Attachment #545784 for bug #605082




++ fcaps.eclass

# This is not the same as USE=caps which controls runtime capability changes,
# often via packages like libcap.
#
# Due to possible capability-loss on moving or copying, this now happens
# both in src_install and pkg_postinst. If it was needed in pkg_postinst, this
# generates a warning.
#
# @EXAMPLE:
# You can manually set the caps on ping and ping6 by doing:

# @ECLASS-VARIABLE: FILECAPS
# @DEFAULT_UNSET
# @DESCRIPTION:
# An array of fcap arguments to use to automatically execute fcaps. See that
# function for more details.
#
# All args are consumed until the '--' marker is found. So if you have:
# @CODE
# 	FILECAPS=( moo cow -- fat cat -- chubby penguin )
# @CODE

# capabilities were properly set on the file.
#
# If the system is unable to set capabilities, it will use the specified user,
# group, and mode (presumably to make the binary set*id). The defaults there
# are root:0 and 4711. Otherwise, the ownership and permissions will be
# unchanged.
fcaps() {
	debug-print-function ${FUNCNAME} "$@"

		[[ ${file} != /* ]] && file="${root}/${file}"

		if use filecaps ; then
			# Try to set capabilities. Ignore errors when the
			# fs doesn't support it, but abort on all others.
			debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"



			local out cmd notfound=0
			for cmd in _libcap _libcap_ng ; do
				# If in postinst, check whether caps were already set, as they normally should be
				if [[ ${EBUILD_PHASE} == "postinst" ]] ; then
					if out=$(LC_ALL=C ${cmd}_verify 2>&1) ; then
						debug-print "Caps '${caps}' were already set on '${file}'"
					else
						case ${out} in
						*"command not found"*)
							: $(( ++notfound ))
							continue
							;;
						*)
							ewarn "Caps weren't set, although we expected them to be set:"
							ewarn "* portage will now set caps ${caps} on $file"
							ewarn "* please verify that moving/copying files doesn't destroy XATTRs"
							;;
						esac
					fi
				else
					debug-print "Setting caps '${caps}' on '${file}'"
				fi

				if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then
					case ${out} in
					*"command not found"*)

						break
						;;
					*)
						eerror "Setting caps '${caps}' on file '${file}' with '${cmd}' failed:"
						eerror "${out}"
						die "Could not set caps"
						;;
					esac
				else
					# Sanity check that everything took.
					${cmd}_verify && debug-print "Caps '${caps}' are set on '${file}'" || die "Checking caps '${caps}' on '${file}' failed"

					# Everything worked.  Move on to the next file.
					continue 2

	done
}


# @FUNCTION: fcaps_src_install
# @DESCRIPTION:
# Process the FILECAPS array.
fcaps_src_install() {
	local arg args=()
	for arg in "${FILECAPS[@]}" "--" ; do
		if [[ ${arg} == "--" ]] ; then
			fcaps "${args[@]}"
			args=()
		else
			args+=( "${arg}" )
		fi
	done
}

EXPORT_FUNCTIONS pkg_postinst src_install

fi

Return to bug 605082

Line Link Here

(-)file_not_specified_in_diff (-12 / +50 lines)
0	-- fcaps.eclass	0	++ fcaps.eclass
Lines 10-17 Link Here
10	# This is not the same as USE=caps which controls runtime capability changes,	10	# This is not the same as USE=caps which controls runtime capability changes,
11	# often via packages like libcap.	11	# often via packages like libcap.
12	#	12	#
13	# Due to probable capability-loss on moving or copying, this happens in	13	# Due to possible capability-loss on moving or copying, this now happens
14	# pkg_postinst phase (at least for now).	14	# both in src_install and pkg_postinst. If it was needed in pkg_postinst, this
		15	# generates a warning.
15	#	16	#
16	# @EXAMPLE:	17	# @EXAMPLE:
17	# You can manually set the caps on ping and ping6 by doing:	18	# You can manually set the caps on ping and ping6 by doing:
Lines 39-48 Link Here
39	# @ECLASS-VARIABLE: FILECAPS	40	# @ECLASS-VARIABLE: FILECAPS
40	# @DEFAULT_UNSET	41	# @DEFAULT_UNSET
41	# @DESCRIPTION:	42	# @DESCRIPTION:
42	# An array of fcap arguments to use to automatically execute fcaps. See that	43	# An array of fcap arguments to use to automatically execute fcaps. See that
43	# function for more details.	44	# function for more details.
44	#	45	#
45	# All args are consumed until the '--' marker is found. So if you have:	46	# All args are consumed until the '--' marker is found. So if you have:
46	# @CODE	47	# @CODE
47	# FILECAPS=( moo cow -- fat cat -- chubby penguin )	48	# FILECAPS=( moo cow -- fat cat -- chubby penguin )
48	# @CODE	49	# @CODE
Lines 72-79 Link Here
72	# capabilities were properly set on the file.	73	# capabilities were properly set on the file.
73	#	74	#
74	# If the system is unable to set capabilities, it will use the specified user,	75	# If the system is unable to set capabilities, it will use the specified user,
75	# group, and mode (presumably to make the binary set*id). The defaults there	76	# group, and mode (presumably to make the binary set*id). The defaults there
76	# are root:0 and 4711. Otherwise, the ownership and permissions will be	77	# are root:0 and 4711. Otherwise, the ownership and permissions will be
77	# unchanged.	78	# unchanged.
78	fcaps() {	79	fcaps() {
79	debug-print-function ${FUNCNAME} "$@"	80	debug-print-function ${FUNCNAME} "$@"
Lines 118-124 Link Here
118	[[ ${file} != /* ]] && file="${root}/${file}"	119	[[ ${file} != /* ]] && file="${root}/${file}"
119		120
120	if use filecaps ; then	121	if use filecaps ; then
121	# Try to set capabilities. Ignore errors when the	122	# Try to set capabilities. Ignore errors when the
122	# fs doesn't support it, but abort on all others.	123	# fs doesn't support it, but abort on all others.
123	debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"	124	debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"
124		125
Lines 155-160 Link Here
155		156
156	local out cmd notfound=0	157	local out cmd notfound=0
157	for cmd in _libcap _libcap_ng ; do	158	for cmd in _libcap _libcap_ng ; do
		159	# If in postinst, check whether caps were already set, as they normally should be
		160	if [[ ${EBUILD_PHASE} == "postinst" ]] ; then
		161	if out=$(LC_ALL=C ${cmd}_verify 2>&1) ; then
		162	debug-print "Caps '${caps}' were already set on '${file}'"
		163	else
		164	case ${out} in
		165	"command not found")
		166	: $(( ++notfound ))
		167	continue
		168	;;
		169	*)
		170	ewarn "Caps weren't set, although we expected them to be set:"
		171	ewarn "* portage will now set caps ${caps} on $file"
		172	ewarn "* please verify that moving/copying files doesn't destroy XATTRs"
		173	;;
		174	esac
		175	fi
		176	else
		177	debug-print "Setting caps '${caps}' on '${file}'"
		178	fi
		179
158	if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then	180	if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then
159	case ${out} in	181	case ${out} in
160	"command not found")	182	"command not found")
Lines 173-186 Link Here
173	break	195	break
174	;;	196	;;
175	*)	197	*)
176	eerror "Setting caps '${caps}' on file '${file}' failed:"	198	eerror "Setting caps '${caps}' on file '${file}' with '${cmd}' failed:"
177	eerror "${out}"	199	eerror "${out}"
178	die "could not set caps"	200	die "Could not set caps"
179	;;	201	;;
180	esac	202	esac
181	else	203	else
182	# Sanity check that everything took.	204	# Sanity check that everything took.
183	${cmd}_verify \|\| die "Checking caps '${caps}' on '${file}' failed"	205	${cmd}_verify && debug-print "Caps '${caps}' are set on '${file}'" \|\| die "Checking caps '${caps}' on '${file}' failed"
184		206
185	# Everything worked. Move on to the next file.	207	# Everything worked. Move on to the next file.
186	continue 2	208	continue 2
Lines 214-219 Link Here
214	done	236	done
215	}	237	}
216		238
217	EXPORT_FUNCTIONS pkg_postinst	239
		240	# @FUNCTION: fcaps_src_install
		241	# @DESCRIPTION:
		242	# Process the FILECAPS array.
		243	fcaps_src_install() {
		244	local arg args=()
		245	for arg in "${FILECAPS[@]}" "--" ; do
		246	if [[ ${arg} == "--" ]] ; then
		247	fcaps "${args[@]}"
		248	args=()
		249	else
		250	args+=( "${arg}" )
		251	fi
		252	done
		253	}
		254
		255	EXPORT_FUNCTIONS pkg_postinst src_install
218		256
219	fi	257	fi