PKG_NAME:=libcap
PKG_VERSION:=2.25
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@KERNEL/linux/libs/security/linux-privs/libcap2
URL:=http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/
endef
+define Package/libcap/config
+ if PACKAGE_libcap
+
+ config PACKAGE_libcap-bin
+ bool "install libcap executables"
+ help
+ Install capsh, getcap, getpcaps, setcap into the target image.
+ default n
+
+ config PACKAGE_libcap-bin-capsh-shell
+ string "capsh shell"
+ depends on PACKAGE_libcap-bin
+ help
+ Set the capsh shell.
+ default "/bin/sh"
+
+ endif
+endef
+
MAKE_FLAGS += \
- CFLAGS="$(TARGET_CFLAGS)" \
BUILD_CC="$(CC)" \
BUILD_CFLAGS="$(FPIC) -I$(PKG_BUILD_DIR)/libcap/include" \
CFLAGS="$(TARGET_CFLAGS)" \
- LD="$(TARGET_CC)" \
- LDFLAGS="$(TARGET_LDFLAGS) -shared" \
+ LD="$(TARGET_CC) -Wl,-x -shared" \
+ LDFLAGS="$(TARGET_LDFLAGS)" \
INDENT="| true" \
PAM_CAP="no" \
RAISE_SETFCAP="no" \
DYNAMIC="yes" \
lib="lib"
+ifneq ($(CONFIG_PACKAGE_libcap-bin-capsh-shell),)
+TARGET_CFLAGS += -DSHELL='\"$(CONFIG_PACKAGE_libcap-bin-capsh-shell)\"'
+endif
+
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include/sys
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
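Review bot: The `-DSHELL=` line in the added `ifneq` block splices the raw Kconfig string into a shell command line and a C string literal without normalising it. As far as I can tell, OpenWrt string symbols reach make still wrapped in double quotes, so the guard is true even for an empty value and the define only works because the quotes happen to pair up. I would strip first: `ifneq ($(call qstrip,$(CONFIG_PACKAGE_libcap-bin-capsh-shell)),)` and `-DSHELL='\"$(call qstrip,$(CONFIG_PACKAGE_libcap-bin-capsh-shell))\"'`. The patched capsh passes this path straight to execve() with no PATH search, so the help text for the "capsh shell" option should state that it must be an absolute path; a relative value would resolve against whatever directory capsh is started from.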
define Package/libcap/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/lib/libcap.so* $(1)/usr/lib/
+ifneq ($(CONFIG_PACKAGE_libcap-bin),)
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/sbin/capsh $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/sbin/getcap $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/sbin/getpcaps $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/sbin/setcap $(1)/usr/sbin/
+endif
endef
$(eval $(call BuildPackage,libcap))
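Review bot: Gating the four `$(CP)` lines on `CONFIG_PACKAGE_libcap-bin` means the libcap package at the same version and release can ship two different file sets, one of which contains `setcap` and `capsh`, and nothing in the package name or metadata shows which. A separate `Package/libcap-bin` with `DEPENDS:=+libcap` and its own install section would make the presence of these tools visible to the package manager and to image audits; the `PACKAGE_libcap-bin` symbol name already reads like a package of its own. Within the block, `$(INSTALL_BIN)` instead of `$(CP)` would pin the mode of each executable rather than inheriting it from the staging tree.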
--- /dev/null
+--- a/progs/capsh.c
++++ b/progs/capsh.c
+@@ -24,6 +24,9 @@
+ #include <sys/wait.h>
+ #include <sys/prctl.h>
+
++#ifndef SHELL
++#define SHELL "/bin/sh"
++#endif
+ #define MAX_GROUPS 100 /* max number of supplementary groups for user */
+
+ static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
+@@ -557,10 +560,10 @@ int main(int argc, char *argv[], char *envp[])
+ }
+ printf("\n");
+ } else if ((!strcmp("--", argv[i])) || (!strcmp("==", argv[i]))) {
+- argv[i] = strdup(argv[i][0] == '-' ? "/bin/bash" : argv[0]);
++ argv[i] = strdup(argv[i][0] == '-' ? SHELL : argv[0]);
+ argv[argc] = NULL;
+ execve(argv[i], argv+i, envp);
+- fprintf(stderr, "execve /bin/bash failed!\n");
++ fprintf(stderr, "execve " SHELL " failed!\n");
+ exit(1);
+ } else {
+ usage:
+@@ -582,7 +585,7 @@ int main(int argc, char *argv[], char *envp[])
+ " --killit=<n> send signal(n) to child\n"
+ " --forkfor=<n> fork and make child sleep for <n> sec\n"
+ " == re-exec(capsh) with args as for --\n"
+- " -- remaing arguments are for /bin/bash\n"
++ " -- remaing arguments are for " SHELL "\n"
+ " (without -- [%s] will simply exit(0))\n",
+ argv[0], argv[0]);
+
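Review bot: Both changed messages paste `SHELL` into a printf-style format string by literal concatenation (`"execve " SHELL " failed!\n"` and the `--` usage line), so a configured path containing `%` would be read as a conversion specifier. Passing the path as an argument avoids that, and printing `argv[i]` also makes the message correct for the `==` branch, where the program being exec'd is `argv[0]` rather than the shell: `fprintf(stderr, "execve %s failed!\n", argv[i]);`. The usage text would need an extra `%s`, with `SHELL` inserted at the matching position in its argument list. main() starts and ends outside these hunks.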