Attachment #550998 for bug #605082




++ fcaps.eclass

# This is not the same as USE=caps which controls runtime capability changes,
# often via packages like libcap.
#
# Due to possible capability-loss on moving or copying, this now happens
# both in src_install and pkg_postinst. If it was needed in pkg_postinst, this
# generates a warning.
#
# @EXAMPLE:
# You can manually set the caps on ping and ping6 by doing:

# @ECLASS-VARIABLE: FILECAPS
# @DEFAULT_UNSET
# @DESCRIPTION:
# An array of fcap arguments to use to automatically execute fcaps. See that
# function for more details.
#
# All args are consumed until the '--' marker is found. So if you have:
# @CODE
# 	FILECAPS=( moo cow -- fat cat -- chubby penguin )
# @CODE

# capabilities were properly set on the file.
#
# If the system is unable to set capabilities, it will use the specified user,
# group, and mode (presumably to make the binary set*id). The defaults there
# are root:0 and 4711. Otherwise, the ownership and permissions will be
# unchanged.
fcaps() {
	debug-print-function ${FUNCNAME} "$@"

		[[ ${file} != /* ]] && file="${root}/${file}"

		if use filecaps ; then
			# Try to set capabilities. Ignore errors when the
			# fs doesn't support it, but abort on all others.
			debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"



			local out cmd notfound=0
			for cmd in _libcap _libcap_ng ; do
				# If in postinst, check whether caps were already set, as they normally should be
				if [[ ${EBUILD_PHASE} == "postinst" ]] ; then
					if out=$(LC_ALL=C ${cmd}_verify 2>&1) ; then
						debug-print "Caps '${caps}' were already set on '${file}'"
					else
						case ${out} in
						*"command not found"*)
							: $(( ++notfound ))
							continue
							;;
						*)
							ewarn "Caps weren't set, although we expected them to be set:"
							ewarn "* portage will now set caps ${caps} on $file"
							ewarn "* please verify that moving/copying files doesn't destroy XATTRs"
							;;
						esac
					fi
				else
					debug-print "Setting caps '${caps}' on '${file}'"
				fi

				if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then
					case ${out} in
					*"command not found"*)

						break
						;;
					*)
						eerror "Setting caps '${caps}' on file '${file}' with '${cmd}' failed:"
						eerror "${out}"
						die "Could not set caps"
						;;
					esac
				else
					# Sanity check that everything took.
					${cmd}_verify && debug-print "Caps '${caps}' are set on '${file}'" || die "Checking caps '${caps}' on '${file}' failed"

					# Everything worked.  Move on to the next file.
					continue 2

	done
}

# @FUNCTION: fcaps_parse
# @DESCRIPTION:
# Process the FILECAPS array.
fcaps_parse() {
	# only proceed if FILECAPS is set and not empty
	if [ ${FILECAPS[0]} ] ; then
		local arg args=()
		for arg in "${FILECAPS[@]}" "--" ; do
			if [[ ${arg} == "--" ]] ; then
				fcaps "${args[@]}"
				args=()
			else
				args+=( "${arg}" )
			fi
		done
	else
		debug-print "${FUNCNAME}: FILECAPS is empty but ebuild uses fcap, assuming direct fcaps call"
	fi
}


# @FUNCTION: fcaps_pkg_postinst
# @DESCRIPTION:
# Process the FILECAPS array.
fcaps_pkg_postinst() {
	fcaps_parse
	for arg in "${FILECAPS[@]}" "--" ; do
		if [[ ${arg} == "--" ]] ; then
			fcaps "${args[@]}"
			args=()
		else
			args+=( "${arg}" )
		fi
	done
}

EXPORT_FUNCTIONS pkg_postinst

Return to bug 605082

Line Link Here

(-)file_not_specified_in_diff (-20 / +55 lines)
0	-- fcaps.eclass	0	++ fcaps.eclass
Lines 10-17 Link Here
10	# This is not the same as USE=caps which controls runtime capability changes,	10	# This is not the same as USE=caps which controls runtime capability changes,
11	# often via packages like libcap.	11	# often via packages like libcap.
12	#	12	#
13	# Due to probable capability-loss on moving or copying, this happens in	13	# Due to possible capability-loss on moving or copying, this now happens
14	# pkg_postinst phase (at least for now).	14	# both in src_install and pkg_postinst. If it was needed in pkg_postinst, this
		15	# generates a warning.
15	#	16	#
16	# @EXAMPLE:	17	# @EXAMPLE:
17	# You can manually set the caps on ping and ping6 by doing:	18	# You can manually set the caps on ping and ping6 by doing:
Lines 39-48 Link Here
39	# @ECLASS-VARIABLE: FILECAPS	40	# @ECLASS-VARIABLE: FILECAPS
40	# @DEFAULT_UNSET	41	# @DEFAULT_UNSET
41	# @DESCRIPTION:	42	# @DESCRIPTION:
42	# An array of fcap arguments to use to automatically execute fcaps. See that	43	# An array of fcap arguments to use to automatically execute fcaps. See that
43	# function for more details.	44	# function for more details.
44	#	45	#
45	# All args are consumed until the '--' marker is found. So if you have:	46	# All args are consumed until the '--' marker is found. So if you have:
46	# @CODE	47	# @CODE
47	# FILECAPS=( moo cow -- fat cat -- chubby penguin )	48	# FILECAPS=( moo cow -- fat cat -- chubby penguin )
48	# @CODE	49	# @CODE
Lines 72-79 Link Here
72	# capabilities were properly set on the file.	73	# capabilities were properly set on the file.
73	#	74	#
74	# If the system is unable to set capabilities, it will use the specified user,	75	# If the system is unable to set capabilities, it will use the specified user,
75	# group, and mode (presumably to make the binary set*id). The defaults there	76	# group, and mode (presumably to make the binary set*id). The defaults there
76	# are root:0 and 4711. Otherwise, the ownership and permissions will be	77	# are root:0 and 4711. Otherwise, the ownership and permissions will be
77	# unchanged.	78	# unchanged.
78	fcaps() {	79	fcaps() {
79	debug-print-function ${FUNCNAME} "$@"	80	debug-print-function ${FUNCNAME} "$@"
Lines 118-124 Link Here
118	[[ ${file} != /* ]] && file="${root}/${file}"	119	[[ ${file} != /* ]] && file="${root}/${file}"
119		120
120	if use filecaps ; then	121	if use filecaps ; then
121	# Try to set capabilities. Ignore errors when the	122	# Try to set capabilities. Ignore errors when the
122	# fs doesn't support it, but abort on all others.	123	# fs doesn't support it, but abort on all others.
123	debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"	124	debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"
124		125
Lines 155-160 Link Here
155		156
156	local out cmd notfound=0	157	local out cmd notfound=0
157	for cmd in _libcap _libcap_ng ; do	158	for cmd in _libcap _libcap_ng ; do
		159	# If in postinst, check whether caps were already set, as they normally should be
		160	if [[ ${EBUILD_PHASE} == "postinst" ]] ; then
		161	if out=$(LC_ALL=C ${cmd}_verify 2>&1) ; then
		162	debug-print "Caps '${caps}' were already set on '${file}'"
		163	else
		164	case ${out} in
		165	"command not found")
		166	: $(( ++notfound ))
		167	continue
		168	;;
		169	*)
		170	ewarn "Caps weren't set, although we expected them to be set:"
		171	ewarn "* portage will now set caps ${caps} on $file"
		172	ewarn "* please verify that moving/copying files doesn't destroy XATTRs"
		173	;;
		174	esac
		175	fi
		176	else
		177	debug-print "Setting caps '${caps}' on '${file}'"
		178	fi
		179
158	if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then	180	if ! out=$(LC_ALL=C ${cmd} 2>&1) ; then
159	case ${out} in	181	case ${out} in
160	"command not found")	182	"command not found")
Lines 173-186 Link Here
173	break	195	break
174	;;	196	;;
175	*)	197	*)
176	eerror "Setting caps '${caps}' on file '${file}' failed:"	198	eerror "Setting caps '${caps}' on file '${file}' with '${cmd}' failed:"
177	eerror "${out}"	199	eerror "${out}"
178	die "could not set caps"	200	die "Could not set caps"
179	;;	201	;;
180	esac	202	esac
181	else	203	else
182	# Sanity check that everything took.	204	# Sanity check that everything took.
183	${cmd}_verify \|\| die "Checking caps '${caps}' on '${file}' failed"	205	${cmd}_verify && debug-print "Caps '${caps}' are set on '${file}'" \|\| die "Checking caps '${caps}' on '${file}' failed"
184		206
185	# Everything worked. Move on to the next file.	207	# Everything worked. Move on to the next file.
186	continue 2	208	continue 2
Lines 199-217 Link Here
199	done	221	done
200	}	222	}
201		223
		224	# @FUNCTION: fcaps_parse
		225	# @DESCRIPTION:
		226	# Process the FILECAPS array.
		227	fcaps_parse() {
		228	# only proceed if FILECAPS is set and not empty
		229	if [ ${FILECAPS[0]} ] ; then
		230	local arg args=()
		231	for arg in "${FILECAPS[@]}" "--" ; do
		232	if [[ ${arg} == "--" ]] ; then
		233	fcaps "${args[@]}"
		234	args=()
		235	else
		236	args+=( "${arg}" )
		237	fi
		238	done
		239	else
		240	debug-print "${FUNCNAME}: FILECAPS is empty but ebuild uses fcap, assuming direct fcaps call"
		241	fi
		242	}
		243
		244
202	# @FUNCTION: fcaps_pkg_postinst	245	# @FUNCTION: fcaps_pkg_postinst
203	# @DESCRIPTION:	246	# @DESCRIPTION:
204	# Process the FILECAPS array.	247	# Process the FILECAPS array.
205	fcaps_pkg_postinst() {	248	fcaps_pkg_postinst() {
206	local arg args=()	249	fcaps_parse
207	for arg in "${FILECAPS[@]}" "--" ; do
208	if [[ ${arg} == "--" ]] ; then
209	fcaps "${args[@]}"
210	args=()
211	else
212	args+=( "${arg}" )
213	fi
214	done
215	}	250	}
216		251
217	EXPORT_FUNCTIONS pkg_postinst	252	EXPORT_FUNCTIONS pkg_postinst