1d95 100644 --- a/libs/libcap/Makefile +++ b/libs/libcap/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libcap PKG_VERSION:=2.25 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/linux/libs/security/linux-privs/libcap2 @@ -30,19 +30,41 @@ define Package/libcap URL:=http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/ endef +define Package/libcap/config + if PACKAGE_libcap + + config PACKAGE_libcap-bin + bool "install libcap executables" + help + Install capsh, getcap, getpcaps, setcap into the target image. + default n + + config PACKAGE_libcap-bin-capsh-shell + string "capsh shell" + depends on PACKAGE_libcap-bin + help + Set the capsh shell. + default "/bin/sh" + + endif +endef + MAKE_FLAGS += \ - CFLAGS="$(TARGET_CFLAGS)" \ BUILD_CC="$(CC)" \ BUILD_CFLAGS="$(FPIC) -I$(PKG_BUILD_DIR)/libcap/include" \ CFLAGS="$(TARGET_CFLAGS)" \ - LD="$(TARGET_CC)" \ - LDFLAGS="$(TARGET_LDFLAGS) -shared" \ + LD="$(TARGET_CC) -Wl,-x -shared" \ + LDFLAGS="$(TARGET_LDFLAGS)" \ INDENT="| true" \ PAM_CAP="no" \ RAISE_SETFCAP="no" \ DYNAMIC="yes" \ lib="lib" +ifneq ($(CONFIG_PACKAGE_libcap-bin-capsh-shell),) +TARGET_CFLAGS += -DSHELL='\"$(CONFIG_PACKAGE_libcap-bin-capsh-shell)\"' +endif + define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include/sys $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ @@ -53,6 +75,13 @@ endef define Package/libcap/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/lib/libcap.so* $(1)/usr/lib/ +ifneq ($(CONFIG_PACKAGE_libcap-bin),) + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/sbin/capsh $(1)/usr/sbin/ + $(CP) $(PKG_INSTALL_DIR)/sbin/getcap $(1)/usr/sbin/ + $(CP) $(PKG_INSTALL_DIR)/sbin/getpcaps $(1)/usr/sbin/ + $(CP) $(PKG_INSTALL_DIR)/sbin/setcap $(1)/usr/sbin/ +endif endef $(eval $(call BuildPackage,libcap)) diff --git a/libs/libcap/patches/200-change-hardcoded-shell-to-sh.patch b/libs/libcap/patches/200-change-hardcoded-shell-to-sh.patch new file mode 100644 index 000000000..c2156ad81 --- /dev/null +++ b/libs/libcap/patches/200-change-hardcoded-shell-to-sh.patch @@ -0,0 +1,34 @@ +--- a/progs/capsh.c ++++ b/progs/capsh.c +@@ -24,6 +24,9 @@ + #include + #include + ++#ifndef SHELL ++#define SHELL "/bin/sh" ++#endif + #define MAX_GROUPS 100 /* max number of supplementary groups for user */ + + static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP }; +@@ -557,10 +560,10 @@ int main(int argc, char *argv[], char *envp[]) + } + printf("\n"); + } else if ((!strcmp("--", argv[i])) || (!strcmp("==", argv[i]))) { +- argv[i] = strdup(argv[i][0] == '-' ? "/bin/bash" : argv[0]); ++ argv[i] = strdup(argv[i][0] == '-' ? SHELL : argv[0]); + argv[argc] = NULL; + execve(argv[i], argv+i, envp); +- fprintf(stderr, "execve /bin/bash failed!\n"); ++ fprintf(stderr, "execve " SHELL " failed!\n"); + exit(1); + } else { + usage: +@@ -582,7 +585,7 @@ int main(int argc, char *argv[], char *envp[]) + " --killit= send signal(n) to child\n" + " --forkfor= fork and make child sleep for sec\n" + " == re-exec(capsh) with args as for --\n" +- " -- remaing arguments are for /bin/bash\n" ++ " -- remaing arguments are for " SHELL "\n" + " (without -- [%s] will simply exit(0))\n", + argv[0], argv[0]); +