authorAndrew G. Morgan <morgan@kernel.org>2021-07-02 19:51:51 -0700
committerAndrew G. Morgan <morgan@kernel.org>2021-07-02 19:51:51 -0700
commit69f7ddbb126f7efa1342b25030e8ca48ee5560ba (patch)
tree984a408f0c6c00ccef544c5cf2e7d344e9318a6e
parent6926f78d99fc0e5ed5b10a06ffde79539b70df6a (diff)
downloadlibcap-69f7ddbb126f7efa1342b25030e8ca48ee5560ba.tar.gz
Provide a '--current' command line argument for capsh.
This is equivalent to 'capsh --print|fgrep Current'. I've been using that combination a lot in the write-ups on the libcap website (https://sites.google.com/site/fullycapable/) and so it struck me that capsh probably should support it natively. Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r--doc/capsh.15
-rw-r--r--progs/capsh.c40
-rwxr-xr-xprogs/quicktest.sh1
3 files changed, 33 insertions, 13 deletions
diff --git a/doc/capsh.1 b/doc/capsh.1
index 524d9ac..3e26842 100644
--- a/doc/capsh.1
+++ b/doc/capsh.1
@@ -1,4 +1,4 @@
-.TH CAPSH 1 "2020-10-27" "libcap 2" "User Commands"
+.TH CAPSH 1 "2021-07-01" "libcap 2" "User Commands"
.SH NAME
capsh \- capability shell wrapper
.SH SYNOPSIS
@@ -21,6 +21,9 @@ Display the list of commands supported by
.B \-\-print
Display prevailing capability and related state.
.TP
+.B \-\-current
+Display prevailing capability state, 1e capabilities and IAB vector.
+.TP
.BI \-\- " [args]"
Execute
.B /bin/bash
diff --git a/progs/capsh.c b/progs/capsh.c
index 9a2d7b8..7b52dd9 100644
--- a/progs/capsh.c
+++ b/progs/capsh.c
@@ -83,33 +83,45 @@ static void display_prctl_set(const char *name, int (*fn)(cap_value_t))
}
}
-/* arg_print displays the current capability state of the process */
-static void arg_print(void)
+static void display_current(void)
{
- long set;
- int status, j;
cap_t all;
char *text;
- const char *sep;
- struct group *g;
- gid_t groups[MAX_GROUPS], gid;
- uid_t uid, euid;
- struct passwd *u, *eu;
- cap_iab_t iab;
all = cap_get_proc();
text = cap_to_text(all, NULL);
printf("Current: %s\n", text);
cap_free(text);
cap_free(all);
+}
+
+static void display_current_iab(void)
+{
+ cap_iab_t iab;
+ char *text;
- display_prctl_set("Bounding", cap_get_bound);
- display_prctl_set("Ambient", cap_get_ambient);
iab = cap_iab_get_proc();
text = cap_iab_to_text(iab);
printf("Current IAB: %s\n", text);
cap_free(text);
cap_free(iab);
+}
+
+/* arg_print displays the current capability state of the process */
+static void arg_print(void)
+{
+ long set;
+ int status, j;
+ const char *sep;
+ struct group *g;
+ gid_t groups[MAX_GROUPS], gid;
+ uid_t uid, euid;
+ struct passwd *u, *eu;
+
+ display_current();
+ display_prctl_set("Bounding", cap_get_bound);
+ display_prctl_set("Ambient", cap_get_ambient);
+ display_current_iab();
set = cap_get_secbits();
if (set >= 0) {
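Review bot: display_current() and display_current_iab() hand the results of cap_get_proc()/cap_to_text() and cap_iab_get_proc()/cap_iab_to_text() straight to printf("%s") with no NULL check; the libcap API documents that each of these returns NULL (with errno set) when the kernel query or the allocation fails, so on failure the helpers print "(null)" or invoke undefined behaviour and the process still exits 0. The pre-existing arg_print had the same gap, but the refactor now routes two code paths (--print and the new --current) through these helpers, so it is worth failing loudly here rather than reporting a state that was never read. I would check each return and report with perror() followed by a non-zero exit, matching whatever style capsh.c uses for its other libcap failures (not visible in this hunk). arg_print's body continues past the end of the hunk.
```c
static void display_current(void)
{
    /* … unchanged: declarations … */
    all = cap_get_proc();
    if (all == NULL) {
        perror("cap_get_proc");
        exit(1);
    }
    text = cap_to_text(all, NULL);
    if (text == NULL) {
        perror("cap_to_text");
        exit(1);
    }
    /* … unchanged: printf and cap_free calls … */
}

static void display_current_iab(void)
{
    /* … unchanged: declarations … */
    iab = cap_iab_get_proc();
    if (iab == NULL) {
        perror("cap_iab_get_proc");
        exit(1);
    }
    text = cap_iab_to_text(iab);
    if (text == NULL) {
        perror("cap_iab_to_text");
        exit(1);
    }
    /* … unchanged: printf and cap_free calls … */
}
```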
@@ -1011,6 +1023,9 @@ int main(int argc, char *argv[], char *envp[])
}
}
}
+ } else if (strcmp("--current", argv[i]) == 0) {
+ display_current();
+ display_current_iab();
} else {
usage:
printf("usage: %s [args ...]\n"
@@ -1018,6 +1033,7 @@ int main(int argc, char *argv[], char *envp[])
" --cap-uid=<n> use libcap cap_setuid() to change uid\n"
" --caps=xxx set caps as per cap_from_text()\n"
" --chroot=path chroot(2) to this path\n"
+ " --current show current caps and IAB vectors\n"
" --decode=xxx decode a hex string to a list of caps\n"
" --delamb=xxx remove xxx,... capabilities from ambient\n"
" --explain=xxx explain what capability xxx permits\n"
diff --git a/progs/quicktest.sh b/progs/quicktest.sh
index aaabbca..e508d0b 100755
--- a/progs/quicktest.sh
+++ b/progs/quicktest.sh
@@ -43,6 +43,7 @@ pass_capsh () {
}
pass_capsh --print
+pass_capsh --current
# Validate that PATH expansion works
PATH=$(/bin/pwd)/junk:$(/bin/pwd) capsh == == == --modes
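Review bot: `pass_capsh --current` only verifies that the new option is accepted (pass_capsh is defined above the hunk, so its exact check is not visible here); it does not confirm that the output is the `Current:` and `Current IAB:` lines the commit message says the option stands in for, so a regression that made `--current` print nothing, or print the full `--print` report, would still pass. Consider pairing it with an output assertion such as `[ "$(./capsh --current | grep -c '^Current')" = 2 ] || exit 1`, invoking capsh the same way the rest of the script does.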