- Update from version 2.67 to 2.69
- Update of rootfile
- Changelog
Release notes for 2.69
2023-05-14 19:10:04 -0700
An audit was performed on libcap and friends by x41-dsec.de: https://x41-dsec.de/news/2023/05/15/libcap-source-code-audit/
The audit (final report, 2023-05-10)
https://drive.google.com/file/d/1lsuC_tQbQ5pCE2Sy_skw0a7hTzQyQh2C/view?usp=sharing
was sponsored by the Open Source Technology Improvement Fund,
https://ostif.org/ (blog). Five issues were found. Four of them are
addressed in this release. Each issue was labeled in the audit results as
follows:
LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir
LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger
LCAP-CR-23-100 (SEVERITY) NONE
LCAP-CR-23-101 (SEVERITY) NONE
Man page style improvement from Emanuele Torre
Partially revive the ability to build the binaries fully statically.
This was needed to make bleeding edge kernel debugging/testing via
qemu+busybox work again. Addressing an issue I realized only when I
tried to answer this stackexchange question.
https://unix.stackexchange.com/questions/741532/launch-process-with-limited-capabilities-on-minimal-busybox-based-system
Release notes for 2.68
2023-03-25 17:03:17 -0700
Force libcap internal functions to be hidden outside the library (Bug 217014)
Expanded the list of man page (links) to all of the supported API functions.
fixed some formatting issues with the libpsx(3) manpage.
Add support for a markdown preamble and postscript when generating .md
versions of the man pages (Bug 217007)
psx package clean up
fix some copy-paste errors with TestShared()
added a more complete psx testing into this test as well
cap package clean up
drop an unnecessary use of ", _" in the sources
cleaned up cap.NamedCount documentation
Converted goapps/web/README to .md format and fixed the instructions to
indicate go mod tidy is needed.
cap_compare test binary now cleans up after itself (Bug 217018)
Figured out how to cross compile Go programs for arm (i.e. RPi) that use C
code, don't use cgo but do use the psx package (all part of investigating
bug 216610).
Eliminate use of vendor directory
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- libcap places the files by default in /lib and not /usr/lib etc. To fix this, libcap made
a symlink for the library file from /lib to /usr/lib. However, the .pc files were left
in /lib/pkgconfig and not /usr/lib/pkgconfig and were therefore not found by the update
of rng-tools which now required libcap to be found.
- Changed the prefix settings for libcap which placed the libraries and .pc files in the
correct locations while keeping the executables in their existing location.
- This removed the need for symlinking /usr/lib/libcap.so to /lib/libcap.so.2.67 as the
libraries are now placed in /usr/lib
- Installed the ipfire build with these changes into a vm system and confirmed that
everything worked. Input from Michael Tremer that if ping worked then libcap was
functioning correctly.
- The prefixes have to be applied to both make and make install to end up with the files
in the correct places.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 2.66 to 2.67
- Update of rootfile
- Changelog
Release notes for 2.67
Replace use of fgrep with grep -F (POSIX grep flags preferred by GNU grep) - patch
from David Seifert.
Added SPDX identifiers to License file(s). Hopefully this will help the various
robots out there correctly identify the longstanding licenses for libcap and friends.
(Bug: 216609 reported by Günther Noack)
Started down the rabbit hole of trying to address (Bug: 216610 reported by Günther
Noack on behalf of Michael Stapelberg)
The basic issue is how to link C code with Go psx without using CGo. This is all
a low level hackery. If you are interested, browse the source.
Correct for bad whatis entries in man pages (this was throwing a Debian build test,
detail)
Also reviewed man pages and addressed cross linkage issues (Bug: 216585)
Cleaned up some README.md files (made a github mirror now just so I can
automatically render them).
Changed meaning of DYNAMIC=no builds.
This now builds everything with static linking except for libc. The reason for
this exception is explained in the commit message.
Inserted demonstration exploit code in capso.so to support article.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 2.64 to 2.66
- Update of rootfile
- Changelog
Release notes for 2.66
Fix documentation typos in cap_from_text.3 (Bug: 216514 reported by Paulo
Andrade.)
Some getpcaps code clean up and a fix for PID argument parsing from Jakub Wilk.
Slightly more robust Makefiles to address an error with make -j48 test
observed by Tomasz Kłoczko.
Include a simple Go program, captrace, to trace kernel capability validation
checks
This program can be used to figure out what capabilities a program needs
to operate.
captrace (a wrapper for bpftrace) uses BPF kprobes to monitor the kernel
for capability checks and whether or not they succeed for the system, a
specific PID or a program's direct execution.
Trim down the default file capabilities for contrib/sucap/su to those
actually needed and set USER and HOME environment variables so bash doesn't
complain about a sourcing error.
Release notes for 2.65
Fix syntax error in DEBUG build of protected code in setcap.c. (Bug reported
by yixiangzhike.)
Prevent bash from reading the wrong startup files when the capsh --user=xxx
argument is used to invoke a shell as the user xxx. This is done by capsh
now changing the USER and HOME environment variables when --user is
specified. The argument --noenv can be used to suppress this behavior to
what used to be the problematic default. (Bug: 215926)
Improved documentation:
Man page info for cap_get_pid() and cap_reset_ambient(). (Bug reports
from nomonemo and Tinkerer One.)
Improve documentation and help for the captree program.
Updated go/Makefile comment about an unfixed Go runtime bug in go1.16 and
go1.17 (resolved in go1.18+), and the deadlock behavior of the psx-fd test.
Refresh the signatures on the two GPG keys morgan@ uses. The 4096 bit one is
preferred, but the older one is also used for continuity reasons. This set
of signatures should also be available from the various key servers out there.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 2.63 to 2.64
- Update of rootfile
- Change sed line to ensure removal of static libs - environment names for static libraries
changed.
- Changelog
2.64
Fix memory leak in libpsx at program exit. (Bug: 215551 reported by Kalen Hall)
Be more resilient to CGo configuration with Go compiler when building tests.
(Bug: 215603)
Fix cap_*prctl() return code/errno handling. (Bug: 215772 reported by Anderson
Toshiyuki Sasaki)
Minor clarification to cap_get_pid() man page concerning pid value within
namespaces. (Bug: 215812)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it makes sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
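The check the commit above describes, written out as an added example in Python (this is not IPFire's make.sh or an LFS file): a pinned BLAKE2b digest is recomputed over the downloaded file and the download is rejected on mismatch, so a corrupted or substituted archive never reaches the build. The tarball bytes, file names and the pinned digest are constructed inside the example.

```python
"""Added example (not IPFire's make.sh): pin a source download to a
BLAKE2b checksum and refuse it on mismatch."""
import hashlib
import hmac
import os
import tempfile


def blake2_bytes(data: bytes) -> str:
    """BLAKE2b-512 hex digest, the same digest `b2sum` prints by default."""
    return hashlib.blake2b(data).hexdigest()


def blake2_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through BLAKE2b so large tarballs are not read into memory."""
    h = hashlib.blake2b()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, pinned_blake2: str) -> bool:
    """True only when the file's digest equals the pinned one.

    The pinned value is what an LFS file would carry in place of the old
    MD5 sum; hmac.compare_digest keeps the comparison constant-time.
    """
    return hmac.compare_digest(blake2_file(path), pinned_blake2.lower())


def demo() -> tuple:
    """Constructed scenario: an intact download and a tampered copy of it.

    Returns (intact_ok, tampered_ok); a working check yields (True, False).
    """
    sample = b"libcap-2.69.tar.xz: constructed placeholder contents\n"
    with tempfile.TemporaryDirectory() as d:
        intact = os.path.join(d, "libcap-2.69.tar.xz")
        with open(intact, "wb") as f:
            f.write(sample)
        # The digest an LFS file would pin for this download (constructed here).
        pinned = blake2_bytes(sample)

        tampered = os.path.join(d, "libcap-2.69-tampered.tar.xz")
        with open(tampered, "wb") as f:
            f.write(sample[:-1] + b"!")  # a single-byte change in the archive

        return verify_download(intact, pinned), verify_download(tampered, pinned)


if __name__ == "__main__":
    ok, bad = demo()
    print("intact download verified:", ok)
    print("tampered download verified:", bad)
```

The hex string produced here equals what `b2sum` prints for the same file, so a digest generated on the source mirror with `b2sum` can be pinned and checked by this function; a single flipped byte in the archive changes the whole digest and the download is rejected.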
- Update from 2.61 to 2.63
- Update of rootfile
- Changelog
Release notes for 2.63
Restore errno to zero by the time main() is executed
Bug reported by Yang Xu
Consistent psx handling (a panic) for syscalls that return thread dependent status
Inconsistent behavior noticed by Lorenz Bauer (Bug: 215283)
Add a test case for a deadlock under investigation in golang #50113
Bug reported by Weixiao Huang
Trim some of the #include file use to make the tree compile more efficiently
Release notes for 2.62
Bug fix for Go package "cap" and launching:
There was a race condition, reported by Lorenz Bauer (Bug: 215283)
Build cleanups:
David Seifert cleaned up warnings for 32-bit builds
No longer use Perl in the libcap build process (Gentoo had a compelling reason to
avoid this dependency)
Documentation updates: cap_max_bits has a man page entry; Go module cap updates for
Launch detail.
Recognize default securebits as a libcap mode: HYBRID.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 2.50 to 2.61
- Update of rootfile
- Changelog
Release notes for 2.61
Better error handling of the numerical arguments for capsh and setcap.
Reported by meitingli with some bug de-duping help from Artem S. Tashkinov (Bugs 214909, 214911)
Fix executable mode for all of the .so files. There were two situations where this was failing (with a hard to debug SIGSEGV inside libc). Bugs reported by Sam James. Both the same solution related to stack alignment and use of SSE instructions:
glibc and the 32-bit x86 mode (Gentoo bug 820071)
musl runtime library for 64-bit x86 code (Bug 215009)
Added an example of a shared library object with its own file capability.
It demonstrates how to give a shared library a file capability and offer it as a linkable privileged API service to an otherwise unprivileged binary.
Fix the top-level include for Make.Rules in the contrib/sucap example application
Add support for running constructors at libcap.so start up time when running as stand alone binary.
This enables the binary executable to print out some dynamically generated content when given the --summary argument.
Release notes for 2.60
Some build, code linting fixes, the addition of the cap_fill_flag() API and a memory latency optimization contributed by Google (Bugs: 214579 214601 214599)
General improvement in thread safety for libcap and cap package (Bug: 214715)
Minor API change replacing libcap:cap_launch_*() void returning functions with int + errno status returns.
This should be backwardly compatible for code.
Added a cap_iab_dup(), and (*cap.IAB).Dup() to API.
Fixed (*cap.IAB).Fill() which was previously malfunctioning for certain Inh and Amb copies.
New features for capsh
--quiet can be used to suppress the start up check that the local libcap is modern enough to name all of the capabilities known to the hosting kernel
Added -+ and =+ arguments. These are fork+exec equivalents to -- and == respectively (that use the cap_launch API).
Release notes for 2.59
libcap-2.55 ... 2.58 would SIGSEGV if an operation was attempted on a NULL value for cap_t or cap_iab_t. Restore the more tolerant error return behavior last seen with libcap-2.54. (Bug 214525)
More make -j13 fixes (missing dependency for make -C progs sudotest).
Various minor documentation fixes.
Release notes for 2.58
Fixed a potential libcap memory leak by adding a destructor (Bug 214373 reported by yan12125)
Major improvement is that there is a path for Linux-PAM compliant applications to support setting Ambient vector Capabilities via pam_cap.so now (Bug 214377)
In addition to the bug, related discussion is in two Github issues: https://github.com/shadow-maint/shadow/pull/408#issuecomment-919673098 and https://github.com/rra/pam-krb5/issues/21
Added support for RPM builds that generate the build-id that RPM expects (see https://github.com/rpm-software-management/rpm/issues/367 for discussion)
Minor contrib/sucap/su.c cleanups
Clean up kdebug build rules
More documentation cleanup
Release notes for 2.57
capsh enhancements:
--mode makes a guess at the libcap mode of the current process (Bug 214319)
--strict makes capsh less permissive and expects the user to perform more deliberate capability transactions
useful for learning all the steps; and helps this article be more pedagogical.
Build system fixes
Preserve $(WARNINGS) (Fix from David Seifert)
Don't ever build test binaries unless make test etc is invoked (speeds builds on slower systems)
Support make -j12 for all, test and sudotest targets
getcap -r / now generates readable output (Bug 214317)
Some documentation cleanup: more consistency.
Release notes for 2.56
Canonicalize the Makefile use (in collaboration with David Seifert)
In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)
Doc fixes for cap_iab.3
Added color support to captree, which helped make the following fix generate readable output:
Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)
Fixed contrib/sucap/su to correctly handle the Inheritable flag.
Release notes for 2.55
Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich
Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)
This generated a few broken builds until it was fixed.
Cleanup of some man pages; some fixes and shorter URL to bugzilla link.
Added libcap cap_proc_root() API function (to reach parity with the Go cap package).
This is only potentially useful with the recently added cap_iab_get_pid() function
Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controlled GOPATH.
Now make GOLANG=yes only installs the captree utility
Added some features to captree and created a small article on it
Added a man page for the captree utility
Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated.
Included adding --has-b support to capsh
Release notes for 2.54
Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)
Fixes to not ignore allocation failures (patch provided by Samanta Navarro)
Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()
More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)
Revamped the Go capability comparison API for *cap.Set and *cap.IAB: (x).Cf(), and added cap.IABGetPID()
Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.
Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.
Extended getpcaps to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).
Install *.so files as executable now that they are executable as binaries
A feature of 2.52 but not extended to install rules at that time.
Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)
Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.
Fixed compiler warnings from the GitHub build tester (Bug 214143)
Release notes for 2.53
The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)
Added a test case for this too.
Lots of typos fixed in code and documentation (also by Samanta Navarro)
Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)
These distributions failed to observe a runnable pam_cap.so and various make options failed.
Support clang builds (again). (Reported by Johan Herland 214047)
This used to work, but by accident. It broke with the advent of a runnable libcap.so , libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.
Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.
Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.
Release notes for 2.52
Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)
The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!
The support is used to display some description information.
To activate it, these binaries need to be installed executable (chmod +x ...)
We also provided a write-up of how to enable this sort of feature in other .so files here.
The module pam_cap.so now contains support for a default=<IAB> module argument. (Bug 213611).
Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.
Added capsh --current support.
Minor documentation updates.
Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.
This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.
At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.
Release notes for 2.51
Fix capsh installation (Bug 213261 - reported by Jan Palus)
Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)
Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)
This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages
API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.
This can be used to raise all the Permitted capabilities in a Set with one API call.
In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).
This is with an eye to the imminent golang change removing support for GOPATH based building.
Minor compilation warning fixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.49 to 2.50
- Update rootfile
- Version 2.50 failed to install capsh - bug raised for this
https://bugzilla.kernel.org/show_bug.cgi?id=213261
patch to fix this bug created and used in this build
- Changelog
Release notes for 2.50
2021-05-24 12:05:16 -0700
Some new capsh features:
--explain=cap_foo: describe what cap_foo does (Bug 212451)
--suggest=phrase: search all the cap descriptions and describe those that match the phrase
Add "keepcaps" module argument support to pam_cap.so (reported by Zoltan Fridrich. Bug 212945)
extend libcap to include cap_prctl() and cap_prctlw() functions to regain feature parity with Go "cap" package. These are only needed when linking against -lpsx for keepcaps POSIX semantics.
this likely requires substantial application changes to make Ambient capability support usable in general, but doing our part for the admin.
Add a test case for recent kernel fix (Bug 212737)
Go pragma fix for convenience functions in "cap" module (reported by Lorenz Bauer. Bug 212321)
Minor man documentation updates
Minor build tree improvements (mostly for maintainer)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>