Attachment #544732 for bug #605082

View | Details | Raw Unified | Return to bug 605082 | Differences between

and this patch




++ fcaps.eclass

# This is not the same as USE=caps which controls runtime capability changes,
# often via packages like libcap.
#
# Due to possible capability-loss on moving or copying, this now happens
# both in src_install and pkg_postinst. If it was needed in pkg_postinst, this
# generates a warning.
#
# @EXAMPLE:
# You can manually set the caps on ping and ping6 by doing:

# @ECLASS-VARIABLE: FILECAPS
# @DEFAULT_UNSET
# @DESCRIPTION:
# An array of fcap arguments to use to automatically execute fcaps. See that
# function for more details.
#
# All args are consumed until the '--' marker is found. So if you have:
# @CODE
# 	FILECAPS=( moo cow -- fat cat -- chubby penguin )
# @CODE

# capabilities were properly set on the file.
#
# If the system is unable to set capabilities, it will use the specified user,
# group, and mode (presumably to make the binary set*id). The defaults there
# are root:0 and 4711. Otherwise, the ownership and permissions will be
# unchanged.
fcaps() {
	debug-print-function ${FUNCNAME} "$@"

		[[ ${file} != /* ]] && file="${root}/${file}"

		if use filecaps ; then
			# Try to set capabilities. Ignore errors when the
			# fs doesn't support it, but abort on all others.
			debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"



			local out cmd notfound=0
			for cmd in _libcap _libcap_ng ; do
				# Check whether caps were set
				if out=$(LC_ALL=C ${cmd}_verify 2>&1) ; then
					debug-print "Caps '${caps}' were already set on '${file}'"
				else
					if [[ ${EBUILD_PHASE} == "postinst" ]] ; then
						ewarn "Caps weren't set, although we expected them to be set:"
						ewarn "* portage will now set caps ${caps} on $file"
						ewarn "* please verify that moving/copying files doesn't destroy XATTRs"
					else
						debug-print "Setting caps '${caps}' on '${file}'"
					fi
				fi

				if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then
					case ${out} in
					*"command not found"*)

					esac
				else
					# Sanity check that everything took.
					${cmd}_verify && debug-print "Caps '${caps}' are set on '${file}'" || die "Checking caps '${caps}' on '${file}' failed"

					# Everything worked.  Move on to the next file.
					continue 2

	done
}


# @FUNCTION: fcaps_src_install
# @DESCRIPTION:
# Process the FILECAPS array.
fcaps_src_install() {
	local arg args=()
	for arg in "${FILECAPS[@]}" "--" ; do
		if [[ ${arg} == "--" ]] ; then
			fcaps "${args[@]}"
			args=()
		else
			args+=( "${arg}" )
		fi
	done
}

EXPORT_FUNCTIONS pkg_postinst src_install

fi

Return to bug 605082

Line Link Here

(-)file_not_specified_in_diff (-10 / +40 lines)
0	-- fcaps.eclass	0	++ fcaps.eclass
Lines 10-17 Link Here
10	# This is not the same as USE=caps which controls runtime capability changes,	10	# This is not the same as USE=caps which controls runtime capability changes,
11	# often via packages like libcap.	11	# often via packages like libcap.
12	#	12	#
13	# Due to probable capability-loss on moving or copying, this happens in	13	# Due to possible capability-loss on moving or copying, this now happens
14	# pkg_postinst phase (at least for now).	14	# both in src_install and pkg_postinst. If it was needed in pkg_postinst, this
		15	# generates a warning.
15	#	16	#
16	# @EXAMPLE:	17	# @EXAMPLE:
17	# You can manually set the caps on ping and ping6 by doing:	18	# You can manually set the caps on ping and ping6 by doing:
Lines 39-48 Link Here
39	# @ECLASS-VARIABLE: FILECAPS	40	# @ECLASS-VARIABLE: FILECAPS
40	# @DEFAULT_UNSET	41	# @DEFAULT_UNSET
41	# @DESCRIPTION:	42	# @DESCRIPTION:
42	# An array of fcap arguments to use to automatically execute fcaps. See that	43	# An array of fcap arguments to use to automatically execute fcaps. See that
43	# function for more details.	44	# function for more details.
44	#	45	#
45	# All args are consumed until the '--' marker is found. So if you have:	46	# All args are consumed until the '--' marker is found. So if you have:
46	# @CODE	47	# @CODE
47	# FILECAPS=( moo cow -- fat cat -- chubby penguin )	48	# FILECAPS=( moo cow -- fat cat -- chubby penguin )
48	# @CODE	49	# @CODE
Lines 72-79 Link Here
72	# capabilities were properly set on the file.	73	# capabilities were properly set on the file.
73	#	74	#
74	# If the system is unable to set capabilities, it will use the specified user,	75	# If the system is unable to set capabilities, it will use the specified user,
75	# group, and mode (presumably to make the binary set*id). The defaults there	76	# group, and mode (presumably to make the binary set*id). The defaults there
76	# are root:0 and 4711. Otherwise, the ownership and permissions will be	77	# are root:0 and 4711. Otherwise, the ownership and permissions will be
77	# unchanged.	78	# unchanged.
78	fcaps() {	79	fcaps() {
79	debug-print-function ${FUNCNAME} "$@"	80	debug-print-function ${FUNCNAME} "$@"
Lines 118-124 Link Here
118	[[ ${file} != /* ]] && file="${root}/${file}"	119	[[ ${file} != /* ]] && file="${root}/${file}"
119		120
120	if use filecaps ; then	121	if use filecaps ; then
121	# Try to set capabilities. Ignore errors when the	122	# Try to set capabilities. Ignore errors when the
122	# fs doesn't support it, but abort on all others.	123	# fs doesn't support it, but abort on all others.
123	debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"	124	debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"
124		125
Lines 155-160 Link Here
155		156
156	local out cmd notfound=0	157	local out cmd notfound=0
157	for cmd in _libcap _libcap_ng ; do	158	for cmd in _libcap _libcap_ng ; do
		159	# Check whether caps were set
		160	if out=$(LC_ALL=C ${cmd}_verify 2>&1) ; then
		161	debug-print "Caps '${caps}' were already set on '${file}'"
		162	else
		163	if [[ ${EBUILD_PHASE} == "postinst" ]] ; then
		164	ewarn "Caps weren't set, although we expected them to be set:"
		165	ewarn "* portage will now set caps ${caps} on $file"
		166	ewarn "* please verify that moving/copying files doesn't destroy XATTRs"
		167	else
		168	debug-print "Setting caps '${caps}' on '${file}'"
		169	fi
		170	fi
		171
158	if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then	172	if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then
159	case ${out} in	173	case ${out} in
160	"command not found")	174	"command not found")
Lines 180-186 Link Here
180	esac	194	esac
181	else	195	else
182	# Sanity check that everything took.	196	# Sanity check that everything took.
183	${cmd}_verify \|\| die "Checking caps '${caps}' on '${file}' failed"	197	${cmd}_verify && debug-print "Caps '${caps}' are set on '${file}'" \|\| die "Checking caps '${caps}' on '${file}' failed"
184		198
185	# Everything worked. Move on to the next file.	199	# Everything worked. Move on to the next file.
186	continue 2	200	continue 2
Lines 214-219 Link Here
214	done	228	done
215	}	229	}
216		230
217	EXPORT_FUNCTIONS pkg_postinst	231
		232	# @FUNCTION: fcaps_src_install
		233	# @DESCRIPTION:
		234	# Process the FILECAPS array.
		235	fcaps_src_install() {
		236	local arg args=()
		237	for arg in "${FILECAPS[@]}" "--" ; do
		238	if [[ ${arg} == "--" ]] ; then
		239	fcaps "${args[@]}"
		240	args=()
		241	else
		242	args+=( "${arg}" )
		243	fi
		244	done
		245	}
		246
		247	EXPORT_FUNCTIONS pkg_postinst src_install
218		248
219	fi	249	fi