2.2.11 cap-bound UI

Domas Mituzas (midom@dammit.lt)
Mon, 23 Aug 1999 10:12:11 +0200 (CEST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Mofeed Shahin: "UDF FileSystem."
Previous message: Geert Uytterhoeven: "Re: Frame buffer problem in 2.2.11"

Hello all,
as 2.2.11 kernel has capability bounding option via /proc interface I
wrote user interface for this option. To learn more about every capability
just look at /usr/include/linux/capability.h... This is kind of same as
securelevel (grained)... Feel free to write comments personaly.

With respect,
Domas Mituzas

here comes the tool:

#!/usr/bin/perl
#
#
# system capability boundaries tool.
# author: Domas Mituzas <midom@dammit.lt>
# development hosts: home2.dammit.lt
# flag.dammit.lt
# path: /sbin/capbounds
# revision: 1.0 (1999/Aug/22 - 12.00CEST) - midom@flag
#
sub get_caps {
unless(open(DEFINES,"</usr/include/linux/capability.h")) {
print STDERR "Can't open /usr/include/linux/capability.h: $!\n";
return;
}

while(<DEFINES>) {
if (/^#define CAP_([A-Z_]+)\s*(\d+)$/) {
$caps{lc($1)}=$2;
}
}
close(DEFINES);
}

sub get_bound {
unless(open(BOUND,"</proc/sys/kernel/cap-bound")) {
print STDERR "Can't open /proc/sys/kernel/cap-bound: $!\nMake sure you are running 2.2.11 or newer kernel.\n";
exit;
}
while(<BOUND>){
if (/(-\d+)/) {
return $1;
}
}
close BOUND;
}

sub show_usage {
print <<END;
system capabilities setting tool

syscapset {list|set capability [capability [...]]}
END
}

sub cap_to_mask {
$tmpcap=$_[0];
return (1 << ($tmpcap));
}

sub list_caps {
foreach $cap (@scaps) {
if ($caps{$cap} eq "") { $status="does not exist"; }
$mask = cap_to_mask($caps{$cap});
if (($mask & $boundary) ne 0) {
$status="enabled"; } else {
$status="disabled"; }

printf("%-30s\t%10s\n",
$cap,$status);
}
}

$boundary= ~0;

&get_caps;

cap_to_mask(1);

$boundary=get_bound();
@scaps=sort keys %caps;

if ($ARGV[0] eq "list") {&list_caps;}
elsif ($ARGV[0] eq "help") {&show_usage;}
elsif ($ARGV[0] eq "set") {
if ($#ARGV==0) {&show_usage;} else {
while ( $i++ < $#ARGV) {
$_=$ARGV[$i];
if (/([a-z_]+)/i) {
if ($caps{lc($1)} eq "") {
print STDERR "Warning: capability $1 does not exist. \nConsult 'list' command.\n";
} else {
push @tounset,lc($1);
}
} else {
print STDERR "Warning: $_ command not recognized.\n";
}

}
foreach $cap (@tounset) {
$boundary &= ~cap_to_mask($caps{$cap});
}
unless (open(CAPBOUND,">/proc/sys/kernel/cap-bound")) {
print STDERR "Could not open /proc/sys/kernel/cap-bound for writing: $!.\nMake sure you are running 2.2.11 or newer kernel.\n";
return;
}

print CAPBOUND $boundary;

close CAPBOUND;
}
} else {&show_usage;}

# it's the end :-)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mofeed Shahin: "UDF FileSystem."
Previous message: Geert Uytterhoeven: "Re: Frame buffer problem in 2.2.11"