port to POSIX capabilities API via libcap

Bug #1087134 reported by Mike Miller
Affects: procenv
Status: Fix Released
Importance: Undecided
Assigned to: James Hunt

Bug Description

Procenv currently uses prctl to get Linux process capabilities. This limits use to Linux >= 2.6.25. The effect is no capabilities information on RHEL5, for example.

A more compatible / well-defined / backport-friendly alternative would be to use the POSIX capabilities API through the libcap or libcap-ng libraries. I can hack on this when I get a free moment, but let me know if you'd object to such a change.

James Hunt (jamesodhunt) wrote :

Hi Mike,

Thanks for the offer! I don't have any objections as long as it doesn't stop it working on the platforms it's already running on :-)

Changed in procenv:
status: New → Confirmed
Mike Miller (mtmiller) wrote :

Cool, I'll look into it. It's not a high priority for me, but I notice right away that the capabilities section is completely blank for RHEL5.

Mike Miller (mtmiller) wrote :

So I looked again at the way capabilities are queried in procenv and did some re-reading of capabilities(7). I wonder now what you intend to show in this function.

Do you want to show capabilities that the process actually has enabled or capabilities that it has in its bounding set that it could potentially enable in itself or a child process? When I run procenv in my terminal I know I do not have any capabilities enabled, but it shows all capabilities as "yes" because they are not masked out of my bounding set.

I originally reported this assuming the former, but procenv currently reports the latter.
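
The distinction raised in the comment above, as an added example that is not part of the original thread and is not procenv's code: it reads the effective, permitted and inheritable sets with the raw capget(2) syscall (the call libcap's cap_get_proc() wraps) and the bounding set with prctl(PR_CAPBSET_READ), so the two views can be compared. The struct and function names are hypothetical, and a Linux kernel with version 3 capabilities is assumed.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Hypothetical container for the four sets, one bit per capability. */
struct cap_sets { uint64_t effective, permitted, inheritable, bounding; };

/* Read the calling process's sets; returns 0 on success, -1 on error. */
int read_cap_sets(struct cap_sets *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];

    memset(d, 0, sizeof d);
    memset(out, 0, sizeof *out);
    if (syscall(SYS_capget, &hdr, d) != 0)   /* pid 0 = this process */
        return -1;
    out->effective   = ((uint64_t)d[1].effective   << 32) | d[0].effective;
    out->permitted   = ((uint64_t)d[1].permitted   << 32) | d[0].permitted;
    out->inheritable = ((uint64_t)d[1].inheritable << 32) | d[0].inheritable;

    /* The bounding set is not returned by capget(); probe it bit by bit. */
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) == 1)
            out->bounding |= 1ULL << cap;
    return 0;
}

/* 1 when cap is only a ceiling: in the bounding set, not effective. */
int bounding_only(const struct cap_sets *s, int cap)
{
    uint64_t bit = 1ULL << cap;
    return (s->bounding & bit) && !(s->effective & bit);
}

int main(void)
{
    struct cap_sets s;
    if (read_cap_sets(&s) != 0) { perror("capget"); return 1; }
    printf("CapEff %016llx\nCapPrm %016llx\nCapInh %016llx\nCapBnd %016llx\n",
           (unsigned long long)s.effective, (unsigned long long)s.permitted,
           (unsigned long long)s.inheritable, (unsigned long long)s.bounding);
    printf("CAP_NET_ADMIN bounding-only: %d\n", bounding_only(&s, CAP_NET_ADMIN));
    return 0;
}
```

The four hex values correspond to the CapEff, CapPrm, CapInh and CapBnd fields in /proc/self/status, which gives an independent check of the output.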

James Hunt (jamesodhunt) wrote :

Hi Mike - I've now added POSIX capabilities to procenv v0.33.

Changed in procenv:
status: Confirmed → Fix Released
assignee: nobody → James Hunt (jamesodhunt)