From patchwork Sun Apr 4 14:16:59 2010 X-Patchwork-Submitter: Jeff Layton X-Patchwork-Id: 49352
From: Jeff Layton To: linux-cifs-client@lists.samba.org Date: Sun, 4 Apr 2010 10:16:59 -0400 Message-Id: <1270390619-24136-1-git-send-email-jlayton@samba.org> X-Mailer: git-send-email 1.6.6.1 Subject: [linux-cifs-client] [PATCH] mount.cifs: use libcap-ng to manage capabilities X-BeenThere: linux-cifs-client@lists.samba.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: The Linux CIFS VFS client List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: linux-cifs-client-bounces@lists.samba.org Errors-To: linux-cifs-client-bounces@lists.samba.org ...in preference to libcap if it's available. Signed-off-by: Jeff Layton --- Makefile.am | 2 +- configure.ac | 5 ++++- mount.cifs.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index 9cf25f6..01f1762 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I aclocal root_sbindir = "/sbin" root_sbin_PROGRAMS = mount.cifs mount_cifs_SOURCES = mount.cifs.c mtab.c util.c -mount_cifs_LDADD = @LIBCAP@ +mount_cifs_LDADD = @LIBCAP@ @CAPNG_LDADD@ man_MANS = mount.cifs.8 diff --git a/configure.ac b/configure.ac index a64113a..857b0d8 100644 --- a/configure.ac +++ b/configure.ac @@ -118,6 +118,9 @@ LIBS=$cu_saved_libs AM_CONDITIONAL(CONFIG_CIFSUPCALL, [test "$enable_cifsupcall" != "no"]) -AC_LIBCAP +LIBCAP_NG_PATH +if test "x$CAPNG_LDADD" = "x"; then + AC_LIBCAP +fi AC_OUTPUT diff --git a/mount.cifs.c b/mount.cifs.c index eb72c46..1ff1846 100644 --- a/mount.cifs.c +++ b/mount.cifs.c @@ -44,9 +44,13 @@ #include #include #include +#ifdef HAVE_LIBCAP_NG +#include +#else /* HAVE_LIBCAP_NG */ #ifdef HAVE_LIBCAP #include #endif /* HAVE_LIBCAP */ +#endif /* HAVE_LIBCAP_NG */ #include "mount.h" #include "util.h" 
@@ -322,6 +326,44 @@ static int parse_username(char *rawuser, struct parsed_mount_info *parsed_info) return 0; } +#ifdef HAVE_LIBCAP_NG +static int +drop_capabilities(int parent) +{ + capng_setpid(getpid()); + capng_clear(CAPNG_SELECT_BOTH); + if (capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_DAC_OVERRIDE)) { + fprintf(stderr, "Unable to update capability set.\n"); + return EX_SYSERR; + } + + if (parent) { + if (capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_ADMIN)) { + fprintf(stderr, "Unable to update capability set.\n"); + return EX_SYSERR; + } + } + if (capng_apply(CAPNG_SELECT_BOTH)) { + fprintf(stderr, "Unable to apply new capability set.\n"); + return EX_SYSERR; + } + return 0; +} + +static int +toggle_cap_dac_override(int enable) +{ + if (capng_update(enable ? CAPNG_ADD : CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE)) { + fprintf(stderr, "Unable to update capability set.\n"); + return EX_SYSERR; + } + if (capng_apply(CAPNG_SELECT_CAPS)) { + fprintf(stderr, "Unable to apply new capability set.\n"); + return EX_SYSERR; + } + return 0; +} +#else /* HAVE_LIBCAP_NG */ #ifdef HAVE_LIBCAP static int drop_capabilities(int parent) @@ -426,6 +468,7 @@ toggle_cap_dac_override(int enable) return 0; } #endif /* HAVE_LIBCAP */ +#endif /* HAVE_LIBCAP_NG */ static int open_cred_file(char *file_name, struct parsed_mount_info *parsed_info)
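Review bot: LIBCAP_NG_PATH in the configure.ac hunk is not defined by anything in this patch. The diffstat lists only Makefile.am, configure.ac and mount.cifs.c, so unless the macro already lives in the aclocal directory named by ACLOCAL_AMFLAGS, regenerating configure on a machine without the libcap-ng development files leaves the bare name in the script, and the "x$CAPNG_LDADD" = "x" fallback to AC_LIBCAP is never reached cleanly. Suggest adding the m4 file that provides the macro to aclocal/ in this same patch, and stating in the commit message which variables it is expected to set (CAPNG_LDADD, HAVE_LIBCAP_NG).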
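Review bot: style point on the include block at the top of mount.cifs.c: nesting #ifdef HAVE_LIBCAP inside #else /* HAVE_LIBCAP_NG */ costs an extra #endif here and again around the function definitions further down. "#elif defined(HAVE_LIBCAP)" would express the same preference order with one conditional level and make it harder to unbalance the two blocks in a later edit.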
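Review bot: drop_capabilities() in the HAVE_LIBCAP_NG block calls capng_clear(CAPNG_SELECT_BOTH) and capng_apply(CAPNG_SELECT_BOTH), so it empties and applies the bounding set as well as the permitted/effective sets, while toggle_cap_dac_override() applies only CAPNG_SELECT_CAPS. Lowering the bounding set requires CAP_SETPCAP, so the apply may fail when the process starts without it (for example a binary that is not setuid, run by an ordinary user), and the function then returns EX_SYSERR. Please either use CAPNG_SELECT_CAPS in both functions or explain in the commit message why the bounding set is cleared too, and confirm the unprivileged case still behaves as before. Smaller points in the same hunk: both capng_update() failures in drop_capabilities() print the identical "Unable to update capability set." message, so naming the capability would make the error actionable; if capng_apply() fails in toggle_cap_dac_override() the libcap-ng in-memory state has already been changed by capng_update() and no longer matches the kernel's; and the capng_update() lines run well past 80 columns.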