Build with a pam_cap module.

Note, I've been confused about the capset/capget system calls.
It would seem that the current way(TM) is to get the raw API
from libc.

10 files changed, 65 insertions, 56 deletions

diff --git a/CHANGELOG b/CHANGELOG
index d1d3cd9..f59a211 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+* See GIT repository for recent history
+
+  git://master.kernel.org/pub/scm/libs/libcap/libcap.git
+
 libcap 1.10
 
 * fixed cap_free to abide by correct documention - use it to free
diff --git a/Make.Rules b/Make.Rules
index de20875..3825291 100644
--- a/Make.Rules
+++ b/Make.Rules
@@ -49,16 +49,16 @@ MINOR=99
 CC=gcc
 COPTFLAGS=-O2
 DEBUG=-O2 -g #-DDEBUG
-WARNINGS=-fPIC -D_POSIX_SOURCE -Wall -Wwrite-strings \
+WARNINGS=-fPIC -Wall -Wwrite-strings \
         -Wpointer-arith -Wcast-qual -Wcast-align \
         -Wstrict-prototypes -Wmissing-prototypes \
         -Wnested-externs -Winline -Wshadow
-LD=ld
-LDFLAGS=-s #-g
+LD=$(CC) -Wl,-x -shared
+LDFLAGS=#-g
 
 KERNEL_HEADERS = /usr/include
 SYSTEM_HEADERS = /usr/include
-IPATH += -I$(topdir)/libcap/include
+IPATH += -I$(topdir)/libcap/include -I$(KERNEL_HEADERS)
 INCS=$(topdir)/libcap/include/sys/capability.h
 LIBS=-L$(topdir)/libcap -lcap
 CFLAGS=-Dlinux $(WARNINGS) $(DEBUG) $(COPTFLAG) $(IPATH)
diff --git a/Makefile b/Makefile
index af46428..14f0dce 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,6 @@
 #
-# $Id: Makefile,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $
-#
 # Makefile for libcap
-
+#
 topdir=$(shell pwd)
 include Make.Rules
 
@@ -12,6 +10,7 @@ include Make.Rules
 
 all install clean: %: %-here
 	$(MAKE) -C libcap $(MAKE_DEFS) $@
+	$(MAKE) -C pam_cap $(MAKE_DEFS) $@
 	$(MAKE) -C progs $(MAKE_DEFS) $@
 	$(MAKE) -C doc $(MAKE_DEFS) $@
 
diff --git a/libcap/Makefile b/libcap/Makefile
index f875c33..52927c4 100644
--- a/libcap/Makefile
+++ b/libcap/Makefile
@@ -10,7 +10,7 @@ LIBNAME=$(LIBTITLE).so
 STALIBNAME=$(LIBTITLE).a
 #
 
-FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_sys cap_file
+FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_file
 
 INCLS=libcap.h cap_names.h $(INCS)
 OBJS=$(addsuffix .o, $(FILES))
@@ -21,7 +21,7 @@ LDFLAGS+=-lattr
 all: $(MINLIBNAME) $(STALIBNAME)
 
 _makenames: _makenames.c cap_names.sed
-	$(CC) $(CFLAGS) $(LDFLAGS) $< -o $@
+	$(CC) $(CFLAGS) $< -o $@
 
 cap_names.h: _makenames
 	./_makenames > cap_names.h
@@ -36,19 +36,13 @@ $(STALIBNAME): $(OBJS)
 	ranlib $(STALIBNAME)
 
 $(MINLIBNAME): $(OBJS)
-	$(CC) $(COPTFLAG) -Wl,-soname,$(MAJLIBNAME) -Wl,-x -shared -o $@ $(OBJS)
+	$(LD) $(LDFLAGS) $(COPTFLAG) -Wl,-soname,$(MAJLIBNAME) -o $@ $(OBJS)
 	ln -sf $(MINLIBNAME) $(MAJLIBNAME)
 	ln -sf $(MAJLIBNAME) $(LIBNAME)
 
 %.o: %.c $(INCLS)
 	$(CC) $(CFLAGS) -c $< -o $@
 
-<<<<<<< HEAD:libcap/Makefile
-=======
-cap_sys.o: cap_sys.c $(INCLS)
-	$(CC) -include $(SYSTEM_HEADERS)/linux/unistd.h $(IPATH) -fPIC -Wall -O2 -c $< -o $@
-
->>>>>>> Add tentitive support for filesystem capabilities with 2.6.23-mm kernels:libcap/Makefile
 install: all
 	mkdir -p -m 0755 $(INCDIR)/sys
 	install -m 0644 include/sys/capability.h $(INCDIR)/sys
diff --git a/libcap/cap_sys.c b/libcap/cap_sys.c
deleted file mode 100644
index 8a486b0..0000000
--- a/libcap/cap_sys.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 1997-8 Andrew G. Morgan   <morgan@kernel.org>
- *
- * This file contains the system calls for getting and setting
- * capabilities
- */
-
-#define user        /* for more recent 2.6 kernels */
-
-#include <linux/unistd.h>
-#include <sys/capability.h>
-
-#define user
-
-_syscall2(int, capget,
-	  cap_user_header_t, header,
-	  cap_user_data_t, data)
-
-_syscall2(int, capset,
-	  cap_user_header_t, header,
-	  const cap_user_data_t, data)
-
diff --git a/pam_cap/Makefile b/pam_cap/Makefile
index 03d2597..453b63c 100644
--- a/pam_cap/Makefile
+++ b/pam_cap/Makefile
@@ -1,13 +1,19 @@
 # simple make file for the pam_cap module
 
+topdir=$(shell pwd)/..
+include ../Make.Rules
+
+all: pam_cap.so
+	$(MAKE) testcompile
+
 pam_cap.so: pam_cap.o
-	ld -x --shared -o pam_cap.so $< -lcap
+	$(LD) -o pam_cap.so $< $(LIBS)
 
 pam_cap.o: pam_cap.c
-	$(CC) -fPIC -c $<
+	$(CC) $(CFLAGS) -c $< -o $@
 
-test: test.c pam_cap.o
-	$(CC) -o test test.c pam_cap.o -lpam -ldl -lcap
+testcompile: test.c pam_cap.o
+	$(CC) $(CFLAGS) -o $@ $+ -lpam -ldl $(LIBS)
 
 clean:
-	rm -f *.o *.so test
+	rm -f *.o *.so testcompile
diff --git a/pam_cap/capability.conf b/pam_cap/capability.conf
index 30e4984..40d85fc 100644
--- a/pam_cap/capability.conf
+++ b/pam_cap/capability.conf
@@ -8,10 +8,9 @@
 # and thus you'll know about Linux's capability support.
 # [If you don't know about libcap, the sources for it are here:
 #
-#   ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/
+#   http://linux.kernel.org/pub/linux/libs/security/linux-privs/
 #
-# despite evidence to the contrary, the 2-2 library should be used for 2.3
-# kernels too.]
+# .]
 #
 # Here are some sample lines (remove the preceding '#' if you want to
 # use them
@@ -23,7 +22,7 @@
 # cap_net_raw,cap_fowner	luser
 
 ## 'everyone else' gets no inheritable capabilities
-# none  *
+none  *
 
 ## if there is no '*' entry, all users not explicitly mentioned will
 ## get all available capabilities. This is a permissive default, and
diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
index 2b887fc..94c5ebc 100644
--- a/pam_cap/pam_cap.c
+++ b/pam_cap/pam_cap.c
@@ -1,10 +1,8 @@
 /*
- * Copyright (c) Andrew G. Morgan <morgan@linux.kernel.org>
+ * Copyright (c) 1999,2007 Andrew G. Morgan <morgan@kernel.org>
  *
  * The purpose of this module is to enforce inheritable capability sets
  * for a specified user.
- *
- * $Id$ <- no version yet ;)
  */
 
 /* #define DEBUG */
@@ -13,6 +11,8 @@
 #include <string.h>
 #include <errno.h>
 #include <stdarg.h>
+#include <stdlib.h>
+#include <syslog.h>
 
 #include <sys/capability.h>
 
@@ -60,7 +60,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
 	    continue;
 	}
 
-	while (line = strtok(NULL, CAP_FILE_DELIMITERS)) {
+	while ((line = strtok(NULL, CAP_FILE_DELIMITERS))) {
 
 	    if (strcmp("*", line) == 0) {
 		D(("wildcard matched"));
@@ -191,7 +191,7 @@ cleanup_cap_s:
 	cap_free(cap_s);
 	cap_s = NULL;
     }
-    
+
     return ok;
 }
 
@@ -308,4 +308,3 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
 
     return (retval ? PAM_SUCCESS:PAM_IGNORE );
 }
-
diff --git a/pam_cap/test.c b/pam_cap/test.c
index 692ac28..5150ba5 100644
--- a/pam_cap/test.c
+++ b/pam_cap/test.c
@@ -1,6 +1,12 @@
 #include <stdio.h>
+#include <stdlib.h>
+#include <security/pam_modules.h>
 
-main()
+int main(int argc, char **argv)
 {
-    pam_sm_authenticate(NULL, 0, NULL, 0);
+    if (pam_sm_authenticate(NULL, 0, 0, NULL) != PAM_SUCCESS) {
+	printf("failed to authenticate\n");
+	exit(1);
+    }
+    exit(0);
 }
diff --git a/progs/setcap.c b/progs/setcap.c
index b312212..8cd7e6a 100644
--- a/progs/setcap.c
+++ b/progs/setcap.c
@@ -58,14 +58,35 @@ int main(int argc, char **argv)
 {
     char buffer[MAXCAP+1];
     int retval, quiet=0;
-    cap_t cap_d;
+    cap_t mycaps;
+    cap_value_t capflag;
 
     if (argc < 3) {
 	usage();
     }
 
+    mycaps = cap_get_proc();
+    if (mycaps == NULL) {
+	perror("fatal error - unable to get process capabilities");
+	exit(1);
+    }
+    capflag = CAP_SETFCAP;
+
+    /*
+     * Raise the effective CAP_SETPCAP.
+     */
+    if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET) != 0) {
+	perror("unable to manipulate CAP_SETFCAP - try a newer libcap?");
+	exit(1);
+    }
+    if (cap_set_proc(mycaps) != 0) {
+	perror("unable to set CAP_SETFCAP effective capability");
+	exit(1);
+    }
+
     while (--argc > 0) {
 	const char *text;
+	cap_t cap_d;
 
 	if (!strcmp(*++argv,"-q")) {
 	    quiet = 1;
@@ -102,6 +123,9 @@ int main(int argc, char **argv)
 	if (--argc <= 0)
 	    usage();
 
+	/*
+	 * Set the filesystem capability for this file.
+	 */
 	retval = cap_set_file(*++argv, cap_d);
 	if (retval != 0) {
 	    fprintf(stderr, "Failed to set capabilities on file `%s' (%s)\n",